76

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

mjf55 wrote:
Woody565 wrote:

Thanks for your work, nilezon.

Will the website be available for the foreseeable future?

With the algorithm available, how difficult would it be to make a standalone application that can be run without the need for the site?

nilezon created (at least to my eyes) 3 versions of the program: a JavaScript, a C# (I think, as it ends in .cs) and a C version. I am sure, at least for the C version, it can be compiled to a command line version.

But I'll let the more experienced (aka real) programmers chime in.

You're correct wink
A command line app could be made with the .cs or .c file very easily.
I don't think nilezon will take down the website (not by choice anyway); besides, the code is in the public domain now and so it will be out there forever.

77 (edited by nilezon 2017-12-11 06:20:31)

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

Woody565 wrote:

Thanks for your work, nilezon.

Will the website be available for the foreseeable future?

With the algorithm available, how difficult would it be to make a standalone application that can be run without the need for the site?

I have a stand-alone C# app I personally use to create tags. I also have a Lua script to create working tags from NTAG stickers using a Proxmark3. However, I don't think these tools would be very useful to other people.
I see three possible ways forward:
1. Build an Android app to easily create working tags using NTAG stickers. I started but it's not as fun as hacking firmware.
2. Modify rhys' emulator to auto create a random tag on every power cycle. No need to update the "tag" ever again. I believe rhys will have a go at this.
3. Crack the firmware encryption and create a modified firmware that doesn't validate (or update) filament length / NFC tags.

Also, I have heard there's third party web shops that will start selling pre-configured (working) NTAG stickers. That would be a good solution for "common people" (no offence).

78

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

But the last solution is too easy.

79

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

nilezon wrote:

I have a stand-alone C# app I personally use to create tags. I also have a Lua script to create working tags from NTAG stickers using a Proxmark3. However, I don't think these tools would be very useful to other people.
I see three possible ways forward:
1. Build an Android app to easily create working tags using NTAG stickers. I started but it's not as fun as hacking firmware.
2. Modify rhys' emulator to auto create a random tag on every power cycle. No need to update the "tag" ever again.
3. Crack the firmware encryption and create a modified firmware that doesn't validate (or update) filament length / NFC tags. I believe rhys will have a go at this.

Also, I have heard there's third party web shops that will start selling pre-configured (working) NTAG stickers. That would be a good solution for "common people" (no offence).

I would like to see open-source firmware get flashed in. It will not only ignore the NFC tags, but also improve the overall print quality. I RAMPS-converted a Jr. and get much better print quality with a 0.4 mm nozzle; however, after I change the nozzle to 0.5 mm, I get the same quality as the stock Jr. and stock miniMaker print quality.

(Da Vinci 1.0, Jr. 1.0 RAMPS, miniMaker) X4, (Creality CR-10S, CR-10 mini, Ender-3) X4, Anycubic MEGA X4, Anycubic Chrion X1, ADMILAB Gantry X2 (MonoPrice Maker Select V2, Plus, Ultimate)X4--Select mini X1, Anycubic photon X4, Wanhao duplicate D7 X1.
iNSTONE Inventor Pro X2, CTC Dual X2, ANET-A8, Hictop 3DP-11, Solidoodle Press, FLSUN I3 2017X1

80

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

Bozotclown1970 wrote:

But the last solution is too easy.

It will be easier if they sell the tags with filament. smile


81

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

Hello all!

@nilezon: It's been a while now; I had also figured out that mystery key table through reverse engineering. After looking deeper I came across this magic RC5 key which generates a key table like yours. Of course I may be wrong!

So using that magic RC5 key, 915F4619BE41B2516355A50110A9CE91, the Init function of RC5 generates the expanded key table:

#include <stdint.h>

/* void RC5_INIT(unsigned char *Key);  -- expands the 16-byte secret input key into S[] */
const uint32_t S[26] = {
    0x6D835AFC, 0x7D15CD97, 0x0942B409, 0x32F9C923, 0xA811FB02, 0x64F121E8,
    0xD1CC8B4E, 0xE8873E6F, 0x61399BBB, 0xF1B91926, 0xAC661520, 0xA21A31C9,
    0xD424808D, 0xFE118E07, 0xD18E728D, 0xABAC9E17, 0x18066433, 0x00E18E79,
    0x65A77305, 0x5AE9E297, 0x11FC628C, 0x7BB3431F, 0x942A8308, 0xB2F8FD20,
    0x5728B869, 0x30726D5A };

The password key encryption was hard to find out, then I got stuck at the PACK key encryption and gave up.
Well done nilezon, I'm very impressed!


Looking at your code, it's similar to the pseudocode of RC5:

Encryption:
A = A + S[0];
B = B + S[1];

for i = 1 to r do
    A = ((A ⊕ B) <<< B) + S[2i];
    B = ((B ⊕ A) <<< A) + S[2i + 1];

82

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

modfreakz wrote:

Hello all!

@nilezon: It's been a while now; I had also figured out that mystery key table through reverse engineering. After looking deeper I came across this magic RC5 key which generates a key table like yours. Of course I may be wrong!

So using that magic RC5 key, 915F4619BE41B2516355A50110A9CE91, the Init function of RC5 generates the expanded key table:

#include <stdint.h>

/* void RC5_INIT(unsigned char *Key);  -- expands the 16-byte secret input key into S[] */
const uint32_t S[26] = {
    0x6D835AFC, 0x7D15CD97, 0x0942B409, 0x32F9C923, 0xA811FB02, 0x64F121E8,
    0xD1CC8B4E, 0xE8873E6F, 0x61399BBB, 0xF1B91926, 0xAC661520, 0xA21A31C9,
    0xD424808D, 0xFE118E07, 0xD18E728D, 0xABAC9E17, 0x18066433, 0x00E18E79,
    0x65A77305, 0x5AE9E297, 0x11FC628C, 0x7BB3431F, 0x942A8308, 0xB2F8FD20,
    0x5728B869, 0x30726D5A };

The password key encryption was hard to find out, then I got stuck at the PACK key encryption and gave up.
Well done nilezon, I'm very impressed!


Looking at your code, it's similar to the pseudocode of RC5:

Encryption:
A = A + S[0];
B = B + S[1];

for i = 1 to r do
    A = ((A ⊕ B) <<< B) + S[2i];
    B = ((B ⊕ A) <<< A) + S[2i + 1];

Good find!
I did see a key expansion algorithm but I didn't bother to "decode" it.
Also, I did see some unreachable code in the key/pack assembler, so I figured they used some standard algorithm, but I didn't understand it was RC5. Instead I tried to simplify the code as much as possible, removing the unused code and using the expanded integers.
It's very possible the firmware encryption is RC5 as well. Did you have a look at it?

83

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

deko wrote:

Great stuff nilezon, I will donate regardless.
I have a noob question however, hope someone can help:
I own a da Vinci mini, FW 1.2.2. I read my chip and used the NFC key calculator,
got the data (UID, KEY and PACK), but how should I alter the data on the chip using my Android phone?
Downloaded the RFID NFC tool, and got the whole listing out by authenticating with the key; from there I just don't know how and what to change.
Found an example online from a da Vinci Junior, but the data is different. Any help appreciated!


Any help?

84

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

nilezon wrote:

It's very possible the firmware encryption is RC5 as well. Did you have a look at it?

I see that the manufacturer uses weak or outdated security (maybe as a result of hardware limitations?), so it is quite possible that the firmware is RC5 encrypted, packed or uses some kind of XOR mask.

No, I haven't looked yet, but I can do this. Could you or someone else provide all the available firmware files?

85

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

modfreakz wrote:
nilezon wrote:

It's very possible the firmware encryption is RC5 as well. Did you have a look at it?

I see that the manufacturer uses weak or outdated security (maybe as a result of hardware limitations?), so it is quite possible that the firmware is RC5 encrypted, packed or uses some kind of XOR mask.

No, I haven't looked yet, but I can do this. Could you or someone else provide all the available firmware files?

I'm quite sure it's not XOR, and if it's AES it's ECB mode (no IV). Most likely it's not AES though, since it's not available (at hw level) in older DaVinci models. RC5 seems like a good bet.
You can find my clear-text miniMaker dump (fw v1.1.0) here:
http://www.soliforum.com/post/139626/#p139626

86

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

I looked at different encrypted firmware files (offset 0x00) starting with e.g. "dv1J00A000+2.2.6"; I can confirm it's not simply XOR encryption.

At first sight, it reminds me of Blowfish.
But I can say for sure it uses a 128-bit key to encrypt and decrypt data.
Offset 0x10 or the last 16 bytes could contain the MD5 of the decrypted firmware.
And each printer type uses a different encryption key.

More later!

BTW, here is my da Vinci mini w firmware dump from the MX25L3206E SPI chip, read out with a programmer.

87

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

modfreakz wrote:

I looked at different encrypted firmware files (offset 0x00) starting with e.g. "dv1J00A000+2.2.6"; I can confirm it's not simply XOR encryption.

At first sight, it reminds me of Blowfish.
But I can say for sure it uses a 128-bit key to encrypt and decrypt data.
Offset 0x10 or the last 16 bytes could contain the MD5 of the decrypted firmware.
And each printer type uses a different encryption key.

More later!

BTW, here is my da Vinci mini w firmware dump from the MX25L3206E SPI chip, read out with a programmer.

Last 16 bytes of firmware bin is checksum (or similar). I have not been able to figure out how to calculate this though. I've tried most (common) hash algorithms on both encrypted and decrypted fw.

It's a bit weird that in your dump (MiniW v1.2.2) the NFC tag data seems to be stored in a different place than in a previous fw (MiniW v1.0.6). Not sure what to make of this.

88

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

The last firmware update to v1.2.2 took very long; maybe it reorganized something?

Looking at "XYZ.exe" there are very promising strings:

FWcheckHead
FWVersionHead
FWVersion_Aes_Head
FWHeaddata
AESFWHeaddata
MachineModelString
fw_aes128
internet_sha256
aes128_string

Also I now have "dv1MW0A000+1.2.2" (MiniW v1.2.2) encrypted and decrypted firmware.
dv1MW0A000+1.2.2_dec.rar
dv1MW0A000+1.2.2_enc.rar

Analysing them I could quote this:

To figure out which mode of operation you're dealing with, you can submit some plaintexts for encryption and compare the resulting ciphertexts:
ECB mode is easy to detect by submitting a plaintext that consists of the same byte repeated over and over. If the resulting ciphertext repeats with a period of one cipher block (16 bytes = 128 bits for AES), you're definitely dealing with ECB mode. Coincidentally, this also tells you the length of the cipher block, if you don't know it already.


Forget about offset 0x10 which might have an MD5/checksum (or similar); there is nothing!
Yes, only the last 16 bytes of the encrypted firmware seem to have a hash/checksum.
I've also tried a couple of algorithms, no success so far.


Here is an interesting finding in this folder: "C:\Users\USERNAME\AppData\Roaming\Temp"

There are several firmware files from printer updates, also a backup firmware:
- firmware.bin
- firmwarelast.bin

Please check if it is the same for you.

89

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

Please tell me the key. Thank you! http://soliforum.com/i/?ykg3qsG.jpg

90

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

www.nfckey.xyz

UID:  04 63 9D 9A 78 4D 81
KEY:  85 F9 39 01
PACK: 4B 60


91

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

If you provide the bread, they will have bread for one day. If you teach them how to make the bread, they will have bread forever.

92

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

Bozotclown1970 wrote:

If you provide the bread, they will have bread for one day. If you teach them how to make the bread, they will have bread forever.

Provided the link. Very straightforward to make the bread. I try to say as little as possible to avoid complications caused by language issues.


93

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

Bozotclown1970 wrote:

If you provide the bread, they will have bread for one day. If you teach them how to make the bread, they will have bread forever.

How true.  ;-)

94

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

yizhou.he wrote:
Bozotclown1970 wrote:

If you provide the bread, they will have bread for one day. If you teach them how to make the bread, they will have bread forever.

Provided the link. Very straightforward to make the bread. I try to say as little as possible to avoid complications caused by language issues.

Yes, but you also did the work for him. If you do this they will always rely on you to provide the tag information for them. This is a lesson I personally learned the hard way.

95

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

Bozotclown1970 wrote:
yizhou.he wrote:
Bozotclown1970 wrote:

If you provide the bread, they will have bread for one day. If you teach them how to make the bread, they will have bread forever.

Provided the link. Very straightforward to make the bread. I try to say as little as possible to avoid complications caused by language issues.

Yes, but you also did the work for him. If you do this they will always rely on you to provide the tag information for them. This is a lesson I personally learned the hard way.

OK, link only next time.


96

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

yizhou.he wrote:
Bozotclown1970 wrote:
yizhou.he wrote:

Provided the link. Very straightforward to make the bread. I try to say as little as possible to avoid complications caused by language issues.

Yes, but you also did the work for him. If you do this they will always rely on you to provide the tag information for them. This is a lesson I personally learned the hard way.

OK, link only next time.

I have my codes worked out (that's the easy part for me), but still complete silence regarding my question.
Even donated as i hate to leech and run.

97 (edited by yizhou.he 2017-12-21 13:59:15)

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

deko wrote:

I have my codes worked out (that's the easy part for me), but still complete silence regarding my question.
Even donated as i hate to leech and run.

Ok, I was not allowed to give you the answer directly, so here is the link.

http://www.instructables.com/id/XYZ-Da- … eset-Hack/

For Da Vinci mini tag, the length of filament and checksum are different:

http://www.soliforum.com/topic/15815/xy … w-hacking/

What you need is after "2.3 NFC Tag structure"


98

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

Thanks for the great work done in the NTAG project.
I've given you a tip for a couple of beers.

99

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

sicicop wrote:

Thanks for the great work done in the NTAG project.
I've given you a tip for a couple of beers.

Thank you!

100 (edited by docromano 2018-01-02 15:20:28)

Re: XYZprinting Open Source NFC key calculator online: www.nfckey.xyz

Bozotclown1970 wrote:
johnboyjr wrote:

Can anyone give me step-by-step instructions on how to use an NTAG213 sticker with my Android phone? Thanks.


I cannot explain to you how to use the Android application because I do not have an NFC-enabled phone, but the steps are:

1: Get the password by entering the UID on the NFCkey web site
2: Enter the desired length in pages 10 (0A), 11 (0B) and 20 (14) of the tag
3: Enter the password from the NFCkey web page in page 43 (2B) of the tag
4: Enter the PACK code from the NFCkey web page in page 44 (2C) of the tag
5: Write the tag with Android.

@Bozotclown1970

Thanks for that answer, I had the same question. Still I can't figure it out on a Da Vinci Mini:

1. The PACK code is only 2 bytes, instead of four on all the other pages. Is that correct?
2. On an empty tag, do I really only need pages 10, 11, 20, 43 and 44? Because looking at the big thread, there's much more stuff on the tag:

PAGE    DESCRIPTION
00        First part of the UID of the NFC Chip
01        Second part of the UID of the NFC Chip
02        First two bytes are a checksum generated from the serial number. The second two bytes are the lock bytes.
03        The capability container of the chip. Same for all.
04        Always 01 03 A0 0C.
05        Always 34 03 00 FE.
06        Always empty.
07        Always empty.
08        First byte is always 5A. Second byte is the material, which is also stated in the spool's serial number. Third byte is the color of the filament. Last byte is always 00.
09        First two bytes are always 00. Last three bytes are part of the spools serial number when converted to ASCII.
10        Total capacity on the Spool. This has to be the same as Page 11.
11        Total capacity on the Spool. This has to be the same as Page 10.
12        Almost always D2 00 2D 00.
13        First two bytes are almost always 54 48. Last two bytes belong to the spools serial number when converted to ASCII.
14        All bytes belong to the spool serial number when converted to ASCII.
15        Always empty.
16        Always empty.
17        Always 34 00 00 00.
18        Always empty.
19        Always empty.
20        Remaining capacity on the Spool
21        First two bytes hash the count on Page 20. Last byte is always 54.
22        First two bytes hash the count on Page 20. Last byte is always CE.
23        First two bytes hash the count on Page 20. Last byte is always 76.
24        Always empty.
25        Always empty.
26        Always empty.
27        Always empty.
28        Always empty.
29        Always empty.
30        Always empty.
31        Always empty.
32        Always empty.
34        Always empty.
35        Always empty.
36        Always empty.
37        Always empty.
38        Always empty.
39        Always empty.
40        Always 00 00 00 BD.
41        These are configuration bytes, please see the official datasheet of the NTAG213 for information.
42        These are configuration bytes, please see the official datasheet of the NTAG213 for information.
43        Contains the password of the tag.
44        First two bytes are the PACK number. The last two bytes are the RFUI.
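The five steps quoted in this post and the page table above can be turned into a complete tag image and checked against the NTAG213 password mechanism offline. The following block is an added editorial example, not code from this thread, from nilezon's tools or from NXP; it uses the UID, KEY and PACK posted in post 90 as sample data. It builds the 45-page image with the capacity, password and PACK in the pages listed above, fills the read-only UID pages with the BCC bytes a reader would show, and simulates the PWD_AUTH exchange (command byte 0x1B plus the 4-byte password, answered by the tag with its 2-byte PACK, or a NAK), so that the reader-side rule that both the password and the returned PACK must match can be exercised. Assumptions made here: the filament length is written as a little-endian 32-bit value in millimetres, AUTH0 is set to page 10 so every page from there up is write-protected, and the per-length bytes on pages 21 to 23, which this page does not document, are left zero.

```c
/* NTAG213 image (45 pages x 4 bytes) laid out per the page table above, and a
 * simulation of the PWD_AUTH exchange that guards it. Added editorial example;
 * not code from this thread, from nilezon's tools or from NXP. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTAG213_PAGES 45
#define PAGE_CAP_A   0x0A   /* page 10: total capacity */
#define PAGE_CAP_B   0x0B   /* page 11: must equal page 10 */
#define PAGE_REMAIN  0x14   /* page 20: remaining capacity */
#define PAGE_CFG0    0x29   /* page 41: MIRROR, RFUI, MIRROR_PAGE, AUTH0 */
#define PAGE_CFG1    0x2A   /* page 42: ACCESS, RFUI */
#define PAGE_PWD     0x2B   /* page 43: password */
#define PAGE_PACK    0x2C   /* page 44: PACK + two RFUI bytes */
#define CMD_PWD_AUTH 0x1B   /* NTAG21x PWD_AUTH command code */

typedef struct { uint8_t page[NTAG213_PAGES][4]; } ntag213_t;

/* Sample values as posted in this thread (post 90): UID, KEY (= PWD) and PACK. */
const uint8_t SAMPLE_UID[7]  = {0x04,0x63,0x9D,0x9A,0x78,0x4D,0x81};
const uint8_t SAMPLE_PWD[4]  = {0x85,0xF9,0x39,0x01};
const uint8_t SAMPLE_PACK[2] = {0x4B,0x60};

/* Block check characters of the 7-byte UID layout shared by NTAG21x and MIFARE
 * Ultralight: BCC0 covers the cascade tag 0x88 and UID0-2, BCC1 covers UID3-6. */
uint8_t uid_bcc0(const uint8_t uid[7]) { return 0x88 ^ uid[0] ^ uid[1] ^ uid[2]; }
uint8_t uid_bcc1(const uint8_t uid[7]) { return uid[3] ^ uid[4] ^ uid[5] ^ uid[6]; }

static void put_u32le(uint8_t p[4], uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static uint32_t get_u32le(const uint8_t p[4]) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Build a blank image and fill only the fields the five steps touch. Pages 0-2
 * are factory-programmed and read-only on a real sticker; they are filled so the
 * image matches a reader dump. Little-endian length is an assumption; the bytes
 * on pages 21-23 that depend on the length are not documented here and stay zero. */
void ntag213_build(ntag213_t *t, const uint8_t uid[7], uint32_t length,
                   const uint8_t pwd[4], const uint8_t pack[2], uint8_t auth0) {
    memset(t, 0, sizeof *t);
    memcpy(t->page[0], uid, 3);
    t->page[0][3] = uid_bcc0(uid);
    memcpy(t->page[1], uid + 3, 4);
    t->page[2][0] = uid_bcc1(uid);
    put_u32le(t->page[PAGE_CAP_A], length);
    put_u32le(t->page[PAGE_CAP_B], length);
    put_u32le(t->page[PAGE_REMAIN], length);
    t->page[PAGE_CFG0][3] = auth0;      /* AUTH0: first page that requires PWD_AUTH */
    t->page[PAGE_CFG1][0] = 0x00;       /* ACCESS: PROT=0, only writes are protected */
    memcpy(t->page[PAGE_PWD], pwd, 4);
    memcpy(t->page[PAGE_PACK], pack, 2);
}

/* Tag side of PWD_AUTH: command byte 0x1B followed by the 4 password bytes.
 * On a match the tag answers with its 2-byte PACK; otherwise it NAKs (return 0).
 * On a real tag the PWD and PACK pages read back as zeros, so they can only be compared. */
int ntag213_pwd_auth(const ntag213_t *t, const uint8_t cmd[5], uint8_t pack_out[2]) {
    if (cmd[0] != CMD_PWD_AUTH || memcmp(cmd + 1, t->page[PAGE_PWD], 4) != 0) return 0;
    memcpy(pack_out, t->page[PAGE_PACK], 2);
    return 1;
}

/* Reader side: send PWD_AUTH and accept the tag only if the returned PACK is the
 * one the key calculator predicted for this UID. A wrong PWD or a wrong PACK on
 * the sticker both fail, which is why both pages 43 and 44 have to be right. */
int reader_verify(const ntag213_t *t, const uint8_t pwd[4], const uint8_t expect_pack[2]) {
    uint8_t cmd[5] = {CMD_PWD_AUTH}, pack[2];
    memcpy(cmd + 1, pwd, 4);
    return ntag213_pwd_auth(t, cmd, pack) && memcmp(pack, expect_pack, 2) == 0;
}

/* Constructed sample: 240000 mm on the posted UID, password required from page 10 up. */
int sample_tag_ok(void) {
    ntag213_t t;
    const uint8_t wrong_pwd[4] = {0, 0, 0, 0};
    ntag213_build(&t, SAMPLE_UID, 240000u, SAMPLE_PWD, SAMPLE_PACK, PAGE_CAP_A);
    return reader_verify(&t, SAMPLE_PWD, SAMPLE_PACK)
        && !reader_verify(&t, wrong_pwd, SAMPLE_PACK)
        && get_u32le(t.page[PAGE_REMAIN]) == 240000u;
}

int main(void) {
    ntag213_t t;
    ntag213_build(&t, SAMPLE_UID, 240000u, SAMPLE_PWD, SAMPLE_PACK, PAGE_CAP_A);
    for (int p = 0; p < NTAG213_PAGES; p++)
        printf("%02X: %02X %02X %02X %02X\n", p, t.page[p][0], t.page[p][1], t.page[p][2], t.page[p][3]);
    return sample_tag_ok() ? 0 : 1;
}
```

The dump printed by main is in the same page/hex form the Android tools show, so it can be compared page by page with a read of a real sticker; the security point it makes visible is that the whole protection rests on a 4-byte password and 2-byte PACK that are both a function of the public UID.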