-
I've started taking a look at the firmware of the Leica Q camera.
After you XOR everything with FF, you end up with something that is like the firmware of Panasonic cameras (UPD format):
UPD is the magic, CAYMN I assume is the codename of the camera, 0316 is the version of the firmware, 0200 the size of the first header, 0312E200 the size of the file without the first header, B5435A78 the checksum.
The firmware contains 22 sections:
- loader1
- loader2
- loader3
- program
- storage
- postboot1
- postboot2
- postboot3
- postboot4
- postboot5
- dram_sleep
- eep_ow_a
- eep_ow_b
- eep_adjfix
- history
- music
- osdover
- osddata
- koutei_kao
- eep_net_a
- eep_net_b
- welcom_fs
18 of which are encrypted. I haven't been able yet to figure out what encryption they use and how to decrypt them, hence this post.
There's an index section right after the second UPD header:
I have figured out that:- the first 12 bytes are the name of the section
- the next 4 bytes are the offset in the file
- the next 4 bytes are the size (I deduce there is no compression because the size corresponds to the size in this file)
- the next 4 bytes are the offset in memory
- the next 4 bytes are 02 if the section is not encrypted, 03 if encrypted
- the next 32 bytes are the SHA-256 checksum of the unencrypted section (the reason I came to this conclusion is that, since there are some sections that are unencrypted, I can see that their SHA-256 is equal to this)
- the next 16 bytes are some key (or initial vector) to decrypt the section (sections that are not encrypted have 0s)
- the last 16 bytes are 0s
By just applying AES-128 ECB decryption with the 16 bytes that are a key, I don't get to decrypt the sections.
I have also noticed that right before this UPD header there is a section starting with "leica" that contains 64 bytes that I cannot relate to any checksums:
so maybe the encryption method combines those with the 16 bytes of each section in the index.Has any of you encountered anything similar in the firmware of other cameras? Any hints about how to proceed in order to decrypt the 18 encrypted sections?
Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Categories
- Topics List23,965
- Blog5,723
- General and News1,343
- Hacks and Patches1,151
- ↳ Top Settings33
- ↳ Beginners254
- ↳ Archives402
- ↳ Hacks News and Development56
- Cameras2,361
- ↳ Panasonic990
- ↳ Canon118
- ↳ Sony154
- ↳ Nikon96
- ↳ Pentax and Samsung70
- ↳ Olympus and Fujifilm99
- ↳ Compacts and Camcorders299
- ↳ Smartphones for video97
- ↳ Pro Video Cameras191
- ↳ BlackMagic and other raw cameras121
- Skill1,961
- ↳ Business and distribution66
- ↳ Preparation, scripts and legal38
- ↳ Art149
- ↳ Import, Convert, Exporting291
- ↳ Editors191
- ↳ Effects and stunts115
- ↳ Color grading197
- ↳ Sound and Music280
- ↳ Lighting96
- ↳ Software and storage tips267
- Gear5,414
- ↳ Filters, Adapters, Matte boxes344
- ↳ Lenses1,579
- ↳ Follow focus and gears93
- ↳ Sound498
- ↳ Lighting gear314
- ↳ Camera movement230
- ↳ Gimbals and copters302
- ↳ Rigs and related stuff272
- ↳ Power solutions83
- ↳ Monitors and viewfinders339
- ↳ Tripods and fluid heads139
- ↳ Storage286
- ↳ Computers and studio gear560
- ↳ VR and 3D248
- Showcase1,859
- Marketplace2,834
- Offtopic1,319
