VerifyAndDecryptFirmware() Found! Maybe... - page 3 - DSLR Hack development - CHDK Forum

Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #20 on: 27 / May / 2008, 11:22:42 »
Interesting addresses found in the header part, the first 288 bytes that do not need decryption.
It looks like the start of the payload and the size of the payload.

On bytes 0x60-0x63 the offset 0x19DC80 is mentioned. Add the 0x800000 => 0x99DC80 = start of payload?
On bytes 0x64-0x67 the size is mentioned = 0x006311EC.

Add these two together and the result is the exact last byte in the file. :D :D

So finding references to 0x19DC80 might help decrypt the FW.

In the header the offset 0x19DBD0 is also mentioned, which probably means 0x99DBD0, but I do not have a clue why.
« Last Edit: 27 / May / 2008, 11:25:12 by emklap »
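
An added check for the header observation in the post above (example code written for this page; it is not from the thread or from CHDK). It reads the two 32-bit fields at 0x60 and 0x64 and tests whether offset + size lands exactly on the end of the file. Assumptions the page does not state: the fields are little-endian, the raw 0x19DC80 value is a file offset while the 0x800000 the post adds is a load-address base (so the length check uses 0x19DC80 + 0x006311EC), and the header is the 288 unencrypted bytes the post mentions. With a .fir path as its only argument it runs on a real file; with no argument it builds a constructed image using the post's numbers.

```python
"""Layout check for the two header fields identified in the post.

Assumptions (not from the page): little-endian fields, 0x120-byte
unencrypted header, 0x800000 is a load-address base rather than part
of the file offset.
"""
import struct
import sys

HEADER_LEN = 0x120          # the 288 bytes the post says are not encrypted
PAYLOAD_OFF_FIELD = 0x60    # post: 0x19DC80 is stored here
PAYLOAD_SIZE_FIELD = 0x64   # post: 0x006311EC is stored here
LOAD_BASE = 0x800000        # the value the post adds to get 0x99DC80 (assumed load base)


def parse_fir_header(data: bytes) -> dict:
    """Return the two fields the post identifies plus the derived values."""
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than the 0x120-byte header")
    (payload_off,) = struct.unpack_from("<I", data, PAYLOAD_OFF_FIELD)
    (payload_size,) = struct.unpack_from("<I", data, PAYLOAD_SIZE_FIELD)
    return {
        "payload_offset": payload_off,
        "payload_size": payload_size,
        "payload_end": payload_off + payload_size,       # should equal file size
        "payload_load_addr": payload_off + LOAD_BASE,    # the post's 0x99DC80
        "file_size": len(data),
    }


def check_layout(data: bytes) -> bool:
    """True when offset + size is exactly the file length (the post's observation)."""
    h = parse_fir_header(data)
    return h["payload_end"] == h["file_size"]


def build_sample_fir(payload_off: int, payload_size: int, slack: int = 0) -> bytes:
    """Constructed stand-in for a .fir image: zeroed header with the two
    fields filled in, then 0xFF filler up to payload_off + payload_size + slack.
    A non-zero slack models a file whose length does not match its header."""
    hdr = bytearray(HEADER_LEN)
    struct.pack_into("<I", hdr, PAYLOAD_OFF_FIELD, payload_off)
    struct.pack_into("<I", hdr, PAYLOAD_SIZE_FIELD, payload_size)
    body_len = payload_off + payload_size + slack - HEADER_LEN
    return bytes(hdr) + b"\xff" * body_len


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        # constructed image with the numbers from the post
        data = build_sample_fir(0x19DC80, 0x006311EC)
    for name, value in parse_fir_header(data).items():
        print(f"{name:18} 0x{value:08X}")
    print("offset + size == file size:", check_layout(data))
```

If the check fails on a real file, the first thing to revisit is the assumption about which of the two candidate sums (raw offset or offset plus the 0x800000 base) the post meant; the function exposes both so the comparison is a one-line change.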

mx3
Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #21 on: 27 / May / 2008, 11:36:54 »
Quote
Interesting addresses found in the header part, the first 288 bytes that do not need decryption.
It looks like the start of the payload and the size of the payload.

On bytes 0x60-0x63 the offset 0x19DC80 is mentioned. Add the 0x800000 => 0x99DC80 = start of payload?
On bytes 0x64-0x67 the size is mentioned = 0x006311EC.

Add these two together and the result is the exact last byte in the file. :D :D

So finding references to 0x19DC80 might help decrypt the FW.

In the header the offset 0x19DBD0 is also mentioned, which probably means 0x99DBD0, but I do not have a clue why.

See attached file 40d_v10.rar.
Any developers interested in working on CHDK firmware for DSLRs?
skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler

Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #22 on: 28 / May / 2008, 07:23:00 »
Yes, that file was the one that triggered my mind :o
Any idea wha

mx3
Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #23 on: 28 / May / 2008, 07:32:14 »
Quote
Yes, that file was the one that triggered my mind :o
Any idea wha

If you guess the meaning of some fields, please publish a new version of this file (40d_v10.rar) so we all do not do double work.
Just add comments to the last column and change the version of the file.



Update: I can save this file in Excel (or CSV) format if you wish.
« Last Edit: 28 / May / 2008, 07:34:26 by mx3 »


mx3
Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #24 on: 28 / May / 2008, 08:06:49 »
What is the main purpose of this investigation?

1) Launch code on the camera without firmware modification.
 For this we must know how to pack a .fir file in such a way that it is accepted by the camera.
 Code has already been launched on the camera by patching the flasher section and keeping the "payload" section intact (see here).

owerlord managed to get the bootloader of the 400D.
I'm sure it is almost the same for the 40D.
It seems to me it is possible to launch code without packing the file (a binary flat file; name it AUTOEXEC.bin, and mark your card as bootable; see cardtricks).

So it seems to me there are no problems with launching code.... (via .fir or autoexec.bin)


2) For the code to do some useful things we need to know the ROM content.
Until we have a ROM dump or decrypt the payload section it is of little use to be able to run your code.

I see 3 ways to get the ROM content:
a) analyse the flasher to extract the encryption algorithm (it seems people are working on it)
b) do a brute-force decryption attack on the payload section (I think I know how to do it)
c) patch the flasher so it would save a ROM dump on the memory card


ASalina

Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #25 on: 28 / May / 2008, 13:07:41 »
Quote
What is the main purpose of this investigation?

1) Launch code on the camera without firmware modification.
 For this we must know how to pack a .fir file in such a way that it is accepted by the camera.
 Code has already been launched on the camera by patching the flasher section and keeping the "payload" section intact (see here).

owerlord managed to get the bootloader of the 400D.
I'm sure it is almost the same for the 40D.

I'm working on this right now. I have written an LED scanner
program (as suggested by owerlord) and a checksum patcher.
I think I'll write a complete header generator for use in a script to package a new .fir file. This will make it simpler to make test programs and turn them into fake .fir loaders.

Quote
It seems to me it is possible to launch code without packing the file (a binary flat file; name it AUTOEXEC.bin, and mark your card as bootable; see cardtricks).

I have tried this with udumper, just to see what happens. I made the CF card bootable and put diskboot.bin and empty.dum on the card. Nothing happened.

Of course, since this is not an SD card I didn't expect much, but the start up process was completely normal.

One interesting thing I found: If I hold down the "direct print" button when turning power on, the camera does not start up normally. The Sensor Cleaning screen does not display. I don't remember now if any buttons worked, but I think not. I also don't remember if just turning power off and then back on restored normal startup, or if I had to remove batteries. I'll have to try again and make notes (I got interested in the LED scanner).

Quote
So it seems to me there are no problems with launching code.... (via .fir or autoexec.bin)
I didn't try with AUTOEXEC.BIN. Once I find the LED addresses we can at least test this. Even just blinking out important address contents may be helpful (i.e. blinking out hash table contents rather than whole firmware!)

Quote
I see 3 ways to get the ROM content:
a) analyse the flasher to extract the encryption algorithm (it seems people are working on it)
b) do a brute-force decryption attack on the payload section (I think I know how to do it)
c) patch the flasher so it would save a ROM dump on the memory card


d) Blink out hash table from running OS. :-)

mx3
Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #26 on: 28 / May / 2008, 18:32:37 »
Quote
I didn't try with AUTOEXEC.BIN.
Why not try?

Quote
Blink out hash table from running OS. :-)
If we have code running inside the started OS we do not need to blink anything.
The running OS can work with the file system....

Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #27 on: 28 / May / 2008, 19:09:33 »
I vote for the blink ;-)

In fact, if you manage to blink the 0xFF810000 segment (even a small part) you can get the XOR table out of it and decode the rest; am I thinking right?
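
A worked version of the known-plaintext idea in the reply above, as an added example that is not code from the thread and does not describe Canon's actual scheme. It assumes the payload is XORed with a fixed table that repeats every `period` bytes (an assumption; the page never states what the encryption is). Given a short leaked stretch of decrypted ROM at a known offset, XORing it against the matching ciphertext bytes recovers the table, and the table then decrypts everything else. The sample ROM, the table and the "blinked out" fragment are all constructed inline.

```python
"""Recover a repeating XOR table from a known-plaintext fragment.

Assumption (not from the page): the payload is ciphertext = plaintext XOR
table[i % period]. Canon's real scheme is not known to be this.
"""
from itertools import cycle


def xor_with_table(data: bytes, table: bytes) -> bytes:
    """Apply a repeating XOR table (symmetric: the same call encrypts and decrypts)."""
    return bytes(b ^ k for b, k in zip(data, cycle(table)))


def recover_xor_table(cipher: bytes, known_plain: bytes, known_off: int, period: int) -> bytes:
    """Derive the period-byte table from known plaintext located at known_off.

    The fragment must cover at least one full period. Any table slot the
    fragment covers twice must agree; a disagreement means the period guess
    (or the assumed plaintext) is wrong, which is the check that makes a
    wrong guess visible instead of silently producing garbage."""
    if len(known_plain) < period:
        raise ValueError("need at least one full period of known plaintext")
    table = [None] * period
    for i, p in enumerate(known_plain):
        pos = known_off + i
        k = cipher[pos] ^ p
        slot = pos % period
        if table[slot] is None:
            table[slot] = k
        elif table[slot] != k:
            raise ValueError(f"inconsistent key byte at cipher offset {pos}: "
                             f"period {period} is wrong or the plaintext is")
    return bytes(table)


def guess_period(cipher: bytes, known_plain: bytes, known_off: int, max_period: int = 256):
    """Smallest period for which the fragment is self-consistent.

    Needs a fragment longer than the true period to discriminate; returns
    None when no period up to the limit fits."""
    for p in range(1, min(max_period, len(known_plain)) + 1):
        try:
            recover_xor_table(cipher, known_plain, known_off, p)
            return p
        except ValueError:
            continue
    return None


def demo():
    """Constructed scenario: 16-byte table, fake ROM, only the first 40
    decrypted bytes are available (as if blinked out through the LED)."""
    table = bytes.fromhex("3a7f01c4e2b19d06552f8ac70e6b93d1")   # constructed key table
    rom = b"\x00" * 8 + b"constructed ROM header string\x00" + bytes(range(256)) * 4
    cipher = xor_with_table(rom, table)
    leaked = rom[:40]                       # the small dumped part
    period = guess_period(cipher, leaked, 0)
    recovered = recover_xor_table(cipher, leaked, 0, period)
    return period, recovered == table, xor_with_table(cipher, recovered) == rom


if __name__ == "__main__":
    period, table_ok, rom_ok = demo()
    print(f"period={period} table recovered={table_ok} full ROM decrypted={rom_ok}")
```

The point of the exercise is how little plaintext a repeating table needs: one period plus a few bytes of overlap is enough to recover it and to reject a wrong period guess. If the encryption is anything stronger than a fixed table, this recovers nothing, which is why pulling the decryptor out of the flasher section (the route the next reply prefers) is the more general path.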


mx3
Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #28 on: 28 / May / 2008, 19:46:40 »
Quote
In fact, if you manage to blink the 0xFF810000 segment (even a small part) you can get the XOR table out of it and decode the rest; am I thinking right?

Of course you are right, but it has already been proven that the flasher section contains the decryptor.
So I think there is no need to make a FW dump for this.

« Last Edit: 28 / May / 2008, 19:49:38 by mx3 »


ASalina

Re: VerifyAndDecryptFirmware() Found! Maybe...
« Reply #29 on: 29 / May / 2008, 01:08:58 »
Quote
I didn't try with AUTOEXEC.BIN.
Why not try?
I tried it just now. It didn't do anything.

Also, holding the "direct print" button doesn't always make the camera start up abnormally... Strange. It seems random.

Quote
Blink out hash table from running OS. :-)
If we have code running inside the started OS we do not need to blink anything.
The running OS can work with the file system....
Maybe I said that wrong. I meant in the running flasher. :-)

Quote
It has already been proven that the flasher section contains the decryptor.
So I think there is no need to make a FW dump for this.

If you could work on figuring out the decrypter I can work on blinking out part of FF810000. We can use which ever way comes first. That may be your way because I won't have much time until next week, but I'll do what I can now. Plus, this is educational for me.


 
