Wednesday, January 6, 2016

Hacking the XYZ Davinci Jr.

If you purchased the Davinci Jr over the holiday season, or received one as a gift, you may have been surprised to find out that you have to buy XYZ filament. The salesman at Barnes and Noble was telling people you could buy any filament, which is obviously not the case. This post is to document my progress hacking the Davinci Jr.

I started doing a little research to see what other people have found out about the machine so far. There was a thread at SoliForum where people had found some information and dumped the password protected contents of the NFC chip used in the XYZ filament rolls. XYZ uses NTAG213 chips and a PN512 reader chip. My first thought was, "How are they passing the password to the NTAG213?". I couldn't find anything in the datasheet on the PN512 to indicate it supported passing encrypted data to the NFC chip so I assumed it was receiving the password in plain text from the printer. I pulled the left side cover from the printer to get a better look at what was going on with the NFC board.
Left side removed. Arduino and Saleae Logic 4 hooked up to PN512 board.
Close up of PN512 board removed from XYZ Davinci Jr.
Based on the data sheet for the PN512 and checking the board with a multimeter, the pinout  of the connector on the board was : 1. 3.6V, 2. GND, 3. NRSTPD, 4. IRQ, 5. SDA, 6. SCL.

Again, based on the datasheet it was wired for I2C. I hooked up the Saleae Logic 4 I had recently purchased and started capturing information.

Saleae Interface
Now looking at the datasheet for the NTAG213, the password authentication command is 0x1B. I typed that in the Saleae search box and found where that command was being written to the command register on the PN512 to be passed to the NTAG213. The next 4 bytes were the password for the chip: 0x22 0x66 0x52 0xC6.

Here is part 2 with information on using the password grabbed here.


  1. I just got a Jr myself and started looking into the NFC hack. I was going to pick up the Adafruit shield from Microcenter, but I couldn't find it on the shelf. Just as I was about to order it, I began to wonder...Why are we trying to hack the chip? Can't we hack the firmware instead?

    I have read mentions of others putting other firmware on the Jr, but I haven't dug that deep. The whole reason I bought this one was for simplicity and I keep sabotaging the one I built every time I get an idea to "upgrade" something. So I get the idea of going the NFC route. Just a thought.

  2. Any idea on if the password is universal across all printers? I'm looking to hack mine, but I'm trying to minimize the amount of equipment I need to buy.

  3. Hi! I've got a XYZ AiO 1.0 and I need to use some non-proprietary cartridges in it. Do you know how can I do this?

  4. Hello again changed the firmware and it does not help a password. Are there any checksums. On algorithm I came. I left on the reel 32 m filament printing XYZ help recharge the NFC chip. It is a problem.

    Please help me.

  5. Why don't people aim at the machine instead of the spools? It seems to me that the problem could be easier solved by changing the firmware of the printer and have it not look for any RFID tags to print.

    1. That voids you of the warranty, and odds are at some point you may need it repaired or need spare parts that they will no longer freely provide.

  6. Is there any chance to hack the new Da vinci mini filaments?

  7. Would also like to know of any hack for the Da vinci mini w filaments?

  8. Its a pity some circuit board wizz doesn't come up with a hacked chip for the mini. Just a thought