Hi all,
I'm a professional Engineer / web developer and hobbyist photographer. I recently got a 5D2 and became interested in the intersection of these two passions. I've read about the 512+513 byte encryption scheme and became fascinated with the math involved in the encryption. With help from a guy who deciphered the 40D keys (thanks Lex!), I wrote a program which attempts to decipher the 512+513 byte keys automatically on a .fir file.
The generic decryptor naturally depends on recognizable text strings in the firmware, and is targeted at those found in DSLR firmware.
I've only tried it on the 40D and 5D2 firmware - I actually have no idea which other cameras use the encryption scheme - probably most of the dSLRs... But it works surprisingly well. Below is a quick program (not the generic decryptor) which uses the keys I discovered to decrypt (and subsequently encrypt) the 5D2 v1.0.7 firmware file, 5d200107.fir. Because the program is a plain byte-wise XOR against the two key tables, running it a second time on its own output re-encrypts the file.
Obviously the next step is to have at the firmware with a good disassembler, and having never played with one, I'm hoping others can work on this in parallel. If anyone uses this in their quest to obtain the canonhack.com reward, I'd appreciate a little kickback.
Personally I'm very interested in the possibility of minimally modifying the firmware to be able to execute arbitrary code from the CF card. This is probably obvious, given the cost of the camera - bricking it is not an option. I'll be watching these forums for developments.
Cheers,
-Jeff
BTW, being very new here, if someone wants to brief me on CHDK and the most probable developments for DSLRs, that'd be great.
PS - Use this or any firmware modification at your own risk!
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
/*
 * First XOR key table, 512 bytes. main() XORs every input byte with a[i],
 * where i advances once per byte and wraps back to 0 at 512.
 * Per the accompanying post, these values are for the 5D2 v1.0.7 firmware
 * file; nothing in this listing checks that the input is that file.
 */
unsigned char a[512] = {
0x69, 0xbf, 0xf8, 0xf0, 0x4c, 0x22, 0xdf, 0x8c, 0xe4, 0x2f, 0xb1, 0x42, 0x81, 0x67, 0x1b, 0xb4,
0x34, 0xf2, 0xde, 0x0d, 0x92, 0xf4, 0x2f, 0x83, 0x25, 0xda, 0xed, 0x40, 0x85, 0x09, 0xbe, 0xb9,
0xf9, 0x6d, 0xd4, 0x4a, 0xcf, 0x71, 0x16, 0x1a, 0xf2, 0xe5, 0xf6, 0x5d, 0x35, 0xe8, 0x8f, 0x78,
0x77, 0x29, 0x9b, 0x6d, 0x4e, 0xf3, 0xdb, 0x61, 0x55, 0x42, 0xea, 0xef, 0x74, 0x9b, 0xa6, 0xd9,
0x18, 0x1c, 0x34, 0x62, 0xcf, 0x7b, 0x14, 0x7d, 0x71, 0x48, 0x21, 0x04, 0xdf, 0x0f, 0xcc, 0x18,
0x7c, 0xcc, 0xbc, 0xa4, 0x7f, 0xde, 0x49, 0x2a, 0xb3, 0xf8, 0x73, 0x34, 0x98, 0xcb, 0x06, 0x3a,
0x88, 0xec, 0x8f, 0x90, 0x74, 0x15, 0x45, 0xc1, 0xd3, 0x00, 0xa1, 0x39, 0xb4, 0xcb, 0x94, 0x79,
0x80, 0xa8, 0xa9, 0x6d, 0x65, 0xe3, 0x55, 0x89, 0x8d, 0x8a, 0x66, 0xc1, 0x74, 0xe0, 0xbe, 0xf5,
0xa1, 0x8a, 0x1e, 0x9d, 0x8c, 0x55, 0x4b, 0x27, 0xa1, 0x9b, 0x0b, 0xad, 0xf6, 0x64, 0xec, 0x79,
0xf4, 0xa5, 0x21, 0x8f, 0xa7, 0xdc, 0x45, 0x07, 0x91, 0x3f, 0xbe, 0x0e, 0x59, 0x3c, 0x61, 0x4b,
0x4a, 0xbe, 0xac, 0x3f, 0x46, 0x29, 0x7f, 0x54, 0xc1, 0xbd, 0xf9, 0xda, 0x33, 0x94, 0x46, 0xc6,
0x41, 0xd4, 0xab, 0x75, 0xba, 0xf7, 0xdd, 0x50, 0x10, 0xe9, 0xc7, 0xa2, 0x65, 0x58, 0x0c, 0x4f,
0xea, 0x72, 0xd6, 0xbe, 0xd4, 0xee, 0xbc, 0xae, 0xdb, 0x49, 0x6b, 0x84, 0x39, 0x49, 0xe6, 0xdf,
0x61, 0x86, 0xa2, 0xc4, 0x83, 0xe4, 0xc5, 0xee, 0x70, 0xed, 0x2a, 0xf9, 0xff, 0xf8, 0xc1, 0x53,
0xa4, 0x13, 0x48, 0x4b, 0xf7, 0x07, 0x9c, 0x9a, 0xfd, 0x6a, 0x27, 0x17, 0xbe, 0x7f, 0x64, 0x72,
0x86, 0xfa, 0x0c, 0x54, 0xdd, 0xda, 0x82, 0xbd, 0x4d, 0x7f, 0xa5, 0xad, 0x52, 0x1c, 0x97, 0xde,
0x00, 0x29, 0x8f, 0xc5, 0x4b, 0x98, 0x45, 0x40, 0x38, 0x75, 0xb9, 0x31, 0xe9, 0x3b, 0x45, 0xde,
0xcf, 0x0d, 0x45, 0xa4, 0x13, 0x25, 0xf5, 0x6e, 0x8f, 0xfd, 0x0a, 0x78, 0x75, 0x7c, 0xdb, 0xa6,
0x64, 0x39, 0xdb, 0xc4, 0x90, 0x1a, 0xd6, 0xad, 0x97, 0xb4, 0x80, 0x61, 0x78, 0xec, 0xf0, 0xa4,
0xf3, 0xd5, 0x00, 0x5f, 0x01, 0x94, 0x1a, 0xa9, 0x68, 0x19, 0xb0, 0x93, 0xae, 0x6f, 0xb7, 0x00,
0xfa, 0x55, 0xc8, 0x22, 0x81, 0x8a, 0xe1, 0xee, 0x18, 0xf1, 0x7b, 0x52, 0x90, 0xe9, 0x92, 0x8c,
0x6c, 0x69, 0x72, 0x80, 0x68, 0x45, 0x48, 0x52, 0x3d, 0x5e, 0x66, 0xa4, 0x5f, 0x02, 0xf7, 0xfd,
0xee, 0x12, 0x0b, 0xf4, 0x73, 0xb9, 0x4c, 0xd5, 0x0c, 0x34, 0xf8, 0xd4, 0x36, 0x35, 0xd8, 0xf0,
0x0b, 0x54, 0xd9, 0xdf, 0x69, 0x5a, 0x69, 0xe0, 0xae, 0x69, 0x3f, 0xe3, 0x1a, 0x94, 0x08, 0xf3,
0x22, 0x3f, 0x07, 0x70, 0xfb, 0x50, 0x32, 0x14, 0x3d, 0x62, 0x52, 0x94, 0x58, 0x31, 0x86, 0xa6,
0x6e, 0xc6, 0x10, 0xec, 0xa1, 0xe6, 0x06, 0x33, 0x68, 0x50, 0x1c, 0x37, 0xe4, 0xa6, 0xf6, 0x48,
0xfd, 0x58, 0x7d, 0xc6, 0x9e, 0x48, 0xd6, 0x28, 0xe3, 0xed, 0xe2, 0x75, 0x09, 0xd6, 0x31, 0xb9,
0x66, 0x47, 0x38, 0xc2, 0x1f, 0x9e, 0xb6, 0x4e, 0xbc, 0xef, 0x4c, 0xcb, 0x4b, 0x27, 0xe7, 0x85,
0xc8, 0x76, 0xb5, 0xb8, 0x7f, 0x87, 0xb2, 0xe8, 0x9d, 0xb0, 0x17, 0xb5, 0x6e, 0x00, 0x50, 0x39,
0x59, 0x19, 0x46, 0x9c, 0x3c, 0x34, 0x49, 0x2a, 0x50, 0x3c, 0x26, 0x3e, 0x5a, 0xc9, 0x6b, 0xab,
0xc2, 0x06, 0x52, 0x73, 0x28, 0xdc, 0x99, 0x3f, 0xee, 0x86, 0x19, 0xe7, 0x49, 0x4f, 0x5b, 0x8c,
0xf2, 0x1a, 0xa2, 0x92, 0xd7, 0x9e, 0x71, 0xc9, 0x74, 0xa9, 0x0f, 0xfc, 0x0b, 0xa6, 0x72, 0xa0
};
/*
 * Second XOR key table, 513 bytes (32 rows of 16 plus one trailing byte).
 * main() XORs every input byte with b[j], where j advances once per byte
 * and wraps back to 0 at 513, one position later than the index into a.
 */
unsigned char b[513] = {
0x9c, 0xa6, 0xcc, 0x60, 0x4e, 0xe8, 0x18, 0x91, 0x23, 0xdb, 0x50, 0xb7, 0x27, 0x20, 0x08, 0x40,
0x8a, 0x27, 0xcf, 0x75, 0x54, 0x2a, 0xff, 0xe6, 0xb5, 0x6f, 0x0a, 0xa8, 0x14, 0xf8, 0x90, 0x85,
0x5c, 0x31, 0x2e, 0xf0, 0x9d, 0x69, 0xad, 0x23, 0x4b, 0x81, 0xb1, 0x78, 0x3d, 0xb2, 0xeb, 0xcd,
0xfd, 0xe8, 0xf9, 0xb4, 0x85, 0x3b, 0x95, 0x95, 0x6a, 0x17, 0x51, 0x17, 0x61, 0x3f, 0xe6, 0xd3,
0x96, 0xec, 0xcf, 0x3b, 0xdb, 0xd2, 0xe3, 0x6f, 0xb7, 0xfd, 0xbd, 0xa9, 0xef, 0x2b, 0xab, 0xec,
0x7c, 0x61, 0xd0, 0x2e, 0xc0, 0xd7, 0x2d, 0xb1, 0x9a, 0x5e, 0x35, 0x06, 0x41, 0xc9, 0x1f, 0x8e,
0x7f, 0xdd, 0xc6, 0xd9, 0x98, 0xb5, 0x95, 0xbc, 0x4c, 0x78, 0x32, 0x4e, 0x64, 0xe2, 0xf4, 0x53,
0x62, 0xc3, 0x51, 0xb2, 0x9b, 0xc7, 0x21, 0x6b, 0xc8, 0x2c, 0xa3, 0x02, 0xd3, 0x37, 0xcd, 0x62,
0xe7, 0x7c, 0xfd, 0x9f, 0xe8, 0x15, 0xe6, 0xf1, 0x91, 0x89, 0x6c, 0x52, 0x49, 0xe2, 0x1f, 0x8e,
0x89, 0xb6, 0x72, 0xf8, 0x20, 0xa8, 0xfe, 0x7f, 0x91, 0x5d, 0x6f, 0x53, 0xee, 0x45, 0x43, 0x7e,
0x40, 0x0c, 0x21, 0xa8, 0xad, 0x2d, 0x4a, 0xb9, 0xa0, 0x51, 0xae, 0xfc, 0xb5, 0x80, 0xdd, 0x74,
0x0f, 0x4b, 0x92, 0xaf, 0xfa, 0xe0, 0x13, 0xae, 0x8a, 0x5d, 0xc7, 0x27, 0x9c, 0x8a, 0xb3, 0x08,
0x2a, 0x35, 0x63, 0x99, 0xc5, 0xeb, 0xb2, 0x37, 0xd3, 0xa6, 0xe1, 0xa7, 0x7b, 0x89, 0x25, 0x02,
0xa3, 0x22, 0x46, 0xd0, 0x3a, 0x42, 0x21, 0x06, 0xe9, 0xc3, 0x4c, 0xa4, 0x45, 0x00, 0x24, 0x15,
0x02, 0xcf, 0xeb, 0xb8, 0xe7, 0x91, 0xaa, 0x3d, 0x7d, 0x15, 0xa2, 0x57, 0x4b, 0xf1, 0x91, 0x36,
0x4a, 0x0e, 0xc6, 0xc8, 0xb7, 0x64, 0x1c, 0xe4, 0x70, 0x57, 0x3c, 0x22, 0x2d, 0x84, 0x6d, 0x0c,
0xa5, 0xae, 0xba, 0xe3, 0x10, 0x7e, 0x14, 0x65, 0xca, 0xee, 0xff, 0x68, 0x98, 0x68, 0xd2, 0x60,
0xad, 0xf6, 0x97, 0x49, 0x0e, 0x37, 0xbf, 0x82, 0xb7, 0xa4, 0x0d, 0x99, 0x58, 0xce, 0xde, 0x1e,
0xfd, 0xd8, 0x57, 0x3a, 0x1f, 0xc4, 0xb0, 0xf2, 0x13, 0xfd, 0x5f, 0x0f, 0x6e, 0xf5, 0x65, 0x74,
0x22, 0x6c, 0xb0, 0x41, 0x5e, 0xd6, 0xe7, 0x98, 0x08, 0xec, 0xc0, 0x29, 0x9e, 0x10, 0x70, 0x41,
0x2e, 0xfd, 0x84, 0x38, 0x0a, 0xef, 0x96, 0xba, 0xd0, 0x88, 0x42, 0xbb, 0xca, 0x5c, 0x5d, 0xc0,
0xec, 0x59, 0x26, 0xeb, 0x0d, 0x95, 0x4a, 0xfe, 0xe7, 0x29, 0xa7, 0x5c, 0x99, 0x5b, 0x14, 0xcf,
0x3d, 0x17, 0xa8, 0x9d, 0x9c, 0x0c, 0x98, 0x07, 0xc7, 0xfd, 0xfb, 0xf5, 0x33, 0x47, 0x52, 0xee,
0xe6, 0xe8, 0x07, 0xa2, 0xfe, 0x15, 0xcf, 0xb6, 0x71, 0x22, 0x45, 0x55, 0x6f, 0x3b, 0x15, 0x22,
0x21, 0x59, 0x17, 0x85, 0xc2, 0x5c, 0xd0, 0xaa, 0x66, 0x3c, 0x6b, 0x77, 0xd0, 0xae, 0x52, 0xa4,
0x26, 0x8c, 0xb4, 0xd4, 0x79, 0x92, 0xd8, 0x80, 0x79, 0x53, 0x45, 0xf5, 0xa3, 0x05, 0xa2, 0x5c,
0x7c, 0x82, 0xe9, 0x8f, 0xa3, 0xa5, 0xa0, 0x0f, 0x5d, 0x4c, 0x20, 0x6a, 0x92, 0x10, 0x97, 0x3a,
0x26, 0x34, 0x00, 0x6c, 0xc4, 0xf2, 0xac, 0x80, 0x7f, 0x71, 0xc2, 0x89, 0xeb, 0x4f, 0xdf, 0x7f,
0xbd, 0x8d, 0xe9, 0xdd, 0x59, 0x34, 0xf7, 0xbf, 0x03, 0x9a, 0xae, 0xe4, 0x23, 0x18, 0xc8, 0xc4,
0xed, 0x57, 0x2b, 0x7b, 0x0a, 0xda, 0x5f, 0x3c, 0x87, 0x2d, 0x8e, 0x36, 0x03, 0xbd, 0xdd, 0x00,
0xb6, 0xc2, 0xf6, 0xe0, 0x87, 0x34, 0x02, 0xe1, 0x94, 0x3c, 0x3f, 0xb7, 0x59, 0xda, 0x43, 0x21,
0x74, 0x4f, 0xe0, 0x3d, 0x02, 0x3b, 0xf7, 0x2c, 0x4e, 0x1e, 0xa3, 0x81, 0x4e, 0x44, 0x08, 0x2b,
0x84};
/* Alias for unsigned short (at least 16 bits wide); not referenced anywhere in this listing. */
typedef unsigned short uint16;
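/*
 * XOR an input file against the two repeating key tables and write the result.
 *
 * Every input byte is XORed with a[i] and b[j]. i wraps at the length of a
 * (512) and j at the length of b (513), so the combined keystream repeats
 * only every 512 * 513 = 262656 bytes. XOR is its own inverse, so the same
 * program both decrypts and re-encrypts.
 *
 * The transform carries no checksum or signature: a short or corrupted
 * output looks no different from a good one at this layer. Read and write
 * failures are therefore reported and turned into a non-zero exit status,
 * so a truncated image (full disk, I/O error) is not mistaken for a complete
 * firmware file.
 *
 * argv[1] is the input path and argv[2] the output path. The output is
 * opened with "wb", which truncates it; passing the same path for both
 * destroys the input before it is read.
 *
 * Returns 0 on success, -1 on a usage error, an open failure or an I/O error.
 */
int main(int argc, char *argv[])
{
    FILE *in;
    FILE *out;
    size_t i = 0, j = 0;
    int val;
    int rc = 0;

    if (argc != 3) {
        printf("Usage: decrypt inputfile outfile\n");
        return -1;
    }
    if ((in = fopen(argv[1], "rb")) == NULL) {
        printf("Cant't open file name %s\n", argv[1]);
        return -1;
    }
    if ((out = fopen(argv[2], "wb")) == NULL) {
        printf("Cant't open file name %s\n", argv[2]);
        fclose(in);
        return -1;
    }

    while ((val = fgetc(in)) != EOF) {
        if (fputc(val ^ a[i] ^ b[j], out) == EOF) {
            fprintf(stderr, "Write error on %s; output is incomplete\n", argv[2]);
            rc = -1;
            break;
        }
        /* The two indices wrap independently, one at each table's length. */
        if (++i >= sizeof a) {
            i = 0;
        }
        if (++j >= sizeof b) {
            j = 0;
        }
    }

    /* fgetc() returns EOF for both end-of-file and a read error. */
    if (rc == 0 && ferror(in)) {
        fprintf(stderr, "Read error on %s; output is incomplete\n", argv[1]);
        rc = -1;
    }

    /* fclose() flushes buffered data, so a late write failure shows up here. */
    if (fclose(out) != 0 && rc == 0) {
        fprintf(stderr, "Write error on %s; output is incomplete\n", argv[2]);
        rc = -1;
    }
    fclose(in);
    return rc;
}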