40D
What do you mean by "generated on the fly"? Do you think the hash tables in the file header have yet another level of encryption, or do you mean that they are just taken from the file and each FW version has different hash tables?
Actually, I guess the tables really would need to be generated, since the data in the FW file is each only 19 bytes long and the decrypter uses two hash tables that are 512 and 513 bytes long.
I wonder if those other CRC's at 0x40 and 0xBC are actually used along with the data at 0x68 and 0x88 in a formula to make the keys?
I think tables are generated at run time (on the fly) because decrypter for 1.0.5 do not work on 1.0.8 fw file.
I'm working on recreation of hash tables for flasher(loader) 1.0.8 .
I hope I will manage this.
As soon we have tables it would be possible to guess how file header fields are used to generate of hash table.
I made it.
size of flasher is the same in 1.0.5 and 1.0.8 FW files.
assuming 108 flasher is identical to 105 I XOR-ed decrypted 105 flasher with 108 encrypted one.
result of xoring is cipher tream used to encrypt file
using recreate_tables tool on such stream will recreate tables
I begun encryption analysis in a hope to determine how tables depend on fw file header
you see. there is a small problem...
there are can exist 256 combinations of tables to generate the same cipher stream
recreate_tables tool can generate any of them (optional second parameter)
to
ASalina,
any 40D ownerI hope this information and tools will help you with further analysis
also it may be possible to patch flasher to make ROM dump to SD card.
in a such a way we could know exactly how to make decryptor instead guessing.
please check following:
- use dissect_fw3 on fir file
- use decrypt_40D10X_Flasher tool to decrypt flasher
- change some bytes in binary file (I advice you to change some strings which are displayed in flashing progresss. example: "Update Firmware?")
- encrypt flasher back using the same tool
- join files in new fir file
- use eos_fsum.exe to know new check sum
- update manualy bytes at offset 0x20-0x23 with new checksum
- try new fir file in camera
you managed to see changed text inside your camera it would be possible to make ROM dump
this test is for checking if some of fw file header fields used for additional checksuming of flasher