601

Re: DaVinci Junior cartridge reset

greatone76 wrote:

@stucktheman

It's the data that is the problem, not the card. Nothing tells the printer not to send a password. Page 41 last byte is the start of the first page of protected data. It is set to FF or 255. The 255th page is the start of the protected data. Any number after 44 effectively removes the password, but nothing actually removes the password from the card; it is always there. The only thing to set is what pages can't be read till it is entered. The printer knows the card it wants is password protected, so it sends out a password that the card will take as wrong and send an error.

I'm curious, do you think this would work?

1. Take a fresh NFC tag and plop it on the Davinci
2. Capture the I2C traffic and get what the Davinci *expects* the password to be
3. Copy the data from an authentic spool chip to the fresh card
4. Set the password on the new card to what we snagged in step 2

602

Re: DaVinci Junior cartridge reset

XYLenTech wrote:
greatone76 wrote:

@stucktheman

It's the data that is the problem, not the card. Nothing tells the printer not to send a password. Page 41 last byte is the start of the first page of protected data. It is set to FF or 255. The 255th page is the start of the protected data. Any number after 44 effectively removes the password, but nothing actually removes the password from the card; it is always there. The only thing to set is what pages can't be read till it is entered. The printer knows the card it wants is password protected, so it sends out a password that the card will take as wrong and send an error.

I'm curious, do you think this would work?

1. Take a fresh NFC tag and plop it on the Davinci
2. Capture the I2C traffic and get what the Davinci *expects* the password to be
3. Copy the data from an authentic spool chip to the fresh card
4. Set the password on the new card to what we snagged in step 2

Haha, I actually tried this after seeing the clones fail. Sad, yes, it does generate a password from the paper tag's UID, and no, cloning an existing chip and then locking it with the sniffed password did not seem to work. But I did give up on that idea after about an hour of looking into that scenario.

603

Re: DaVinci Junior cartridge reset

strucktheman wrote:

Haha, I actually tried this after seeing the clones fail. Sad, yes, it does generate a password from the paper tag's UID, and no, cloning an existing chip and then locking it with the sniffed password did not seem to work. But I did give up on that idea after about an hour of looking into that scenario.

If that's the case then there may be some other check involved.  The Davinci looks at the unprotected data, calculates the expected password, uses that password to view the protected data, and then does *another* verification saying "hey, I've got this UID, this password, let's make sure these other values match up too to make sure this is authentic".

That's all speculation at this point - just thought I'd throw it out there.

604 (edited by greatone76 2016-02-26 03:09:51)

Re: DaVinci Junior cartridge reset

Read Section 8.8 of the NXP document on the NTAG21X. The verification you are talking about is the PACK. Once the tag is put in the machine, it appears it reads the UID, then does some math to get the password and sends the password. Once the tag has a correct password it kicks back the PACK. The machine somehow then uses some math and checks the PACK. So while you can put a tag up to the machine and get the password and copy it to the tag and set it all up, you still don't have the PACK. You can see the new card pass the PACK (whatever is on the tag, 00 00 by default), but you can't see the machine check the PACK, so there is no way to steal the PACK. For the record, I have tried copying another card's PACK and that does not work, so it appears it is more than just a list of acceptable PACK numbers; it appears to use some algorithm involving the UID and/or password. I feel we are very far off a make-your-own-tag solution, because to do it well we would need to break the PACK algorithm, which can only be accomplished through looking at UIDs, passwords and PACKs to find the relationship. Doing my research, other projects trying to clone similar tags have had no success in breaking the verification algorithms.
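An added illustration, not part of the post above and not the printer's code: a small model of the PWD_AUTH / PACK exchange as the post describes it, showing why a tag that accepts the reader's password can still fail the reader's local PACK check. The `derive` function, `DEMO_KEY` and both UIDs are constructed stand-ins; the real derivation is unknown on this page.

```python
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"  # assumption: stands in for the reader's unknown secret

def derive(uid):
    """Hypothetical UID diversification returning (PWD, PACK); not the printer's algorithm."""
    digest = hmac.new(DEMO_KEY, uid, hashlib.sha256).digest()
    return digest[:4], digest[4:6]

class Tag:
    """Tag side of PWD_AUTH: returns PACK on a matching PWD, None (NAK) otherwise."""
    def __init__(self, uid, pwd=b"\xff\xff\xff\xff", pack=b"\x00\x00", auth0=0xFF):
        self.uid, self.pwd, self.pack, self.auth0 = uid, pwd, pack, auth0
        self.authenticated = False

    def pwd_auth(self, pwd):
        self.authenticated = hmac.compare_digest(pwd, self.pwd)
        return self.pack if self.authenticated else None

    def can_read(self, page):
        # Simplification: read protection enabled, pages >= AUTH0 need authentication.
        return page < self.auth0 or self.authenticated

class Reader:
    """Reader side; `wire` records every value that leaves or enters the reader."""
    def __init__(self):
        self.wire = []

    def accepts(self, tag):
        pwd, expected_pack = derive(tag.uid)
        self.wire.append(pwd)                 # PWD_AUTH carries PWD in the clear
        pack = tag.pwd_auth(pwd)
        if pack is None:
            return False
        self.wire.append(pack)                # tag answers with its stored PACK
        # expected_pack is compared locally and never transmitted.
        return hmac.compare_digest(pack, expected_pack)

def run_scenarios():
    genuine_uid = bytes.fromhex("04112233445566")   # constructed UIDs
    other_uid = bytes.fromhex("04AABBCCDDEEFF")
    pwd, pack = derive(genuine_uid)
    genuine = Tag(genuine_uid, pwd, pack, auth0=0x08)
    locked_before = not genuine.can_read(0x0A)
    genuine_ok = Reader().accepts(genuine)

    # A blank tag rejects the reader's PWD, but the PWD has now crossed the wire.
    probe = Reader()
    blank_ok = probe.accepts(Tag(other_uid))
    observed_pwd = probe.wire[0]

    # Same UID with the observed PWD and a PACK copied from the genuine tag:
    # the PWD stage passes, the reader's PACK comparison does not.
    copy = Tag(other_uid, observed_pwd, pack, auth0=0x08)
    check = Reader()
    copy_ok = check.accepts(copy)
    return {
        "locked_before_auth": locked_before,
        "genuine_ok": genuine_ok,
        "blank_ok": blank_ok,
        "copy_pwd_stage": copy.authenticated,
        "copy_ok": copy_ok,
        "expected_pack_on_wire": derive(other_uid)[1] in check.wire,
    }
```
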

605 (edited by Creek_Tha_Gray 2016-02-27 02:44:22)

Re: DaVinci Junior cartridge reset

So using the following two boards and cable I have been able to get the following output. I am awaiting the logic board so I can pull the password.

Hardware

Arduino MEGA 2560
http://www.aliexpress.com/item/Freeship … 86963.html
PN532 NFC MODULE
http://www.aliexpress.com/item/Free-Shi … 74881.html
Female to Male jumper wire for Arduino
http://www.aliexpress.com/item/2PCS-40p … 39636.html

Software

Arduino 1.6.7
https://www.arduino.cc/en/Main/Software

Sketch files and Adafruit library
from Post 341

Hardware notes
use SPI mode and SS is SCL for the itead board

To make the sketch files work with the Itead PN532 NFC board you need to edit them by:

Updating the pinout to
// If using the breakout with SPI, define the pins for SPI communication.
#define PN532_SCK  (52)
#define PN532_MOSI (51)
#define PN532_SS   (53)
#define PN532_MISO (50)

Uncommenting (remove the //)
Adafruit_PN532 nfc(PN532_SCK, PN532_MISO, PN532_MOSI, PN532_SS);

Commenting out (//)
//Adafruit_PN532 nfc(PN532_IRQ, PN532_RESET);


My current output is this as I need to sniff the password.

Hello!
TIMEOUT!
Found chip PN532
Firmware ver. 1.6
Waiting for an ISO14443A Card ...
Found an ISO14443A card
  UID Length: 7 bytes
  UID Value: 0x04 0xF3 0xE8 0x2A 0x97 0x3C 0x80

Seems to be an NTAG2xx tag (7 byte UID)
PAGE 00: 04 F3 E8 97  .óè—
PAGE 01: 2A 97 3C 80  *—<€
PAGE 02: 01 48 00 00  .H..
PAGE 03: E1 10 12 00  á...
PAGE 04: 01 03 A0 0C  .. .
PAGE 05: 34 03 00 FE  4..þ
PAGE 06: 00 00 00 00  ....
PAGE 07: 00 00 00 00  ....
PAGE 08: Unable to read the requested page!
PAGE 09: Unable to read the requested page!
PAGE 10: Unable to read the requested page!
PAGE 11: Unable to read the requested page!
PAGE 12: Unable to read the requested page!
PAGE 13: Unable to read the requested page!
PAGE 14: Unable to read the requested page!
PAGE 15: Unable to read the requested page!
PAGE 16: Unable to read the requested page!
PAGE 17: Unable to read the requested page!
PAGE 18: Unable to read the requested page!
PAGE 19: Unable to read the requested page!
PAGE 20: Unable to read the requested page!
PAGE 21: Unable to read the requested page!
PAGE 22: Unable to read the requested page!
PAGE 23: Unable to read the requested page!
PAGE 24: Unable to read the requested page!
PAGE 25: Unable to read the requested page!
PAGE 26: Unable to read the requested page!
PAGE 27: Unable to read the requested page!
PAGE 28: Unable to read the requested page!
PAGE 29: Unable to read the requested page!
PAGE 30: Unable to read the requested page!
PAGE 31: Unable to read the requested page!
PAGE 32: Unable to read the requested page!
PAGE 33: Unable to read the requested page!
PAGE 34: Unable to read the requested page!
PAGE 35: Unable to read the requested page!
PAGE 36: Unable to read the requested page!
PAGE 37: Unable to read the requested page!
PAGE 38: Unable to read the requested page!
PAGE 39: Unable to read the requested page!
PAGE 40: Unable to read the requested page!
PAGE 41: Unable to read the requested page!
PAGE 42: Unable to read the requested page!
PAGE 43: Unable to read the requested page!
PAGE 44: Unable to read the requested page!
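An added example, not part of the post above: a parser for this dump format that rebuilds the 7-byte UID from pages 0 and 1, verifies the two ISO/IEC 14443-3 check bytes (BCC0, BCC1), reads the capability container in page 3, and reports the first page the tag refused to return. The sample input reuses the readable pages from the dump above with the unreadable tail shortened; the function names are my own.

```python
import re

# Pages 00-07 copied from the dump above (hex column only); unreadable tail shortened.
SAMPLE = """\
PAGE 00: 04 F3 E8 97
PAGE 01: 2A 97 3C 80
PAGE 02: 01 48 00 00
PAGE 03: E1 10 12 00
PAGE 04: 01 03 A0 0C
PAGE 05: 34 03 00 FE
PAGE 06: 00 00 00 00
PAGE 07: 00 00 00 00
PAGE 08: Unable to read the requested page!
PAGE 09: Unable to read the requested page!
PAGE 10: Unable to read the requested page!
"""

PAGE_RE = re.compile(
    r"^PAGE (\d+): (?:((?:[0-9A-Fa-f]{2} ){3}[0-9A-Fa-f]{2})|Unable to read)")
CASCADE_TAG = 0x88  # ISO/IEC 14443-3 cascade tag, included in BCC0 for 7-byte UIDs

def parse_dump(text):
    """Map page number -> 4 bytes, or None where the read was refused."""
    pages = {}
    for line in text.splitlines():
        m = PAGE_RE.match(line.strip())
        if m:
            pages[int(m.group(1))] = bytes.fromhex(m.group(2)) if m.group(2) else None
    return pages

def analyse(pages):
    """Check UID integrity bytes and summarise which pages are locked."""
    head = [pages.get(i) for i in range(4)]
    if any(p is None for p in head):
        raise ValueError("pages 0-3 must be readable to identify the tag")
    p0, p1, p2, p3 = head
    bcc0 = CASCADE_TAG ^ p0[0] ^ p0[1] ^ p0[2]
    bcc1 = p1[0] ^ p1[1] ^ p1[2] ^ p1[3]
    refused = sorted(n for n, data in pages.items() if data is None)
    return {
        "uid": (p0[:3] + p1).hex().upper(),
        "bcc0_ok": bcc0 == p0[3],           # a mismatch means a corrupt or altered dump
        "bcc1_ok": bcc1 == p2[0],
        "cc_magic_ok": p3[0] == 0xE1,       # NFC Forum Type 2 capability container
        "user_bytes": p3[2] * 8,            # CC size byte counts 8-byte units
        "first_refused_page": refused[0] if refused else None,
    }

if __name__ == "__main__":
    print(analyse(parse_dump(SAMPLE)))
```
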

606 (edited by greatone76 2016-02-27 15:37:49)

Re: DaVinci Junior cartridge reset

I think I have a set up if I can get your first 5 pages read from an android app https://play.google.com/store/apps/deta … amp;hl=en0  mentioned previously in the thread should work well and then you can authenticate through there and reset in that app as well. 

Due to my recent excessive expenses in small hardware costs I'm considering offering to do this for a nominal fee to recoup the hardware costs, but to prove to the forum it works I'll take the first person who PM's me the first 5 page read and I will run my process for free.  The 2 conditions are that you post to the forum that it works and that you provide the 4 digit PACK value (very easy to read in the app linked to above once the card is authenticated) so it can be recorded to help investigate that algorithm.

607

Re: DaVinci Junior cartridge reset

Greatone76 just helped me with this and it works great. Took no time to get it done. I did not have any problems at all. I can take screenshots on my phone of the steps you need to do if anyone wants help. I tried ordering the NFC tags on Amazon that the other guy talked about; that did nothing. greatone76 really helped me out, thanks.

608

Re: DaVinci Junior cartridge reset

Here's what I did:
1. Downloaded https://play.google.com/store/apps/deta … amp;hl=en0 onto my phone
2. Turn NFC on my Samsung Note 2
3. In RFID NFC Tool picked Mifare Ultralight / NTAG
4. Held the card up to the phone, it beeped
5. Pressed read
6. You will get Action failed ntag213 page: data and a bunch of data
7. Take a screenshot and sent it to greatone76
8. He sent me my password
9. Restart RFID NFC Tool and select the little key in the upper right corner
10. Click the key with a +
11. Pick NTAG 21X Series
12. Name it anything and enter the key he gave you, hit OK, make sure it's active
13. Go back to Mifare Ultralight / NTAG
14. Make sure authenticate with (key name) is checked
15. Hold up chip and hit read
16. Write E0930400 to page 0A, then write E0930400 to 0B, then write E0930400 to page 14
17. Done, you now have 300M

Seems like a lot of steps, but it takes less than 10 min.

609 (edited by kenbob904 2016-02-27 18:48:28)

Re: DaVinci Junior cartridge reset

Greatone76 has successfully handed me the key to my stock nature chip. I have rewritten to it on pages 0a, 0b and 14 as described, but I am getting a spool error. I think it's a problem with it being limited to 200m. Anyone know what to modify to stop that, or what digits to write to get 200m?

610

Re: DaVinci Junior cartridge reset

@ greatone76 prove it by using my post above and post the password. I will then post the full tag. That is if it works.

611

Re: DaVinci Junior cartridge reset

kenbob904 wrote:

Greatone76 has successfully handed me the key to my stock nature chip. I have rewritten to it on pages 1a, 1b and 14 as described, but I am getting a spool error. I think it's a problem with it being limited to 200m. Anyone know what to modify to stop that, or what digits to write to get 200m?


200M is 40 0D 03 00

612

Re: DaVinci Junior cartridge reset

Ok, I think I figured out what I was doing wrong. Mine's the stock nature, so I believe it's limited to 100, so I copied the values from botozclown1970's stock nature chip and was able to reset to 69. A0860100 on pages 0a and 0b and 0e0e0100 to page 14; for some reason A0860100 on page 14 gave me spool error.

613 (edited by methos0510 2016-02-28 02:52:12)

Re: DaVinci Junior cartridge reset

It works!!!!!
I got my password from Greatone76 and was having trouble reading the chip. After some thinking Greatone suggested trying a different phone. I stole the wife's phone and tried with it and BAM, I was right in! Here's the screenshot

Post's attachments

IMG_0206.PNG

614

Re: DaVinci Junior cartridge reset

kenbob904 wrote:

Ok, I think I figured out what I was doing wrong. Mine's the stock nature, so I believe it's limited to 100, so I copied the values from botozclown1970's stock nature chip and was able to reset to 69. A0860100 on pages 0a and 0b and 0e0e0100 to page 14; for some reason A0860100 on page 14 gave me spool error.


kenbob904, try writing line 08 to 5A505000 and it will let you change lines 0A, 0B & 14 to E0930400; it worked on my nature chip.

615

Re: DaVinci Junior cartridge reset

I feel comfortable that my process works. I went back in this topic and used 10 of the data dumped tags to verify it works and was 10/10 on correct keys. As you can see above, I have also had multiple successful people send their data and get their working password back, and I'm currently perfect with the process there too. http://www.instructables.com/id/NFC-Tag-Hack is a link to a quick Instructable with a link to an Android app that works, what data you need to send and how to enter the password once you have it to get where you can rewrite data on the tag. I'm looking for $10 through PayPal to do this for anyone. Make me an offer for multiple tags. PM me your e-mail so that I can make the PayPal request. I pay the PayPal fees, for the record. I'm not looking to get rich here, I'm just looking to get a few of the dollars back that I spent on the hardware behind this process. As you can see from the previous statements in this topic, opening up the printer and connecting wires to it is required to do the work to get your own password. Also you need to purchase at least a logic analyzer, hook it up correctly and learn to use it. This is a cheap option with much less risk to your printer than doing it yourself.

616

Re: DaVinci Junior cartridge reset

greatone76 wrote:

I feel comfortable that my process works. I went back in this topic and used 10 of the data dumped tags to verify it works and was 10/10 on correct keys. As you can see above, I have also had multiple successful people send their data and get their working password back, and I'm currently perfect with the process there too. http://www.instructables.com/id/NFC-Tag-Hack is a link to a quick Instructable with a link to an Android app that works, what data you need to send and how to enter the password once you have it to get where you can rewrite data on the tag. I'm looking for $10 through PayPal to do this for anyone. Make me an offer for multiple tags. PM me your e-mail so that I can make the PayPal request. I pay the PayPal fees, for the record. I'm not looking to get rich here, I'm just looking to get a few of the dollars back that I spent on the hardware behind this process. As you can see from the previous statements in this topic, opening up the printer and connecting wires to it is required to do the work to get your own password. Also you need to purchase at least a logic analyzer, hook it up correctly and learn to use it. This is a cheap option with much less risk to your printer than doing it yourself.

Please don't try to make financial gains off others' work. There are others who will help for free.

617

Re: DaVinci Junior cartridge reset

If you buy all your hardware from AliExpress the total is around $40 and you get to use it in the future for other projects. I call that a deal.

618

Re: DaVinci Junior cartridge reset

Creek_Tha_Gray wrote:

If you buy all your hardware from AliExpress the total is around $40 and you get to use it in the future for other projects. I call that a deal.

This guy probably has more than just the standard parts if he's able to give passwords off of someone else's cards without physically having it. I don't have a problem helping him regain his expenses on hardware.

619

Re: DaVinci Junior cartridge reset

RAMP mod in progress.
http://soliforum.com/i/?urDmuy3.jpg

Testing version.

I get full calibration, no more NFC tag.
Only 55€ for full kit (heatbed is included).

Next step will be cable management. lol

620

Re: DaVinci Junior cartridge reset

methos0510 wrote:
kenbob904 wrote:

Ok, I think I figured out what I was doing wrong. Mine's the stock nature, so I believe it's limited to 100, so I copied the values from botozclown1970's stock nature chip and was able to reset to 69. A0860100 on pages 0a and 0b and 0e0e0100 to page 14; for some reason A0860100 on page 14 gave me spool error.


kenbob904, try writing line 08 to 5A505000 and it will let you change lines 0A, 0B & 14 to E0930400; it worked on my nature chip.

Thanks dude, worked perfect

621

Re: DaVinci Junior cartridge reset

strucktheman wrote:
greatone76 wrote:

I feel comfortable that my process works. I went back in this topic and used 10 of the data dumped tags to verify it works and was 10/10 on correct keys. As you can see above, I have also had multiple successful people send their data and get their working password back, and I'm currently perfect with the process there too. http://www.instructables.com/id/NFC-Tag-Hack is a link to a quick Instructable with a link to an Android app that works, what data you need to send and how to enter the password once you have it to get where you can rewrite data on the tag. I'm looking for $10 through PayPal to do this for anyone. Make me an offer for multiple tags. PM me your e-mail so that I can make the PayPal request. I pay the PayPal fees, for the record. I'm not looking to get rich here, I'm just looking to get a few of the dollars back that I spent on the hardware behind this process. As you can see from the previous statements in this topic, opening up the printer and connecting wires to it is required to do the work to get your own password. Also you need to purchase at least a logic analyzer, hook it up correctly and learn to use it. This is a cheap option with much less risk to your printer than doing it yourself.

Please don't try to make financial gains off others' work. There are others who will help for free.

I do not see a big deal with him charging a little; it does take his time to do it. He did it for me for free and I still offered to pay after. It saved me a lot of time and headache doing it myself.

622 (edited by greatone76 2016-02-28 19:10:32)

Re: DaVinci Junior cartridge reset

This process is a replacement for sending someone your tag and getting the key. I didn't want to take the time of mailing and mailing back a tag. And my big objection to the process was just giving out my personal address. So I took the time and invested my money into getting hardware, programming it and creating a process to remove the mailing out of that process. The hardware alone is expensive.

My goal here is to get more people involved in working with the tag. I want as many people as possible to be running through the different colors and checking temperatures and using new filament and reporting back if it works. I want more people helping this hack, and connecting an analyzer to an open printer is a huge stop to people helping try things with the NFC tag.

I invested my time and in the hardware in order to work on cracking the password. I want to send simplified and similar combinations of data in order to track down how the algorithm works. (For the record, it appears to be fairly complex passwords when I input simple information.)

Please realize I'm in for this hack. I don't have the password algorithm; I'm still using the printer just like everyone else to get the password it passes. I just have the hardware to take data from your tag to run the process at my house without you sending the physical tag to me.

623

Re: DaVinci Junior cartridge reset

greatone76 wrote:

This process is a replacement for sending someone your tag and getting the key. I didn't want to take the time of mailing and mailing back a tag. And my big objection to the process was just giving out my personal address. So I took the time and invested my money into getting hardware, programming it and creating a process to remove the mailing out of that process. The hardware alone is expensive.

My goal here is to get more people involved in working with the tag. I want as many people as possible to be running through the different colors and checking temperatures and using new filament and reporting back if it works. I want more people helping this hack, and connecting an analyzer to an open printer is a huge stop to people helping try things with the NFC tag.

I invested my time and in the hardware in order to work on cracking the password. I want to send simplified and similar combinations of data in order to track down how the algorithm works. (For the record, it appears to be fairly complex passwords when I input simple information.)

Please realize I'm in for this hack. I don't have the password algorithm; I'm still using the printer just like everyone else to get the password it passes. I just have the hardware to take data from your tag to run the process at my house without you sending the physical tag to me.

I didn't ask you for money when you asked me this:
"crgpgh - The simple process you currently have working of copying the original NFC info and then using the chip and then resetting it to the original preprint conditions is all the situation I'm looking for right now.  I just want to put in the PLA colors I have for a different printer.  Would it be possible for you to write out your process.  What piece of hardware you are using.  What software you are using to communicate and a process of the copy and restore you are doing.  I would love to get the right hardware pieces on order.  I'm new to NFC and not well versed in coding in general.  I have some basics, but nothing advanced."

I sent links on my blog posts where I detail everything that I had figured out. So you took that and are now charging people for your secret process? Why not pay back the people you are biting off of by explaining what process you developed?

624

Re: DaVinci Junior cartridge reset

I can verify greatone76's method works. I sent him all the info and received the password. I then changed the filament length and my printer reads the NFC chip as 300m :)

625

Re: DaVinci Junior cartridge reset

http://soliforum.com/i/?Gp95kx5.png

Here's the card dump after using the password from greatone76

Worked like a champ.