Fujifilm Custom Firmware - Non-CANON cameras development - CHDK Forum

Fujifilm Custom Firmware

  • 13 Replies
  • 7874 Views
Fujifilm Custom Firmware
« on: 20 / July / 2021, 20:10:34 »
Advertisements
I've been working on a custom firmware for Fujifilm based cameras for a few months now.
Writeup: https://danielc.dev/blog/hacking-the-fujifilm-digital-cameras
Source code: https://github.com/petabyt/fujifilm


Original post:
I've got my hands on a Fujifilm Finepix HS20EXR. I'm currently working on manipulating firmware files.

I haven't done anything too crazy yet, but here's a "Leet" hack: https://petabyt.dev/filedump/fujil.png
All I had to do was change the 1000 4000 at 0x204 in the firmware file.

I've written a basic firmware unpacker (https://github.com/petabyt/fujifilm-firmware) and
have been working on figuring out how to insert custom code. Here are some observations:

- Code seems to be 32 bit ARM (not thumb)
- The firmware includes SQLite and some sql code. Not sure why.
- Unlike the cameras described in https://chdk.setepontos.com/index.php?topic=6484.0, the camera I have
does not appear to have any batch scripting or hidden menu.
- The code includes "A:\DCAA\auto_act.scr". Is this some kind of script? Making the file on the SD
card doesn't seem to do anything.
- There is a "Happy Birthday!" string in the firmware.
- These strings suggest there may be a secret menu:
     "OSD DEBUG MODE SCREEN SELECT"
     "SCREEN   <UP/DOWN>    : "
     "WARNING  <RIGHT/LEFT> : "

I've tried repacking the firmware with small modifications, but it says it's invalid, probably because
it uses a checksum to scan the file first.
« Last Edit: 13 / July / 2022, 13:52:16 by petabyte »

*

Offline Caefix

  • *****
  • 948
  • Sorry, busy deleting test shots...
Re: Fujifilm Firmware Study
« Reply #1 on: 21 / July / 2021, 12:26:17 »
Fuji ... :blink: Maybe some hints there ?

FUJI FINEPIX HS20 EXR FIRMWARE UPDATE TO WINDOWS 10
&&
A link to a leica-hack, because he found a Fujifilm-FR processor:
https://chdk.setepontos.com/index.php?topic=13668.0
&& a link update for his reference [11]
https://www.fujitsu.com/downloads/CN/fss/services/automotive/FR81S/progfr81-prog-manual-cm71-00105-1e.pdf
https://www.cypress.com/file/238211/download

... Not my spot, too hot ...  :xmas
« Last Edit: 21 / July / 2021, 13:53:53 by Caefix »
All lifetime is a loan from eternity.

Re: Fujifilm Firmware Study
« Reply #2 on: 21 / July / 2021, 16:18:50 »
Fuji ... :blink: Maybe some hints there ?

FUJI FINEPIX HS20 EXR FIRMWARE UPDATE TO WINDOWS 10
&&
A link to a leica-hack, because he found a Fujifilm-FR processor:
https://chdk.setepontos.com/index.php?topic=13668.0
&& a link update for his reference [11]
https://www.fujitsu.com/downloads/CN/fss/services/automotive/FR81S/progfr81-prog-manual-cm71-00105-1e.pdf
https://www.cypress.com/file/238211/download

... Not my spot, too hot ...  :xmas

Do Fujitsu and Fujifilm use the same software?
« Last Edit: 22 / July / 2021, 00:22:51 by petabyte »

*

Offline Caefix

  • *****
  • 948
  • Sorry, busy deleting test shots...
Re: Fujifilm Firmware Study
« Reply #3 on: 22 / July / 2021, 10:54:13 »
Fuji ... :blink: Maybe some hints there ?
... Not my spot, too hot ...  :xmas

Do Fujitsu and Fujifilm use the same software?
I guess: hopefully not  :-X
All lifetime is a loan from eternity.

Re: Fujifilm Firmware Study
« Reply #4 on: 23 / July / 2021, 17:37:40 »
Success! I was able to update to a custom firmware. It turns out the checksum is just a simple
case of "add all the bytes and make sure it equals X". (I had tested this earlier, but I guess I did it wrong)

In order to modify the original firmware, all I have to do was increment/decrement
a few bytes to make sure both checksums were the same.



EDIT: I've now gotten ARM assembly executing. Now it's only a matter of time before we have a FHDK...
« Last Edit: 24 / July / 2021, 02:57:21 by petabyte »

*

Offline c_joerg

  • *****
  • 1251
Re: Fujifilm Firmware Study
« Reply #5 on: 24 / July / 2021, 02:49:14 »
Congratulations...
It looks like you have a lot of background knowledge to do something like this...
« Last Edit: 24 / July / 2021, 02:59:05 by c_joerg »
M100 100a, M3 121a, G9x II (1.00c), 2*G1x (101a,100e), S110 (103a), SX50 (100c), SX230 (101a), S45,
Flickr https://www.flickr.com/photos/136329431@N06/albums
YouTube https://www.youtube.com/channel/UCrTH0tHy9OYTVDzWIvXEMlw/videos?shelf_id=0&view=0&sort=dd

Re: Fujifilm Firmware Study
« Reply #6 on: 24 / July / 2021, 02:55:36 »
Thanks. I learned most of the things I know by working on https://github.com/petabyt/ahdk.

Re: Fujifilm Firmware Study
« Reply #7 on: 26 / July / 2021, 16:10:58 »
I was finishing up my RAM dumper and made a small typo in the code that
ruined the ROM, bricking my camera.

If anybody wants to continue this, feel free to ask any questions.

(I'm not too disappointed, I bought the camera barely working for $30, but definitely a bummer.)
« Last Edit: 28 / July / 2021, 02:59:56 by petabyte »

*

Offline Caefix

  • *****
  • 948
  • Sorry, busy deleting test shots...
Re: Fujifilm Firmware Study
« Reply #8 on: 28 / July / 2021, 13:32:47 »
All lifetime is a loan from eternity.

*

Offline reyalp

  • ******
  • 14125
Re: Fujifilm Firmware Study
« Reply #9 on: 29 / July / 2021, 00:22:43 »
I was finishing up my RAM dumper and made a small typo in the code that
ruined the ROM, bricking my camera.

If anybody wants to continue this, feel free to ask any questions.

(I'm not too disappointed, I bought the camera barely working for $30, but definitely a bummer.)
These things happen  ;)
Wouldn't be surprising if it had some kind of boot loader or rescue loader functionality like Canon cams do.
Don't forget what the H stands for.

 

Related Topics


SimplePortal © 2008-2014, SimplePortal