Decrypting Canon Camcorder Firmware Updates
Today, if you are an amateur who wants to record high quality videos on a budget, you can get a nice DSLR for less than 1000€ which comes with every feature you’ll ever need. If not, you can easily extend the functionality with software add-ons like Magic Lantern. Back in 2008, when I owned a Canon HF10 camcorder (one of the first to record Full-HD AVCHD video to an SD card), this wasn’t the case. It had a reasonable performance for its price, but sooner than later I was missing important video features like zebra patterns and manual gain. I was wondering whether these features could be unlocked with hacks, and the first step was decrypting the firmware.
The internet offers workarounds for missing functionality, but they are usually a pain, especially when you know that it’s software functionality that exists in the firmware and only got disabled on the cheap consumer model, while being enabled on the expensive model sold as the professional counterpart. I started looking around for possible hacks to enable such functions, and discovered a nice software add-on for Canon PowerShot still cameras called CHDK. The documentation of this project says that the most important thing to start working on such a firmware hack is a dump of the camera firmware or a firmware update file released by the manufacturer.
Decryption Successful
So when Canon released a firmware update for my HF10 camcorder, I opened a thread (nickname Wiesel) on the CHDK forum about this endeavor and started to analyze the file. I soon discovered how the file was encrypted and was able to reconstruct the key calculation algorithm, based on the 300D decryption keys released elsewhere, which lead to a decryption/encryption tool for HF10 and HV30 update files. This motivated others to jump in on the effort and contribute a lot of additional knowledge on the hardware, memory layout and disassembled program code. It all culminated in a hack for the HV20 and HV30 by the awesome jollyrogerxp, who documented his long journey into the depths of the camcorders on the HV20 forum (now HDDV forum). A HF10 hack never came to life (I was missing the required time and knowledge), but it was an exciting little excursion into the world of cryptography.
6 Years Later
Just recently I stumbled upon a firmware update of a newer camera model and wondered if Canon has changed the encryption scheme in the meantime - and found out they didn’t. Even better, I also found out where the only decryption parameter that changes from model to model comes from. It took me a few days of work, but I extended the firmware decryption tool to support every model that I could find a firmware update for, and most probably also every other model available until this day. I took this occasion to publish the firmware decrypter/encrypter and other tools that I have written related to the firmware files in a GitHub repository.