HF10 & HV30 (Digic DV II) decrypted!

    HF10 & HV30 (Digic DV II) decrypted!
    « on: 07 / June / 2008, 12:21:08 »
    I just read the thread regarding the HV20 (http://chdk.setepontos.com/index.php/topic,721.0.html) where it has been said that a firmware file will be needed to be able to analyze if a hack would be possible. Now there's a firmware update available for the HF10 which updates the firmware from version 1.0.0.0 to 1.0.1.0 on the Japanese Canon website.
    I'd do it by myself but since I'm missing the required knowledge, would someone be willing to give it a try (I can provide the file or download link) or to point me in the right direction on how to do it? I've been browsing the chdk wikia site but couldn't find any useful information on how to get started.

    I've been searching the firmware update file for strings but couldn't find a single one, so my assumption is that the update either only contains program code and no resources, or it is compressed and/or encrypted in some way. The file header starts with 64kb filled with FF values, followed by the firmware version and a string which resembles the filename. Then the "garbage" begins.
    « Last Edit: 08 / August / 2008, 06:53:28 by Wiesel »

    Re: HF10 (Digic DV II)
    « Reply #1 on: 08 / June / 2008, 06:57:12 »
    Ok since DSLR firmwares are encrypted as well I tried the 300D, 20D and 40D decryption keys, and it seems like they used the 300D keys to decrypt the HF10 firmware, at least partly.

    To be able to quickly see if the key is right, I extended Alex Bernstein's firmware decrypter tool to apply decryption, search for ASCII strings and print them out. Since the second key is 513 bytes long and I have no idea where the encrypted part starts, I decrypted the firmware 513 times, every time starting at the byte that equals the round, e.g. first round started at byte 0, 10th round started at byte 9, etc... My theory was that if the key is right, there should be one round where the decryption starts at the right alignment and I get a bunch of strings.
    The problem I have is that there was no round where I got a big bunch of strings, but a few rounds where I got some parts of strings... some examples: "Directory OK" (round 24), "ctest sys dget ctol" (round 64), "save virtual playList error" (round 104), ... I could post the whole list but I don't know if I'm allowed to.

    Anyway, is there someone who has an idea where the problem could be so I can decrypt the whole thing?
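    The alignment search described in this reply, written out as an added example (it is not Wiesel's script and not Alex Bernstein's decrypter): the two key tables are constructed stand-ins, not the real 300D keys; the way they combine (stream byte j = k512[j % 512] ^ k513[j % 513]) is an assumption for the demo; the sample image, its 137-byte plain header and most of the message strings are constructed (only "Directory OK", "ctest sys dget ctol" and "save virtual playList error" come from the thread). Each of the 513 rounds restarts the stream at byte r and is scored by counting printable ASCII runs of at least 10 bytes; the round with the right alignment stands out because the whole string table decrypts at once. This is the reason a fixed XOR keystream gives no real confidentiality: once the tables are known, the remaining unknown (the phase) falls to a one-line statistic.

```python
import random
import re

K512_LEN, K513_LEN = 512, 513
KEY_PERIOD = K512_LEN * K513_LEN      # 0x40200 bytes before the combined stream repeats
STRING_RE = re.compile(rb"[\x20-\x7e]{10,}")  # printable ASCII runs of 10+ bytes


def hypothetical_keys(seed=1):
    """Constructed stand-in tables; the real 300D key tables are deliberately not reproduced."""
    rng = random.Random(seed)
    k512 = bytes(rng.randrange(256) for _ in range(K512_LEN))
    k513 = bytes(rng.randrange(256) for _ in range(K513_LEN))
    return k512, k513


def keystream(k512, k513, length):
    """Assumed combination rule for the demo: stream byte j = k512[j % 512] ^ k513[j % 513]."""
    return bytes(k512[j % K512_LEN] ^ k513[j % K513_LEN] for j in range(length))


def xor_bytes(a, b):
    """XOR two byte strings over their common length (big-int trick keeps it fast)."""
    n = min(len(a), len(b))
    return (int.from_bytes(a[:n], "big") ^ int.from_bytes(b[:n], "big")).to_bytes(n, "big")


def count_strings(buf):
    """Score a candidate plaintext by the number of long printable runs it contains."""
    return len(STRING_RE.findall(buf))


def find_alignment(data, ks, rounds=K513_LEN):
    """Round r skips the first r bytes and restarts the stream there, as the reply describes.
    Returns the best-scoring round and the per-round string counts."""
    scores = [count_strings(xor_bytes(data[r:], ks)) for r in range(rounds)]
    best = max(range(rounds), key=scores.__getitem__)
    return best, scores


TRUE_START = 137  # constructed: offset at which the sample image's encrypted part begins


def build_sample(seed=5):
    """Constructed image: a plain 0xFF header, then random 'code' with an embedded string table, XORed."""
    rng = random.Random(seed)
    messages = [b"Directory OK", b"ctest sys dget ctol", b"save virtual playList error",
                b"Firmware Update Start", b"Battery Low Warning", b"PlayList Write OK",
                b"Card Format Failed", b"SD Card Not Inserted", b"Lens Error Detected",
                b"Zoom Motor Timeout", b"Recording Stopped", b"Thumbnail Cache Rebuilt"]
    table = b"\0".join(messages) + b"\0"

    def noise(n):
        return bytes(rng.randrange(256) for _ in range(n))

    plain = noise(6000) + table + noise(6000)
    ks = keystream(*hypothetical_keys(), len(plain))
    image = b"\xff" * TRUE_START + xor_bytes(plain, ks)
    return image, ks


if __name__ == "__main__":
    image, ks = build_sample()
    best, scores = find_alignment(image, ks)
    print(f"best round {best}: {scores[best]} strings (true start {TRUE_START})")
```

    With a real dump you would pass the file bytes and the stream built from the actual tables; the scan stays cheap because each round is one big-integer XOR and one regex pass, and the score gap between the right round and every other one is what tells you the key tables are correct in the first place.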

    mx3
    Re: HF10 (Digic DV II) decrypting...
    « Reply #2 on: 08 / June / 2008, 08:50:15 »
    > Now there's a firmware update available for the HF10 which updates the firmware from version 1.0.0.0 to 1.0.1.0 on the Japanese Canon website.
    great

    > I can provide the file or download link
    please share the file.
    I can't download it without knowing a serial number
    skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler

    cail
    Re: HF10 (Digic DV II) decrypting...
    « Reply #3 on: 08 / June / 2008, 14:32:31 »
    +1!

    mx3, do you have canon camcorder too? We could have a good talk then ;)


    mx3
    Re: HF10 (Digic DV II) decrypting...
    « Reply #5 on: 10 / June / 2008, 08:18:42 »
    > There is an ebay listing with clear pictures of an HF100:
    I'm not sure what you want to say. Why did you post such a link?
    skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler

    Re: HF10 (Digic DV II) decrypting...
    « Reply #6 on: 10 / June / 2008, 09:45:23 »
    >> There is an ebay listing with clear pictures of an HF100:
    > I'm not sure what you want to say. Why did you post such a link?

    He probably wanted to give you a serial number so you can download the firmware :)

    kmaage
    Re: HF10 (Digic DV II) decrypting...
    « Reply #7 on: 10 / June / 2008, 10:18:15 »
    The firmware update for the HF100 camcorder is available here http://web.canon.jp/imaging/dcp/ivis/hf10/frm/firmdownload-j.html (in Japanese, and you need a serial number from an HF10 or HF100).


    Re: HF10 (Digic DV II) decrypting...
    « Reply #8 on: 11 / June / 2008, 03:14:33 »
    Right now running a coincidence analysis over the file.

    Searching for 8-byte pattern repetitions. There are many of them (this is a kind of proof that it is a XOR encoding).
    The repeat length is always (well, at most) a multiple of 0x1040:

    Normally this means that the XOR key repeats itself every 0x1040 bytes.

    This is not true for two keys 512x513 giving 0x40200 single key length. Probably it is some form of modification over two keys, since Wiesel says he sees human readable patterns with 512x513 keys.

    BTW, Wiesel, which particular key are you using? Can you give an exact point since there are many of them spread over the net...

    mx3
    Re: HF10 (Digic DV II) decrypting...
    « Reply #9 on: 11 / June / 2008, 04:03:10 »
    > Right now running a coincidence analysis over the file.
    >
    > Searching for 8-byte pattern repetitions. There are many of them (this is a kind of proof that it is a XOR encoding).
    > The repeat length is always (well, at most) a multiple of 0x1040:
    >
    > Normally this means that the XOR key repeats itself every 0x1040 bytes.
    >
    > This is not true for two keys 512x513 giving 0x40200 single key length. Probably it is some form of modification over two keys, since Wiesel says he sees human readable patterns with 512x513 keys.
    >
    > BTW, Wiesel, which particular key are you using? Can you give an exact point since there are many of them spread over the net...

    assume encrypted part begins at offset 0x10010
    assume it is encrypted by 512x513 algorithm

    how to check this idea?
    Split file into 0x40200 chunks
    xor them with each other.
    xored result file will contain XOR of two unencrypted chunks
    ARM command - 4 bytes long. 4th byte - 0xE*

    XOR of 2 ARM commands should give result 0x0X
    so the resulting XOR-ed files must contain a lot of 0x0X in every 4th byte...

    see attached files
    skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler
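    The two checks from replies #8 and #9 side by side, as an added example rather than either poster's own script. Reply #8's coincidence analysis records, for every 8-byte pattern that occurs more than once, how far the copy lies from the first occurrence; with a key that repeats every N bytes, identical plaintext only survives as identical ciphertext when the copies are a multiple of N apart, so the gcd of those distances recovers N. Reply #9's test splits the file into chunks of the candidate period, XORs neighbouring chunks so the key cancels, and counts 4-byte words whose last byte (the ARM condition byte, 0xE? for "always") has become 0x0?. Everything below is constructed for the demo: the sample "firmware" of ARM-like words, the planted 8-byte marker, its offsets, and the choice of the thread's 0x1040 repeat distance as the key length (an assumption, not a claim about the real file; the thread's other candidate, 0x40200, would be tested the same way).

```python
import random
from functools import reduce
from math import gcd

PERIOD = 0x1040   # repeat length reported in reply #8; assumed here to be the sample key length
# constructed 8-byte sequence (two plausible little-endian ARM words) planted at several offsets
MARKER = bytes.fromhex("0010a0e3002090e5")


def build_sample(seed=7, periods=6):
    """Constructed stand-in for the firmware: mostly ARM-like words XORed with a PERIOD-byte key."""
    rng = random.Random(seed)
    plain = bytearray()
    for _ in range(PERIOD * periods // 4):
        # 90% of words carry the ARM 'always' condition, so their top byte is 0xE?
        top = (0xE0 | rng.randrange(16)) if rng.random() < 0.9 else rng.randrange(256)
        plain += (rng.randrange(1 << 24) | (top << 24)).to_bytes(4, "little")
    # identical plaintext at offsets that are PERIOD apart (100 and 5000 families) and at offsets that are not
    for off in (100, 100 + PERIOD, 100 + 3 * PERIOD, 5000, 5000 + 2 * PERIOD, 7000, 7776, 9000):
        plain[off:off + 8] = MARKER
    key = bytes(rng.randrange(256) for _ in range(PERIOD))
    cipher = bytes(p ^ key[i % PERIOD] for i, p in enumerate(plain))
    return bytes(plain), cipher


def repeat_distances(data, width=8):
    """Coincidence analysis: for each repeated width-byte pattern, distance back to its first occurrence."""
    first, dists = {}, []
    for off in range(len(data) - width + 1):
        pat = data[off:off + width]
        if pat in first:
            dists.append(off - first[pat])
        else:
            first[pat] = off
    return dists


def infer_period(data, width=8):
    """gcd of the repeat distances; 0 when nothing repeats. Under a repeating XOR key this is the key length,
    because copies at any other distance are masked by different key bytes."""
    return reduce(gcd, repeat_distances(data, width), 0)


def condition_byte_score(data, period, start=0):
    """Reply #9's check: XOR consecutive period-sized chunks (starting at `start`, e.g. the 0x10010 the
    thread assumes) and return the fraction of 4-byte words whose last byte has a zero high nibble."""
    chunks = [data[i:i + period] for i in range(start, len(data) - period + 1, period)]
    hits = total = 0
    for a, b in zip(chunks, chunks[1:]):
        for w in range(0, len(a) - 3, 4):
            total += 1
            if ((a[w + 3] ^ b[w + 3]) & 0xF0) == 0:
                hits += 1
    return hits / total if total else 0.0


if __name__ == "__main__":
    plain, cipher = build_sample()
    print("inferred period:", hex(infer_period(cipher)))
    print("score at 0x1040:", round(condition_byte_score(cipher, PERIOD), 3))
    print("score at 0x1000:", round(condition_byte_score(cipher, 0x1000), 3))
```

    On the constructed image the gcd lands on 0x1040 and the condition-byte score is about 0.8 at the right period against roughly 1/16 at a wrong one; on the plaintext itself the gcd collapses to a meaningless small number because code repeats at arbitrary distances, which is exactly why the ciphertext statistic is informative. Both checks are generic: they need no key material and work on any file protected by a short repeating XOR, which is the design lesson to take from the thread.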

     
