Canon .CR2 Original Decision Data tag format

1. Introduction

Starting with the 1Ds camera, Canon introduced a mechanism to prove the authenticity of their digital pictures, called Original Decision Data (ODD). The related ODD TIFF tag (0x0083) in the Makernote provides a digital signature that can be verified using the Verification Kit from Canon.

I started working on this tag at the beginning of 2010, but was not able to identify a salt value used. But in November, Dmitry Sklyarov explained most of the algorithms at Confidence 2.0 in Prague (Forging Canon Original Decision Data), see the related press release here: Canon Original Data Security System Vulnerability, and gave me the missing piece of the puzzle. We'll see that slide 23 of his presentation contains an error.

Canon removed this feature starting in 2011 with the 600D/T3i camera. The 60D is the last one with ODD features.

The following sections explain the format of the 3 versions of the ODD tag. A tool is also provided to recompute / check it if you own the right key: odd_verif.py.

2. Tag formats

2.1 ODD version 1

This tag is used by the 1Ds camera, which uses the JPEG and TIFF file formats. It is not known whether the 1D Mark II uses version 1 or 2 of the tag. The 1D seems not to have ODD.

The ODD tag is located at the end of the file.

FF FF FF FF 00 00 00 01 A1 AB 6B 35 C1 60 0C 3E 
E7 C5 39 7F 9B 03 DD 3A 07 A5 EF 80 00 00 00 02 
00 00 00 00 00 04 69 40 00 89 06 00 BF 5A F6 DD 
6F 8B 29 91 00 6A AD 0D 0F A0 7B 8A 37 8A 42 05 
00 00 00 01 00 00 00 00 00 02 AE 00 47 B4 61 74 
C3 F8 97 A5 F8 B1 E5 13 7F 66 5F 80 8E E0 D6 05

odd_verif.py output is:

0xffffffff , version = 0x00000001
filehash=a1ab6b35c1600c3ee7c5397f9b03dd3a07a5ef80

hash_nb = 0x00000002
i=00, offset=0x00046940, length=0x00890600
hash=  bf5af6dd6f8b2991006aad0d0fa07b8a378a4205
 md5=bd72593242d6d168cb40aa424e110fc5

i=01, offset=0x00000000, length=0x0002ae00
hash=  47b46174c3f897a5f8b1e5137f665f808ee0d605
 md5=d1dea7d4c53ce37513ddd7c3b14395d2

The file format is as follows. Values are stored in big-endian order (Motorola).

Offset  Size       Value or comments   
-----------------------------------------
00/00   1 long     0xffffffff
04/04   1 long     tag version
08/08   20 bytes   file hash  (HMAC-SHA1 ?)
28/1c   1 long     number of sub-regions (always 2)

The region record is:

00/00   1 long     region number, starting 0
04/04   1 long     region offset
08/08   1 long     region size in bytes
12/0c   20 bytes   region hash

The tag data must not be part of the file hash. The algorithm is unknown. It is certainly a per-model key.

2.2 ODD version 2

The format is identical to version 1, except: this version is used up to the 30D camera (and all Digic II cameras?).

Again, at the end of a 20D file:

FF FF FF FF 02 00 00 00 80 3F 02 5B 99 F6 51 11 
CC 76 F6 FE C5 18 0B C8 8F E0 A3 42 04 00 00 00 
00 00 00 00 CA 34 09 00 EC 91 65 00 F2 98 0E CD 
FB 70 6D AD 20 E0 4C B2 16 20 37 4C 06 1F 23 25 
01 00 00 00 00 00 00 00 6E 00 00 00 49 25 70 4C 
A3 6C CD EF 55 A6 F7 AC 3C 10 38 CA 5F F9 1A DA 
02 00 00 00 72 00 00 00 08 03 00 00 DE 69 A0 D4 
B6 A2 FB 99 93 75 99 CC 82 D3 0D 21 28 4B 97 5D 
03 00 00 00 7E 03 00 00 4C 31 09 00 4C 42 87 24 
CB F0 81 0C E5 16 46 2F A0 6A A0 A2 8B 1E 95 27

odd_verif.py gives us (with the right, non-public key):

0xffffffff , version = 0x00000002
filehash=803f025b99f65111cc76f6fec5180bc88fe0a342

hash_nb = 0x00000004
i=00, offset=0x000934ca, length=0x006591ec
hash=  f2980ecdfb706dad20e04cb21620374c061f2325
 md5=f9dcfd0a2607b16c5f54a92b6291fdfd
 hmac=f2980ecdfb706dad20e04cb21620374c061f2325

i=01, offset=0x00000000, length=0x0000006e
hash=  4925704ca36ccdef55a6f7ac3c1038ca5ff91ada
 md5=095df37e994a3f746d7ccc518871c540
 hmac=4925704ca36ccdef55a6f7ac3c1038ca5ff91ada

i=02, offset=0x00000072, length=0x00000308
hash=  de69a0d4b6a2fb99937599cc82d30d21284b975d
 md5=0465560ccf5900a84af926d82117e3e4
 hmac=de69a0d4b6a2fb99937599cc82d30d21284b975d

i=03, offset=0x0000037e, length=0x0009314c
hash=  4c428724cbf0810ce516462fa06aa0a28b1e9527
 md5=9af6fc2bafcd347c67cde17d8c27e532
 hmac=4c428724cbf0810ce516462fa06aa0a28b1e9527

computed filehmac=803f025b99f65111cc76f6fec5180bc88fe0a342 ok

This figure explains the relation between ODDv2 region records and their location in the CR2 files.

[Figure: ODDv2]
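
The v1 and v2 layouts above are fixed-size, so a trailer can be decoded and its region table audited in a few lines. The following is an added example, not odd_verif.py or any other code from the original page: it parses the 1Ds dump from section 2.1 and lists the byte ranges that no region record covers. The function names are chosen for this example, and picking the byte order from the version field is an assumption based on the two dumps (the 20D bytes only decode as little-endian).

```python
import struct

# ODDv1 trailer of the 1Ds sample shown in section 2.1 (bytes from this page).
ODD_V1_1DS = bytes.fromhex("""
FF FF FF FF 00 00 00 01 A1 AB 6B 35 C1 60 0C 3E
E7 C5 39 7F 9B 03 DD 3A 07 A5 EF 80 00 00 00 02
00 00 00 00 00 04 69 40 00 89 06 00 BF 5A F6 DD
6F 8B 29 91 00 6A AD 0D 0F A0 7B 8A 37 8A 42 05
00 00 00 01 00 00 00 00 00 02 AE 00 47 B4 61 74
C3 F8 97 A5 F8 B1 E5 13 7F 66 5F 80 8E E0 D6 05
""")

def parse_odd(tag):
    """Parse an ODDv1/v2 trailer: 32-byte header, then 32-byte region records."""
    if len(tag) < 32 or tag[:4] != b"\xff\xff\xff\xff":
        raise ValueError("missing 0xffffffff marker")
    # Assumption: byte order is whichever decoding gives version 1 or 2.
    for order in (">", "<"):
        version, = struct.unpack_from(order + "I", tag, 4)
        if version in (1, 2):
            break
    else:
        raise ValueError("not an ODDv1/v2 tag")
    count, = struct.unpack_from(order + "I", tag, 28)
    if len(tag) < 32 + 32 * count:
        raise ValueError("region table is truncated")
    regions = []
    for i in range(count):
        base = 32 + 32 * i
        number, offset, size = struct.unpack_from(order + "3I", tag, base)
        regions.append({"n": number, "offset": offset, "size": size,
                        "hash": tag[base + 12:base + 32].hex()})
    return {"version": version, "file_hash": tag[8:28].hex(), "regions": regions}

def uncovered_ranges(regions):
    """Return (start, end) byte ranges that no region record covers."""
    gaps, pos = [], 0
    for r in sorted(regions, key=lambda r: r["offset"]):
        if r["offset"] > pos:
            gaps.append((pos, r["offset"]))
        pos = max(pos, r["offset"] + r["size"])
    return gaps

if __name__ == "__main__":
    tag = parse_odd(ODD_V1_1DS)
    print(tag["version"], tag["file_hash"])
    for start, end in uncovered_ranges(tag["regions"]):
        print(f"not covered by a region hash: 0x{start:x}-0x{end:x}")
```

Run on the 20D dump, the same code reports version 2 with four regions and two 4-byte ranges (0x6e-0x72 and 0x37a-0x37e) that lie outside every region record.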

2.3 ODD version 3

Used starting with the 1D Mark III camera (and all Digic III and Digic 4?), up to the 60D.

For a 60D, the tag is here at offset 0x0D40:

FF FF FF FF 03 00 00 00 14 00 00 00 FD 86 C9 ED 
C4 22 E3 69 14 A6 80 36 BA 98 25 E8 40 06 4C 9B 
14 00 00 00 AC 0F D2 7D 41 E0 0C BB 76 80 00 50 
02 31 E8 DF C9 B6 C6 CF 28 02 00 00 04 00 00 00 
08 9B 5A 74 03 00 00 00 99 1D CE 01 03 00 00 00 
04 00 00 00 01 D8 0F 82 32 0E F0 68 08 00 00 00 
01 00 00 00 04 00 00 00 68 81 EE 0B 14 00 00 00 
63 56 90 76 B9 28 3B 0E 64 C5 A7 A7 04 2C 1F 42 
87 1D 0F C9 01 00 00 00 FA 63 4E 00 9D B9 7F 01 
02 00 00 00 04 00 00 00 0D FC 84 D5 14 00 00 00 
02 6D B8 3C B6 18 1D 6B BB F7 7E F9 50 02 28 2B 
4D 26 EF 11 09 00 00 00 00 00 00 00 6E 00 00 00 
72 00 00 00 C6 05 00 00 3C 06 00 00 04 07 00 00 
A0 0F 00 00 CC A4 00 00 74 B5 00 00 02 22 00 00 
E8 0D 01 00 0E 00 00 00 F6 E3 33 00 02 00 00 00 
F8 63 4E 00 02 00 00 00 97 1D CE 01 02 00 00 00 
03 00 00 00 04 00 00 00 6B 25 26 75 14 00 00 00 
23 A9 3A 3A A7 D3 A8 BB E3 75 3E CF BC 57 11 66 
E1 96 BA 0E 01 00 00 00 6E 00 00 00 04 00 00 00 
04 00 00 00 04 00 00 00 E3 94 36 4D 14 00 00 00 
0A 24 5B DD 4C 36 69 31 CB 08 E1 6E DA 74 9E 4D 
DC 1E A6 A0 01 00 00 00 6C B4 00 00 08 01 00 00 
05 00 00 00 04 00 00 00 FE F1 82 B5 14 00 00 00 
03 A0 13 AB 30 94 75 C2 10 D2 AA 9F 0A 3D 56 41 
20 9F 2E E3 01 00 00 00 38 06 00 00 04 00 00 00 
06 00 00 00 04 00 00 00 F4 FB 87 0E 14 00 00 00 
AA 37 4C B9 8D 24 BB AE 9E 00 4F A4 62 DE D4 29 
7A 6F 5E 63 01 00 00 00 76 D7 00 00 72 36 00 00 
07 00 00 00 04 00 00 00 FB A7 FE 65 14 00 00 00 
95 4A 9E E5 00 9D CF E9 E8 D1 87 2D 51 4B AF 05 
FB 2E 64 91 01 00 00 00 F6 0D 01 00 00 D6 32 00 
08 00 00 00 04 00 00 00 51 C5 F4 51 14 00 00 00 
CB D2 FE F0 FB D6 08 71 E3 1C 98 12 E2 BA 5B 71 
30 8B 35 7C 01 00 00 00 F8 E3 33 00 00 80 1A 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00

[Figure: ODDv3]

The format is:

Offset   Size       Value or comments   
-----------------------------------------
000/00   1 long     0xffffffff
004/04   1 long     tag version
008/08   1 long     20 = length of the following hash
012/0c   20 bytes   file hmac
032/20   1 long     20 = length of the following hash
036/24   20 bytes   ODD hmac
056/38   1 long     ODD tag length
060/3c   1 long     4 (size of following value?)
064/40   1 long     random value
068/44   1 long     3 
072/48   1 long     file length
076/4c   1 long     hash version (vhash)
080/50   1 long     keyid
084/54   1 long     boardid
088/58   1 long     hmac_rand (my missing value ;-)
092/5c   1 long     number of areas (similar to regions, but Canon uses the term area)

The area record format (except area #2, which differs from offset 0x24 on) is:
000/00   1 long     area number (starting 1)
004/04   1 long     4 = length of following value?
008/08   1 long     salt
012/0c   1 long     20 = length of following hash
016/10   20 bytes   area hash         
036/24   1 long     1
040/28   1 long     area offset
044/2c   1 long     area size
048/30   end of record

Area #2 is subdivided into multiple sub-areas; only one hash calculation is done, on the concatenation of the sub-area data. The format is as follows.
The first part is identical to other area records:
000/00   1 long     area number 
004/04   1 long     4 = length of following value?
008/08   1 long     salt
012/0c   1 long     20 = length of following hash
016/10   20 bytes   area hash         
then
020/14   1 long     sub-area number
for each sub-region:
00/00    1 long     area offset
04/04    1 long     area size
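
An added example (not part of odd_verif.py or the original page) that walks ODDv3 area records using their length prefixes, run on areas 1 to 3 of the 60D dump above. It assumes the long at record offset 0x24 is a count of (offset, size) pairs, which fits both layouts described here: 1 for ordinary areas and 9 sub-areas for area #2 in this sample. The name parse_areas is chosen for the example.

```python
import struct

# Areas 1-3 of the 60D tag (tag offsets 0x60-0x12f), copied from the dump above.
AREAS_60D = bytes.fromhex("""
01 00 00 00 04 00 00 00 68 81 EE 0B 14 00 00 00
63 56 90 76 B9 28 3B 0E 64 C5 A7 A7 04 2C 1F 42
87 1D 0F C9 01 00 00 00 FA 63 4E 00 9D B9 7F 01
02 00 00 00 04 00 00 00 0D FC 84 D5 14 00 00 00
02 6D B8 3C B6 18 1D 6B BB F7 7E F9 50 02 28 2B
4D 26 EF 11 09 00 00 00 00 00 00 00 6E 00 00 00
72 00 00 00 C6 05 00 00 3C 06 00 00 04 07 00 00
A0 0F 00 00 CC A4 00 00 74 B5 00 00 02 22 00 00
E8 0D 01 00 0E 00 00 00 F6 E3 33 00 02 00 00 00
F8 63 4E 00 02 00 00 00 97 1D CE 01 02 00 00 00
03 00 00 00 04 00 00 00 6B 25 26 75 14 00 00 00
23 A9 3A 3A A7 D3 A8 BB E3 75 3E CF BC 57 11 66
E1 96 BA 0E 01 00 00 00 6E 00 00 00 04 00 00 00
""")

def parse_areas(buf, count, pos=0):
    """Walk `count` ODDv3 area records in buf; return (areas, end offset)."""
    def u32():
        nonlocal pos
        if pos + 4 > len(buf):
            raise ValueError("truncated area record")
        value, = struct.unpack_from("<I", buf, pos)
        pos += 4
        return value

    def blob(length):
        nonlocal pos
        if length > len(buf) - pos:  # never trust a length prefix
            raise ValueError("length prefix runs past the tag")
        data = buf[pos:pos + length]
        pos += length
        return data

    areas = []
    for _ in range(count):
        number = u32()
        salt = int.from_bytes(blob(u32()), "little")
        digest = blob(u32()).hex()
        # Assumption: this long counts the (offset, size) pairs that follow.
        spans = [(u32(), u32()) for _ in range(u32())]
        areas.append({"n": number, "salt": salt, "hash": digest, "spans": spans})
    return areas, pos
```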

3. Recomputation/check of ODDv3 data

0xffffffff , version = 0x00000003
0x00000014 fd86c9edc422e36914a68036ba9825e840064c9b (file hmac)
0x00000014 ac0fd27d41e00cbb768000500231e8dfc9b6c6cf (ODD hmac)
tag len=0x00000228  4=0x00000004  rand=0x745a9b08  3=0x00000003  filesize=0x01ce1d99
vhash=0x00000003  keyid=0x00000004  boardid=0x820fd801  hmac_rand=0x68f00e32

n_area = 8
 1   4  salt=0x0bee8168 0x14  63569076b9283b0e64c5a7a7042c1f42871d0fc9  1  0x004e63fa 0x017fb99d
     sha256=f498ae4693f7518ef6bf9350f1723278ac65dceb57726200dfa03f274a501462
     hmac=63569076b9283b0e64c5a7a7042c1f42871d0fc9
 2   4  0xd584fc0d  0x14  026db83cb6181d6bbbf77ef95002282b4d26ef11 n_other = 9
0x00000000 0x0000006e,  0x00000072 0x000005c6,  0x0000063c 0x00000704,  0x00000fa0 0x0000a4cc,  0x0000b574 0x00002202,  0x00010de8 0x0000000e,
0x0033e3f6 0x00000002,  0x004e63f8 0x00000002,  0x01ce1d97 0x00000002,
 sha256=fb1a01710223fd236dc20db2296dda063dc8900748a8b9e8f28df8e2827bb586
 hmac=026db83cb6181d6bbbf77ef95002282b4d26ef11
 3   4  salt=0x7526256b 0x14  23a93a3aa7d3a8bbe3753ecfbc571166e196ba0e  1  0x0000006e 0x00000004
     sha256=67abdd721024f0ff4e0b3f4c2fc13bc5bad42d0b7851d456d88d203d15aaa450
     hmac=23a93a3aa7d3a8bbe3753ecfbc571166e196ba0e
 4   4  salt=0x4d3694e3 0x14  0a245bdd4c366931cb08e16eda749e4ddc1ea6a0  1  0x0000b46c 0x00000108
     sha256=44b8aa4d28701168922acf61435ea4bb442f97b0b14ad7a2510ed68874ee2a72
     hmac=0a245bdd4c366931cb08e16eda749e4ddc1ea6a0
 5   4  salt=0xb582f1fe 0x14  03a013ab309475c210d2aa9f0a3d5641209f2ee3  1  0x00000638 0x00000004
     sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
     hmac=03a013ab309475c210d2aa9f0a3d5641209f2ee3
 6   4  salt=0x0e87fbf4 0x14  aa374cb98d24bbae9e004fa462ded4297a6f5e63  1  0x0000d776 0x00003672
     sha256=5e7756ad6be5f2c06555d7ce5721b15803da965bfa68dcc8f47616be8ec67456
     hmac=aa374cb98d24bbae9e004fa462ded4297a6f5e63
 7   4  salt=0x65fea7fb 0x14  954a9ee5009dcfe9e8d1872d514baf05fb2e6491  1  0x00010df6 0x0032d600
     sha256=4cdc2e2f1d7b06aab6d8b1392d8c2d0c536cce59e42400b21628b301d5f17a1a
     hmac=954a9ee5009dcfe9e8d1872d514baf05fb2e6491
 8   4  salt=0x51f4c551 0x14  cbd2fef0fbd60871e31c9812e2ba5b71308b357c  1  0x0033e3f8 0x001a8000
     sha256=9cc97295fc75896feb377b29637fa297a2cdce5045078cb67830de10192dba13
     hmac=cbd2fef0fbd60871e31c9812e2ba5b71308b357c
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
ODD size = 0x228, offset = 0xd78
 sha256=b5359104639139647ea152c648f04046795d62f3362d33dd0c5e2a8090f9d4a9
 hmac=ac0fd27d41e00cbb768000500231e8dfc9b6c6cf
file hmac=  fd86c9edc422e36914a68036ba9825e840064c9b ok

4. ODD variations between camera models

Please send me missing samples!

      version     vhash   keyid    area/region 
     -----------------------------------------
1D   |           no ODD feature  
1Ds  | ODDv1       NA       NA      2
20D  | ODDv2      per model key     4
5D   | ODDv2       NA       NA      4
1Dm3 | ODDv3       1        1       8
40D  | ODDv3       1        1       8
450D | ODDv3       1        2       8
5Dm2 | ODDv3       2        1       8
1Dm4 | ODDv3       2        3       6
550D | ODDv3       2        4       8
7D   | ODDv3       2        4       8
60D  | ODDv3       3        4       8
600D |           feature removed

5. References