The Wayback Machine - https://web.archive.org/web/20130422011636/http://nikonhacker.com:80/wiki/Understanding_Firmware

Understanding Firmware

From Nikon Hacker


Introduction

Most electronic devices nowadays are based on digital chips called microcontrollers that run a program called firmware. This firmware is responsible for all operations: initializing the device, checking that all peripherals and other components are OK and ready to use, driving the menu interface, responding to buttons, and ultimately performing whatever the device is designed for.

Nikon DSLRs are such devices and contain several chips, including several microcontrollers. Two of them (called A and B for short) perform most of the high-level logic. Like most makers of advanced devices, Nikon has foreseen that their cameras could benefit from improvements or bug fixes. The firmware for those two microcontrollers is thus stored in semi-permanent (flash) memory that can be rewritten by a specific procedure to "update the firmware" (that is, replace it with another version including the desired changes). This is known as "flashing" the camera.

For every camera that has already received such updates, Nikon makes the updated firmware(s) available as downloadable files on its website. Recent firmwares (A and B) are combined into a single file, which is encrypted, then compressed into an executable with the RAR tool. To get the encrypted combined binary file, simply run the downloaded executable. You would then normally put the resulting file on a memory card to flash the camera.

If you want to work on the firmware rather than flash the camera, you first have to decrypt that file. The encryption algorithm was worked out at the end of 2011 by Simeon Pilgrim; you can find the details starting from this post on his blog. Several tools are now available to decrypt the firmware, one of them built into the NikonEmulator.

Once decrypted and separated, the A and B firmwares are just two binary files understood by the camera's microcontrollers, but not (yet) human-readable.


The "B" microcontroller

General information

The "B" microcontroller is the one we mainly focus on, because it drives the screen and handles user interaction such as menu navigation. It is a Nikon Expeed processor and is based on a Fujitsu FR (or FR-V) 32-bit microcontroller, most probably from or close to the FR80 family, like the chips numbered 916xx or 91F6xx found here.

As such, the firmware that drives the menus and the basic logic of the camera consists of binary machine code understood by that specific family of microcontrollers. That binary code can be converted back into a very low-level human-readable form (assembly language). (Note: Nikon didn't write most of the firmware in assembly but in a higher-level language such as C. However, as we don't have access to those sources, all we can do is start from what we have, the compiled machine code files, and translate them into assembly language.)

To dig into the B firmware code, it is thus highly advisable to first carefully read chapters 1 to 3 of the FR Family instruction manual (see the reference below). Those 30 pages are a real prerequisite before trying to follow, or ask questions about, the internals of the code. For a more advanced understanding of that microcontroller, reading the FR80 Programming Manual is advised, because it covers other aspects of the chip and documents a slightly modified instruction set, which is the one used in the Expeed.

Fortunately, work has been done to convert the binary format into the human-readable text format known as assembly language. A good deal of that work was done by Kevin Schoedel in his Dfr disassembler, which was then improved and included in several tools such as the NikonEmulator.

Address map

To the best of our knowledge, the basic address map of the D5100 "B" firmware is as follows:

  • 0x00000000-0x00001000(?) are microcontroller registers. They are used to configure the different circuits that live on the chip alongside the CPU. All the information we find about this I/O map is summarized in this spreadsheet.
  • 0x000E0000-0x000FFFFF is Boot ROM. It contains the original interrupt vector as well as a bootloader with "recovery" functionality in case a firmware update fails, and which otherwise hands control to the firmware code if it is valid.
  • 0x00040000-0x00ABFFFF contains the firmware itself (note that it overlaps the Boot ROM area above: flashing of the 0xE0000-0xFFFFF area is skipped by the firmware loader). That firmware contains code (CPU init, OS, libraries, and Nikon-specific code, the entry point being at 0x40000), another interrupt vector, and data (pointer tables, localized strings, icons, JPEG files, ...).
  • 0x40060000 is an unknown component.
  • 0x69000000 is a RAM area with variables etc.
  • 0x80000000 is another RAM area with variables etc.
  • 0xCE57DC60-0xCE6A9C5F is screen memory. It is encoded in YUV 4:2:2, so a first array contains the luminance values Y (one byte per pixel), then two arrays contain the chrominance components U and V (one byte valid for 2 adjacent pixels: half horizontal resolution for hue).
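
The following is an added example, not code from the Nikon Hacker wiki or the emulator project. It models the "B" address map listed above and works out the one edge case the list calls out: a firmware image written from 0x40000 spans the Boot ROM window at 0xE0000-0xFFFFF, and writes into that window have to be skipped. The address ranges are the ones on the page; the 64 KiB block size used to plan the write is an assumption.

```python
# Added example (not from the Nikon Hacker wiki): model of the D5100 "B"
# address map and of the Boot ROM overlap that a flash writer must skip.
# Ranges are taken from the wiki list; the block size is an assumption.

FIRMWARE_BASE = 0x00040000           # start of firmware and entry point (page)
FIRMWARE_END = 0x00ABFFFF            # inclusive
BOOT_ROM = (0x000E0000, 0x000FFFFF)  # inclusive window that is never rewritten

# (name, start, end) with end inclusive; None where the page gives only a start.
B_REGIONS = [
    ("mcu-registers", 0x00000000, 0x00001000),   # end is marked "(?)" on the page
    ("firmware",      FIRMWARE_BASE, FIRMWARE_END),
    ("boot-rom",      BOOT_ROM[0], BOOT_ROM[1]),
    ("unknown",       0x40060000, None),
    ("ram",           0x69000000, None),
    ("ram",           0x80000000, None),
    ("screen-yuv422", 0xCE57DC60, 0xCE6A9C5F),
]


def regions_at(addr):
    """Names of every listed region containing addr; the overlap yields two."""
    hits = []
    for name, start, end in B_REGIONS:
        if end is None:
            if addr == start:
                hits.append(name)
        elif start <= addr <= end:
            hits.append(name)
    return hits


def flash_plan(image_size, base=FIRMWARE_BASE, block=0x10000):
    """Split an image to be written at `base` into blocks and mark each one
    writable or skipped. A block is skipped if any byte of it lands in the
    Boot ROM window; an image that would run past the firmware range is refused."""
    if base + image_size - 1 > FIRMWARE_END:
        raise ValueError("image does not fit in the firmware range")
    plan = []
    for off in range(0, image_size, block):
        first = base + off
        last = min(first + block, base + image_size) - 1
        in_boot_rom = first <= BOOT_ROM[1] and last >= BOOT_ROM[0]
        plan.append((off, first, not in_boot_rom))
    return plan


if __name__ == "__main__":
    # 1 MiB image written at 0x40000: the blocks at 0xE0000 and 0xF0000 are skipped.
    for off, addr, write in flash_plan(0x100000):
        print(f"offset 0x{off:06X} -> 0x{addr:08X} {'write' if write else 'SKIP'}")
```

Because `regions_at` returns every match rather than the first, an address in the overlap reports both "firmware" and "boot-rom", which is exactly the ambiguity the loader has to resolve in favour of the Boot ROM.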

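The screen-memory layout in the last item above, as an added example (not code from the wiki or from the NikonEmulator): a decoder for a planar YUV 4:2:2 frame stored as a full-resolution Y plane followed by U and V planes at half horizontal resolution, producing 8-bit RGB rows. The BT.601 full-range colour conversion and the 4x2 demo frame are assumptions; the page states neither the colour matrix nor the screen dimensions, only that the range holds 2 bytes per pixel.

```python
# Added example (not from the Nikon Hacker wiki): decode a planar YUV 4:2:2
# screen buffer (Y plane, then U plane, then V plane, chroma shared by each
# horizontal pixel pair) into RGB. Colour matrix and demo frame are assumptions.

SCREEN_START, SCREEN_END = 0xCE57DC60, 0xCE6A9C5F   # inclusive range from the page


def screen_pixel_count():
    """Pixels the screen range holds: Y + U + V cost 2 bytes per pixel in 4:2:2."""
    return (SCREEN_END - SCREEN_START + 1) // 2


def clamp8(v):
    return max(0, min(255, int(round(v))))


def yuv_to_rgb(y, u, v):
    """BT.601 full-range (JPEG-style) YUV -> RGB; assumed, not documented on the page."""
    d, e = u - 128, v - 128
    return (clamp8(y + 1.402 * e),
            clamp8(y - 0.344136 * d - 0.714136 * e),
            clamp8(y + 1.772 * d))


def plane_sizes(width, height):
    """Byte sizes of the Y plane and of each chroma plane."""
    if width % 2:
        raise ValueError("4:2:2 needs an even width")
    return width * height, (width // 2) * height


def decode_yuv422_planar(buf, width, height):
    """Return a list of rows, each a list of (r, g, b) tuples."""
    y_size, c_size = plane_sizes(width, height)
    if len(buf) != y_size + 2 * c_size:
        raise ValueError(f"expected {y_size + 2 * c_size} bytes, got {len(buf)}")
    y_plane = buf[:y_size]
    u_plane = buf[y_size:y_size + c_size]
    v_plane = buf[y_size + c_size:]
    rows = []
    for r in range(height):
        row = []
        for c in range(width):
            ci = r * (width // 2) + c // 2        # one chroma sample per pixel pair
            row.append(yuv_to_rgb(y_plane[r * width + c], u_plane[ci], v_plane[ci]))
        rows.append(row)
    return rows


# Constructed 4x2 demo frame: a grey ramp in Y with neutral chroma everywhere,
# so each decoded pixel comes back as (y, y, y).
DEMO_W, DEMO_H = 4, 2
DEMO_FRAME = bytes([16, 235, 128, 128, 0, 255, 100, 200]   # Y plane, 8 bytes
                   + [128] * 4                              # U plane, 4 bytes
                   + [128] * 4)                             # V plane, 4 bytes

if __name__ == "__main__":
    print(f"screen range holds {screen_pixel_count()} pixels")
    for row in decode_yuv422_planar(DEMO_FRAME, DEMO_W, DEMO_H):
        print(row)
```

The length check in `decode_yuv422_planar` is what catches a wrong width or height guess: for the real screen range, any (width, height) pair whose product is not 614400 will be rejected rather than silently producing a torn image.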
Reference documentation from Fujitsu

The "A" microcontroller

General information

The "A" microcontroller is aimed at I/O tasks. For our target cameras (the D5100 etc.), it is a Toshiba TMP19A44FEXBG. Work is in progress to better understand its exact role and its interactions with the "B" microcontroller.

Address map

  • 0xBFC00000-0xBFCBFFFF contains the firmware itself.
  • 0xFF000000-0xFF00FFFF contains the peripheral registers. See the hardware documentation below.

Reference documentation from Toshiba
