ma1co / fwtool.py

A tool to unpack Sony camera firmware images
MIT License

Confirm known 'keys' from 'Backup.bin' #6

Open mungewell opened 6 years ago

mungewell commented 6 years ago

It is possible to pull and decode the 'Backup.bin' file from either the firmware installer image, or directly from camera using Sony-PMCA-RE's updaterconsole. https://github.com/ma1co/Sony-PMCA-RE

Is anyone compiling a list of known 'keys'?

I assume that there is some standardization between different camera models. Looked at AS15, QX10 and AS100 and they seem to have similar 'blocks'.

Once understood, how can the keys be modified to change camera behaviour? Is there a method of writing an individual 'key' to the camera, or does the whole 'Backup.bin' have to be compiled and written back to the camera (and how)?

mungewell commented 6 years ago

Making some progress, but a little confused about the actions of/on 'Backup.bin'. Hoping someone can give some guidance.

After installing 'Tweak' on a HX60, I can connect it to network and telnet to it. Then make changes using the (on camera) 'bk.elf' command.

```
$ telnet 192.168.1.101
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.

BusyBox v1.13.4 (2012-07-17 15:11:04 JST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # /usr/bin/bk.elf r 0x00510036
id:00510036 size:1 data:
01,
/ # /usr/bin/bk.elf w 0x00510036 0
id:00510036 size:1 data:00,
/ # /usr/bin/bk.elf r 0x00510036
id:00510036 size:1 data:
00,
/ # /usr/bin/bk.elf l 0x00510036
Backup load address:0x4553008
---------
BackupID:00510036 (SID:051)
info:0x4557dee
size_ofst:010467b8
attr:00 size:1 ofst:288696 data:0x45997c0

01,
/ # /usr/bin/bk.elf s
done
/ # /usr/bin/bk.elf l 0x00510036
Backup load address:0x4434008
---------
BackupID:00510036 (SID:051)
info:0x4438dee
size_ofst:010467b8
attr:00 size:1 ofst:288696 data:0x447a7c0
```

What I'm not sure about is when the changes are actioned. Do they happen immediately, after the sync, or after a power cycle? In the (randomish) keys I have changed, I see them revert back automatically after a power cycle....
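Added example (not part of the original thread, and not code from fwtool or Sony-PMCA-RE): a Python parser for the `bk.elf r` / `bk.elf w` output shown in the session above, which turns a captured telnet log into a list of property values and reports which ones changed. It assumes that properties larger than one byte continue as further lines of comma-separated hex bytes; `parse_records` and `changes` are names chosen for this example.

```python
import re

# Record header printed by `bk.elf r` and `bk.elf w` in the session above.
HEADER = re.compile(r"^id:([0-9a-fA-F]{8}) size:(\d+) data:(.*)$")
# Assumption: data continues on following lines as comma-separated hex bytes.
BYTE_LINE = re.compile(r"^(?:[0-9a-fA-F]{2},\s*)+$")

# Sample input: lines copied from the telnet session above.
SESSION = """\
/ # /usr/bin/bk.elf r 0x00510036
id:00510036 size:1 data:
01,
/ # /usr/bin/bk.elf w 0x00510036 0
id:00510036 size:1 data:00,
/ # /usr/bin/bk.elf r 0x00510036
id:00510036 size:1 data:
00,
/ # /usr/bin/bk.elf s
done
"""

def parse_records(text):
    """Return [(property_id, data_bytes), ...] in the order they were printed."""
    raw, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            current = [int(m.group(1), 16), int(m.group(2)), m.group(3)]
            raw.append(current)
        elif current is not None and BYTE_LINE.match(line):
            current[2] += line          # data printed below the header (read form)
        else:
            current = None              # prompt, blank line or other output ends the record
    records = []
    for prop_id, size, hexdata in raw:
        data = bytes(int(b, 16) for b in hexdata.split(",") if b.strip())
        if len(data) != size:           # truncated capture or unexpected format
            raise ValueError(f"id {prop_id:08x}: expected {size} bytes, got {len(data)}")
        records.append((prop_id, data))
    return records

def changes(records):
    """Return [(property_id, old, new)] each time a property differs from its last seen value."""
    last, out = {}, []
    for prop_id, data in records:
        if prop_id in last and last[prop_id] != data:
            out.append((prop_id, last[prop_id], data))
        last[prop_id] = data
    return out

if __name__ == "__main__":
    for prop_id, old, new in changes(parse_records(SESSION)):
        print(f"{prop_id:#010x}: {old.hex()} -> {new.hex()}")
```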

mungewell commented 6 years ago

If you change a used key (in a way you can observe the change) the effect is instant. Still not sure what the 'sync' command does....

ma1co commented 6 years ago

I'd suggest that we compile the list of known keys directly in OpenMemories: Platform. There are already a few properties which are needed for the tweaks.

Regarding Backup.bin in general: When the camera boots, the contents of Backup.bin are copied to memory. Any call to Backup_read, Backup_write or similar reads or modifies the data in memory. If you call Backup_write (through bk.elf w for example), every subsequent call to Backup_read will return the modified value. So changes should be immediate, as long as the corresponding code calls Backup_read every time and doesn't cache the value somewhere. Since the values are only modified in memory, the Backup.bin file becomes outdated. You can write the data in memory back to the file by calling Backup_sync_all (through bk.elf s for example). Since this writes data to disk, it takes a moment to complete. Backup_sync_all is called automatically when the camera is switched off, so you don't have to worry (as long as you don't crash the camera or remove the battery).

mungewell commented 6 years ago

You might enjoy the attached spreadsheet. Lots of video settings (mostly) understood.

video_settings.zip