Managed to decrypt 108FW,
1) Skip 1st 288bytes in FOR becuae they are not encrypted.
2) use uese attached decryption keys
Next step is to load it in IDA
I used mx3's dissect_fw3 from 40d_v10.rar, found here,
Any developers interested in working on CHDK firmware for DSLRs ?to split the FW file into Flasher and Data (payload) sections. However, the only way I can get string pointers, etc., to line up properly is to rejoin the header to the Flasher section ("cat 0_header.bin 1_flasher.bin > FW108flasher.bin") and load it into IDA at 0x00800000. Or load the header-less Flasher section at 0x00800120, though I haven't tried that (I like having the header in IDA for reference). You can also load the whole firmware file into IDA at 0x00800000, but the Data payload is still encrypted and just slows IDA down at this point.
The main task right now is to decrypt the Data payload section or to develop a memory dumper that will run in the camera and dump a memory image to the CF card. (I think the memory dumper would be the most helpful as it would provide a snapshot of the live environment rather than just dead code.)
Once you've got things loaded you might find the vxworks guide at colorado to be helpful.
If you need an ARM assembly language reference, then these sites may help:
ARM ASSEMBLER PROGRAMMING; tutorial, resources, and examplesARM Assembly Language ProgrammingThe thread in this forum entitled "code you HAVE RUN on your dslr", while not 40D specific, is very enlightening. owerlord and Seklth are working very hard at developing a memory dumper.