I have reverse engineered the decryption for .cfc; it has changed to AES256. However, unfortunately, it is signed with an RSA key. Modifying the capabilities will require a binary patch to make it accept any signature.
A decryption script is available at
https://0bin.net/paste/9Njm5R8m#AJqvDicIqTd7lbL0J4e7szDB+yQpPXYF99azLSYZrpl -- The code is a touch weird, artifact of transcribing from IDA...
E: I have successfully upgraded my camera to its stated detector resolution of 464x348.
As this is highly experimental, I will not provide a script yet, but describe the steps instead.
1. Decrypt the cfcs with the script, and do whatever changes you want.
2. Back up every file that you change on the device!!
3. Analyze CCfc::verifySign and make it always return 1. This depends on your firmware version, but in 7.8.44 it was sufficient to change the final MOV R0, R4 to MOV R0, #1 at byte 0x9867C
4. Re-encrypt the CFC, changing the length in the new header. You can reuse the rest of the header itself, but you also need to re-XOR it.
5. Replace the files (remember the backup!)
E2: hm, seems like some things are not working. Maybe a CRC check of some kind.
E3: Yep, new CRC algorithm. It can be computed by 'zlib.crc32(<data without the CRC line>, 0x71941268 ^ 0xffffffff)'
E4: Camera is now running at 484x348!