Guide how to start analysing 40D firmware - DSLR Hack development - CHDK Forum  
« previous next »
Pages: [1] 2   Go Down

Guide how to start analysing 40D firmware

  • 15 Replies
  • 21509 Views
*

Offline emklap

  • *
  • 45
Guide how to start analysing 40D firmware
« on: 17 / May / 2008, 09:56:33 »
Advertisements
Hi,

Can anyone give a small guide how to start analyzing the 40D firmware.
1) How to de-crypt the FW (105 I know, but 1.08 does not work yet for me)
2) How to load it in IDA ? Whar are the loading adresses and offset values
3) Are there any signatires etc to apply?
4) where the files (deryptor etc) are located

Help will be appreciated.

Regards,
EMKLAP

Logged
*

Offline emklap

  • *
  • 45
Re: Guide how to start analysing 40D firmware
« Reply #1 on: 19 / May / 2008, 05:11:19 »
Managed to decrypt 108FW,

1) Skip 1st 288bytes in FOR becuae they are not encrypted.  :D
2) use uese attached decryption keys

Next step is to load it in IDA
Logged
*

Offline DataGhost

  • ****
  • 314
  • EOS 40D, S5IS
    • DataGhost.com
Re: Guide how to start analysing 40D firmware
« Reply #2 on: 19 / May / 2008, 05:37:46 »
Confirmed, I've been able to decrypt the firmware using the table you supplied. It's not easily usable for decrypt40D.c, though, so I had to convert it. The camera seems to use VxWorks.

Anyway, I haven't really been paying attention to the DSLR decryption business, can you explain how you found the encryption tables? That might be useful information for other models as well.
Logged
*

Offline emklap

  • *
  • 45
Re: Guide how to start analysing 40D firmware
« Reply #3 on: 19 / May / 2008, 05:45:25 »
Hi,

I used an excel macro to decrypt so that's wht the tables cannot be used in C directly.
I found the kesy in the tool set eos_tools_v11.rar on this forum. The executables where not working but I cound use the code to decrypt the FW (see link) and search for the word RAR
Any developers interested in working on CHDK firmware for DSLRs ?

Logged
*

ASalina

Re: Guide how to start analysing 40D firmware
« Reply #4 on: 19 / May / 2008, 12:41:19 »
Quote from: emklap on 19 / May / 2008, 05:11:19

Managed to decrypt 108FW,

1) Skip 1st 288bytes in FOR becuae they are not encrypted.  :D
2) use uese attached decryption keys

Next step is to load it in IDA


I used mx3's dissect_fw3 from 40d_v10.rar, found here,

Any developers interested in working on CHDK firmware for DSLRs ?

to split the FW file into Flasher and Data (payload) sections. However, the only way I can get string pointers, etc., to line up properly is to rejoin the header to the Flasher section ("cat 0_header.bin 1_flasher.bin > FW108flasher.bin") and load it into IDA at 0x00800000. Or load the header-less Flasher section at 0x00800120, though I haven't tried that (I like having the header in IDA for reference). You can also load the whole firmware file into IDA at 0x00800000, but the Data payload is still encrypted and just slows IDA down at this point.

The main task right now is to decrypt the Data payload section or to develop a memory dumper that will run in the camera and dump a memory image to the CF card. (I think the memory dumper would be the most helpful as it would provide a snapshot of the live environment rather than just dead code.)

Once you've got things loaded you might find the vxworks guide at colorado to be helpful.

If you need an ARM assembly language reference, then these sites may help:
ARM ASSEMBLER PROGRAMMING; tutorial, resources, and examples
ARM Assembly Language Programming

The thread in this forum entitled "code you HAVE RUN on your dslr", while not 40D specific, is very enlightening. owerlord and Seklth are working very hard at developing a memory dumper.
Logged
*

Offline emklap

  • *
  • 45
Re: Guide how to start analysing 40D firmware
« Reply #5 on: 19 / May / 2008, 14:21:56 »
I loaded the complete FW into IDA pro @ 0x800000 and am now making some IDC scripts to analyse the code.
Post them when I have some results
Logged
*

Offline DataGhost

  • ****
  • 314
  • EOS 40D, S5IS
    • DataGhost.com
Re: Guide how to start analysing 40D firmware
« Reply #6 on: 19 / May / 2008, 14:54:43 »
I also dissected the 400D firmware update today, I thought I'd apply the same method to the 40D image. I didn't interpret any header, just quick guessing work (because I didn't look into interpreting headers yet). I couldn't find a second instance of 'Copyright 1999-2001 etc' so I tried searching from the last copyright message (which is quite near the actual firmware in the 400D flasher). I distinctly saw the code pattern in the hexdumper change around 0x19DB40 (fw 108) and the hex didn't look much like assembly. Even better, it looked 'dense', I got this warm and fuzzy feeling I normally get when jumping into encrypted data. A quick code-to-image conversion shows that the main firmware seems to be encrypted, so it'll probably require a lot of flasher analysis to get that decrypted.
Logged
*

Offline emklap

  • *
  • 45
Re: Guide how to start analysing 40D firmware
« Reply #7 on: 19 / May / 2008, 16:01:11 »
Here my first  IDC to change a block of strings ointo string references.
The block of strings contains 27720 strings, in 18 languages.
It are the CF.n settings as well as the menu strings.
when we find reference to these strings we might be able to find the code that belongs to menus's and C.Fn's.
I am most interrested in the "AF Microadjustment"  at address 0x8B79E2

When I now some more about the ARM code /mnemomics I can try the same techiques to analyse the code itself

#include <idc.idc>

static main()
{
  auto sb, se, b,  Block_start, Block_end ;

  Message("*** START OF ANALYSIS ***\n");

  sb = MinEA();
  se = MaxEA();

  Block_start = 0x8E7FC;
  Block_end = 0x1035CF;

  Message("Searching for strings...\n");
  findStrings(sb+Block_start, sb+Block_end);
  Message("Please wait...\n");
  Wait();

  Message("*** END OF ANALYSIS ***\n");
}

#define MIN_STRING_LENGTH 1
#define MAX_STRING_LENGTH 100

static findStrings(sb, se)
{
  auto a, c, cnt, str, res;

 cnt = 0;
  for (a=sb; a<se; a=a+1) {
    str = a;
    do {
      c = Byte(str);
      str = str+1;
    } while (c!=0x00);

    MakeUnkn(a, str-a);
    res = MakeStr(a, str);
    cnt = cnt+1;
    a=str-1;

  }
  Message( "Strings found %d times\n", cnt);
}


Have Fun
 :D
Logged
*

ASalina

Re: Guide how to start analysing 40D firmware
« Reply #8 on: 19 / May / 2008, 18:22:12 »
Quote from: DataGhost on 19 / May / 2008, 14:54:43
I also dissected the 400D firmware update today, I thought I'd apply the same method to the 40D image. I didn't interpret any header, just quick guessing work (because I didn't look into interpreting headers yet). I couldn't find a second instance of 'Copyright 1999-2001 etc' so I tried searching from the last copyright message (which is quite near the actual firmware in the 400D flasher). I distinctly saw the code pattern in the hexdumper change around 0x19DB40 (fw 108) and the hex didn't look much like assembly. Even better, it looked 'dense', I got this warm and fuzzy feeling I normally get when jumping into encrypted data. A quick code-to-image conversion shows that the main firmware seems to be encrypted, so it'll probably require a lot of flasher analysis to get that decrypted.

The 40D and 400D FW file structures are different from each other. owerlord did an analysis of this for the 400D and I compared it to the 40D. I collected his findings for the 400D into a single post located here:
Any developers interested in working on CHDK firmware for DSLRs ?

The 40D's FW file is similar, except that there is a single firmware "payload." My next post in that thread discusses the difference.

mx3 did a lot of work analyzing the encryption of the 40D FW. The loader/flasher part of the FW file decrypted properly but the firmware payload did not. mx3's theory is that the other hash tables to decrypt the firmware payload are generated in some way by the loader/flasher code. See here for details:
Any developers interested in working on CHDK firmware for DSLRs ?

Logged
*

ASalina

Re: Guide how to start analysing 40D firmware
« Reply #9 on: 19 / May / 2008, 20:44:38 »
Quote from: emklap on 19 / May / 2008, 16:01:11

I am most interrested in the "AF Microadjustment"  at address 0x8B79E2


These are a few of my favorite strings:

ROM:008BE533 aNumberOfBrackete DCB "Number of bracketed shots",0
ROM:008BE8F0 a25Shots        DCB "2:5 shots",0
ROM:008BE9B5 a37Shots        DCB "3:7 shots",0

There are some other interesting ones, but 5 or 7 bracketed shots would be a huge boon to HDR photographers.
Logged
Pages: [1] 2   Go Up
« previous next »
 

Related Topics