supplierdeeply

Any developers interested in working on CHDK firmware for DSLRs ?

  • 202 Replies
  • 71495 Views
  • Publish
    Re: Any developers interested in working on CHDK firmware for DSLRs ?
    « Reply #170 on: 31 / December / 2008, 12:51:49 »
    Advertisements
    I am looking for the xor tables for my 50d. I tried with all tables I found here but no success.
    fw-files is the 1.0.3 of course that is available as an upgrade.

  • Publish
    Re: Any developers interested in working on CHDK firmware for DSLRs ?
    « Reply #171 on: 08 / January / 2009, 03:16:22 »
    pffffff..... forum is back.... What a scare.
    Some tables fallen from heaven - just after writing the message. Thanks :-)
    I finally had a deja vu at the end of de-eor-ed flasher code.
    I did some work on 50d code. but could not manage to run code after change a byte in the flasher and fix the checksum.
    Although checksum at 0x20 is calculated same as for 40d and checksum-utility works.
    Maybe there is another checksum? Or maybe I should read the posts again (unfortunaltey lot of noise "want this, want that" in here).
    I think you've seen the md5-calc code within the flasher.
    Of course I do not want to make work twice. So my question is, if there is some progress? Anybody already know how to decrypt the data-chunk?
    Otherwise I would take the (really lot of code used for de-obfuscation) run in an emulator to RE that part.

    I did not know how efficient this ARM stuff is. The code used for flasher-decryption (in 50d it is at 0x848188) is less code than the same stuff done in "C" :-)

    --
    everything I do is for educational purposes only. There is no commercial interest and no sponsors. My job is about programming emedded devices but far away from cameras and far away from canon and competitors
    « Last Edit: 08 / January / 2009, 03:54:55 by Tyra Misoux »

    *

    Offline quietschi

    • ***
    • 116
    • Ixus70 102a
  • Publish
    Re: Any developers interested in working on CHDK firmware for DSLRs ?
    « Reply #172 on: 08 / January / 2009, 11:28:41 »
    Some tables fallen from heaven - just after writing the message. Thanks :-)
    From where did you get the tables?
    I did not know how efficient this ARM stuff is. The code used for flasher-decryption (in 50d it is at 0x848188) is less code than the same stuff done in "C" :-)
    How did you found this address for 50d?

    Theres also now a fw update available for the Eos 5d MarkII. So this is interesting for others too.

    Canon EOS 5D MarkII Firmware Update

    thanks quietschi

    *

    Offline mx3

    • ****
    • 372
  • Publish
    Re: Any developers interested in working on CHDK firmware for DSLRs ?
    « Reply #173 on: 09 / January / 2009, 05:21:08 »

    see attached file.
    it seems it can decrypt 50d flasher
    I'm not sure but I heard it can decrypt 450d and 1DmarkIII also.
    skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler


    *

    Offline quietschi

    • ***
    • 116
    • Ixus70 102a
  • Publish
    Re: Any developers interested in working on CHDK firmware for DSLRs ?
    « Reply #174 on: 09 / January / 2009, 07:37:13 »
    Thanks mx3

    can confirm it works for 5d2, decrypts flasher
    OS = DRYOS

  • Publish
    Re: Any developers interested in working on CHDK firmware for DSLRs ?
    « Reply #175 on: 09 / January / 2009, 07:59:30 »
    one finds those tables inside the decrypted flasher. since it is symetric stuff it should be no problem to reverse the algorithm and reconstruct the table from encrypted code. So maybe thats the way to get them.
    Or maybe one guy connects to the chip with JTAG? I am sure the CPU has JTAG capabilities but I do not want to open my new camera :-) at least not at this time! (maybe I destroy it anyway with further development - then the time is come to open :-)

    well, I am not interested in how to get the tables for flasher at this point. I am more interested in decrypting the datachung as well in running my own code. I failed when try to patch the flasher and run it. fix the checksum alone is not enough.

    I found lot of checksumming and signature stuff in the flasher.
    At least there is a MD5 calculation as well as AES!
    if you like to name the tables (50d fw 1.0.3)
    the AES Tables at
    0x990FCC - AES::SD[256] - 0x52, 9,0x6A,0xD5,0x30,0x36,0xA5,0x38
    0x9910CC - AES_TE0[256] - 0xC66363A5,0xF87C7C84,0xEE777799
    0x9914CC - AES::TE1[256] - 0xA5C66363,0x84F87C7C,0x99EE7777
    0x9918CC - AES::TE2[256] - 0x63A5C663,0x7C84F87C,0x7799EE77
    0x991CCC - AES::TE3[256] - 0x6363A5C6,0x7C7C84F8,0x777799EE
    0x9920CC - AES::SE[256] - 0x63636363,0x7C7C7C7C,0x77777777 (unpacked)
    0x9924CC - AES_TD0[256] - 0x51F4A750,0x7E416553,0x1A17A4C3
    0x9928CC - AES_TD1[256] - 0x5051F4A7,0x537E4165,0xC31A17A4
    0x992CCC - AES_TD2[256] - 0xA75051F4,0x65537E41,0xA4C31A17
    0x9930CC - AES_TD3[256] - 0xF4A75051,0x4165537E,0x17A4C31

    (the tables are well know, so it is no problem to find them in any code)
    the stuff is referenced from within a table at 0x8A4594
    so the code at 0x8A45A4 is supposed to do AES

    first I thought it is not referenced but library stuff only
    but there is a reference to this code as a table-entry at 0x8958CC. that address is pushed to stack at
    895888 3C 30 9F E5                 LDR     R3, =do_AES_loc_8A45A4
    89588C 00 30 8D E5                STR     R3, [SP,#0]

    if there is AES - there must be another key :-) if that is in ROM we are fucked at this point.

    (btw. OS is DryOS of course for 50d, too)
    and YES, it DOES decrypt 50d 1.0.3

  • Publish
    Re: Any developers interested in working on CHDK firmware for DSLRs ?
    « Reply #176 on: 09 / January / 2009, 22:47:04 »
    mx3, thank you so much for that. It works on the 5D MKII firmware and that was a huge help.

    Lost of really interesting stuff in the flasher. I'm still trying to figure out the proper start addresses to use and what's the best way to search for strings and references with IDC scripts. (IDA Pro newb) Once I'm more familiar with the process I can help with the data chunk decrypt.

    I picked up "Reverse Engineering Code with IDA Pro" by Dan Kaminsky. Anyone else have any material they recommend?

    *

    Offline mx3

    • ****
    • 372
  • Publish
    Re: Any developers interested in working on CHDK firmware for DSLRs ?
    « Reply #177 on: 10 / January / 2009, 01:15:13 »
    mx3, thank you so much for that.
    you are welcome.
    actually I downloaded it somewhere about month ago.
    I was sure it was on this forum.
    * mx3 shrugs

    It works on the 5D MKII firmware and that was a huge help.
    that is great

    Lots of really interesting stuff in the flasher. I'm still trying to figure out the proper start addresses to use
    5d200107.fir_1_flasher.bin should be loaded at 800120
    and what's the best way to search for strings and references with IDC scripts.

    I'm not sure.
    I think first you apply signatures file then IDC.
    it is because smal part of IDC script uses function names to do it's work.
    see DryOS Porting - CHDK Wiki



    and maybe it is worth to split this thread from now
    I think separate threads for 5dmk2, 50d, 450D would be fine :-)
    « Last Edit: 10 / January / 2009, 01:17:26 by mx3 »
    skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler


  • Publish
    Re: Any developers interested in working on CHDK firmware for DSLRs ?
    « Reply #178 on: 10 / January / 2009, 05:48:22 »
    hm, I do not use any scripts and stuff but searching for familiar looking stuff by my own (for example well known hash tables)
    I also found some kind of SHA256, yesterday (it is used together with AES to generate/verify the signature). It looks like the code is used on the data-chunk.
    it is a not optimized SHA1 algorithm. I call code at 0x894DD4 "sha1_do_hash_loc_894DD4" for example

    I wonder why there are strings concerning to camera functions inside the flasher?! there are a shitload of them.
    data from about 0x8B3A00 - 0x8FDE00 is FONT-data (so not of too much interesst :-)

    btw I linked flasher_header and flasher togother and load the whole stuff to 0x800000 so I have it for reference.

    guess I need some kind of debugger now to singlestep the stuff. Might be much faster than walk through the code by hand (we will succeed anyway). Wonder where it takes the AES key from, now.

    sure, AES is supposed to be save.... but is the key used for descrambling save, also? I hope not :-)
    « Last Edit: 10 / January / 2009, 06:23:50 by Tyra Misoux »

  • Publish
    Re: Any developers interested in working on CHDK firmware for DSLRs ?
    « Reply #179 on: 10 / January / 2009, 07:28:50 »
    5d200107.fir_1_flasher.bin should be loaded at 800120

    Thank you for this. I'm starting to get a feel for IDA and the general process.

    Here is what I've done so far, please feel free to point out any errors.

    - loaded flasher at 0x800120
    - applied DryOS signatures from the A series. Not much result from this.
    - applied CHDK.idc. This yields a readable format I can follow.

    IDA's graphing function = awesome

    I wonder why there are strings concerning to camera functions inside the flasher?! there are a shitload of them.

    I'm seeing the same thing in the 5D MKII. Lots and lots of strings from camera functions. Odd.

    I've tried searching for your AES table values, but can't seem to find them in the 5D MKII fir. Maybe I'm doing something wrong. Would it be possible to describe your process (are you using IDA Pro?) and maybe I can try and replicate it.

    I may have found the decrypter though:

    I think it starts at:
    0x0080A840
    Where it BL's at 0x0080A870  to 0x0080A62C. I think everything at 0x0080A62C is the decrypt function. I don't know enough ARM assembly to confirm. I'm working on that. Maybe someone could take a peek and see what they think.

    Should I just start a "General 5D MKII development" thread?


     

    Related Topics