Digic8 Oracle
2025-10-22 , Europe


Decrypting camera updates without knowing either the key or the algorithms (at first)

For years, Canon camera firmware has been enhanced by hackers, via the [CHDK] project for PowerShot models and [MagicLantern] for DSLR/mirrorless ones, applied for example to DIY drone photography [DRONES].
Since 2011, the Magic Lantern team has been able to execute code by enabling a hidden Canon payload loaded from the SD card: autoexec.bin. Enabling this feature requires forging valid signatures for camera updates, which required the team to fully understand the cryptography of these .FIR files. But since the EOS R camera launch in 2018, FIR cryptography has changed and no one has publicly explored this new FIR version.

We will introduce the technical context as well as FIR file format version 4 (before 2018); then we will use:
1 - the fact that some recent Canon cameras (R, RP, R6) allow dumping their firmware via an embedded Basic interpreter, and
2 - Unicorn emulation to easily decrypt camera update files of the same hardware (Digic) generation, because a single shared key is used.

As a first step, emulation will give access to FIR content (the updated camera firmware code) without the need to understand either the underlying cryptographic algorithms or the keys: the dumped code will be used "as an oracle" by the emulator. Then we will describe how decryption key generation works for Digic 8, and finally the asymmetric signature scheme and how to verify signatures for both Digic 8 and Digic 10 cameras.

Two Python tools will be released: d8_oracle.py, to decrypt Digic 8 updates via emulation of dumped firmware, and d810_verif.py, to verify FIR digital signatures based on the secp256r1 curve.
d8_oracle.py requires you to first dump a firmware yourself via CBasic, or to obtain such a camera dump from the Magic Lantern community, for example.

Neither decryption keys nor firmware dumps will be released with this talk.

Laurent Clévy already reversed Canon's picture authentication scheme (Original Data Decision in Canon terms) years ago, and released a Python tool to recompute its signatures [ODD]. He also rediscovered the pre-2018 FIR cryptography and described it at BeeRump 2022 [BeeRump].

EOS, Digic and Powershot are Canon trademarks.

References:
* CHDK
* MagicLantern
* DRONES
* ODD
* BeeRump


The presentation will introduce the technical context: what kind of computing platform a recent DSLR/mirrorless camera is, with several computing units (ARM, Xtensa...) and operating systems (real-time or not).

Then previous hacking activities on this platform will be described, as well as recent work by the Magic Lantern team on the EOS R. The next step will describe how a camera update is done, using the FIR file format: 1 - verifying digital signatures, 2 - decrypting a mini OS version and rebooting on it, then 3 - applying the software updates: writing them to Flash ROM and rebooting into the main software.

We will explain for the first time how the FIR format provides confidentiality (AES encryption) and content authentication (based on digital signatures). Before 2018, the signature scheme was based on HMAC-SHA1 with complex key generation. Because the key material was inside the firmware and Magic Lantern reversed the whole mechanism, they were able to forge valid FIR signatures and later launch their payload 'autoexec.bin' in memory. But this changed in 2018 with the release of the EOS R model. Do not be afraid, only high-level cryptography concepts will be used.

It should be recalled that dumping the firmware using a hidden Basic interpreter is possible on the EOS R and RP (Digic 8 hardware generation), and on the EOS R5 / R6 cameras (Digic 10 hardware). This was discovered years ago on PowerShot models.

The original approach of this talk is to use a dump of the EOS R to decrypt, first, its own FIR updates, without doing deep reverse engineering. We use a trick, because it is more elegant: emulating the cryptographic functions embedded in the obtained firmware dump, as an oracle, almost as a black box.

And because the same decryption key is used for all Digic 8 cameras, our trick will also work for other Digic 8 models. Our Python tool based on Unicorn emulation will then be enhanced to also decrypt firmware update records. This gives access to the content of all Digic 8 camera updates, to port Magic Lantern or other hacking projects to cameras you do not own yourself. The emulation-based Python decryption tool d8_oracle.py will be released before the talk.

Neither firmware dumps nor decryption keys will be released along with this presentation; you will need to obtain a dump by yourself, which is easy, and we will explain how.

Because we are not so lazy and you are hopefully curious, the decryption and signature algorithms will be explained, and you will be able to verify ECDSA signatures of Digic 8 and Digic 10 camera updates (FIR files) yourself with a dedicated Python tool: d810_verify.py. The evolution and improvements of the FIR features will also be compared.

Now that we can emulate this ECDSA implementation, we can easily study it. Unless there is a serious flaw, since it is an asymmetric signature algorithm, it will not be possible to forge valid signatures for recent FIR updates without the private key, which makes native code execution on recent cameras a problem, unlike before 2018.
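A worked illustration of the verification step just described, added here as an example (it is neither the talk's d810_verif.py nor Canon's code): a pure-Python ECDSA check over secp256r1 run on a constructed FIR-like blob. It assumes SHA-256 over the signed region and a raw (r, s) signature, both assumptions since this page does not give the FIR layout.

```python
# Added example, not the talk's d810_verif.py: textbook ECDSA verification over
# secp256r1 (NIST P-256) in pure Python, run on a constructed FIR-like blob.
# Assumptions not stated on this page: SHA-256 over the signed region, and the
# signature carried as two 256-bit big-endian integers (r, s).
import hashlib

# secp256r1 domain parameters: prime p, a = -3, b, base point G, order n
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def point_add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def hash_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):  # fixture only: the vendor keeps this key, the camera never has it
    z = hash_int(data)
    # deterministic nonce for reproducibility (a simplification, not RFC 6979)
    k = hash_int(priv.to_bytes(32, "big") + z.to_bytes(32, "big")) % (N - 1) + 1
    r = scalar_mult(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * priv) % N

def verify(pub, data, sig):  # what an updater does with the embedded public key
    r, s = sig
    x, y = pub
    if not (0 < r < N and 0 < s < N): return False
    if (y * y - x ** 3 - A * x - B) % P: return False  # reject off-curve key
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(hash_int(data) * w % N, G), scalar_mult(r * w % N, pub))
    return pt is not None and pt[0] % N == r

FIR_BODY = b"FIR\x04" + bytes(range(60))  # constructed stand-in for a FIR body
PRIV = 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef  # constructed
PUB = scalar_mult(PRIV, G)  # the coordinates a camera would embed for verification
```

Any one-bit change to the body, the signature or the public key makes verify() return False, which is exactly why a signed update cannot be forged without the vendor's private key.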

See also: presentation slides (draft) (932.1 KB)

I have been doing reverse engineering as a personal activity for years (https://github.com/lclevy/Uvk, https://connect.ed-diamond.com/MISC/mischs-006/mecanisme-de-controle-d-authenticite-des-photographies-numeriques-dans-les-reflexes-canon) and am recently applying this passion as a full-time job. Before that, I was a digital forensic analyst, working in computer security long before it was called Cyber :-)