Hello,
Is there any progress? I also bought 2 of these damaged cameras for a fair price and would like to unlock them.
I've read and compared their firmware, and all encrypted blobs are identical. The only differences are some mostly repeated unencrypted areas (sensor calibration?), serial numbers and some small binary data near them. The "NV4-Authblock-Release-60" blob at the end is exactly the same, so I would expect that the unlock key may be the same for all devices. It may even be the good old Johan and Lennie, but I have no idea how to apply it.
The camera speaks the standard FLIR Boson binary protocol over GMSL UART - I can read the model, serial number, etc. There should be some extension for the car authentication, but command codes are 32-bit - it would take a long time to brute-force them (assuming that malformed and non-existent commands give different statuses - the FLIR appnote does not specify this). Unfortunately, these cars are relatively rare, and eavesdropping on the GMSL link should be tricky.
JTAG tools (MoviDebug) are included in the Movidius MDK, but I was unable to find it. The same processor is used in DJI and Ryze Tello copters, and I found some mentions of these tools in the DJI security researchers' wiki, so I think at least somebody has that MDK.
Does anybody know where it is connected in the car? It might be useful to reverse-engineer the receiver unit. I tried to google, but cannot find anything like "Cadillac Escalade night vision ECU". There is some ECU for cameras on eBay, but it has several coax connectors, unlike the camera's HSD connector. There was a Veoneer press release revealing a photo of two devices; the lower one is NV3 and the upper one is expected to be NV4. I also found a schematic picture of the same unit in some Jeep parts catalog, but I cannot find its part number or any live photo. Looks like it is not really used. Also, there is a photo of the Cadillac Escalade camera cable - one end is HSD, and the other is some square connector. A similar connector is on the cluster display, but it would be generally uncommon in a car to connect the camera directly to the cluster. Also, the connector seems waterproof, which is unneeded if it is connected inside the car interior.