Generic 512+513 key decryptor: 5D Mark II 1.0.7 keys inside - DSLR Hack development - CHDK Forum supplierdeeply

Generic 512+513 key decryptor: 5D Mark II 1.0.7 keys inside

  • 5 Replies
Generic 512+513 key decryptor: 5D Mark II 1.0.7 keys inside
« on: 09 / February / 2009, 01:46:59 »
Hi all,

I'm a professional Engineer / web developer and hobbyist photographer.  I recently got a 5D2 and became interested in the intersection of these two passions.  I've read about the 512+513 byte encryption scheme and became fascinated with the math involved in the encryption.  With help from a guy who deciphered the 40D keys (thanks Lex!), I wrote a program which attempts to decipher the 512+513 byte keys automatically on a .fir file.

The generic decryptor, naturally, depends on strings and is targeted to those found in DSLR firmware.

I've only tried it on the 40D and 5D2 firmware - I actually have no idea which other cameras use the encryption scheme - probably most of the dSLRs...  But it works surprisingly well.  Below is a quick program (not the generic decryptor) which uses the keys I discovered to decrypt (and subsequently encrypt) the 5D2 v1.0.7 firmware file, 5d200107.fir.

Obviously the next step is to have at the firmware with a good disassembler, and having never played with one, I'm hoping others can work on this in parallel.  If anyone uses this in their quest to obtain the reward, I'd appreciate a little kickback.   :D

Personally I'm very interested in the possibility of minimally modifying the firmware to be able to execute arbitrary code from the CF card.  This is probably obvious, given the cost of the camera - bricking it is not an option.  I'll be watching these forums for developments.


BTW, being very new here, if someone wants to brief me on CHDK and the most probable developments for DSLRs, that'd be great.   :)

PS - Use this or any firmware modification at your own risk!   :D

Code: (cpp) [Select]
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

unsigned char a[512] = {
 0x69, 0xbf, 0xf8, 0xf0, 0x4c, 0x22, 0xdf, 0x8c, 0xe4, 0x2f, 0xb1, 0x42, 0x81, 0x67, 0x1b, 0xb4,
 0x34, 0xf2, 0xde, 0x0d, 0x92, 0xf4, 0x2f, 0x83, 0x25, 0xda, 0xed, 0x40, 0x85, 0x09, 0xbe, 0xb9,
 0xf9, 0x6d, 0xd4, 0x4a, 0xcf, 0x71, 0x16, 0x1a, 0xf2, 0xe5, 0xf6, 0x5d, 0x35, 0xe8, 0x8f, 0x78,
 0x77, 0x29, 0x9b, 0x6d, 0x4e, 0xf3, 0xdb, 0x61, 0x55, 0x42, 0xea, 0xef, 0x74, 0x9b, 0xa6, 0xd9,
 0x18, 0x1c, 0x34, 0x62, 0xcf, 0x7b, 0x14, 0x7d, 0x71, 0x48, 0x21, 0x04, 0xdf, 0x0f, 0xcc, 0x18,
 0x7c, 0xcc, 0xbc, 0xa4, 0x7f, 0xde, 0x49, 0x2a, 0xb3, 0xf8, 0x73, 0x34, 0x98, 0xcb, 0x06, 0x3a,
 0x88, 0xec, 0x8f, 0x90, 0x74, 0x15, 0x45, 0xc1, 0xd3, 0x00, 0xa1, 0x39, 0xb4, 0xcb, 0x94, 0x79,
 0x80, 0xa8, 0xa9, 0x6d, 0x65, 0xe3, 0x55, 0x89, 0x8d, 0x8a, 0x66, 0xc1, 0x74, 0xe0, 0xbe, 0xf5,
 0xa1, 0x8a, 0x1e, 0x9d, 0x8c, 0x55, 0x4b, 0x27, 0xa1, 0x9b, 0x0b, 0xad, 0xf6, 0x64, 0xec, 0x79,
 0xf4, 0xa5, 0x21, 0x8f, 0xa7, 0xdc, 0x45, 0x07, 0x91, 0x3f, 0xbe, 0x0e, 0x59, 0x3c, 0x61, 0x4b,
 0x4a, 0xbe, 0xac, 0x3f, 0x46, 0x29, 0x7f, 0x54, 0xc1, 0xbd, 0xf9, 0xda, 0x33, 0x94, 0x46, 0xc6,
 0x41, 0xd4, 0xab, 0x75, 0xba, 0xf7, 0xdd, 0x50, 0x10, 0xe9, 0xc7, 0xa2, 0x65, 0x58, 0x0c, 0x4f,
 0xea, 0x72, 0xd6, 0xbe, 0xd4, 0xee, 0xbc, 0xae, 0xdb, 0x49, 0x6b, 0x84, 0x39, 0x49, 0xe6, 0xdf,
 0x61, 0x86, 0xa2, 0xc4, 0x83, 0xe4, 0xc5, 0xee, 0x70, 0xed, 0x2a, 0xf9, 0xff, 0xf8, 0xc1, 0x53,
 0xa4, 0x13, 0x48, 0x4b, 0xf7, 0x07, 0x9c, 0x9a, 0xfd, 0x6a, 0x27, 0x17, 0xbe, 0x7f, 0x64, 0x72,
 0x86, 0xfa, 0x0c, 0x54, 0xdd, 0xda, 0x82, 0xbd, 0x4d, 0x7f, 0xa5, 0xad, 0x52, 0x1c, 0x97, 0xde,
 0x00, 0x29, 0x8f, 0xc5, 0x4b, 0x98, 0x45, 0x40, 0x38, 0x75, 0xb9, 0x31, 0xe9, 0x3b, 0x45, 0xde,
 0xcf, 0x0d, 0x45, 0xa4, 0x13, 0x25, 0xf5, 0x6e, 0x8f, 0xfd, 0x0a, 0x78, 0x75, 0x7c, 0xdb, 0xa6,
 0x64, 0x39, 0xdb, 0xc4, 0x90, 0x1a, 0xd6, 0xad, 0x97, 0xb4, 0x80, 0x61, 0x78, 0xec, 0xf0, 0xa4,
 0xf3, 0xd5, 0x00, 0x5f, 0x01, 0x94, 0x1a, 0xa9, 0x68, 0x19, 0xb0, 0x93, 0xae, 0x6f, 0xb7, 0x00,
 0xfa, 0x55, 0xc8, 0x22, 0x81, 0x8a, 0xe1, 0xee, 0x18, 0xf1, 0x7b, 0x52, 0x90, 0xe9, 0x92, 0x8c,
 0x6c, 0x69, 0x72, 0x80, 0x68, 0x45, 0x48, 0x52, 0x3d, 0x5e, 0x66, 0xa4, 0x5f, 0x02, 0xf7, 0xfd,
 0xee, 0x12, 0x0b, 0xf4, 0x73, 0xb9, 0x4c, 0xd5, 0x0c, 0x34, 0xf8, 0xd4, 0x36, 0x35, 0xd8, 0xf0,
 0x0b, 0x54, 0xd9, 0xdf, 0x69, 0x5a, 0x69, 0xe0, 0xae, 0x69, 0x3f, 0xe3, 0x1a, 0x94, 0x08, 0xf3,
 0x22, 0x3f, 0x07, 0x70, 0xfb, 0x50, 0x32, 0x14, 0x3d, 0x62, 0x52, 0x94, 0x58, 0x31, 0x86, 0xa6,
 0x6e, 0xc6, 0x10, 0xec, 0xa1, 0xe6, 0x06, 0x33, 0x68, 0x50, 0x1c, 0x37, 0xe4, 0xa6, 0xf6, 0x48,
 0xfd, 0x58, 0x7d, 0xc6, 0x9e, 0x48, 0xd6, 0x28, 0xe3, 0xed, 0xe2, 0x75, 0x09, 0xd6, 0x31, 0xb9,
 0x66, 0x47, 0x38, 0xc2, 0x1f, 0x9e, 0xb6, 0x4e, 0xbc, 0xef, 0x4c, 0xcb, 0x4b, 0x27, 0xe7, 0x85,
 0xc8, 0x76, 0xb5, 0xb8, 0x7f, 0x87, 0xb2, 0xe8, 0x9d, 0xb0, 0x17, 0xb5, 0x6e, 0x00, 0x50, 0x39,
 0x59, 0x19, 0x46, 0x9c, 0x3c, 0x34, 0x49, 0x2a, 0x50, 0x3c, 0x26, 0x3e, 0x5a, 0xc9, 0x6b, 0xab,
 0xc2, 0x06, 0x52, 0x73, 0x28, 0xdc, 0x99, 0x3f, 0xee, 0x86, 0x19, 0xe7, 0x49, 0x4f, 0x5b, 0x8c,
 0xf2, 0x1a, 0xa2, 0x92, 0xd7, 0x9e, 0x71, 0xc9, 0x74, 0xa9, 0x0f, 0xfc, 0x0b, 0xa6, 0x72, 0xa0

unsigned char b[513] = {
 0x9c, 0xa6, 0xcc, 0x60, 0x4e, 0xe8, 0x18, 0x91, 0x23, 0xdb, 0x50, 0xb7, 0x27, 0x20, 0x08, 0x40,
 0x8a, 0x27, 0xcf, 0x75, 0x54, 0x2a, 0xff, 0xe6, 0xb5, 0x6f, 0x0a, 0xa8, 0x14, 0xf8, 0x90, 0x85,
 0x5c, 0x31, 0x2e, 0xf0, 0x9d, 0x69, 0xad, 0x23, 0x4b, 0x81, 0xb1, 0x78, 0x3d, 0xb2, 0xeb, 0xcd,
 0xfd, 0xe8, 0xf9, 0xb4, 0x85, 0x3b, 0x95, 0x95, 0x6a, 0x17, 0x51, 0x17, 0x61, 0x3f, 0xe6, 0xd3,
 0x96, 0xec, 0xcf, 0x3b, 0xdb, 0xd2, 0xe3, 0x6f, 0xb7, 0xfd, 0xbd, 0xa9, 0xef, 0x2b, 0xab, 0xec,
 0x7c, 0x61, 0xd0, 0x2e, 0xc0, 0xd7, 0x2d, 0xb1, 0x9a, 0x5e, 0x35, 0x06, 0x41, 0xc9, 0x1f, 0x8e,
 0x7f, 0xdd, 0xc6, 0xd9, 0x98, 0xb5, 0x95, 0xbc, 0x4c, 0x78, 0x32, 0x4e, 0x64, 0xe2, 0xf4, 0x53,
 0x62, 0xc3, 0x51, 0xb2, 0x9b, 0xc7, 0x21, 0x6b, 0xc8, 0x2c, 0xa3, 0x02, 0xd3, 0x37, 0xcd, 0x62,
 0xe7, 0x7c, 0xfd, 0x9f, 0xe8, 0x15, 0xe6, 0xf1, 0x91, 0x89, 0x6c, 0x52, 0x49, 0xe2, 0x1f, 0x8e,
 0x89, 0xb6, 0x72, 0xf8, 0x20, 0xa8, 0xfe, 0x7f, 0x91, 0x5d, 0x6f, 0x53, 0xee, 0x45, 0x43, 0x7e,
 0x40, 0x0c, 0x21, 0xa8, 0xad, 0x2d, 0x4a, 0xb9, 0xa0, 0x51, 0xae, 0xfc, 0xb5, 0x80, 0xdd, 0x74,
 0x0f, 0x4b, 0x92, 0xaf, 0xfa, 0xe0, 0x13, 0xae, 0x8a, 0x5d, 0xc7, 0x27, 0x9c, 0x8a, 0xb3, 0x08,
 0x2a, 0x35, 0x63, 0x99, 0xc5, 0xeb, 0xb2, 0x37, 0xd3, 0xa6, 0xe1, 0xa7, 0x7b, 0x89, 0x25, 0x02,
 0xa3, 0x22, 0x46, 0xd0, 0x3a, 0x42, 0x21, 0x06, 0xe9, 0xc3, 0x4c, 0xa4, 0x45, 0x00, 0x24, 0x15,
 0x02, 0xcf, 0xeb, 0xb8, 0xe7, 0x91, 0xaa, 0x3d, 0x7d, 0x15, 0xa2, 0x57, 0x4b, 0xf1, 0x91, 0x36,
 0x4a, 0x0e, 0xc6, 0xc8, 0xb7, 0x64, 0x1c, 0xe4, 0x70, 0x57, 0x3c, 0x22, 0x2d, 0x84, 0x6d, 0x0c,
 0xa5, 0xae, 0xba, 0xe3, 0x10, 0x7e, 0x14, 0x65, 0xca, 0xee, 0xff, 0x68, 0x98, 0x68, 0xd2, 0x60,
 0xad, 0xf6, 0x97, 0x49, 0x0e, 0x37, 0xbf, 0x82, 0xb7, 0xa4, 0x0d, 0x99, 0x58, 0xce, 0xde, 0x1e,
 0xfd, 0xd8, 0x57, 0x3a, 0x1f, 0xc4, 0xb0, 0xf2, 0x13, 0xfd, 0x5f, 0x0f, 0x6e, 0xf5, 0x65, 0x74,
 0x22, 0x6c, 0xb0, 0x41, 0x5e, 0xd6, 0xe7, 0x98, 0x08, 0xec, 0xc0, 0x29, 0x9e, 0x10, 0x70, 0x41,
 0x2e, 0xfd, 0x84, 0x38, 0x0a, 0xef, 0x96, 0xba, 0xd0, 0x88, 0x42, 0xbb, 0xca, 0x5c, 0x5d, 0xc0,
 0xec, 0x59, 0x26, 0xeb, 0x0d, 0x95, 0x4a, 0xfe, 0xe7, 0x29, 0xa7, 0x5c, 0x99, 0x5b, 0x14, 0xcf,
 0x3d, 0x17, 0xa8, 0x9d, 0x9c, 0x0c, 0x98, 0x07, 0xc7, 0xfd, 0xfb, 0xf5, 0x33, 0x47, 0x52, 0xee,
 0xe6, 0xe8, 0x07, 0xa2, 0xfe, 0x15, 0xcf, 0xb6, 0x71, 0x22, 0x45, 0x55, 0x6f, 0x3b, 0x15, 0x22,
 0x21, 0x59, 0x17, 0x85, 0xc2, 0x5c, 0xd0, 0xaa, 0x66, 0x3c, 0x6b, 0x77, 0xd0, 0xae, 0x52, 0xa4,
 0x26, 0x8c, 0xb4, 0xd4, 0x79, 0x92, 0xd8, 0x80, 0x79, 0x53, 0x45, 0xf5, 0xa3, 0x05, 0xa2, 0x5c,
 0x7c, 0x82, 0xe9, 0x8f, 0xa3, 0xa5, 0xa0, 0x0f, 0x5d, 0x4c, 0x20, 0x6a, 0x92, 0x10, 0x97, 0x3a,
 0x26, 0x34, 0x00, 0x6c, 0xc4, 0xf2, 0xac, 0x80, 0x7f, 0x71, 0xc2, 0x89, 0xeb, 0x4f, 0xdf, 0x7f,
 0xbd, 0x8d, 0xe9, 0xdd, 0x59, 0x34, 0xf7, 0xbf, 0x03, 0x9a, 0xae, 0xe4, 0x23, 0x18, 0xc8, 0xc4,
 0xed, 0x57, 0x2b, 0x7b, 0x0a, 0xda, 0x5f, 0x3c, 0x87, 0x2d, 0x8e, 0x36, 0x03, 0xbd, 0xdd, 0x00,
 0xb6, 0xc2, 0xf6, 0xe0, 0x87, 0x34, 0x02, 0xe1, 0x94, 0x3c, 0x3f, 0xb7, 0x59, 0xda, 0x43, 0x21,
 0x74, 0x4f, 0xe0, 0x3d, 0x02, 0x3b, 0xf7, 0x2c, 0x4e, 0x1e, 0xa3, 0x81, 0x4e, 0x44, 0x08, 0x2b,

typedef unsigned short uint16;

int main(int argc, char *argv[])
  FILE *in;
  FILE *out;
  int i = 0, j = 0, val;

  if (argc != 3) {
    printf("Usage: decrypt inputfile outfile\n");
    return -1;

  if ((in = fopen(argv[1], "rb")) == NULL) {
    printf("Cant't open file name %s\n", argv[1]);
    return -1;

  if ((out = fopen(argv[2], "wb")) == NULL) {
    printf("Cant't open file name %s\n", argv[2]);
    return -1;

  while ((val = fgetc(in)) != EOF) {
    fputc(val ^ a[i] ^ b[j], out);
    if (i >= 512) i=0;
    if (j >= 513) j=0;
  return 0;

Re: Generic 512+513 key decryptor: 5D Mark II 1.0.7 keys inside
« Reply #2 on: 09 / February / 2009, 08:36:36 »
Thanks for the link.  I hadn't seen that thread because it barely mentions 5D2, and fore me that was the whole point.   :)  Nice work.

What are you using to disassemble?  Can the free version of IDA be used?  It seems it may not support ARM architectures, though again, I haven't played with it much.

ETA: I see that the actual firmware payload is still encrypted...  Mmm, more games to play.   :)
« Last Edit: 09 / February / 2009, 08:53:50 by jeffco »

Re: Generic 512+513 key decryptor: 5D Mark II 1.0.7 keys inside
« Reply #3 on: 09 / February / 2009, 11:41:48 »
Try IDA pro V 5.2, this has ARM support

Re: Generic 512+513 key decryptor: 5D Mark II 1.0.7 keys inside
« Reply #4 on: 16 / February / 2009, 18:10:18 »
Does anyone have a program to do the reverse for a 50D/5D2?  ie reencrypt the update and fix any checksums?

I'm also very anxious not to brick my 5D2 but I understand this method can be used to run user code without updating the firmware.

Re: Generic 512+513 key decryptor: 5D Mark II 1.0.7 keys inside
« Reply #5 on: 17 / February / 2009, 02:50:55 »
The 512/513 keys to de-crypt the FW are also used to en-crypt the FW :D.


Related Topics

SimplePortal 2.3.6 © 2008-2014, SimplePortal