Ricoh GR - Firmware hacking

jokob · 10-24-2017, 06:21 PM - **1 Like**

Hi Guys,

I think that this camera is amazing, but I'd welcome some more customisation options.

custom mapping of all buttons.
customised folder or naming
other tweaks which could be done via software update (list yours?)

So, I'm exploring options on altering the firmware and found some resources:

GitHub - crypto512/ricohdec

Ricoh Theta S Updater and Firmware Analysis | Matthew Petroff

Long story short: I am not sure if Ricoh is going to update this camera range or release any great firmware updates. It's a great camera which could be amazing with some little tweaks. Some of the wishlist items could be theoretically achieved by some tweaking of the software. To do that:

We need to be able to decompile correctly the available firmware
be able to alter it and connect what changes affect which functionality
be able to compile our own version

The code I referenced on top is not 100% working (some code is readable, some is still obfuscated, so additional work will be needed). I am regrettably not a crypto analytic, but I can code, so once the above 3 points are sorted modification of the code should be quite straightforward.

I am posting here to see if there is support for such an idea and endeavour.

If yes, and if there is someone with such skill set available in this sub willing to work on this, then great. Otherwise we could post a bounty / ask on other subs or websites for help.

So, let me know guys what you think!

Cheers, Jokob

Last edited by jokob; 12-16-2017 at 06:44 PM.

bootcoder · 10-25-2017, 07:39 AM

You better open file attributes in fopen from "r" to "rb" and from "w" to "wb" or decoder fails built with Mingw on WIndows.

bootcoder · 10-25-2017, 08:45 AM

For ricoh GR firmware downloaded from official website rg1_v051.zip: you just have to run ricohdec first on rg1_v051.frm, then again on resulting rg1_v001up.bin.
Then you get camera firmware file b01firm8.bin. File b01firm6.bin is firmware updater.

bootcoder · 10-25-2017, 05:07 PM - **1 Like**

Ugh, finally fetched load address of firmware file b01firm8.bin: 0xA0020200. Powered by Fujitsu RealOS. Have a fun analysing!

Attached Images

jokob · 10-25-2017, 08:41 PM

@bootcoder Thanks for the investigative work! This is very much appreciated! Could you please let me know how you've got the nicely formatted output? I've run ricohdec exactly as you've described but part of the file is still not properly readable: https://preview.ibb.co/cbLzbR/ricoh_frm.png. Here is my file after 2 run-throughs: ricohdec/b01firm8.bin at master · jokob/ricohdec · GitHub

Thanks in advance!

bootcoder · 10-26-2017, 01:27 AM - **1 Like**

You should disassemble b01firm8.bin with any tool like IDA/.../objdump that supports ARMv7-A and Thumb 2, taking in account .bin load address 0xA0020200 and big endian byte order.
There is no VFP.

Firmware runs on fujitsu m6 LSI chip (milbeaut 6th-generation). Function names (kernelInit, kernel_err_def_max) were added manually.

jokob · 10-26-2017, 03:41 PM

Originally posted by bootcoder

You should disassemble b01firm8.bin with any tool like IDA/.../objdump that supports ARMv7-A and Thumb 2, taking in account .bin load address 0xA0020200 and big endian byte order.
There is no VFP.

Firmware runs on fujitsu m6 LSI chip (milbeaut 6th-generation). Function names (kernelInit, kernel_err_def_max) were added manually.

This is supper helpful. Thank you so much!

bootcoder · 10-27-2017, 02:32 AM

RealOS Manual

In fact I am able to locate all these functions in firmware. It seems there is a powerfull script engine embedded in Ricoh GR firmware with access to all hardware. Investigating this and reversing debug shell could help you locate button code.

bootcoder · 11-24-2017, 11:38 AM

I do not know if it is already mentioned: Ricoh GR uses Sony IMX071 CMOS sensor that is same as in Nikon D5100/D7000.

10-24-2017, 06:21 PM - 1 Like	#1
jokob New Member Join Date: Oct 2017 Posts: 3	Ricoh GR - Firmware hacking Hi Guys, I think that this camera is amazing, but I'd welcome some more customisation options. custom mapping of all buttons. customised folder or naming other tweaks which could be done via software update (list yours?) So, I'm exploring options on altering the firmware and found some resources: GitHub - crypto512/ricohdec Ricoh Theta S Updater and Firmware Analysis \| Matthew Petroff Long story short: I am not sure if Ricoh is going to update this camera range or release any great firmware updates. It's a great camera which could be amazing with some little tweaks. Some of the wishlist items could be theoretically achieved by some tweaking of the software. To do that: We need to be able to decompile correctly the available firmware be able to alter it and connect what changes affect which functionality be able to compile our own version The code I referenced on top is not 100% working (some code is readable, some is still obfuscated, so additional work will be needed). I am regrettably not a crypto analytic, but I can code, so once the above 3 points are sorted modification of the code should be quite straightforward. I am posting here to see if there is support for such an idea and endeavour. If yes, and if there is someone with such skill set available in this sub willing to work on this, then great. Otherwise we could post a bounty / ask on other subs or websites for help. So, let me know guys what you think! Cheers, Jokob Last edited by jokob; 12-16-2017 at 06:44 PM.

10-25-2017, 07:39 AM	#2
bootcoder Banned Join Date: Oct 2014 Posts: 93	You better open file attributes in fopen from "r" to "rb" and from "w" to "wb" or decoder fails built with Mingw on WIndows. Last edited by bootcoder; 10-25-2017 at 08:41 AM.

10-27-2017, 02:32 AM	#8
bootcoder Banned Join Date: Oct 2014 Posts: 93	RealOS Manual In fact I am able to locate all these functions in firmware. It seems there is a powerfull script engine embedded in Ricoh GR firmware with access to all hardware. Investigating this and reversing debug shell could help you locate button code. Last edited by bootcoder; 11-07-2017 at 06:36 AM.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Order Your Ricoh GR / GR II!	Adam	Ricoh GR	5	04-23-2019 07:35 PM
Resurrecting Pentax firmware hacking	Shodan	Pentax DSLR Discussion	765	02-23-2019 05:24 AM
k-5 firmware hacking anyone?	secateurs	Pentax K-5 & K-5 II	33	10-05-2012 03:05 PM

10-25-2017, 08:45 AM	#3
bootcoder Banned Join Date: Oct 2014 Posts: 93	For ricoh GR firmware downloaded from official website rg1_v051.zip: you just have to run ricohdec first on rg1_v051.frm, then again on resulting rg1_v001up.bin. Then you get camera firmware file b01firm8.bin. File b01firm6.bin is firmware updater.

10-25-2017, 05:07 PM - 1 Like	#4
bootcoder Banned Join Date: Oct 2014 Posts: 93	Ugh, finally fetched load address of firmware file b01firm8.bin: 0xA0020200. Powered by Fujitsu RealOS. Have a fun analysing! Attached Images

10-25-2017, 08:41 PM	#5
jokob New Member Join Date: Oct 2017 Posts: 3 Original Poster	@bootcoder Thanks for the investigative work! This is very much appreciated! Could you please let me know how you've got the nicely formatted output? I've run ricohdec exactly as you've described but part of the file is still not properly readable: https://preview.ibb.co/cbLzbR/ricoh_frm.png. Here is my file after 2 run-throughs: ricohdec/b01firm8.bin at master · jokob/ricohdec · GitHub Thanks in advance!

10-26-2017, 01:27 AM - 1 Like	#6
bootcoder Banned Join Date: Oct 2014 Posts: 93	You should disassemble b01firm8.bin with any tool like IDA/.../objdump that supports ARMv7-A and Thumb 2, taking in account .bin load address 0xA0020200 and big endian byte order. There is no VFP. Firmware runs on fujitsu m6 LSI chip (milbeaut 6th-generation). Function names (kernelInit, kernel_err_def_max) were added manually.

10-26-2017, 03:41 PM	#7
jokob New Member Join Date: Oct 2017 Posts: 3 Original Poster	Originally posted by bootcoder You should disassemble b01firm8.bin with any tool like IDA/.../objdump that supports ARMv7-A and Thumb 2, taking in account .bin load address 0xA0020200 and big endian byte order. There is no VFP. Firmware runs on fujitsu m6 LSI chip (milbeaut 6th-generation). Function names (kernelInit, kernel_err_def_max) were added manually. This is supper helpful. Thank you so much!

11-24-2017, 11:38 AM	#9
bootcoder Banned Join Date: Oct 2014 Posts: 93	I do not know if it is already mentioned: Ricoh GR uses Sony IMX071 CMOS sensor that is same as in Nikon D5100/D7000.