HF10 & HV30 (Digic DV II) decrypted!

Re: HF10 (Digic DV II) decrypted!
« Reply #20 on: 12 / June / 2008, 08:07:25 »
Yes that's right... it's an algorithm based on the two 300D keys. I did a quick comparison and my result is the same as c-letters' so his manually constructed xor-table is 100% right.
That's great because it proves the unencrypted code has no "bugs".

The key can be found mostly untouched plain in the encrypted .fim - this may give you some ideas how I've discovered it manually ;)

Regarding the firmware, all is not so positive as it could be.
The MCU is most probably some Renesas SoC - maybe m32r. It exists in IDA under the name "Mitsubishi m32r".
http://eu.renesas.com/fmwk.jsp?cnt=m32r_ecu_series_landing.jsp&fp=/products/mpumcu/m32r_family/m32r_ecu_series/

There are also references to SD controller, which is also the same vendor.

Offline kmaage

  • 12
  • HV20, Norway, Newborn, Software Developer
Re: HF10 (Digic DV II) decrypted!
« Reply #21 on: 12 / June / 2008, 09:58:16 »
Quote
Regarding the firmware, all is not so positive as it could be.
The MCU is most probably some Renesas SoC - maybe m32r. It exists in IDA under the name "Mitsubishi m32r".
http://eu.renesas.com/fmwk.jsp?cnt=m32r_ecu_series_landing.jsp&fp=/products/mpumcu/m32r_family/m32r_ecu_series/
Yep, "The semiconductor operations of Hitachi and Mitsubishi Electric were transferred to Renesas Technology Corporation on April 1st 2003."

Since this chip is a Mitsubishi 32R, how does this relate to the DIGIC DV II chip we know the camcorder uses, and the DryOS we suspect the HF10/HF100 is running? (pardon my ignorance)

Does this firmware give us hints about how to create a dumper firmware for the HV20 camcorder? Files it looks for on the card, for instance? I noticed several interesting strings/paths in the HF10 firmware:
D:/CANON/CEV/Update/(0x00)VEEX(0x00)
B:/CANON/CEV/UPDATE/(0x00)128Z(0x00).APP(0x00)128T(0x00)
D:/VEE9.FIM(0x00)VEEX(0x00).APP
D:/CANON/CEV/Update/(0x00)CardMain(0x00)Start(0x0A)(0x00)CardCommand : 0x%X (0x0A)(0x00)

Something is looking for .APP files in the /CANON/CEV/UPDATE folder on the SD card...
CardMain
Start
CardCommand : 0x%X

Start a command from the card at hex location 0x%X ???

Offline cail

  • 49
Re: HF10 (Digic DV II) decrypted!
« Reply #22 on: 13 / June / 2008, 14:20:28 »
Hi All!

Quote
Since this chip is a Mitsubishi 32R, how does this relate to the DIGIC DV II chip we know the camcorder uses, and the DryOS we suspect the HF10/HF100 is running? (pardon my ignorance)
I think Digic DV should be a kind of specialized video processor, and m32r is only a controlling unit...
I've found some DryOS symbols in the f/w, so it looks like the camera still uses this OS.

Quote
Does this firmware give us hints about how to create a dumper firmware for the HV20 camcorder? Files it looks for on the card, for instance? I noticed several interesting strings/paths in the HF10 firmware:
If we compare it with still cameras, we should analyze not the main f/w, but the bootloader unit (which is not a part of the firmware). And to get this bootloader code we have to find a way to inject our code into the firmware.

Another way could be analyzing the USB protocol (or even some other hidden internal camera serial ports) - the f/w contains many debug commands and a kind of debug console. Normally this is used to debug and diagnose failed units. This protocol could be discovered just by analyzing the f/w we have and experimenting with the USB connection.

The firmware we now have should be loaded at address 0xBFA00000 (so the encrypted part starts at 0xBFA10010).
There are many problems I see now in using the IDA m32r disassembler; they slow down the analysis heavily.

Offline kmaage

  • 12
  • HV20, Norway, Newborn, Software Developer
Re: HF10 (Digic DV II) decrypted!
« Reply #23 on: 17 / June / 2008, 10:57:37 »
cail, you are saying that the machine instructions in the HF10 firmware are really for a completely different processor? Not the ARM processor in the Canon still cameras?

How can DryOS run on two completely different processors? (pardon my ignorance)



Offline ewavr

  • 1057
  • A710IS
Re: HF10 (Digic DV II) decrypted!
« Reply #24 on: 17 / June / 2008, 11:43:17 »
Quote
How can DryOS run on two completely different processors? (pardon my ignorance)

Why not? Some OSes support many processor types: Linux, WinNT 3.x, WinCE, VxWorks, QNX and many, many more...

Offline Yin

  • 3
Re: HF10 (Digic DV II) decrypted!
« Reply #25 on: 17 / June / 2008, 13:41:25 »
I own a HF100 and would like to take a look at the firmware in IDA. Is there already some source code or executable of the decrypter? Would be nice if you can help me out with it. Thanks :)

Update: Never mind. I just found the code visible as a registered user.
« Last Edit: 17 / June / 2008, 13:58:23 by Yin »

Offline cail

  • 49
Re: HF10 (Digic DV II) decrypted!
« Reply #26 on: 18 / June / 2008, 02:50:13 »
IDA, in the way it supports m32r now, is useless.

Besides obvious bugs and fatal exceptions during processing, it gives no direct references between code/code or code/data - because of the specifics of the m32r instruction set.

I'm now working in parallel to improve it and add a kind of 'intelligent' disassembling features. Hopefully this is possible because the IDA SDK exists with the sources.

Another good gift from our Japanese friends is that many (not all) of the strings in the dump are in Japanese, in shift_jis encoding. Studying katakana right now ;)
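
The NUL-separated paths quoted in reply #21, the load address given in reply #22 and the shift_jis strings mentioned in reply #26 can be recovered in one pass over a decrypted dump. The following is an added example, not part of any post in this thread or of the decrypter; the sample bytes are constructed, and mapping file offset 0 to 0xBFA00000 is an assumption.

```python
import re

# Load address stated in the thread. Treating file offset 0 as this
# address is an assumption made for this example.
LOAD_BASE = 0xBFA00000

# Constructed sample standing in for a decrypted dump: NUL-terminated ASCII
# strings like those quoted in the thread, one Shift-JIS katakana string
# (made up for this example), and some non-text bytes around them.
SAMPLE = (
    b"\xff\xff\x00\x01"
    b"D:/CANON/CEV/Update/\x00VEEX\x00"
    b"CardCommand : 0x%X \n\x00"
    + "カード エラー".encode("shift_jis") + b"\x00"
    b"\x12\x34\x00\x00"
)

# One character is printable ASCII, tab or LF, a single-byte half-width
# katakana, or a lead byte followed by a valid Shift-JIS trail byte.
SJIS_CHAR = (
    rb"(?:[\x20-\x7e\t\n]"
    rb"|[\xa1-\xdf]"
    rb"|[\x81-\x9f\xe0-\xef][\x40-\x7e\x80-\xfc])"
)
# At least four characters followed by the terminating NUL.
STRING_RE = re.compile(rb"(" + SJIS_CHAR + rb"{4,})\x00")


def extract_strings(blob, base=LOAD_BASE):
    """Return (address, text) for each NUL-terminated ASCII/Shift-JIS string."""
    found = []
    for match in STRING_RE.finditer(blob):
        raw = match.group(1)
        try:
            text = raw.decode("shift_jis")
        except UnicodeDecodeError:
            # Byte pair is in range but unassigned: binary data, not text.
            continue
        found.append((base + match.start(1), text))
    return found


if __name__ == "__main__":
    for address, text in extract_strings(SAMPLE):
        print(f"{address:#010x}  {text!r}")
```

Having the address next to each string makes it possible to search the disassembly for that constant, which matters when the disassembler does not produce code/data cross-references on its own.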


Offline Yin

  • 3
Re: HF10 (Digic DV II) decrypted!
« Reply #27 on: 18 / June / 2008, 04:08:54 »
Yes, but maybe that Japanese is nothing but the Japanese resource file, as I have noticed some languages in there. But it was quite interesting to see some shell commands there which seem to be useful to control the camera via a terminal connection. I guess it might be a serial connection via some connection (not necessarily USB). I also monitored the USB activity and it seems there is only one device descriptor (MassStorage).


Offline kmaage

  • 12
  • HV20, Norway, Newborn, Software Developer
Re: HF10 (Digic DV II) decrypted!
« Reply #28 on: 18 / June / 2008, 07:24:27 »
Quote
I also monitored the USB activity and it seems there is only one device descriptor (MassStorage).

Does this mean that you monitored the USB port on your HF100, and there doesn't seem to be any useful communication going on? (to us, for hacking) Like, the HF100 isn't sending some packet saying "waiting for a command" or anything like that? There wouldn't be a way to "make the camera take a picture" by sending some command over USB, for instance?

It's just acting like a regular USB storage device, exposing the memory card for accessing and managing the files on the SD card?

Re: HF10 (Digic DV II) decrypted!
« Reply #29 on: 18 / June / 2008, 07:55:10 »
Great to see that there's some work going on... I'd really like to help but everything I've ever done in ASM was writing simple algorithms for a MIPS processor :/ If there's anything else, just post it and I'll see if I can help.
