Introduction

With the 5Dm2, it was "easy" to run code on the camera using a custom updater (.fir file) because no real protection was applied. Since the 7D, the .fir file is digitally signed, and with version 1.1.0 a 'max update counter' exists to block further updates (see this discussion anyway). The signature has been understood since January 2010.

With the 550D/T2i/Kiss X4, the updater part of the .fir file is no longer enciphered using the 512/513 keys XOR scheme; it is encrypted with AES, like the update payload.

In July 2010, the 550D keys were found; see the announcement and the dedicated page.

So a bootstrap "magiclantern.fir" (for 550D/1.0.8) is supplied, to be run once (using firmware update). This custom update does nothing but enable later booting from the "autoexec.bin" file.

All Magic Lantern features are in the "autoexec.bin" file, which can be recompiled.

However, you cannot build "magiclantern.fir" yourself, as non-public AES keys are required.

Development

See the main 550D page to get the source code. The source code is the best source of information.

Then use the search feature of the mailing list, which contains a LOT of information; for example, Trammel released an IDA Pro database dump for the 1.0.8 dump.

Be sure to explore the Wiki: Aj Newmann is doing amazing work documenting the important elements and functions of the firmware for 5Dm2 2.0.4; most of that information is relevant to the 550D.

As this is a reverse engineering project, you have to find the missing information by yourself. You may ask on the list, but only after you have really searched by yourself first.

I'll post a dump of my 550D/1.0.8 database as soon as I have finished the code/data separation and named most functions.

Latest IDC database

This ARM tool chain has been tested successfully on a fresh Ubuntu:

Trammel is really busy, so do not ask him unless it is REALLY required.

Remember that you can damage your camera (be careful with the FA_ (Factory) functions, for example).

Stay tuned and follow the mailing list; more information is coming.

The 550D/T2i 1.0.8 and 1.0.9 firmware start to differ at FF355F48; before that address, function addresses are equal.


Development pages

Working with Magic Lantern source:

ASM related:
