What's Inside: Metz 50 AF-1 N


Filed under WhatsInside

Metz 50 AF-1 N{% endmark -%}digital PCB

I recently bought a Metz 50 AF-1 N flash that I’m very happy with. One of the reason why I bought this one was that it has a USB port to upgrade the firmware. (Call me crazy, but that’s a valid reason for me.)

Looking at their firmware, we find a number of “.mtz” files that all look - weird. Their entropy is much too low for a real encryption scheme (plus they don’t seem to have any length alignment). One file, MB50AF1_NikonV12.mtz in my case, looks like it’s the actual firmware for the device.

Looking at a hexdump at the end of this file shows

0000029CE0: 64 64 64 64 64 13 73 D0 A0 A3 03 03 03 03 03 03
0000029CF0: 03 13 64 64 D0 A0

We could go ahead and try to find the “de-obfuscation” algorithm in the executable (or actually go and sniff the communication, with the hope that files are decrypted locally), but there is a thing that striked me: The files end with D0 A0. Other .mtz files also end with A0 or D0 A0.

Can you already spot the algorithm?

I have to admit that I didn’t spot it instantly, even though in retrospect, it’s obvious. I tried with the usual stuff (histogram to figure out a caesar or “XOR with constant” algorithm), and eventually failed. Looking at the ending again - not surprised if they would be ASCII files, we would expect them to end with 0D 0A, or 0A, depending on the encoding.

A quick python 3-liner later showed that this guess was indeed correct: They simply swap nibbles. Doing this on the largest of the files (MB50AF1_NikonV12.mtz) produces a nice Intel-Hex file.

Next step is to guess the architecture. AVR? Nope, looking at the binary it’s obvious that they have byte-aligned instructions. PIC? I didn’t even dare to try. ARM? No byte-aligned instructions either, and the code density was much too high. 8051? Nope. I tried a few more, but none of them produced sensible output. May I ask for an “heuristically identify me the architecture for this binary, please” project again?

I finally resorted to the brute-force approach: Opening up the device reveals: It’s a NEC (now Renesas) μPD78F0396! Here’s the datasheet! Happy hacking!