Lumix G9 firmware reverse engineering
  • Hey there, I recently got myself a Lumix G9 and was keen to look into the firmware. I'm hitting a roadblock, but maybe somebody can help me :)

    The .bin firmware you can download from Panasonic (https://av.jpn.support.panasonic.com/support/share2/eww/com/dsc/fts/zip/G9___V22.zip) has the "UPD " magic, followed by 8 bytes I couldn't associate, and then what seems like a product identifier "MC471" (MC = mirrorless camera?)

    The interesting stuff starts at 0x2EC, where something which looks like a partition table starts. This section is 4884 bytes long (including some padding I believe) and contains 48 partitions which I managed to reverse engineer:

    #include <stdint.h>

    // 92 bytes - index entry of the partition listing
    struct partitionIndexEntry {
        char     name[12];       // 12 bytes - name of the partition
        uint32_t offsetFile;     // 4 bytes - offset in the firmware file
        uint32_t size;           // 4 bytes - size of the partition
        uint32_t offsetMemory;   // 4 bytes - offset in the memory on the camera
        uint32_t encryption;     // 4 bytes - whether the partition is encrypted (0x3) or not (0x2)
        char     checksum[32];   // 32 bytes - SHA-256 checksum of unencrypted partitions?
        char     key[16];        // 16 bytes - encryption key?, if encryption == 0x3
        char     padding[16];    // 16 bytes - padding
    };

    Reading that in with my custom C tool I've written for this logs out 48 partitions with their offset (in the firmware file, the real data starts at 0x1600) and size. I added automatic dd'ing so I now have 48 .bin files which are the extracted partitions out of the big firmware file. Adding all the sizes of the partitions together is also exactly the size of the original .bin minus the 0x1600/5120 bytes at the beginning which are the headers and partition table. You can download the extracted partition files here: https://drive.google.com/file/d/1P4681aZkRlCUuaiL10nH_En1g70iRLKS/view

    Now, they obviously seem to be encrypted, and I haven't been able to figure out how. As you can see I was thinking whether the 16 byte long key in the partition index might be a key, because it's filled with zeros if encryption is 0x2.

    This is my progress, I greatly appreciate any hints!
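A parser for the partition index as reverse engineered in the post, added here as an example (not the poster's C tool). It assumes little-endian integers, walks the 92-byte entries from 0x2EC until the zero padding, checks that the sizes add up to the file size minus 0x1600, and tests the hypothesis that the 32-byte field is the SHA-256 of unencrypted (0x2) partitions; the sample image is constructed, not real G9 data.

```python
import hashlib
import struct
from typing import Dict, List, NamedTuple

# Layout from the post; little-endian integers are an assumption (a C tool on x86 reads them that way)
INDEX_OFFSET, ENTRY_SIZE, DATA_START = 0x2EC, 92, 0x1600
ENTRY_FMT = "<12siiii32s16s16s"   # name, offsetFile, size, offsetMemory, encryption, checksum, key, padding
ENC_PLAIN, ENC_ENCRYPTED = 0x2, 0x3

class Entry(NamedTuple):
    name: str
    offset_file: int
    size: int
    offset_memory: int
    encryption: int
    checksum: bytes
    key: bytes

def parse_index(fw: bytes) -> List[Entry]:
    """Read 92-byte entries from 0x2EC until the zero-filled padding (or DATA_START) is reached."""
    entries, pos = [], INDEX_OFFSET
    while pos + ENTRY_SIZE <= DATA_START:
        name, off, size, mem, enc, chk, key, _pad = struct.unpack_from(ENTRY_FMT, fw, pos)
        if not name.rstrip(b"\0"):
            break
        entries.append(Entry(name.rstrip(b"\0").decode("ascii"), off, size, mem, enc, chk, key))
        pos += ENTRY_SIZE
    return entries

def check_layout(fw: bytes, entries: List[Entry]) -> bool:
    """The post's sanity check: partitions lie inside the file and their sizes sum to len(fw) - 0x1600."""
    if any(e.offset_file < DATA_START or e.offset_file + e.size > len(fw) for e in entries):
        raise ValueError("partition lies outside the file")
    return sum(e.size for e in entries) == len(fw) - DATA_START

def verify_checksums(fw: bytes, entries: List[Entry]) -> Dict[str, bool]:
    """Test the post's hypothesis: checksum == SHA-256 of the partition for unencrypted (0x2) entries."""
    return {e.name: hashlib.sha256(fw[e.offset_file:e.offset_file + e.size]).digest() == e.checksum
            for e in entries if e.encryption == ENC_PLAIN}

def build_sample() -> bytes:
    """Constructed image with two partitions (not real G9 data) so the parser can run offline."""
    parts = [("BOOT", b"A" * 64, ENC_PLAIN, b"\0" * 16), ("APP", b"\x5a" * 100, ENC_ENCRYPTED, b"k" * 16)]
    header, body, pos = bytearray(DATA_START), b"", INDEX_OFFSET
    header[0:4] = b"UPD "   # magic seen at the start of the real file
    for name, data, enc, key in parts:
        chk = hashlib.sha256(data).digest() if enc == ENC_PLAIN else b"\0" * 32
        struct.pack_into(ENTRY_FMT, header, pos, name.encode(), DATA_START + len(body), len(data),
                         0x40000000 + len(body), enc, chk, key, b"\0" * 16)
        body, pos = body + data, pos + ENTRY_SIZE
    return bytes(header) + body
```

Running it on the real G9___V22 .bin instead of build_sample() would show whether any 0x2 entry's checksum matches, which settles the SHA-256 question for the unencrypted partitions.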

  • Nice work.

    Issue is encryption, as it is serious and key is inside encrypted parts :-)

    So, only way to get it is to have unencrypted firmware dump.

  • So, only way to get it is to have unencrypted firmware dump.

    Bummer, I bet we can only get it by cracking open the camera and finding some debug pads?

  • @jverbeek

    I think such do not exist.

    So only way is advanced dumping of BGA NAND chip, not easy.

  • What a great camera it would be to patch though....

  • Please don't get discouraged and abandon it, I've been digging on the GH5s firmware files for fun without much luck because I'm in the hardware field rather than software, this gives me hope

  • @bbcello

    I've been digging on the GH5s firmware files for fun without much luck because I'm in the hardware field rather than software,

    Can you explain what you tried to do?

  • Can you explain what you tried to do?

    Mostly n00b things that would give you a chuckle, like noting/testing the HTTP commands that people have discovered after failed binwalk and Ghidra attempts on the firmware files. I had a surge of inspiration from reversing the serial comms from a gimbal focus motor back in March and wanted to attempt to find out if the Vlog-L profile was capped in range. Sadly I'm not good at software reversing lol

  • @bbccello

    Do you mean working with firmware update available on site?

    Or do you only do HTTP commands connecting the camera to a computer?

  • I got a question for jverbeek, I was talking to an EE guy from work who has tons of experience dumping flash data... if I were to experiment on a spare GH4 board and dump the NOR firmware would you consider taking a look at the dumps? I think the Panasonic firmware is all structured similarly, because I found the same listed table contents as you did in your G9 from looking at my GH4 and GH5s firmware bin files

  • @bbcello

    A lot of Panasonic cameras actually have a custom chip on top of the main LSI that has both NAND and DRAM.

    And it is not NOR, it is NAND.

    The structure of the firmware in the encrypted file and on the NAND chip has almost nothing in common.

  • That's really discouraging, in your opinion... do you think Vlog-L is a capped profile and could be optimized further? My biggest hunch on this is with the release of the BGH1 where they reused the GH5s sensor and said they 'upgraded' the Vlog-L profile which shows an obvious increase in range.

  • Hey there. After a hiatus, I got my hands on a BGA NAND dump of a Lumix G9. Binwalking through that gives me a lot of interesting results. @bbcello the problem would be how to get the modified firmware back on the NAND. I really wouldn't recommend flashing anything on a NAND, as just one byte offset will brick the whole device.

  • Here are a few interesting finds in the G9 NAND dump:

    - Uses YAFFS and Squash filesystems a lot (can also be a false positive, however a lot of the filesystems are actually dated 2018-03-28 which sounds plausible)
    - CPU is ARM, I can see a Linux executable zImage for ARM
    - A lot of JPEG image data (probably icons for the UI or false positives)
    - Some references to C++ code for deep learning!
    - A CramFS (ram filesystem) containing 4477506 files, probably the most interesting thing

  • Not sure what most of that means, but as a G9 owner it seems exciting!

  • @jverbeek

    That's really exciting! Any way I could get a copy of that for snooping?

  • I can assure you that it looks legit, but it needs a lot of work.

  • A G9 hack would be awesome cos it would bring a GH5 hack and that would be also great. I must admit though they have the same sensor and LSI so...

  • @jverbeek

    How does this data compare to the partition table of the firmware file you spliced up?

  • Panny Secret Service already kidnapped him...

  • I want hack for time limit. Thank you.

  • Hi, I was offered a G9 that does not have the language that I want in the menu, is there some way to unlock languages?