Hi all. I started looking at the 40D firmware yesterday for the first time using the original 105 decrypter and after trying to decrypt 108 I came to the same conclusion as you have that something in the firmware header must be used to generate the XOR tables. I've now discovered this message board so am currently playing catch-up on all the hard work you guys have achieved so far.
The size of the flasher is the same in the 1.0.5 and 1.0.8 FW files.
Assuming the 108 flasher is identical to 105, I XOR-ed the decrypted 105 flasher with the 108 encrypted one.
The result of XORing is the cipher stream used to encrypt the file.
Using the recreate_tables tool on such a stream will recreate the tables.
I can verify that this worked. The decrypted 108 flasher looks good to me.
I began encryption analysis in the hope of determining how the tables depend on the fw file header.
You see, there is a small problem...
There can exist 256 combinations of tables that generate the same cipher stream.
The recreate_tables tool can generate any of them (optional second parameter).
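The known-plaintext trick from the post above (identical flasher in both files, so decrypted 105 XOR encrypted 108 gives the cipher stream) and the 256-equivalent-tables point, worked through as an added example with constructed data; this is not the thread's tool or Canon's scheme. The two-table generator `keystream()` and the functions `recover_keystream()` / `recreate_tables()` are hypothetical models chosen only to make the ambiguity visible.

```python
"""Known-plaintext keystream recovery (added example, constructed data).

The table generator is a HYPOTHETICAL model, not Canon's actual scheme:
byte i of the stream is T1[i % n1] XOR T2[(i // n1) % n2].
"""

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; a length mismatch means a wrong assumption."""
    if len(a) != len(b):
        raise ValueError(f"length mismatch: {len(a)} != {len(b)}")
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(t1: bytes, t2: bytes, n: int) -> bytes:
    """Hypothetical two-table stream generator (see module docstring)."""
    n1 = len(t1)
    return bytes(t1[i % n1] ^ t2[(i // n1) % len(t2)] for i in range(n))

def recover_keystream(known_plain: bytes, cipher: bytes) -> bytes:
    """Decrypted 1.0.5 flasher XOR encrypted 1.0.8 flasher = cipher stream."""
    return xor_bytes(known_plain, cipher[:len(known_plain)])

def recreate_tables(ks: bytes, n1: int, n2: int, c: int = 0) -> tuple:
    """Rebuild (T1, T2) from a stream. c in 0..255 selects one of the 256
    equivalent pairs (T1 ^ d, T2 ^ d); all of them regenerate the same stream."""
    if len(ks) < n1 * n2:
        raise ValueError("stream too short to recover both tables")
    t1 = bytes(ks[j] ^ c for j in range(n1))           # fix T2[0] = c
    t2 = bytes(ks[k * n1] ^ t1[0] for k in range(n2))  # then read T2 off
    return t1, t2

def demo() -> bool:
    """Constructed stand-in for the two .fir files (no real firmware data)."""
    t1 = bytes((7 * i + 3) & 0xFF for i in range(16))   # constructed table
    t2 = bytes((13 * i + 5) & 0xFF for i in range(8))   # constructed table
    flasher = b"Update Firmware?".ljust(128, b"\x00")    # same in both .fir
    body_108 = b"firmware body 1.0.8 (constructed)" * 4
    ks = keystream(t1, t2, len(flasher) + len(body_108))
    enc_108 = xor_bytes(flasher + body_108, ks)
    # 1. recover the stream over the region whose plaintext is known
    ks_rec = recover_keystream(flasher, enc_108)
    # 2. rebuild tables with two different c; the streams must still agree
    pairs = [recreate_tables(ks_rec, 16, 8, c) for c in (0, 0x5A)]
    streams = {keystream(a, b, len(enc_108)) for a, b in pairs}
    # 3. extend the stream past the flasher and decrypt the rest of 1.0.8
    plain = xor_bytes(enc_108, streams.pop())
    return not streams and plain[len(flasher):] == body_108
```

The length check in `xor_bytes` is the cheap sanity test the thread relies on: if the flasher sizes differed, the known-plaintext assumption would already be suspect.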
Well I'm not sure we need to worry about solving this problem just yet. After all we have a decrypted version of the latest firmware, and until/unless Canon change the flasher we can just use the same trick each time?
Also, it may be possible to patch the flasher to make a ROM dump to the SD card.
In such a way we could know exactly how to make the decryptor instead of guessing.
Please check the following:
- use dissect_fw3 on the fir file
- use the decrypt_40D10X_Flasher tool to decrypt the flasher
- change some bytes in the binary file (I advise you to change some strings which are displayed in the flashing progress. Example: "Update Firmware?")
I did this test for you (altered some text in the flasher, re-encrypted, reassembled the .fir, applied a new checksum and tried it in my 40D). The great news is that yes it works just as you'd hoped. There doesn't appear to be any additional checksum on the flasher code itself and I didn't have to actually install the firmware to get this working.
Here's a photo of this in action, running with the 108 firmware:
http://redyeti.net/40d_test.jpg

I guess the next thing to do is figure out how to dump the ROM. I've worked with x86 assembly a lot in the past including reverse-engineering but firmware hacking is new to me. Would dumping the ROM mean learning how to write to CF cards (or perhaps writing it out over USB)?
If I get time I'll try to improve on the existing programs for dissecting/decrypting/checksumming the firmware so we have a nice all-in-one solution that can do a lot of the manual stuff for us (i.e. give us a flasher binary to patch as we like, then automatically reassemble the patched .fir including a checksum).