HF10 & HV30 (Digic DV II) decrypted! - page 13 - General Discussion and Assistance - CHDK Forum  

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #120 on: 23 / December / 2008, 18:20:38 »
As an additional test, I found another area that I thought might have the version number in it again at offset 0x17bd0c.  I checked the firmware update to v 1.0.2.0, and it had a similar occurrence of 1.0.2.0 at a similar location (not quite the same, but same general area, with the same strings in near proximity).  I tried changing that on my firmware from 1.0.1.0 to 1.0.1.1 to match what I had in my header area at 0x10000, but it did not make any difference.  I had the same results/error in the end.

cail

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #121 on: 24 / December / 2008, 04:21:05 »
The first firmware that was posted only changed the version number, and that version number is outside any of the sections described in the footer that we understand so far.
That's not quite true. See, here is an unencrypted footer for HF10:
Code:
0000000000: 00 00 00 02 00 20 00 00 | B6 7B 5C 3C 00 5F 73 64
0000000010: 64 58 2D F2 00 00 00 00 | 00 00 00 00 00 00 00 00
0000000020: 00 00 00 00 00 00 00 00 | 00 00 00 00

My previous guess was that it shows the sections in firmware file, which are used by the flasher to reflash the unit.
Here we have two sections, 0x200000 size and 0x5F7364 size, total size = sizeof(VEE1.FIM)-sizeof(footer).
This kind of proves that the version number is located inside of the checksummed area.

Another version number you've found could be some kind of internal variable or static data - just a guess.

The best try IMHO is to try increment/decrement changed values accordingly, as Xcelerate suggested.

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #122 on: 24 / December / 2008, 06:30:12 »
It's good to hear we have volunteers with hardware not afraid of experimenting.

Yes that's indeed great :) Now it seems it's time for some trial and error...

Regarding the checksum - the easiest try we can make is to check if this is some kind of trivial ADD/XOR checksum.

I think I already tried both and it didn't work out. But there are so many ways of making such a primitive "checksum" a little bit more complicated (additional adds, subs, shifts,...), and then think about "real" checksum algorithms...

Wiesel, since you are increasing the version number by one - just try to fix the checksum field also by +1. You may also try to increase it by 0x0100, 0x010000, 0x01000000 - to check possible byte offsets.
That is just a guess - at least we are safe trying it.

Good idea, I was thinking the same already.

I saw something that Napalm did-- changing two different bytes in opposite directions.  For example, change the string "firmware" to "firmwbqe".  For the camera he was analyzing, its checksum was not altered by incrementing one byte and decrementing the byte next to it, so if someone wants to see if the camera will allow an update with this modification, then it could give a clue as to what kind of checksum is being used.

Another good idea!

My previous guess was that it shows the sections in firmware file, which are used by the flasher to reflash the unit.
Here we have two sections, 0x200000 size and 0x5F7364 size, total size = sizeof(VEE1.FIM)-sizeof(footer).
This kind of proves that the version number is located inside of the checksummed area.

I'm sure that cail's guess is right. IMO the unknown number can only be an address which tells the flasher where to write the data to (which we already know that it isn't) or a checksum. I cannot think of any other purposes such a number might have.


Btw I could post direct download links from canon for both 1.0.1.0 and 1.0.2.0, but I don't know if it's legitimate!?

PhyrePhoX

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #123 on: 24 / December / 2008, 06:32:43 »
do it in PM then :)


Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #124 on: 24 / December / 2008, 10:31:16 »
do it in PM then :)

Alright, if anybody needs them, you know what to do :xmas

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #125 on: 24 / December / 2008, 10:50:03 »
Darn, that's what I get for staring at this all day.  I figured they were offsets, and not lengths, so I drew some bad conclusions because of that.  I'm going to try various checksum/CRC algorithms and see what I come up with.
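
Added example, not part of any post in this thread: a Python sketch that reads the footer posted in reply #121 as a count followed by (size, unknown) pairs, then runs the two probes suggested above (a +1 edit, and a +1/-1 edit on adjacent bytes) against a few candidate checksum families. SAMPLE is constructed data, the footer field meanings follow cail's guess, and the candidate set is an assumption.

```python
import struct
import zlib

# Unencrypted HF10 footer bytes exactly as posted in reply #121 (44 bytes).
FOOTER = bytes.fromhex("00000002" "00200000" "b67b5c3c" "005f7364" "64582df2" + "00" * 24)
# Constructed stand-in for firmware data; not taken from any real image.
SAMPLE = b"\x00" * 3 + b"firmware 1.0.1.0" + b"\xff" * 5

def parse_footer(footer):
    """Big-endian u32 count, then (size, unknown) pairs. Layout is the thread's guess."""
    (count,) = struct.unpack_from(">I", footer, 0)
    return [struct.unpack_from(">II", footer, 4 + 8 * i) for i in range(count)]

def add8(d):
    return sum(d) & 0xFFFFFFFF

def xor8(d):
    x = 0
    for b in d:
        x ^= b
    return x

def add32be(d):
    d = d + b"\x00" * (-len(d) % 4)  # pad to whole 32-bit words
    return sum(struct.unpack(">%dI" % (len(d) // 4), d)) & 0xFFFFFFFF

# Assumed candidate set: the trivial ADD/XOR forms, plus CRC32 for contrast.
CANDIDATES = {"add8": add8, "xor8": xor8, "add32be": add32be, "crc32": zlib.crc32}

def bump(data, off, step):
    """Copy of data with the byte at off changed by step (mod 256)."""
    out = bytearray(data)
    out[off] = (out[off] + step) & 0xFF
    return bytes(out)

def probe(data, off):
    """Per candidate: (delta caused by +1 at off, whether +1 at off with -1 at off+1 is invisible)."""
    plus_one = bump(data, off, 1)
    balanced = bump(plus_one, off + 1, -1)
    return {name: ((fn(plus_one) - fn(data)) & 0xFFFFFFFF, fn(balanced) == fn(data))
            for name, fn in CANDIDATES.items()}

if __name__ == "__main__":
    for size, unknown in parse_footer(FOOTER):
        print("section size 0x%06X, unknown word 0x%08X" % (size, unknown))
    for label, off in (("version digit", SAMPLE.rindex(b"0")), ("'a' in firmware", SAMPLE.index(b"a"))):
        for name, (delta, hidden) in probe(SAMPLE, off).items():
            print("%-16s %-8s delta=0x%08X balanced edit invisible=%s" % (label, name, delta, hidden))
```

For the letters in "firmware" -> "firmwbqe", xor8 also passes the balanced edit because 'a'^'b' equals 'r'^'q', so that probe separates byte-wise checksums from word-wise sums and CRCs, not ADD from XOR.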

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #126 on: 29 / December / 2008, 14:08:17 »
Just a quick note... from my small analysis of the first 0x200000 bytes of the HV30 FW file, the self references to the address range in 0xBFA00000 combined with some patterns I think I "see" in the data suggest to me that it is part MIPS code and part data, I will try to disassemble it with IDA mips big-endian settings and see what it looks like. Perhaps MIPS16, perhaps MIPS32, or perhaps I am just wrong.  ;)

If I am not wrong it could be that the same 0x200000 bytes in the HF10 FW are also MIPS + data, let's see!

Jollyroger

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #127 on: 29 / December / 2008, 14:33:00 »
Ah, also from my small analysis on the CALIB.dll and the USB trace it looks like pretty much all the exported functions contained in the CALIB are more or less wrappers on the PTP protocol.
CALIB uses COM to create instances of the WIA driver and use PTP commands to communicate to the camera.

One interesting point is that the list of available PTP commands that the camera reports (which seems to be located at D89E8 in the dump) contains many Canon PTP extension commands, some of which are known in the PTP digital camera community, while others are unknown... another place to start?

Cheers,

Jollyroger


Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #128 on: 29 / December / 2008, 19:40:48 »
Noobie question, but how do I see the actual firmware code? I can't decrypt until I see the code that has to be decrypted. Is VEF1.FIM as seen in text edit on mac the actual firmware coding?

If so, how do I run the provided decrypters against vef1.fim on Mac OS X? I'm using xcode, how do I run the decrypter?
« Last Edit: 29 / December / 2008, 20:45:13 by heron88 »

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #129 on: 30 / December / 2008, 06:35:45 »
Ok some more news, from a first inspection it looks like the first segment is indeed MIPS32 code, it looks like the camera has a MIPS32 core somewhere to handle the USB communication and other utilities.

*** I think *** I found some parts of the code that implements the PTP protocol on the HV30, which could be useful to start doing something.

One of the routines I found sends to the PTP host (the user's computer) the device information parameters about the camera itself, and it seems to use a simple pair of "data length, data address" to send the device info data back to the host with some additional info, so in theory we could hijack that routine to dump at least the part of MIPS32 code that we are still missing (from 0xBFC00000 onwards, probably the bootloader).

This means though that we have to manually modify the asm code to dump the addresses we want (no problem) and then re-encrypt the firmware and upgrade one HV30 to test this...

At least it's some progress...

Cheers,

Jollyroger
