Topic: XYZ Printing Da Vinci Jr (w) / Da Vinci Mini (w) Hacking
LAST UPDATE: 2017-01-10 SEE CHANGELOG AT THE END OF POST
Hello folks!
The topic regarding the cartridge reset got rather long (48+ pages), so I took my time and summarized everything in it to give you a better overview of what you can and can't do with your Jr / Mini.
Disclaimer: I am not responsible for spool errors, hardware bricks or any other errors you may encounter after reading this summary. Please also note that some of the techniques described here could void your warranty.
Please read the whole post before asking questions! If you have read the post already see the changelog at the end of the post if something new has been added.
Note: I did not find out anything (maybe a little bit) about the things which will follow below. The full credit goes to the awesome community in http://www.soliforum.com/topic/11108/da … dge-reset/ which did all the work to give us the opportunity to hack our devices, and to break free from the DRM Filaments from xyzprinting.
Currently there is a solution for everyone! We can emulate an NTAG213 with the help of EMUTAG. You can find an instructable by cgrillo here: http://www.instructables.com/id/EMUTAG- … -Printers/ The only downside of that method is that you have to buy hardware for it, such as an Arduino, an EMUTAG and the software to modify the EMUTAG.
WARNING: Currently there is no known way of resetting the spool if you have a Da Vinci Mini (w)! And if you have a Da Vinci Jr (w) with a firmware above 2.2.7, it is also not possible to reset the NFC chip. But there is still hope for you: please go to the http://www.soliforum.com/topic/15817/da … -requests/ topic and help us crack the password and PACK algorithms, so that we can create our own tags from blank tags!
We have another thread up and running where people can exchange used (unlocked!) Tags. Please see here: http://www.soliforum.com/topic/15907/da … -tag-swap/
Index:
1. Preface
2. The NFC Tag
2.1 Reading the locked NFC Tag
2.1.1 Android
2.1.2 Arduino
2.2 Find out NFC Tag Password
2.3 NFC Tag structure
2.3.1 Pages and their description
2.3.2 Important pages
2.4 Manipulate NFC Tag
2.4.1 Android
2.4.2 Arduino
2.5 Fact Database
2.5.1 Facts for both printer types
2.5.2 Facts for the Jr
2.6 Things which have to be evaluated
3. The Printer
3.1 Da Vinci Mini (w)
3.1.1 Firmware
3.2 Da Vinci Jr (1.0) (w)
3.2.1 Firmware
3.2.2 Downgrade
3.2.3 Convert to Ramps
4. XYZware
4.1 Old Versions
4.2 Decompiling
4.3 Using Advanced Mode
4.4 Blocking internet access and firmware updates
1. Preface
The Da Vinci Mini and the Da Vinci Jr are both using chipped filaments from xyzprinting. With the help of an NXP PN512 the printer reads the NFC Tag which ships with the original spools and determines various values from it, like total length, remaining length, color and material.
The problem now with that system is that you have to use the filaments from xyzprinting, and are not allowed to use different (and cheaper) ones. Because not everyone is happy with this some awesome people decided to try to hack it.
The following is a(n) (in)complete collection of everything gathered during the last months.
2. The NFC Tag
The NFC Tag used by xyzprinting for their spools is the NTAG213. A detailed datasheet of it can be found here: https://www.nxp.com/documents/data_shee … 15_216.pdf
2.1 Reading the locked NFC Tag
There are two possible ways of reading the NFC Tag. One is with the help of an NFC capable Android smartphone, and the other one is with the help of an Arduino and an Adafruit PN512 (the same Reader/Writer which is used by the Da Vinci mini and jr).
2.1.1 Android
- Take the Android smartphone of your trust and install either RFID NFC Tool or NFC Tools from the play store.
- If you are asked which type of tag you want to scan select the one in which "NTAG" is stated.
- Scan the Tag with your Android smartphone by pressing the back of your phone onto the nfc tag with one of the apps open.
- You should now see a list of pages with hex values in this format: [Page number]: Hex values
2.1.2 Arduino
I will not go into much detail regarding the Arduino variant, because I do not own one and cannot say how exactly it is done. I know that there is an instructable by greatone76 which can help you with this: http://www.instructables.com/id/XYZ-Da- … et-Hack-1/
2.2 Find out NFC Tag Password
If you want to get the password corresponding to your NFC Tag you can ask cgrillo and others in a separate thread: http://www.soliforum.com/topic/15817/da … -requests/
Many thanks to him for helping us out!
If you want to find out the password for your NFC Tag by yourself you will need a lot of hardware. To do it by yourself I can gladly forward you to the blog of Christopher Grill, who made a great tutorial for this: http://www.wb6cqa.com/2016/01/hacking-x … ci-jr.html
We already had one user who tried to find the algorithm regarding the NFC password, so I will just quote him here:
Anthem wrote:
Now, here's an interesting thing -- I think there are some kind of password "salt" values that *might* be used to generate the chip passwords. There is a command, XYZv3/config=, which is used at the beginning of a print job to push what appears to be four 16-bit integer values:
XYZv3/config=pda:[1591]
XYZv3/config=pdb:[4387]
XYZv3/config=pdc:[7264]
XYZv3/config=pde:[8046]
I don't know what exactly these do, or what happens if you push different values, or in a different order. You can definitely start print jobs over serial without pushing these first, so if they are used for chip passwords then the firmware stores and re-uses the last values.
The reason I *suspect* these have something to do with the password algorithm is that, using the "0x0" chip ID and password that greatone76 generated a while back you can actually zero out the 12 least significant bits of the password for chip ID 0x0 by incrementally XORing the four values in the order (pdb, pde, pdc, pda) while shifting 4 bits left.
E.g.,
chip ID 0x0 password = 0x5ADBF8F3
Original password:
0x5ADBF8F3 = 1011010110110111111100011110011b
p = p ^ (pdb)
0x5ADBE9D0 = 1011010110110111110100111010000b
p = p ^ ((pdb ^ pde) << 4)
0x5ADB0D00 = 1011010110110110000110100000000b
p = p ^ ((pdb ^ pde ^ pdc) << 8)
0x5AC92000 = 1011010110010010010000000000000b
p = p ^ ((pdb ^ pde ^ pdc ^ pda) << 12)
0x5B888000 = 1011011100010001000000000000000b
So this is starting to look like some sort of checksum algorithm based on these four values. However, this simple sequence falls apart after the 12th bit and the rule no longer applies.
There's also some other aspect to this algorithm that ends up factoring higher bits of the ID (at least when non-zero) into the least significant bits of the password, since as you can see the password for chip id 0x1 is far different from that for chip id 0x0.
Also interesting is the fact that there are certain chip IDs that reproduce the same password. There are a few examples of this in greatone76's generated passwords:
(0x00000100000000, 0x44F5BB33)
(0x00010000000000, 0x44F5BB33)
(0x00000000010000, 0x9C18EBFF)
(0x00000001000000, 0x9C18EBFF)
(0x00000000000001, 0xABAA7D46)
(0x00000000000100, 0xABAA7D46)
So there's some sort of symmetry or omission that occurs between bits 1 and 3, 5 and 7, and 9 and 11 that makes them either factor the same into the password, or the algorithm ends up ignoring them in some cases.
2.3 NFC Tag structure
With the help of the given password you can now read the NFC Tag using the Android app of your choice. The tag is structured into 45 pages, each containing different hex values.
2.3.1 Pages and their description
PAGE DESCRIPTION
00 First part of the UID of the NFC Chip
01 Second part of the UID of the NFC Chip
02 First two bytes are a checksum generated from the serial number. The second two bytes are the lock bytes.
03 The capability container of the chip. Same for all.
04 Always 01 03 A0 0C.
05 Always 34 03 00 FE.
06 Always empty.
07 Always empty.
08 First byte is always 5A. Second byte is the Material, which is also stated in the spool's serial number. Third byte is the color of the filament. Last byte is always 00.
09 First two bytes are always 00. Last three bytes are part of the spool's serial number when converted to ASCII.
10 Total capacity on the Spool. This has to be the same as Page 11.
11 Total capacity on the Spool. This has to be the same as Page 10.
12 Almost always D2 00 2D 00.
13 First two bytes are almost always 54 48. Last two bytes belong to the spools serial number when converted to ASCII.
14 All bytes belong to the spool serial number when converted to ASCII.
15 Always empty.
16 Always empty.
17 Always 34 00 00 00.
18 Always empty.
19 Always empty.
20 Remaining capacity on the Spool
21 First two bytes hash the count on Page 20. Last byte is always 54.
22 First two bytes hash the count on Page 20. Last byte is always CE.
23 First two bytes hash the count on Page 20. Last byte is always 76.
24 Always empty.
25 Always empty.
26 Always empty.
27 Always empty.
28 Always empty.
29 Always empty.
30 Always empty.
31 Always empty.
32 Always empty.
34 Always empty.
35 Always empty.
36 Always empty.
37 Always empty.
38 Always empty.
39 Always empty.
40 Always 00 00 00 BD.
41 These are configuration bytes, please see the official datasheet of the NTAG213 for information.
42 These are configuration bytes, please see the official datasheet of the NTAG213 for information.
43 Contains the password of the tag.
44 First two bytes are the PACK number. The last two bytes are the RFUI.
2.3.2 Important Pages
Remaining meters PAGE 20 / Total meters PAGE 10 & 11
To read the remaining or total meters from the NFC data dump you just have to read all the bytes in the page backwards.
Example:
PAGE 20 | E3 32 02 00 is read as 000232E3. If you now convert this to decimal you get 144099.
144099 / 1000 = ~144 m left on the spool.
The max value you can set in PAGE 10 & PAGE 11 is 300 meters. Important: Page 10 and 11 have to be the same.
Color, Temperature & Material Bytes PAGE 8
Info about the color and the Material is saved in PAGE 8.
The second byte shows the Material. It can have the following values:
41 = ABS
46 = Tree / PVA
50 = PLA
55 = UVCR
56 = Water-Soluble
The third byte stores the color and the printing temperature of the filament. It can have these values:
31 = Grey
32 = Clear Red = 191 °C
33 = Clear
34 = Bottle Green
35 = Neon Magenta
36 = Steel Blue
37 = Sun Orange
38 = Pearl White
41 = Purple
42 = Blue
43 = Neon Tangerine
44 = Viridity
45 = Olivine = 191 °C
46 = Gold
47 = Green
48 = Neon Green
49 = Snow White
4A = Neon Yellow
4B = Black
4C = Violet = 191 °C
4D = Grape Purple
4E = Purpurin
4F = Clear Yellow = 210 °C
50 = Clear Green = 210 °C
51 = Clear Tangerine
52 = Red
53 = Cyber Yellow
54 = Tangerine
55 = Clear Blue = 210 °C
56 = Clear Purple
57 = White = 210 °C
58 = Clear Magenta
59 = Yellow
5A = Nature = 191 °C
Checksums PAGE 21 / 22 / 23
These pages store a checksum for the remaining spool length. If the 200 m spool is full it is always set to the following values:
PAGE 21 = 081F3154
PAGE 22 = 50B1E0CE
PAGE 23 = 52E74F76
For the 300m spool you need to set following values (thanks to Bozotclown1970 and kallt_kaffe):
Page 300m/300m
10,11 E0930400
20 E0930400
21 A8813654
22 F03FEECE
23 F26E4D76
Spool Serial PAGE 08, PAGE 09, PAGE 13, PAGE 14
It seems pages 8, 9, 13 and 14 are part of the roll's serial number.
I have a roll with sn GBP68TH6740408
page 08 is 5a503800 which is ascii for ZP80
page 09 is 00363734 which is ascii for 0674
page 13 (0x0d) is 54 48 47 42 and that is ASCII for THGB
page 14 (0x0e) is 30343038 and guess what, ascii for 0408
So, serial number of a roll (still not 100% certain, need to scan more rolls)
Last 2 bytes in page 13: GB
Second byte in page 8: P (PLA)
Unknown where the fourth letter/number comes from
Third byte in page 8: 8 (Pearl White, btw you can add 38 = Pearl White to first post)
First 2 bytes in page 13: TH
Last 3 bytes in page 9: 674 (possibly all four in the future)
All 4 bytes in Page 14: 0408
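As an added example (not part of the original post or of any community tool), the following Python script decodes an app dump using the page layout described above and checks the consistency rules the post states. The dump line format `[08]: 5A 50 38 00` with decimal page numbers, the function names and the combined sample dump are assumptions made for illustration.

```python
import re

# Value tables copied from the post (only some of the listed colours).
MATERIALS = {0x41: "ABS", 0x46: "Tree / PVA", 0x50: "PLA",
             0x55: "UVCR", 0x56: "Water-Soluble"}
COLORS = {0x31: "Grey", 0x38: "Pearl White", 0x4B: "Black",
          0x52: "Red", 0x57: "White", 0x5A: "Nature"}
REQUIRED = (8, 9, 10, 11, 13, 14, 20)

# Assumed dump line format: "[08]: 5A 50 38 00" (decimal page number).
LINE = re.compile(r"^\[(\d{1,2})\]:\s*((?:[0-9A-Fa-f]{2}\s*){4})$")

# Constructed sample: page values quoted in the post, combined into one dump.
SAMPLE_DUMP = """\
[08]: 5A 50 38 00
[09]: 00 36 37 34
[10]: E0 93 04 00
[11]: E0 93 04 00
[13]: 54 48 47 42
[14]: 30 34 30 38
[20]: E3 32 02 00
"""

def parse_dump(text):
    """Return {page number: 4 bytes} for every well-formed dump line."""
    pages = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            pages[int(m.group(1))] = bytes.fromhex(m.group(2))
    return pages

def ascii_of(data):
    return data.decode("ascii", errors="replace")

def decode_spool(pages):
    """Decode the spool fields and list conflicts with the post's rules."""
    missing = [p for p in REQUIRED if p not in pages]
    if missing:
        raise ValueError(f"dump is missing pages: {missing}")
    p8, p13 = pages[8], pages[13]
    # Lengths are stored least significant byte first; value / 1000 = metres.
    total = int.from_bytes(pages[10], "little")
    remaining = int.from_bytes(pages[20], "little")
    problems = []
    if p8[0] != 0x5A:
        problems.append("page 8 does not start with 5A")
    if pages[10] != pages[11]:
        problems.append("pages 10 and 11 differ")
    if total > 300_000:
        problems.append("total length above 300 m")
    if remaining > total:
        problems.append("remaining length exceeds total length")
    # Serial layout per the post; the fourth character's source is unknown.
    serial = (ascii_of(p13[2:]) + chr(p8[1]) + "?" + chr(p8[2])
              + ascii_of(p13[:2]) + ascii_of(pages[9][1:]) + ascii_of(pages[14]))
    return {
        "material": MATERIALS.get(p8[1], f"unknown (0x{p8[1]:02X})"),
        "color": COLORS.get(p8[2], f"unknown (0x{p8[2]:02X})"),
        "total_m": total / 1000,
        "remaining_raw": remaining,
        "remaining_m": remaining / 1000,
        "serial": serial,
        "problems": problems,
    }
```

Calling `decode_spool(parse_dump(SAMPLE_DUMP))` returns the decoded fields; a non-empty `problems` list means the dump conflicts with one of the rules listed in this section.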
2.4 Manipulate NFC Tag
Now that you know the basics of reading a tag, authenticating to your tag and reading the page data, you can manipulate the data on the NFC Tag. greatone76 created a good instructable for this on instructables.
2.4.1 Android
http://www.instructables.com/id/XYZ-Da- … eset-Hack/
2.4.2 Arduino
http://www.instructables.com/id/XYZ-Da- … et-Hack-1/
2.5 Fact Database
2.5.1 Facts for both printer types
- Once the remaining length of the spool goes down to zero, the printer will lock the NFC tag irreversibly. So never let the remaining length go down to zero. This is something that only happens in newer firmware versions.
- Locking down the NFC Tag will not help prevent the printer from counting down the remaining meters. The Tag is stored in the internal memory of the printer, and if the printer cannot write to the tag it just counts down the internal memory.
- If you completely remove the lock byte the printer will spit out a spool error.
- If you let xyzware access the internet, the spool you are using together with the uid is stored in the api of xyzware. So block internet access for xyzware.
- It does not help to remove the tag during the print. The printer will recognize that the tag is missing and will stop printing.
- The password of the nfc tag can be generated with the help of the UID. The algorithm has still to be found.
- If you print your valid spool down to one meter, you can just change the spool with another one (and use the tag from the first one) to print bigger objects which require more than one meter. This information lets us guess that the printer does not check how much filament remains on the chip during printing. (Could be outdated with newer firmwares..)
- You can not change the nfc tag mid printing. It will give you a spool error and stops the print.
- At the moment there is no way of generating your own tags from empty NTAG213 tags. Once we crack the algorithm of the password generation and the algorithm behind the PACK validation it will be possible.
- It is not possible to print with abs, because the PLA tags only allow up to 210 °C.
- Once we can create our own tags, we can use this awesome 3D model from Manrobbie: http://www.thingiverse.com/thing:1362022
- Using an empty tag with its UID will generate a password made by the printer. But this password can't be used in the end, because it is strongly related to the PACK number which is saved in the protected part of the chip. If it's incorrect the printer will just say spool error.
- At the moment there are two algorithms which block us from creating our own tags: One is the Password which is generated from the UID, the other one is the PACK which is generated from an unknown source.
- There is an advanced mode in xyzware which allows us to override the temperature given by the NFC tag manually. (It is still not possible to print ABS because the nozzle is not able to reach the temperatures for that.)
- We can in fact only print with two temperature settings (without having to go into the advanced mode of xyzware and alter the gcode), which are 190°C and 210°C.
2.5.2 Facts for the Jr
- If you are running a firmware on or above 2.2.7 you cannot downgrade or use reset NFC Tags.
- If you are running a firmware below 2.2.7 you can downgrade your firmware to 2.2.4 and lower and can use reset NFC Tags.
2.6 Things which have to be evaluated
- Is it possible to hard reset the printer so that it loses the saved data about used NFC Tags?
- Can we emulate an NFC Tag with the help of an Arduino?
- Is there some kind of master password for the NFC tags?
- Can we modify the firmware to just skip NFC checking?
- Can we port repetier to the Jr and the Mini?
- What role exactly does xyzware play with writing to NFC tags?
Please tell me if you miss something in this list, or something is wrong. Just send me a PM with your suggestions.
3. The Printers
3.1 Da Vinci Mini (w) [MODEL NO: dv1MW0A000]
Product Dimension (WxDxH): 15.35 x 13.19 x 14.17 inch (390 x 335 x 360 mm)
Package Dimension: 21.65x15.35x18.50 inch (550x 390 x 470 mm)
Gross Weight: 24.25lbs (10 kg)
Technology: FFF (Fused Filament Fabrication)
Maximum Build Volume (WxDxH): 5.9 x 5.9 x 5.9 inch (15x15x15cm)
Resolutions:
Fine 0.1 mm (100 microns)
Standard 0.2 mm (200 microns)
Speed 0.3 mm (300 microns)
Ultra Fast 0.4 mm (400 microns)
Print Head: Single Nozzle
Nozzle Diameter: 0.4 mm
Filament Diameter: 1.75 mm
Filament Material: PLA
Connectivity: USB 2.0, WiFi (802.11 b/g/n)
Software: XYZware
File Types: .stl , XYZ Format (.3w), 3mf
3.1.1 Firmware
The result of my test matches the result of the 1.0.0 Firmware. So it is now safe to say that the mini was locked down from the very beginning. Firmware downgrade will not help the mini users.
3.2 Da Vinci Jr (1.0) (w)
Product Dimension (WxDxH): 16.54 x 16.93 x 14.96 inch (42 x 43 x 38 cm )
Package Dimension: 21.53 x 22.87 x 18.7 inch (54.7 x 58.1 x 47.5 cm)
Gross Weight: 33.07 lbs (15kg)
Technology: FFF (Fused Filament Fabrication)
Maximum Build Volume (WxDxH): 5.9 x 5.9 x 5.9 inch (15x15x15cm)
Resolution:
Fine 0.1 mm (100 microns)
Standard 0.2 mm (200 microns)
Speed 0.3 mm (300 microns)
Ultra Fast 0.4 mm (400 microns)
Print Head: Single Nozzle
Maximum Printing Speed: up to 100mm/s
Nozzle Diameter: 0.4 mm
Filament Diameter: 1.75 mm
Filament Material: PLA
Display: Panel Type, 2.6” FSTN LCM
Language: Multi Language
Connectivity: USB 2.0, SD card,Wifi *Systems are compatible with SDHC cards up to 32GB in size.
Software: XYZware
File Types: .stl , XYZ Format (.3w)
3.2.1 Firmware
3.2.2 Downgrade
3.2.3 Convert to Ramps
Thanks to Anthem who created this beautiful guide: http://www.soliforum.com/topic/15273/ho … -ramps-14/
4. XYZware
XYZware is the software which is used to print on the xyz 3dprinter series.
4.1 Old Versions
Old versions may not include the DRM.
You can find one of the old Versions in this post: REMOVED
The guy who posted the old setup did not post the whole cd, just the setup.exe which does not contain the installer. Instead it is just an autorun menu which will start the real setup. (Decompiled the source code of the setup and found this out.)
If someone has older versions of XYZ Ware please PM me!
4.2 Decompiling
I (Xenolphthalein) will decompile the source of the xyzware. I have pretty good programming knowledge and will try to find out if the decompiling can help us in any way.
As far as I know totalitarian is also on the hunt. Please join the IRC from soliforum if you want to join the hunt! (Programming skills in .net or java (because they are pretty similar) are required!)
I currently use xyzware 2.1.16.4 to find out everything that follows. It would be great if someone could send me older xyzware setups, so that I can check what they changed from version to version.
Currently I found out that there is a class named Export in the source code which does various checks before printing. Eventually this check is causing the printer to give the unknown spool error. Will update this once I know more. - Software checks say that the spool is valid. Then when the data is sent to the printer and the software is idle, the printer checks again on firmware level and says spool error.
Another approach which came to my mind after reading the source code is that we could alter the EEPROM through a modified xyzware, so that the printer "forgets" the already used spool nos. -> Investigating!
Internal Model Identifiers
jr 1.0 -> FJR10 -> dv1J00A000
jr 1.0 (w) -> FJR10W -> dv1JW0A000
jr 3in1 -> F1JS -> dv1dv1JS0A000
jr 1.0 pro -> FJR10PRO -> dv1JP0A000
jr 1.0 A -> FJR10A -> dv1JA0A000
minimaker -> FM1X -> dv1MX0A000
mini (w) -> FM1W -> dv1MW0A000
4.3 Using advanced mode
The advanced mode extends the functionality of the xyzware software so that you are able to edit gcode directly.
Original Post by grapefruit4: http://www.soliforum.com/topic/12741/xy … nced-mode/
4.4 Blocking internet access and firmware updates
Add these entries to your hosts file:
127.0.0.1 xyz.com
127.0.0.1 xyzprinting.com
127.0.0.1 us.xyzprinting.com
127.0.0.1 support.xyzprinting.com
127.0.0.1 xyzportal.cloudapp.net
127.0.0.1 www.xyzprinting.com
Here is a good tutorial for many operating systems: http://www.howtogeek.com/howto/27350/be … osts-file/
I'm almost always in the soliforum IRC (chat) (At European times). You can find it in the main menu of soliforum.com.
I hope this post can help you understand everything a little bit, and eventually you will be able to help us! Everyone who wants to add something to this documentation, please write it below or PM me! It would be great if we could find some Da Vinci mini (w) users who can test a little bit with their tags and their printers, so that we can add more information for them too.
Changelog
2017-01-10
- Updated 4.2 Decompiling
- Updated 2.3.2 Important Pages (added values for 300m spool)
- Added message at the beginning of post with the emutag solution.
2016-12-27
- Added model no from xyzware sourcecode for the davinci mini to 3.1
- Updated 4.2 Decompiling
- Added link to the regional tag swap topic at the beginning of this post.
- Added internal model identifiers to 4.2
2016-12-26
- Added 3.1.1 - mini firmware was locked from the beginning
2016-12-23
- Added 4.4 which gives instructions to block firmware update
2016-12-22
- Added the red Warning at the beginning of this Post.
- Added the temperature for "Clear Yellow".
- Added information regarding spool serial number.
- Added "Pearl White" to color list.