In my previous post I explained how I was able to capture the passwords for the NFC chips on my XYZ Davinci Jr. In this post I will share some Arduino code I used to read the password protected data, where the remaining length data is, and how to write to the chip.
I started by trying to work through the PN512 chip on the printer itself. I connected the Arduino and could write to the FIFO on the PN512, but could not get it to execute the transceive command. I opted to purchase the PN532 shield from Adafruit. The library for working with the shield is on GitHub here; however, it does not support password authentication of NTAG213 cards. I started working on adding a method to the library for authenticating but was trying to use the wrong communication mode. Thanks to user dcorovia on the Adafruit forums, I was able to authenticate using the following addition to the Adafruit library:
```cpp
byte Adafruit_PN532::NFC_PWD_AUTH(byte *pwd) {
  byte result;

#if DEBUG_NFC_PWD_AUTH
  Serial.print(F("NFC_PWD_AUTH : "));
#endif

  /* Prepare the command */
  pn532_packetbuffer[0] = PN532_COMMAND_INCOMMUNICATETHRU;
  pn532_packetbuffer[1] = 0x1B;            // NTAG21x PWD_AUTH command code
  memcpy(pn532_packetbuffer + 2, pwd, 4);  // 4 bytes or 32 bit password.

  /* Send the command */
  result = sendCommandCheckAck(pn532_packetbuffer, 2 + 4);

#if DEBUG_NFC_PWD_AUTH
  Adafruit_PN532::PrintHexChar(pn532_packetbuffer, 40);
#endif

  if (!result) {
#if DEBUG_NFC_PWD_AUTH
    Serial.println(F("Failed to receive ACK for NFC_PWD_AUTH"));
#endif
    return 0;
  }

  /* Read the response packet 8 + 4 */
  readdata(pn532_packetbuffer, 12);

#if DEBUG_NFC_PWD_AUTH
  Adafruit_PN532::PrintHexChar(pn532_packetbuffer, 12);
#endif

  if (pn532_packetbuffer[7] == 0x00) {
    // response is 00 00 FF 05 FB D5 43 00 00 00 E8 00
    // The two bytes after the status byte are the tag's PACK;
    // they are returned to the caller in pwd[0] and pwd[1].
    pwd[0] = pn532_packetbuffer[8];
    pwd[1] = pn532_packetbuffer[9];
  } else {
    // If pwd is wrong we get 00 00 FF 03 FD D5 43 01 E7 00
    // The status byte (index 7) is 01
#if DEBUG_NFC_PWD_AUTH
    Serial.println(F("Unexpected response NFC_PWD_AUTH: "));
#endif
    return 0;
  }

  return 1;
}
```
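The function above only looks at byte 7 of the reply. As an added example (host-side C++, not part of the original post or the Adafruit library), the two response frames quoted in its comments can be checked in full: start code, length checksum and data checksum are verified before the status byte and PACK are trusted. `PwdAuthResult` and `parsePwdAuthResponse` are names chosen here for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct PwdAuthResult {
    bool frameValid;   // start code, LCS and DCS all verified
    uint8_t status;    // InCommunicateThru status byte (0x00 = success)
    bool hasPack;      // tag answered with its 2-byte PACK
    uint8_t pack[2];
};

// PN532 frame: 00 00 FF LEN LCS TFI CMD data... DCS 00
PwdAuthResult parsePwdAuthResponse(const std::vector<uint8_t>& f) {
    PwdAuthResult r{false, 0xFF, false, {0, 0}};
    if (f.size() < 10 || f[0] != 0x00 || f[1] != 0x00 || f[2] != 0xFF) return r;
    const uint8_t len = f[3];
    if (static_cast<uint8_t>(len + f[4]) != 0) return r;        // LEN + LCS == 0 (mod 256)
    if (len < 3 || f.size() < static_cast<size_t>(len) + 7) return r;
    uint8_t sum = 0;
    for (size_t i = 0; i <= len; i++) sum += f[5 + i];           // TFI + data + DCS
    if (sum != 0) return r;                                      // must sum to 0 (mod 256)
    if (f[5] != 0xD5 || f[6] != 0x43) return r;                  // PN532->host, reply to 0x42
    r.frameValid = true;
    r.status = f[7];
    if (r.status == 0x00 && len >= 5) {                          // D5 43 00 PACK0 PACK1
        r.hasPack = true;
        r.pack[0] = f[8];
        r.pack[1] = f[9];
    }
    return r;
}

int main() {
    // Both frames are the ones quoted in the NFC_PWD_AUTH comments.
    const std::vector<uint8_t> ok  = {0x00,0x00,0xFF,0x05,0xFB,0xD5,0x43,0x00,0x00,0x00,0xE8,0x00};
    const std::vector<uint8_t> bad = {0x00,0x00,0xFF,0x03,0xFD,0xD5,0x43,0x01,0xE7,0x00};
    for (const auto& f : {ok, bad}) {
        const PwdAuthResult r = parsePwdAuthResponse(f);
        std::printf("valid=%d status=%02X pack=%d\n", r.frameValid, r.status, r.hasPack);
    }
    return 0;
}
```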
With a small modification to the NTAG213 example included with the Adafruit library, I was able to authenticate and read the protected pages of memory:
```cpp
// `success` and `data` are assumed to be declared as in the Adafruit example sketch.
byte pwd[] = {0x22, 0x66, 0x52, 0xC6};
//byte pwd[] = {0x93, 0x1B, 0x18, 0x0C};
//byte pwd[] = {0x75, 0x9A, 0x67, 0x0D};
nfc.NFC_PWD_AUTH(pwd);  // on success pwd[0] and pwd[1] are overwritten with the PACK
// nfc.ntag2xx_Authenticate(pwd);

for (uint8_t i = 0; i < 42; i++)
{
  success = nfc.ntag2xx_ReadPage(i, data);

  // Display the current page number
  Serial.print("PAGE ");
  if (i < 10)
  {
    Serial.print("0");
    Serial.print(i);
  }
  else
  {
    Serial.print(i);
  }
  Serial.print(": ");

  // Display the results, depending on 'success'
  if (success)
  {
    // Dump the page data
    nfc.PrintHexChar(data, 4);
  }
  else
  {
    Serial.println("Unable to read the requested page!");
  }
}
```
See this post for the memory contents.
I posted the contents to SoliForum. We could see that some of the pages remained unchanged when compared after running a part, but some changed. We knew the changing pages must have the length encoded, and SoliForum user ChunkLady realized the values were stored in little-endian (right to left). ChunkLady pointed out that page 10 never changed and was 1000000 in decimal. Page 20 was 82347. This corresponded to 100 meters (original length) and 82 meters (remaining length as reported by the printer itself).
The other pages that change are 21, 22, and 23. The function of these pages still needs to be identified. They do have something to do with verifying the remaining length information. When I tried to write just to the remaining length (Page 20), the printer complained that the spool was unrecognized. After writing all the original information back to the chip, the printer accepted it and reported the original remaining length. So the key here is to capture the state of the chip, preferably when it is new, and then reset the chip to that known state when you load a roll of 3rd party filament.
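The page-by-page comparison described above can be reproduced on saved dump text. This added example (not from the original post) parses `PAGE nn:` lines, decodes a page as a little-endian 32-bit integer and lists the pages that differ between two snapshots. The `FRESH` snapshot is constructed, and all function names are chosen here for illustration.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <map>
#include <sstream>
#include <string>
#include <vector>

using Page = std::array<uint8_t, 4>;
using Dump = std::map<int, Page>;

// Pages 10, 11 and 20-23 from the first dump on this page.
const char* USED = "PAGE 10: A0 86 01 00\nPAGE 11: A0 86 01 00\nPAGE 20: AB 41 01 00\n"
                   "PAGE 21: E3 53 33 54\nPAGE 22: 25 4D E1 CE\nPAGE 23: BF BC 49 76\n";
// Constructed earlier snapshot: page 20 equals page 10, pages 21-23 are placeholders.
const char* FRESH = "PAGE 10: A0 86 01 00\nPAGE 11: A0 86 01 00\nPAGE 20: A0 86 01 00\n"
                    "PAGE 21: AA AA AA AA\nPAGE 22: BB BB BB BB\nPAGE 23: CC CC CC CC\n";

// Parse "PAGE nn: b0 b1 b2 b3 ...." lines; the trailing ASCII column is ignored.
Dump parseDump(const std::string& text) {
    Dump d;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        int page; unsigned b[4];
        if (std::sscanf(line.c_str(), "PAGE %d: %x %x %x %x", &page, &b[0], &b[1], &b[2], &b[3]) == 5)
            d[page] = Page{uint8_t(b[0]), uint8_t(b[1]), uint8_t(b[2]), uint8_t(b[3])};
    }
    return d;
}
// Little-endian: the first byte of the page is the least significant.
uint32_t leU32(const Page& p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}
// Pages present in both snapshots whose four bytes differ.
std::vector<int> changedPages(const Dump& before, const Dump& after) {
    std::vector<int> out;
    for (const auto& kv : before) {
        auto it = after.find(kv.first);
        if (it != after.end() && it->second != kv.second) out.push_back(kv.first);
    }
    return out;
}

int main() {
    const Dump fresh = parseDump(FRESH), used = parseDump(USED);
    std::printf("page 10 = %u, page 20 = %u\n", leU32(used.at(10)), leU32(used.at(20)));
    for (int p : changedPages(fresh, used)) std::printf("changed: page %d\n", p);
    return 0;
}
```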
Writing to the pages was simple using the Adafruit library:
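```cpp
// Values for pages 20-23 as captured in the first dump (82347, little-endian, in page 20).
byte spoolLen[] = {0xAB, 0x41, 0x01, 0x00};
byte page21[]   = {0xE3, 0x53, 0x33, 0x54};
byte page22[]   = {0x25, 0x4D, 0xE1, 0xCE};
byte page23[]   = {0xBF, 0xBC, 0x49, 0x76};

// Pages 20-23 are written together; writing page 20 alone was rejected by the printer.
nfc.ntag2xx_WritePage(20, spoolLen);
nfc.ntag2xx_WritePage(21, page21);
nfc.ntag2xx_WritePage(22, page22);
nfc.ntag2xx_WritePage(23, page23);
```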
I hope this information helps and maybe we can get some more eyes on the remaining problems like cracking the password on the chips so they do not need to be captured with hardware and the function of the other memory pages. It would also be cool to get something working with the on-board PN512 to read and write to the chips without having to have an additional shield.
Friday, January 8, 2016
Thursday, January 7, 2016
JunkBot
Here is a bot I made from some stuff I had lying around. It is kind of a typical RC car platform with an Arduino Uno. I had picked up a few Unos and Seeed Motor Shields at some Radio Shack clearance sales.
The "eyes" are a Parallax Ping ultrasound sensor from the same Radio Shack sale.
Right now it just backs up when it detects something within 5 inches of the ultrasound device.
XYZ NFC Chip Passwords
Here are the authenticated dumps from a few XYZ spools:
UID Value: 0x04 0x38 0xDC 0x22 0x9A 0x3D 0x81
PWD: 0x22 0x66 0x52 0xC6
PAGE 00: 04 38 DC 68 .8�h
PAGE 01: 22 9A 3D 81 "�=�
PAGE 02: 04 48 00 00 .H..
PAGE 03: E1 10 12 00 �...
PAGE 04: 01 03 A0 0C ..�.
PAGE 05: 34 03 00 FE 4..�
PAGE 06: 00 00 00 00 ....
PAGE 07: 00 00 00 00 ....
PAGE 08: 5A 50 5A 00 ZPZ.
PAGE 09: 00 35 35 36 .556
PAGE 10: A0 86 01 00 ��..
PAGE 11: A0 86 01 00 ��..
PAGE 12: D2 00 2D 00 �.-.
PAGE 13: 54 48 47 42 THGB
PAGE 14: 30 34 37 39 0479
PAGE 15: 00 00 00 00 ....
PAGE 16: 00 00 00 00 ....
PAGE 17: 34 00 00 00 4...
PAGE 18: 00 00 00 00 ....
PAGE 19: 00 00 00 00 ....
PAGE 20: AB 41 01 00 �A..
PAGE 21: E3 53 33 54 �S3T
PAGE 22: 25 4D E1 CE %M��
PAGE 23: BF BC 49 76 ��Iv
PAGE 24: 00 00 00 00 ....
PAGE 25: 00 00 00 00 ....
PAGE 26: 00 00 00 00 ....
PAGE 27: 00 00 00 00 ....
PAGE 28: 00 00 00 00 ....
PAGE 29: 00 00 00 00 ....
PAGE 30: 00 00 00 00 ....
PAGE 31: 00 00 00 00 ....
PAGE 32: 00 00 00 00 ....
PAGE 33: 00 00 00 00 ....
PAGE 34: 00 00 00 00 ....
PAGE 35: 00 00 00 00 ....
PAGE 36: 00 00 00 00 ....
PAGE 37: 00 00 00 00 ....
PAGE 38: 00 00 00 00 ....
PAGE 39: 00 00 00 00 ....
PAGE 40: 00 00 00 BD ...�
PAGE 41: 07 00 00 08 ....
UID Value: 0x04 0x20 0x57 0x22 0x97 0x3C 0x80
PWD: 0x93 0x1B 0x18 0x0C
PAGE 00: 04 20 57 FB . W�
PAGE 01: 22 97 3C 80 "�<�
PAGE 02: 09 48 00 00 .H..
PAGE 03: E1 10 12 00 �...
PAGE 04: 01 03 A0 0C ..�.
PAGE 05: 34 03 00 FE 4..�
PAGE 06: 00 00 00 00 ....
PAGE 07: 00 00 00 00 ....
PAGE 08: 5A 50 50 00 ZPP.
PAGE 09: 00 35 34 54 .54T
PAGE 10: 40 0D 03 00 @...
PAGE 11: 40 0D 03 00 @...
PAGE 12: D2 00 2D 00 �.-.
PAGE 13: 54 48 47 42 THGB
PAGE 14: 30 34 39 35 0495
PAGE 15: 00 00 00 00 ....
PAGE 16: 00 00 00 00 ....
PAGE 17: 34 00 00 00 4...
PAGE 18: 00 00 00 00 ....
PAGE 19: 00 00 00 00 ....
PAGE 20: 40 0D 03 00 @...
PAGE 21: 08 1F 31 54 ..1T
PAGE 22: 50 B1 E0 CE P���
PAGE 23: 52 E7 4F 76 R�Ov
PAGE 24: 00 00 00 00 ....
PAGE 25: 00 00 00 00 ....
PAGE 26: 00 00 00 00 ....
PAGE 27: 00 00 00 00 ....
PAGE 28: 00 00 00 00 ....
PAGE 29: 00 00 00 00 ....
PAGE 30: 00 00 00 00 ....
PAGE 31: 00 00 00 00 ....
PAGE 32: 00 00 00 00 ....
PAGE 33: 00 00 00 00 ....
PAGE 34: 00 00 00 00 ....
PAGE 35: 00 00 00 00 ....
PAGE 36: 00 00 00 00 ....
PAGE 37: 00 00 00 00 ....
PAGE 38: 00 00 00 00 ....
PAGE 39: 00 00 00 00 ....
PAGE 40: 00 00 00 BD ...�
PAGE 41: 07 00 00 08 ....
UID Value: 0x04 0x4F 0x57 0x22 0x97 0x3C 0x80
PWD: 0x75 0x9A 0x67 0x0D
PAGE 00: 04 4F 57 94 .OW�
PAGE 01: 22 97 3C 80 "�<�
PAGE 02: 09 48 00 00 .H..
PAGE 03: E1 10 12 00 �...
PAGE 04: 01 03 A0 0C ..�.
PAGE 05: 34 03 00 FE 4..�
PAGE 06: 00 00 00 00 ....
PAGE 07: 00 00 00 00 ....
PAGE 08: 5A 50 50 00 ZPP.
PAGE 09: 00 35 34 54 .54T
PAGE 10: 40 0D 03 00 @...
PAGE 11: 40 0D 03 00 @...
PAGE 12: D2 00 2D 00 �.-.
PAGE 13: 54 48 47 42 THGB
PAGE 14: 30 31 32 33 0123
PAGE 15: 00 00 00 00 ....
PAGE 16: 00 00 00 00 ....
PAGE 17: 34 00 00 00 4...
PAGE 18: 00 00 00 00 ....
PAGE 19: 00 00 00 00 ....
PAGE 20: 40 0D 03 00 @...
PAGE 21: 08 1F 31 54 ..1T
PAGE 22: 50 B1 E0 CE P���
PAGE 23: 52 E7 4F 76 R�Ov
PAGE 24: 00 00 00 00 ....
PAGE 25: 00 00 00 00 ....
PAGE 26: 00 00 00 00 ....
PAGE 27: 00 00 00 00 ....
PAGE 28: 00 00 00 00 ....
PAGE 29: 00 00 00 00 ....
PAGE 30: 00 00 00 00 ....
PAGE 31: 00 00 00 00 ....
PAGE 32: 00 00 00 00 ....
PAGE 33: 00 00 00 00 ....
PAGE 34: 00 00 00 00 ....
PAGE 35: 00 00 00 00 ....
PAGE 36: 00 00 00 00 ....
PAGE 37: 00 00 00 00 ....
PAGE 38: 00 00 00 00 ....
PAGE 39: 00 00 00 00 ....
PAGE 40: 00 00 00 BD ...�
PAGE 41: 07 00 00 08 ....
Wednesday, January 6, 2016
Davinci Jr Parts Separating from Platen
I was reading that some people were using hairspray to keep parts from lifting off the glass on their Davinci Jr. I took it a step further and tried some 3M Super 77 spray adhesive. It works great! Parts are firmly bonded to the glass platen for the duration of the print. They are a little tough to remove, so I would suggest only using it on larger parts (these are the ones where I was having a lifting problem). Also, remove any tape you have on the glass. The Super 77 lays on fairly thick, and if you leave the tape on, the nozzle ends up in the Super 77.
Hacking the XYZ Davinci Jr.
If you purchased the Davinci Jr over the holiday season, or received one as a gift, you may have been surprised to find out that you have to buy XYZ filament. The salesman at Barnes and Noble was telling people you could buy any filament, which is obviously not the case. This post is to document my progress hacking the Davinci Jr.
I started doing a little research to see what other people have found out about the machine so far. There was a thread at SoliForum where people had found some information and dumped the password protected contents of the NFC chip used in the XYZ filament rolls. XYZ uses NTAG213 chips and a PN512 reader chip. My first thought was, "How are they passing the password to the NTAG213?". I couldn't find anything in the datasheet on the PN512 to indicate it supported passing encrypted data to the NFC chip so I assumed it was receiving the password in plain text from the printer. I pulled the left side cover from the printer to get a better look at what was going on with the NFC board.
[Image: Left side removed. Arduino and Saleae Logic 4 hooked up to PN512 board.]
[Image: Close up of PN512 board removed from XYZ Davinci Jr.]
Based on the datasheet for the PN512 and checking the board with a multimeter, the pinout of the connector on the board was: 1. 3.6V, 2. GND, 3. NRSTPD, 4. IRQ, 5. SDA, 6. SCL.
Again, based on the datasheet it was wired for I2C. I hooked up the Saleae Logic 4 I had recently purchased and started capturing information.
[Image: Saleae Interface]
Here is part 2 with information on using the password grabbed here.