Personal View site logo
Make sure to join PV on Telegram or Facebook! Perfect to keep up with community on your smartphone.
Please, support PV!
It allows to keep PV going, with more focus towards AI, but keeping be one of the few truly independent places.
Sony Alpha hacks talk
  • 255 Replies sorted by
  • Thanks ma1co. I was able to decompile both A7 and A7II firmware. I wanna try yo put av-cam.bin from A7II to A7 firmware to have access to XAVC-S codec on my A7 - maybe even get a look at A7SII av-cam.bin for 4k recording !

    Before investigating further - I wanna know if/how I can compile back to firmware. I saw old version of fwtool there was the -c tag, but it's seems it's not part of your python script.

  • I wanna try yo put av-cam.bin from A7II to A7 firmware to have access to XAVC-S codec on my A7 - maybe even get a look at A7SII av-cam.bin for 4k recording

    Do not even try to do this.

    I saw old version of fwtool there was the -c tag, but it's seems it's not part of your python script.

    diff is published in this topic, so proper unpacker can be compiled.

    • I wanna try yo put av-cam.bin from A7II to A7 firmware to have access to XAVC-S codec on my A7 - maybe even get a look at A7SII av-cam.bin for 4k recording

    Is it possible to port PDAF via 3rd adapter from A7II to A7 firmware ?

  • Is it possible to port PDAF via 3rd adapter from A7II to A7 firmware ?

    What you mean?

  • Sony a7II firmware update FW 2.0 adds Uncompressed Raw and Phase Detection AF for third-party lenses with Smart adapters, We know A7 and A7II cmos are same, so can we add this feature to A7 ?

  • Sony a7II firmware update FW 2.0 adds Uncompressed Raw and Phase Detection AF for third-party lenses with Smart adapters, We know A7 and A7II cmos are same, so can we add this feature to A7 ?

    No.

  • Can anyone merge the diff and compile into an executable, please. It's been months.

    If I could, I would. But programming isn't for me. And for those I know that does program, the repo is on a very different platform from what they use.

    Just a thought.

  • If I could, I would. But programming isn't for me. And for those I know that does program, the repo is on a very different platform from what they use.

    Sorry?

    If you have source and can compile it you can apply it even manually.

    http://gnuwin32.sourceforge.net/packages/diffutils.htm I think it is diff for windows.

  • But how do I pull from the repo?

    That's the biggest question.

  • That's the biggest question.

    Why you do not read at all?

    http://www.personal-view.com/faqs/sony-hack/source-control

  • That didn't provide me with a lot of answers, but nevermind, I was able to pull everything down.

    Thanks anyway.

  • That didn't provide me with a lot of answers, but nevermind,

    Well, it has ALL the answers, including link to tool, direct command and details.

  • Whew.

    Since pulling all the source codes, I've encountered a number of problems

    1: unable to patch on Windows (well, my fault for insisting that patching should be done on Windows; learned my lesson and instead using Kali Linux) 2: unable to build, citing obj\Debug\src\fwtool.o||In function main':| E:\FWTOOL Linux\fwtool\src\fwtool.c|179|undefined reference toux_read_file'| ||=== Build finished: 1 errors, 0 warnings (0 minutes, 1 seconds) ===|

    3: unable to patch on Linux, citing fdat_crypt.c already patched

    What have I done wrong here?

  • On the main board of Sony 55-210 f4.5-5.6 lens ,there is a lens motor driving chip BU24130GU-E2 by ROHM , could anybody share datasheet/manual of this chip with me ?

  • Just found Toshiba TMP19A44 on A55 camera main board , according to A55 level3 repair manual , TMP19A44 is responsibile for E mount communication with lens , did you guys get bin file (firmware) for this TMP19A44 ?

    A55_levels3_TMP19A44.png
    1074 x 702 - 95K
  • @Leegong

    By idea it must be part of firmware. So you need to look at all files after unpacking.

  • @Vitaliy_Kiselev , I agreed with you , there should be one file for TMP19A44 firmware ,
    i disassembly several files in 0800_appli directory , none of them seems to match with TMP19 binary code , maybe it is compressed or encrypted or ... so i just wonder , anybody gets bin file (firmware) for this TMP19A44 ?

  • So did anyone ever managed to flash a repacked firmware onto gen 3 devices with the fwtool + patch?

    Decrypting works perfrectly, but even if I use the original FDAT_fw.tar and rename it to FDAT_fw.mod.tar, the repacking runs without errors, but then right before the tool would detect my camera (the first time I click NEXT) I get this, but only when the camera is connected: "The update is aborted due to an error during the process. Follow the following procedures. (remove hardware, reboot camera, reboot the software, etc)"

    Running the original fw update tells me there's no need to update, so it's not the detection of my camera.

    I will eventually want to change the language on my sony a6000, and in theory I know how to do that, but until repacking gets sorted out there's no point :S After failing to apply the patch with tortoisemerge and a bunch of others (even gnu patch for windows), I applied the patch BY HAND (dont judge ;_;) I've found that one thing is missing from the patch to be able to build, you have to add "fwt_uxbrowse.c" and "fwt_uxbrowse.h" to the cbp file, just like it adds fdat_cipher_gen3.h and .c

    Later I might dig into the source, I'm assuming only unpacking is implemented for gen 3 properly. I've done some programming before, but never played around with other people's code. A couple of months and I will get it ;)

  • To apply the patch, use "patch -p1 -i patchfile.diff". On windows, you can download the patch binary here: http://gnuwin32.sourceforge.net/packages/patch.htm (make sure the diff file has windows style line endings)

    The build is already broken in version control, just add the fwt_uxbrowse files to your project.

    Repacking should also work for gen3 firmware. Make sure you not only rename FDAT_fw.tar to FDAT_fw.mod.tar, but also FDAT_fs00.fsimg to FDAT_fs00.mod.fsimg.

    As always, be careful. It is too damn easy to brick your camera this way.

  • Thank you ma1co Sadly, the problem persists. I really got my hopes up when reading your reply, just to fail again :)

    Here's the steps I'm doing: (fwtool.exe and update.exe file in the same folder)

    1. cmd: fwtool Update.exe
    2. -- success
    3. rename FDAT_fw.tar to FDAT_fw.mod.tar
    4. rename FDAT_fs00.fsimg to FDAT_fs00.mod.fsimg
    5. cmd: fwtool -c Update
    6. --success
    7. camera plugged in, turned on, run the update
    8. gif attachment related
    fwupdate.png
    959 x 745 - 75K
    fwupdate.gif
    611 x 422 - 185K
  • Sry, I can't really help you, it works fine for me (at least until the version check, I didn't actually flash the firmware).

    I don't really think that the actual firmware image is the issue, it's rather your USB connection. If the .dat container was corrupted, another error would be shown in the beginning. If the actual encrypted fdat image was corrupted, this would only be detected during the version check one step later.

    Maybe make sure that FirmwareData_Original.dat.save and FirmwareData_NexHack.dat have exactly the same size and almost the same content (just some bytes near the beginning (the version) and some bytes in the end (the checksum) should be different).

    Maybe try flipping the 2 files. Theoretically you should have the same problem with the original image.

  • It's not the USB connection.

    The 2 files have the same size, and when I swap them, the updater works (or at least checks the version)

    I thought maybe I messed something up by patching by hand, but then it would probably either wouldn't build or wouldn't work at all.

    I couldn't get the patcher to work, once I try to run it with the diff file, it crashes.

    I attached how the beginning of the two files look like. Is this normal?

    hex.png
    1557 x 957 - 194K
  • You definitely messed up with the code. The first ~512 bytes of your file are encrypted with the wrong key. Lines 0xf0 to 0x280 should be the same in both files (each line is an encrypted block of 16 bytes set to zero, so it should yield the same result every time). So check that you've applied the patch correctly!

    As I said in my previous post, for the patch command to work on windows, you have to replace all line endings (\n) with \r\n in the diff file. I guess that's why it crashes.

  • Somehow I missed the importance of line endings. Patch works now, repacking works, updating works.

    Now, I've read on nex-hacks that after making the changes you want, you can just put everyting back into a .tar with 7-zip, but I've noticed that this of course heavily messes up permission attributes.

    I can tell the original attributes are stored in a text file next to the extracted folder. How should I go packing it up properly after making the changes?

    What I'm trying to accomplish in the end is to set the default language to english. As far as I understand, all I have to do is swap the *_J1 file in the backup folder with the *_ALLLANG (so swap their names) and do the same in the sum file.

    EDIT1: I've managed to put everything back together properly on debian, with the modified tar utility explained in /faqs/sony-hack/languages. I was a little bit worried since the new tar file came out 2kb bigger, but I did it anyway. It took its time but the camera finished updating without any issue, and now the version says 3.11 in camera menu too, but doing a factory reset didn't change the language...

    Maybe they prevented this mod somehow? Or I should use another file instead of ALLLANG as J1.

    I'll experiment more tomorrow, I'm going to sleep now.

  • After soft bricking twice and flashing 5 different mods successfully, I wasn't able to get any other language. I've tried:

    • swapping _UC2.bin with _J1.bin
    • swapping ALLLANG.bin, twice
    • replacing every bin with the ALLLANG.bin (no boot)
    • editing the files, swapping their names there too, as the header contains it (see attachment).

    Of course I made a factory reset after every update.

    I've got no other idea, I just assume they noticed and essentially eliminated this easy way of modifying the japanese unit's language in ILCE-6000. Or maybe I'm just missing something here.

    bindiff.png
    1245 x 482 - 65K