51

Re: DaVinci Junior cartridge reset

ChunkLady wrote:

Well, I suppose we can. The 3w files are just base64 encoded special GCode files, with a few extra lines. So my guess is you can slice with whatever program you want (XYZWare seems horrible at slices sometimes), then change the few lines, up the temperature - and base64 encode it for davinci support.


This has been done since the first Da Vinci 1.0 rolled out. You Junior and Press owners should really read all the other Da Vinci and XYZ threads as most of them apply to your devices as well.

Printing since 2009 and still love it!
Anycubic 4MAX best $225 ever invested.
Voxelabs Proxima SLA. 6 inch 2k Mono LCD.
Anycubic Predator, massive Delta machine. 450 x 370 print envelope.

52

Re: DaVinci Junior cartridge reset

Thanks for your input, Carl, but I've read through many of the other Da Vinci threads and unfortunately this particular aspect is still unresolved. I haven't yet seen a successful attempt at creating the 3w file from a base64 encoded gcode file.

53

Re: DaVinci Junior cartridge reset

ChunkLady wrote:

Just joined to follow up on this one. I just took my depleted filament, read it through my RFID RC522 reader for Arduino, and the output was

Card UID: 04 5F B9 2A 97 3C 80
PICC type: MIFARE Ultralight or Ultralight C
Page  0  1  2  3
  0   04 5F B9 6A
  1   2A 97 3C 80
  2   01 48 00 00
  3   E1 10 12 00
  4   01 03 A0 0C
  5   34 03 00 FE
  6   00 00 00 00
  7   00 00 00 00

(and then an error, since it's crypted/protected).

I don't know how encrypted rfids work, but unless they send out separate signals depending on the input they get, it would be entirely possible to just fake the signal of a new filament, basically all the time, with a little arduino. All it takes is the RFID dump of a clean chip - and discarding all write attempts. There's an off-chance the printer checks if the changes written, have been implemented, in which case, the new values from the da vinci jr. needs to be accepted - if possible.

Edit (1)
My chip was on a filament with color natural, 600g - came with the printer. The numbers printed on the spool itself is; printed on a label RFPLCFGBP3ZTH53S0044 - and handwritten on a label 50740120202.

Edit (2)
As I understand it these chips can actually lock out any continuous attempt at password guessing. In the hope that it does not, I have (or I think I have, if my code is correct) at the moment tried the first 16.581.375 combinations (0xff 0xff 0xff 0x0 0x0 0x0 0x0 0x0 0x0) by sheer brute force - no luck. Problem is of course, that brute forcing took ~8 hours on the Atmega328 - it has to be repeated 4.228.250.625 times - which is longer than I will (probably) live. I might attempt another 16 mil combinations, with just random number-generating instead.

One way of guesstimating the passphrase, would be, maybe, to sniff the traffic coming from the Da Vinci Jr printer itself. Alas, I do not know how to do this at the moment.

Edit (3)
My guess is that the Da Vinci firmware has some kind of master password, which is seeded with the ID of each unique RFID. In other words, even if I get the key from mine, it will probably not work for anyone else.

Also, there's the off chance, that the firmware stores RFID-tags and their "last known size and usage" to prevent spool-meters to go up again - which in turn, would mean the passphrase either needs to be found, or the memory containing the RFID-tags, erased for each machine.

Were you able to get keys for either sectors 0-5 key a&b? If so, what were they? Try to crack this bad boy.

thanks
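The first four pages of the dump quoted in this post can be decoded offline. The following is an added example, not code from any poster in the thread; it assumes the tag follows the MIFARE Ultralight / NFC Forum Type 2 Tag layout that the reader reported, and the dump text is retyped here as constructed input.

```python
import re

# Constructed input: the reader output quoted in the post above, retyped as text.
DUMP = """\
Card UID: 04 5F B9 2A 97 3C 80
PICC type: MIFARE Ultralight or Ultralight C
Page  0  1  2  3
  0   04 5F B9 6A
  1   2A 97 3C 80
  2   01 48 00 00
  3   E1 10 12 00
  4   01 03 A0 0C
  5   34 03 00 FE
  6   00 00 00 00
  7   00 00 00 00
"""

CASCADE_TAG = 0x88  # ISO/IEC 14443-3 cascade tag, part of BCC0 for 7-byte UIDs
PAGE_LINE = re.compile(r"\s*(\d+)((?:\s+[0-9A-Fa-f]{2}){4})\s*")

def parse_pages(text):
    """Return {page_number: 4 bytes}; header and status lines are skipped."""
    pages = {}
    for line in text.splitlines():
        match = PAGE_LINE.fullmatch(line)
        if match:
            pages[int(match.group(1))] = bytes.fromhex(match.group(2))
    return pages

def describe(pages):
    """Decode pages 0-3 (UID, check bytes, lock bytes, capability container)."""
    p0, p1, p2, cc = (pages[i] for i in range(4))
    bcc0 = CASCADE_TAG ^ p0[0] ^ p0[1] ^ p0[2]
    bcc1 = p1[0] ^ p1[1] ^ p1[2] ^ p1[3]
    return {
        "uid": (p0[:3] + p1).hex().upper(),
        "bcc0_ok": bcc0 == p0[3],          # check byte stored in page 0, byte 3
        "bcc1_ok": bcc1 == p2[0],          # check byte stored in page 2, byte 0
        "static_lock_bytes": p2[2:4].hex(),
        "ndef_magic": cc[0] == 0xE1,       # capability container marker
        "data_area_bytes": cc[2] * 8,      # CC byte 2 counts 8-byte units
        "cc_access": cc[3],                # 0x00: read and write at the NDEF level
        "last_page_read": max(pages),      # the reader errored after this page
    }

if __name__ == "__main__":
    for key, value in describe(parse_pages(DUMP)).items():
        print(f"{key:18} {value}")
```

Both check bytes validate against the UID printed by the reader, so the readable part of the dump is internally consistent.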

54

Re: DaVinci Junior cartridge reset

Hi guys. Coming into this a bit late but experiencing the same issue. I personally don't mind using their filament but seeing as they only appear to have 4 damned colours, we need to find a workaround until they do. If we can hack a single chip to always say "I have 300 m available" that would be great. The thread regarding locking the chip for writing seemed to have gone cold. Was there any progress on that or was it in fact a dead end?

We can do this.

55

Re: DaVinci Junior cartridge reset

I was under the impression that that was a dead end. I couldn't get my chips to ever lock with the phones we have anyway. I really hope we figure this out because I'm getting tired of limited colors and a higher price for half the standard filament.

56

Re: DaVinci Junior cartridge reset

Ok, late to the party, this sounds like quite the pickle. I am starting up my JR this week and want to participate in this project.

What exactly do I need to be able to read these chips? I didn't quite comprehend it, something about a phone app?

I have a series of projects I need to print in bottle-green PLA, I bought several rolls of it from DaVinci. Once I know what I need to read the chip I'll document the changes in detail to the content of the chip, and attempt to pull machine-states from the printer itself. If we can find when it writes we can hopefully devise a way to stop it from writing entirely. Possibly by blocking an output on the board or something. All depends how dependent the machine is on two-way communication between the chip and the motherboard.

IF the software says "I calculate X number of meters are needed for this project" and the printer says "I used X number of meters for that project" then we intercept it before it alters the chip data (300 meters minus X). Either by hacking the DaVinci software, the printer board or whatever.

It's a broad brushstroke and more than likely some of this has been gone over or attempted... BUT a second/third/fourth look at it might yield new insight.

*cracks knuckles* This thing. Let's do it.

MonoPrice Mini Select,  Orion Delta, HeartlessTech I3 2020, TWO Taz-5,  8 Wanhao Clones
Filistruder (Operational)  (Scanners RMA'd Due To Missing Components)
Benchtop Molding Press,  Arburg All-Arounder IMM,   Bridgeport ProTrac, Monarch 10EE Lathe,  Light Machine CNC Mill & Lathe
(THIS IS JUST MY HALF OF THE WORKSHOP MUAHAHAHAHA)

57

Re: DaVinci Junior cartridge reset

Why not just get together and port Repetier Firmware over to the Jr.? Then you don't even have to bother with the chip.

All you guys need to do is figure out the pins and where they come out at on the board then just remap the firmware for it.

The version for the current Da Vinci models could be a very good base to start at.

This would be much easier than your current path.


58

Re: DaVinci Junior cartridge reset

I would be down with this.    How can I help?


59

Re: DaVinci Junior cartridge reset

I'd also like to help but I don't have enough programming experience to know where to go. Whatever I can do, let me know. I want to help crack this so we can all benefit.

60

Re: DaVinci Junior cartridge reset

I no longer have a Da Vinci so I can't help but I would start by getting a copy of the Repetier firmware for the regular Da Vinci printers.

Then look at the pin.h file to get an idea of what I mean by pin mapping. You will also need a pinout of the Samba3 processor used on the mainboard so you can see how the pins relate to ports on it as well.

The Normal version of the firmware will show you the necessary pins that need to be found. Then somebody will need to remove their mainboard and, using a continuity meter as well as eyesight, trace the paths from the processor out to each of the outputs or from the outputs back. Some will not go directly to outputs and those get tricky, but if you can identify the output from how it is used on your printer then it will not be too hard. Start with easy ones that appear to be direct then go for the ones that run through things like an ADC for temperature and such.


61

Re: DaVinci Junior cartridge reset

I thought I posted this earlier but I guess I didn't so here it goes: I was on Reddit and found a post about the Junior with some guy claiming he has a friend that figured out how to use Arduino to rewrite the chips. Here is what was said:
"It can be done using an Arduino to reprogram the drm chip. The temperature needs to be changed then the chip can be reprogrammed when its counter is running low."

I don't know if this opens up any doors but I thought it was interesting.

62

Re: DaVinci Junior cartridge reset

I was playing around with a hex editor and a .3w file and discovered the fact that the encoding is BIG 5. I have no idea if this helps or not. I have a nfc tag copier and emulators coming in the mail so I can see if copies of the nfc tag work.

63 (edited by graepfruit4 2015-11-04 21:11:50)

Re: DaVinci Junior cartridge reset

I just ordered a Jr earlier this week, with knowledge of its NFC filament system prior to purchasing. I'm pretty good at programming and disassembling, and have fair electronics knowledge and equipment from my business.

I hope to make some progress on this. Probably not a full port of Repetier, but maybe a short patch idea.

I'll post my initial impressions tomorrow once I get a good look at the insides.

-graepfruit4

edit:

Here is a pic of the Jr's circuit board/mainboard. I haven't seen any others on the internet.

http://i.imgur.com/ym8bOOP.jpg

64 (edited by graepfruit4 2015-11-05 03:25:33)

Re: DaVinci Junior cartridge reset

I have made good progress today. It looks like the best way to go about disabling the filament check is to modify the firmware before it's uploaded to the SAM4E8E microcontroller. I've got to make a little program to flash the MCU the same way XYZ's program does (which I have identified, I just need to replicate the process). I still need to do some tweaking to my methods of disassembling the firmware binary, then I can track down where all the NFC stuff is happening. From there I'll have to decide where to modify it.

Good news: The method for removing the filament check will be easy to use, as simple as downloading a program (<5mb) and running it.

Bad news: The firmware .bin is obfuscated in some manner, seeing references of AES.

65

Re: DaVinci Junior cartridge reset

Sooooo glad someone who has the programming experience has gotten on board. This sounds very promising. When you talk about running a program will this likely reset the chip or permanently alter the printer's firmware to stop the filament tracking?

66

Re: DaVinci Junior cartridge reset

The idea is that it will modify the firmware, so you won't have to do it again unless you want to update the firmware.

67

Re: DaVinci Junior cartridge reset

While looking around I found something really cool that will apply to all XYZ machines. I've just gotta wrap it up nice and I'll post it in a couple hours.

68

Re: DaVinci Junior cartridge reset

graepfruit4 wrote:

While looking around I found something really cool that will apply to all XYZ machines. I've just gotta wrap it up nice and I'll post it in a couple hours.

Dude, we need ur help right now. Tell us what u found out!

69 (edited by carl_m1968 2015-11-07 21:23:49)

Re: DaVinci Junior cartridge reset

mioandhiscats wrote:
graepfruit4 wrote:

While looking around I found something really cool that will apply to all XYZ machines. I've just gotta wrap it up nice and I'll post it in a couple hours.

Dude, we need ur help right now. Tell us what u found out!


It's not what you think, but just look at his post history and you will find it. He already posted it in a different section. Point of interest, XYZware advanced mode.


70

Re: DaVinci Junior cartridge reset

I realize that sounded a bit hype-y, considering it wasn't all that interesting after all. I'll get back on the subject tomorrow evening. I ended up having to kick in my back door yesterday, and have been fixing it since.

I'm still working on taking apart the firmware. I'm trying to find out for certain if it is obfuscated, or if I'm not disassembling it right. The jr runs on an Atmel SAM4E8E, with a Cortex M4 inside with an ARMv6M(?). Finding out exactly how its code is structured has proven not the simplest task when unsure if it is obfuscated or not. I'm thinking yes, because there would normally be an interrupt vector table starting at address 0x0, but all I see are numbers that are far larger than 256k.

Worst case is I have to dump the firmware off of the SAM in my printer and see how it decodes the firmware once it's sent. This would possibly require some soldering if I can't grab the leads with a grabber probe. I hope to return the unit after hopefully solving this filament reset problem for the community.
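A first-pass check for whether a Cortex-M image is plain or scrambled combines a vector-table sanity test with a byte-entropy measurement. This is an added example, not code from the thread or from XYZ; the flash and SRAM ranges are assumptions about the SAM4E8E memory map to be confirmed against the datasheet, and both sample images are constructed.

```python
import math
import random
import struct
from collections import Counter

# Assumed SAM4E8E memory map (not stated in the thread); confirm in the datasheet.
FLASH = range(0x0040_0000, 0x0040_0000 + 512 * 1024)
SRAM = range(0x2000_0000, 0x2000_0000 + 128 * 1024)

def entropy_bits_per_byte(data):
    """Shannon entropy; values near 8.0 point to encrypted or compressed data."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def vector_table_plausible(image, words=16):
    """A Cortex-M image starts with the initial SP, then handler addresses."""
    if len(image) < 4 * words:
        return False
    sp, reset, *rest = struct.unpack_from(f"<{words}I", image)
    if sp % 4 or (sp not in SRAM and sp != SRAM.stop):  # stack may start at top of SRAM
        return False
    if not reset & 1 or (reset & ~1) not in FLASH:      # Thumb handlers have bit 0 set
        return False
    # Reserved vectors are 0; every other entry must be an odd address inside flash.
    return all(v == 0 or (v & 1 and (v & ~1) in FLASH) for v in rest)

def triage(image):
    """Summarise both signals for one firmware blob."""
    return {"vector_table": vector_table_plausible(image),
            "entropy": round(entropy_bits_per_byte(image), 2)}

def constructed_plain_image():
    """Constructed sample: a valid vector table followed by repetitive code bytes."""
    vectors = [0x2002_0000, 0x0040_0101] + [0x0040_0201] * 14
    return struct.pack("<16I", *vectors) + bytes.fromhex("70470000") * 1024

def constructed_scrambled_image():
    """Constructed sample: the same image XORed with a pseudo-random byte stream."""
    rng = random.Random(1)
    return bytes(b ^ rng.randrange(256) for b in constructed_plain_image())

if __name__ == "__main__":
    print("plain    ", triage(constructed_plain_image()))
    print("scrambled", triage(constructed_scrambled_image()))
```

A blob that fails the vector-table test and measures close to 8 bits per byte is most likely encrypted or compressed rather than wrongly disassembled.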

71

Re: DaVinci Junior cartridge reset

graepfruit4 wrote:

I realize that sounded a bit hype-y, considering it wasn't all that interesting after all. I'll get back on the subject tomorrow evening. I ended up having to kick in my back door yesterday, and have been fixing it since.

I'm still working on taking apart the firmware. I'm trying to find out for certain if it is obfuscated, or if I'm not disassembling it right. The jr runs on an Atmel SAM4E8E, with a Cortex M4 inside with an ARMv6M(?). Finding out exactly how its code is structured has proven not the simplest task when unsure if it is obfuscated or not. I'm thinking yes, because there would normally be an interrupt vector table starting at address 0x0, but all I see are numbers that are far larger than 256k.

Worst case is I have to dump the firmware off of the SAM in my printer and see how it decodes the firmware once it's sent. This would possibly require some soldering if I can't grab the leads with a grabber probe. I hope to return the unit after hopefully solving this filament reset problem for the community.

thanks for everything u do for us! good luck

72

Re: DaVinci Junior cartridge reset

Late to the party but interested in the results. Our school is thinking about purchasing a Jr, but not if we have to use their filament. Keep up the good work!

FuseBox 1.5 CoreXY - e3dv6 - Graphic Smart Display
Solidoodle 2 - e3dv6 - Hobb Goblin - e3d Titan - lawsy carriages - Direct Drive Y Axis - T8 Z axis - OctoPi

73

Re: DaVinci Junior cartridge reset

I've just ordered a Segger J-Link and a QFN adapter for dumping the SAM4E8E. They won't be here until late this month (18-4).

74

Re: DaVinci Junior cartridge reset

Any update on this?

75

Re: DaVinci Junior cartridge reset

graepfruit4 wrote:

I've just ordered a Segger J-Link and a QFN adapter for dumping the SAM4E8E. They won't be here until late this month (18-4).

It can only be dumped as a bin file. Unless you know what software XYZ used to compile it, you won't be able to decompile it and see anything readable much less usable. I already tried dumping my 1.0 which uses the same processor using tools from my tech job and no luck on the decompile.
