Hi.
About FI2 and "Update File Error!!!" message.
I checked your FIR for ProductID -- it looks correct (0x315D).
So we need to investigate new encoding scheme and, maybe, new file format.
Does anyone have official PS.FI2 for any model? Learning its structure may help a lot.Some ideas about cypher scheme:
1. Models a620, s2is and s3is use the same cypher algorithm and the same encryption key.
It appears to lay at the memory address 0xff803fe1 in all three models (it's sounds good for us).
Notice that, AFAIK, the key exists on that address not all the time, but it's appearing there at some special (unknown) moments, so not every dump containts the key.
So, maybe we must search for new key around address 0xff803fe1.
2. WxW models have the special upgrade log ("A/UpgradeLog.txt"). It is created by camera on each (even unsucceful) try of FW upgrading. Content of that log is encrypted, and (that's nice) it is encrypted using the same method and same key.
I tried to find something similar in a720 FW, but it neither makes upgrade log (at least for unsucceful tries), not contains functions, that looks like ones for upgrade process logging.
Nethertheless, if somebody will found such encrypted log somehow, we can try to use it for key RE (since the content of log is predictable).
3. WxW models have a special ("Factory") mode. Nobody can reach it yet (there are some clues saing that we need a special shaped SD-card for accessing the factory mode). Nethertheless, according of FW-dumps, inside factory mode we can run our scripts (files named like "A/*.m"). Actually, we have no prove of it yet, but probably these scripts are encrypted too, and probably the encrypting scheme and the key are the same as above.
At a720 I found factory mode functions, and they almost indentical to WxW models'.
There are:
0xFFC55570 FactoryMode_m_Execute
0xFFAD05A0 ShowScript
0xFFAD0ADC FactoryMode_m_ParseScript
So, we can try to RE these ones and find the place there script decryption take place.
4. I tried to find and decompile function what used to do firmware upgrading.
I found the following things:
There is an interesting function (I called it "FIRhandler") at 0xFFE2CB20.
It calls from itself another function -- Compander_inner (0xFFD0E410) -- it's inner function of some kind of packer/depacker (Compander, 0xFFD0E4E8). The Compander itself is called from some other places.
Compander_inner function contains interesting string "1.1.3.LZC.1.0.1" -- so, we can thing about LZC compressing method (from UNIX COMPRESS,
http://en.wikipedia.org/wiki/Compress ).
FIRhandler neightbour function uses another strange string -- "SLSYS+SDS1SKY;b=P" -- i don't know what is it.
Any ideas?
5. At least, since we can run our code from diskboot, we can install some kind of tracer/debugger and try to investigate what happens then we select "Update Firmware" from menu -- this is the way to found and understand all checks of FW-update integrity.
Am i too late?
