Friday, January 8, 2016

Hacking the XYZ Davinci Jr. Part 2

In my previous post I explained how I was able to capture the passwords for the NFC chips on my XYZ Davinci Jr. In this post I will share some Arduino code I used to read the password protected data, where the remaining length data is, and how to write to the chip.

I started by trying to work through the PN512 chip on the printer itself. I connected the Arduino and could write to the FIFO on the PN512, but could not get it to execute the transceive command. I opted to purchase the PN532 shield from Adafruit. The library for working with the shield is on GitHub here, however it does not support password authentication of NTAG213 cards.  I started working on adding a method to the library for authenticating but was trying to use the wrong communication mode. Thanks to use dcorovia on the Adafruit forums, I was able to authenticate using the following addition to the Adafruit library:

byte Adafruit_PN532::NFC_PWD_AUTH(byte *pwd){
byte result;
#if DEBUG_NFC_PWD_AUTH
Serial.print(F("NFC_PWD_AUTH : "));
#endif
/* Prepare the command */
pn532_packetbuffer[0] = PN532_COMMAND_INCOMMUNICATETHRU;
pn532_packetbuffer[1] = 0x1B; 
memcpy (pn532_packetbuffer+2, pwd, 4); // 4 bytes or 32 bit password.

/* Send the command */

result=sendCommandCheckAck(pn532_packetbuffer, 2+4);
#if DEBUG_NFC_PWD_AUTH
Adafruit_PN532::PrintHexChar(pn532_packetbuffer, 40);
#endif 
if (!result)
{
#if DEBUG_NFC_PWD_AUTH
Serial.println(F("Failed to receive ACK for NFC_PWD_AUTH"));
#endif
return 0;
}
/* Read the response packet 8 + 4 */
readdata(pn532_packetbuffer, 12);
#if DEBUG_NFC_PWD_AUTH
Adafruit_PN532::PrintHexChar(pn532_packetbuffer, 12);
#endif
if (pn532_packetbuffer[7] == 0x00)
{
// response is 00 00 FF 05 FB D5 43 00 00 00 E8 00
pwd[0] = pn532_packetbuffer[8];
pwd[1] = pn532_packetbuffer[9];
}
else
{
// Is pwd is wrong we get 00 00 FF 03 FD D5 43 01 E7 00
// Byte 8 is 01
#if DEBUG_NFC_PWD_AUTH
Serial.println(F("Unexpected response NFC_PWD_AUTH: "));
#endif
return 0;

return 1;
}

With a small modification to the NTAG213 example included with the Adafruit library, I was able to authenticate and read the protected pages of memory:

      byte pwd[] = {0x22, 0x66, 0x52, 0xC6};
      //byte pwd[] = {0x93, 0x1B, 0x18, 0x0C};
      //byte pwd[] = {0x75, 0x9A, 0x67, 0x0D};
      nfc.NFC_PWD_AUTH(pwd);
     // nfc.ntag2xx_Authenticate(pwd);
      for (uint8_t i = 0; i < 42; i++) 
      {
        success = nfc.ntag2xx_ReadPage(i, data);
        
        // Display the current page number
        Serial.print("PAGE ");
        if (i < 10)
        {
          Serial.print("0");
          Serial.print(i);
        }
        else
        {
          Serial.print(i);
        }
        Serial.print(": ");

        // Display the results, depending on 'success'

        if (success) 
        {
          // Dump the page data
          nfc.PrintHexChar(data, 4);
        }
        else
        {
          Serial.println("Unable to read the requested page!");
        }

 See this post for the memory contents. 

I posted the contents to SoliForum. We could see that some of the pages remained unchanged when compared after running a part, but some changed. We knew the changing pages must have the length encoded and  SoliForum user ChunkLady realized they were stored in little-endian (right to left). ChunkLady pointed out that page 10 never changed and was 1000000 in decimal. Page 20 was 82347. This corresponded to 100 meters (original length) and 82 meters (remaining length as reported by the printer itself.

The other pages that change are 21,22, and 23. The function of these pages still needs to be identified. They do have something to do with verifying the remaining length information. When I tried to write just to the remaining length (Page 20), the printer complained that the spool was unrecognized. After writing all the original information back to the chip, the printer accepted it and reported the original remaining length. So the key to the current state here is to capture the state of the chip preferably when it is new and then reset the chip to the known state when you load a roll of 3rd party filament.

Writing to the pages was simple using the Adafruit library:

      byte spoolLen[]={0xAB, 0x41, 0x01, 0x00};
      byte page21[]={0xE3, 0x53, 0x33, 0x54};
      byte page22[]={0x25, 0x4D, 0xE1, 0xCE};
      byte page23[]={0xBF, 0xBC, 0x49, 0x76};
      nfc.ntag2xx_WritePage(20,spoolLen);
      nfc.ntag2xx_WritePage(21,page21);
      nfc.ntag2xx_WritePage(22,page22);
      nfc.ntag2xx_WritePage(23,page23);

I hope this information helps and maybe we can get some more eyes on the remaining problems like cracking the password on the chips so they do not need to be captured with hardware and the function of the other memory pages. It would also be cool to get something working with the on-board PN512 to read and write to the chips without having to have an additional shield.

11 comments:

  1. Nice work! Any chance of spoofing the onboard PN512 with a microcontroller and just telling the mainboard what it wants to hear when it attempts to read /write to the spool?

    ReplyDelete
  2. This comment has been removed by the author.

    ReplyDelete
  3. Anything preventing the possibility of you providing a copy of the data of your password cracked tag to be copied to a fresh tag or an existing tag that has been cleared?

    ReplyDelete
  4. Please continue to update us about unlocking the Da Vinci Junior. Your work and many others, have taught people more about hacking electronics and also about how companies lock down the devices to control what we can do.

    ReplyDelete
  5. Is there a video on YouTube demonstrate this

    ReplyDelete
  6. Is there a video on YouTube demonstrate this

    ReplyDelete
  7. I just purchased a Nobel 1.0 SLA from xyzprinting not knowing about the RFID they use. I have RFID encoders and readers. I can look at the data that way and program writeable RFID chips. However, looking at this mess, I think I will just replace the controller with Adruino tech without any of the RFID nonsense.

    ReplyDelete
  8. Does anybody know if this item works? I'm planning to buy a Da Vinci printer but then i have to be sure this works :-) http://www.ebay.com/itm/XYZprinting-da-Vinci-Filament-Cartridge-Counter-Resetter-Reset-Tool-/131394592808?hash=item1e97ba6028:g:DG4AAOSwQoFWOYid

    ReplyDelete
  9. Hi,

    I am having trouble following your steps. I plugged a numeric oscilloscope (picoscope) to the printer (Da Vinci mini, with the same RFID card system), I think I caught the password. But I ask for the page content using the Adafruit PN532 + library + you athentication code I got "Unable to read ...".
    Thus I connect the picoscope to the Adafruit card to look at what happened and communication is a bit different : whole message in serial for Adafruit, instead of packet message for printer (i got images if needed). Could this be a reason I can't authenticate ?

    ReplyDelete
    Replies
    1. Actually, it works great. The RFID card i was working with may be locked because it reaches the 0 length. With new cards I can perfectly acces to data and modify pages of length.
      Thanks a lot for this pages

      Delete