[6D] crypto and networking

Started by Maqs, March 18, 2014, 02:20:00 PM


Maqs

Hello,

I've just created a wiki page for some reverse engineering done for the Canon EOS 6D at http://magiclantern.wikia.com/wiki/6D.

It contains some stuff I found out about a few months ago:

1. Networking

The same functions may or may not exist on the EOS 70D, which also has built-in WiFi, and perhaps future cameras, but I think it's likely.

There's also IPv6 support, FTP functionality, DHCP, PTP over IP, ... and TLS hidden in the firmware.

2. Crypto

HMAC-SHA1, together with the networking functionality, could be used to implement OAuth and write a flickr/dropbox/... uploader.

Contributions are welcome!

Best,
Marcus

Marsu42

Quote from: Maqs on March 18, 2014, 02:20:00 PM
I've just created a wiki page for some reverse engineering done for the Canon EOS 6D

Great news you're on it, esp. since alex cannot help! The most interesting thing of course would be to get an api to interface a remote iOS/Android/Win app with ML functions and live view.

Maqs

Quote from: Marsu42 on March 18, 2014, 03:06:35 PM
The most interesting thing of course would be to get an api to interface a remote iOS/Android/Win app with ML functions and live view.

An API for that purpose is already present in the firmware itself: PTP/IP.  :)

(New) wiki page: http://magiclantern.wikia.com/wiki/PTPIP.

The GPhoto devs have already re'ed PTP/IP (http://www.gphoto.org/doc/ptpip.php). As this is just another way of accessing the PTP functionality also available via USB, the ML PTP extensions should work with it as well.

Interfacing PTP/IP works like this:

  • Connect to camera port 15740/TCP (control/data connection)
  • Send Init_Command_Request:

    • 4-byte length (little endian): 8 /* length of header */ + 16 /* length of GUID */ + len(name including "\0\0")
    • 4-byte type (little endian): 0x01 Init_Command_Request
    • 16-byte GUID (looks like "85f16f7f-ea45-32")
    • WCHAR (two-byte characters) for name, last character is NULL
  • Read reply to Init_Command_Request (Init_Command_Ack, see GPhoto page)
  • Connect to camera port 15740/TCP (event connection)
  • Send Init_Event_Request on event connection

    • 4-byte length (little endian): 12
    • 4-byte type (little endian): 0x03 Init_Event_Request
    • 4-byte session ID: taken from Init_Command_Ack reply
  • Read Init_Event_Ack on event connection
  • Use control connection to send normal PTP commands encapsulated as described in Cmd_Request and read their response (Cmd_Response)
  • ...

The event connection can somehow be used to retrieve events, but the events need to be enabled and I don't know how to do that. However, 0x9116 (PTP Get Events) may be used as well.

There may be some kind of negotiation first (authentication?). For testing purposes, I just reused the GUID and device name from the connection I captured. It does not take more than a network sniffer (e.g. Wireshark) to spy on the communication between the camera and Canon software, so this is less complicated than reverse engineering the internals of the camera. Maybe somebody with basic knowledge about a programming/scripting language with networking capabilities can give it a try. I used Perl for my experiments and could provide some basic PTP/IP module to any volunteers. It would be nice to have the whole process documented in the wiki. :)

Best,
Marcus

PS: Does anybody happen to know if those WFT transmitters implement PTP/IP, too?

Edit: wiki page
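
The framing steps listed in the post above, as an added Python example (not part of the original thread and not Maqs's Perl module): it builds the two init packets from the field layout given in the post and splits a captured byte stream, such as one exported from Wireshark, back into packets. The GUID and device name are constructed sample values, and the position of the session ID in Init_Command_Ack (first 4 bytes after the header) is an assumption based on the GPhoto description.

```python
import struct

# Type codes 0x01 and 0x03 come from the post; 0x02 (Init_Command_Ack) is the
# PTP/IP numbering.
INIT_COMMAND_REQUEST, INIT_COMMAND_ACK, INIT_EVENT_REQUEST = 0x01, 0x02, 0x03
HEADER = struct.Struct("<II")  # 4-byte length + 4-byte type, both little endian


def build_init_command_request(guid: bytes, name: str) -> bytes:
    # length = 8 (header) + 16 (GUID) + len(name including the two NUL bytes)
    if len(guid) != 16:
        raise ValueError("GUID must be exactly 16 bytes")
    wname = name.encode("utf-16-le") + b"\x00\x00"  # WCHAR string, NUL-terminated
    length = HEADER.size + len(guid) + len(wname)
    return HEADER.pack(length, INIT_COMMAND_REQUEST) + guid + wname


def build_init_event_request(session_id: int) -> bytes:
    # Fixed 12-byte packet: length, type, session ID from Init_Command_Ack
    return struct.pack("<III", 12, INIT_EVENT_REQUEST, session_id)


def split_frames(stream: bytes):
    """Split a reassembled TCP byte stream into (type, payload) tuples."""
    frames, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < HEADER.size:
            raise ValueError("truncated header at offset %d" % pos)
        length, ptype = HEADER.unpack_from(stream, pos)
        if length < HEADER.size or pos + length > len(stream):
            raise ValueError("bad length %d at offset %d" % (length, pos))
        frames.append((ptype, stream[pos + HEADER.size:pos + length]))
        pos += length
    return frames


def session_id_from_ack(payload: bytes) -> int:
    # Assumption: the session ID is the first 4 payload bytes of the ack.
    if len(payload) < 4:
        raise ValueError("Init_Command_Ack payload too short")
    return struct.unpack_from("<I", payload)[0]


if __name__ == "__main__":
    guid = b"0123456789abcdef"  # constructed sample GUID, 16 bytes
    print(build_init_command_request(guid, "example-host").hex())
    print(build_init_event_request(1).hex())
```
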

nikfreak

Quote from: Maqs on March 18, 2014, 04:36:17 PM
I used Perl for my experiments and could provide some basic PTP/IP module to any volunteers. It would be nice to have the whole process documented in the wiki. :)

Stumbled upon this hack to establish the wifi connection:
https://github.com/perlfu/6dpy

Based upon the "Paparazzi over IP" hack (scroll down to the end of the PDF starting with EOS utility mode)
70D.112 & 100D.101