I started working on this tag at the beginning of 2010, but was not able to identify a salt value used. But in November, Dmitry Sklyarov explained most of the algorithms at Confidence 2.0 in Prague (Forging Canon Original Decision Data), see the related press release, Canon Original Data Security System Vulnerability, and gave me the missing piece of the puzzle. We'll see that slide 23 of his presentation contains an error.
Canon removed this feature starting in 2011 with the 600D/T3i camera. The 60D is the last one with ODD features.
The following sections explain the format of the 3 versions of the ODD tag. A tool is also provided to recompute / check it if you own the right key: odd_verif.py.
The ODD tag is located at the end of the file.
FF FF FF FF 00 00 00 01 A1 AB 6B 35 C1 60 0C 3E E7 C5 39 7F 9B 03 DD 3A 07 A5 EF 80 00 00 00 02 00 00 00 00 00 04 69 40 00 89 06 00 BF 5A F6 DD 6F 8B 29 91 00 6A AD 0D 0F A0 7B 8A 37 8A 42 05 00 00 00 01 00 00 00 00 00 02 AE 00 47 B4 61 74 C3 F8 97 A5 F8 B1 E5 13 7F 66 5F 80 8E E0 D6 05

odd_verif.py output is:
0xffffffff , version = 0x00000001
filehash=a1ab6b35c1600c3ee7c5397f9b03dd3a07a5ef80
hash_nb = 0x00000002
i=00, offset=0x00046940, length=0x00890600
hash= bf5af6dd6f8b2991006aad0d0fa07b8a378a4205
md5=bd72593242d6d168cb40aa424e110fc5
i=01, offset=0x00000000, length=0x0002ae00
hash= 47b46174c3f897a5f8b1e5137f665f808ee0d605
md5=d1dea7d4c53ce37513ddd7c3b14395d2

File format is:
values are stored in big endian order (Motorola)

Offset  Size      Value or comments
-----------------------------------------
00/00   1 long    0xffffffff
04/04   1 long    tag version
08/08   20 bytes  file hash (HMAC-SHA1 ?)
28/1c   1 long    sub region numbers (always 2)

region record is:
00/00   1 long    region number, starting 0
04/04   1 long    region offset
08/08   1 long    region size in bytes
12/0c   20 bytes  region hash

The tag data must not be part of the file hash. The algorithm is unknown. It is certainly a per-model key.
Again, at the end of a 20D file:
FF FF FF FF 02 00 00 00 80 3F 02 5B 99 F6 51 11 CC 76 F6 FE C5 18 0B C8 8F E0 A3 42 04 00 00 00 00 00 00 00 CA 34 09 00 EC 91 65 00 F2 98 0E CD FB 70 6D AD 20 E0 4C B2 16 20 37 4C 06 1F 23 25 01 00 00 00 00 00 00 00 6E 00 00 00 49 25 70 4C A3 6C CD EF 55 A6 F7 AC 3C 10 38 CA 5F F9 1A DA 02 00 00 00 72 00 00 00 08 03 00 00 DE 69 A0 D4 B6 A2 FB 99 93 75 99 CC 82 D3 0D 21 28 4B 97 5D 03 00 00 00 7E 03 00 00 4C 31 09 00 4C 42 87 24 CB F0 81 0C E5 16 46 2F A0 6A A0 A2 8B 1E 95 27

odd_verif.py gives us (with the right and non public key):
0xffffffff , version = 0x00000002
filehash=803f025b99f65111cc76f6fec5180bc88fe0a342
hash_nb = 0x00000004
i=00, offset=0x000934ca, length=0x006591ec
hash= f2980ecdfb706dad20e04cb21620374c061f2325
md5=f9dcfd0a2607b16c5f54a92b6291fdfd
hmac=f2980ecdfb706dad20e04cb21620374c061f2325
i=01, offset=0x00000000, length=0x0000006e
hash= 4925704ca36ccdef55a6f7ac3c1038ca5ff91ada
md5=095df37e994a3f746d7ccc518871c540
hmac=4925704ca36ccdef55a6f7ac3c1038ca5ff91ada
i=02, offset=0x00000072, length=0x00000308
hash= de69a0d4b6a2fb99937599cc82d30d21284b975d
md5=0465560ccf5900a84af926d82117e3e4
hmac=de69a0d4b6a2fb99937599cc82d30d21284b975d
i=03, offset=0x0000037e, length=0x0009314c
hash= 4c428724cbf0810ce516462fa06aa0a28b1e9527
md5=9af6fc2bafcd347c67cde17d8c27e532
hmac=4c428724cbf0810ce516462fa06aa0a28b1e9527
computed filehmac=803f025b99f65111cc76f6fec5180bc88fe0a342 ok

This figure explains the relation between ODDv2 region records and their location in the CR2 files.
For a 60D, here at offset 0x0D40.
FF FF FF FF 03 00 00 00 14 00 00 00 FD 86 C9 ED C4 22 E3 69 14 A6 80 36 BA 98 25 E8 40 06 4C 9B 14 00 00 00 AC 0F D2 7D 41 E0 0C BB 76 80 00 50 02 31 E8 DF C9 B6 C6 CF 28 02 00 00 04 00 00 00 08 9B 5A 74 03 00 00 00 99 1D CE 01 03 00 00 00 04 00 00 00 01 D8 0F 82 32 0E F0 68 08 00 00 00 01 00 00 00 04 00 00 00 68 81 EE 0B 14 00 00 00 63 56 90 76 B9 28 3B 0E 64 C5 A7 A7 04 2C 1F 42 87 1D 0F C9 01 00 00 00 FA 63 4E 00 9D B9 7F 01 02 00 00 00 04 00 00 00 0D FC 84 D5 14 00 00 00 02 6D B8 3C B6 18 1D 6B BB F7 7E F9 50 02 28 2B 4D 26 EF 11 09 00 00 00 00 00 00 00 6E 00 00 00 72 00 00 00 C6 05 00 00 3C 06 00 00 04 07 00 00 A0 0F 00 00 CC A4 00 00 74 B5 00 00 02 22 00 00 E8 0D 01 00 0E 00 00 00 F6 E3 33 00 02 00 00 00 F8 63 4E 00 02 00 00 00 97 1D CE 01 02 00 00 00 03 00 00 00 04 00 00 00 6B 25 26 75 14 00 00 00 23 A9 3A 3A A7 D3 A8 BB E3 75 3E CF BC 57 11 66 E1 96 BA 0E 01 00 00 00 6E 00 00 00 04 00 00 00 04 00 00 00 04 00 00 00 E3 94 36 4D 14 00 00 00 0A 24 5B DD 4C 36 69 31 CB 08 E1 6E DA 74 9E 4D DC 1E A6 A0 01 00 00 00 6C B4 00 00 08 01 00 00 05 00 00 00 04 00 00 00 FE F1 82 B5 14 00 00 00 03 A0 13 AB 30 94 75 C2 10 D2 AA 9F 0A 3D 56 41 20 9F 2E E3 01 00 00 00 38 06 00 00 04 00 00 00 06 00 00 00 04 00 00 00 F4 FB 87 0E 14 00 00 00 AA 37 4C B9 8D 24 BB AE 9E 00 4F A4 62 DE D4 29 7A 6F 5E 63 01 00 00 00 76 D7 00 00 72 36 00 00 07 00 00 00 04 00 00 00 FB A7 FE 65 14 00 00 00 95 4A 9E E5 00 9D CF E9 E8 D1 87 2D 51 4B AF 05 FB 2E 64 91 01 00 00 00 F6 0D 01 00 00 D6 32 00 08 00 00 00 04 00 00 00 51 C5 F4 51 14 00 00 00 CB D2 FE F0 FB D6 08 71 E3 1C 98 12 E2 BA 5B 71 30 8B 35 7C 01 00 00 00 F8 E3 33 00 00 80 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Format is:
Offset  Size      Value or comments
-----------------------------------------
000/00  1 long    0xffffffff
004/04  1 long    tag version
008/08  1 long    20 = length of the following hash
012/0c  20 bytes  file hmac
032/20  1 long    20 = length of the following hash
036/24  20 bytes  ODD hmac
056/38  1 long    ODD tag length
060/3c  1 long    4 (size of following value?)
064/40  1 long    random value
068/44  1 long    3
072/48  1 long    file length
076/4c  1 long    hash version (vhash)
080/50  1 long    keyid
084/54  1 long    boardid
088/58  1 long    hmac_rand (my missing value ;-)
092/5c  1 long    area number. Region is similar, but Canon is using area.

Area record format (except area#2, starting offset 0x24) is:
000/00  1 long    area number (starting 1)
004/04  1 long    4 = length of following value?
008/08  1 long    salt
012/0c  1 long    20 = length of following hash
016/10  20 bytes  area hash
036/24  1 long    1
040/28  1 long    area offset
044/2c  1 long    area size
048/30  end of record

Area #2 is subdivided into multiple sub-areas; only one hash calculation is done on the concatenation of the data of these sub-areas. The format is:
the first part is identical to other area records:
000/00  1 long    area number
004/04  1 long    4 = length of following value?
008/08  1 long    salt
012/0c  1 long    20 = length of following hash
016/10  20 bytes  area hash
then
020/14  1 long    sub-area number
for each sub-region:
00/00   1 long    area offset
04/04   1 long    area size
0xffffffff , version = 0x00000003
0x00000014 fd86c9edc422e36914a68036ba9825e840064c9b (file hmac)
0x00000014 ac0fd27d41e00cbb768000500231e8dfc9b6c6cf (ODD hmac)
tag len=0x00000228 4=0x00000004 rand=0x745a9b08 3=0x00000003
filesize=0x01ce1d99 vhash=0x00000003 keyid=0x00000004 boardid=0x820fd801 hmac_rand=0x68f00e32
n_area = 8
1 4 salt=0x0bee8168 0x14 63569076b9283b0e64c5a7a7042c1f42871d0fc9 1 0x004e63fa 0x017fb99d
sha256=f498ae4693f7518ef6bf9350f1723278ac65dceb57726200dfa03f274a501462
hmac=63569076b9283b0e64c5a7a7042c1f42871d0fc9
2 4 0xd584fc0d 0x14 026db83cb6181d6bbbf77ef95002282b4d26ef11
n_other = 9
0x00000000 0x0000006e,
0x00000072 0x000005c6,
0x0000063c 0x00000704,
0x00000fa0 0x0000a4cc,
0x0000b574 0x00002202,
0x00010de8 0x0000000e,
0x0033e3f6 0x00000002,
0x004e63f8 0x00000002,
0x01ce1d97 0x00000002,
sha256=fb1a01710223fd236dc20db2296dda063dc8900748a8b9e8f28df8e2827bb586
hmac=026db83cb6181d6bbbf77ef95002282b4d26ef11
3 4 salt=0x7526256b 0x14 23a93a3aa7d3a8bbe3753ecfbc571166e196ba0e 1 0x0000006e 0x00000004
sha256=67abdd721024f0ff4e0b3f4c2fc13bc5bad42d0b7851d456d88d203d15aaa450
hmac=23a93a3aa7d3a8bbe3753ecfbc571166e196ba0e
4 4 salt=0x4d3694e3 0x14 0a245bdd4c366931cb08e16eda749e4ddc1ea6a0 1 0x0000b46c 0x00000108
sha256=44b8aa4d28701168922acf61435ea4bb442f97b0b14ad7a2510ed68874ee2a72
hmac=0a245bdd4c366931cb08e16eda749e4ddc1ea6a0
5 4 salt=0xb582f1fe 0x14 03a013ab309475c210d2aa9f0a3d5641209f2ee3 1 0x00000638 0x00000004
sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
hmac=03a013ab309475c210d2aa9f0a3d5641209f2ee3
6 4 salt=0x0e87fbf4 0x14 aa374cb98d24bbae9e004fa462ded4297a6f5e63 1 0x0000d776 0x00003672
sha256=5e7756ad6be5f2c06555d7ce5721b15803da965bfa68dcc8f47616be8ec67456
hmac=aa374cb98d24bbae9e004fa462ded4297a6f5e63
7 4 salt=0x65fea7fb 0x14 954a9ee5009dcfe9e8d1872d514baf05fb2e6491 1 0x00010df6 0x0032d600
sha256=4cdc2e2f1d7b06aab6d8b1392d8c2d0c536cce59e42400b21628b301d5f17a1a
hmac=954a9ee5009dcfe9e8d1872d514baf05fb2e6491
8 4 salt=0x51f4c551 0x14 cbd2fef0fbd60871e31c9812e2ba5b71308b357c 1 0x0033e3f8 0x001a8000
sha256=9cc97295fc75896feb377b29637fa297a2cdce5045078cb67830de10192dba13
hmac=cbd2fef0fbd60871e31c9812e2ba5b71308b357c
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
ODD size = 0x228, offset = 0xd78
sha256=b5359104639139647ea152c648f04046795d62f3362d33dd0c5e2a8090f9d4a9
hmac=ac0fd27d41e00cbb768000500231e8dfc9b6c6cf
file hmac= fd86c9edc422e36914a68036ba9825e840064c9b ok
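The ODDv3 header and area records described above can be walked with a single loop, shown here as an added example (it is not odd_verif.py and not the author's code). It assumes, as the 60D dump shows, that the long following the 20-byte area hash is a count of offset/size pairs (1 for ordinary areas, 9 for area #2); parse_oddv3, build_sample and every sample value are constructed for illustration.

```python
import struct

# Layouts follow the page's ODDv3 tables; every "long" is little-endian.
HEADER = struct.Struct("<3I20sI20s10I")  # 0x60 bytes, last field = area count
AREA = struct.Struct("<4I20sI")          # 0x28 bytes, last field = range count

def parse_oddv3(tag: bytes) -> dict:
    """Parse an ODDv3 tag, bounds-checking each record before reading it."""
    if len(tag) < HEADER.size:
        raise ValueError("truncated header")
    (marker, version, len1, file_hmac, len2, odd_hmac, tag_len, _four, _rand,
     _three, file_len, vhash, keyid, boardid, hmac_rand,
     n_area) = HEADER.unpack_from(tag)
    if marker != 0xFFFFFFFF or version != 3 or len1 != 20 or len2 != 20:
        raise ValueError("not an ODDv3 tag")
    pos, areas = HEADER.size, []
    for _ in range(n_area):
        if pos + AREA.size > len(tag):
            raise ValueError("area record runs past the tag")
        number, _four, salt, hlen, digest, count = AREA.unpack_from(tag, pos)
        pos += AREA.size
        if hlen != 20 or pos + 8 * count > len(tag):
            raise ValueError(f"bad area record {number}")
        ranges = [struct.unpack_from("<2I", tag, pos + 8 * i) for i in range(count)]
        pos += 8 * count
        if any(off + size > file_len for off, size in ranges):
            raise ValueError(f"area {number} points outside the file")
        areas.append({"number": number, "salt": salt, "hash": digest,
                      "ranges": ranges})
    return {"file_hmac": file_hmac, "odd_hmac": odd_hmac, "tag_len": tag_len,
            "file_len": file_len, "vhash": vhash, "keyid": keyid,
            "boardid": boardid, "hmac_rand": hmac_rand, "areas": areas}

def build_sample() -> bytes:
    """Constructed two-area tag (not from a camera); hashes are filler bytes."""
    def area(number, salt, ranges):
        head = AREA.pack(number, 4, salt, 20, bytes([number]) * 20, len(ranges))
        return head + b"".join(struct.pack("<2I", *r) for r in ranges)
    body = (area(1, 0x11111111, [(0x4000, 0x1000)])
            + area(2, 0x22222222, [(0, 0x6E), (0x72, 0x5C6), (0x63C, 0x704)]))
    # Header values are constructed; tag_len is carried but not interpreted.
    return HEADER.pack(0xFFFFFFFF, 3, 20, b"\xAA" * 20, 20, b"\xBB" * 20,
                       HEADER.size + len(body), 4, 0x12345678, 3, 0x10000, 3, 4,
                       0x820FD801, 0xCAFEF00D, 2) + body

if __name__ == "__main__":
    for a in parse_oddv3(build_sample())["areas"]:
        print(a["number"], hex(a["salt"]), [(hex(o), hex(s)) for o, s in a["ranges"]])
```

The range check uses the file length stored in the tag, so a caller verifying a real file should also compare that field with the file's actual size before hashing any range.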
        version  vhash  keyid  area/region
-----------------------------------------
1D    | no ODD feature
1Ds   | ODDv1    NA     NA     2
20D   | ODDv2    per model key 4
5D    | ODDv2    NA     NA     4
1Dm3  | ODDv3    1      1      8
40D   | ODDv3    1      1      8
450D  | ODDv3    1      2      8
5Dm2  | ODDv3    2      1      8
1Dm4  | ODDv3    2      3      6
550D  | ODDv3    2      4      8
7D    | ODDv3    2      4      8
60D   | ODDv3    3      4      8
600D  | feature removed