laurent clevy

I have been doing reverse engineering as a personal activity for years (https://github.com/lclevy/Uvk, https://connect.ed-diamond.com/MISC/mischs-006/mecanisme-de-controle-d-authenticite-des-photographies-numeriques-dans-les-reflexes-canon) and have recently started applying this passion as a full-time job. Before that I was a Digital Forensic analyst, and I was working in computer security long before it was called Cyber :-)


Session

10-22
15:15
30min
Digic8 Oracle
laurent clevy

Digic8 Oracle

Decrypting camera updates without knowing either the key or the algorithms (at first)

For years, Canon camera firmware has been enhanced by hackers, via the [CHDK] project for Powershot models and [MagicLantern] for DSLR/mirrorless ones, applied for example to DIY drone photography [DRONES].
Since 2011, the Magic Lantern team has been able to execute code by enabling a hidden Canon payload loaded from the SD card: autoexec.bin. Enabling this feature requires forging valid signatures for camera updates, which required the team to fully understand the cryptography of these .FIR files. But since the EOS R camera launch in 2018, FIR cryptography has changed, and no one has publicly explored this new FIR version.

We will introduce the technical context as well as FIR file format version 4 (before 2018). Then we will use:
1 - the fact that some recent Canon cameras (R, RP, R6) allow dumping their firmware via an embedded basic interpreter, and
2 - Unicorn emulation to easily decrypt camera update files of the same hardware (Digic) generation, because a single key is used across that generation.

As a first step, emulation will give access to FIR content (the updated camera firmware code) without the need to understand either the underlying cryptographic algorithms or the keys: the dumped code will be used "as an oracle" by the emulation. Then we will describe how decryption key generation works for Digic 8, and finally the asymmetric signature scheme and how to verify the signatures for both Digic 8 and Digic 10 cameras.

Two Python tools will be released: d8_oracle.py to decrypt Digic 8 updates via emulation of dumped firmware, and d810_verif.py to verify FIR digital signatures, based on the secp256r1 curve.
d8_oracle.py requires you to first dump a firmware yourself via CBasic, or to obtain such a camera dump from the Magic Lantern community, for example.

Neither decryption keys nor firmware dumps will be released with this talk.

Laurent Clévy reversed Canon's picture authentication scheme (Original Data Decision in Canon terms) years ago and wrote a Python tool to recompute its signatures [ODD]. He also rediscovered the pre-2018 FIR cryptography and described it at BeeRump 2022 [BeeRump].

EOS, Digic and Powershot are Canon trademarks.

References:
* CHDK
* MagicLantern
* DRONES
* ODD
* BeeRump

topic: hack.lu
Europe