One finds those tables inside the decrypted flasher. Since it is symmetric stuff it should be no problem to reverse the algorithm and reconstruct the table from encrypted code. So maybe that's the way to get them.
Or maybe one guy connects to the chip with JTAG? I am sure the CPU has JTAG capabilities but I do not want to open my new camera :-) at least not at this time! (maybe I destroy it anyway with further development - then the time has come to open :-)
Well, I am not interested in how to get the tables for the flasher at this point. I am more interested in decrypting the datachunk as well as in running my own code. I failed when trying to patch the flasher and run it. Fixing the checksum alone is not enough.
I found a lot of checksumming and signature stuff in the flasher.
At least there is an MD5 calculation as well as AES!
If you would like to name the tables (50D fw 1.0.3), the AES tables are at:
0x990FCC - AES::SD[256] - 0x52, 9,0x6A,0xD5,0x30,0x36,0xA5,0x38
0x9910CC - AES_TE0[256] - 0xC66363A5,0xF87C7C84,0xEE777799
0x9914CC - AES::TE1[256] - 0xA5C66363,0x84F87C7C,0x99EE7777
0x9918CC - AES::TE2[256] - 0x63A5C663,0x7C84F87C,0x7799EE77
0x991CCC - AES::TE3[256] - 0x6363A5C6,0x7C7C84F8,0x777799EE
0x9920CC - AES::SE[256] - 0x63636363,0x7C7C7C7C,0x77777777 (unpacked)
0x9924CC - AES_TD0[256] - 0x51F4A750,0x7E416553,0x1A17A4C3
0x9928CC - AES_TD1[256] - 0x5051F4A7,0x537E4165,0xC31A17A4
0x992CCC - AES_TD2[256] - 0xA75051F4,0x65537E41,0xA4C31A17
0x9930CC - AES_TD3[256] - 0xF4A75051,0x4165537E,0x17A4C31
(the tables are well known, so it is no problem to find them in any code)
The stuff is referenced from within a table at 0x8A4594,
so the code at 0x8A45A4 is supposed to do AES.
First I thought it is not referenced but library stuff only,
but there is a reference to this code as a table entry at 0x8958CC. That address is pushed to the stack at:
895888 3C 30 9F E5 LDR R3, =do_AES_loc_8A45A4
89588C 00 30 8D E5 STR R3, [SP,#0]
If there is AES there must be another key :-) If that is in ROM we are fucked at this point.
(btw. the OS is DryOS of course for the 50D, too)
And YES, it DOES decrypt 50D 1.0.3
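The point that the AES tables are well known and therefore easy to find in any code can be checked directly. The script below is an added example, not code from this post or from the firmware: it derives the S-box, SD, TE0-3 and TD0-3 from the AES definition (no stored constants), so the first words can be compared against the list above, and scans a byte blob for their little-endian encoding the way ARM stores them. The "firmware image" it scans is a constructed stand-in, not a real 50D dump.

```python
import struct
def _gf_mul(a, b):
    # multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def aes_sbox():
    # forward S-box from its definition (GF(2^8) inverse, then the affine map), no stored bytes
    sbox = []
    for x in range(256):
        inv = next((y for y in range(256) if _gf_mul(x, y) == 1), 0)
        s = r = inv
        for _ in range(4):
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox.append(s ^ 0x63)
    return sbox

def aes_tables():
    # tables in the layout the post lists: SE as unpacked words, SD as bytes, TE0-3 and TD0-3
    S = aes_sbox()
    Si = [S.index(v) for v in range(256)]
    te0 = [(_gf_mul(s, 2) << 24) | (s << 16) | (s << 8) | _gf_mul(s, 3) for s in S]
    td0 = [(_gf_mul(s, 14) << 24) | (_gf_mul(s, 9) << 16) | (_gf_mul(s, 13) << 8)
           | _gf_mul(s, 11) for s in Si]
    ror = lambda w, n: ((w >> n) | (w << (32 - n))) & 0xFFFFFFFF
    tables = {"SE": [s * 0x01010101 for s in S], "SD": Si}
    for i in range(4):  # TE1..TE3 / TD1..TD3 are byte rotations of TE0 / TD0
        tables[f"TE{i}"] = [ror(w, 8 * i) for w in te0]
        tables[f"TD{i}"] = [ror(w, 8 * i) for w in td0]
    return tables

def find_aes_tables(blob, endian="<"):
    # map table name -> offset of its first byte; "<" = little-endian words, as ARM stores them
    hits = {}
    for name, tab in aes_tables().items():
        off = blob.find(bytes(tab) if name == "SD" else struct.pack(endian + "256I", *tab))
        if off >= 0:
            hits[name] = off
    return hits

def constructed_image():  # constructed stand-in for a dump: padding, TE0 LE words, a gap, SD
    t = aes_tables()
    return b"\xff" * 0x40 + struct.pack("<256I", *t["TE0"]) + b"\x00" * 16 + bytes(t["SD"])
```

On a real dump, load the file into a bytes object and call find_aes_tables on it; a hit offset plus the image's load base gives the table address, and a miss in the same region suggests a table that is not AES or a different word order.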