Zachariah wrote:



Hello,



I'm a Sony A7II owner and I'm currently thinking about building an AF ring similar to the LM-EA7 from Techart but with better motorisation. I, though, suck at programming. I found the firmware addresses for the LM-EA7 in the Android APK used to upgrade it. This may help you guys in your research on E-mount reverse engineering and also let us talk about the mistakes that may have been made on this ring.

LM-EA7,Firmware for LM-EA7 Ver6.0.0 20180105,http://www.techart-logic.com/g-nex3/firmware/lm-ea7/m-nex180105.bin ,38603

LM-EA7,Firmware for LM-EA7 Ver5.0.0 20170214,http://www.techart-logic.com/g-nex3/firmware/lm-ea7/m-nex170511.bin ,42745

LM-EA7,Firmware for LM-EA7 Ver4.0.0 20160905,http://www.techart-logic.com/g-nex3/firmware/lm-ea7/m-nex160905.bin ,7942

LM-EA7,Firmware for LM-EA7 Ver3.0.0 20160626,http://www.techart-logic.com/g-nex3/firmware/lm-ea7/m-nex160626.bin ,36800

LM-EA7,Firmware for LM-EA7 Ver2.0.0 20160415,http://www.techart-logic.com/g-nex3/firmware/lm-ea7/m-nex160415.bin ,51154

LM-EA7,Firmware for LM-EA7 Ver1.0.0 20160320,http://www.techart-logic.com/g-nex3/firmware/lm-ea7/m-nex160320.bin,8519

Under the assumption that the LM-EA7 uses the same controller as the old EOS-NEX III - those firmwares are most likely for a TI CC2540 (8051 microcontroller).



The EOS-NEX III, as bad as it was, probably would have some useful hints if its firmware were disassembled, as:

1) It has a known microcontroller with a publicly available datasheet

2) It has the ability to perform rudimentary native emulation

3) If I recall correctly, firmware for it was not encrypted. There was a strange pad of random garbage or zeroes at the beginning of the file, but eventually you'd see what was clearly an 8051 interrupt jump table.



IIRC the interrupt jump table was at offset 0x2000 - prior to that (now that I'm looking at it in ghex), there were a bunch of repeating counters from 0x00 to 0xff...



The firmware URLs can be pulled from http://www.techart-logic.com/g-nex3/firmware/firmware.txt



Interestingly there are now references to an EOS-NEXplus?



The Viltrox firmwares are encrypted with what appears to be a block cipher in ECB mode that likely encrypts plaintext zeroes to:

7747 b9de 4b55 15ca aa87 e858 7be5 2a3c



Given that they're bothering to encrypt their firmware, the chances of them not only decrypting it but opening up source code are slim to none. I really would prefer if we not antagonize people whose engineering practices make it pretty clear they're unlikely to be sympathetic to our cause.



Edited by Entropy512 - 30 May 2019 at 12:57
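As an added example (not the thread's own tooling), a small Python triage script that applies the two heuristics from the post above: counting repeated 16-byte blocks to flag an ECB-encrypted image and its likely "encrypted zeroes" block, and measuring a leading 0x00..0xff counter pad of the kind described before the 8051 interrupt table. The 16-byte block size is an assumption (the post names no cipher), the sample images are constructed, and the quoted block value is the one from the post.

```python
import random
from collections import Counter

BLOCK = 16  # assumed block size; the post does not name the cipher

def repeated_blocks(data, block=BLOCK):
    """Count identical block-aligned chunks, ignoring constant fill blocks
    (all 0x00 / all 0xFF), which repeat in plaintext images too. Under ECB,
    identical plaintext blocks give identical ciphertext blocks, so a run of
    zero padding shows up as one non-trivial block repeated many times."""
    chunks = (data[i:i + block] for i in range(0, len(data) - block + 1, block))
    counts = Counter(c for c in chunks if len(set(c)) > 1)
    return [(c.hex(), n) for c, n in counts.most_common() if n > 1]

def ecb_zero_candidate(data, block=BLOCK):
    """Most-repeated block (candidate for E(0...0)) and its share of all blocks."""
    reps = repeated_blocks(data, block)
    if not reps:
        return None
    return reps[0][0], reps[0][1] / max(1, len(data) // block)

def counter_pad_length(data):
    """Bytes of leading 0x00..0xff counter pad, in whole 256-byte periods."""
    period, n = bytes(range(256)), 0
    while data[n:n + 256] == period:
        n += 256
    return n

def triage(data):
    pad = counter_pad_length(data)
    ecb = ecb_zero_candidate(data[pad:])  # judge the payload, not the pad
    return {"counter_pad_bytes": pad,
            "likely_ecb": ecb is not None and ecb[1] > 0.05,
            "top_block": ecb[0] if ecb else None}

def make_samples():
    """Constructed images for demonstration only (not real firmware)."""
    rng = random.Random(7)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    enc_zero = bytes.fromhex("7747b9de4b5515caaa87e8587be52a3c")  # block from the post
    ecb_like = noise(16 * 40) + enc_zero * 24 + noise(16 * 40)
    # 0x2000 bytes of counter pad, then an 8051 LJMP (opcode 0x02) standing in for a vector table
    pad_8051 = bytes(range(256)) * 32 + b"\x02\x20\x03" + noise(1024)
    return ecb_like, pad_8051

if __name__ == "__main__":
    for img in make_samples():
        print(triage(img))
```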









I agree the EOS-NEX III is probably a better option to reverse engineer and that CPU is a TI CC2540. Then again I don't have the skills to actually do that work. I'm a complete newbie to IDA. Leegong, I see the L2B07 struct in there with ARM little endian thumb mode; it looks longer than the lengths I see in actual packets. Going forward, if I were to get an EOS-NEX III or Tamron 28-75 and interrogate it using my tooling, would that provide useful hints for you to work on the reverse engineering of its firmware?



Edited by bostwickenator - 01 June 2019 at 02:22

bostwickenator wrote:



I agree the EOS-NEX III is probably a better option to reverse engineer and that CPU is a TI CC2540. Then again I don't have the skills to actually do that work. I'm a complete newbie to IDA. Leegong, I see the L2B07 struct in there with ARM little endian thumb mode; it looks longer than the lengths I see. Going forward, if I were to get an EOS-NEX III or Tamron 28-75 and interrogate it using my tooling, would that provide useful hints for you to work on the reverse engineering of its firmware?

I definitely used to have packet traces of the Techart III, I can't remember if my unit is still functional... The switch is definitely broken, that's for sure!



I got my capture setup working again a week or two ago, HOWEVER I need to update my sigrok protocol decoder for the new v3 decoder API - I've known this needed to be done for a while but kept on putting it off; v2 support is now removed so I have to do this. At least it'll make decoding data faster once I DO finish.



I might work on it this weekend, the weather isn't looking very nice. :)

From what I determined with my cheap EF-NEX adapter, they pretend to be an LA-EA3 or LA-EA4. Things we learn there might not apply to all lens operation modes but may still be valuable.



I suspect the firmware for the EOS-NEX III looks odd because there is some firmware for the bluetooth radio module in that same bundle.



FYI I've made some progress with the Teensy based approach. It's capable of talking at both low and high bauds and logging data for all the lenses I've got here. I've also worked with Dashie on getting him set up and he is now able to replicate what I've got working here.



Anyway I'm happy to buy whatever hardware I need so that we have something more than one of us can work on in isolation. Leegong, I've been in discussions with the Nikon hacker guys (one of whom it turns out I shared an office with) and they say you are a wizard, so whatever I can do to help get you some progress I will do. If I have to buy a really nice lens in the process I think I can deal with that ;). Before that though, what do you think about Entropy512's suggestion about the Techart firmwares as targets for our effort?







Edited by bostwickenator - 30 May 2019 at 23:05

Oh wow, I just found something else great: http://viltrox.com/en/index.php?m=index&a=content&cid=119. In their firmware upgrade process you plug in the lens, which mounts as a flash drive, and you drag and drop the bin onto it. IDA appears to be able to pull this binary apart very easily; I think even I can find the firmware upgrade version check routines. I've got the files saved in case they disappear.

bostwickenator wrote:



Oh wow, I just found something else great: http://viltrox.com/en/index.php?m=index&a=content&cid=119. In their firmware upgrade process you plug in the lens, which mounts as a flash drive, and you drag and drop the bin onto it. IDA appears to be able to pull this binary apart very easily; I think even I can find the firmware upgrade version check routines. I've got the files saved in case they disappear.

Wait... It does???



Which version are you looking at?



As I mentioned, the versions I've looked at STRONGLY hint at being encrypted with a block cipher in ECB mode, I thought I had posted what is likely the "encrypted zeroes" pattern this morning?



So if you've found a firmware image that's not encrypted... That's big...









bostwickenator wrote:



From what I determined with my cheap EF-NEX adapter, they pretend to be an LA-EA3 or LA-EA4. Things we learn there might not apply to all lens operation modes but may still be valuable.



Nearly everything on the market emulates an LA-EA3 (or at least attempts to) - I generally call this "legacy adapter emulation".



Known exceptions:

MC-11 when an SGV lens is attached - probably the only half-decent native emulation implementation, and even it has serious deficiencies

Metabones in "advanced" mode (sets lots of fields to 0x00 - which probably means "invalid/not present")

Techart III in "Fn" mode (hardcodes a lot of fields, many to definitively wrong values, IIRC I've got a post in the dpreview thread linked from the first post here that covers one such example with the focus position)

Viltrox IV in "CDAF" mode

The new Yongnuo adapter in "Multi-focus" mode





I suspect the firmware for the EOS-NEX III looks odd because there is some firmware for the bluetooth radio module in that same bundle.



I suspect some sort of "padding" for something the bootloader chooses not to overwrite. It's definitely not firmware for the BT radio - it's a repeating pattern of 0x00 counting up to 0xff and then wrapping around, up to offset 0x2000 - that appears to be where the interrupt table lies. I *think* (will check this weekend) the table appeared to be relative, OR it was "absolute with a 0x2000 offset" - I can't remember exactly, will look again.





FYI I've made some progress with the Teensy based approach. It's capable of talking at both low and high bauds and logging data for all the lenses I've got here. I've also worked with Dashie on getting him set up and he is now able to replicate what I've got working here.



NICE. Especially nailing the baudrate changes (although Leegong found some great pointers for those...)! I have a Teensy, haven't had the time to get it up and running yet.





Anyway I'm happy to buy whatever hardware I need so that we have something more than one of us can work on in isolation. Leegong, I've been in discussions with the Nikon hacker guys (one of whom it turns out I shared an office with) and they say you are a wizard, so whatever I can do to help get you some progress I will do. If I have to buy a really nice lens in the process I think I can deal with that ;). Before that though, what do you think about Entropy512's suggestion about the Techart firmwares as targets for our effort?



The Techart firmwares will definitely give some hints, but as a warning: We KNOW that some of what they're doing is wrong. However "wrong but accepted by the body" is probably farther than where we are now. :)



The big thing is - the Techart firmwares seem to be unencrypted AND with a known microcontroller.



And yeah - leegong's reputation gets around. I'm very happy to have him around here, his input was HIGHLY beneficial as far as correcting some false assumptions I had made.

I'm looking at the firmware for their E-mount 85mm lens, not one of their adapters. It starts with RAIKAGE'S PRODUCT FIRMWARE and I've gone through and inspected most of it in IDA; it's not encrypted. It's ARM little endian btw. I think this is a really good candidate because it's simple: it's not doing complicated AF work and not implementing both the EF and E protocols. We can validate a lot of assumptions using it.

Hi, bostwickenator:

I think Entropy512's suggestion about the Techart firmware is nice; however, in my opinion, reversing the Sigma MC-11 firmware is much more worthwhile.

Regarding the TAMRON A036 firmware, it's almost the only way to identify the MCU model number and get the datasheet of the MCU; then we'll be able to understand the definition of the MCU registers (base address is 0x40000000). These registers are strongly and widely related to camera-lens communication messages; if we understand the definition of these registers, for sure we'll understand lots of the E-mount protocol.

BTW, I'm also reversing Nikon Z7 firmware at NikonHacker.



Edited by Leegong - 31 May 2019 at 08:50

The MC-11 is definitely the gold standard. Sigma are probably pretty good at protecting their firmware though? Anyway I've got the MC-11 on hand and I don't mind pulling it apart if you need PCB photos for it. I heard you might be a little busy at the moment. Great work over at NikonHacker :D.

You don't need to pull the MC-11 apart; the MCU model in the MC-11 is identified, it's a Japanese Renesas RX series chip.

bostwickenator wrote:



The MC-11 is definitely the gold standard. Sigma are probably pretty good at protecting their firmware though? Anyway I've got the MC-11 on hand and I don't mind pulling it apart if you need PCB photos for it. I heard you might be a little busy at the moment. Great work over at NikonHacker :D.

I'm not so sure if Sigma is actually protecting the firmware that well - if I recall correctly, leegong has already picked it apart somewhat?



I recall a post earlier in this thread that I thought had contained discoveries from the MC-11 firmware. However my memory could be wrong?

Geez I think I need to start writing a monthly progress report or something so I don't keep missing things. It's such a sprawling project it's hard to keep all the bits straight. I'll go back and review what we got from the MC-11.