Personal View site logo
Make sure to join PV on Telegram or Facebook! Perfect to keep up with community on your smartphone.
Sony NEX-5 firmware language hack, japanese, change language J1
  • Hello.

    I apologize in advance for the necroposting (or a sort of). But I bought used Sony Nex-5 just 2 weeks ago. This is the version for the Japanese region without the ability to change the language. I have searched many forums and resources in an attempt to change it. I know it was possible in the past, but at the moment all the links are outdated and I can't find the patcher (I believe that is the only way to deal with J1 version).

    I downloaded the fwtool and unpacked the firmware, but in my case there are no separate language files and there is no backup folder. I analyzed all the files and realized that all messages are stored in the executable main file. This is an elf file, so I analyzed its resources, and I see that all the necessary string lines are already there. At first, I thought just to replace the Japanese strings with Russian or English, but the number of strings for different languages ​​is different, that is, in English, let's say 4000 string resources and in Russian 6000. This is probably due to the fact that the text takes up space on the camera screen and where for one language must be written in several lines, for another one is enough.

    There were patchers on the old, now defunct sites, and on the old forums they claim that the nex-5 patcher only changes 6 bytes and 3 bytes of the checksum. Therefore, I concluded that it is more correct not to replace string resources, but to correct the language or region definition code.

    I installed the IDA disassembler and began to study the main file. I am a programmer, but my knowledge is not enough to find the right piece of code. Please, can someone still have a patcher for nex-5 or nex-3, please share. Firmware that would change the language - it doesn't matter to Russian or English will go as well. It does not matter if the firmware is obsolete (the last version is 5, but any working Russian/English will work).

    Or maybe one of the developers remembers the keyword or the name of the function that the patcher changed? I'll be very grateful for any clue. I haven't been able to sleep for two weeks now because I'm sure a hack is possible, but I can't seem to find a clue.

    I've already tried everything I could. I searched for files on ftp, on Chinese search engines, on other networks. I started looking for people who wrote posts about successful firmware, but many of them were online 5 years ago. I beg you. Please help. Any help is greatly appreciated.

  • 12 Replies sorted by
  • Try this

    https://www.personal-view.com/faqs/_media/sony-hack/nex3.jap2eng.patcher.zip

    It is from my old nex-hack project.

    I saw on Russian forum here https://www.sony-club.ru/forum/threads/rusifikacija-nex-ov.69669/ mention that NAX-3 patcher works for NEX 5.

  • Thanks a lot!

    I also examined that russian forum in details but, alas, this patcher does not work with Nex-5 firmware as it is. I suppose there is internal check for a model number.
    Still it is of huge value because it allows to understand which bytes should be patched and how.

    So I downloaded Nex-3 firmware, and successfully applied this patcher. Next I used fwtool to unpack both original and patched firmware, got main executables, compared them with winmerge, found the offsets where the patch was actually applied.

    Next I decompiled both mains with IDA, jumped to found offsets and saw the code differences. That code just allocates a list of constants in memory. Patch replaces all 9 or so constants by one (3A18DA00). I think that are the offsets where language data is located for all possible languages, so that now all languages refer to just one, possibly english.

    Well, I expected that patch could be applied to a logic when the region is read from camera. In that case user could choose any language from different region (like from Europe). But it seems replacing constant is easier, and according to old forums that patcher worked just so.

    Next I compared those constants with Nex-5 firmware at the same program offset. And there is no difference between Nex-3 and Nex-5 at those offsets. So yes, technically that patcher should work with Nex-5 (it it would be applied without protection and check for a model).

    So now I plan to apply the patch manually in Hex editor for unpacked Nex-5 firmware, then pack it and test it on my camera. I will write here about the results.

    Once again, thank you, Vitaliy_Kiselev, and all the developers worked on this patch, that was a great job!

  • @Zorl

    Thing I propose is to modify patcher, not firmware.

    Look for checks that patcher is making and make them work with NEX-5 firmware you have (you can make necessary changes in IDA Pro, btw).

    Also it allows to publish result and make it useful for other people.

  • Well... I successfully bricked my camera.

    fwtool does not pack changed data by itself. It seems it requires tar archive as an input. I used 7zip and just put new main inside of old archive and that is wrong approach causing camera to stuck in update firmare mode just after progress bar was nearly at the end.

    I dont understand why nobody wrote that in old and new forums, but after you started firmware update, you can not just stop it (at least it was so in my case), turning camera off and removing battery does not reset camera mode, so I needed to flash any working firmware just to reanimate the camera. So I unpacked normal firmware, renamed FDAT_fw.tar to FDAT_fw.mod.tar, increased minor version and flashed my camera with this firmware returning me to the point I started from.

    Next I compared the original tar and the tar created by 7zip. The file attributes were different (file owner and access to execute is missing). I suppose that is the reason. Sadly there is no messages about it from fwtool command promt (it just says - tar the files).

    -

    As for your proposition. I have strong IT background but I opened IDA a couple of days ago first time in my life. I am sure, everything is possible and even easy if you already did it before. But if I could analyse and change the code in the patcher, I suppose I could just find the code of getting region in main firmware (may be that would take a little bit more time, but the tasks are the same in general - there is condition in logic, so I need just debug the code in my mind and follow the instructions until I find the necessary condition). So, I decided to keep that way as a plan B, if everyting else will not work.

    When I have got a firmware for J1 in english, it will be easier to just calculate the difference and create new patcher applying just it. I dont think we will get any new official firmware from sony, so the firmware you want to apply will be the last one for you anyway. I will share with the result when I get it.

    -

    For now I am trying to understand how to pack tar correctly. I am not sure that is possible under windows. But lets see...

  • @Zorl

    Changing patcher is much more safe and simple thing.

    As you can even use build in debugger to find why it is not accepting firmware. Just simple procedure to find comparison.

  • Working with IDA was not very difficult indeed. There are several checks. First I located the code causing error message "Incorrect firmware", bypassed it with inconditional jump, then I located another message "Corrupted firmware", bypassed it as well, then I have got "Stream read error" after patching. I think that is dead end.

    The logic of the patcher is more complex than we expect and it seems it assumes some structures specific to Nex-3 in firmware.

  • It looks its almost impossible to preserve all file attributes in tar. When I pack it, files comes in different order, so even if change just 6 bytes in a single file, tar could be very different. It could be different even if I dont change anything at all, just untar and tar again the same folder. So we need to avoid work with tar. That is the possible explanation why packing files was not implemented in fwtools.

    Also, I noticed that tar does not apply compression, so I just located necessary bytes related to main file in tar itself and instead of editing main file I edited tar.

    But it does not work. Progress goes all the way till 100%, then updater notifies that there was error during firmware update. Camera is bricked again.

  • Again analysed the difference between Nex-3 original and patched firmware. Beside main file there is another difference I did not notice, because I compared extracted data not the tars itself - it looks like crc sum for a file. It is stored at the very end of tar. I manually updated the tar, so now I need to correctly calculate and update crc now.

    I calculated several checksums for Nex-3 and compared it with Nex-3 firmware and it is just good old crc32.

    I updated check sum in tar and camera was successfully updated. English was applied immediatelly, I even did not reset to factory settings.

  • As promised here is the result https://drive.google.com/file/d/17_7tER5j7r5E4KhG_Bi2XGwu4GlILqcW/view?usp=sharing

    The firmware has 5.2 version. Using fwtool its easy to increase version if you have already bricked you camera once. Just unpack, rename tar by mod.tar and pack specifying the necessary version number.

    I intended to create a patch. But it looks winmerge has a bug and does not generate patch file for binary files. Its strange, but I hope another person will create patch using linux diff tool later.

    In order to translate J1 Nex-5 into English: 1) download 5 version of official firmware 2) rename exe into zip and unpack it 3) replace the only dat file in Resource folder by the one I placed on my google drive temporarily (or apply diff patch, that will be created by someone else later) 4) run FirmwareUpdater from root folder 5) reset to factory setting manually if UI is still in Japaneese

  • @Zorl

    I updated check sum in tar and camera was successfully updated. English was applied immediatelly, I even did not reset to factory settings.

    Superb. I am amazed by your persistence and skill.

    Can you add resource file inside firmware zip archive? Rename it back to exe and share?

  • That will not work. Self extracting archive can be renamed from exe to zip and extracted but when you manupulate with it and change it, it will not work as executable files (possibly due to internal checks like crc sums, etc). I think there is a way to hack it also, but it looks to me that it is not necessary.

    I prepared self extracting archive using winrar, you can download it here https://drive.google.com/file/d/1AMB7tAkHIgSK-glr-KFj8u0p_RnBtnW8/view?usp=sharing When you run it, first it shows some info about what you are going to unstall, asks where it can exctract the data (can be any folder, and current folder is automatically selected, so you can just hit next button blindly) and automatically starts firmware update process. In other words it acts exactly like original sony installer, just with one more step to specify a folder to extact to. If your intention was to create standalone independent single file installer for everybody to use - that is it.

    But in my humble opinion - users don't trust exe, and especially exe on forums, personal sites, etc. These files can be infected by viruses (even if site owner did not have such intentions), so you usually download such files only from official sites you trust to. Me personally, I would trust zip much more, because normal zip does not run any additional commands, it just contains the files. The installation is still very easy: download, unpack in any folder, run the only exe in extracted folder. Just in case here is the zip to download https://drive.google.com/file/d/1s2LHouIILYKrhLGJp35k9gl7ZvJeRNMm/view?usp=sharing (by the way, when I download exe file you requested above from my own google cloud the chrome warns me that it's not safe to download such files and such warnings can scare people, so if you want to make it easier for people without IT background to get, run and update the camera, please consider a zip file option)

    For developers here is just FDAT tar in case you already bricked your camera dosens of times and you want to set the version by your own. Just unpack official firmware with fwtool, delete tar at level3 folder, put this one and pack to new firmware setting any version you want: https://drive.google.com/file/d/1eJXa4QU8jAre5mIWt-drfA9mR0EfKVfp/view?usp=sharing

    All files will stay in my cloud at least for a month.