How does the DSLRs' firmware check/decrypt work? - DSLR Hack development - CHDK Forum

How does the DSLRs' firmware check/decrypt work?
« on: 14 / June / 2010, 17:01:29 »
I've spent a couple of hours figuring out how the firmware update works in Canon DSLRs.
I've found a lot of stuff, SHA1, HMAC-SHA1, AES128 and of course the XOR decipher routines, but haven't got the whole picture.
I'm trying to summarize now what I've found, maybe somebody could continue the work or point me in the right direction.
I'm working with the 7D 1.1.0 firmware but I can port my stuff to other cameras' firmware if needed.


FF1543AC: CERESJOB It is a jump table, I haven't found how and where this sub is referenced.

if the job number is 29 then it jumps to

FF154E80: UpdateFileData_CERES This sub loads the firmware file, deciphers the updater(s) and decrypts the firmware payload.

After it has called FIO_OpenFile and FIO_ReadFile, it calls

DecryptoFir:
Code: (asm)
FF1C3D30:E92D4010 DecryptoFir STMFD SP!, {R4, LR} ; ===== SUB =====
FF1C3D34:E1A04000 MOV R4, R0 ; .fir start address
FF1C3D38:E5900024 LDR R0, [R0,#0x24] ; Updater1 header start
FF1C3D3C:E3500030 CMP R0, #0x30
FF1C3D40:0A000012 BEQ DecryptoFir_1
FF1C3D44:E59F1084 LDR R1, =0xAFCC ; dw_FF1C3DD0
FF1C3D48:E1A00004 MOV R0, R4
FF1C3D4C:EB043B6B BL sub_FF2D2B00
FF1C3D50:E3500000 CMP R0, #0
FF1C3D54:1A00000F BNE DecryptoFir_2
FF1C3D58:E59F1070 LDR R1, =0xAFCC ; dw_FF1C3DD0
FF1C3D5C:E1A00004 MOV R0, R4
FF1C3D60:EB043BAD BL sub_FF2D2C1C
FF1C3D64:E3500000 CMP R0, #0
FF1C3D68:1A00000A BNE DecryptoFir_2
FF1C3D6C:E1A00004 MOV R0, R4
FF1C3D70:EB043C02 BL UpdaterDecipher_caller
FF1C3D74:E3500000 CMP R0, #0
FF1C3D78:1A000006 BNE DecryptoFir_2
FF1C3D7C:E59F1050 LDR R1, =0xAFAC ; dw_FF1C3DD4
FF1C3D80:E1A00004 MOV R0, R4
FF1C3D84:EB043C85 BL FirmwareDecryptAndChecksum
FF1C3D88:E3500000 CMP R0, #0
FF1C3D8C:1A000001 BNE DecryptoFir_2
FF1C3D90:E3A00000 DecryptoFir_1 MOV R0, #0
FF1C3D94:E8BD8010 LDMFD SP!, {R4, PC}
-- ------------------------------------
FF1C3D98:E3E00000 DecryptoFir_2 MVN R0, #0 ; R0=FFFFFFFF, Error
FF1C3D9C:E8BD8010 LDMFD SP!, {R4, PC}

The two unknown subroutines (sub_FF2D2B00, sub_FF2D2C1C) do a lot of things (e.g. SHA1 hash calc).
The UpdaterDecipher_caller deciphers the updater(s) using the well-known XOR tables.

FirmwareDecryptAndChecksum:
Code: (asm)
FF2D2FA0:E92D4010 FirmwareDecryptAndChecksum STMFD SP!, {R4, LR} ; ===== SUB =====
FF2D2FA4:E1A04000 MOV R4, R0 ; .fir start address
FF2D2FA8:E5900030 LDR R0, [R0,#0x30] ; Firmware start offset
FF2D2FAC:E7B02004 LDR R2, [R0,R4]!
FF2D2FB0:E0820000 ADD R0, R2, R0 ; Firmware start address
FF2D2FB4:E594202C LDR R2, [R4,#0x2C] ; Updater2 start offset
FF2D2FB8:EBFFFF83 BL FirmwareDecrypt
FF2D2FBC:E3700001 CMN R0, #1
FF2D2FC0:08BD8010 LDMEQFD SP!, {R4, PC}
FF2D2FC4:E3A00000 MOV R0, #0
FF2D2FC8:E5840020 STR R0, [R4,#0x20] ; Clear checksum
FF2D2FCC:E594C038 LDR R12, [R4,#0x38] ; Firmware file size
FF2D2FD0:E1A00004 MOV R0, R4
FF2D2FD4:E3A02000 MOV R2, #0
FF2D2FD8:E3A01000 MOV R1, #0
FF2D2FDC:E151000C FirmwareDecryptAndChecksum_1 CMP R1, R12
FF2D2FE0:34D03001 LDRCCB R3, [R0],#1
FF2D2FE4:32811001 ADDCC R1, R1, #1
FF2D2FE8:30832002 ADDCC R2, R3, R2 ; Calc checksum
FF2D2FEC:3AFFFFFA BCC FirmwareDecryptAndChecksum_1
FF2D2FF0:E1E00002 MVN R0, R2
FF2D2FF4:E5840020 STR R0, [R4,#0x20] ; Store checksum
FF2D2FF8:E3A00000 MOV R0, #0
FF2D2FFC:E8BD8010 LDMFD SP!, {R4, PC}

The FirmwareDecrypt has a lot of things: SHA1 calcs and AES decrypt, but I can't follow that many subroutine calls.
I feel I'm close to it... I wrote a disassembler/debugger to work with the ARM binary (see here) but it's not yet perfect (meaning I think it doesn't do what it should do).

Some important routines:
FF424CE0: AES_decrypt
FFFE00DC: HMAC-SHA1
FFFE10F4: SHA1_calculator
FF3DC280: SHA1_calc
FF37221C: XOR_decipher

For further check you can download the IDC file with these labels and comments from here.

Dmit wrote:
"Firmware payload is encrypted by AES-128 in CTR mode. No SHA-256 is involved, only SHA-1 (which is used twice to generate a 256-bit value: 160 bits + 96 bits)"
« Last Edit: 19 / June / 2010, 14:49:21 by Pelican »

Re: How does the Canon DSLRs' firmware check/decrypt work?
« Reply #1 on: 17 / June / 2010, 05:33:27 »
Wish you can make a decrypt tool successful!

Re: How does the Canon DSLRs' firmware check/decrypt work?
« Reply #2 on: 18 / June / 2010, 14:21:26 »
look for Tyra Misoux and Dmit posts in this forum for clues on payload encryption...
yes, Dmit already got the solution in Sept 2009.

Re: How does the Canon DSLRs' firmware check/decrypt work?
« Reply #3 on: 18 / June / 2010, 19:37:48 »
yes, Dmit already got the solution in Sept 2009.
Has he shared it?
If he hasn't then that is not too much help here...  :(

I know some people have already done this job, but if nobody tells us how then we have to do the same job again.
« Last Edit: 19 / June / 2010, 10:51:15 by Pelican »


Re: How does the Canon DSLRs' firmware check/decrypt work?
« Reply #4 on: 19 / June / 2010, 08:25:09 »
Pel,

I think it is dangerous for the openness of the Canon DSLR to make this public.
The more we tell Canon we are able to do a given thing, the more they will increase the protection of the platform.
want some proof ?
1. Trammel has worked on the 5dm2, they started applying signature checking (the 2 hmac-sha1 values for updater1 and firmware) in the 7D, initial version.
2. On the 7D 1.2.0 and 1.2.1, they put an update launch counter, to avoid taking control of the camera using a modified updater (with signatures recomputed). And yes, Trammel is blocked by that, and also because handling a 2-DIGIC camera is different.
3. The 550D service firmware showed they can encrypt the updater with AES instead of the 512/513 XOR scheme,
and the payload is encrypted differently than with the 7D/1Dm4 and 500D. The FIR file format is designed from the beginning with the HMAC signatures and updater(s) AES encryption features, which can be enabled very easily...

The more we publicly show what we have understood, the more protections will be increased.
I suggest rather collaborating in a more discreet way, so that We (camera hackers) keep a step beyond the red one (that make excellent DSLRs...)

Arm.Indy
« Last Edit: 19 / June / 2010, 08:27:41 by arm.indiana »

Re: How does the Canon DSLRs' firmware check/decrypt work?
« Reply #5 on: 19 / June / 2010, 10:38:20 »
Interesting viewpoint, maybe you are right but I'm not really convinced because there is a big fact which proves the opposite:
The 2.0.7 fw of the 5DMkII came out without any of these restrictions.
It would be very easy to block the whole ML thing but they don't bother to do it.
What do you think about it?
Why don't they protect the 5D2 but protect the 550D so strongly?
It makes no sense at all...

Another thing: I've tried to contact all of the hackers to get info in a more discreet way but they've ignored my questions (nobody answered my emails and messages except you, you are the only one who talks to me, sometimes). :(

I've wasted a lot of time to do the whole encrypting/decrypting stuff from zero (and not finished yet) instead of developing useful functions...
« Last Edit: 19 / June / 2010, 11:54:25 by Pelican »

Re: How does the DSLRs' firmware check/decrypt work?
« Reply #6 on: 19 / June / 2010, 15:09:32 »
Their efforts seem to be proportional to the margin on the camera, which makes sense.  If we could modify the 550d then the gap between it and the 7d would become much less.  Other hardware hacking projects have gone private for this reason e.g. XBox.

Perhaps an invitation only forum is the way forward?  Email isn't the best as you either spam everybody or leave people out.

Re: How does the DSLRs' firmware check/decrypt work?
« Reply #7 on: 19 / June / 2010, 18:31:04 »
Their efforts seem to be proportional to the margin on the camera, which makes sense.  If we could modify the 550d then the gap between it and the 7d would become much less.  Other hardware hacking projects have gone private for this reason e.g. XBox.
you're perfectly right SleeperService... they are OK with the 5dm2 price, but not cheaper ones...
I must add that for the 550D, we have only the -service- firmware (which should contain a bonus), not the usual one...

I currently work with other people ... with whom there is a mutual trust relationship

Arm.Indy
« Last Edit: 19 / June / 2010, 18:34:42 by arm.indiana »


Re: How does the DSLRs' firmware check/decrypt work?
« Reply #8 on: 04 / July / 2010, 06:51:06 »
...
I must add that for the 550D, we have only the -service- firmware (which should contain a bonus), not the usual one...

I currently work with other people ... with whom there is a mutual trust relationship

Arm.Indy

So you are working currently for the 550D? I'd love to see progress there.
