A lot of people asked me what I do and whether they can reproduce what I've done, so I made a little tutorial on how to extract, analyze and manipulate an Olympus firmware file.
1. Download all the files you need.
- Firmware Control Tool. With this you can flash any firmware you want to your camera. You can also download all the official updates that are available on the Olympus server.
Link: Firmware Control Tool
- Firmware extract tool. This tool allows you to extract the different files contained in the main firmware file. It can also extract most of the readable debug text of the firmware. After the whole process you can repack the firmware with this tool.
Tool link: Olympus_fw_tools.zip
Visual Studio source code: visualStudioCode.rar
- You have to download an official firmware with the Firmware Control Tool of 1a). This is the firmware all your work is based on.
- Carving Tool. A tool that helps you to search for files stored inside the firmware.
Link: carver-recovery
2. Extract the firmware
- First open a command window (cmd) in the folder of the tool. To do this, hold SHIFT, right-click the folder and select "Open command window here".
- Take a look at all the commands. Type "oly_fw_manip.exe -?" to see them all.
Then you have to extract the main firmware file. Type "oly_fw_manip.exe --unpack --in firmware_file.BIN --out firmware_output.xml". You can also find all commands as .bat files in the tools folder. You can edit them with any text editor and run them like a normal program.
- You will get up to 5 files with the E-M5 and 3 files with other cameras. The filename shows you what the file is about.
- Now run the extract command on the "00.main-code-01.bin" file. This is the file where all the code is stored, and it is also the file we have to edit. But first run in cmd: "oly_fw_manip.exe --analyze --in firmware_file.dissected\00.main-code-01.bin --out .\firmware_file.analysis". You will get all the readable text. This text shows you which part of the code has what purpose. If you find a lot of ISO debug text, that part of the code may be about the ISO settings.
- You will find a lot of interesting strings about WiFi, HDMI, ISO, exposure etc. They are sometimes interesting, but only a few are useful because we are not able to execute these debug commands yet. (Some SCSI commands worked, but that's not enough.) If you have any specific idea how we could send them to the camera, please let me know: e-mail
- If you want to extract all photos/images of the firmware you can run the file carver software. It extracts some images, which you can also search for in the hex code. This means you can edit a picture and paste its code back into the firmware file.
3. Manipulate the firmware
- Now edit the firmware file. I prefer to edit it with a HEX editor. I use this one: wxhexeditor
You may have to find patterns that look similar and edit them. For example you can find the hex values for 100, 200, 250 etc., which are the lower ISO values, and edit them. This way I managed to enable ISO 80, 125 & 160 values. Link: new-iso-values
- You can also use IDA Pro to reverse engineer the code. The processor of the E-M5 is a "Matshi-MN103". The CPUs of the other cameras are not yet known. If you want further information on this, visit this link or ask me.
- You can download multiple firmware files of different cameras and compare the code. For example the E-M1 firmware 1.1 has got the same resource files as the E-M10 1.1.
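One way to narrow down the hex search for the ISO values described above, as an added example that is not part of the original tutorial or of the Olympus tools: it looks for the listed values stored one after another and reports the offset, encoding and spacing of each candidate table. The value width, byte order and record spacing are assumptions to be checked against the real file, and the sample bytes are constructed, not taken from any firmware.

```python
import struct

# Candidate encodings. The page does not say how the ISO values are stored,
# so width and byte order are assumptions to test against the real file.
ENCODINGS = {"u16le": "<H", "u16be": ">H", "u32le": "<I", "u32be": ">I"}

def find_value_runs(blob, values, stride_max=16):
    """Return sorted (offset, encoding, stride) hits where `values` appear in
    order at a constant stride. A stride larger than the value width means
    the values are fields inside bigger table records."""
    hits = []
    for name, fmt in ENCODINGS.items():
        width = struct.calcsize(fmt)
        needles = [struct.pack(fmt, v) for v in values]
        start = blob.find(needles[0])
        while start != -1:
            for stride in range(width, stride_max + 1, 2):
                if all(blob[start + i * stride:start + i * stride + width] == n
                       for i, n in enumerate(needles)):
                    hits.append((start, name, stride))
                    break
            start = blob.find(needles[0], start + 1)
    return sorted(hits)

def patch_value(blob, offset, encoding, new_value):
    """Overwrite one entry in place. The length is unchanged, so nothing
    after the table moves."""
    out = bytearray(blob)
    struct.pack_into(ENCODINGS[encoding], out, offset, new_value)
    return bytes(out)

# Constructed sample, not real firmware: 0xFF filler around a packed
# 16-bit little-endian table 100, 200, 250, 320 at offset 0x20.
SAMPLE = b"\xff" * 0x20 + struct.pack("<4H", 100, 200, 250, 320) + b"\xff" * 0x10

if __name__ == "__main__":
    for offset, enc, stride in find_value_runs(SAMPLE, [100, 200, 250]):
        print(f"0x{offset:06X}  {enc}  stride {stride}")
    patched = patch_value(SAMPLE, 0x20, "u16le", 80)
    print(len(patched) == len(SAMPLE), find_value_runs(patched, [80, 200, 250]))
```

A single run can match under more than one encoding (a 32-bit big-endian field also reads as a 16-bit one two bytes later), so treat every hit as a candidate to inspect in the hex editor, and keep an untouched copy of the original file to compare against before repacking.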
4. Repack the firmware
- Repack the firmware with cmd: "oly_fw_manip.exe --pack --in firmware_file.xml --out new_firmware_name.BIN". You will get a new file which should be ready to flash.
5. Flash the firmware
- Start the Firmware Control Tool again and start the server with the new file you just created.
- Start the official Digital Camera Updater and run the update process like normal.
- Wait for the OK sign and you're all done! You just flashed a custom firmware.
Matshi as in Matsushita Electronic == Panasonic. http://en.wikipedia.org/wiki/MN103
I seem to keep getting errors and am unable to unpack the EM5 2.0 firmware.
I performed the analyze command. That resulted in two xml files, but it also returned this error in command prompt: Index range exceeds random number generator.
Here are the other errors
>>oly_fw_manip.exe --in em5output.dissected\00.main-code-01.bin --unpack –out em5output.dissected\output
Olympus E-series Firmware Tool
Version 1.02 -- USE AT OWN RISK!
Block 00:
Block type signature: 0xFAFC ("•³") Unknown block signature
Model signature: 0xFFF0 Unknown block type/model signature combination
Warning: Zero-padding/unknown field was not zero!
Data was 0xCB 0xCB 0x8F 0x30
Loading address: 0x8F80700F
Size (body): -2140139773 bytes (0x80700F03)
Error(s):
Block length exceeds remaining file length. Input file format probably not supported.
>>oly_fw_manip.exe --in em5output.dissected\00.main-code-01.bin --extract-resources --out em5output.dissected\output
Olympus E-series Firmware Tool
Version 1.02 -- USE AT OWN RISK!
Error(s):
Couldn't open input file.
Should I email you? I am interested in developing for the EM5.
Wanted to take a look at my OM-D E10 files, but analyze fails:
Olympus E-series Firmware Tool
Version 1.02 -- USE AT OWN RISK!
Analyzing MN103 machine code...
Error(s):
Index range exceeds random number generator range.