Leica Q firmware hacking
  • I've started taking a look at the firmware of the Leica Q camera.

    After you XOR everything with FF, you end up with something that is like the firmware of Panasonic cameras (UPD format):

    UPD is the magic, CAYMN I assume is the codename of the camera, 0316 is the version of the firmware, 0200 the size of the first header, 0312E200 the size of the file without the first header, B5435A78 the checksum.

    The firmware contains 22 sections:

    • loader1
    • loader2
    • loader3
    • program
    • storage
    • postboot1
    • postboot2
    • postboot3
    • postboot4
    • postboot5
    • dram_sleep
    • eep_ow_a
    • eep_ow_b
    • eep_adjfix
    • history
    • music
    • osdover
    • osddata
    • koutei_kao
    • eep_net_a
    • eep_net_b
    • welcom_fs

    18 of which are encrypted. I haven't been able yet to figure out what encryption they use and how to decrypt them, hence this post.

    There's an index section right after the second UPD header. I have figured out that:

    • the first 12 bytes are the name of the section
    • the next 4 bytes are the offset in the file
    • the next 4 bytes are the size (I deduce there is no compression because the size corresponds to the size in this file)
    • the next 4 bytes are the offset in memory
    • the next 4 bytes are 02 if the section is not encrypted, 03 if encrypted
    • the next 32 bytes are the SHA-256 checksum of the unencrypted section (the reason I came to this conclusion is that, since there are some sections that are unencrypted, I can see that their SHA-256 is equal to this)
    • the next 16 bytes are some key (or initial vector) to decrypt the section (sections that are not encrypted have 0s)
    • the last 16 bytes are 0s

    By just applying AES-128 ECB decryption with the 16 bytes that are a key, I don't get to decrypt the sections.

    I have also noticed that right before this UPD header there is a section starting with "leica" that contains 64 bytes that I cannot relate to any checksums: so maybe the encryption method combines those with the 16 bytes of each section in the index.

    Has any of you encountered anything similar in the firmware of other cameras? Any hints about how to proceed in order to decrypt the 18 encrypted sections?

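An added example (my own, not code from the thread) that parses the index layout paorin describes above and verifies the SHA-256 of the unencrypted sections. It assumes the 32-bit fields are big-endian and takes the index offset and entry count from the caller, since the post gives no rule for them; the image it parses is constructed inline.

```python
import hashlib
import struct
from collections import namedtuple

# Index entry as described in the post: 12-byte name, u32 file offset, u32 size,
# u32 load address, u32 flags (0x02 plain / 0x03 encrypted), 32-byte SHA-256 of
# the unencrypted section, 16-byte key-or-IV, 16 zero bytes.  Big-endian u32s
# are an assumption; change '>' to '<' if a real image disagrees.
ENTRY_FMT = ">12sIIII32s16s16s"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 92
SectionEntry = namedtuple("SectionEntry",
                          "name file_offset size load_addr flags sha256 key_or_iv")

def unxor(raw):
    return bytes(b ^ 0xFF for b in raw)  # undo the whole-file XOR with 0xFF

def is_encrypted(e):
    return e.flags == 0x03

def parse_index(image, index_off, count):
    # index_off and count come from the caller; the post gives no rule for them.
    entries = []
    for i in range(count):
        name, foff, size, addr, flags, digest, key, _pad = struct.unpack_from(
            ENTRY_FMT, image, index_off + i * ENTRY_SIZE)
        entries.append(SectionEntry(name.rstrip(b"\0").decode("ascii"),
                                    foff, size, addr, flags, digest, key))
    return entries

def check_section(image, e):
    # True/False for plain sections; None for encrypted ones, whose digest
    # covers plaintext the image does not contain.
    if is_encrypted(e):
        return None
    return hashlib.sha256(image[e.file_offset:e.file_offset + e.size]).digest() == e.sha256

def build_sample():
    # Constructed image: 16-byte stub header, two index entries, two payloads,
    # XORed with 0xFF at the end so it looks like the on-disk file.
    plain, enc = b"loader1 plain payload", bytes(range(32))
    data_off = 16 + 2 * ENTRY_SIZE
    e1 = struct.pack(ENTRY_FMT, b"loader1", data_off, len(plain), 0x40000000, 2,
                     hashlib.sha256(plain).digest(), bytes(16), bytes(16))
    e2 = struct.pack(ENTRY_FMT, b"program", data_off + len(plain), len(enc), 0x40100000,
                     3, hashlib.sha256(b"unknown plaintext").digest(), bytes(range(16)), bytes(16))
    return unxor(b"UPD\0" + bytes(12) + e1 + e2 + plain + enc)
```

Running `parse_index(unxor(build_sample()), 16, 2)` and `check_section` on each entry reports the plain section as verified and the encrypted one as unverifiable, which is exactly the situation the post describes for the 18 encrypted sections.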
  • Hi @paorin, thanks for the findings! It's a reply after 6 years :) I'm recently exploring my Q3 firmware and it has the same structure. I believe this format is also widely used in Panasonic Lumix cameras. For Q3 firmware, there are 56 sections defined, while some of them are 0 sized.

    The key problem here is encryption. All encrypted sections have 16 bytes of data which might be an IV or some key. If they are IVs, then the key must be hard coded in the firmware or in the hardware directly. It's difficult to fetch them unless we can have a clean firmware dump.

    • boot
    • loader1
    • loader2
    • loader3
    • storage
    • program
    • postboot1_r
    • postboot2_r
    • postboot3_r
    • postboot4_r
    • postboot5_r
    • postboot1_r
    • postboot3_r
    • postboot5_r
    • eep_ow_a
    • eep_ow_b
    • eep_adj
    • eep_fix
    • eep_act_a
    • eep_act_b
    • eep_exp_a
    • eep_exp_b
    • history
    • lens_hist
    • music
    • osdover
    • osddata
    • wifi_info
    • menu_save
    • kizu_data
    • vkizu_data
    • usbcharge
    • hm_c_prog
    • hm_d_prog
    • hm_c_ddr
    • hm_d_ddr
    • hm_d_nw
    • hm_d_nw_sng
    • hr_c_prog
    • hr_d_prog
    • hr_c_ddr
    • pzm_data
    • lns_micon
    • lns_micon_e
    • xtk
    • lut_data
    • dsp_kizu_c
    • dsp_kizu_d
    • bt_info
    • lpc_data
    • lpc_code
    • raw_kizu_c
    • raw_kizu_d
    • ext_ver
    • welcom_fs
    • mbr_dummy_d

  • Ouch, complex.

    Wish you luck.

    All modern cameras use encryption by key that is stored inside encrypted firmware. :-)

    This is why the Canon hacking project was very shady back in time (in some moments), as a few keys appeared out of nowhere (from Canon help, I suppose).