Tear down of Cubify cube 3 3D Printer + convert to RepRap

Discussion in '3D printers' started by Oderbang, Dec 6, 2015.

  1. Geezer70

    Geezer70 Journeyman
    Builder

    Joined:
    Sep 30, 2016
    Messages:
    45
    Likes Received:
    9
    You're correct. My bad, Fat fingers....
    Pulled one off a Cube 3 cartridge to verify and read the print stamp on the back of the chip with a microscope.
    Absolutely a DS28E01.
     
  2. Tom Dirriwachter

    Builder

    Joined:
    Aug 30, 2016
    Messages:
    132
    Likes Received:
    10
    Another note: we should be able to intercept these commands... Do you suppose this part of the data stream is also protected?
    If not, it is a quick 7-place lookup table for a very simple hardware attachment. Just pull the ground pin up to RPUP levels.
    Even simpler may be to reroute a command. I suspect MATCH ROM is the write command. Just replace MATCH ROM with SKIP ROM. And to make sure, also reroute the overdrive signals.

    https://datasheets.maximintegrated.com/en/ds/DS28E01-100.pdf

     
  3. eychei

    eychei Journeyman
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    97
    Likes Received:
    21
    But if the system doesn't get the cartridge to write, the cartridge serial can stay in the system. It will never get to write the cartridge to zero.
    What you say is only true if we decrease the filament counter and can reset the chip to "full".
    I just tested an LED, didn't have anything else :) Didn't work, as expected. Voltage drop is too high.
     
  4. eychei

    eychei Journeyman
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    97
    Likes Received:
    21
    @Tom

    To reroute the commands we need to understand the routines in the firmware. We don't know which one is used for the chip.

    I didn't get my PICkit3 yet, and it was not possible to make a backup of the firmware yet. So we can't fiddle with the firmware and write it back if something goes wrong.

    Oh Tim, sorry. I think I get what you were saying. Intercept the commands: man-in-the-middle attack.
     
  5. Tom Dirriwachter

    Builder

    Joined:
    Aug 30, 2016
    Messages:
    132
    Likes Received:
    10
    If it never writes, the cartridge remains valid, just not matching the internal information. How the system responds is another matter.

    I have a dud chip. And 3D Systems replaced the cartridge. It simply doesn't recognize a blank chip as being installed.
     
  6. Tom Dirriwachter

    Builder

    Joined:
    Aug 30, 2016
    Messages:
    132
    Likes Received:
    10
    Fully appreciate the need to interrogate the system's intent. I'm preparing for a hardware add-on with some logic. If we cannot hack the code, we could at least reroute the data.

    Very much looking forward to the disassembly of the firmware.
    And what I was getting at before about the "7 valid commands" - if we can monitor the line, it should have 1 of 7 sequences that could be interpreted into expected actions. If this command is not uniquely encrypted, it is access with a simple 8 bit word.

    With the reconstituting of the code, we will get a better view of what I/O is being exercised when. I have no qualm with simply interrupting the device's intent.

    I did come across another annoying direction for the chip recognition routine. Apparently it knows when a new cartridge comes online and it forces the new cartridge install routing. Just another spider leg to look out for.
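
    Added example, not part of the original thread or any poster's code: a Python decoder that splits a logic-analyser capture of a 1-Wire line into reset-delimited transactions, names the ROM function command (the seven standard ones, which only select which device is addressed) and checks the CRC-8 of a ROM ID sent after MATCH ROM. The timing thresholds are nominal standard-speed values assumed here, overdrive-speed traffic is not decoded, and `synth` only builds constructed test traces.

```python
# Nominal standard-speed 1-Wire timings in microseconds (assumed; overdrive is faster).
RESET_MIN_US = 480   # reset low time, also the minimum reset-high window
ONE_MAX_US = 15      # a short low pulse is a 1 bit, a longer one a 0 bit
ROM_COMMANDS = {0x33: "READ ROM", 0x55: "MATCH ROM", 0xF0: "SEARCH ROM",
                0xCC: "SKIP ROM", 0xA5: "RESUME",
                0x3C: "OVERDRIVE-SKIP ROM", 0x69: "OVERDRIVE-MATCH ROM"}

def crc8(data):
    """Dallas/Maxim CRC-8 (x^8 + x^5 + x^4 + 1), processed LSB first."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8C if crc & 1 else crc >> 1
    return crc

def decode(pulses):
    """pulses: (start_us, low_us) per low pulse. One dict per reset-delimited transaction."""
    out, bits, cur, reset_end = [], [], None, 0
    for start, low in pulses:
        if low >= RESET_MIN_US:                      # reset pulse opens a transaction
            cur = {"presence": False, "bytes": []}
            out.append(cur)
            bits, reset_end = [], start + low
        elif cur is None:
            continue                                 # capture began mid-transaction
        elif start - reset_end < RESET_MIN_US:
            cur["presence"] = True                   # a device answered the reset
        else:
            bits.append(1 if low <= ONE_MAX_US else 0)
            if len(bits) == 8:                       # bytes travel LSB first
                cur["bytes"].append(sum(b << i for i, b in enumerate(bits)))
                bits = []
    for t in out:
        data = t.pop("bytes")
        t["rom_cmd"] = ROM_COMMANDS.get(data[0], "unknown") if data else None
        has_id = t["rom_cmd"] == "MATCH ROM" and len(data) >= 9
        t["rom_id_crc_ok"] = crc8(data[1:8]) == data[8] if has_id else None
        t["payload"] = data[9:] if has_id else data[1:]   # bytes after addressing
    return out

def synth(data, presence=True):
    """Constructed trace for testing: reset, optional presence pulse, 70 us bit slots."""
    pulses, t = [(0, 500)] + ([(530, 120)] if presence else []), 1000
    for byte in data:
        for i in range(8):
            pulses.append((t, 6 if (byte >> i) & 1 else 65))
            t += 70
    return pulses
```

    A transaction with `presence` false and no bytes is what a capture taken with no device on the line looks like to this decoder.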
     
  7. bolsoncerrado

    bolsoncerrado Veteran
    Builder

    Joined:
    Nov 8, 2016
    Messages:
    152
    Likes Received:
    3
    Couldn't we send a fake "Vup" signal to the printer so it thinks it has actually written the chip and it deletes the "pending write" serial from its internal list? In the end this is all about pulses, right?
     
  8. bolsoncerrado

    bolsoncerrado Veteran
    Builder

    Joined:
    Nov 8, 2016
    Messages:
    152
    Likes Received:
    3
    I'm also curious about the people that actually did the switch hack: how do they solve the "memento" write of the 3% chip when they turn the printer back on???
     
  9. bolsoncerrado

    bolsoncerrado Veteran
    Builder

    Joined:
    Nov 8, 2016
    Messages:
    152
    Likes Received:
    3
    What I've noticed is a HUGE difference in print quality between printing an item horizontal or vertical (x or y speaking, NOT z). Check this out, both prints at 200 micron but one seems HIGH resolution, while they're the same file just positioned differently (please note both items are really tiny, pics are with macro on):

    Also note the first pic, seems the print head leaves a mark on them before finishing the print.... Definitely shitful gcode generator in these printers!
     
  10. eychei

    eychei Journeyman
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    97
    Likes Received:
    21
    Hi everyone,

    I did find my logic analyser and sniffed on the cartridge.
    Maybe it can be useful for someone.
    File A is only the data which the Cube 3 is sending when no cartridge is present.
    File A+B is the communication when the cartridge is connected.
    The communication is only active when you click on "Cartridge Status" in the Printer Menu.
     

    Attached Files:

  11. eychei

    eychei Journeyman
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    97
    Likes Received:
    21
    Oh, I did find out something else.
    If you switch the connection on and off rapidly the cartridge status jumps to 99%.
    Will upload a youtube video.
     
    #341 eychei, Jan 2, 2017
    Last edited: Jan 2, 2017
  12. Tom Dirriwachter

    Builder

    Joined:
    Aug 30, 2016
    Messages:
    132
    Likes Received:
    10
    The files just show a toggle going on. Marco/Polo? This may require a scope to see the voltage sags. This also means there is a different hook to this function. I suspect there is a voltage signal active all the time looking for a ground.
     
    #342 Tom Dirriwachter, Jan 2, 2017
    Last edited: Jan 2, 2017
  13. Tom Dirriwachter

    Builder

    Joined:
    Aug 30, 2016
    Messages:
    132
    Likes Received:
    10
    Oh, and the voltage sags will generate a binary data stream :) The data on the pins may be a sync signal.
     
  14. eychei

    eychei Journeyman
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    97
    Likes Received:
    21
    I do have an oscilloscope from Rigol, I could get you the stream. I also have a smaller one, the DSOQuad.
    Do you need it?
     
  15. bolsoncerrado

    bolsoncerrado Veteran
    Builder

    Joined:
    Nov 8, 2016
    Messages:
    152
    Likes Received:
    3
    I think the issue with the switch has to be that if you trigger the switch to the 0% one, the Cube tries to write, but since it's 0 already it refuses to write AND refuses to save the serial of the cart in its "pending overwriting chip" memory.

    Perhaps issuing 0% signals would be the way to go?
     
  16. eychei

    eychei Journeyman
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    97
    Likes Received:
    21
    I don't have a 0% chip installed. This happens when I disconnect the 94% chip.
     
  17. bolsoncerrado

    bolsoncerrado Veteran
    Builder

    Joined:
    Nov 8, 2016
    Messages:
    152
    Likes Received:
    3
    Sorry @eychei, I was referring to a previous post where the switch hack was questioned in regard to the Cube memorizing pending cart rewrites...
     
  18. eychei

    eychei Journeyman
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    97
    Likes Received:
    21
    Oh ok, I didn't find that post.

    Another way of hacking the chip is by side-channel attack. Here is a publication on hacking the chip we have:
    https://www.cs.bham.ac.uk/~oswalddf/publications/cardis_2015_sha1_paper.pdf

    I did read through the paper and think it would be possible to extract the private key with a Chipwhisperer.
    Actually I don't have the money to get one, maybe someone else has one on his bench?
    This was also tried for the cartridges of a Stratasys Uprint, but was never published.
    I know the CEO of the company which is selling uprint filament cartridges and chips. He told me that it did cost him approximately 10.000€ to get the private key for the chips plus new PCB and manufacturing new chips.

    Is someone willing to pay 10.000€ or does someone have a Chipwhisperer for me :)


    P.S. Can someone send me the full datasheet of the DS28E01 please.
     
    #348 eychei, Jan 3, 2017
    Last edited: Jan 3, 2017
  19. Tom Dirriwachter

    Builder

    Joined:
    Aug 30, 2016
    Messages:
    132
    Likes Received:
    10
    Interesting thought. Do you think it forgets to check confirmation that it is the same chip?
     
  20. Tom Dirriwachter

    Builder

    Joined:
    Aug 30, 2016
    Messages:
    132
    Likes Received:
    10
    Great find on the paper, eychei.

    Funny thing is, we don't need to disable or hack the chip itself. We just need to redirect the write function.

    I think you need to get to the other pins in order to get the code from the chip.
     
  21. bolsoncerrado

    bolsoncerrado Veteran
    Builder

    Joined:
    Nov 8, 2016
    Messages:
    152
    Likes Received:
    3
    How much do the chipwhisperers go for?

    Re the switch thing, it's the only explanation I can think of if people are using bulk filament over and over.

    The printer just does NOT store the failed cartridge write, thinking the cart is empty already.... Given the principle of the switch hack is that the printer does not check the cartridge's unique serial again, I guess that's the way the hack is able to work.

    I'll check the other link now.
     
  22. bolsoncerrado

    bolsoncerrado Veteran
    Builder

    Joined:
    Nov 8, 2016
    Messages:
    152
    Likes Received:
    3
  23. bolsoncerrado

    bolsoncerrado Veteran
    Builder

    Joined:
    Nov 8, 2016
    Messages:
    152
    Likes Received:
    3
  24. eychei

    eychei Journeyman
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    97
    Likes Received:
    21
    @bolsoncerrado

    Thx for the link.

    Where did we get the info that the serial of the chip is actually being stored somewhere? I know the Stratasys machines are doing this but I couldn't find any info on the Cube. Is this information really accurate?

    P.S.
    Chipwhisperer costs around 300$ and you have to get a USB-FPGA too for about 200$
     
  25. eychei

    eychei Journeyman
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    97
    Likes Received:
    21
    @bolsoncerrado

    The link is not the full document, I think. There are some references on page 3 to look at the "Full Document".
    Does anyone have access to a "Full" document? Or is this really the "Full" document :)
     
  26. bolsoncerrado

    bolsoncerrado Veteran
    Builder

    Joined:
    Nov 8, 2016
    Messages:
    152
    Likes Received:
    3
  27. bolsoncerrado

    bolsoncerrado Veteran
    Builder

    Joined:
    Nov 8, 2016
    Messages:
    152
    Likes Received:
    3
    RE Chipwhisperer perhaps u can do a quick Kickstarter to get the funds hehe
     
  28. eychei

    eychei Journeyman
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    97
    Likes Received:
    21
    The Google link also only shows the abridged datasheets. The full one has to be requested from Maxim.
     
  29. bolsoncerrado

    bolsoncerrado Veteran
    Builder

    Joined:
    Nov 8, 2016
    Messages:
    152
    Likes Received:
    3
    ****.,

    BTW any1 considering a CubeX Duo or Triple? They look proportionally cheaper than the Cube3.... and u get almost twice the bed size and up to 3 extruders....

    http://amzn.to/2j1RpdV
     
  30. Tom Dirriwachter

    Builder

    Joined:
    Aug 30, 2016
    Messages:
    132
    Likes Received:
    10
    I have a dumb idea... what if we randomly pulled down the power on the line where no intelligent signal can get through after the initial handshake? We should be able to time "noise" to the signal after a certain interval. The datasheets are fairly specific for what is expected. There is an 8 bite limit to the initial data stream. We should be able to initiate an event after this packet is sent and responded to.

    The idea could work if the system only senses presence of the cart-chip and not the data stream. This can be done by testing the voltage on the pull-up resistor that controls this line.
     
