Re: Decryption of 30D firmware is possible.
« Reply #20 on: 09 / February / 2012, 07:21:31 »
Hi there,
first post here, so bear with me.

I'm sorry to resurrect such old a thread, but did anybody success in a version of CHDK or ML for a 30D?

Thank you,


In fact the encryption algorithm is the same as for the IXUS cameras. The keys are different, but are known and are the same for 20D and 30D. I found a "decrypt20D.exe" somewhere on the web (the Yahoo group?) with no source. I extracted the keys from the exe and added them into a modified copy of Alex Bernstein's firmware decrypter/unpacker. The resulting program successfully decrypts a 20D firmware update.

The only difference for the 30D is that the firmware file has an extra header of 32 bytes in the beginning. Once that is skipped the rest of the files decrypts properly. It worked just fine on "30d00104.fir" and "30d00105.fir".

The source for both the 20D and 30D decrypters is attached.


No need. The attached program decrypts 30d00105.fir ( just fine.

I have not done any further investigation of what the file format is but I know that the early IXUS unpacker does not work.

In plain text close to the beginning of both 20D and 30 files one can see:
"Copyright 1999-2001 ARM Limited
Copyright 1999-2001 Wind River Systems, Inc."

And later in the 20D file (20d00203.fir):
"VxWorks 5.5 VxWorks5.5  May 10 2005, 09:33:59"

And in the 30D file (30d00105.fir)
"VxWorks 5.5.1   VxWorks5.5.1    Nov  2 2005, 11:47:21"

So both are definitely using VxWorks just like all other DIGICII cameras.



Now "all" that is left to do is for someone to port the CHDK ;-)

Hehe, yeah..
 - And the Camera Hacking for a SLR will of course be rather different from a compact.

Wishlist for anyone that's really good:
  • The most wanted thing for me is a "reset after 5 minutes" feature: if it was longer than X minutes since last time I used the camera, I'd like exposure compensation to go to 0, color balance to auto, flash compensation to 0, ISO to 100, metering to center weighted, etc. I can't count the number of times where I've been shooting a whole bunch of images on ISO 1600 in full daylight, or getting a lot of images really dark (or having problems with too light frames) due to an image taken earlier with exposure compensation.
  • What about some mediocre "live view" on a 20D and 30D? With histogram and the lot? (One cannot do the full thing, since the hardware is lacking, as I've understood it)
  • Some "quick-mode" approximating a live-view: take a shot, but show the preview with RGB historygram overlay _right away_. Must hit a button to keep the image, or else it'll be killed by shooting again.
  • One obvious feature many of us SLR owners would like, which hopefully shouldn't be that extremely difficult, is time lapse (one can wonder very much why this isn't in there by default).
  • Large single RGB histogram when checking out the images.
  • A combined shoot-review mode - I can't stand that it is impossible to flip through and delete images when in shooting mode: pretty much all buttons throw you back to "next shot", while I'd like all buttons to work like in "play" mode, but when hitting the release button halfway or fully, I got back to shooting. So basically: some configuration where it was possible to make the shooting single-frame review instead act fully like "play" mode.

There's probably millions of things if this snowball just starts rolling sometime..


