HF10 & HV30 (Digic DV II) decrypted!

  • 213 Replies
  • 80173 Views
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #110 on: 21 / December / 2008, 00:38:07 »
I attempted the update by copying the firmware onto the card, going into system settings, selecting the firmware option.  At that point it asked me if I wanted to update the firmware from version 1.0.1.0 to version 1.0.1.1.  I selected OK, and it said "Updating Firmware.  Don't turn the power off" for about 1 minute, and then it came up with the error message "Firm Update Error!  Check the card.", and had a box to select OK.  It dropped me back into the system settings menu, and the firmware did not seem to be updated.  I've attached images of the update process, I apologize in advance for the blurriness, my camera's macro mode isn't particularly good.

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #111 on: 21 / December / 2008, 04:56:46 »
I selected OK, and it said "Updating Firmware.  Don't turn the power off" for about 1 minute, and then it came up with the error message "Firm Update Error!  Check the card.", and had a box to select OK.

Damn, I hate such generic error messages! So what could that mean? Checksum, another version check, or is there really a problem with your card?

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #112 on: 21 / December / 2008, 13:10:15 »
I'm fairly sure it's not the card not initialized correctly, since it's able to read the firmware, and it's doing something for a good minute before displaying the message.  I think it's a safe bet that there's a checksum or some other sort of authentication mechanism that is failing.  Looking at the firmware analysis, I'm fairly sure that the last 0x2C sized tail is not encrypted.  The only reason that it works is that the decrypt mechanism is the same as the encrypt.  But if you look at 1.0.2.0, the non-decrypted footer looks very similar to the non-decrypted footer on 1.0.1.0.  If you decrypt it, they vary a great deal.  I've been trying to make some progress on what the footer actually contains, I suspect that it contains whatever the checksum/CRC values are that are used to authenticate the ROM.

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #113 on: 21 / December / 2008, 13:48:45 »
Looking at the firmware analysis, I'm fairly sure that the last 0x2C sized tail is not encrypted.

Yeah we know that already, it's discussed somewhere in this thread. It contains a kind of index that consists of (address,size) pairs (if I remember correctly) that divide the firmware file into sections. And then it contains an unknown field that is suspected to be a checksum, but I've tried many known algorithms and couldn't verify it.

edit: it's (size,?checksum?) pairs. Look here: http://chdk.setepontos.com/index.php/topic,1641.msg20402.html#msg20402
« Last Edit: 21 / December / 2008, 13:54:46 by Wiesel »


Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #114 on: 21 / December / 2008, 22:54:09 »
Does anyone have or know where the hf updater for firmware 1.0.1.0 is?  I have the 1.0.2.0 one from Canon's website as well as the HV30 updater, but I wanted to compare the firmwares for 1.0.1.0 and 1.0.2.0 in case the first file contains a new (or maybe the same) checksum checking code (wherever that may be) for the next firmware in sequence.

It would also be interesting to compare other differences in the files.

EDIT: I think I got it, but is the Japanese firmware update (VEE1.fim) for iVIS HF10 the same as the VEE1.fim for the American version?

EDIT2: Just had a thought, after reading Canon's webpage.  If the camera can be updated from either 1.0.0.0 or 1.0.1.0 to 1.0.2.0, then both firmwares would have to have the same checksum checker.  Maybe this was obvious to everyone but it took me a minute  ::)
« Last Edit: 21 / December / 2008, 23:12:20 by Xcelerate »

Offline cail
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #115 on: 22 / December / 2008, 07:33:16 »
Damn, I hate such generic error messages! So what could that mean? Checksum, another version check, or is there really a problem with your card?
Wiesel, note that the version number field is a part of the section body - because of this I think your guess is right - unfortunately that's a checksum check failure.

It's good to hear we have volunteers with hardware not afraid of experimenting.

Regarding the checksum - the easiest try we can make is to check if this is some kind of trivial ADD/XOR checksum.

Wiesel, since you're increasing the version number by one - just try to fix the checksum field also by +1. You may also try to increase it by 0x0100, 0x010000, 0x01000000 - to check possible byte offsets.
That is just a guess - at least we are safe trying it.

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #116 on: 22 / December / 2008, 13:03:41 »
I saw something that Napalm did-- changing two different bytes in opposite directions.  For example, change the string "firmware" to "firmwbqe".  For the camera he was analyzing, its checksum was not altered by incrementing one byte and decrementing the byte next to it, so if someone wants to see if the camera will allow an update with this modification, then it could give a clue as to what kind of checksum is being used.
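As an added illustration of the two probes proposed in the last two posts (cail's "is the footer field a trivial ADD/XOR checksum" check, and the increment-one-byte/decrement-its-neighbour edit), here is a small Python script that is not from this thread and does not touch any Canon image: the sample image, its footer layout, the field offset and the candidate list are all constructed assumptions.

```python
import struct
import zlib

# Constructed sample image (not Canon firmware): body + 4-byte LE footer field = byte sum.
BODY = bytes(range(256)) * 4 + b"firmware 1.0.1.0" + b"\xff" * 16

def sum8(data):      # byte-wise additive checksum, 8-bit result
    return sum(data) & 0xFF

def sum32(data):     # byte-wise additive checksum, 32-bit result
    return sum(data) & 0xFFFFFFFF

def wsum32(data):    # sum of little-endian 32-bit words, 32-bit result
    pad = data + b"\x00" * (-len(data) % 4)
    return sum(struct.unpack("<%dI" % (len(pad) // 4), pad)) & 0xFFFFFFFF

def xor8(data):      # byte-wise XOR checksum
    acc = 0
    for b in data:
        acc ^= b
    return acc

def crc32(data):     # CRC-32 (zlib flavour), for contrast with the additive candidates
    return zlib.crc32(data) & 0xFFFFFFFF

CANDIDATES = {"sum8": sum8, "sum32": sum32, "wsum32": wsum32, "xor8": xor8, "crc32": crc32}
IMAGE = BODY + struct.pack("<I", sum32(BODY))   # sample footer field holds sum32(BODY)

def matching_candidates(image, field_off, width=4):
    """Candidates whose value over the image (field excluded) equals the stored field,
    read as little- or big-endian: the 'is it a trivial ADD/XOR checksum' test."""
    field = image[field_off:field_off + width]
    stored = {int.from_bytes(field, "little"), int.from_bytes(field, "big")}
    rest = image[:field_off] + image[field_off + width:]
    return sorted(name for name, fn in CANDIDATES.items() if fn(rest) in stored)

def neighbour_edit(data, off):
    """Increment data[off] and decrement data[off + 1]: the 'firmware' -> 'firmwbqe' edit."""
    buf = bytearray(data)
    buf[off] = (buf[off] + 1) & 0xFF
    buf[off + 1] = (buf[off + 1] - 1) & 0xFF
    return bytes(buf)

def unchanged_by_edit(data, off):
    """Per candidate: True if the edit leaves the value unchanged, i.e. the check misses it."""
    edited = neighbour_edit(data, off)
    return {name: fn(data) == fn(edited) for name, fn in CANDIDATES.items()}
```

On the constructed image the byte sums cannot see the "firmwbqe" edit, the word sum and CRC-32 can, and the XOR candidate is fooled only because 0x61^0x62 and 0x72^0x71 happen to be equal. Once an edited byte wraps past 0xFF the 32-bit byte sum changes as well, so the probe's verdict depends on which pair of bytes is chosen.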

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #117 on: 23 / December / 2008, 11:21:13 »
I would certainly be interested in trying something like that.  Does someone have a v1.0.1.0 unmodified firmware update that they can post a link for?  I only have an unmodified 1.0.2.0.


Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #118 on: 23 / December / 2008, 12:45:37 »
Yeah, you can find it at http://web.canon.jp/imaging/dcp/ivis/hf10/frm/firmdownload-j.html#serial The website's in Japanese but I think it is the same firmware as for the American one 'cause its file is really similar to the 1.0.2.0 one.  You'll need to enter your (or a) serial number at the bottom of the page.  I will try modifying the 1.0.1.0 in the manner I described, although since I'm a bit new to this, it might be a bit faster if someone like Wiesel or Cail did it.

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #119 on: 23 / December / 2008, 18:02:11 »
I had no luck on the Japanese site with my serial number.  It seems it redirects me to a page saying I already had it installed, as I have a later serial number.  I tried the old Ebay trick, but the old link is down, so no go on getting the firmware for me.  If someone could PM me an old serial number or the original firmware, it would be much appreciated.  In the meantime, here's my contribution.  I used Wiesel's 2 decoding program as a start.  I was having a lot of difficulty modifying the software to do anything more, so I cleaned it up.  This new decoder uses a single table instead of the 2 XORs.  It also doesn't decode the tail, and prints info on the different sections of the decoded firmware.  You can use it to encrypt, decrypt, or just print info from either a decrypted or encrypted firmware.  I'm including the code so you guys can use it as a template.  If you make any changes, please post them into the forum.  Using my software, I started looking at the different sections, and I've made some conclusions.  Feel free to comment or disagree.  Whatever the Checksum/CRC we are having that is failing is probably not in the footer section of the ROM, or at least not in the footer sections we understand yet.  It's an array of structures that seem to point to different offsets in the file, and includes an unknown value.  Earlier posts theorized that this was a checksum/CRC of some sort, and that may still be true, but it's not the one we are failing on.  The first firmware that was posted only changed the version number, and that version number is outside any of the sections described in the footer that we understand so far.  Most likely, the checksum/CRC that we are failing on is in the footer (or at least at the end of the file somewhere).  The bytes before the version # are all 0xFF, which means it's somewhere after the version #.
It would most likely be in the footer then, because you can't have the checksum/CRC value somewhere where the checksum is actually checking, because you would never be able to generate the value.  So either there's a second check for the version number, or there's a second version number somewhere (or a third option, which is that 1.0.1.1 is not a valid version for some other reason).  Thoughts?
