EOS 550D / T2i / Kiss X4 - page 3 - DSLR Hack development - CHDK Forum

EOS 550D / T2i / Kiss X4

Re: EOS 550D / T2i / Kiss X4
« Reply #20 on: 20 / April / 2010, 21:32:13 »
Pelican: After splitting the firmware with the decryption tool for the 5D, there was no clear text in the resulting files when there should have been. I think it's likely that the 550D uses the same encoding format as the 7D since they are pretty close in release age.

I've dumped my 7D's firmware (1.1.0) and I've made my own dissect_fw because the original doesn't handle the two updater blocks of the 7D fw.

I've checked the 550D fw but I don't think it is similar to the 7D's. I think it is totally different.

I've found only one similar to the 7D fw, and that is the 1D Mk IV fw.
« Last Edit: 20 / April / 2010, 21:35:14 by Pelican »

Re: EOS 550D / T2i / Kiss X4
« Reply #21 on: 20 / April / 2010, 22:01:35 »
Every dual-DIGIC camera has 2 updaters.

Pelican, do you know how to compute the updater2 checksum?

What does hmac-sha1 mean?

At 0x88, your fir viewer says:
 0x088: updater1 hmac-sha1 =

but here
http://chdk.wikia.com/wiki/7D

it is written:
0x088: firmware hmac-sha1 =

Any idea?

Lorenzo
« Last Edit: 20 / April / 2010, 22:03:09 by lorenzo353 »

Re: EOS 550D / T2i / Kiss X4
« Reply #22 on: 20 / April / 2010, 22:28:26 »

Every dual-DIGIC camera has 2 updaters.

That was my opinion too... :)

Pelican, do you know how to compute the updater2 checksum?
Never tried, but I thought it was just the sum of the bytes, like the first checksum.
What did you try already?

What does hmac-sha1 mean?

At 0x88, your fir viewer says:
 0x088: updater1 hmac-sha1 =

but here
http://chdk.wikia.com/wiki/7D

it is written:
0x088: firmware hmac-sha1 =

My tool is wrong; I'll correct it.
I think the two hmac-sha1 keys(?) are needed to decrypt the firmware payload.
Unfortunately nobody wants to publish the how-to.
I'm trying to get every piece of information on the ml-devel list, but it takes too much time.
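As an added illustration of the checksum versus hmac-sha1 question in the exchange above (not code from the thread or from any Canon tool): a plain sum-of-bytes checksum can be re-fitted by whoever modifies the data, while an HMAC-SHA1 field cannot be recomputed without the key, which is why such a field in an updater header matters for verification. The key and payload below are constructed; the key and coverage of the real 0x088 field are not on the page.

```python
"""Checksum vs HMAC-SHA1 on a firmware-style payload (constructed example)."""
import hashlib
import hmac


def byte_sum_checksum(data: bytes) -> int:
    """Additive checksum over all bytes: anyone can recompute it, so it only
    detects accidental corruption."""
    return sum(data) & 0xFFFFFFFF


def hmac_sha1(key: bytes, data: bytes) -> bytes:
    """Keyed SHA-1 digest (RFC 2104): recomputing it requires the key, so a
    matching tag also shows who produced the data."""
    return hmac.new(key, data, hashlib.sha1).digest()


def checksum_ok(data: bytes, expected: int) -> bool:
    return byte_sum_checksum(data) == expected


def hmac_ok(key: bytes, data: bytes, expected: bytes) -> bool:
    # constant-time comparison so a verifier does not leak matching prefixes
    return hmac.compare_digest(hmac_sha1(key, data), expected)


def tamper_demo(key: bytes) -> tuple[bool, bool]:
    """Change two bytes of a constructed payload so the byte sum is unchanged,
    then check both fields. Returns (checksum_passes, hmac_passes)."""
    payload = bytearray(b"constructed updater payload " * 8)
    chk, tag = byte_sum_checksum(payload), hmac_sha1(key, payload)
    payload[0] += 1   # 'c' -> 'd'
    payload[1] -= 1   # 'o' -> 'n': the sum of all bytes is exactly as before
    return checksum_ok(payload, chk), hmac_ok(key, payload, tag)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # placeholder, not a real updater key
    print(tamper_demo(demo_key))        # (True, False)
```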

Re: EOS 550D / T2i / Kiss X4
« Reply #23 on: 21 / April / 2010, 19:03:04 »
Bytes 0xC0 - 0x110 are null in the US 5DII 2.0.4 and 7D 1.2.1 fir files.

However, the 5DII 1.1.1 file I have does not have that blank area, nor does the 550D 1.0.6 file.

I am not sure of the source of the 5DII 1.1.1 file; it's possible that it's not English. I will try and find a few more non-English firmwares to take a look at.

Magic Lantern also has this analysis of the FIR format for the 5D: http://magiclantern.wikia.com/wiki/Firmware_file

chuchin: Thank you for the link, I will check it out.

To JeremyOne:
The service firmware updater has a similar header to the classic firmware payload, thus they are also encrypted using AES 128.
Where can I find the 5dM2 1.1.1 file, please?
Each firmware update contains all languages supported by the camera (about 18 if I remember).

To Pelican: just read the previous post on the 512/513 keys discovery; you'll see what kind of test allows recovering the XOR keys, which do not work on service firmware.

« Last Edit: 21 / April / 2010, 19:25:58 by lorenzo353 »

Re: EOS 550D / T2i / Kiss X4
« Reply #24 on: 21 / April / 2010, 21:32:09 »
The service firmware updater has a similar header to the classic firmware payload, thus they are also encrypted using AES 128.
Where can I find the 5dM2 1.1.1 file, please?

lorenzo353: That would explain all the questions about the firmware file that came up, and it does make sense.

The file I have that I thought was the 5dM2 1.1.1 file was actually the firmware for the 5D (not 5DM2); it is available on the Canon site.

Before lorenzo353's post, I spent some time today checking all the other firmware files on the Canon site, and I was able to decode the flasher part of the 7D, 5DM2, 500D, 1000D, 450D and 400D files with dissect_fw3_2.

Unless someone knows it will not help or it's a bad idea, I may flash the camera with the service release firmware and see if it enables booting from an SD card.

Re: EOS 550D / T2i / Kiss X4
« Reply #25 on: 22 / April / 2010, 14:37:30 »
Just a quick update on the firmware file:

I did flash my camera with the 1.0.6 firmware discussed; it worked fine. It did reset my settings and language, but those were easy to set back.

As far as I can tell this firmware is no different than the 1.0.6 I had before. I wasn't expecting much, but I wanted to investigate all avenues.

I did try booting from a card made with cardtricks 1.44 in every camera mode, though that did not work either. Again, my hopes were not high, but I wanted to rule it out just in case.

I am going to move my focus back to compiling a fake firmware update based on the Magic Lantern dumper. Once I have my cross-compiler set up it should be pretty easy to give it a try.

Re: EOS 550D / T2i / Kiss X4
« Reply #26 on: 22 / April / 2010, 15:52:59 »
Not to demotivate you, but the dumper in the Magic Lantern repository relies on the addresses of several helper functions being known (like open file, write file, etc.), so you have kind of a chicken/egg problem there: you need a dump to find those addresses, yet you need the dumper to work to obtain a dump.

A second problem would be that for the cam to accept your update, it'll have to be encrypted in the same way as an 'official' update, which nobody has been able to break so far.

Re: EOS 550D / T2i / Kiss X4
« Reply #27 on: 22 / April / 2010, 16:30:49 »
Not to demotivate you, but the dumper in the Magic Lantern repository relies on the addresses of several helper functions being known (like open file, write file, etc.), so you have kind of a chicken/egg problem there: you need a dump to find those addresses, yet you need the dumper to work to obtain a dump.

A second problem would be that for the cam to accept your update, it'll have to be encrypted in the same way as an 'official' update, which nobody has been able to break so far.

From what I understand the ML dumper uses the flasher code (originally from the 5D2) to dump, not the functions in the existing/running camera firmware. In reading the ML Google group, I think Trammell used it to dump the 7D firmware successfully.

At any rate, I think I've exhausted all other options, and I think it's worth a try. Once my compiler is working it should be pretty easy to test.

Otherwise I'll have to wait and hope that the non-service release of the T2i firmware is XOR-ed in the old/standard way (whenever that is).

Re: EOS 550D / T2i / Kiss X4
« Reply #28 on: 22 / April / 2010, 18:19:43 »
The 500D got announced in March '09 and we only just got a FW update for that one, so it could be quite a while before we'll see an 'official' update, and even then there's a good possibility it'll use the same encryption as the service one. Don't get me wrong, I own a 550D too and would love nothing more than getting some custom code running; as it looks right now things don't look too good for the short term, but there's still plenty of other options left.

Given how close the 550D and the 500D are and that we have a 500D dump, it could be worth looking in that one to see if there's a flaw somewhere we can exploit and get a dump. My main interest would be figuring out if it has an autoexec.bin, autoboot or something similar that runs unencrypted code.

USB has mainly been unexplored on all Canons. There have been several reports of people getting their camera back from service and it enumerating as "DCP Connect"; even in my ancient S2IS there are references to a DCP mode in firmware. Perhaps we can figure out how to flip a camera in/out of that mode and what options are available, or perhaps what undocumented commands are available in regular PTP mode; analysing dumps of cameras that we have could greatly help there.

Given that there are few repeating patterns in the 550D service FW and none of the XOR algorithms seem to make any sense, let's look around: the point-and-shoots use AES-128-CBC, which could account perfectly for the even distribution we see in the 550 fw. I'm not getting my hopes up here, but I guess it couldn't hurt to try some of the known AES keys from the P&S range Canon uses; we might just get lucky.

There was some talk on the Magic Lantern list about a backdoor in the firmware loader using a serial port; that could be worth exploring. Has anyone ever figured out the pinout of the connector in the battery compartment? If I had to expose a serial/debugging port, that's where I would put it.

Given how there's an ARM in there and most ARM cores come with JTAG (5-pin) or SWD (2-pin) support built right into the core, it could be worth exploring whether they are exposed somewhere.

So plenty of ideas/options, so little time :)
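The distribution argument in the post above (repeating XOR patterns versus the flat byte distribution a block cipher leaves), as an added example that is not from the thread or from any CHDK or Magic Lantern tool: a coincidence-count check that tells repeating-key XOR from cipher-like data without knowing any key, the kind of triage a reverser does before deciding which analysis is worth the time. The word list, the 16-byte key and the seeded random bytes are all constructed stand-ins, not camera firmware.

```python
"""Triage of an unknown firmware blob: a repeating XOR key leaves the plaintext's
byte statistics visible at multiples of the key length; block-cipher output does
not. Added example; both blobs below are constructed, not real Canon firmware."""
import math
import random
from collections import Counter
from statistics import median


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for a flat distribution, lower for structure."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def coincidence_rate(data: bytes, shift: int) -> float:
    """Fraction of positions i where data[i] == data[i + shift]."""
    pairs = len(data) - shift
    return sum(data[i] == data[i + shift] for i in range(pairs)) / pairs


def likely_xor_period(data: bytes, max_period: int = 64):
    """Smallest shift whose coincidence rate stands well above the background
    (about 1/256 for cipher-like bytes). None means no XOR period was found."""
    rates = {p: coincidence_rate(data, p) for p in range(1, max_period + 1)}
    background = median(rates.values())
    peaks = [p for p, r in rates.items() if r > max(0.03, 3 * background)]
    return min(peaks) if peaks else None


def xor_with_key(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_samples() -> tuple[bytes, bytes]:
    """Constructed inputs: word-salad text under a 16-byte repeating XOR key, and
    seeded random bytes standing in for block-cipher output of the same size."""
    rng = random.Random(550)
    words = ["firmware", "updater", "block", "header", "checksum", "canon",
             "payload", "table", "entry", "flash", "boot", "image", "size"]
    text = " ".join(rng.choice(words) for _ in range(800)).encode()
    key = bytes.fromhex("3a9c07e5b14fd268ca0d7f96b3285ce1")  # constructed key
    cipherlike = bytes(rng.getrandbits(8) for _ in range(len(text)))
    return xor_with_key(text, key), cipherlike


if __name__ == "__main__":
    for name, blob in zip(("xor-keyed", "cipher-like"), build_samples()):
        print(f"{name}: entropy={shannon_entropy(blob):.2f} bits/byte, "
              f"xor period={likely_xor_period(blob)}")
```

Entropy alone is a weak discriminator here, since a 16-byte key already spreads text over most byte values; the coincidence peaks are what separate the two cases.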

luastoned
Re: EOS 550D / T2i / Kiss X4
« Reply #29 on: 07 / May / 2010, 07:22:45 »
Hey, I've got a 550D too and I'd really love to help out where I can.
I'll read through some Dev articles and see if that gets me further.

If anyone wants me to do anything with my cam, no problem :D
