One more suggestion.
NOTE! This all is untested, because I have VxWorks camera - nowhere to test.
It looks like we can create script disk.
To create script disk - create file called script.req on SD card and write the string "for DC_scriptdisk" without quotes to it.
Then format card using camera and you should have scriptdisk prepared.
Or just write string "SCRIPT" at offset 0x1F0 in the bootsector - this is the same.
By the way - same for bootdisk.
To create bootdisk - create file called boot.req on SD card and write the string "for DC_bootdisk" without quotes to it.
Then format card using camera and you should have bootdisk prepared.
Then create script file A/autotest.m and lock the card to tell the camera to run it at startup (maybe lock is not required, I'm not sure).
It looks like this script file is plaintext and is not encoded, it just should start with zero byte.
I.e. <0> <plaintext script>
From this script you should be able to call any registered eventproc, so you can enter factory mode with SetFactoryMode and leave it using ClearFactoryMode.
In factory mode camera will load and start A/BootFAEXE.bin at startup, so we will be able to perform the dump if we will place the dumper with this name on card.
Or maybe if someone could contact service engineer on personal (non official) basis and get servicing diskboot.bin or upgrader.bin (resque loader) - this certainly will help.
The key could be bruteforced easy enough.
[--- added ---]
Failed here too
Digged more deeply and saw that BootFAEXE.bin is encoded with the same key as DiskBoot.bin
Looks like the only way to go is to make hardware ROM dump or try to contact service in unofficial basis...