HF10 & HV30 (Digic DV II) decrypted!

Re: HF10 (Digic DV II) decrypted!
« Reply #50 on: 01 / August / 2008, 04:08:30 »
No problem, I was just joking :) Their website is pretty confusing in some parts...

It's not necessarily the full firmware, you could compare it to a patch of some software or game, some contain the whole executable, some only the modified parts that get rewritten in the existing executable. Also if the FW upgrade would contain all code including the bootloader it can brick your camera if the upgrade fails (e.g. power outage or whatever). By keeping that part untouched you can recover from a bad upgrade (if implemented).

Anyway, I spent some time the last few days reading about the P&S and DSLR cameras and how CHDK is being developed for them and as far as I understood, the officially available FW upgrades don't contain for example the bootloader which is the place where we probably would have to search for an autoboot feature...

To read out all code from the cam, we need
 - to boot/execute custom code from SD or over USB/Firewire
 - to output the read data to somewhere which again could be realized by
     - writing to an SD card (the SD driver seems to be in the HF10 upgrade "RENESAS SD Driver Ver1.14")
     - doing the blinker thing like on the P&S cams
     - or some other creative idea...

It seems that the Renesas SD driver isn't publicly available, otherwise we could search for signatures in the firmware and easily locate the functions if they're really there.

Offline cail
Re: HF10 (Digic DV II) decrypted!
« Reply #51 on: 01 / August / 2008, 04:11:11 »
Under "working" I meant I can load mr32 code from firmware and start executing it step by step. Of course it fails on a first attempt to read an unmapped RAM memory location ;)
Technically we may try to setup simulator and see how it performs, but I suspect this will not give us much.
As Wiesel said, probably the only way simulator can be used is to simplify understanding of some "hardware unrelated" algorithms (like CRC counting, or XOR encryption ;-)

Wiesel is right, any autoloading code (if it is possible at all), should be in the bootloader - and this area of ROM is normally not upgraded via F/W upgrade.

Regarding the further steps on HF100, I can say it is worth trying to understand how the upgrade procedure works.
Some function analysis could help with this:
 0000:002BA9D8       vee9_fim_actions
 0000:002BADBC       actions_with_canon_cev_update
 0000:002CE508       fim_actions_super
 0000:002DBB50       firmware_FIM_refs
(base offset 0x04000000)

Unfortunately HV30 seems to be quite different, so we probably will have two branches in the analysis (although some core parts - like FW upgrade logic, bootstrapping - could be similar).

Re: HF10 (Digic DV II) decrypted!
« Reply #52 on: 08 / August / 2008, 06:51:46 »
did anyone make any progress?

cail, are you working on the HF10 or HV30?


I was digging through the HF10 firmware the last couple of days and there are few interesting things:
  • it includes functions to read and write sd cards (but I assume you need a running OS to use them?)
  • there seems to be some kind of shell through which you can control all camera settings (shutter, zoom, gain, aperture, squelch, edge enhancement, ...) and also monitor/read/write the memory
  • service menu

I have no idea how to figure out how to access the service menu or shell (there could be sooo many ways) but it would be awesome...

Offline cail
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #53 on: 10 / August / 2008, 15:10:11 »
Hi.

Working on HV30 (I own HV-10).

Not much to share, I'm making slow progress discovering the low-level OS APIs.
The things are:
- HV30 also has a kind of system dryos shell with many commands.
- Not sure about service menu, how've you discovered this? By language resource strings?

Most probably that system shell should work via USB(?), therefore I'm looking now into how the camera interacts with the PC via USB.

In case someone also works with HV30, I can share IDA db and fixed FR disassembler module.


Offline cail
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #54 on: 11 / August / 2008, 02:52:42 »
HV30 Firmware Analysis - CHDK Wiki

Investigations for HV30 Owners (not risky, f/w reflashing is not required)

   1. Understand how camera detects a presence of firmware file.
   2. What happens if file exists, but is empty.
   3. The same, but the file contains garbage.
   4. The same, file contains removed/changed "VEFX" string.

Risky guy (or someone with a broken cam) may try

   1. Changing some minor resource string and reflash the firmware. Does it still work? Is the change visible?
   2. TODO: Firmware cryptor should be coded to test this.

Offline mx3
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #55 on: 11 / August / 2008, 03:00:52 »
Risky guy (or someone with a broken cam) may try
   1. Changing some minor resource string and reflash the firmware. Does it still work? Is the change visible?

I don't see any risk here.
The worst thing is: the camera will not accept the firmware file due to a checksum mismatch.
I would suggest doing this as the first step.
Successful completion of this step would prove our understanding of the checksum / encryption algorithms.
skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #56 on: 11 / August / 2008, 04:31:03 »
Investigations for HV30 Owners (not risky, f/w reflashing is not required)

   1. Understand how camera detects a presence of firmware file.
   2. What happens if file exists, but is empty.
   3. The same, but the file contains garbage.
   4. The same, file contains removed/changed "VEFX" string.

I already tested most of that on the HF10 and I guess it'll be the same on the HV30 (HF10 is VEE, not VEF):
   1. Don't know how but filename must be VEE[0-9].FIM
   2. nothing happens
   3. nothing happens
   4. nothing happens
The file must include the "header" at 0x10000 with the FW version and the VEEX string to be detected, everything else can be missing or garbage.
edit: can't remember exactly but it might have to include more, but at most the part until 0x1004F. I'll recheck that in the evening and post the results then.


   2. TODO: Firmware cryptor should be coded to test this.

The decrypter can be used for encryption as well.


Btw, the 2 keys are part of the firmware update, and I think I found the decryption routine as well... that probably means that Canon could change the de-/encryption routine and keys with every firmware update. Also it should be possible to create an unencrypted firmware update.
« Last Edit: 11 / August / 2008, 04:38:22 by Wiesel »

Offline cail
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #57 on: 11 / August / 2008, 06:10:05 »
Quote
I already tested most of that on the HF10 and I guess it'll be the same on the HV30 (HF10 is VEE, not VEF):
Ok, thanks.

Quote
and I think I found the decryption routine as well...
Could you give me an address? Or at least the logic on how you've searched it?


Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #58 on: 11 / August / 2008, 06:51:36 »
I can give you the address in a few hours (in the evening when I'm at home)... but like I said I'm not really sure if it is the right function because I didn't have time yet to analyze it decently. I searched for "XOR Rx Ry" operations and looked through all functions that use it. I assumed that there has to be a cycle with an exit condition, that bytes have to be loaded, xor-ed and saved in every cycle and that the pointers to the read and written bytes have to be increased in every cycle. There's just one function that fulfills that all, but sure there are also other ways to implement the decryption (e.g. it doesn't necessarily need a cycle - could be a straight subroutine)...
« Last Edit: 11 / August / 2008, 07:15:16 by Wiesel »

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #59 on: 11 / August / 2008, 15:40:08 »
Ok so here are my updated FW file investigations (HF10):

filename: VEE[1-9].FIM
if you have multiple files on the sd card, the file with the highest number gets chosen

minimal requirements for the file to be detected as firmware update:
pos       length    content
0x0       0x10000   originally filled with 0xFF, but can be any data
0x10000   0x4       FW version x.x.x.x
0x10004   0x4       "VEEX" (must not be changed, gets compared with same string located at 0x4CA4D426)
0x10008   0x2       0x0207 (must not be changed)
0x1000A   0x6       originally filled with 0x20, but can be any data


btw, do you know the s10sh utility (http://s10sh.sourceforge.net/)? some canon still cams also have a shell which you can use with this utility. I thought that maybe it's possible to extend it so it works with the video cams as well.
I just spent 5 hours trying to get the newest version to compile and run on my ubuntu 8.04 and win xp but I couldn't manage to get it working so I gave up. damn.


the address of the function we talked about is 0x002BACF0
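As an added example (not code from the thread or from CHDK), here is a small Python checker that applies the detection rules Wiesel describes above for the HF10: the filename must be VEE[1-9].FIM with the highest digit winning, and the header at 0x10000 must carry the version, the "VEEX" string and the 0x0207 constant, everything else being free. It explains why the empty, garbage and altered-string test files were silently ignored. Two details are assumptions, not facts from the thread: the 0x0207 field is taken as the bytes 02 07 in file order, and the version is decoded as one byte per x.x.x.x component. constructed_sample() produces a labelled test input, not a real Canon update file.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Layout from the table in the thread (HF10): the header starts at 0x10000.
HEADER_OFFSET = 0x10000
HEADER_LEN = 0x10
MAGIC = b"VEEX"              # compared by the camera against the same string in ROM
CONST_BYTES = b"\x02\x07"    # the "0x0207" field; file byte order is an ASSUMPTION
FIM_NAME = re.compile(r"^VEE([1-9])\.FIM$")


@dataclass
class FimHeader:
    version: str   # "a.b.c.d", one byte per component (assumed encoding)
    magic: bytes
    const: bytes


def pick_update_file(names: Iterable[str]) -> Optional[str]:
    """Return the VEE[1-9].FIM name with the highest digit, or None if none match."""
    best: Optional[tuple] = None
    for name in names:
        m = FIM_NAME.match(name.upper())
        if m is None:
            continue
        n = int(m.group(1))
        if best is None or n > best[0]:
            best = (n, name)
    return None if best is None else best[1]


def parse_fim_header(blob: bytes) -> FimHeader:
    """Parse the minimal header; raise ValueError for anything the camera would ignore."""
    if len(blob) < HEADER_OFFSET + HEADER_LEN:
        raise ValueError("file shorter than 0x10010 bytes: empty or truncated")
    hdr = blob[HEADER_OFFSET:HEADER_OFFSET + HEADER_LEN]
    version = ".".join(str(b) for b in hdr[0:4])
    magic = hdr[4:8]
    const = hdr[8:10]
    if magic != MAGIC:
        raise ValueError(f"bad magic {magic!r}, expected {MAGIC!r}")
    if const != CONST_BYTES:
        raise ValueError(f"bad constant {const.hex()}, expected 0207")
    return FimHeader(version=version, magic=magic, const=const)


def would_be_detected(blob: bytes) -> bool:
    """Mirror the thread's observations: empty, garbage or altered-magic files do nothing."""
    try:
        parse_fim_header(blob)
        return True
    except ValueError:
        return False


def constructed_sample(version=(1, 0, 2, 0), tamper_magic=False) -> bytes:
    """Constructed test input, not a real Canon file: 0xFF padding, header, 0x20 padding."""
    magic = b"VEFX" if tamper_magic else MAGIC
    hdr = bytes(version) + magic + CONST_BYTES + b"\x20" * 6
    return b"\xFF" * HEADER_OFFSET + hdr


if __name__ == "__main__":
    print(pick_update_file(["VEE1.FIM", "VEE3.FIM", "DCIM"]))
    print(parse_fim_header(constructed_sample()))
    print(would_be_detected(b""), would_be_detected(constructed_sample(tamper_magic=True)))
```

The checker deliberately stops at the header: the thread gives no information about the checksum mx3 mentions or the encrypted body, so those stay out of scope here.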

