Line 82: | Line 82: | ||
| 0xb0 || 0x70 || updater1 header. Length of flasher program in bytes (orange box) |
| 0xb0 || 0x70 || updater1 header. Length of flasher program in bytes (orange box) |
||
|- |
|- |
||
− | | 0xb4 || 4 || Length of flasher program - |
+ | | 0xb4 || 4 || Length of flasher program - 4 |
|- |
|- |
||
| 0xb8 || 4 || MBZ |
| 0xb8 || 4 || MBZ |
Revision as of 17:00, 25 April 2010
Canon EOS DSLR .FIR fomat
v1.0. April 24th, 2010 by Arm.Indy,
based on a first version by Trammell Hudson
Introduction
The following fir file format is used by Canon It is used to update code and data of EOS DSLRs, since the 1D Mark III.
The vocabulary used in this document (I.E. updater and firmware) is as used by Canon in their code. The purpose of releasing information about this file format is to allow running your own code on your camera and nothing else.
Mainly a FIR (for firmware) file contains all needed to update the camera: code that is run (updater) on the camera to do the updates and the updates themselves (called firmware).
Previous FIR file format
- 300D, 10D (fir v1)
- 1D, 1Ds, 1D Mark II, 1Ds MarkII, 1D Mark II n (.bin)
- 20D, 20Da, 350D. (fir v2)
- 5D, 30D, 400D. (fir v3). See [400d file format], by ASalina (April 28th, 2008)
- 40D, 50D, 450D, 500D, 1000D, 5D Mark II, WFT-E2, WFT-E3 (fir v4, DigicIII & Digic IV)
- 1D Mark III, 1Ds Mark III, 7D (fir v4, with hmac signature)
Previous work
- Trammell Hudson (31Oct2009), firmware file update
- emklap (11Mar2009), EOS 40D development discussion
- Tyra Misoux (Jan2009), Any developers interested in working on CHDK firmware for DSLRs ?
- emlkap (25Jul2008), This is how 40D (and 400D) code decrypth the flasher code 1(2) dissect_fw3_2.rar
- soldeersmurfje (20dec2007), 40D firmware decryption
References
- HMAC http://tools.ietf.org/html/rfc2104
- HMAC-SHA-1: http://tools.ietf.org/html/rfc2202
- SHA-1: http://tools.ietf.org/html/rfc3174
- MD5: http://tools.ietf.org/html/rfc1321
- AES: http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf
- Block Cipher modes of operation: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
FIR file format
Offset | Len | Description |
---|---|---|
0x00 | 0x10 |
Model Id (5D Mark II=0x8000218, 7D=0x8000250). Filled with 0. See Camera Model IDs from Phil Harvey ExifTool website: http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/Canon.html#CanonModelID |
0x10 | 0x10 |
Version (ASCII string). "1.1.0". filled with 0. |
0x20 | 4 | File checksum (literally the sum of all the bytes) |
0x2c | 4 | 1st updater header offset (always 0xb0) |
0x28 | 4 | ciphered (xor) updater offset (always 0x120) |
0x2c | 4 | Offset of second updater header, only with dual Digic models.
5D has 0xffffffff, 7D has 0x001c0970. Setting this to 0xFFFFFFF or any other value causes orange box on 7D. this value is noted 'updater2' |
0x30 | 4 | firmware header offset. this value is noted 'firmware' |
0x34 | 4 | Length of payload (0xFFFFFFFF == until end of file?) |
0x38 | 4 | Length of FIR file in bytes |
0x3c | 4 | 0 |
0x40 | 4 | sha1 seed value. Changing it causes orange box. |
0x44 | 4 | used for signature (always here, only verified by dual Digic Models, only tested on 7D) |
0x5c | 4 | Flasher Header+Code length. Starts at 0xb0 |
0x64 | 4 | firmware Header + firmware data section length. Starts from value at 0x30 |
0x68 | 20 | 1st flasher hmac-sha1 (hmac-sha1 is the final step) |
0x88 | 20 | firmware flasher hmac-sha1 (hmac-sha1 is the final step) |
0xb0 | 0x70 | updater1 header. Length of flasher program in bytes (orange box) |
0xb4 | 4 | Length of flasher program - 4 |
0xb8 | 4 | MBZ |
0xbc | 4 | IV for XOR decryptor. Used to compute initial offsets in 512/513 keys. (orange box) |
0x120 | var | encrypted 1st updater. Soldeersmurfje discovered how to decode it and the 512/513 bytes tables in dec 2007. |
updater2 | 4 | second updater header (only with dual digic models). model Id |
updater2+0x10 | 4 | version (ascii) |
updater2+0x20 | 4 | checksum. seems a sum of bytes, but did not manage to compute it, argh!!! |
updater2+0x24 | 4 | 0xb0. relative offset, to updater header |
updater2+0x28 | 4 | 0x120. relative offset, to ciphered updater |
updater2+0x38 | 4 | updater length (including header) |
updater2+0xb0 | 4 | updater length |
updater2+0xbc | 4 | XOR deciphering seed |
updater2+0x10 | var | updater2 xor ciphered |
firmware | 4 | offset to decryption data = 0xc |
firmware+4 | 4 | offset to encrypted data = 0x7c. starts at 'firmware' offset |
firmware+8 | 4 | total firmware length (including header). starts at 'firmware' offset |
firmware+0xc | 4 | firmware length (encrypted part). starts at 'firmware' offset |
firmware+0x7c | var | encrypted firmware |
Sample headers
produced using fir_tool.py
7D 1.1.0:
0000000 80000250 00000000 00000000 00000000 0000010 2e312e31 00000030 00000000 00000000 0000020 9e567c55 000000b0 00000120 001c0990 0000030 0022e220 ffffffff 00c41dac 00000000 0000040 df820045 00000004 00000000 00000020 0000050 00000024 00000044 000000b0 0022e170 0000060 0022e220 00a13b8c cb8fa657 9c2d78f5 0000070 e243cb66 7c27e170 587aca80 00000000 0000080 00000000 00000000 920380bb 4dc61f22 0000090 ec51474a 165c622b 2e6ab97a 00000000 00000a0 00000000 00000000 00000000 00000000 00000b0 001c0870 001c086c 00000000 4106d571 00000c0 00000000 00000000 00000000 00000000
Sample 7D header (1.0.9):
0000000 80000250 00000000 00000000 00000000 0000010 2e302e31 00000039 00000000 00000000 0000020 9e5642e5 000000b0 00000120 001c0970 0000030 0022e200 ffffffff 00c41b8c 00000000 0000040 b99b53de 00000004 00000000 00000020 0000050 00000024 00000044 000000b0 0022e150 0000060 0022e200 00a1398c 3d9250ec 89263417 0000070 e4684520 27a4132d 342246d5 00000000 0000080 00000000 00000000 116147a3 12b56111 0000090 3efd1d5c a748337f 56f9927a 00000000 00000a0 00000000 00000000 00000000 00000000 00000b0 001c0850 001c0850 00000000 6dcb1922 00000c0 00000000 00000000 00000000 00000000
Sample 5D header (1.1.0):
0000000 80000218 00000000 00000000 00000000 0000010 2e312e31 00000030 00000000 00000000 0000020 b7384f65 000000b0 00000120 ffffffff 0000030 001a0cd0 ffffffff 0092224c 00000000 0000040 9d6fd907 00000004 00000000 00000020 0000050 00000024 00000044 000000b0 001a0c20 0000060 001a0cd0 0078157c 12538b62 59432b66 0000070 de3ad22d cfe0931e ea8a2d92 00000000 0000080 00000000 00000000 6a7a4463 ff3a6731 0000090 0fefd218 adfe6ae7 6dce3526 00000000 00000a0 00000000 00000000 00000000 00000000 00000b0 001a0bb0 001a0ba4 00000000 348e2ce8 00000c0 00000000 00000000 00000000 00000000
Sample 5D header (1.0.7):
0000000 80000218 00000000 00000000 00000000 0000010 2e302e31 00000037 00000000 00000000 0000020 b7932bae 000000b0 00000120 ffffffff 0000030 001a0de0 ffffffff 009168cc 00000000 0000040 f4600670 00000004 00000000 00000020 0000050 00000024 00000044 000000b0 001a0d30 0000060 001a0de0 00775aec a3a82005 5969f763 0000070 ff0951b2 e1d8a2e5 ec8487c2 00000000 0000080 00000000 00000000 f733aad6 44ad45bd 0000090 86e85aca cad9aa2f b8c91f31 00000000 00000a0 00000000 00000000 00000000 00000000 00000b0 001a0cc0 001a0cb4 00000000 78021ac9 00000c0 00000000 00000000 00000000 00000000
|}