
Nikon Coolpix 2500

Working with DSC through USB

 

Uploader.exe

The new firmware comes together with an uploader program. Note that this program is not required: the firmware can be updated from a CF card. Under Windows, a camera connected through USB is visible as a "Removable Device". In the root directory of this disk, create a "FIRMWARE" directory and copy into it the file "FIRMWARE.BIN", which contains the new camera firmware. After the camera is switched to operational mode (i.e. turn it off, disconnect the USB cable, turn it on), it enters firmware update mode. It shows the current firmware version and the new firmware version, and offers to update the firmware. I replaced the firmware in my camera this way.

So a special update program is not necessary, but it exists and it can communicate with the camera through USB. We can watch how this happens.

Protocol of data exchange between PC and DSC via IOCTL_SCSI_PASS_THROUGH_DIRECT

The PC and the digital camera communicate using the standard serial protocol from Sierra Imaging, described in detail here. Commands begin with the codes 1B 43; the camera's answer code is 06. Some examples of messages and their decoding:

Query of the battery charge level
1B 43 02 00 01 10 11 00
1B the message is a command
43 always follows 0x1B
0002 the length of the command
01 the command to read a 32-bit register
10 the register number
0011 the checksum (the sum of all bytes: 01+10=0011)

Query of the firmware version
1B 43 02 00 04 1A 1E 00
1B the message is a command
43 always follows 0x1B
0002 the length of the command
04 the command to read a variable-length register
1A the register number
001E the checksum (the sum of all bytes: 04+1A=001E)
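
An added example, not part of the original page: a validating parser for the command packet layout decoded above, run against the three command packets quoted on this page. The function, struct and constant names are hypothetical, and the minimum body length of 2 is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes (names are hypothetical, chosen for this example). */
enum { SIERRA_OK = 0, SIERRA_SHORT = -1, SIERRA_BAD_MAGIC = -2,
       SIERRA_BAD_LEN = -3, SIERRA_BAD_SUM = -4 };

/* Layout per the decoding above: 1B 43 | length LE16 | body | checksum LE16. */
struct sierra_cmd {
    uint8_t  op;    /* first body byte, e.g. 01 or 04 */
    uint8_t  reg;   /* second body byte: register number */
    uint16_t len;   /* body length taken from the header */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Check magic, declared length and checksum before trusting any field. */
int sierra_parse_cmd(const uint8_t *buf, size_t n, struct sierra_cmd *out)
{
    if (n < 6) return SIERRA_SHORT;              /* 4-byte header + checksum */
    if (buf[0] != 0x1B || buf[1] != 0x43) return SIERRA_BAD_MAGIC;
    uint16_t len = le16(buf + 2);
    /* Assumption: a command carries at least opcode + register (2 bytes). */
    if (len < 2 || (size_t)len + 6 != n) return SIERRA_BAD_LEN;
    uint16_t sum = 0;
    for (size_t i = 0; i < len; i++) sum = (uint16_t)(sum + buf[4 + i]);
    if (sum != le16(buf + 4 + len)) return SIERRA_BAD_SUM;
    out->op = buf[4];
    out->reg = buf[5];
    out->len = len;
    return SIERRA_OK;
}

/* The three command packets quoted on this page. */
const uint8_t PKT_BATTERY[] = {0x1B,0x43,0x02,0x00,0x01,0x10,0x11,0x00};
const uint8_t PKT_FWVER[]   = {0x1B,0x43,0x02,0x00,0x04,0x1A,0x1E,0x00};
const uint8_t PKT_SEND[]    = {0x1B,0x43,0x06,0x00,0x00,0x20,0xBE,0xBE,
                               0xED,0x0F,0x98,0x02};

int main(void)
{
    struct sierra_cmd c = {0};
    int rc = sierra_parse_cmd(PKT_SEND, sizeof PKT_SEND, &c);
    printf("rc=%d op=%02X reg=%02X len=%u\n", rc, c.op, c.reg, c.len);
    return rc;
}
```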

However, this simple protocol is carried over IOCTL_SCSI_PASS_THROUGH_DIRECT calls, which complicates things a little. To begin, we look at the inquiry for the manufacturer and the type of the device (SCSIOP_INQUIRY). Many devices can answer this inquiry: an HDD, a CompactFlash card connected through a PC card adapter, a digital camera connected through USB, and so on.

 Query and response:
 2C 00 00 00 01 00 0C 18 01 00 00 00 24 00 00 00 : ,...........$...
 0C 00 00 00 40 FA 12 00 30 00 00 00 12 00 00 00 : ....@...0.......
 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : $...............
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
 >> return OK
 0012FA40:
 00 80 02 02 1F 00 00 00 4E 49 4B 4F 4E 20 20 20 : ........NIKON...
 4E 49 4B 4F 4E 20 44 53 43 20 45 32 35 30 30 20 : NIKON.DSC.E2500.
 31 2E 30 30                                     : 1.00

The inquiry is in fact a SCSI_PASS_THROUGH_DIRECT structure, described in "ntddscsi.h" from the NT DDK. Pay attention to field alignment: the DataIn and DataTransferLength fields are adjacent in the structure declaration, but in memory DataTransferLength is separated from DataIn by three bytes and begins at the next position divisible by four.

typedef struct _SCSI_PASS_THROUGH_DIRECT {
    USHORT Length;
    UCHAR ScsiStatus;
    UCHAR PathId;
    UCHAR TargetId;
    UCHAR Lun;
    UCHAR CdbLength;
    UCHAR SenseInfoLength;
    UCHAR DataIn;
    ULONG DataTransferLength;
    ULONG TimeOutValue;
    PVOID DataBuffer;
    ULONG SenseInfoOffset;
    UCHAR Cdb[16];
}SCSI_PASS_THROUGH_DIRECT, *PSCSI_PASS_THROUGH_DIRECT;

Decoding of the inquiry:
USHORT Length; 002C
UCHAR ScsiStatus; 00
UCHAR PathId; 00
UCHAR TargetId; 01
UCHAR Lun; 00
UCHAR CdbLength; 0C
UCHAR SenseInfoLength; 18 - always zeroed on return
UCHAR DataIn; 01 - R/W attribute (1 - Read, 0 - Write)
UCHAR _hidden[3]; 00 00 00
ULONG DataTransferLength; 00000024 - data buffer length
ULONG TimeOutValue; 0000000C
PVOID DataBuffer; 0012FA40 - data buffer address
ULONG SenseInfoOffset; 00000030
The command follows:
ULONG Command; 00000012 - the code of SCSIOP_INQUIRY
ULONG DataLength; 00000024 - equal to the data buffer length here; in other commands it differs
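
An added example, not part of the original page: the alignment point above, checked by the compiler and then applied to the first 0x2C bytes of the captured query. The name sptd32 and the fixed-width field types are assumptions standing in for the DDK types on the 32-bit system the capture came from; a little-endian host is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit layout of SCSI_PASS_THROUGH_DIRECT as seen in the capture.
 * DataBuffer is uint32_t because the captured pointer is 4 bytes wide. */
struct sptd32 {
    uint16_t Length;
    uint8_t  ScsiStatus, PathId, TargetId, Lun, CdbLength, SenseInfoLength;
    uint8_t  DataIn;              /* offset 8, then 3 bytes of padding */
    uint32_t DataTransferLength;  /* offset 12 */
    uint32_t TimeOutValue, DataBuffer, SenseInfoOffset;
    uint8_t  Cdb[16];
};

/* Fail the build if the compiler's layout differs from the capture. */
_Static_assert(offsetof(struct sptd32, DataIn) == 8, "DataIn offset");
_Static_assert(offsetof(struct sptd32, DataTransferLength) == 12, "padding");
_Static_assert(sizeof(struct sptd32) == 0x2C, "Length field says 0x2C");

/* First 0x2C bytes of the captured INQUIRY query from this page. */
static const uint8_t CAPTURED_REQ[0x2C] = {
    0x2C,0x00,0x00,0x00,0x01,0x00,0x0C,0x18,0x01,0x00,0x00,0x00,0x24,0x00,0x00,0x00,
    0x0C,0x00,0x00,0x00,0x40,0xFA,0x12,0x00,0x30,0x00,0x00,0x00,0x12,0x00,0x00,0x00,
    0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };

/* Copy raw bytes into the struct and check its self-described sizes.
 * Returns 0 on success, -1 if the buffer is not a plausible request. */
int sptd32_decode(const uint8_t *raw, size_t n, struct sptd32 *out)
{
    if (n < sizeof *out) return -1;
    memcpy(out, raw, sizeof *out);   /* assumes a little-endian host */
    if (out->Length != sizeof *out) return -1;
    if (out->CdbLength == 0 || out->CdbLength > sizeof out->Cdb) return -1;
    return 0;
}

int main(void)
{
    struct sptd32 r;
    if (sptd32_decode(CAPTURED_REQ, sizeof CAPTURED_REQ, &r) != 0) return 1;
    printf("DataIn=%u DataTransferLength=0x%X\n",
           r.DataIn, (unsigned)r.DataTransferLength);
    return 0;
}
```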

The response is an INQUIRYDATA structure, described in "ddk\scsi.h" from the NT DDK.

#define INQUIRYDATABUFFERSIZE 36

typedef struct _INQUIRYDATA {
    UCHAR DeviceType : 5;
    UCHAR DeviceTypeQualifier : 3;
    UCHAR DeviceTypeModifier : 7;
    UCHAR RemovableMedia : 1;
    UCHAR Versions;
    UCHAR ResponseDataFormat : 4;
    UCHAR HiSupport : 1;
    UCHAR NormACA : 1;
    UCHAR ReservedBit : 1;
    UCHAR AERC : 1;
    UCHAR AdditionalLength;
    UCHAR Reserved[2];
    UCHAR SoftReset : 1;
    UCHAR CommandQueue : 1;
    UCHAR Reserved2 : 1;
    UCHAR LinkedCommands : 1;
    UCHAR Synchronous : 1;
    UCHAR Wide16Bit : 1;
    UCHAR Wide32Bit : 1;
    UCHAR RelativeAddressing : 1;
    UCHAR VendorId[8];
    UCHAR ProductId[16];
    UCHAR ProductRevisionLevel[4];
    UCHAR VendorSpecific[20];
    UCHAR Reserved3[40];
} INQUIRYDATA, *PINQUIRYDATA;

The NT driver does not use the last two fields, so the full length of the structure is 36 bytes, which is what we see in the camera's response and in the INQUIRYDATABUFFERSIZE macro.

Decoding of the response:
UCHAR DeviceType : 5; 0 - DIRECT_ACCESS_DEVICE
UCHAR DeviceTypeQualifier : 3; 0 - DEVICE_CONNECTED
UCHAR DeviceTypeModifier : 7; 0
UCHAR RemovableMedia : 1; 1 - RemovableMedia
UCHAR Versions; 2
UCHAR ResponseDataFormat : 4; 2
UCHAR HiSupport : 1; 0
UCHAR NormACA : 1; 0
UCHAR ReservedBit : 1; 0
UCHAR AERC : 1; 0
UCHAR AdditionalLength; 0x1F (31)
UCHAR Reserved[2]; 00 00
UCHAR SoftReset : 1; 0
UCHAR CommandQueue : 1; 0
UCHAR Reserved2 : 1; 0
UCHAR LinkedCommands : 1; 0
UCHAR Synchronous : 1; 0
UCHAR Wide16Bit : 1; 0
UCHAR Wide32Bit : 1; 0
UCHAR RelativeAddressing : 1; 0
UCHAR VendorId[8]; "NIKON   "
UCHAR ProductId[16]; "NIKON DSC E2500 "
UCHAR ProductRevisionLevel[4]; "1.00"

All other requests are built on the same principle, but their command codes range from 0xE0 to 0xE5.

The table below gives a general view of the exchange protocol. The Command and R/W fields come from the structure described above. Data is the contents of the data buffer on input (data transmission to the camera, W, DataIn=0) or on output (reception of data from the camera, R, DataIn=1).

Command R/W Data Comment

Inquiry of data from the camera
E0 W 10 00 00 00 01 00 FF 9F 00 00 00 00 00 00 00 00 beginning of exchange cycle
E1 W 48 00 00 00 02 00 00 00 00 ... (*)
     1B 43 02 00 04 1A 1E 00 the Sierra Imaging protocol command
E3 R 0E 00 00 00 03 00 FF 9F 00 00 00 00 00 00 acknowledgment of receipt of the command

E0 W 10 00 00 00 01 00 FF 9F 00 00 00 00 00 00 00 00 beginning of exchange cycle
E4 R 10 00 00 00 02 00 FF 9F 00 00 00 00 4E 00 00 00 query of response length
E2 R 4E 00 00 00 02 00 FF 9F 00 00 ... (*)
     03 00 08 00 76 35 38 35 2D 37 35 00 FF FF response (v585-75)
E3 R 0E 00 00 00 03 00 FF 9F 00 00 00 00 00 00 acknowledgment of receipt of the command

E0 W 10 00 00 00 01 00 FF 9F 00 00 00 00 00 00 00 00 beginning of exchange cycle
E1 W 41 00 00 00 02 00 00 00 00 00 ... (*)
     06 acknowledgment of Sierra Imaging command
E3 R 0E 00 00 00 03 00 FF 9F 00 00 00 00 00 00 acknowledgment of receipt of the command

Sending data to the camera
E0 W 10 00 00 00 01 00 FF 9F 00 00 00 00 00 00 00 00 beginning of exchange cycle
E1 W 4C 00 00 00 02 00 00 00 00 00... (*)
     1B 43 06 00 00 20 BE BE ED 0F 98 02 the Sierra Imaging protocol command
E3 R 0E 00 00 00 03 00 FF 9F 00 00 00 00 00 00 acknowledgment of receipt of the command

E0 W 10 00 00 00 01 00 FF 9F 00 00 00 00 00 00 00 00 beginning of exchange cycle
E4 R 10 00 00 00 02 00 FF 9F 00 00 00 00 41 00 00 00 query of response length
E2 R 41 00 00 00 02 00 FF 9F 00 00... (*)
     06 acknowledgment of Sierra Imaging command
E3 R 0E 00 00 00 03 00 FF 9F 00 00 00 00 00 00 acknowledgment of receipt of the command

End of session
E5 W   end of work with the camera

(*) - zeros follow up to the end of the header (64 bytes long). The next line, which contains the Sierra Imaging protocol elements, begins at offset 0x40.
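
An added example, not part of the original page: bounds-checked extraction of the firmware version string from an E2 data buffer framed as in the table above. Two things are assumptions read off the captured values rather than stated by the page: that the first dword of the header is the total buffer length, and that the response body is 2 bytes, a 16-bit data length, the data, then 2 trailing bytes. All function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define HDR_LEN 64u  /* header is 64 bytes; Sierra bytes start at 0x40 */

/* Find the Sierra bytes in an E1/E2 buffer of n received bytes. Assumption
 * read off the captures: the first dword is the total length
 * (0x48 = 64 + 8, 0x4E = 64 + 14, 0x41 = 64 + 1). Returns 0 or -1. */
int unwrap(const uint8_t *buf, size_t n, const uint8_t **body, size_t *blen)
{
    if (n < HDR_LEN) return -1;
    uint32_t total = buf[0] | (buf[1] << 8) | (buf[2] << 16)
                   | ((uint32_t)buf[3] << 24);
    if (total < HDR_LEN || total > n) return -1;  /* never read past n */
    *body = buf + HDR_LEN;
    *blen = total - HDR_LEN;
    return 0;
}

/* Copy the firmware version string from an E2 response into dst. Assumed
 * body layout, inferred from the capture: 2 bytes, LE16 data length, data,
 * 2 trailing bytes. Returns the string length, or -1 on malformed input. */
int fw_version(const uint8_t *buf, size_t n, char *dst, size_t cap)
{
    const uint8_t *b; size_t bl;
    if (unwrap(buf, n, &b, &bl) != 0 || bl < 6) return -1;
    size_t dlen = (size_t)(b[2] | (b[3] << 8));
    if (dlen == 0 || dlen + 6 > bl || dlen > cap) return -1;
    if (b[4 + dlen - 1] != 0) return -1;          /* require NUL terminator */
    memcpy(dst, b + 4, dlen);
    return (int)(dlen - 1);
}

/* Rebuild the E2 row of the table: header, zero fill, response bytes. */
size_t sample_e2(uint8_t out[78])
{
    static const uint8_t hdr[]  = {0x4E,0,0,0,0x02,0,0xFF,0x9F,0,0};
    static const uint8_t body[] = {0x03,0,0x08,0,'v','5','8','5','-','7','5',0,0xFF,0xFF};
    memset(out, 0, 78);
    memcpy(out, hdr, sizeof hdr);
    memcpy(out + HDR_LEN, body, sizeof body);
    return 78;
}

int main(void)
{
    uint8_t buf[78]; char v[16];
    return fw_version(buf, sample_e2(buf), v, sizeof v) != 7;
}
```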

