This shows you the differences between two versions of the page.
|
sony-hack:languages [2015/08/10 18:30] vitaliy_kiselev created |
sony-hack:languages [2015/08/10 18:32] (current) vitaliy_kiselev |
||
|---|---|---|---|
| Line 27: | Line 27: | ||
| When you run the FW update software from Sony (e.g. Update_SLTA65V105.exe) this will unpack in some directory (eventually in the windows temp) showing following structure. | When you run the FW update software from Sony (e.g. Update_SLTA65V105.exe) this will unpack in some directory (eventually in the windows temp) showing following structure. | ||
| - | {{ :development:fwupdate_1.png |}} | + | {{ fwupdate_1.png |}} |
| In the Resource directory you will find the actual firmware as a big .dat file which is unique for all cameras of a certain type (therefore it has all the languages included). | In the Resource directory you will find the actual firmware as a big .dat file which is unique for all cameras of a certain type (therefore it has all the languages included). | ||
| - | {{ :development:fwupdate_2-153x300.png |}} | + | {{ fwupdate_2-153x300.png |}} |
| I have chosen to do unpacking and repacking of the .dat file on linux for easy keeping file attributes intact. I installed an openSUSE 11 on a virtual machine and worked as root using Mono-IDE for writing C code (packing and unpacking the dat file) and Okteta Hex-editor for easy computing of CRC checksums and modification of files at bit level. | I have chosen to do unpacking and repacking of the .dat file on linux for easy keeping file attributes intact. I installed an openSUSE 11 on a virtual machine and worked as root using Mono-IDE for writing C code (packing and unpacking the dat file) and Okteta Hex-editor for easy computing of CRC checksums and modification of files at bit level. | ||
| Line 72: | Line 72: | ||
| 4 bytes CRC checksum of the whole file without DEND section (including it’s size) as seen on the following image: (THIS YOU HAVE TO CHANGE ACORDINGLY IF YOU HAVE MADE MODIFICATIONS TO THE DAT FILE !!!!) | 4 bytes CRC checksum of the whole file without DEND section (including it’s size) as seen on the following image: (THIS YOU HAVE TO CHANGE ACORDINGLY IF YOU HAVE MADE MODIFICATIONS TO THE DAT FILE !!!!) | ||
| - | {{ :development:fwupdate_3.png |}} | + | {{ fwupdate_3.png |}} |
| I cut every section of the dat file and save them in separate files. The FDAT section is the actual firmware. This part is encrypted (with SHA1 for generation 1 cameras and AES for gen 2 cameras). I would not post any decryption keys here but you can find a decriptor for this somwhere else (google is your friend). | I cut every section of the dat file and save them in separate files. The FDAT section is the actual firmware. This part is encrypted (with SHA1 for generation 1 cameras and AES for gen 2 cameras). I would not post any decryption keys here but you can find a decriptor for this somwhere else (google is your friend). | ||
| Line 78: | Line 78: | ||
| After you decrypt the FDAT section (let out the first 4 bytes which is the name of the section – FDAT) you end up with something like this: | After you decrypt the FDAT section (let out the first 4 bytes which is the name of the section – FDAT) you end up with something like this: | ||
| - | {{ :development:fwupdate_4.png |}} | + | {{ fwupdate_4.png |}} |
| The decoded FDAT file has three sections: | The decoded FDAT file has three sections: | ||
| Line 91: | Line 91: | ||
| - | {{ :development:fwupdate_5.png |}} | + | {{ fwupdate_5.png |}} |
| You can proceed further and decompress the partition images (nflash3, nflash8 … ) found under /0700_part_image/dev but this is not needed for getting the language hack working. | You can proceed further and decompress the partition images (nflash3, nflash8 … ) found under /0700_part_image/dev but this is not needed for getting the language hack working. | ||
| Line 97: | Line 97: | ||
| Under /0110_backup/SYSAVIP-DSLR/PS_UUG you will find a set of configuration files for different regions | Under /0110_backup/SYSAVIP-DSLR/PS_UUG you will find a set of configuration files for different regions | ||
| - | {{ :development:fwupdate_6.png |}} | + | {{ fwupdate_6.png |}} |
| Each region supports a set of languages as shown in the following table. | Each region supports a set of languages as shown in the following table. | ||
| Line 116: | Line 116: | ||
| The idea is simple: swap the 01000000_CX86800_J1.bin file with one who has the standard language you want to have (e.g. 21000000_CX86801_CEE2.bin for Russian or 21000000_CX86801_CEE4.bin for Spanish). You will also have to swap some numbers in /0111_backup_sum/backup file. This file stores the checksums of all files in the backup directory (second column values inside the file). | The idea is simple: swap the 01000000_CX86800_J1.bin file with one who has the standard language you want to have (e.g. 21000000_CX86801_CEE2.bin for Russian or 21000000_CX86801_CEE4.bin for Spanish). You will also have to swap some numbers in /0111_backup_sum/backup file. This file stores the checksums of all files in the backup directory (second column values inside the file). | ||
| - | {{ :development:fwupdate_7.png |}} | + | {{ fwupdate_7.png |}} |
| After putting the dat file back from the modified pieces (I will describe how in the second part of this post), with modifying all the checksums accordingly (and also the fw version) you can upload the fw to the camera. On the first camera start after new fw has been uploaded the language will still be Japanese. You have to go to the last menu item on the camera menu and perform a camera reset to the factory settings. This step will read the configuration file from /0110_backup/SYSAVIP-DSLR/PS_UUG and will take the J1 file (J1 is fixed in an eprom inside the camera) which by now is holding the configuration for another region. | After putting the dat file back from the modified pieces (I will describe how in the second part of this post), with modifying all the checksums accordingly (and also the fw version) you can upload the fw to the camera. On the first camera start after new fw has been uploaded the language will still be Japanese. You have to go to the last menu item on the camera menu and perform a camera reset to the factory settings. This step will read the configuration file from /0110_backup/SYSAVIP-DSLR/PS_UUG and will take the J1 file (J1 is fixed in an eprom inside the camera) which by now is holding the configuration for another region. | ||
| Line 128: | Line 128: | ||
| I had to modify the source of the tar utility and compile it anew. The source code for tar 1.26 is at http://www.gnu.org/software/tar/#releases. The changes are needed in the create.c file in src directory (comment lines 1889 to 1897 — see picture bellow). | I had to modify the source of the tar utility and compile it anew. The source code for tar 1.26 is at http://www.gnu.org/software/tar/#releases. The changes are needed in the create.c file in src directory (comment lines 1889 to 1897 — see picture bellow). | ||
| - | {{ :development:fwupdate_8.png |}} | + | {{ fwupdate_8.png |}} |
| Wih this modified tar utility and having the changes performed on the files (as described in Part 1) you tar back the directory structure as following: | Wih this modified tar utility and having the changes performed on the files (as described in Part 1) you tar back the directory structure as following: | ||
| Line 138: | Line 138: | ||
| The header (512 byte long) from the FDAT section has to be also modified to increase the fw version number. The version number is to be found at offset 0×20 (minor version) and 0×21 (major version). After increasing the count of the minor version the checksum of the header have to be modified as well. The checksum starts at offser ox08 and is 4 bytes long but written in reverse order as seen in the picture bellow (is the checksum of the header without the first 12 bytes). | The header (512 byte long) from the FDAT section has to be also modified to increase the fw version number. The version number is to be found at offset 0×20 (minor version) and 0×21 (major version). After increasing the count of the minor version the checksum of the header have to be modified as well. The checksum starts at offser ox08 and is 4 bytes long but written in reverse order as seen in the picture bellow (is the checksum of the header without the first 12 bytes). | ||
| - | {{ :development:fwupdate_9.png |}} | + | {{ fwupdate_9.png |}} |
| Glue now together the header, the CROMFS part and the new tar archive and you have a FDAT section ready to be encrypted (AES for gen2 cameras). | Glue now together the header, the CROMFS part and the new tar archive and you have a FDAT section ready to be encrypted (AES for gen2 cameras). | ||