wingnutmedia wrote: I just got the Jr. for xmas, so a total noob at 3D printing, but familiar with G-Code on my homebrew CNC. Anyway, congratulations to crcasey and Alien_ant_farm for the progress and status! Is there an 'easy' list of parts and programming needed to accomplish the 200m reset?
ex:
1. get part (nfc reader)
2. use arm/arduino/etc to push code to nfc
3. Print like a free man/person.
I am sure everyone would appreciate a nice writeup or howto on this process. Thanks again!
The first thing you need to do is open the left side of your printer; this will give you access to the NFC reader board. The onboard microcontroller uses 400 kHz I2C to talk to this chip.
The Bus Pirate is not fast enough and does not have a deep enough buffer to capture the password on the NFC chip. The Saleae Logic 4 is about the cheapest logic analyser you would buy; there may be some knock-offs of this product.
With that in hand, you use the pinout Crgpgh posted to grab the two channels of clock and data.
Pin 2 - Ground
Pin 5 - Data
Pin 6 - Clock
Hook it up, start the logic capture, power up the printer. In about 10 seconds the capture is done; use the logic software to decode the I2C and search for the value 1B in the data stream. The following 4 returned bytes are the NFC chip password. I2C has to do two writes to get a read back; don't get confused.
Now you need an NFC writer. I think the people that have captured dumps here are all using an Arduino and the Adafruit NFC shield, splicing Crgpgh's password authentication patch into the Adafruit library.
If you don't know C, this may be beyond your range.
Next you modify the example reader sketch to send the password to the chip, and read and dump the contents of your spool chip.
Finally you use a sketch to write the blocks you want back to the RFC chip. The blocks you want are 8-11 and 20-23. Replacing those blocks from any spool with any other set from another spool will let you clone it.
It may not be as simple as you would wish, but I am sure we could post the hacked library and the sketches somewhere.
Good luck, maybe someone will figure out how to decode the password from the unprotected blocks, then someone could just write a smartphone spool reset program. In the meantime this is the hack.
Finally, the more unused spools we dump the larger the set of 'blanks' we can clone from. So sniff those new spools of PLA, once you know what they smell like, read the chip and post the data here. The last reason to dump the fresh spool is that it fixes one variable of the encryption hash of the length to a known number. To put it another way, it would greatly simplify hunting for the keys to not need an I2C logic sniffer.
Let me be clear here: I am not the source of this hack; the 1B hack was prior work of another hacker.
Thanks!
-Cecil