fujifilm finepix s series

jean80it

3

fujifilm finepix s series

« on: 16 / June / 2011, 04:51:24 »

Advertisements

Hi,
my name is Giancarlo and this is my first post here. I just bought a Fujifilm Finepix s2700HD and was utterly disappointed by the limitated-on-purpose software accompanying an otherwise great camera. So i started digging for solutions.
Now: i know that you're not so interested in starting development of a whole new hack kit for fujifilm from scratch, but luckily i'm a professional developer that sometimes does lo-level for fun, so i offer myself to experiment a little bit if proper starting directions are given.
There are many reasons to help me doing this:
1) Finepix hardware is good and they're probably the cheapest cameras on the market among the bridge category
2) the exact same firmware is often shared across a great number of different camera models (e.g. the firmware for my camera is directly installable in the following models: S2500HD / S2550HD / S2600HD / S2700HD / S1800 / S1850 / S1880 / S1900 / S1600 / S1700 / S1730 / S1770 / S1780), so great compatibility could possibly be achieved with little effort
3) I already downloaded a firmware update and looked inside it with an hex editor and found lots of references to scripts with .srt extension that contain basic like commands (yes, the file doesn't appear to be encrypted)
4) i'm not so mad to desire a whole new firmware... for me, just an hack to be able to save RAW data would be a great improvement to start with

So, if someone wants to take a look, the firmware update file is dowloadable here ( http://www.fujifilm.com/support/digital_cameras/software/firmware/s/finepix_s2500hd/fupd.html ) after conditions somewhere in the middle of the page are accepted. Don't be fooled: only the DAT file is needed.

Any advice? For instance... is that DAT file only containing the new firmware to be written by the exsisting camera software, or it is the executable that actively flashes the internal memory? can you recognize a structure usually connected with a certain architecture in the photography world? Is the starting magic number "RHIR" helping any of you recognizing the format? Wich tools can i use to extract/disassemble?

Many thanks in advance.

Logged

jean80it

3

Re: fujifilm finepix s series

« Reply #1 on: 20 / June / 2011, 04:56:24 »

UPDATE: maybe there's no need to hack anything, because i discovered the presence of a so-called "HIDDEN MENU" that gives access to various debug, development and calibration features. Notably, it gives the chance to switch to manual focus and to save RAW files when capturing. Too bad i have not discovered how to access this menu, yet: i can only see the menu title and all the functions labels inside the firmware update image.
So, i'm calling for help to anyone that happens to own a finepix to try different combinations of keys while turning on the camera to help discover the access to this hidden menu - or - to take a look into the firmware update file - or - to dig deeper in the internet for service papers.

PS: in the firmware i saw that they're using (un)lock files... that is, for crytical operations a file with a given name has to be present on SD in order for the operation to succeed. From my brief analysis, "A:\" appears to be the internal memory, while "B:\" seems to be the SD card.... maybe some further reading of the strings in the FW package could make this mechanism more clear.

PS 2: in my experience nothing went wrong (it would be silly for a camera to hang if mistakenly turned on with the wrong key pressed down), but i experienced a small malfunctioning possibly unrelated to my attempts. A configuration reset immediately solved the issue.

While i understand that this could be a little bit out of topic in a development board, i think mantainers will understand my willingness to post it here anyways. Nevertheless, the discovery of the hidden menu could lead to advances in the development of a possible hack.

Logged

jean80it

3

Re: fujifilm finepix s series

« Reply #2 on: 20 / June / 2011, 08:41:47 »

Ok, sorry to bump this over and over, but i think this is a nice place to report updates. I'm sorta giving up trying codes by hand... i would like to try disassembling code to find there how to access secret menu. I understand that i should use IDA to disassemble binaries, but the question is: how to extract single binaries from the whole .DAT package? If anyone with some experience could give me and advice...
thanks in advance.

Logged

Skinkie

7

Re: fujifilm finepix s series

« Reply #3 on: 22 / October / 2011, 03:49:07 »

Hi, just to give you an heads up. I have bought an ultra cheap AV200. They only costs 50 euro's here now. It is a pretty camera with 720p recording. The biggest problem I have with this camera is that it lacks a manual focus, aperture/shutter setting and records 720p is such conservative mode that is probably only choosen to support any slow SD card on the market.

I am surprised that you found an HIDDEN MENU. That indeed opens possibilities. I have downloaded the 1.01 firmware for my camera. I hope there is some clue in there.

Next to that, the foundation I participate in contacted Fujifilm The Netherlands, if there is any possibility to kickstart a CHDK/Magic Lantern project, just to have competition with Canon. They understood our proposal and passed on the question to Fujifilm Germany. I'll keep the updates posted.

Logged

Skinkie

7

Re: fujifilm finepix s series

« Reply #4 on: 27 / December / 2011, 14:56:27 »

As was pointed out in the first post. It is easy to see there is a HIDDEN MENU somewhere. And a lot inside the camera is scripted. The entire fireware of the Fujifilm AV200 AV205 seems to be unencrypted.

This is just plain-text; The firmware might actually some sort of filesystem.

Code: [Select]

 [BCIP]
 NAME=EE

 [1]
 Command Name=BCIP_GET_EE_CONFIGURATION
 Operation Code=0x910f
 Operation Container Size=12
 Response Container Size=12

 [2]
 Command Name=BCIP_SET_SCRIPT_EVENT_FINISH
 Operation Code=0x913a
 Operation Container Size=12
 Response Container Size=12

 [3]
 Command Name=BCIP_SEND_DATA_TO_SCRIPT
 Operation Code=0x913b
 Operation Container Size=32
 Response Container Size=12
 P1=0   ;
 P2=0   ;
 P3=0   ;
 P4=0   ;
 P5=0   ;
 SP1=Value1
 SP2=Value2
 SP3=Value3
 SP4=Value4
 SP5=Value5

 [4]
 Command Name=BCIP_Get_Trace_buffer
 Operation Code=0x9228
 Data Phase=1 ; 0: No data phase. 1: Device to PC 2: PC to Device
 Operation Container Size=12
 Response Container Size=16
 DP1=Total_length

 [5]
 Command Name=BCIP_GET_DOMO_VERSION
 Operation Code=0x9124
 Operation Container Size=12
 Response Container Size=20
 DP1=Domo Ver.
 DP2=Board Type

 [6]
 Command Name=BCIP_REGISTER
 Operation Code=0x912e
 Operation Container Size=24
 Response Container Size=32
 P1=0x0
 P2=0x0
 P3=0x0
 SP1=0:Read|1:Write
 SP2=Register Address
 SP3=Write Data
 DP1=Register 1
 DP2=Register 2
 DP3=Register 3
 DP4=Register 4
 DP5=Register 5

 [7]
 Command Name=BCIP_LCD_PLAY_IMAGE
 Operation Code=0x9116
 Operation Container Size=28
 Response Container Size=12
 P1=1
 P2=255
 P3=255
 P4=255
 SP1=1:R|2:G|3:B|4:Black|5:White|6:Custom|8:Turn on TG pattern|9:Turn off TG pattern
 SP2=R Level
 SP3=G Level
 SP4=B Level

 [8]
 Command Name=BCIP_DLL_INIT
 Operation Code=0x912c
 Operation Container Size=32
 Response Container Size=28
 P1=0x1
 P2=0x1
 P3=0x1
 P4=0x1
 P5=0x0
 SP1=En DLL
 SP2=LPDiv
 SP3=HFReq
 SP4=ClampDis
 SP5=0:WR 1:RD
 DP1=RG_SHD
 DP2=SHP_H1
 DP3=H2_AFECLK
 DP4=Pad_Ctrl

 [9]
 Command Name=BCIP_DLL_TUNE
 Operation Code=0x912d
 Operation Container Size=32
 Response Container Size=12
 P1=0x0
 P2=0x1
 P3=0x1
 P4=0x13
 P5=0x0 ;
 SP1=0:RG|1:SHD|2:SHP|3:H1|4:H2|5:CLK
 SP2=Enable
 SP3=Invert
 SP4=end
 SP5=start

Code: [Select]


 [BCIP]
 NAME=OM

 [1]
 Command Name=BCIP_Get_OM_Property
 Operation Code=0x9200
 Data Phase=1               ; 0: No data phase. 1: Device to PC 2: PC to Device
 P1=0xffff              ; 0xffff: Without parameter 1. Otherwise: Default of parameter 1.
 P2=0xffff              ; 0xffff: Without parameter 2. Otherwise: Default of parameter 2.
 P3=0xffff              ; 0xffff: Without parameter 3. Otherwise: Default of parameter 3.
 P4=0xffff              ; 0xffff: Without parameter 4. Otherwise: Default of parameter 4.
 P5=0xffff              ; 0xffff: Without parameter 5. Otherwise: Default of parameter 5.
 Operation Container Size=12
 Response Container Size=32
 DP1=Lens ID
 DP2=Zoom UML
 DP3=Zoom LML
 DP4=Zoom Position
 DP5=Aperture Range

 [2]
 Command Name=BCIP_GET_OM_CONFIGURATION
 Operation Code=0x9211
 Operation Container Size=12
 Response Container Size=12

 [3]
 Command Name=BCIP_SET_EXPOSURE_TIME
 Operation Code=0x9210
 Operation Container Size=20
 Response Container Size=16
 P1=240
 SP1=micro second
 P2=0
 SP2=0:LV 1:FR

 [4]
 Command Name=BCIP_SET_ISO_GAIN
 Operation Code=0x9212
 Operation Container Size=16
 Response Container Size=12
 P1=240 ; ISO Gain
 SP1=ISO_Gain

 [5]
 Command Name=BCIP_SET_CLAMP_LEVEL
 Operation Code=0x9213
 Operation Container Size=16
 Response Container Size=12
 P1=240 ; Clame level
 SP1=Clamp_Level 0_255

 [6]
 Command Name=BCIP_ZOOM_MOVE
 Operation Code=0x9204
 Operation Container Size=16
 Response Container Size=28
 SP1=Physical Pos.
 DP1=Zoom time(High Byte)
 DP2=Zoom time(Low Byte)
 DP3=PI Value
 DP4=ErrCode

 [7]
 Command Name=BCIP_Aperture
 Operation Code=0x9208
 P1=0
 Operation Container Size=20
 Response Container Size=16
 P1=0
 SP1=0:Set 1:Get
 SP2=1:Big 9:Small
 DP1= Value

 [8]
 Command Name=BCIP_Shutter
 Operation Code=0x9209

 Operation Container Size=20
 Response Container Size=16
 P1=0
 SP1=0:Set 1:Get
 SP2=0:Close 1:Open
 DP1= Value

 [9]
 Command Name=BCIP_FOCUS_MOVE
 Operation Code=0x9205
 Operation Container Size=16
 Response Container Size=16
 P1=0
 SP1=Physical Pos.
 DP1=ErrorCode

 [10]
 Command Name=BCIP_FOCUS_Status
 Operation Code=0x9206
 Operation Container Size=16
 Response Container Size=16
 P1=0
 SP1=0~3
 DP1=Status

 [11]
 Command Name=BCIP_FOCUS_Reset
 Operation Code=0x9207
 Operation Container Size=12
 Response Container Size=16
 DP1=ErrorCode

 [12]
 Command Name=BCIP_GET_IMAGE_ANALYSIS
 Operation Code=0x9226
 Operation Container Size=16
 Response Container Size=32
 P1=0
 SP1=0:Sel Standard Deviation|1:Sel White_bad_pixel|2:Sel mean_value|3:Get Width_Height
 DP1=R_std
 DP2=GR_std
 DP3=GB_std
 DP4=B_std
 DP5=Y_std

 [13]
 Command Name=BCIP_LensInitial
 Operation Code=0x920a
 Data Phase=0
 Operation Container Size=12
 Response Container Size=16
 DP1=Err Code

 [14]
 Command Name=BCIP_Lens_Off
 Operation Code=0x9203
 Operation Container Size=12
 Response Container Size=16
 DP1=ErrCode

 [15]
 Command Name=BCIP_Take_Picture
 Operation Code=0x920e
 Data Phase=0 ; 0: No data phase. 1: Device to PC 2: PC to Device
 Operation Container Size=24
 Response Container Size=32
 P1=0
 P2=1
 SP1=0:Take Monitor|1:Take FR|2:Take VGA|3:Take 24_color|4:Take_Dark_frame|6:Do_AE|7:Do_AF
 SP2=0:No_int 1:inter
 SP3=FR_WOI 0:Full_image|1:L_Top|2:Mid_Top|3:R_Top|4:L_Mid|5:Center|6:R_Mid|7:L_Bot|8:Mid_Bot|9:R_Bot
 DP1=R
 DP2=Gr
 DP3=Gb
 DP4=B
 DP5=Y


 [16]
 Command Name=BCIP_ENABLE_LIVE_VIEW
 Operation Code=0x913c
 Operation Container Size=16
 Response Container Size=16
 P1=1
 SP1=0:Review mode|1:Live mode
 DP1=Err Code

 [17]
 Command Name=BCIP_ADJ_WOI
 Operation Code=0x9225
 Data Phase=0
 Operation Container Size=32
 Response Container Size=12
 P1=0x3e8
 P2=0x320
 P3=0x3e8
 P4=0x190
 P5=0
 SP1=X_offset
 SP2=Y_offset
 SP3=X_length
 SP4=Y_length
 SP5=0:Disable WOI|1:Enable WOI

 [18]
 Command Name=BCIP_SET_BALCK_OFFSET
 Operation Code=0x9229
 Operation Container Size=16
 Response Container Size=12
 P1=0
 SP1=Value 0_255

 [19]
 Command Name=BCIP_SET_LCD_BACK_LIGHT
 Operation Code=0x922a
 Operation Container Size=16
 Response Container Size=12
 P1=1
 SP1=0:Back Light OFF|1:Back Light ON

 [20]
 Command Name=BCIP_GET_ISO100_GAIN
 Operation Code=0x922b
 Operation Container Size=12
 Response Container Size=32
 DP1=ISO_gain_R
 DP2=ISO_gain_Gr
 DP3=ISO_gain_Gb
 DP4=ISO_gain_B
 DP5=Error Code

 [21]
 Command Name=BCIP_GET_CCD_PARM
 Operation Code=0x921F
 Operation Container Size=16
 Response Container Size=24
 P1=1
 SP1=0:Live View|1:FR
 DP1=Width
 DP2=Heigh
 DP3=Color Order

Logged

nirvalo

1

Re: fujifilm finepix s series

« Reply #5 on: 23 / May / 2012, 22:46:54 »

Hi, I've been reading all the post and I'll like to contribute somehow to the development of this. I own a S2950 and I also think that is really limited to what it can really do. I kinda-know which tools to use but I see that you have some advantage. Which tools are you using or recommend me to start to work?

Grettings for all your effort.

Logged

mistahmo

1

Re: fujifilm finepix s series

« Reply #6 on: 08 / July / 2012, 12:37:38 »

Any updates on finding the hidden menu? I've tried many combinations but none have worked

Logged

alex

4

Re: fujifilm finepix s series

« Reply #7 on: 10 / July / 2012, 17:05:39 »

Hello all. I'm using FujiFilm HS20EXR and I'd like to help you.
Skinkie, can you tell me, what soft did you use to decompile or look through .dat files from firmware to get this function's headers?

Logged

lionking

3

Re: fujifilm finepix s series

« Reply #8 on: 13 / July / 2012, 12:02:50 »

How to access scripting:

1. Create "Batch" folder on SD Card
2. Create BatchScripts.txt file in "Batch" folder
3. Open BatchScripts.txt with notepad and write any word there, e. g. "test" (without "").
4. Create a file named the same as the word in "BatchScripts.txt", with .srt extension (e.g. test.srt).
5. All BASIC codes goes to this file (e.g. test.srt)
6. Create a 1:1 copy of your file (test.srt) with the same name, but change the extension to .pat (test.pat)
7. Turn your camera on

Quote

Validating log file of B:\Batch\test.srt:
Matched.
Max memory allocated for this batch: 17680 bytes

@alex:
Just simply open fpupdate.dat with hex editor or notepad++

Edit: List of strings from the 1.04 S2500HD firmware:
http://pastebin.com/hfSsZwTy

Batch.zip (1.21 kB - downloaded 495 times.)

« Last Edit: 13 / July / 2012, 13:23:53 by lionking »

Logged

alex

4

Re: fujifilm finepix s series

« Reply #9 on: 25 / July / 2012, 05:41:11 »

@lionking, when I opened it with np++, I got a list of symbols. Without code or something readeble. (I'm working with HS20EXR)

Interesting, but when I opened your fpupdate file, I got that list of strange symbols too. Looks like I didn't have some symbols.

« Last Edit: 25 / July / 2012, 05:51:42 by alex »

Logged