EOS 550D / T2i / Kiss X4 - page 5 - DSLR Hack development - CHDK Forum

EOS 550D / T2i / Kiss X4


Zibri
Re: EOS 550D / T2i / Kiss X4
« Reply #40 on: 23 / July / 2010, 15:39:52 »
Hmm.. I got an idea.. if there's a xor involved I hope I'll find it..

edit: false alarm :(

I tried a stupid thing.. I created a file which was a xor of the first firmware and the second. if there was a recurring xor pattern I should have seen it unless it's a variable algo.

I didn't :(

back to square one.

By the way, did anyone check the Service firmware?? It's much bigger than the normal one.. so maybe there are some useful backdoors/functions in there..
« Last Edit: 23 / July / 2010, 16:09:10 by Zibri »

Re: EOS 550D / T2i / Kiss X4
« Reply #41 on: 23 / July / 2010, 16:34:15 »
Think I saw someone somewhere who uploaded the service FW to his cam but didn't see any differences in the menus. Other than that we can't really check for backdoors given it's encrypted. I wrote a quick app a while ago that was able to recover the XOR keys for any firmware given there was a big enough block of 00s in it, but it wasn't able to recover anything from the service 550d fw, so fairly sure they switched to something more secure, given they used it before my best guess would be AES128-CBC but in all honesty it's a [admin: avoid swearing please] shoot, until someone obtains a dump in some other way it's a guessing game with the odds heavily heavily stacked against you.
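The key-recovery idea in the post above (a short XOR key repeated over a long block of 00s puts the keystream itself into the ciphertext), as an added Python example on constructed data; it is not the app described in the post nor anything from the thread. The 16-byte key, the firmware-like plaintext and the SHA-256 counter keystream used as a non-repeating contrast are all constructed, and the contrast shows that a keystream without a short period gives up only the bytes under the zero block and nothing beyond it.

```python
import hashlib

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def repeating_keystream(key, n):
    # The weak scheme: a short fixed key repeated over the whole image.
    return (key * (n // len(key) + 1))[:n]

def counter_keystream(key, n):
    # Non-repeating stand-in (constructed, not a real cipher): SHA-256(key || counter) blocks.
    blocks = [hashlib.sha256(key + i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def find_periodic_run(ct, max_period=64, min_run=512):
    """Longest stretch where ct[i] == ct[i+p] for some small p: that is where a
    repeating keystream met constant plaintext (a block of 00s). Ties keep the smallest p."""
    best = None
    for p in range(1, max_period + 1):
        run_start = 0
        for i in range(len(ct) - p):
            if ct[i] != ct[i + p]:
                run_start = i + 1
                continue
            length = i + p + 1 - run_start
            if length >= min_run and (best is None or length > best[2]):
                best = (p, run_start, length)
    return best

def recover_repeating_key(ct):
    hit = find_periodic_run(ct)
    if hit is None:
        return None                     # no short period: nothing to recover
    p, start, _ = hit
    chunk = ct[start:start + p]         # keystream bytes, aligned to offset `start`
    shift = start % p
    return chunk[p - shift:] + chunk[:p - shift]   # rotate so key[0] sits at offset 0

def build_sample_image(zero_run=1024):
    """Constructed firmware-like plaintext: code bytes, a zero-padded gap, more code."""
    body = bytes(range(1, 256)) * 4
    return body + b"\0" * zero_run + body[::-1]

KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed 16-byte key

def demo():
    pt = build_sample_image()
    weak = xor_bytes(pt, repeating_keystream(KEY, len(pt)))
    strong = xor_bytes(pt, counter_keystream(KEY, len(pt)))
    return recover_repeating_key(weak), recover_repeating_key(strong)
```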


Re: EOS 550D / T2i / Kiss X4
« Reply #42 on: 25 / July / 2010, 15:38:58 »
Hmm.. firmware seems to start at offset $bc
Use this
http://groups.google.com/group/ml-devel/browse_thread/thread/79f08172a021fae3#
to parse the fir file...

yes, new protection on 550D updater, no more the xor scheme.

Arm.Indy

Re: EOS 550D / T2i / Kiss X4
« Reply #43 on: 25 / July / 2010, 17:17:18 »
Hello,

Is it possible to use a USB packet sniffer, to capture all the data exchanged during the updating process, and eventually catch encryption keys?
It was just an idea.......
Bad idea, update is made by SD card  :( :(

Emmanuel
« Last Edit: 26 / July / 2010, 03:15:23 by nouchi »


Re: EOS 550D / T2i / Kiss X4
« Reply #44 on: 26 / July / 2010, 07:09:29 »
> Hello,
>
> Is it possible to use a USB packet sniffer, to capture all the data exchanged during the updating process, and eventually catch encryption keys?
> It was just an idea.......
> Bad idea, update is made by SD card  :( :(
>
> Emmanuel
the update can be made using EOS utility (via PTP) or using a FIR file stored on the SDcard. And of course, the decryption is always done inside the camera: keys never leave the camera.

if you want to learn more see this discussion:
http://chdk.setepontos.com/index.php/topic,1999.0.html

Lorenzo


Zibri
Re: EOS 550D / T2i / Kiss X4
« Reply #45 on: 01 / August / 2010, 09:26:33 »
The updater just copies the fir file to the sdcard root, then launches the built-in update routine.

I dissected all the SDK DLLs searching for undocumented things.. I found a few, but nothing relevant.


Zibri
Re: EOS 550D / T2i / Kiss X4
« Reply #46 on: 01 / August / 2010, 09:34:19 »
Code:
(e8kr7108.fir)
 ---flasher1---
 0x000: modelId = 0x80000270, (550D/T2i, DryOS)
 0x010: version = 1.0.8
 0x020: cheksum = 0xb783b90c OK
 0x024: flasher1 header start = 0xb0
 0x028: flasher1 payload start = 0x120
 0x02c: flasher2 start = 0xffffffff
 0x030: firmware start = 0x1beb40
 0x034: 0xffffffff
 0x038: file size = 0x918b9c (9.538.460 bytes) OK
 0x03c: 0x0
 0x040: xor seed = 0x76293ff4
 0x044: 0x00000004 0x00000000 0x00000020 0x00000024
 0x054: 0x00000044 0x000000b0
 0x05c: fw start-0xb0 ???  0x1bea90
 0x060: firmware start =  0x1beb40
 0x064: firmware length = 0x75a05c
 0x068: hmac-sha1 = 029090f19224f258cfdfe4d61c4f73c0af0def7c
 0x088: hmac-sha1 = 7698c8436744945e762bcf0a96935c17e973636f
 0x09c - 0x0af: 0x0
 ---flasher1 header---
 0x0b0: flasher1 payload length = 0x1bea20 starts at 0x120
 0x0b4: flasher1 ??? = 0x1bea20
 0x0b8: 0x0
 0x0bc: xor seed = 0x87353d20
 ---flasher1 payload---
 0x120 - 0x1beb3f: (ciphered data)
 ---firmware---
 0x1beb40: (+0x000), firmware header start = 0xc
 0x1beb44: (+0x004), firmware payload start = 0x7c
 0x1beb48: (+0x008), total firmware length = 0x75a05c. starts at 0x1beb40
 ---firmware header---
 0x1beb4c: (+0x00c), firmware payload length = 0x759fe0
 0x1beb50: (+0x010), firmware ??? = 0x759fda
 0x1beb54: (+0x014), 0x0
 ---firmware payload---
 0x1bebbc (+0x07c) - 0x918b9b: (encrypted data)
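A small parser for the outer header layout shown in the dump, with cross-checks between its offset and length fields, as an added Python example; it is neither the parser linked in Reply #42 nor the tool that produced the dump. Assumed: 32-bit little-endian fields, a NUL-padded ASCII version string at 0x010, and a constructed 0xC0-byte sample header that carries the dump's values (the ciphered payloads are not reproduced).

```python
import struct

# 32-bit fields of the outer header at the offsets labelled in the dump; little-endian is assumed.
OUTER = {"model_id": 0x000, "checksum": 0x020, "flasher1_header_start": 0x024,
         "flasher1_payload_start": 0x028, "flasher2_start": 0x02C,
         "firmware_start": 0x030, "file_size": 0x038, "xor_seed": 0x040,
         "firmware_start2": 0x060, "firmware_length": 0x064}

# Values copied from the e8kr7108.fir dump, used only to build the constructed sample header.
SAMPLE = {"model_id": 0x80000270, "checksum": 0xB783B90C, "flasher1_header_start": 0xB0,
          "flasher1_payload_start": 0x120, "flasher2_start": 0xFFFFFFFF,
          "firmware_start": 0x1BEB40, "file_size": 0x918B9C, "xor_seed": 0x76293FF4,
          "firmware_start2": 0x1BEB40, "firmware_length": 0x75A05C}

def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def parse_fir(buf):
    # Outer header, then the flasher1 sub-header that 0x024 points to (0xB0 in the dump).
    hdr = {name: u32(buf, off) for name, off in OUTER.items()}
    hdr["version"] = buf[0x010:0x020].split(b"\0", 1)[0].decode("ascii")  # assumed NUL-padded ASCII
    hdr["hmac_sha1_a"] = buf[0x068:0x07C].hex()
    hdr["hmac_sha1_b"] = buf[0x088:0x09C].hex()
    f1 = hdr["flasher1_header_start"]
    hdr["flasher1_payload_length"] = u32(buf, f1)       # 0xB0 in the dump
    hdr["flasher1_xor_seed"] = u32(buf, f1 + 0xC)       # 0xBC in the dump
    return hdr

def check_layout(hdr, actual_size):
    """Cross-check offsets and lengths against each other and the real file size."""
    problems = []
    if hdr["file_size"] != actual_size:
        problems.append("file_size field does not match the real file size")
    if hdr["firmware_start"] != hdr["firmware_start2"]:
        problems.append("the two firmware-start fields disagree")
    if hdr["flasher1_payload_start"] + hdr["flasher1_payload_length"] != hdr["firmware_start"]:
        problems.append("flasher1 payload does not end where the firmware begins")
    if hdr["firmware_start"] + hdr["firmware_length"] != hdr["file_size"]:
        problems.append("firmware block does not end at the end of the file")
    return problems

def build_sample_header():
    # Constructed 0xC0-byte header carrying the dump's values; payloads are not reproduced.
    buf = bytearray(0xC0)
    for name, off in OUTER.items():
        struct.pack_into("<I", buf, off, SAMPLE[name])
    buf[0x010:0x015] = b"1.0.8"
    buf[0x068:0x07C] = bytes.fromhex("029090f19224f258cfdfe4d61c4f73c0af0def7c")
    buf[0x088:0x09C] = bytes.fromhex("7698c8436744945e762bcf0a96935c17e973636f")
    struct.pack_into("<III", buf, 0xB0, 0x1BEA20, 0x1BEA20, 0)  # payload length, ???, 0
    struct.pack_into("<I", buf, 0xBC, 0x87353D20)               # flasher1 xor seed
    return bytes(buf)
```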


Zibri
Re: EOS 550D / T2i / Kiss X4
« Reply #47 on: 01 / August / 2010, 09:40:33 »
It seems someone hacked / decrypted and re-encrypted the firmware!

Where to get more info on how to decrypt/modify it?

Re: EOS 550D / T2i / Kiss X4
« Reply #49 on: 14 / August / 2010, 06:07:51 »
New firmware update!

Download it here:

http://www.canonrumors.com/2010/07/rebel-t2i550d-firmware-1-0-8/

I updated the firmware on the Kiss 4 Japanese model, with 1.0.8..........to no avail.

Only Japanese and English in the menu :(

I'm very surprised, but there are functions in 550d/Kiss 4 (1.0.8) called "LimitLangJapan" (0xFF0978BC)
and "LimitLangOther" (0xFF097908). I strongly suspect it is to restrict available languages for models sold in Japan... which are cheaper than anywhere in the world.

Arm.Indy
