101

Re: DaVinci Junior cartridge reset

http://soliforum.com/i/?8JOi46R.jpg

102

Re: DaVinci Junior cartridge reset

Meanwhile I managed to decrypt the 3w format generated by XYZ into gcode. (The encryption they are using is very similar to the Da Vinci 1.1 Pro encryption, but they added a bit more obfuscation into the mix).

If you're interested this is the header and initial commands of the file:

; filename = Task.3w
; print_time = 1124
; machine = daVinciJR10W
; filamentid = 50,50
; layer_height = 0.30
; fill_density = 0.10
; raft_layers = 0
; support_material = 0
; support_material_extruder = 1
; support_density = 0.15
; shells = 2
; speed = 15
; brim_width = 0
; total_layers = 106
; version = 15062609
; total_filament = 618.55
; nozzle_diameter = 0.40
; extruder_filament = 618.55:0.00
; dimension = 31.95:33.09:31.85
; extruder = 1
G21 ; set units to millimeters
M107
;M104 S0 ; set temperature
;M109 S0 ; wait for temperature to be reached
G90 ; use absolute coordinates
G92 E0
M82 ; use absolute distances for extrusion
G1 F900.000 E-4.00000
G92 E0
G1 Z0.350 F6000.000
(lots of G1 and G92 commands up until the end)
M107
M84     ; disable motors

Note that the M104 and M109 commands are commented out. Also not sure whether the data in the header is used by the FW or not.

Next I'll try to create an encoder from gcode into 3w, and test whether the machine accepts something created from Slic3r.

103

Re: DaVinci Junior cartridge reset

Very cool sztupy!  I had heard the 3w file was just base64 encoded but I couldn't seem to get anything legible from it.  Though, admittedly, my cryptography skills are pretty weak.

104

Re: DaVinci Junior cartridge reset

Nice, how did you do it sztupy?

105

Re: DaVinci Junior cartridge reset

crgpgh wrote:

Nice, how did you do it sztupy?

I too am curious.  It looks like the 3w files were first just base64 encoded.  Then they switched to AES encryption with the following details:

key: "@xyzprinting.com"
cipher: AES/CBC/PKCS5Padding
starting byte: 0x2000
block size: 0x2010

(Source: https://github.com/tai/decrypt-xyz3w)

The result was a zip archive with the gcode inside.  However, that no longer seems to be working.  I tried changing the offset but could not find a value that worked.

106

Re: DaVinci Junior cartridge reset

XYLenTech wrote:
crgpgh wrote:

Nice, how did you do it sztupy?

I too am curious.  It looks like the 3w files were first just base64 encoded.  Then they switched to AES encryption with the following details:

key: "@xyzprinting.com"
cipher: AES/CBC/PKCS5Padding
starting byte: 0x2000
block size: 0x2010

(Source: https://github.com/tai/decrypt-xyz3w)

The result was a zip archive with the gcode inside.  However, that no longer seems to be working.  I tried changing the offset but could not find a value that worked.

They doubled the key size, switched to ECB, and are also not using their weird encryption scheme where you have to restart the padding every 8208 bytes. Also no more zip compression. I'm trying to figure out how the encrypted header works, as the firmware checks that, so I can create an encryptor as well. I'll keep you posted once I've got something in a workable state. I hope I can fix it for the older da Vincis as well, as the AES decryptor that's lying around in some forum posts also has some issues with large (>10k) files, and there is no encryptor.

107 (edited by ChunkLady 2015-12-14 11:21:46)

Re: DaVinci Junior cartridge reset

crgpgh wrote:

In the mean time, here is the information from the three chips I have. It includes the unprotected pages on the chip as well as the password (PWD) I grabbed from I2C. Maybe someone can figure out how the passwords are being generated. My guess is it has to do with some unprotected data on the chip.

Or maybe there is a master password used for new filaments, then it's all overwritten with a password for the specific 3D printer. Has anyone tested Jr. cartridges from one machine to another?

EDIT: I have an NFC shield and new, unused filaments, I can check this myself at some point :)

EDIT (2): thanks for all the work you guys put into this!

108

Re: DaVinci Junior cartridge reset

I thought of that as well. To check it, I captured the I2C traffic on a brand new spool. Only one PWD_AUTH command was sent to the spool and it contained the password in my previous post. I will go back and check the capture to make sure, but it looks like the printer is able to determine the password based on the unprotected pages of the card.

I tried a truncated MD5 hash of the UID. I am going to look at other hashes as well.

Here is the dump of the spool that previously had 82m remaining (original dump in previous post):

PAGE 00: 04 38 DC 68  .8�h
PAGE 01: 22 9A 3D 81  "�=�
PAGE 02: 04 48 00 00  .H..
PAGE 03: E1 10 12 00  �...
PAGE 04: 01 03 A0 0C  ..�.
PAGE 05: 34 03 00 FE  4..�
PAGE 06: 00 00 00 00  ....
PAGE 07: 00 00 00 00  ....
PAGE 08: 5A 50 5A 00  ZPZ.
PAGE 09: 00 35 35 36  .556
PAGE 10: A0 86 01 00  ��..
PAGE 11: A0 86 01 00  ��..
PAGE 12: D2 00 2D 00  �.-.
PAGE 13: 54 48 47 42  THGB
PAGE 14: 30 34 37 39  0479
PAGE 15: 00 00 00 00  ....
PAGE 16: 00 00 00 00  ....
PAGE 17: 34 00 00 00  4...
PAGE 18: 00 00 00 00  ....
PAGE 19: 00 00 00 00  ....
PAGE 20: EC 39 01 00  �9..
PAGE 21: A4 2B 33 54  �+3T
PAGE 22: E4 45 E1 CE  �E��
PAGE 23: FE B4 49 76  ��Iv
PAGE 24: 00 00 00 00  ....
PAGE 25: 00 00 00 00  ....
PAGE 26: 00 00 00 00  ....
PAGE 27: 00 00 00 00  ....
PAGE 28: 00 00 00 00  ....
PAGE 29: 00 00 00 00  ....
PAGE 30: 00 00 00 00  ....
PAGE 31: 00 00 00 00  ....
PAGE 32: 00 00 00 00  ....
PAGE 33: 00 00 00 00  ....
PAGE 34: 00 00 00 00  ....
PAGE 35: 00 00 00 00  ....
PAGE 36: 00 00 00 00  ....
PAGE 37: 00 00 00 00  ....
PAGE 38: 00 00 00 00  ....
PAGE 39: 00 00 00 00  ....
PAGE 40: 00 00 00 BD  ...�
PAGE 41: 07 00 00 08  ....

109 (edited by ChunkLady 2015-12-14 13:02:39)

Re: DaVinci Junior cartridge reset

So, using a few meters of spool and dumping it every meter would probably work?

I guess it's saving either float/double or 2/4-byte fixed-point (8.8/16.16), as it seems to remember decimals when printing.


EDIT:

Here are the differences, based on pages:

Spool Info: Nature,82m remaining out of 100m, PLA
PAGE 08: 5A 50 5A 00  ZPZ.
PAGE 09: 00 35 35 36  .556
PAGE 10: A0 86 01 00  ��..
PAGE 11: A0 86 01 00  ��..
PAGE 14: 30 34 37 39  0479
PAGE 20: AB 41 01 00  �A..
PAGE 21: E3 53 33 54  �S3T
PAGE 22: 25 4D E1 CE  %M��
PAGE 23: BF BC 49 76  ��Iv

Here is a green roll. 200m of 200m, PLA
PAGE 08: 5A 50 50 00  ZPP.
PAGE 09: 00 35 34 54  .54T
PAGE 10: 40 0D 03 00  @...
PAGE 11: 40 0D 03 00  @...
PAGE 14: 30 31 32 33  0123
PAGE 20: 40 0D 03 00  @...
PAGE 21: 08 1F 31 54  ..1T
PAGE 22: 50 B1 E0 CE  P���
PAGE 23: 52 E7 4F 76  R�Ov


Another 200m green roll of PLA:
PAGE 08: 5A 50 50 00  ZPP.
PAGE 09: 00 35 34 54  .54T
PAGE 10: 40 0D 03 00  @...
PAGE 11: 40 0D 03 00  @...
PAGE 14: 30 34 39 35  0495
PAGE 20: 40 0D 03 00  @...
PAGE 21: 08 1F 31 54  ..1T
PAGE 22: 50 B1 E0 CE  P���
PAGE 23: 52 E7 4F 76  R�Ov

* On the 200/200m roll green, PAGE 10+11+20 match
* On the 200/200m roll green(2), PAGE 10+11+20 match
* On the 82/100m roll nature,   PAGE 10+11 match, but does not match with PAGE 20
=> PAGE 20 could be the counter, PAGE 10+11 the roll-length.

Note that PAGE 14 on the two greens does not match - could be a checksum including the unprotected area / pwd.

110 (edited by ChunkLady 2015-12-14 12:48:08)

Re: DaVinci Junior cartridge reset

Okay (sorry for the extra post)

I've got it! The length and meters - take the 82/100 (natural) as example - read with the correct endianness :-)

PAGE 10+11 = read in reverse, convert to decimal:

0x000186a0 => 100000

PAGE 20 => read in reverse, convert to decimal:

0x000141AB  => 82347

Divide by a thousand, and you got your length :-)
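A small decoder for the dump format quoted above, written here as an added example (it is not code from the thread). It applies this post's reading (PAGE 10/11 = total length in mm, PAGE 20 = remaining length in mm, little-endian) and also diffs two dumps page by page, as the previous post did by hand. The sample dumps are constructed from the pages quoted in the thread, with the non-printable ASCII column simplified.

```python
import re
import struct

# Constructed samples: the pages the thread compared, from the "natural"
# (82/100 m) and the first "green" (200/200 m) spool dumps.
NATURAL_DUMP = """\
PAGE 08: 5A 50 5A 00  ZPZ.
PAGE 09: 00 35 35 36  .556
PAGE 10: A0 86 01 00  ....
PAGE 11: A0 86 01 00  ....
PAGE 14: 30 34 37 39  0479
PAGE 20: AB 41 01 00  .A..
"""
GREEN_DUMP = """\
PAGE 08: 5A 50 50 00  ZPP.
PAGE 09: 00 35 34 54  .54T
PAGE 10: 40 0D 03 00  @...
PAGE 11: 40 0D 03 00  @...
PAGE 14: 30 31 32 33  0123
PAGE 20: 40 0D 03 00  @...
"""

# "PAGE nn: XX XX XX XX  ascii" - the ASCII column is ignored.
LINE_RE = re.compile(r"^PAGE\s+(\d+):\s+((?:[0-9A-Fa-f]{2}\s+){3}[0-9A-Fa-f]{2})")


def parse_dump(text):
    """Map page number -> the page's 4 raw bytes."""
    pages = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pages[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return pages


def page_u32_le(pages, n):
    """Read page n as a little-endian uint32 (the 'read in reverse' of the post)."""
    return struct.unpack("<I", pages[n])[0]


def spool_info(pages):
    """Decode the fields the thread identified (interpretation assumed from the post):
    PAGE 08/09 ASCII material/colour code, PAGE 10/11 total mm, PAGE 20 remaining mm."""
    return {
        "material": (pages[8] + pages[9]).replace(b"\x00", b"").decode("ascii"),
        "total_m": page_u32_le(pages, 10) / 1000,
        "remaining_m": page_u32_le(pages, 20) / 1000,
        "pages_10_11_match": pages[10] == pages[11],
    }


def diff_pages(a, b):
    """Page numbers whose contents differ between two dumps of the same layout."""
    return sorted(n for n in a.keys() & b.keys() if a[n] != b[n])


if __name__ == "__main__":
    print(spool_info(parse_dump(NATURAL_DUMP)))
    print(diff_pages(parse_dump(NATURAL_DUMP), parse_dump(GREEN_DUMP)))
```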

111 (edited by sztupy 2015-12-14 13:04:48)

Re: DaVinci Junior cartridge reset

crgpgh wrote:

I thought of that as well. To check it, I captured the I2C traffic on a brand new spool. Only one PWD_AUTH command was sent to the spool and it contained the password in my previous post. I will go back and check the capture to make sure, but it looks like the printer is able to determine the password based on the unprotected pages of the card.

I tried a truncated MD5 hash of the UID. I am going to look at other hashes as well.

Here is the dump of the spool that previously had 82m remaining (original dump in previous post):

PAGE 00: 04 38 DC 68  .8�h
PAGE 01: 22 9A 3D 81  "�=�
PAGE 02: 04 48 00 00  .H..
PAGE 03: E1 10 12 00  �...
PAGE 04: 01 03 A0 0C  ..�.
PAGE 05: 34 03 00 FE  4..�
PAGE 06: 00 00 00 00  ....
PAGE 07: 00 00 00 00  ....
PAGE 08: 5A 50 5A 00  ZPZ.
PAGE 09: 00 35 35 36  .556
PAGE 10: A0 86 01 00  ��..
PAGE 11: A0 86 01 00  ��..
PAGE 12: D2 00 2D 00  �.-.
PAGE 13: 54 48 47 42  THGB
PAGE 14: 30 34 37 39  0479
PAGE 15: 00 00 00 00  ....
PAGE 16: 00 00 00 00  ....
PAGE 17: 34 00 00 00  4...
PAGE 18: 00 00 00 00  ....
PAGE 19: 00 00 00 00  ....
PAGE 20: EC 39 01 00  �9..
PAGE 21: A4 2B 33 54  �+3T
PAGE 22: E4 45 E1 CE  �E��
PAGE 23: FE B4 49 76  ��Iv
PAGE 24: 00 00 00 00  ....
PAGE 25: 00 00 00 00  ....
PAGE 26: 00 00 00 00  ....
PAGE 27: 00 00 00 00  ....
PAGE 28: 00 00 00 00  ....
PAGE 29: 00 00 00 00  ....
PAGE 30: 00 00 00 00  ....
PAGE 31: 00 00 00 00  ....
PAGE 32: 00 00 00 00  ....
PAGE 33: 00 00 00 00  ....
PAGE 34: 00 00 00 00  ....
PAGE 35: 00 00 00 00  ....
PAGE 36: 00 00 00 00  ....
PAGE 37: 00 00 00 00  ....
PAGE 38: 00 00 00 00  ....
PAGE 39: 00 00 00 00  ....
PAGE 40: 00 00 00 BD  ...�
PAGE 41: 07 00 00 08  ....

Maybe they do one round of AES on 4 pages of the public information (or 1 page + PKCS padding), and determine the password based on that? Of course this would only work if the 4 pages of data are not modified at all later, otherwise the password would change. I can try to play with that with the known AES passwords used in the 3w files, maybe they reuse them here.

112 (edited by ChunkLady 2015-12-14 13:25:00)

Re: DaVinci Junior cartridge reset

sztupy wrote:

Maybe they do one round of AES on 4 pages of the public information (or 1 page + PKCS padding), and determine the password based on that? Of course this would only work, if the 4 pages of data are not modified at all later, otherwise the password would change. I can try to play with that with the known AES passwords used in the 3w files, maybe they reuse them here

Problem is, all it takes is one seed string in the firmware, and it's virtually.. well, it's gonna be hard to find.

But, maybe, just maybe, it's possible to order the exact same NFC chip, leave it unencrypted, copy the data over, and then maybe it will pass the authentication even though it doesn't need it. With a small interface (or Arduino NFC shield) they can be reprogrammed for color and length, at will.

I'm thinking a simple NFC sticker would do.

113

Re: DaVinci Junior cartridge reset

ChunkLady wrote:
sztupy wrote:

Maybe they do one round of AES on 4 pages of the public information (or 1 page + PKCS padding), and determine the password based on that? Of course this would only work, if the 4 pages of data are not modified at all later, otherwise the password would change. I can try to play with that with the known AES passwords used in the 3w files, maybe they reuse them here

Problem is, all it takes is one seed string in the firmware, and it's virtually.. well, it's gonna be hard to find.

But, maybe, just maybe, it's possible to order the exact same NFC chip, leave it unencrypted, copy the data over, and then maybe it will pass the authentication even though it doesn't need it. With a small interface (or Arduino NFC shield) they can be reprogrammed for color and length, at will.

I'm thinking a simple NFC sticker would do.

I know it's a long shot, but worth a try :) Especially since it looks like XYZ is preferring security through obscurity instead of properly implementing it (at least based on what they're doing trying to hide the gcode inside their 3w files).

On a related note: did you measure how many times the FW updates the NFC card during printing?

114

Re: DaVinci Junior cartridge reset

sztupy wrote:

They doubled the keysize, switched to ECB, and are also not using their weird encryption scheme where you have to restart the padding every 8208 bytes. Also no more zip compression. I'm trying to figure out how the encrypted header work, as the firmware checks that, so I can create an encryptor as well. I'll keep you posted, once I've got something in a workable state. I hope I can fix it also for the older da vincis as well, as the AES encryptor that's lying around in some forum posts also has some issues with large (>10k) files, and there is no encryptor.

Bah, I can only seem to decrypt the metadata comments at the start of the file. I guess I should leave this to the experts :)

115 (edited by ChunkLady 2015-12-14 21:21:09)

Re: DaVinci Junior cartridge reset

sztupy wrote:

I know it's a long shot, but worth a try :) Especially since it looks like XYZ is preferring security through obscurity instead of properly implementing it (at least based on what they're doing trying to hide the gcode inside their 3w files).

If we can read the content of the NFC (which we can), we can write it to a non-protected NFC (like the one I linked), write the data, and stick it back in without the original NFC. Unless the protocol requires a password to be set when the client tries to connect with a password, it should work.

I'd call that job done. No need to solder - order a 1£ NFC from eBay, open an app and you're good to go. Of course IF we could find the password algorithm.. and the possible seed - that would be great. But imo - if the above works, the job's done.

I ordered 10 of the NFCs to test. If it doesn't work, I can always use them for fun stuff :-)

116

Re: DaVinci Junior cartridge reset

ChunkLady wrote:
sztupy wrote:

I know it's a long shot, but worth a try :) Especially since it looks like XYZ is preferring security through obscurity instead of properly implementing it (at least based on what they're doing trying to hide the gcode inside their 3w files).

If we can read the content of the NFC (which we can), we can write it to a non-protected NFC (like the one I linked), write the data, and stick it back in without the original NFC. Unless the protocol requires a password to be set when the client tries to connect with a password, it should work.

I'd call that job done. No need to solder - order a 1£ NFC from eBay, open an app and you're good to go. Of course IF we could find the password algorithm.. and the possible seed - that would be great. But imo - if the above works, the job's done.

I ordered 10 of the NFCs to test. If it doesn't work, I can always use them for fun stuff :-)

Sounds cool. Hope the stuff arrives fast :)

117

Re: DaVinci Junior cartridge reset

Meanwhile I got the 3w encryptor working, and I'm just printing my first model that was generated with Slic3r instead of XYZWare. The device has no problems parsing it, but I had to mess around a bit with the speed settings, as the defaults are way too fast for the Jr. I had to set it to like 5mm/s, but it looks like it's doing okay for now. I'll keep you posted.

118

Re: DaVinci Junior cartridge reset

It's the same as the "import gcode" option - but better?

119 (edited by sztupy 2015-12-14 23:51:44)

Re: DaVinci Junior cartridge reset

ChunkLady wrote:

It's the same as the "import gcode" option - but better?

I could not really make XYZWare re-export the gcode into a 3w that the device actually accepts (at least on the DVJr). Haven't tried the print option from the app though, as I prefer just moving the files onto the SD card.

120

Re: DaVinci Junior cartridge reset

sztupy wrote:

Meanwhile I got the 3w encryptor working, and I'm just printing my first model that was generated with Slic3r instead of XYZWare. The device has no problems parsing it, but I had to mess around a bit with the speed settings, as the defaults are way too fast for the Jr. I had to set it to like 5mm/s, but it looks like it's doing okay for now. I'll keep you posted.

Printing has finished, and it works just fine printing from the SD card.

121

Re: DaVinci Junior cartridge reset

You guys are awesome! I'm a tech person but I wish I had gotten a computer programming degree also so I could be as familiar with coding as you guys are. Hopefully once everything is set and works someone will post a simple "How To" for those of us without Coding experience.

122

Re: DaVinci Junior cartridge reset

I have some NTAG213's on the way. Should be here Wednesday. I am wondering if it will work as you suggest by not adding a password to the chip. One of us should find out soon. Nice job on the length pages.

How are you doing the 3w encrypting? Python? I am anxious to get my hands on it! I hate having to use a windows machine every time I want to add a design to the sd card.

123

Re: DaVinci Junior cartridge reset

OK it looks like you can't just write a new value to page 20. I tried writing the original value from page 10(11) and the printer complained the spool was unidentified.

124

Re: DaVinci Junior cartridge reset

crgpgh wrote:

OK it looks like you can't just write a new value to page 20. I tried writing the original value from page 10(11) and the printer complained the spool was unidentified.

No, I'm thinking that page 21 or 14 holds the key to that one. But no matter what, you should be able to use 10 meters, then write back the entire old content to the NFC - and then be back where you started.

If possible, try using 1 (one) meter of the filament, and paste another dump of the NFC - that would give an idea of what changes with every use.

It would be neat if you tried the green unused one :-)

125

Re: DaVinci Junior cartridge reset

crgpgh wrote:

I have some NTAG213's on the way. Should be here Wednesday. I am wondering if it will work as you suggest by not adding a password to the chip. One of us should find out soon. Nice job on the length pages.

How are you doing the 3w encrypting? Python? I am anxious to get my hands on it! I hate having to use a windows machine every time I want to add a design to the sd card.

I did this one in Java, but because Java doesn't support AES256 out of the box it's not that straightforward to install. I'm now rewriting it in client-side JavaScript, so I can just post it up on GitHub Pages and everyone can use it (given they have a modern enough browser).