HF10 & HV30 (Digic DV II) decrypted! - page 14 - General Discussion and Assistance - CHDK Forum

HF10 & HV30 (Digic DV II) decrypted!

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #130 on: 30 / December / 2008, 10:01:06 »
A bit more news still, I think I found the PTP command jump table, with empty jump addresses for commands that are supported and NULL pointers exactly in the spaces where unsupported commands are in the array. In theory one could now put in a completely new routine address in that jump table and invoke it simply by sending the appropriate PTP command to the camera...

Unfortunately I don't have a HV30 to experiment with; I have a HV20, and the FW 1.0.0.0 on it supports a slightly different set of PTP commands, and I don't know if this should be attributed to the different camera or to the different FW version...

Jollyroger

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #131 on: 30 / December / 2008, 13:37:14 »
I found a routine that loops through the filenames "VEF9.FIM" to "VEF0.FIM", probably trying to open the file, and when it finds it, it proceeds to check for the presence of the "VEFX" string inside it, and then does something else...

That routine might give us some hints about how the check for the validity of the firmware actually happens, or maybe not?  :P :P

Jollyroger

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #132 on: 30 / December / 2008, 14:29:58 »
some checksum news:

I set the version from 1.0.1.0 to 1.0.1.1 and incremented the checksum of the first block by one, and the upgrade succeeded!!

It took a pretty long time to flash the cam (a few times longer compared to when the checksum is wrong and the error message appears) and it now also shows me version 1.0.1.1 in the menu :( Like I assumed the number in the header is the only real version number in the firmware file.

You can't believe how glad I am that the cam still works :D

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #133 on: 30 / December / 2008, 14:44:01 »
The routine that checks the validity of the firmware file seems to do all sorts of operations, many of which are in the system code, so we cannot see them.

The checking routine though seems to somehow "use" the VEFX (0x56454658) value in the calculations, and then in the very end it compares the result of all the calculations to the sign-extended 16 bit value found right after "VEFX", which is 0x0A16.

If the result is equal to 0x0A16 then the return value of the routine is zero; in all other cases (file not found, seek error, anything else) the return value is negative (0xFFFFFFFF or others), which makes me suspect zero is "OK".

Cheers,

Jollyroger

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #134 on: 30 / December / 2008, 16:00:50 »
I saw something that Napalm did: changing two different bytes in opposite directions. For example, change the string "firmware" to "firmwbqe".

Tried this as well, but didn't work.

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #135 on: 30 / December / 2008, 22:01:20 »
ok, need a little help here. I get 4 errors when trying to compile dhv30.c in xcode:



and


I'm still confused as to how to run this decrypter against the hv30 firmware. Is anyone that has already decrypted the firmware willing to post a link to or attach a file containing the decrypted f/w so I can begin analyzing it?

Thanks

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #136 on: 31 / December / 2008, 05:47:41 »
Please check the previous posts in the thread, you will find a pre-compiled executable and instructions on how to run the decrypter...
It's simple anyway, there is an option to skip the first 0x100010 bytes which are not encrypted, check the arguments in the code...


Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #137 on: 31 / December / 2008, 14:15:35 »
It seems that the checksum at the end is just a standard 32 bit dword checksum. I have attached my updated decoder/encoder. It now has a flag to decode and a flag to encode. The encode flag will rewrite the flash binary with the correct checksums, so you can modify your firmware and reflash. I also tried updating the bitrates at 0x66bd48. I originally tried all 6 bitrates updated to 24k, but after 2 seconds of recording, I get the error "Cannot write", and it stops recording. Next I went to the XLP recording mode, which seems to start at 0x66bd18, and I shifted all the bitrates down, and added 24k to the highest bitrate. This let it record, and my video came out to slightly larger than before (1 minute video unmodified was 118megs, and after this change it came out to 124megs). This is still under the limit for 18k (which would result in a 132meg file), so I don't know if this proves anything, but at least the values can be changed to a limited extent and it still works. Changing the XLP recording mode to 24k for all six values causes it to fail with the cannot write error after about 4 seconds (so it can record a bit longer). Next I think I'm going to make some modifications to my encryptor/decryptor that will allow you to pull out and re-insert any section. What offsets & lengths are you guys using for the code section (i.e. what exactly are you extracting)? Which version of IDA are you guys using? I tried loading some of the IDA scripts posted earlier into 4.9, but that failed.

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #138 on: 01 / January / 2009, 05:37:47 »
Awesome, I've lost hope for a long time but now it seems that progress is made every day :)

(I always forgot the endian conversion when calculating the checksum, stupid me... there's just too much you have to think of ^^)

The code section is loaded at 0x04000000, length is 0x00306b20, data is at 0x4c8a6840 until 0x4cb97064. I'm using 5.2


edit: happy new year everyone!
« Last Edit: 01 / January / 2009, 05:41:30 by Wiesel »
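Replies #132, #137 and #138 above describe the block checksum as a plain 32-bit dword sum that has to be recomputed after any edit (with the byte order taken into account). The following is an added illustration, not code from the thread or from anyone's decoder/encoder: it computes such a sum over a constructed sample block, shows why a one-byte bump moves the sum by exactly one only when that byte is the low byte of its word, and shows the integrity weakness an additive checksum has compared with a real hash. The block layout (payload followed by a 4-byte little-endian checksum slot), little-endian word order and modulo 2^32 wraparound are assumptions; the thread does not state them.

```python
import hashlib
import struct

# Constructed sample "block": 32 bytes of made-up payload (0x10..0x2F) followed
# by a 4-byte checksum slot that starts out zeroed. Hypothetical layout only.
SAMPLE_BLOCK = bytes(range(0x10, 0x30)) + bytes(4)


def dword_checksum(payload: bytes) -> int:
    """Sum the payload as little-endian 32-bit words, wrapping modulo 2**32.

    Assumption: the thread only says "standard 32 bit dword checksum";
    little-endian word order and wraparound are assumed here, not confirmed.
    """
    if len(payload) % 4:
        raise ValueError("payload length must be a multiple of 4 bytes")
    words = struct.unpack(f"<{len(payload) // 4}I", payload)
    return sum(words) & 0xFFFFFFFF


def stored_checksum(block: bytes) -> int:
    """Read the checksum field assumed to sit in the last 4 bytes of the block."""
    return struct.unpack("<I", block[-4:])[0]


def verify(block: bytes) -> bool:
    """True if the stored checksum matches the sum over the payload."""
    return dword_checksum(block[:-4]) == stored_checksum(block)


def with_checksum(block: bytes) -> bytes:
    """Return a copy of the block whose checksum slot matches its payload."""
    out = bytearray(block)
    struct.pack_into("<I", out, len(out) - 4, dword_checksum(out[:-4]))
    return bytes(out)


def checksum_after_byte_edit(block: bytes, offset: int, delta: int) -> int:
    """Checksum of the payload after adding `delta` to one byte.

    Because the sum is over little-endian words, a +1 on byte `offset` moves
    the sum by 1 << (8 * (offset % 4)). So "bump the byte, bump the checksum
    by one" (reply #132) only holds for the low byte of a word, and only if
    the byte does not wrap past 0xFF (the sample data avoids that).
    """
    out = bytearray(block)
    out[offset] = (out[offset] + delta) & 0xFF
    return dword_checksum(out[:-4])


def compensating_edit(block: bytes, off_a: int, off_b: int) -> dict:
    """Add 1 at off_a and subtract 1 at off_b (same byte position within
    their words). The dword sum does not change, so the checksum still
    verifies even though the content differs; a SHA-256 over the payload
    shows the change. This is the integrity gap an additive checksum has."""
    edited = bytearray(block)
    edited[off_a] = (edited[off_a] + 1) & 0xFF
    edited[off_b] = (edited[off_b] - 1) & 0xFF
    return {
        "checksum_still_valid": verify(bytes(edited)),
        "sha256_changed": hashlib.sha256(block[:-4]).hexdigest()
        != hashlib.sha256(bytes(edited[:-4])).hexdigest(),
    }


if __name__ == "__main__":
    sealed = with_checksum(SAMPLE_BLOCK)
    print("checksum:", hex(stored_checksum(sealed)), "valid:", verify(sealed))
    print("low-byte +1 delta:", checksum_after_byte_edit(sealed, 0, 1) - stored_checksum(sealed))
    print("byte-1 +1 delta:", checksum_after_byte_edit(sealed, 1, 1) - stored_checksum(sealed))
    print("compensating edit:", compensating_edit(sealed, 0, 4))
```

When checking a dumped image against a known-good copy, compare a cryptographic hash of the whole file rather than relying on the embedded sum: the sum only tells you that the bytes add up, not that they are the bytes you expect.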

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #139 on: 01 / January / 2009, 12:27:42 »
This is brilliant, we need to make sure the HV30 decoder is updated accordingly too.

I think most of what I found in the first section of the HV30 firmware should be also valid for the HF10, so it would be good to begin inspecting that piece of MIPS32 code/data to decide some places to start injecting custom code.
