Canon EOS DSLR .FIR fomat
v1.1. September 4th, 2010 by Arm.Indy,
based on a first version by Trammell Hudson
- 550D/T2i update: the updater is now encrypted with AES like the payload, and new keys are used. The file format is the same.
The following fir file format is used by Canon It is used to update code and data of EOS DSLRs, since the 1D Mark III.
The vocabulary used in this document (I.E. updater and firmware) is as used by Canon in their code. The purpose of releasing information about this file format is to allow running your own code on your camera and nothing else.
Mainly a FIR (for firmware) file contains all needed to update the camera: code that is run (updater) on the camera to do the updates and the updates themselves (called firmware).
Previous FIR file format
- 300D, 10D (fir v1)
- 1D, 1Ds, 1D Mark II, 1Ds MarkII, 1D Mark II n (.bin)
- 20D, 20Da, 350D. (fir v2)
- 5D, 30D, 400D. (fir v3). See [400d file format], by ASalina (April 28th, 2008)
- 40D, 50D, 450D, 500D, 1000D, 5D Mark II, WFT-E2, WFT-E3 (fir v4, DigicIII & Digic IV)
- 1D Mark III, 1Ds Mark III, 7D, 1D Mark IV (fir v4, with hmac signature)
- 550D (updater encrypted with AES, same format as 40D etc.)
- Trammell Hudson (31Oct2009), firmware file update
- Dmit (24Sept2009), payload encryption
- emklap (11Mar2009), EOS 40D development discussion
- Tyra Misoux (Jan2009), Any developers interested in working on CHDK firmware for DSLRs ?
- emlkap (25Jul2008), This is how 40D (and 400D) code decrypth the flasher code 1(2) dissect_fw3_2.rar
- soldeersmurfje (20dec2007), 40D firmware decryption
- HMAC http://tools.ietf.org/html/rfc2104
- HMAC-SHA-1: http://tools.ietf.org/html/rfc2202
- SHA-1: http://tools.ietf.org/html/rfc3174
- MD5: http://tools.ietf.org/html/rfc1321
- AES: http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf
- Block Cipher modes of operation: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
FIR file format
Model Id (5D Mark II=0x8000218, 7D=0x8000250). Filled with 0.
See Camera Model IDs from Phil Harvey ExifTool website: http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/Canon.html#CanonModelID
Version (ASCII string). "1.1.0". filled with 0.
|0x20||4||File checksum (literally the sum of all the bytes)|
|0x24||4||1st updater header offset (always 0xb0)|
|0x28||4||ciphered (xor) updater offset (always 0x120)|
|0x2c||4||Offset of second updater header, only with dual Digic models.
5D has 0xffffffff, 7D has 0x001c0970. Setting this to 0xFFFFFFF or any other value causes orange box on 7D. this value is noted 'updater2'
|0x30||4||firmware header offset. this value is noted 'firmware'|
|0x34||4||Length of payload (0xFFFFFFFF == until end of file?)|
|0x38||4||Length of FIR file in bytes|
|0x40||4||sha1 seed value.|
|0x44||4||used for signature (always here, only verified by dual Digic Models, only tested on 7D)|
|0x5c||4||Flasher Header+Code length. Starts at 0xb0|
|0x64||4||firmware Header + firmware data section length. Starts from value at 0x30|
|0x68||20||flashers hmac-sha1 (hmac-sha1 is the final step)|
|0x88||20||firmware flasher hmac-sha1 (hmac-sha1 is the final step)|
|0xb0||0x70||updater1 header. Length of flasher program in bytes (orange box)|
|0xb4||4||Length of flasher program - 4|
|0xbc||4||IV for XOR decryptor. Used to compute initial offsets in 512/513 keys. (orange box)|
|0x70||0xb0-0x120 is not zero when AES encryption is used. Like payload + 0xc...|
|0x120||var||encrypted 1st updater. Soldeersmurfje discovered how to decode it and the 512/513 bytes tables in dec 2007.|
|updater2||4||second updater header (only with dual digic models). model Id|
|updater2+0x20||4||checksum. sum of bytes, but computed on cleartext version of the 2nd updater!|
|updater2+0x24||4||0xb0. relative offset, to updater header|
|updater2+0x28||4||0x120. relative offset, to ciphered updater|
|updater2+0x2c||12||12 bytes = 0xff|
|updater2+0x38||4||updater length (including header)|
|updater2+0xbc||4||XOR deciphering seed|
|updater2+0x120||var||updater2 xor ciphered|
|firmware||4||offset to decryption data = 0xc|
|firmware+4||4||offset to encrypted data = 0x7c. starts at 'firmware' offset|
|firmware+8||4||total firmware length (including header). starts at 'firmware' offset|
|firmware+0xc||4||firmware length (encrypted part). starts at 'firmware' offset|
produced using fir_tool.py
- 1D Mark IV 1.0.8