Personal View site logo
Make sure to join PV Telegram channel! Perfect to keep up with community on your smartphone.
Leica Q firmware hacking
  • I've started taking a look at the firmware of the Leica Q camera.

    After you XOR everything with FF, you end up with something that is like the firmware of Panasonic cameras (UPD format):

    UPD is the magic, CAYMN I assume is the codename of the camera, 0316 is the version of the firmware, 0200 the size of the first header, 0312E200 the size of the file without the first header, B5435A78 the checksum.

    The firmware contains 22 sections:

    • loader1
    • loader2
    • loader3
    • program
    • storage
    • postboot1
    • postboot2
    • postboot3
    • postboot4
    • postboot5
    • dram_sleep
    • eep_ow_a
    • eep_ow_b
    • eep_adjfix
    • history
    • music
    • osdover
    • osddata
    • koutei_kao
    • eep_net_a
    • eep_net_b
    • welcom_fs

    18 of which are encrypted. I haven't been able yet to figure out what encryption they use and how to decrypt them, hence this post.

    There's an index section right after the second UPD header: I have figured out that:

    • the first 12 bytes are the name of the section
    • the next 4 bytes are the offset in the file
    • the next 4 bytes are the size (I deduce there is no compression because the size corresponds to the size in this file)
    • the next 4 bytes are the offset in memory
    • the next 4 bytes are 02 if the section is not encrypted, 03 if encrypted
    • the next 32 bytes are the SHA-256 checksum of the unencrypted section (the reason I came to this conclusion is that, since there are some sections that are unencrypted, I can see that their SHA-256 is equal to this)
    • the next 16 bytes are some key (or initial vector) to decrypt the section (sections that are not encrypted have 0s)
    • the last 16 bytes are 0s

    By just applying AES-128 ECB decryption with the 16 bytes that are a key, I don't get to decrypt the sections.

    I have also noticed that right before this UPD header there is a section starting with "leica" that contains 64 bytes that I cannot relate to any checksums: so maybe the encryption method combines those with the 16 bytes of each section in the index.

    Has any of you encountered anything similar in the firmware of other cameras? Any hints about how to proceed in order to decrypt the 18 encrypted sections?