Ok since DSLR firmwares are encryped as well I tried the 300D, 20D and 40D decryption keys, and it seems like they used the 300D keys to decrypt the HF10 firmware, at least partly.
To be able to quickly see if the key is right, I extended Alex Bernstein's firmware decrypter tool to apply decryption, search for ascii strings and print them out. Since the second key is 513 bytes long and I have no idea where the encrypted part starts, I decrypted the firmware 513 times, every time starting at the byte that equals the round, e.g. first round started at byte 0, 10th round started at byte 9, etc... My theory was that if the key is right, there should be one round where the decryption starts at the right alignment and I get a bunch of strings.
The problem I have is that there was no round where I got a big bunch of strings, but a few rounds where I got some parts of strings... some examples: "Directory OK" (round 24), "ctest sys dget ctol" (round 64), "save virtual playList error" (round 104), ... I could post the whole list but I don't know if I'm allowed to.
Anyway, is there someone who has an idea where the problem could be so I can decrypt the whole thing?