You are not logged in. Please login or register.
SoliForum - 3D Printing Community → XYZ Printing Hacks & Mods → DaVinci Junior cartridge reset
Hey guys, I'm not all too versed in this but I was wondering if this would work. I heard of a guy who knocked his NFC reader out of place. Well, what if you just replace this NFC reader all together with one that tries to read custom software? Just an idea.
I would be very interested in seeing a way around the Jr's DRM.
From my perspective there are a few attack points >
- Find the NFC password in the downloadable firmware
- Find the NFC password in the firmware on the machine
- Obtain the NFC password by running a passthrough Data logger between the PN512 and the ATSAM4E83 maybe with an arduino or pi. This data stream is probably not encrypted. I have the equipment but not the experience to do this.
- Break the xyz.exe application so it doesn't write the amount of filament used to the file or it only writes 0)
- Edit the 3W file to remove the amount of filament used. (how is the file compressed or encoded?)
- Apply different firmware.
It seems editing the .3w file, finding the NFC password, or applying different firmware are going to be the best options.
I've tried converting the firmware to assembly but it is essentially unreadable to me.
The NFC password for this RFID card Mifare Ultralight C appears to be 4 different groups of 4 bytes. Essentially 256^16. This is not realistic to crack. It appears the card is set up so that you lock pages of memory at a time, and you can only lock the password protected pages if you know that password. This suggests that locking isn't an option.
I won't really have a lot of time to work on this until this college semester ends.
Or another option that I have yet to see anyone post.. Just do what all the other Da Vinci 1.0 and Duo users did to get around the XYZ crap and replace the motherboard with a RAMPS 1.4 and LCD.. It's a bit of work but not that hard and then you have no limitations as you have a full open source printer that can run on any host and slicer you desire.
Or another option that I have yet to see anyone post.. Just do what all the other Da Vinci 1.0 and Duo users did to get around the XYZ crap and replace the motherboard with a RAMPS 1.4 and LCD.. It's a bit of work but not that hard and then you have no limitations as you have a full open source printer that can run on any host and slicer you desire.
Definitely would work. I am interested in the DRM because I like to know how and why things work. It would be interesting to defeat simply because it exists.
Or another option that I have yet to see anyone post.. Just do what all the other Da Vinci 1.0 and Duo users did to get around the XYZ crap and replace the motherboard with a RAMPS 1.4 and LCD.. It's a bit of work but not that hard and then you have no limitations as you have a full open source printer that can run on any host and slicer you desire.
I just sourced my new Da Vinci Jr, and was wondering where I could help in it's hacking process. From what I've seen the it's .3w format is still not reverse engineered, so that's one thing I can probably check. Alternatively, do we know about the internals of the Da Vinci Jr, like what kind of stepper motors it has, and how the cabling is set up?
It uses an NXP PN512 to communicate with an NTAG213 chip. I have captured the communication between the printer and the PN512 controller over I2C.
From what I see the PN512 does not perform any encryption, so the password I grabbed should be good.
I am in the process of writing an Arduino sketch to communicate with the PN512.
I have successfully written commands for the NTAG213 into the FIFO of the PN512. I have not successfully executed those commands and read output.
I am hoping to be able to run the READ command of the NTAG213 within a few days. If that works I will attempt the authentication command.
If I am successful, I will post the memory contents here for further analysis.
Thank you for all the work you're doing. I don't understand half this stuff, but I really hope that you can come through with good results. I'm currently waiting for mine to come in the mail, and I'm stoked to start printing, but the one thing I'm not too keen on is the filament DRM. If you find a way to crack that, then I'd be ecstatic!
hey guys i was just doing some googling to help a friend out who bought a davinci jr over black friday.
the two of us are computer engineers and we are pretty determined to crack this thing and it seems that there are a few leads already started so I was looking to start helping there.
anyway I just wanted to say hello and I hope to start helping the rest of you get this cracked
What about trying to read the NFC signal coming from the printer during a print? I'm not experienced with NFC but could I be possible to intercept a password coming from the printer? If so you could possibly see all the data flowing too and from the chip. Unless of course that is all encrypted as well.
It uses an NXP PN512 to communicate with an NTAG213 chip. I have captured the communication between the printer and the PN512 controller over I2C.
From what I see the PN512 does not perform any encryption, so the password I grabbed should be good.
I am in the process of writing an Arduino sketch to communicate with the PN512.
I have successfully written commands for the NTAG213 into the FIFO of the PN512. I have not successfully executed those commands and read output.
I am hoping to be able to run the READ command of the NTAG213 within a few days. If that works I will attempt the authentication command.
If I am successful, I will post the memory contents here for further analysis.
Right when I think I have an AMAZING idea someone else has already executed it. XD
I am having trouble replicating the communication grabbed from I2C bus. I think there is a loop checking interrupts and status that I have not implemented correctly.
Instead, I purchased an NFC shield for the Arduino that has a library for communicating. I can read data from the chip just like the phone apps. Now I am trying to get this reader to authenticate.
In the mean time, here is the information from the three chips I have. It includes the unprotected pages on the chip as well as the password (PWD) I grabbed from I2C. Maybe someone can figure out how the passwords are being generated. My guess is it has to do with some unprotected data on the chip.
UID Value: 0x04 0x38 0xDC 0x22 0x9A 0x3D 0x81
PWD: 0x22 0x66 0x52 0xC6
PAGE 00: 04 38 DC 68 .8�h
PAGE 01: 22 9A 3D 81 "�=�
PAGE 02: 04 48 00 00 .H..
PAGE 03: E1 10 12 00 �...
PAGE 04: 01 03 A0 0C ..�.
PAGE 05: 34 03 00 FE 4..�
PAGE 06: 00 00 00 00 ....
PAGE 07: 00 00 00 00 ....
UID Value: 0x04 0x20 0x57 0x22 0x97 0x3C 0x80
PWD: 0x93 0x1B 0x18 0x0C
PAGE 00: 04 20 57 FB . W�
PAGE 01: 22 97 3C 80 "�<�
PAGE 02: 09 48 00 00 .H..
PAGE 03: E1 10 12 00 �...
PAGE 04: 01 03 A0 0C ..�.
PAGE 05: 34 03 00 FE 4..�
PAGE 06: 00 00 00 00 ....
PAGE 07: 00 00 00 00 ....
UID Value: 0x04 0x4F 0x57 0x22 0x97 0x3C 0x80
PWD: 0x75 0x9A 0x67 0x0D
PAGE 00: 04 4F 57 94 .OW�
PAGE 01: 22 97 3C 80 "�<�
PAGE 02: 09 48 00 00 .H..
PAGE 03: E1 10 12 00 �...
PAGE 04: 01 03 A0 0C ..�.
PAGE 05: 34 03 00 FE 4..�
PAGE 06: 00 00 00 00 ....
PAGE 07: 00 00 00 00 ....
ethanleep:
I watched the comms on the I2C bus. Here is the pinout on the board on the left side of the printer:
Pin Connection
1 3.3 to 5v
2 Ground
3 NRSTPD (See PN512 datasheet)
4 IRQ (See PN512 datasheet)
5 I2C SDA
6 I2C SCL
I used a Logic 4 from Saleae. I imagine a slightly cheaper option would be a Bus Pirate. I have one but have not used it yet.
Authentication success.
Spool Info: Nature,82m remaining out of 100m, PLA
Unprotected dump:
PAGE 00: 04 38 DC 68 .8�h
PAGE 01: 22 9A 3D 81 "�=�
PAGE 02: 04 48 00 00 .H..
PAGE 03: E1 10 12 00 �...
PAGE 04: 01 03 A0 0C ..�.
PAGE 05: 34 03 00 FE 4..�
PAGE 06: 00 00 00 00 ....
PAGE 07: 00 00 00 00 ....
PAGE 08: 5A 50 5A 00 ZPZ.
PAGE 09: 00 35 35 36 .556
PAGE 10: A0 86 01 00 ��..
PAGE 11: A0 86 01 00 ��..
PAGE 12: D2 00 2D 00 �.-.
PAGE 13: 54 48 47 42 THGB
PAGE 14: 30 34 37 39 0479
PAGE 15: 00 00 00 00 ....
PAGE 16: 00 00 00 00 ....
PAGE 17: 34 00 00 00 4...
PAGE 18: 00 00 00 00 ....
PAGE 19: 00 00 00 00 ....
PAGE 20: AB 41 01 00 �A..
PAGE 21: E3 53 33 54 �S3T
PAGE 22: 25 4D E1 CE %M��
PAGE 23: BF BC 49 76 ��Iv
PAGE 24: 00 00 00 00 ....
PAGE 25: 00 00 00 00 ....
PAGE 26: 00 00 00 00 ....
PAGE 27: 00 00 00 00 ....
PAGE 28: 00 00 00 00 ....
PAGE 29: 00 00 00 00 ....
PAGE 30: 00 00 00 00 ....
PAGE 31: 00 00 00 00 ....
PAGE 32: 00 00 00 00 ....
PAGE 33: 00 00 00 00 ....
PAGE 34: 00 00 00 00 ....
PAGE 35: 00 00 00 00 ....
PAGE 36: 00 00 00 00 ....
PAGE 37: 00 00 00 00 ....
PAGE 38: 00 00 00 00 ....
PAGE 39: 00 00 00 00 ....
PAGE 40: 00 00 00 BD ...�
PAGE 41: 07 00 00 08 ....
Here is a green roll. 200m of 200m, PLA
PAGE 00: 04 4F 57 94 .OW�
PAGE 01: 22 97 3C 80 "�<�
PAGE 02: 09 48 00 00 .H..
PAGE 03: E1 10 12 00 �...
PAGE 04: 01 03 A0 0C ..�.
PAGE 05: 34 03 00 FE 4..�
PAGE 06: 00 00 00 00 ....
PAGE 07: 00 00 00 00 ....
PAGE 08: 5A 50 50 00 ZPP.
PAGE 09: 00 35 34 54 .54T
PAGE 10: 40 0D 03 00 @...
PAGE 11: 40 0D 03 00 @...
PAGE 12: D2 00 2D 00 �.-.
PAGE 13: 54 48 47 42 THGB
PAGE 14: 30 31 32 33 0123
PAGE 15: 00 00 00 00 ....
PAGE 16: 00 00 00 00 ....
PAGE 17: 34 00 00 00 4...
PAGE 18: 00 00 00 00 ....
PAGE 19: 00 00 00 00 ....
PAGE 20: 40 0D 03 00 @...
PAGE 21: 08 1F 31 54 ..1T
PAGE 22: 50 B1 E0 CE P���
PAGE 23: 52 E7 4F 76 R�Ov
PAGE 24: 00 00 00 00 ....
PAGE 25: 00 00 00 00 ....
PAGE 26: 00 00 00 00 ....
PAGE 27: 00 00 00 00 ....
PAGE 28: 00 00 00 00 ....
PAGE 29: 00 00 00 00 ....
PAGE 30: 00 00 00 00 ....
PAGE 31: 00 00 00 00 ....
PAGE 32: 00 00 00 00 ....
PAGE 33: 00 00 00 00 ....
PAGE 34: 00 00 00 00 ....
PAGE 35: 00 00 00 00 ....
PAGE 36: 00 00 00 00 ....
PAGE 37: 00 00 00 00 ....
PAGE 38: 00 00 00 00 ....
PAGE 39: 00 00 00 00 ....
PAGE 40: 00 00 00 BD ...�
PAGE 41: 07 00 00 08 ....
Another 200m green roll of PLA:
PAGE 00: 04 20 57 FB . W�
PAGE 01: 22 97 3C 80 "�<�
PAGE 02: 09 48 00 00 .H..
PAGE 03: E1 10 12 00 �...
PAGE 04: 01 03 A0 0C ..�.
PAGE 05: 34 03 00 FE 4..�
PAGE 06: 00 00 00 00 ....
PAGE 07: 00 00 00 00 ....
PAGE 08: 5A 50 50 00 ZPP.
PAGE 09: 00 35 34 54 .54T
PAGE 10: 40 0D 03 00 @...
PAGE 11: 40 0D 03 00 @...
PAGE 12: D2 00 2D 00 �.-.
PAGE 13: 54 48 47 42 THGB
PAGE 14: 30 34 39 35 0495
PAGE 15: 00 00 00 00 ....
PAGE 16: 00 00 00 00 ....
PAGE 17: 34 00 00 00 4...
PAGE 18: 00 00 00 00 ....
PAGE 19: 00 00 00 00 ....
PAGE 20: 40 0D 03 00 @...
PAGE 21: 08 1F 31 54 ..1T
PAGE 22: 50 B1 E0 CE P���
PAGE 23: 52 E7 4F 76 R�Ov
PAGE 24: 00 00 00 00 ....
PAGE 25: 00 00 00 00 ....
PAGE 26: 00 00 00 00 ....
PAGE 27: 00 00 00 00 ....
PAGE 28: 00 00 00 00 ....
PAGE 29: 00 00 00 00 ....
PAGE 30: 00 00 00 00 ....
PAGE 31: 00 00 00 00 ....
PAGE 32: 00 00 00 00 ....
PAGE 33: 00 00 00 00 ....
PAGE 34: 00 00 00 00 ....
PAGE 35: 00 00 00 00 ....
PAGE 36: 00 00 00 00 ....
PAGE 37: 00 00 00 00 ....
PAGE 38: 00 00 00 00 ....
PAGE 39: 00 00 00 00 ....
PAGE 40: 00 00 00 BD ...�
PAGE 41: 07 00 00 08 ....
Nice work crgpgh. Any ideas about the encoding on that? Clearly not plain-text haha. There's clearly some similarities between spools though.
The only thing I have found so far is that the Z codes may be material and color.
P for PLA, not sure how the other letters code out or even if they are for sure the same as the other devices.
I am going to run some parts and see what values change.
Now that I think about it, what's the point of doing all this? Even if we do crack the filament DRM, doesn't it use a type of plastic that doesn't need to be heated as much as normal filament? Will we also find a way to increase the temperature? If not, then we'll just be printing with hot spools, not melted plastic. Am I looking at this wrong, or is this more like just getting one step closer to sidestepping XYZ?
Now that I think about it, what's the point of doing all this? Even if we do crack the filament DRM, doesn't it use a type of plastic that doesn't need to be heated as much as normal filament? Will we also find a way to increase the temperature? If not, then we'll just be printing with hot spools, not melted plastic. Am I looking at this wrong, or is this more like just getting one step closer to sidestepping XYZ?
The DaVinci Jr. uses PLA plastic - a very standard type of 3d printing filament. This would allow us to use 1.75mm PLA filament purchased from vendors other than XYZ.
MiningForMac wrote:Now that I think about it, what's the point of doing all this? Even if we do crack the filament DRM, doesn't it use a type of plastic that doesn't need to be heated as much as normal filament? Will we also find a way to increase the temperature? If not, then we'll just be printing with hot spools, not melted plastic. Am I looking at this wrong, or is this more like just getting one step closer to sidestepping XYZ?
The DaVinci Jr. uses PLA plastic - a very standard type of 3d printing filament. This would allow us to use 1.75mm PLA filament purchased from vendors other than XYZ.
Not true, XYZ filament is specially formulated just for them where it works at about 20 degrees below where other filament does. Yes I am talking about PLA. They do the same with their ABS.. So yes if you do crack the DRM you will still need to find a way to set a higher temp from what the stock is using.
Not true, XYZ filament is specially formulated just for them where it works at about 20 degrees below where other filament does. Yes I am talking about PLA. They do the same with their ABS.. So yes if you do crack the DRM you will still need to find a way to set a higher temp from what the stock is using.
Interesting! Well, we're still moving in the right direction. Perhaps there is a temperature value on the filament cartridges that can be altered to accommodate standard PLA temperatures.
I would be surprised if it is a truly custom formulation. Even if it is, it will most likely still fall in the same range of thermal properties of other commercially available formula.
This entry has some links to data sheets:
I would be surprised if it is a truly custom formulation. Even if it is, it will most likely still fall in the same range of thermal properties of other commercially available formula.
This entry has some links to data sheets:
Many of us here have had other XYZ printers such as the original 1.0, the 2.0, and Duo and we have all gone through the issue of the XYZ DRM game and we all found the same thing that their filament melts at 20 degrees lower than the third party stuff.. The third party stuff will cause extruder jams if you can't mod the temp.
crgpgh wrote:I would be surprised if it is a truly custom formulation. Even if it is, it will most likely still fall in the same range of thermal properties of other commercially available formula.
This entry has some links to data sheets:
Many of us here have had other XYZ printers such as the original 1.0, the 2.0, and Duo and we have all gone through the issue of the XYZ DRM game and we all found the same thing that their filament melts at 20 degrees lower than the third party stuff.. The third party stuff will cause extruder jams if you can't mod the temp.
The DV Jr looks to be running around 205 C, so the hight temp PLA (4032D) is a no-go, but the others should be alright
just printed some test whit normal pla and it prints fine. so the temperature is around 195-205
SoliForum - 3D Printing Community → XYZ Printing Hacks & Mods → DaVinci Junior cartridge reset
Powered by PunBB, supported by Informer Technologies, Inc.
