What is the main purpose of this investigation?
1) Launch code on the camera without firmware modification.
For this we must know how to pack a .fir file in such a way that it is accepted by the camera.
Code has already been launched on the camera by patching the flasher section and keeping the "payload" section intact (see here).
owerlord managed to get the bootloader of the 400D.
I'm sure it is almost the same for the 40D.
It seems to me it is possible to launch code without packing a file (a flat binary file: name it AUTOEXEC.bin and mark your card as bootable; see cardtricks).
So it seems to me there are no problems with launching code (via .fir or autoexec.bin).
2) For the code to do some useful things we need to know the ROM content.
Until we have a ROM dump or decrypt the payload section, it is of little use to be able to run your code.
I see 3 ways to get the ROM content:
a) Analyse the flasher to extract the encryption algorithm (it seems people are working on it).
b) Do a brute-force decryption attack on the payload section (I think I know how to do it).
c) Patch the flasher so it saves a ROM dump to the memory card.
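The card-side half of the AUTOEXEC.bin route, as an added example that is not part of the original post and not the CardTricks tool's own code. It writes the "BOOTDISK" marker that CHDK/CardTricks document for the bootable-card trick: at offset 0x40 of the boot sector for FAT12/FAT16 and at 0x1E0 for FAT32. It goes beyond the post by deriving the FAT type from the BPB cluster count (the Microsoft FAT rule) instead of asking the user, and it refuses sectors without the 0x55AA signature. `build_boot_sector` constructs synthetic boot sectors so the example runs offline; `patch_image` is a hypothetical helper name. Whether the 40D bootloader honours this flag at all is an assumption, which is exactly the open question above.

```python
"""Set the CHDK/CardTricks "BOOTDISK" flag in a FAT boot sector.

Added example, not code from the original post or from CardTricks.
Offsets are CHDK's documented ones: 0x40 (FAT12/16), 0x1E0 (FAT32).
Assumption: the 40D bootloader checks the same flag as PowerShots.
"""
import struct
import sys

BOOT_MARK = b"BOOTDISK"
MARK_OFFSET = {"FAT12": 0x40, "FAT16": 0x40, "FAT32": 0x1E0}


def fat_type(sector: bytes) -> str:
    """Classify a boot sector as FAT12/FAT16/FAT32 by data-cluster count (MS FAT spec)."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector: missing 0x55AA signature")
    (byts_per_sec, sec_per_clus, rsvd_sec, num_fats,
     root_ent, tot_sec16) = struct.unpack_from("<HBHBHH", sector, 0x0B)
    fat_sz16 = struct.unpack_from("<H", sector, 0x16)[0]
    tot_sec32, fat_sz32 = struct.unpack_from("<II", sector, 0x20)
    if byts_per_sec == 0 or sec_per_clus == 0 or num_fats == 0:
        raise ValueError("invalid BPB")
    fat_sz = fat_sz16 or fat_sz32
    tot_sec = tot_sec16 or tot_sec32
    root_dir_sectors = (root_ent * 32 + byts_per_sec - 1) // byts_per_sec
    data_sectors = tot_sec - (rsvd_sec + num_fats * fat_sz + root_dir_sectors)
    clusters = data_sectors // sec_per_clus
    if clusters < 4085:
        return "FAT12"
    if clusters < 65525:
        return "FAT16"
    return "FAT32"


def is_bootable(sector: bytes) -> bool:
    off = MARK_OFFSET[fat_type(sector)]
    return sector[off:off + 8] == BOOT_MARK


def mark_bootable(sector: bytes) -> bytes:
    """Return a copy of the sector with the marker at the offset for its FAT type."""
    off = MARK_OFFSET[fat_type(sector)]
    buf = bytearray(sector)
    buf[off:off + 8] = BOOT_MARK   # idempotent: both offsets lie in boot-code space, not the BPB
    return bytes(buf)


def build_boot_sector(total_sectors: int, fat32: bool) -> bytes:
    """Construct a minimal, self-consistent boot sector (synthetic input, not from a real card)."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"       # jump + NOP, as real boot sectors start
    sec[3:11] = b"MSWIN4.1"
    sec_per_clus = 8 if fat32 else 4
    entry_bytes = 4 if fat32 else 2  # FAT entry width drives the FAT size
    fat_sectors = (total_sectors // sec_per_clus * entry_bytes + 511) // 512
    rsvd, root_ent = (32, 0) if fat32 else (1, 512)
    tot16 = 0 if fat32 or total_sectors > 0xFFFF else total_sectors
    # BytsPerSec, SecPerClus, RsvdSecCnt, NumFATs, RootEntCnt, TotSec16, Media, FATSz16
    struct.pack_into("<HBHBHHBH", sec, 0x0B, 512, sec_per_clus, rsvd, 2,
                     root_ent, tot16, 0xF8, 0 if fat32 else fat_sectors)
    # TotSec32, FATSz32
    struct.pack_into("<II", sec, 0x20, 0 if tot16 else total_sectors,
                     fat_sectors if fat32 else 0)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def patch_image(path: str) -> str:
    """Hypothetical helper: patch sector 0 of a card image in place, return the FAT type."""
    with open(path, "r+b") as f:
        patched = mark_bootable(f.read(512))
        f.seek(0)
        f.write(patched)
    return fat_type(patched)


if __name__ == "__main__":
    print("marked as bootable:", patch_image(sys.argv[1]))
```

Run it against a raw image of the card (or the block device, with a backup of sector 0 first, since it is a destructive write), then copy AUTOEXEC.bin to the card root. The FAT-type check matters because writing the FAT16 offset on a FAT32 card leaves the flag unread and the card unchanged from the camera's point of view.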