HF10 & HV30 (Digic DV II) decrypted! - page 9 - General Discussion and Assistance - CHDK Forum

HF10 & HV30 (Digic DV II) decrypted!

cail
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #80 on: 18 / August / 2008, 05:11:26 »
That's why it would be cool if someone with a 1.0.0.0 cam could test it (no Japanese users here?). If it shows the modified version number after the upgrade (e.g. 1.0.0.1) and not the real one, he could still upgrade to 1.0.1.0 and have an "official number" and wouldn't lose anything by this test.
Note that in this case he'll have only ten tries ;)
A better way is to find out the place where f/w version is compared and patch it. After this you'll always be able to install official 1.0.1.0 after any number of "test builds" ;)

I still can't find this for HV30, but for HF100 note some discovered symbols:
        actions_with_canon_cev_update
        firmware_FIM_refs
these refer to "VEF9.FIM" and most probably should contain loading and version number comparison logic.

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #81 on: 18 / August / 2008, 05:15:29 »
I agree with Cail - a bit of effort into patching the version checking mechanism which is hopefully on the update firmware will solve this issue - keep up the good work guys

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #82 on: 18 / August / 2008, 07:25:01 »
Note that in this case he'll have only ten tries ;)

He'll have 255 tries... but anyway, only one try is needed so we know if the value at 0x10000 is the value that the upgraded firmware uses to compare its version with other fw files, or if it's stored somewhere else.

A better way is to find out the place where f/w version is compared and patch it. After this you'll always be able to install official 1.0.1.0 after any number of "test builds" ;)

Sure, that's possible and probably just a changed jump instruction, but if it works without it, it would still be better.

I still can't find this for HV30, but for HF100 note some discovered symbols:
        actions_with_canon_cev_update
        firmware_FIM_refs
these refer to "VEF9.FIM" and most probably should contain loading and version number comparison logic.

I already looked into them but didn't find anything obvious... I'll give it another try today.

I agree with Cail - a bit of effort into patching the version checking mechanism which is hopefully on the update firmware will solve this issue - keep up the good work guys

Like I said above, IMO this is like fighting the symptoms of an illness instead of fighting the illness itself ;)
But if we find the switch so we can patch it, we wouldn't need a 1.0.0.0 cam to test if the hack is needed or not, so we ideally don't need it afterwards any more.

The next point is, what if it's just not possible to downgrade the firmware and it bricks the cam? Maybe Canon put in the check for a good reason? We can never know without trying... then such a patch wouldn't be good at all.

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #83 on: 19 / August / 2008, 18:32:18 »
I looked again through the "actions_with_canon_cev_update" and "firmware_FIM_refs" functions but didn't notice anything referring to the firmware version - but I didn't look into all subcalls, that would take me a few weeks I'm afraid ^^

There's also another function which I called "SERVICEMODE_FW_VERSION"***. It gets called by a complex servicemode function that probably switches through various commands and prepares servicemode data to be viewed. Anyway, this function inserts the version numbers into a string by some kind of printf and could help in finding the version check routine (there should be a reference to the same data location from both functions). I just don't get where the version numbers come from. Anybody care to help?


I have also started to analyze the data part 0x0 - 0x200000. Nearly half of it is bitmaps - those icons that you can see on the screen, various fonts (latin, chinese, russian, arabic, ...), etc.
Among those icons are PF24, PF25, PF30, 30i, 60i, 1080, 480, 576 (these are also contained as 2-byte strings) which could be interpreted as another sign that the firmware is universal (pal & ntsc).


*** I can provide an IDA map-file if anyone wants to help - It's been started by cail some time ago and extended by me with many additional functions.

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #84 on: 21 / August / 2008, 19:03:14 »
another update:
The bitmaps in the first data part are located at (first header to last header [not last byte]):
10608C - 14049C
142CA4 - 179A8C
The header is 2 bytes long, the first being the width of the image, the second I couldn't find out yet what it is. The bitmaps are always 18 pixels high and aligned to 4 bytes.

The same bitmaps can be found at another location as well, this time in one continuous section and 2-byte aligned:
5F3434 - 663C46
At 5EFC34 begins a bitmap lookup table going until the first bitmap (5F3434), which is referenced by a procedure that is probably part of the osd drawing system.

for the HV30 the bitmap section is at 49EC00 - 52719E (first to last bitmap header)

all bitmaps are 8 bit monochromatic.


that doesn't really help with hacking but it helps understanding what the data is... if anyone's interested I can post a tool I've quickly hacked together that shows the bitmaps.

cail
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #85 on: 25 / August / 2008, 02:56:33 »
Wiesel, could you please share it?

I'm trying to understand data section content of HV30 - but for some reasons I can't find any references to this area from the main code segment :(

BTW, I've got an idea on how FIM file is structured.

In both firmwares there is a footer at the end of file (unencrypted!), size 0x2C:
0000000000: 00 00 00 02 00 20 00 00 ? B6 7B 5C 3C 00 5F 73 64
0000000010: 64 58 2D F2 00 00 00 00 ? 00 00 00 00 00 00 00 00
0000000020: 00 00 00 00 00 00 00 00 ? 00 00 00 00
This tells us: we have two encrypted sections, first of size 0x00200000 with 0xB67B5C3C checksum(??)
and second of size 0x005F7364 with a checksum of 0x64582DF2.

In case of HV30:
0000000000: 00 00 00 01 00 60 00 00 ? 29 70 46 BE 00 00 00 00
0000000010: 00 00 00 00 00 00 00 00 ? 00 00 00 00 00 00 00 00
0000000020: 00 00 00 00 00 00 00 00 ? 00 00 00 00
Single section size 0x600000 checksum 0x297046BE.

I'm not sure yet about the algorithm for checksum calculation. Have tried common crc32 and raw checksum - but don't have a match yet.
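The footer layout described above, as an added example that is not part of cail's post or any CHDK tool: it parses the 0x2C-byte FIM footer (big-endian section count followed by size/checksum pairs) and splits an image into its sections. The five-slot layout is an assumption from 0x2C = 4 + 5 * 8, and no checksum is verified because the algorithm is still unknown.

```python
import struct

FOOTER_LEN = 0x2C                       # footer size reported in the thread
MAX_SECTIONS = (FOOTER_LEN - 4) // 8    # 5 slots; assumption from 0x2C = 4 + 5 * 8

# Footer bytes copied from the HF10 dump quoted in the post above.
HF10_FOOTER = bytes.fromhex(
    "00000002" "00200000" "B67B5C3C" "005F7364" "64582DF2" + "00" * 24
)


def parse_fim_footer(footer: bytes):
    """Return [(size, checksum), ...] for the sections listed in a FIM footer.

    Assumed layout (big-endian, inferred from the two dumps): u32 section
    count, then up to five (u32 size, u32 checksum) pairs; unused slots are zero.
    """
    if len(footer) != FOOTER_LEN:
        raise ValueError(f"footer must be {FOOTER_LEN} bytes, got {len(footer)}")
    count = struct.unpack(">I", footer[:4])[0]
    if not 1 <= count <= MAX_SECTIONS:
        raise ValueError(f"implausible section count {count}")
    sections = []
    for i in range(count):
        size, checksum = struct.unpack_from(">II", footer, 4 + 8 * i)
        if size == 0:
            raise ValueError(f"section {i} has zero size")
        sections.append((size, checksum))
    # Unused slots must be zero, otherwise this is not the footer we expect.
    if any(footer[4 + 8 * count:]):
        raise ValueError("unused footer slots are not zero")
    return sections


def split_fim(data: bytes):
    """Split a whole FIM image into (section_bytes, checksum) tuples.

    Before trusting any checksum field, check that the declared sizes cover
    exactly the bytes in front of the footer; a mismatch means the footer was
    misread or the file is truncated.
    """
    sections = parse_fim_footer(data[-FOOTER_LEN:])
    body = data[:-FOOTER_LEN]
    if sum(size for size, _ in sections) != len(body):
        raise ValueError("section sizes do not match file length")
    out, offset = [], 0
    for size, checksum in sections:
        out.append((body[offset:offset + size], checksum))
        offset += size
    return out
```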

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #86 on: 25 / August / 2008, 16:37:09 »
I have the same problem... the data 0 - 0x200000 (first section) of the HF10 FW isn't referenced either, it only references to itself - very strange. But even stranger is that the first section contains the same data as the second.

Great finding on the firmware structure, I first thought the checksum is in the header of the code section but I couldn't calculate the right number. I have also tried calculating for the two sections like you posted before - I tried: Adler-32, Cksum-32, CRC-32, CRC-32-MPEG-2, ELF-32, FNV-32, PJW-32, SDBM-32, Sum-32, XUM-32, FCS-32, GHash-32-3, GHash-32-5, XOR and Addition. These are all I could find a tool for or could think of and nothing gave me the right result. I did the calculations on the encrypted and decrypted sections each with and without the header. Maybe they use a custom checksum algorithm :( If they for example use a custom polynomial for CRC how can we ever find that out? Seems impossible to me.
I mean maybe they don't even validate the checksum, but without trying to update a modified file everything we do is just speculation.


Attached is the bitmap viewer, you need the .NET 2.0 runtime... I haven't found the color palette yet so for now they are just monochromatic. I'll update it when I find out where it is.
edit: updated version available a few posts below
« Last Edit: 26 / August / 2008, 18:47:24 by Wiesel »

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #87 on: 26 / August / 2008, 02:56:56 »
Hey Wiesel - maybe you should include/exclude the footer in the tests as well...

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #88 on: 26 / August / 2008, 03:12:38 »
Hey Wiesel - maybe you should include/exclude the footer in the tests as well...
The sections don't have a footer... would be kind of pointless to add the file footer to the second section since the first is without (even if I did, the first section should have given me a valid result), and also I cannot include data in the calculation that doesn't really exist at the time of calculation ;) Sure the checksum field could be filled with a placeholder value at the time of calculation but I don't think this is the case here.

cail
Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #89 on: 26 / August / 2008, 07:15:00 »
I have the same problem... the data 0 - 0x200000 (first section) of the HF10 FW isn't referenced either, it only references to itself - very strange. But even stranger is that the first section contains the same data as the second.
Yea, that's really strange. HV30 doesn't have such duplication. One reason why we can't find any references could be a relocation. This section could be a RAM section and f/w may copy it upon startup somewhere into RAM. I've found some similar copy actions, but with parts of code section in hv30.

Still, this doesn't explain, why we see many valid internal references within this data section ;(


Maybe they use a custom checksum algorithm :( If they for example use a custom polynomial for CRC how can we ever find that out? Seems impossible to me.
Thanks for trying all this, I even don't know some of these algorithm names ;)
Since all of them failed, the only way we have is probably to find out the place where f/w file is loaded and checked.

Attached is the bitmap viewer, you need the .NET 2.0 runtime... I haven't found the color palette yet so for now they are just monochromatic. I'll update it when I find out where it is.
Thanks, good piece of s/w. It works fine for HV30 also. Its code section contains all the font glyphs and icons.
