Head Image

Olympus OM-D E-M10 Firmware Hack

Firmware Documents

//Update: 07.08.14

Because I only own an E-M10 this is all about the new OM-D camera. But the procedure for hacking an Olympus firmware is the same for all 3 OM-D cameras.

Firmware documentation can be found here:
http://dl01.olympus-imaging.com/ww/ud2/ENU/0001/1130/index01a.html
Firmware Update Document Olympus OM-D E-M10

This shows the internal "id" code for the E-M10: 1130. Every Olympus camera has one. For example E-M1's id is 1090 and E-M5's 0970.

The system behind the link: http://dl01.olympus-imaging.com/ww/ud2/[language]/0001/[camera id]/index[firmware number]a.html
Where the firmware number is an integer: Ver. 1.0= 1; Ver 1.1= 2; etc.

Firmware Bin

I searched for older firmware hacks for the OM-D series and found some people who downloaded and decrypted one for the E-M5: http://www.personal-view.com/talks/discussion/2789/olympus-hacks/p2
On this page is a link to the binary firmware file of the E-M5 which is being downloaded by the "Olympus Digital Camera Updater" to update the firmware of your Olympus camera.

So I wrote an app to search(with the new id of the E-M10) the Olympus website for similar pages to get the firmware for the E-M10.
The link I found for the newest Version 1.1: http://dl01.olympus-imaging.com/OLYMPUS_MASTER/FIRMWARES/0001/1130/OLY_E_113_1104_0000_0000.BIN

Binary Decryption

So as described at "person-view.com" I extracted all the files with the "oly_fw_tools" and got 64 files (incl. resources). Now that is where the fun part takes place: Reverse engineering.
So far I only had time to look at the strings inside the language and main code files and can say: The camera does not support 25fps video. Or in other words: Olympus did not wrote any code for that yet.
Years ago there where some rumors that the E-M5 does support 60/120fps, but as confirmed by others that settings is only for the internal view finder, which indeed has support for up to 240fps.

So to get further: I decrypted the main_code.bin (binary file) of the firmware with the command:
"oly_fw_manip.exe --analyze --in OLY_E_113_1104_0000_0000.dissected\00.main-code-01.bin --out .\OLY_E_113_1104_0000_0000.analysis"
What you get is the file "00.main-code-01.addr_strings_all.txt" which contains a more readable version of all strings you would also find in the HEX file. Encrypted and progressed code is being ignored, resulting in a "fun to search through" file.

some findings: (there are many)
  • The E-M10 supports Bluetooth, which i did not know before. Apparently there is equipment which uses Bluetooth, but can we use it also for our purposes? The strings show that a "OLYMPUS BlueSDK a4" is used to connect to the PENPEL.
  • 0x00DF39C8:WIFI SHELL //can we execute commands over WiFi?
  • 0x000D5CC4:USF debugging shell Version 1.10 //The debugging shell Olympus made?
  • System running: uITRON 
  • Broadcom BCM%04x 802.11 Wireless Controller with Broadcom SDPCMD CDC driver
  • MAC address belongs to FUJITSU LIMITED

After I looked up almost the whole document I have to admit, that it's not as useful as I thought. It is basically a giant debug value text. It contains all kinds of debug strings for different situations like USB-, WiFi and SD-Card-debugging. If we get a shell to work, the possibilities are almost endless. Nevertheless it's also useful to get some cgi comands. Those are the commands send by the Olympus Image Share" App.

Well let's go on with the hex file.
(it's a time consuming process and the whole analysis takes time, so be patient :) )

Flashing the new Firmware

Flashing a manipulated firmware is not much of a problem. There is a pyhon script available to emulate the Olympus server. With this, a new (hacked) firmware can be flashed just like a normal one, no matter what version is installed.

The Server running with a python script. It detects the firmware as a file for the E-M10
It is German, but you can see, that the new firmware is detected as Version 1.2
This is not a manipulated firmware yet. It's just to test the update process before I risk anything else.
Result: It works like a charm! We can flash any firmware - check.

Next Step: scsi commands

Next up are commands you send by a usb wire to the camera. Because we have literally tons of debug commands I try to establish a debug connection.

//Original Publish Date: 29.07.14
//Update 1: 01.08.14
//Update 2: 04.08.14
//Update 3: 05.08.14

4 comments:

  1. Good work. Keep hacking!

    ReplyDelete
  2. Hi, great article, could you please post the oly_fw_tools? I wasn't able to register to personal-view forum.

    ReplyDelete
    Replies
    1. Write me an email and I will give you a link.

      Delete
  3. Hi,

    Can the EM-1 or EM-10 firmware be hacked or modified to work on the PEN EP-5? I would love to add the Live Composite feature to my PEN.

    Thanks!

    ReplyDelete