Sadly, the sub at location FFBC54C8 only decrypts the flasher code and not the FW payload at the end. I am still figuring out where this is decrypted, but I have not been able to find it. Does anyone have a clue?
flasher decrypts payload :-)
Sub Decrypt()
    Rootpath = "C:\40D Hack\Decrypt\"
    Dim HexArray1(512) As String
    Dim HexArray2(513) As String
    Dim DecArray1(512) As Byte
    Dim DecArray2(513) As Byte
    Open Rootpath + "Generic_40D_table.txt" For Input As #1
    For teller = 1 To 512
        Input #1, HexArray1(teller)
        DecArray1(teller) = CByte(HexArray1(teller))
    Next
    Line Input #1, Inline ' Read empty line of data.
    For teller = 1 To 513
        Input #1, HexArray2(teller)
        DecArray2(teller) = CByte(HexArray2(teller))
    Next
    Close #1
    Dim MyChar As Byte
    Dim OutChar As Byte
    Dim XorVal As Byte
    Open Rootpath + "40d00111.fir" For Binary Access Read As #1 ' Open file for input.
    Open Rootpath + "40d00111.bin.txt" For Binary Access Write As #2 ' Open file for output.
    '
    'FW 1.0.5
    ' Key1 offset = 0x92
    ' Key2 offset = 0x1B0
    '
    'FW 1.0.8
    ' Key1 offset = 0x100
    ' Key2 offset = 0x1A7
    '
    'FW 1.1.0
    ' Key1 offset = 0xAC
    ' Key2 offset = 0x1E8
    '
    'FW 1.1.1
    ' Key1 offset = 0x27
    ' Key2 offset = 0x191
    '
    Offset_Key1 = &H27
    Offset_Key2 = &H191
    ArrayTeller1 = 1 + Offset_Key1
    ArrayTeller2 = 1 + Offset_Key2
    current = 0
    Do While current < LOF(1)
        Get #1, , MyChar ' Read 1 byte of data from input file
        If current >= &H120 Then
            XorVal = DecArray1(ArrayTeller1) Xor DecArray2(ArrayTeller2) Xor 55
            OutChar = MyChar Xor XorVal
            ArrayTeller1 = ArrayTeller1 + 1
            If ArrayTeller1 > 512 Then ArrayTeller1 = 1
            ArrayTeller2 = ArrayTeller2 + 1
            If ArrayTeller2 > 513 Then ArrayTeller2 = 1
        Else
            OutChar = MyChar
        End If
        Put #2, , OutChar ' Write 1 byte to output file
        current = Loc(1)
    Loop
    Close #2 ' Close file.
    Close #1 ' Close file.
    Result = MsgBox("Ready", vbOKOnly, "Finished")
End Sub
Quote: flasher decrypts payload :-)

Yes, I know that, but how can we do it ourselves? I have found 4 smaller keys and also the XOR statements where these are used, but it takes a lot of time to try to figure out how these are used exactly and how to decrypt the payload ourselves.

See data head 2 and the 4 smaller keys at 0x19DC9C and later in the attached file.

If we can figure out where these keys are located and how they are used, automatic decryption of any 40D firmware must become possible. Unfortunately, I have very little time to work on this problem.