Wednesday, January 6, 2016

Hacking the XYZ Davinci Jr.


If you purchased the Davinci Jr over the holiday season, or received one as a gift, you may have been surprised to find out that you have to buy XYZ filament. The salesman at Barnes and Noble was telling people you could buy any filament, which is obviously not the case. This post is to document my progress hacking the Davinci Jr.

I started doing a little research to see what other people had found out about the machine so far. There was a thread at SoliForum where people had found some information and dumped the password-protected contents of the NFC chip used in the XYZ filament rolls. XYZ uses NTAG213 chips and a PN512 reader chip. My first thought was, "How are they passing the password to the NTAG213?" I couldn't find anything in the PN512 datasheet to indicate it supported passing encrypted data to the NFC chip, so I assumed it was receiving the password in plain text from the printer. I pulled the left side cover from the printer to get a better look at what was going on with the NFC board.
Left side removed. Arduino and Saleae Logic 4 hooked up to PN512 board.
Close up of PN512 board removed from XYZ Davinci Jr.
Based on the datasheet for the PN512 and checking the board with a multimeter, the pinout of the connector on the board was: 1. 3.6V, 2. GND, 3. NRSTPD, 4. IRQ, 5. SDA, 6. SCL.

Again, based on the datasheet, it was wired for I2C. I hooked up the Saleae Logic 4 I had recently purchased and started capturing traffic on the bus.

Saleae Interface
Now looking at the datasheet for the NTAG213, the password authentication command is 0x1B. I typed that into the Saleae search box and found where that command was being written to the command register on the PN512 to be passed on to the NTAG213. The next 4 bytes were the password for the chip: 0x22 0x66 0x52 0xC6.
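To make that exchange concrete, here is an added example (my code, not the post's, XYZ's or NXP's) that builds and parses the NTAG213 PWD_AUTH frame as the tag sees it over the air: the 0x1B command, the 4-byte password, and the 16-bit PACK the tag returns on success, each wrapped in the ISO/IEC 14443-3 CRC_A that the PN512 appends and checks in hardware. The password bytes are the ones reported in the post; the PACK value is a constructed sample, since the post does not report the real one. The point of the example is how little stands between a bus sniffer and the secret: every byte of the credential crosses the I2C link and the RF link in the clear.

```python
"""NTAG213 PWD_AUTH frame walk-through (added example; not the post's code)."""
from typing import Optional

PWD_AUTH = 0x1B            # NTAG21x password-authentication command code
PASSWORD_LEN = 4           # NTAG21x passwords are 32 bits
PACK_LEN = 2               # the tag's 16-bit password acknowledge

# Password bytes reported in the post, used here only as sample input.
POST_PASSWORD = bytes.fromhex("226652C6")


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (init 0x6363, poly 0x8408), returned LSB first.

    The PN512 normally appends/checks this in hardware, which is why it is
    absent from the MCU's I2C register writes but present on the RF interface.
    """
    crc = 0x6363
    for b in data:
        ch = b ^ (crc & 0xFF)
        ch ^= (ch << 4) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def build_pwd_auth(password: bytes) -> bytes:
    """Reader -> tag: 0x1B + PWD[0..3] + CRC_A. Nothing here is encrypted."""
    if len(password) != PASSWORD_LEN:
        raise ValueError("NTAG21x passwords are exactly 4 bytes")
    body = bytes([PWD_AUTH]) + password
    return body + crc_a(body)


def build_pack(pack: bytes) -> bytes:
    """Tag -> reader on success: PACK[0..1] + CRC_A.

    A wrong password gets a 4-bit NAK instead of a PACK frame.
    """
    if len(pack) != PACK_LEN:
        raise ValueError("PACK is exactly 2 bytes")
    return pack + crc_a(pack)


def _strip_crc(frame: bytes) -> Optional[bytes]:
    """Return the payload if the trailing CRC_A is valid, else None."""
    if len(frame) < 3:
        return None
    body, crc = frame[:-2], frame[-2:]
    return body if crc_a(body) == crc else None


def parse_pwd_auth(frame: bytes) -> Optional[bytes]:
    """Recover the password from a reader->tag frame, or None if it is not a valid PWD_AUTH."""
    body = _strip_crc(frame)
    if body is None or len(body) != 1 + PASSWORD_LEN or body[0] != PWD_AUTH:
        return None
    return body[1:]


def parse_pack(frame: bytes) -> Optional[bytes]:
    """Recover the PACK from a tag->reader frame, or None if the CRC or length is wrong."""
    body = _strip_crc(frame)
    if body is None or len(body) != PACK_LEN:
        return None
    return body


def describe_exchange(password: bytes, pack: bytes) -> dict:
    """Both sides of a successful authentication, as seen on the wire."""
    cmd = build_pwd_auth(password)
    rsp = build_pack(pack)
    return {
        "reader_to_tag": cmd.hex(" "),
        "tag_to_reader": rsp.hex(" "),
        "secret_bits_in_clear": 8 * (PASSWORD_LEN + PACK_LEN),
        "password_recovered": parse_pwd_auth(cmd) == password,
    }


if __name__ == "__main__":
    # The PACK value below is constructed; the post does not report the real one.
    for key, value in describe_exchange(POST_PASSWORD, bytes.fromhex("BEEF")).items():
        print(f"{key}: {value}")
```

The design caveat this illustrates: NTAG21x password authentication is a 32-bit shared secret with no challenge-response, so the same bytes are replayed on every authentication and anyone with a logic analyser on the I2C lines, or an RF sniffer, recovers them on the first capture. The tag's AUTHLIM counter only rate-limits wrong guesses; it does nothing against capture of the correct password. Protecting a secret like this needs it to never leave the host in plain form (a reader that does mutual authentication, or a tag family with session keys), not a stronger reader chip.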

Here is part 2 with information on using the password grabbed here.


25 comments:

  1. I just got a Jr myself and started looking into the NFC hack. I was going to pick up the Adafruit shield from Microcenter, but I couldn't find it on the shelf. Just as I was about to order it, I began to wonder... Why are we trying to hack the chip? Can't we hack the firmware instead?

    I have read mentions of others putting other firmware on the Jr, but I haven't dug that deep. The whole reason I bought this one was for simplicity and I keep sabotaging the one I built every time I get an idea to "upgrade" something. So I get the idea of going the NFC route. Just a thought.

  2. Any idea on if the password is universal across all printers? I'm looking to hack mine, but I'm trying to minimize the amount of equipment I need to buy.

  3. Hi! I've got an XYZ AiO 1.0 and I need to use some non-proprietary cartridges in it. Do you know how I can do this?

    1. Buy the filament you want, buy a discounted jr filament in an odd color, respool the good filament onto the chipped Jr spool

  4. Hello again. Changed the firmware and it does not help a password. Are there any checksums? On algorithm I came. I left on the reel 32 m filament printing XYZ help recharge the NFC chip. It is a problem.

    Please help me.

  5. Why don't people aim at the machine instead of the spools? It seems to me that the problem could be easier solved by changing the firmware of the printer and have it not look for any RFID tags to print.

    1. That voids your warranty, and odds are at some point you may need it repaired or need spare parts that they will no longer freely provide.

  6. Is there any chance to hack the new Da vinci mini filaments?

  7. Would also like to know of any hack for the Da vinci mini w filaments?

  8. It's a pity some circuit-board whizz doesn't come up with a hacked chip for the mini. Just a thought.

  9. I've given up on hacking the RFID chip - I've been able to reset them, but the printer won't accept the reset chips.

    My next project will be to replace the XYZ board with a RAMPS board - tutorials are easy enough to find online, and it looks like it'll only run about $50 to do.

    1. I wonder if there is a unique serial number that the printer is using to keep track of that specific spool, and then checking to see if the value has been modified. All they would have to do is compare the current value with the previously reported value and reject it if it were greater than it. Is any sort of unique identifier reported to the firmware, and is it possible to change it? I may have to start digging into this myself.
