451

Re: DaVinci Junior cartridge reset

Hi

Is there anyone willing to hack me a drum if I pay you? I can send you a few drums if you need them. I'd be very grateful if someone can help us out.

I can send you a load; you can keep the rest, hack the RFID and sell them on eBay to other users that cannot hack the RFID themselves.

Hope someone is willing to help. Many thanks.

Pete

452

Re: DaVinci Junior cartridge reset

charleshyman wrote:

Hi guys.

The idea of locking page 20 occurred to me a while ago... sounds good until you realize that an attempt to write to that page would generate a write error resulting in an NACK or Error ACK from the card, sending you down the "SPOOL ERROR" path.

The key here is to be able to generate our own tags cheap and quick using a $0.10 paper NTAG213 you can get on Amazon.

The stumbling block is the password algorithm.  But, don't get depressed, I have a plan.

If I can control the UID sent to the printer I can then see the generated response. If I sent a uid of 00 00 00 00 00 00 00 or FF FF FF FF FF FF FF the password generated from that would yield a lot of progress toward cracking the algorithm.

The NTAG213 does not allow you to set the UID; this is both good and bad for us.  It's good because if we can't set the UID, XYZ can't do it either and the algorithm must accommodate factory-set UID codes.

My plan is to use my PN532 in TARGET mode, and on the RASPBERRY PI, I will write the code necessary to EMULATE a NTAG213.
Not for the purpose of spoofing a tag, but with the goal of cracking the algorithm.  I will be able to see the effects that the UID bytes have directly on the Password string and hopefully this will yield the pattern necessary to crack it.

I will be very annoyed if it turns out to be a simple algorithm.

wish me luck.

Good luck and godspeed charleshyman, I was just thinking about the exact same thing.  It would be worth being annoyed to have the "paper NTAG213" option.

Thanks to all who have dedicated time and effort to this process. I signed up on this forum (normally just a lurker) to say that I appreciate everything that has been done.  You know who is awesome?  You are.

453

Re: DaVinci Junior cartridge reset

charleshyman wrote:

Hi guys.

The idea of locking page 20 occurred to me a while ago... sounds good until you realize that an attempt to write to that page would generate a write error resulting in an NACK or Error ACK from the card, sending you down the "SPOOL ERROR" path.

The key here is to be able to generate our own tags cheap and quick using a $0.10 paper NTAG213 you can get on Amazon.

The stumbling block is the password algorithm.  But, don't get depressed, I have a plan.

If I can control the UID sent to the printer I can then see the generated response. If I sent a uid of 00 00 00 00 00 00 00 or FF FF FF FF FF FF FF the password generated from that would yield a lot of progress toward cracking the algorithm.

The NTAG213 does not allow you to set the UID; this is both good and bad for us.  It's good because if we can't set the UID, XYZ can't do it either and the algorithm must accommodate factory-set UID codes.

My plan is to use my PN532 in TARGET mode, and on the RASPBERRY PI, I will write the code necessary to EMULATE a NTAG213.
Not for the purpose of spoofing a tag, but with the goal of cracking the algorithm.  I will be able to see the effects that the UID bytes have directly on the Password string and hopefully this will yield the pattern necessary to crack it.

I will be very annoyed if it turns out to be a simple algorithm.

wish me luck.

Thank you for working on it. I cannot pay for all the stuff to reset a chip; hope this works.

Not sure if this helps at all, but has anyone noticed that if you take a spool off and just hold up the chip to the reader and go to spool info, it shows it? Then if you go back to the main menu, hold up a different chip and go back to the spool info, it shows you the info for that one. So it must read the password every time you go to spool info too. That's probably worthless.

454

Re: DaVinci Junior cartridge reset

crgpgh wrote:

Been busy with work and such but I did fork the Adafruit library on github.com and merged the method for authenticating.

Should make it a little easier for people just getting started.

https://github.com/chrisgrill/Adafruit-PN532

I sent them a pull request so maybe it will get merged into their library at some point.

As for some of the questions recently regarding the password, it would seem that the password is generated based on the serial number of the NTAG213 chip and a key. It seems doubtful it has anything to do with the serial number of the printer.

The more people capture the passwords and post both the password and the unprotected information on their NTAG213 chip, the closer we will get to someone cracking the password generation.

I tried using this to get the info off my card but at line 113 it fails to compile 'class adafruit_PN532' has no member named 'ntag2xx_authenticate'

I may sound like a complete noob here and I admit I am but this is my first time using an Arduino and I'm by no means a programmer so any help will be appreciated

455

Re: DaVinci Junior cartridge reset

Let's take this offline and I will help you. I will PM you.

456

Re: DaVinci Junior cartridge reset

indeskize85 wrote:
crgpgh wrote:

Been busy with work and such but I did fork the Adafruit library on github.com and merged the method for authenticating.

Should make it a little easier for people just getting started.

https://github.com/chrisgrill/Adafruit-PN532

I sent them a pull request so maybe it will get merged into their library at some point.

As for some of the questions recently regarding the password, it would seem that the password is generated based on the serial number of the NTAG213 chip and a key. It seems doubtful it has anything to do with the serial number of the printer.

The more people capture the passwords and post both the password and the unprotected information on their NTAG213 chip, the closer we will get to someone cracking the password generation.

I tried using this to get the info off my card but at line 113 it fails to compile 'class adafruit_PN532' has no member named 'ntag2xx_authenticate'

I may sound like a complete noob here and I admit I am but this is my first time using an Arduino and I'm by no means a programmer so any help will be appreciated

Did you get this resolved? I tested here and it seems ok.

Did you have a version of the library installed previously?

457

Re: DaVinci Junior cartridge reset

I will gladly refill (rewrite) your used tags for free. PM me for the details and I will turn them around back to you the next day.

I am doing this as an aid to helping crack the thing!!!

Chas

458

Re: DaVinci Junior cartridge reset

Has anyone actually tried resetting a tag for a different printer? If the password is calculated from an internal serial number or something, I would think the passwords would not be the same on any two printers. I may be off base here, just thinking out loud.

459

Re: DaVinci Junior cartridge reset

crgpgh wrote:
indeskize85 wrote:
crgpgh wrote:

Been busy with work and such but I did fork the Adafruit library on github.com and merged the method for authenticating.

Should make it a little easier for people just getting started.

https://github.com/chrisgrill/Adafruit-PN532

I sent them a pull request so maybe it will get merged into their library at some point.

As for some of the questions recently regarding the password, it would seem that the password is generated based on the serial number of the NTAG213 chip and a key. It seems doubtful it has anything to do with the serial number of the printer.

The more people capture the passwords and post both the password and the unprotected information on their NTAG213 chip, the closer we will get to someone cracking the password generation.

I tried using this to get the info off my card but at line 113 it fails to compile 'class adafruit_PN532' has no member named 'ntag2xx_authenticate'

I may sound like a complete noob here and I admit I am but this is my first time using an Arduino and I'm by no means a programmer so any help will be appreciated

Did you get this resolved? I tested here and it seems ok.

Did you have a version of the library installed previously?

Yes, I did get this resolved. I'm still having an issue capturing my passwords, but that is most likely me, not the sketch; it's just that the passwords I thought I got from my logic analyzer are not working, so time to try again.

460 (edited by Bozotclown1970 2016-02-12 19:52:39)

Re: DaVinci Junior cartridge reset

The Arduino is not used at all for capturing the password, just the logic analyzer. So there is no sketch involved.

As Chris mentioned in an earlier post, you look through the data from your logic analyzer for the first 1B. The password will follow. Here is what I got from one of my cards. I placed bold on the pertinent data.

0x1B + ACK
Setup Write to [0x50] + ACK
0x09 + ACK
0x81 + ACK
Setup Write to [0x50] + ACK
0x09 + ACK
0x7B + ACK
Setup Write to [0x50] + ACK
0x09 + ACK
0xE8 + ACK
Setup Write to [0x50] + ACK
0x09 + ACK
0xC1 + ACK

461

Re: DaVinci Junior cartridge reset

Bozotclown1970 wrote:

Has anyone actually tried resetting a tag for a different printer? If the password is calculated from an internal serial number or something, I would think the passwords would not be the same on any two printers. I may be off base here, just thinking out loud.

I did not see a command to set a password before the machine tried to authenticate.

In every instance it seems to pass the password the first time.

This is why it looks like the printer is able to take unprotected information from the tag and derive the password.

462

Re: DaVinci Junior cartridge reset

So, hypothetically, what all copper traces on the PCB would need to be traced back? Just the ones that go to all the different connectors?

I'd be willing to take a crack at tracing some pins back to the processor.

463

Re: DaVinci Junior cartridge reset

c0deater wrote:

So, hypothetically, what all copper traces on the PCB would need to be traced back? Just the ones that go to all the different connectors?

I'd be willing to take a crack at tracing some pins back to the processor.

All 3 axis stepper controllers, extruder stepper controller, all the end stops/feed detectors, hot end temp sensor, heater control, and lights if possible. The LCD, I understand, is goofy, but we should be able to figure it out.

464 (edited by indeskize85 2016-02-13 18:34:12)

Re: DaVinci Junior cartridge reset

Transparent. It was the original chip with the printer. Only 2M left.

PW=D4, AD, BD, 79

Found an ISO14443A card
  UID Length: 7 bytes
  UID Value: 0x04 0xCF 0xCB 0x2A 0x97 0x3C 0x80

Seems to be an NTAG2xx tag (7 byte UID)
PAGE 00: 04 CF CB 88  .Ïˈ
PAGE 01: 2A 97 3C 80  *—<€
PAGE 02: 01 48 00 00  .H..
PAGE 03: E1 10 12 00  á...
PAGE 04: 01 03 A0 0C  .. .
PAGE 05: 34 03 00 FE  4..þ
PAGE 06: 00 00 00 00  ....
PAGE 07: 00 00 00 00  ....
PAGE 08: 5A 50 5A 00  ZPZ.
PAGE 09: 00 35 33 44  .53D
PAGE 10: A0 86 01 00   †..
PAGE 11: A0 86 01 00   †..
PAGE 12: D2 00 2D 00  Ò.-.
PAGE 13: 54 48 47 42  THGB
PAGE 14: 30 33 33 34  0334
PAGE 15: 00 00 00 00  ....
PAGE 16: 00 00 00 00  ....
PAGE 17: 34 00 00 00  4...
PAGE 18: 00 00 00 00  ....
PAGE 19: 00 00 00 00  ....
PAGE 20: 54 08 00 00  T...
PAGE 21: 1C 1A 32 54  ..2T
PAGE 22: 4C B4 E3 CE  L´ãÎ
PAGE 23: 66 FA 4A 76  fúJv
PAGE 24: 00 00 00 00  ....
PAGE 25: 00 00 00 00  ....
PAGE 26: 00 00 00 00  ....
PAGE 27: 00 00 00 00  ....
PAGE 28: 00 00 00 00  ....
PAGE 29: 00 00 00 00  ....
PAGE 30: 00 00 00 00  ....
PAGE 31: 00 00 00 00  ....
PAGE 32: 00 00 00 00  ....
PAGE 33: 00 00 00 00  ....
PAGE 34: 00 00 00 00  ....
PAGE 35: 00 00 00 00  ....
PAGE 36: 00 00 00 00  ....
PAGE 37: 00 00 00 00  ....
PAGE 38: 00 00 00 00  ....
PAGE 39: 00 00 00 00  ....
PAGE 40: 00 00 00 BD  ...½
PAGE 41: 07 00 00 08  ....
PAGE 42: 80 05 00 00  €...
PAGE 43: 00 00 00 00  ....
PAGE 44: 00 00 00 00  ....

465

Re: DaVinci Junior cartridge reset

You guys are the greatest, I was able to reset my chips. Now to make a wood companion cube!

466

Re: DaVinci Junior cartridge reset

What was the color of the tag you posted? I am keeping a spreadsheet of tag info.

467

Re: DaVinci Junior cartridge reset

Bozotclown1970 wrote:

What was the color of the tag you posted? I am keeping a spreadsheet of tag info.


Sorry, I did not see that you said it was Transparent.

468

Re: DaVinci Junior cartridge reset

I know I'm late to the party; all I was missing from the equation was the Adafruit NFC reader/writer.  Just arrived in the mail today, so I should have a few tags to share later tonight or early tomorrow.  Glad to see this got reverse engineered so quickly.

469

Re: DaVinci Junior cartridge reset

When resetting a chip you need to reset only page 20; do not mess with other pages. If you need to change the color, reset page 8. If you turn off password protection on the chip, it is possible to reset it with an Android phone; no need for an NFC shield and Arduino.

470

Re: DaVinci Junior cartridge reset

Here's my $0.02

PASS = 0x17, 0xF7, 0xA9, 0x36
Nature 6m/100m

Found an ISO14443A card
  UID Length: 7 bytes
  UID Value: 0x04 0x48 0x29 0x22 0x97 0x3C 0x80

Seems to be an NTAG2xx tag (7 byte UID)
PAGE 00: 04 48 29 ED  .H)í
PAGE 01: 22 97 3C 80  "—<€
PAGE 02: 09 48 00 00  .H..
PAGE 03: E1 10 12 00  á...
PAGE 04: 01 03 A0 0C  .. .
PAGE 05: 34 03 00 FE  4..þ
PAGE 06: 00 00 00 00  ....
PAGE 07: 00 00 00 00  ....
PAGE 08: 5A 50 5A 00  ZPZ.
PAGE 09: 00 35 34 47  .54G
PAGE 10: A0 86 01 00   †..
PAGE 11: A0 86 01 00   †..
PAGE 12: D2 00 2D 00  Ò.-.
PAGE 13: 54 48 47 42  THGB
PAGE 14: 30 31 33 38  0138
PAGE 15: 00 00 00 00  ....
PAGE 16: 00 00 00 00  ....
PAGE 17: 34 00 00 00  4...
PAGE 18: 00 00 00 00  ....
PAGE 19: 00 00 00 00  ....
PAGE 20: B1 1A 00 00  ±...
PAGE 21: F9 08 32 54  ù.2T
PAGE 22: 23 A6 E3 CE  #¦ãÎ
PAGE 23: C5 95 4A 76  Å•Jv
PAGE 24: 00 00 00 00  ....
PAGE 25: 00 00 00 00  ....
PAGE 26: 00 00 00 00  ....
PAGE 27: 00 00 00 00  ....
PAGE 28: 00 00 00 00  ....
PAGE 29: 00 00 00 00  ....
PAGE 30: 00 00 00 00  ....
PAGE 31: 00 00 00 00  ....
PAGE 32: 00 00 00 00  ....
PAGE 33: 00 00 00 00  ....
PAGE 34: 00 00 00 00  ....
PAGE 35: 00 00 00 00  ....
PAGE 36: 00 00 00 00  ....
PAGE 37: 00 00 00 00  ....
PAGE 38: 00 00 00 00  ....
PAGE 39: 00 00 00 00  ....
PAGE 40: 00 00 00 BD  ...½
PAGE 41: 07 00 00 08  ....
PAGE 42: 80 05 00 00  €...
PAGE 43: 00 00 00 00  ....
PAGE 44: 00 00 00 00  ....




PASS = 0x3C, 0x29, 0xBE, 0x9F
Black 56m/200m

Found an ISO14443A card
  UID Length: 7 bytes
  UID Value: 0x04 0x1C 0xC6 0x22 0x9A 0x3D 0x80

Seems to be an NTAG2xx tag (7 byte UID)
PAGE 00: 04 1C C6 56  ..ÆV
PAGE 01: 22 9A 3D 80  "š=€
PAGE 02: 05 48 00 00  .H..
PAGE 03: E1 10 12 00  á...
PAGE 04: 01 03 A0 0C  .. .
PAGE 05: 34 03 00 FE  4..þ
PAGE 06: 00 00 00 00  ....
PAGE 07: 00 00 00 00  ....
PAGE 08: 5A 50 4B 00  ZPK.
PAGE 09: 00 35 34 57  .54W
PAGE 10: 40 0D 03 00  @...
PAGE 11: 40 0D 03 00  @...
PAGE 12: D2 00 2D 00  Ò.-.
PAGE 13: 54 48 47 42  THGB
PAGE 14: 30 32 33 33  0233
PAGE 15: 00 00 00 00  ....
PAGE 16: 00 00 00 00  ....
PAGE 17: 34 00 00 00  4...
PAGE 18: 00 00 00 00  ....
PAGE 19: 00 00 00 00  ....
PAGE 20: 3C DC 00 00  <Ü..
PAGE 21: 74 CE 32 54  tÎ2T
PAGE 22: 54 E0 E2 CE  TàâÎ
PAGE 23: 4E D6 49 76  NÖIv
PAGE 24: 00 00 00 00  ....
PAGE 25: 00 00 00 00  ....
PAGE 26: 00 00 00 00  ....
PAGE 27: 00 00 00 00  ....
PAGE 28: 00 00 00 00  ....
PAGE 29: 00 00 00 00  ....
PAGE 30: 00 00 00 00  ....
PAGE 31: 00 00 00 00  ....
PAGE 32: 00 00 00 00  ....
PAGE 33: 00 00 00 00  ....
PAGE 34: 00 00 00 00  ....
PAGE 35: 00 00 00 00  ....
PAGE 36: 00 00 00 00  ....
PAGE 37: 00 00 00 00  ....
PAGE 38: 00 00 00 00  ....
PAGE 39: 00 00 00 00  ....
PAGE 40: 00 00 00 BD  ...½
PAGE 41: 07 00 00 08  ....
PAGE 42: 80 05 00 00  €...
PAGE 43: 00 00 00 00  ....
PAGE 44: 00 00 00 00  ....
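
The dumps posted above can be cross-checked before they go into anyone's spreadsheet. The following is an added example, not code from any poster or from the Adafruit library: it parses the `PAGE nn:` lines, rebuilds the UID, verifies the two ISO 14443-3 check bytes and decodes the NTAG213 configuration pages 41 and 42. The function names are made up for this example; the page values are copied from posts 464 and 470.

```python
import re

CASCADE_TAG = 0x88  # ISO/IEC 14443-3 cascade tag, XORed into BCC0 of a 7-byte UID

# Pages 0-2 and 41-42 as posted in the dumps above (posts 464 and 470).
DUMPS = {
    "464 transparent": """PAGE 00: 04 CF CB 88
PAGE 01: 2A 97 3C 80
PAGE 02: 01 48 00 00  .H..
PAGE 41: 07 00 00 08  ....
PAGE 42: 80 05 00 00  ....""",
    "470 nature": """PAGE 00: 04 48 29 ED
PAGE 01: 22 97 3C 80
PAGE 02: 09 48 00 00  .H..
PAGE 41: 07 00 00 08  ....
PAGE 42: 80 05 00 00  ....""",
    "470 black": """PAGE 00: 04 1C C6 56
PAGE 01: 22 9A 3D 80
PAGE 02: 05 48 00 00  .H..
PAGE 41: 07 00 00 08  ....
PAGE 42: 80 05 00 00  ....""",
}

def parse_dump(text):
    """Map page number -> 4 bytes from 'PAGE nn: xx xx xx xx' lines (ASCII column ignored)."""
    pages = {}
    for line in text.splitlines():
        m = re.match(r"\s*PAGE\s+(\d+):\s+((?:[0-9A-Fa-f]{2}\s?){4})", line)
        if m:
            pages[int(m.group(1))] = bytes.fromhex(m.group(2))
    return pages

def check_uid(pages):
    """Rebuild the 7-byte UID and verify the two check bytes stored beside it."""
    p0, p1, p2 = pages[0], pages[1], pages[2]
    uid = p0[:3] + p1
    bcc0_ok = (CASCADE_TAG ^ p0[0] ^ p0[1] ^ p0[2]) == p0[3]
    bcc1_ok = (p1[0] ^ p1[1] ^ p1[2] ^ p1[3]) == p2[0]
    return " ".join(f"{b:02X}" for b in uid), bcc0_ok, bcc1_ok

def decode_config(pages):
    """Decode NTAG213 CFG0 (page 41) and CFG1 (page 42) per the NXP data sheet layout."""
    access = pages[42][0]
    return {
        "auth0": pages[41][3],               # first page that needs PWD_AUTH
        "prot": "read+write" if access & 0x80 else "write",
        "cfglck": bool(access & 0x40),       # configuration pages locked?
        "authlim": access & 0x07,            # failed-auth limit, 0 = disabled
    }

if __name__ == "__main__":
    for name, text in DUMPS.items():
        pages = parse_dump(text)
        print(name, check_uid(pages), decode_config(pages))
```

All three dumps pass both check bytes and decode to AUTH0 = 8 with PROT set, so pages 8 onward need the password for reads as well as writes. Pages 43 and 44 (PWD and PACK) always read back as zeros on this chip, which is why the password does not appear in any dump.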

471

Re: DaVinci Junior cartridge reset

Anyone try coding PAGE 20 with 60 13 09 00? If it works it would be 300m, I hope. Trying to match the length of the Hatchbox spool; still waiting on some items to start working on my chip.

472

Re: DaVinci Junior cartridge reset

Yes, I tried it; not working, card not recognized.

473

Re: DaVinci Junior cartridge reset

Did anyone figure out the temp situation yet? Because I have a feeling it is set in PAGEs 8 and 9 along with the color.

474 (edited by Bozotclown1970 2016-02-15 00:03:30)

Re: DaVinci Junior cartridge reset

Well, once I entered the correct code, which was 00 04 93 E0, I was able to see a spool of 300m. Now what is interesting about this is that that was my original spool, which was a 100m spool, not 200m.


http://soliforum.com/i/?2yd635W.jpg

475 (edited by HyruleJedi86 2016-02-15 01:12:11)

Re: DaVinci Junior cartridge reset

That's awesome! Now try a very large number like 1000 or 10000 and see if it will take. If it does, then I'm betting some, including myself, would be willing to send you several empty chips to be rewritten with a much higher number and pay you for it.


Unless we can come up with a step by step to do this on our own with what parts to buy. I wonder though if it would be possible to buy a chip that has had the password protection removed and a program written that can be used repeatedly using our phones.