Lumix G9 firmware reverse engineering
  • Hey there, I recently got myself a Lumix G9 and was keen to look into the firmware. I'm hitting a roadblock, but maybe somebody can help me :)

    The .bin firmware you can download from Panasonic (https://av.jpn.support.panasonic.com/support/share2/eww/com/dsc/fts/zip/G9___V22.zip) has the "UPD " magic, followed by 8 bytes I couldn't associate, and then what seems like a product identifier "MC471" (MC = mirrorless camera?).

    The interesting stuff starts at 0x2EC, where something which looks like a partition table starts. This section is 4884 bytes long (including some padding I believe) and contains 48 partitions which I managed to reverse engineer:

    #include <stdint.h>

    // 92 bytes - index entry of the partition listing
    struct partitionIndexEntry {
        char     name[12];      // 12 bytes - name of the partition
        uint32_t offsetFile;    // 4 bytes - offset in the firmware file
        uint32_t size;          // 4 bytes - size of the partition
        uint32_t offsetMemory;  // 4 bytes - offset in the memory on the camera
        uint32_t encryption;    // 4 bytes - whether the partition is encrypted (0x3) or not (0x2)
        uint8_t  checksum[32];  // 32 bytes - SHA-256 checksum of unencrypted partitions?
        uint8_t  key[16];       // 16 bytes - encryption key?, if encryption == 0x3
        uint8_t  padding[16];   // 16 bytes - padding
    };                          // 12 + 4*4 + 32 + 16 + 16 = 92 bytes, no compiler padding needed

    Reading that in with my custom C tool I've written for this logs out 48 partitions with their offset (in the firmware file, the real data starts at 0x1600) and size. I added automatic dd'ing, so I now have 48 .bin files which are the extracted partitions out of the big firmware file. Adding all the sizes of the partitions together is also exactly the size of the original .bin minus the 0x1600/5120 bytes at the beginning which are the headers and partition table. You can download the extracted partition files here: https://drive.google.com/file/d/1P4681aZkRlCUuaiL10nH_En1g70iRLKS/view

    Now, they obviously seem to be encrypted, and I haven't been able to figure out how. As you can see, I was wondering whether the 16-byte key in the partition index might be a key, because it's filled with zeros if encryption is 0x2.

    This is my progress, I greatly appreciate any hints!
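As an added example, not the poster's C tool, here is a Python parser for the 92-byte index layout described above, together with the consistency checks the post leans on (sizes summing to the file size minus 0x1600, a zero key when encryption == 0x2) and a test of the guess that the checksum field is the SHA-256 of an unencrypted partition. Little-endian byte order and absolute file offsets are assumptions, and the two-partition image is constructed, not a real Panasonic file.

```python
import hashlib
import struct

# Post's layout: "UPD " magic, 92-byte entries from 0x2EC, payload from 0x1600; 0x1600 - 0x2EC = 4884.
TABLE_OFFSET = 0x2EC
DATA_OFFSET = 0x1600
# Little-endian integers are an assumption (ARM target; the post does not state byte order).
ENTRY_FMT = "<12sIIII32s16s16s"
ENC_PLAIN, ENC_ENCRYPTED = 0x2, 0x3

def parse_partition_table(fw, count=48):
    """Return the index entries; offsetFile is taken as an absolute file offset (assumption)."""
    if fw[:4] != b"UPD ":
        raise ValueError("bad magic")
    entries = []
    for i in range(count):
        fields = struct.unpack_from(ENTRY_FMT, fw, TABLE_OFFSET + i * struct.calcsize(ENTRY_FMT))
        name, off_file, size, off_mem, enc, chk, key, _pad = fields
        entries.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "size": size,
                        "offset_file": off_file, "offset_memory": off_mem,
                        "encryption": enc, "checksum": chk, "key": key})
    return entries

def check_table(fw, entries):
    """Consistency checks the post relies on; returns a list of problems (empty when clean)."""
    problems = []
    if sum(e["size"] for e in entries) != len(fw) - DATA_OFFSET:
        problems.append("partition sizes do not sum to file size minus 0x1600")
    for e in entries:
        if e["encryption"] == ENC_PLAIN and e["key"] != bytes(16):
            problems.append(f"{e['name']}: plain partition carries a non-zero key")
        if e["offset_file"] < DATA_OFFSET or e["offset_file"] + e["size"] > len(fw):
            problems.append(f"{e['name']}: data range lies outside the image")
    return problems

def verify_plain_checksum(fw, e):  # tests the post's guess: checksum = SHA-256 of plaintext
    if e["encryption"] != ENC_PLAIN:
        return None  # cannot be checked without the plaintext
    data = fw[e["offset_file"]:e["offset_file"] + e["size"]]
    return hashlib.sha256(data).digest() == e["checksum"]

def build_sample_image():  # constructed two-partition image, not a real Panasonic file
    parts = [(b"BOOT", b"plain boot code\0" * 4, ENC_PLAIN, bytes(16)),
             (b"MAIN", bytes(range(256)) * 2, ENC_ENCRYPTED, b"\x11" * 16)]
    table, payload = b"", b""
    for name, data, enc, key in parts:
        chk = hashlib.sha256(data).digest() if enc == ENC_PLAIN else bytes(32)
        table += struct.pack(ENTRY_FMT, name, DATA_OFFSET + len(payload), len(data),
                             0x10000000 + len(payload), enc, chk, key, bytes(16))
        payload += data
    header = (b"UPD " + bytes(8) + b"MC471").ljust(TABLE_OFFSET, b"\0")
    return header + table.ljust(DATA_OFFSET - TABLE_OFFSET, b"\0") + payload
```

On a real image call parse_partition_table with the default count of 48 and run check_table before trusting any offset for extraction.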

  • 28 Replies
  • Never mind.

  • DrDave, sorry, I was sleep-deprived for both of those posts, and in the second sorta forgot this started from the G9 question. I am not sure what you mean by service menu, but are you referring to the G9 or the G7?

  • @mee Did you try the service menu? On mine I could change almost all settings with the service menu, including pal/ntsc and remove the time limit. I'm not referring to the menu but the service menu.

  • @DrDave I can't speak to each country's version, but in Japan the ability to change to English in the menu did not come until the G8, aka G85 or whatever the successor to the G7 was called in each country. G8 in Japan. For CP+ 2018 Panasonic lent me a US and a Japanese G8/G85, and Panasonic upper management changed the Japanese version to English in front of me. After that I changed many in shops for testing, but went with the G7 because at the time it was about 30,000 yen used ($300) versus the then new price of about 80,000 yen for the G8. Interesting to see the G7 rise in price recently above that of 3 years ago.

    In short, you can get a G8 on a good day for roughly the same price as a G7, so if you need English either get a G7 from an English-speaking country or get a G8/G85/G89/80 etc... Essentially the same camera with stabilization and a few other features. Stabilization rivals that of the G9 in my experience.

  • @mee Can't you change the language of the G7 with the service menu?

  • Videoist, the short answer is no. Personally I used a G7 for 2 years that only spoke Japanese. I watched videos of the English menu page by page to memorize and map the functions I needed most frequently. Yes, it was still a challenge at times, but mostly it became second nature within a few months, and was actually not such a big deal. Cameras that we use daily or at least weekly are actually more about muscle memory and spatial memory than they are about reading.

  • @Vitaliy I still have hope for the GH3 hack which should be out soon :) That's what I got this camera for...

  • Hi, I was offered a G9 that does not have the language I want in the menu. Is there some way to unlock languages?

  • I want hack for time limit. Thank you.

  • Panny Secret Service already kidnapped him...

  • @jverbeek

    How does this data compare to the partition table of the firmware file you spliced up?

  • A G9 hack would be awesome because it would bring a GH5 hack, and that would also be great. I must admit, though, they have the same sensor and LSI so...

  • I can assure you that it looks legit, but it needs a lot of work.

  • @jverbeek

    That's really exciting! Any way I could get a copy of that for snooping?

  • Not sure what most of that means, but as a G9 owner it seems exciting!

  • Here are a few interesting finds in the G9 NAND dump:

    - Uses YAFFS and SquashFS filesystems a lot (can also be a false positive, however a lot of the filesystems are actually dated 2018-03-28, which sounds plausible)
    - CPU is ARM, I can see a Linux executable zImage for ARM
    - A lot of JPEG image data (probably icons for the UI or false positives)
    - Some references to C++ code for deep learning!
    - A CramFS (ram filesystem) containing 4477506 files, probably the most interesting thing

  • Hey there. After a hiatus, I got my hands on a BGA NAND dump of a Lumix G9. Binwalking through that gives me a lot of interesting results. @bbcello the problem would be how to get the modified firmware back onto the NAND. I really wouldn't recommend flashing anything onto a NAND, as an offset of just one byte will brick the whole device.

  • That's really discouraging. In your opinion... do you think Vlog-L is a capped profile and could be optimized further? My biggest hunch on this is with the release of the BGH1, where they reused the GH5s sensor and said they 'upgraded' the Vlog-L profile, which shows an obvious increase in range.

  • @bbcello

    A lot of Panasonic cameras actually have a custom chip on top of the main LSI that has both NAND and DRAM.

    And it is not NOR, it is NAND.

    The structure of the firmware in the encrypted file and on the NAND chip have almost nothing in common.

  • I got a question for Jverbeek. I was talking to an EE guy from work who has tons of experience dumping flash data... if I were to experiment on a spare GH4 board and dump the NOR firmware, would you consider taking a look at the dumps? I think the Panasonic firmware is all structured similarly, because I found the same listed table contents as you did in your G9 from looking at my GH4 and GH5s firmware bin files.

  • @bbcello

    Do you mean working with the firmware update available on the site?

    Or do you only do HTTP commands, connecting the camera to a computer?

  • Can you explain what you tried to do?

    Mostly n00b things that would give you a chuckle, like noting/testing the HTTP commands that people have discovered after failed binwalk and Ghidra attempts on the firmware files. I had a surge of inspiration from reversing the serial comms of a gimbal focus motor back in March and wanted to attempt to find out if the Vlog-L profile was capped in range. Sadly I'm not good at software reversing lol

  • @bbcello

    I've been digging on the GH5s firmware files for fun without much luck because I'm in the hardware field rather than software.

    Can you explain what you tried to do?

  • Please don't get discouraged and abandon this. I've been digging on the GH5s firmware files for fun without much luck because I'm in the hardware field rather than software; this gives me hope.

  • What a great camera it would be to patch though....