leecher1337 / pixma

Tools for analyzing Canon Pixma printer firmware

Canon Laser #2

Open norey opened 3 years ago

norey commented 3 years ago

I'm wondering if this can extract Canon Laser printers' firmware (testing on a MF741C/743C model). I downloaded the firmware tool from here and then extracted a binary with a 4E 43 46 57 ... NCFW... header. I decrypted it with pixma_decrypt and ended up with a file with header:

00000000: 53 46 30 39 30 30 0d 0a 6e 76 6d 3d 10 30 30 30  SF0900..nvm=.000
00000010: 00 35 2b 66 30 30 0d 0a 53 46 30 35 30 30 30 30  .5+f00..SF050000
00000020: 34 2f c2 db 30 ad 0e 0d ab be 36 3c 3c 3d 3e 3f  4/..0.....6<<=>?
...
...

Now I'm not sure about the next step, grep -v -e '^SF' decoded.asc | srec_cat -o decoded.bin -binary. Is the point to concat all blocks starting with SF, other than the first one, with srec? Because with such a command currently, grep outputs "Binary file decoded_fw.bin matches", so I don't know how that is piped to srec.

I appreciate any feedback.

leecher1337 commented 3 years ago

Looks like the decrypter only found the key for the first 32 (2 x 16) bytes. With Pixma printers, the same key is used for every 16-byte block, but judging from your output, the firmware that you want to decrypt uses a different key scheme, as you have non-ASCII characters starting at offset 32, so the key is "modified" every 32 bytes, making the grep output that you try to decode a binary file, which of course doesn't work.
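The check described in the reply above can be scripted. This is an added example, not part of the thread or of the pixma tools: it scores each 16-byte block of the decrypted output by its share of text bytes and reports the first block where the recovered key stops producing ASCII. The 0.9 threshold and all function names are assumptions chosen for this illustration.

```python
BLOCK = 16  # block size named in the reply above

# Constructed sample: the first 48 bytes of the decrypted dump quoted in the thread.
SAMPLE = bytes.fromhex(
    "53463039 30300d0a 6e766d3d 10303030"
    "00352b66 30300d0a 53463035 30303030"
    "342fc2db 30ad0e0d abbe363c 3c3d3e3f"
)

# Printable ASCII plus tab, LF and CR, which a line-oriented text file may contain.
TEXT = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def block_scores(data, block=BLOCK):
    """Return (offset, fraction of text bytes) for every block of the input."""
    scores = []
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        scores.append((off, sum(b in TEXT for b in chunk) / len(chunk)))
    return scores


def first_bad_offset(data, threshold=0.9, block=BLOCK):
    """Offset of the first block scoring below threshold, or None if all pass."""
    for off, score in block_scores(data, block):
        if score < threshold:
            return off
    return None


def looks_binary_to_grep(data):
    """Approximate GNU grep's binary test: a NUL byte or improperly encoded
    bytes (UTF-8 locale assumed here) make it print 'Binary file ... matches'."""
    if b"\x00" in data:
        return True
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


if __name__ == "__main__":
    for off, score in block_scores(SAMPLE):
        print(f"0x{off:08x}  text fraction {score:.3f}")
    print("first implausible block at offset", first_bad_offset(SAMPLE))
    print("grep would treat as binary:", looks_binary_to_grep(SAMPLE))
```

On the quoted dump the first two blocks score 0.9375 and the third drops to 0.625, so the reported offset is 32.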

norey commented 3 years ago

I see, do you have any tips on how to go through with decrypting/unpacking it? Header starts with

00000000: 4e 43 46 57 00 00 00 00 3d 31 5d 08 20 00 00 00  NCFW....=1]. ...
00000010: 1d 30 5d 08 00 00 00 00 00 01 00 00 00 00 00 00  .0].............
00000020: 29 2a b4 b5 00 9d 03 07 f8 f9 06 09 0c 0d 0e 0f  )*..............
00000030: e4 e5 d6 d7 94 15 96 97 18 19 19 0b 1c 1d 9e af  ................
00000040: 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f   !"#$%&'()*+,-./
00000050: 30 31 32 33 34 35 36 37 38 39 3a 3b 39 0a e7 39  0123456789:;9..9
00000060: 34 35 4f 50 44 45 46 37 48 49 ca 4b 4d 4e 4f 50  45OPDEF7HI.KMNOP
00000070: 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f 60  QRSTUVWXYZ[\]^_`
...
...

I can't find any info about its format. My last resort would be to reverse the firmware tool and find out what it is doing.