All firmware files for K20D and GX20 are encrypted


Below you'll find information about used encryption.

As you know Canon 5D Mark II hacking is based on firmware dump.

But we managed to decrypt firmware and also discovered how to dump any firmware.



Some known information about encryption


Used encryption is not  very advanced, not DES or AES :-)

Based on statistical analysis I found that it uses dynamic 256 byte key and  XOR operations.

Encrypted part starts at 0x100.


All firmware files also have second part, also encrypted (for GX20 firmware it is located at 0x800000).

Decryption of this part is similar to first part, and is already successfully performed by decryptor.



Encrypted file (GX20 firmware v1.01):



Decrypted firmware file :



Goto Download section to download command-line decryption program.




Other methods to obtain unencrypted firmware


1) In End User page look at [OPEN_DEBUG_MENU] menu.

2) Use Camera_Control_V2.dll as it have necessary commands in export section and works with K20D, GX20.


Tools you can use to research this topic


Free programming languages compiler.

Any freeware hex viewer.






(c) 2009 Pentax Hacking Community