1 Topic by nilezon

  • nilezon
  • Member
  • Offline
  • Registered: 2017-10-18
  • Posts: 102

Topic: DaVinci Mini JTAG access

Success at last!
I have successfully soldered a JTAG (actually SWD) to my Da Vinci MiniMaker.
XYZ could easily have disabled remote debugging, but obviously they didn't :-)
With a Atmel-ICE device I can now dump/write flash, read/modify ALL memory, single step instructions, etc.

I'm pretty new to all this low level hardware hacking, but hopefully I can dump the AES (ECB) firmware key and also figure out the NFC algorithm. Stay tuned as I try to learn both Atmel Studio and some assembler programming.

I'll attach some pictures and a flash dump, for all you non-believers (I'm looking at you cgrillo).

Post's attachments

Atmel-ICE.jpg
Atmel-ICE.jpg 129.36 kb, 1 downloads since 2017-11-07 

AtmelStudioScreen.jpg
AtmelStudioScreen.jpg 786.52 kb, 5 downloads since 2017-11-07 

DaVinci-pcb.jpg
DaVinci-pcb.jpg 235.28 kb, 3 downloads since 2017-11-07 

MiniMaker-dump.bin 512 kb, 56 downloads since 2017-11-07 

You don't have the permssions to download the attachments of this post.

2 Reply by Bozotclown1970

  • Bozotclown1970
  • Bozotclown1970
  • Member
  • Offline
  • From: USA
  • Registered: 2016-01-05
  • Posts: 1,516

Re: DaVinci Mini JTAG access

Looks a little funny compared to a JR 2.2.0 bin file

http://soliforum.com/i/?nqnCJOB.jpg

3 Reply by nilezon (edited by nilezon 2017-11-07 22:19:21)

  • nilezon
  • Member
  • Offline
  • Registered: 2017-10-18
  • Posts: 102

Re: DaVinci Mini JTAG access

Bozotclown1970 wrote:

Looks a little funny compared to a JR 2.2.0 bin file

http://soliforum.com/i/?nqnCJOB.jpg

Isn't the JR using a Cortex M3?
The Mini (and Mini Maker) is using a Cortex M4 (ATSAM4E8E) processor.

Edit: Oh, and your image is showing the AES ECB encrypted fw file. The file I attached is a raw flash dump directly from the processor.

4 Reply by Bozotclown1970

  • Bozotclown1970
  • Bozotclown1970
  • Member
  • Offline
  • From: USA
  • Registered: 2016-01-05
  • Posts: 1,516

Re: DaVinci Mini JTAG access

You are probably correct, but I would have thought XYZ would have setup some standards for their firmware with just minor changes between models.

5 Reply by carl_m1968

  • carl_m1968
  • carl_m1968
  • Member
  • Offline
  • From: Far North almost not Dallas
  • Registered: 2014-10-17
  • Posts: 6,512

Re: DaVinci Mini JTAG access

nilezon wrote:
Bozotclown1970 wrote:

Looks a little funny compared to a JR 2.2.0 bin file

http://soliforum.com/i/?nqnCJOB.jpg

Isn't the JR using a Cortex M3?
The Mini (and Mini Maker) is using a Cortex M4 (ATSAM4E8E) processor.

Edit: Oh, and your image is showing the AES ECB encrypted fw file. The file I attached is a raw flash dump directly from the processor.


Are you able to decompile the BIN file? Unless you can do that it really won't make much progress. Changes need to be made in that file as it is the compiled version of the Firmware they use. The other issue is once it is decompiled do we even know what firmware is and what it takes to edit it? Flash dumps are easy, decompiling and getting/knowing the key and software they used to compile is the tricky part. Of course now that you have the BIN, you can use it in the event you trash the firmware playing around with it. You also need to be careful not to trash the bootloader or your board will be useless unless you find a way to dump it as well. It is usually programmed to a protected block though.

Printing since 2009 and still love it!
Anycubic 4MAX best $225 ever invested.
Voxelabs Proxima SLA. 6 inch 2k Mono LCD.
Anycubic Predator, massive Delta machine. 450 x 370 print envelope.

6 Reply by yizhou.he

  • yizhou.he
  • yizhou.he
  • Member
  • Offline
  • From: Boston, MA
  • Registered: 2017-07-05
  • Posts: 1,322

Re: DaVinci Mini JTAG access

Can this be used to downgrade firmware?

(Da Vinci 1.0, Jr. 1.0 RAMPS, miniMaker) X4, (Creality CR-10S, CR-10 mini, Ender-3) X4, Anycubic MEGA X4, Anycubic Chrion X1, ADMILAB Gantry X2 (MonoPrice Maker Select V2, Plus, Ultimate)X4--Select mini X1, Anycubic photon X4, Wanhao duplicate D7 X1.
iNSTONE Inventor Pro X2, CTC Dual X2, ANET-A8, Hictop 3DP-11, Solidoodle Press, FLSUN I3 2017X1

7 Reply by nilezon

  • nilezon
  • Member
  • Offline
  • Registered: 2017-10-18
  • Posts: 102

Re: DaVinci Mini JTAG access

carl_m1968 wrote:

Are you able to decompile the BIN file? Unless you can do that it really won't make much progress. Changes need to be made in that file as it is the compiled version of the Firmware they use. The other issue is once it is decompiled do we even know what firmware is and what it takes to edit it? Flash dumps are easy, decompiling and getting/knowing the key and software they used to compile is the tricky part. Of course now that you have the BIN, you can use it in the event you trash the firmware playing around with it. You also need to be careful not to trash the bootloader or your board will be useless unless you find a way to dump it as well. It is usually programmed to a protected block though.

I can disassemble it. It is a huge progress since I can single step/debug the code. I can also modify and flash back, or write my own homebrew firmware. I have full development access to the device, using the same hardware and software as XYZ did when they created the board and firmware.
There is no way I can brick the device now, since I can read/write bootloader as well.

8 Reply by nilezon

  • nilezon
  • Member
  • Offline
  • Registered: 2017-10-18
  • Posts: 102

Re: DaVinci Mini JTAG access

yizhou.he wrote:

Can this be used to downgrade firmware?

Yes, but what's the point in doing that, since I'm having a MiniMaker?

9 Reply by yizhou.he (edited by yizhou.he 2017-11-08 15:18:43)

  • yizhou.he
  • yizhou.he
  • Member
  • Offline
  • From: Boston, MA
  • Registered: 2017-07-05
  • Posts: 1,322

Re: DaVinci Mini JTAG access

nilezon wrote:
yizhou.he wrote:

Can this be used to downgrade firmware?

Yes, but what's the point in doing that, since I'm having a MiniMaker?

Can you do the same thing to Jr.? they use same processor ATSAM4E8E - the Cortex-M4

http://www.soliforum.com/topic/13769/da … tier-port/

(Da Vinci 1.0, Jr. 1.0 RAMPS, miniMaker) X4, (Creality CR-10S, CR-10 mini, Ender-3) X4, Anycubic MEGA X4, Anycubic Chrion X1, ADMILAB Gantry X2 (MonoPrice Maker Select V2, Plus, Ultimate)X4--Select mini X1, Anycubic photon X4, Wanhao duplicate D7 X1.
iNSTONE Inventor Pro X2, CTC Dual X2, ANET-A8, Hictop 3DP-11, Solidoodle Press, FLSUN I3 2017X1

10 Reply by nilezon

  • nilezon
  • Member
  • Offline
  • Registered: 2017-10-18
  • Posts: 102

Re: DaVinci Mini JTAG access

yizhou.he wrote:
nilezon wrote:
yizhou.he wrote:

Can this be used to downgrade firmware?

Yes, but what's the point in doing that, since I'm having a MiniMaker?

Can you do the same thing to Jr.? they use same processor ATSAM4E8E - the Cortex-M4

http://www.soliforum.com/topic/13769/da … tier-port/

Yes, you can probably do this to any DaVinci printer. All you need to do is soldering six cables to the board and buy an Atmel-ICE.

11 Reply by yizhou.he

  • yizhou.he
  • yizhou.he
  • Member
  • Offline
  • From: Boston, MA
  • Registered: 2017-07-05
  • Posts: 1,322

Re: DaVinci Mini JTAG access

http://soliforum.com/i/?znaL2gg.jpg

solder to the spot right next to the AMTEL chip?

(Da Vinci 1.0, Jr. 1.0 RAMPS, miniMaker) X4, (Creality CR-10S, CR-10 mini, Ender-3) X4, Anycubic MEGA X4, Anycubic Chrion X1, ADMILAB Gantry X2 (MonoPrice Maker Select V2, Plus, Ultimate)X4--Select mini X1, Anycubic photon X4, Wanhao duplicate D7 X1.
iNSTONE Inventor Pro X2, CTC Dual X2, ANET-A8, Hictop 3DP-11, Solidoodle Press, FLSUN I3 2017X1

12 Reply by Bozotclown1970

  • Bozotclown1970
  • Bozotclown1970
  • Member
  • Offline
  • From: USA
  • Registered: 2016-01-05
  • Posts: 1,516

Re: DaVinci Mini JTAG access

http://soliforum.com/i/?gGkx4tT.jpg

13 Reply by Bozotclown1970

  • Bozotclown1970
  • Bozotclown1970
  • Member
  • Offline
  • From: USA
  • Registered: 2016-01-05
  • Posts: 1,516

Re: DaVinci Mini JTAG access

nilezon wrote:
yizhou.he wrote:
nilezon wrote:

Yes, but what's the point in doing that, since I'm having a MiniMaker?

Can you do the same thing to Jr.? they use same processor ATSAM4E8E - the Cortex-M4

http://www.soliforum.com/topic/13769/da … tier-port/

Yes, you can probably do this to any DaVinci printer. All you need to do is soldering six cables to the board and buy an Atmel-ICE.


Man those things are expensive!

14 Reply by yizhou.he

  • yizhou.he
  • yizhou.he
  • Member
  • Offline
  • From: Boston, MA
  • Registered: 2017-07-05
  • Posts: 1,322

Re: DaVinci Mini JTAG access

OMG, you are so right, it cost more than my Jr.

(Da Vinci 1.0, Jr. 1.0 RAMPS, miniMaker) X4, (Creality CR-10S, CR-10 mini, Ender-3) X4, Anycubic MEGA X4, Anycubic Chrion X1, ADMILAB Gantry X2 (MonoPrice Maker Select V2, Plus, Ultimate)X4--Select mini X1, Anycubic photon X4, Wanhao duplicate D7 X1.
iNSTONE Inventor Pro X2, CTC Dual X2, ANET-A8, Hictop 3DP-11, Solidoodle Press, FLSUN I3 2017X1

15 Reply by nilezon (edited by nilezon 2017-11-08 22:48:28)

  • nilezon
  • Member
  • Offline
  • Registered: 2017-10-18
  • Posts: 102

Re: DaVinci Mini JTAG access

yizhou.he wrote:

OMG, you are so right, it cost more than my Jr.

You can by it for ~€50.
For example:
http://shop.myavr.com/systemboards%20an … tID=200142

https://octopart.com/atatmel-ice-pcba-m … p-77759566

Or you can buy a Segger J-Link EDU Mini for €15, it will also work.
https://www.segger.com/products/debug-p … -edu-mini/

16 Reply by nilezon (edited by nilezon 2017-11-13 22:01:00)

  • nilezon
  • Member
  • Offline
  • Registered: 2017-10-18
  • Posts: 102

Re: DaVinci Mini JTAG access

Quick update: NXP chip flash and memory dumped. Now I just need to figure out where the key algorithm is.
The NXP chip is controlling the NFC reader.

17 Reply by modfreakz

  • modfreakz
  • modfreakz
  • Member
  • Offline
  • Registered: 2017-12-02
  • Posts: 199

Re: DaVinci Mini JTAG access

Im going to buy one of this Atmel-ICE device. Do I need something else?

What about software?

18 Reply by nilezon

  • nilezon
  • Member
  • Offline
  • Registered: 2017-10-18
  • Posts: 102

Re: DaVinci Mini JTAG access

modfreakz wrote:

Im going to buy one of this Atmel-ICE device. Do I need something else?

What about software?

You probably shouldn't.
The Atmel-ICE can only be used with Atmel chips.
I had to buy an additional J-Link Edu to dump the NFC chip (from NXP).

I think you can use a "J-Link EDU Mini" for all chips on these printers, and it's very cheap (less than $20).

Atmel-ICE uses "Atmel Studio". J-Link devices works with a variety of software, I tried "Segger Ozone" and liked it.

19 Reply by modfreakz (edited by modfreakz 2017-12-14 21:34:17)

  • modfreakz
  • modfreakz
  • Member
  • Offline
  • Registered: 2017-12-02
  • Posts: 199

Re: DaVinci Mini JTAG access

As far as I understand, the firmware is stored after update in Atmel ATSAM4E8E and in MX25L3206E SPI ?
Removing the SPI chip or downgrading the firmware on SPI chip make no difference, the firmware in Atmel always starts.

I need something to change/delete/reflash firmware inside Atmel.
Is the recommended device "J-Link EDU Mini" sufficient for this?

Sorry Im also new on this low level hardware hacking, but I learning fast.  ;-)

20 Reply by nilezon

  • nilezon
  • Member
  • Offline
  • Registered: 2017-10-18
  • Posts: 102

Re: DaVinci Mini JTAG access

modfreakz wrote:

As far as I understand, the firmware is stored after update in Atmel ATSAM4E8E and in MX25L3206E SPI ?
Removing the SPI chip or downgrading the firmware on SPI chip make no difference, the firmware in Atmel always starts.

I need something to change/delete/reflash firmware inside Atmel.
Is the recommended device "J-Link EDU Mini" sufficient for this?

Sorry Im also new on this low level hardware hacking, but I learning fast.  ;-)

The ATSAM4E8E is the main chip of the printer and contains it's own firmware.
The eeprom MX25L3206E is an external "storage" used by ATSAM4E8E to cache the decrypted firmware before updating. It is also used to store known NFC tag details. No code is every run on or from MX25L3206E, it's just storage (a bit simplified).

To read/write/debug the ATSAM4E8E you need to connect using JTAG or SWD. SWD is easier since it's fewer cables to solder.
You can probably use any SWD reader that support Atmel ATSAM4E8E, including Atmel-ICE and all J-Link debuggers. You can probably also use a BusPirate or other generic SWD device.
So for I have only used Atmel-ICE and J-Link EDU (not Mini), but I'm quite sure the J-Link EDU Mini works as well.

21 Reply by modfreakz

  • modfreakz
  • modfreakz
  • Member
  • Offline
  • Registered: 2017-12-02
  • Posts: 199

Re: DaVinci Mini JTAG access

ok ordered "J-Link EDU Mini" and spare ATSAM4E8E ICs (I can solder them easily)

Stupid idea. Why we can't erase the flash and program the decrypted firmware, since we have it?

22 Reply by nilezon

  • nilezon
  • Member
  • Offline
  • Registered: 2017-10-18
  • Posts: 102

Re: DaVinci Mini JTAG access

modfreakz wrote:

ok ordered "J-Link EDU Mini" and spare ATSAM4E8E ICs (I can solder them easily)

Stupid idea. Why we can't erase the flash and program the decrypted firmware, since we have it?

We can. I have downgraded fw this way

23 Reply by yizhou.he

  • yizhou.he
  • yizhou.he
  • Member
  • Offline
  • From: Boston, MA
  • Registered: 2017-07-05
  • Posts: 1,322

Re: DaVinci Mini JTAG access

Hi, nilezon, Can this be used to decompile the firmware?

https://github.com/avast-tl/retdec

(Da Vinci 1.0, Jr. 1.0 RAMPS, miniMaker) X4, (Creality CR-10S, CR-10 mini, Ender-3) X4, Anycubic MEGA X4, Anycubic Chrion X1, ADMILAB Gantry X2 (MonoPrice Maker Select V2, Plus, Ultimate)X4--Select mini X1, Anycubic photon X4, Wanhao duplicate D7 X1.
iNSTONE Inventor Pro X2, CTC Dual X2, ANET-A8, Hictop 3DP-11, Solidoodle Press, FLSUN I3 2017X1

24 Reply by nilezon

  • nilezon
  • Member
  • Offline
  • Registered: 2017-10-18
  • Posts: 102

Re: DaVinci Mini JTAG access

yizhou.he wrote:

Hi, nilezon, Can this be used to decompile the firmware?

https://github.com/avast-tl/retdec


Should work, yes.
I tried the online version and it timed out :-(


https://retdec.com/decompilation/
Use the dump (first post).
Select Raw machine code, ARM and Little endian.
Entry address: 0x00000000
VM address: 0x20000000

25 Reply by yizhou.he

  • yizhou.he
  • yizhou.he
  • Member
  • Offline
  • From: Boston, MA
  • Registered: 2017-07-05
  • Posts: 1,322

Re: DaVinci Mini JTAG access

nilezon wrote:

Should work, yes.
I tried the online version and it timed out :-(


https://retdec.com/decompilation/
Use the dump (first post).
Select Raw machine code, ARM and Little endian.
Entry address: 0x00000000
VM address: 0x20000000

Thank you very much for the information, the readme file mentioned it use lots of memory, so I'm downloading the standalone version. I'm sure it will end up with codes that I don't necessary understood, but it is fun to see if I can compile it back.

(Da Vinci 1.0, Jr. 1.0 RAMPS, miniMaker) X4, (Creality CR-10S, CR-10 mini, Ender-3) X4, Anycubic MEGA X4, Anycubic Chrion X1, ADMILAB Gantry X2 (MonoPrice Maker Select V2, Plus, Ultimate)X4--Select mini X1, Anycubic photon X4, Wanhao duplicate D7 X1.
iNSTONE Inventor Pro X2, CTC Dual X2, ANET-A8, Hictop 3DP-11, Solidoodle Press, FLSUN I3 2017X1