Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Disassemble XYZ Firmware
#1
Has anyone tried disassembling the XYZ firmware? It looks to be uncompressed in part (there's a load of plaintext in there), but I've not been able to find any sensible code yet using Thumb or ARM.
Reply
#2
It would help if I selected the right processor variant. Huh

Ok, disassembles fine. Why hasn't anyone just removed the filament check from the firmware?
Reply
#3
May be because reverse engineering is illegal and no one claimed it on public forum

Do you mind to share what tool do you use ? in spirit of educational knowledge of course Smile

FYI : There an old G version that exists for 1.0, when no G existed at this time, I am pretty sure it was done like this :whistle: but I am just guessing :whistle:
Reply
#4
What was the processor variant you used for disassembly and what info have you found in the firmware?

@luc - I'm in Australia where reverse engineering and modifying something you have purchased for your own use is 100% legal, so more than happy to post and share anything I learn.
Reply
#5
Thanks I am really interested about tools an method actually
Reply
#6
I thought after the iPhone jailbreaking debacle opening things up like this was legal?

The processor on the Da Vinci board is a SAM3X8E which is a Cortex-M3 core. You can use any dis-assembler capable of disassembling that instruction set (IDA Pro is very good if you can afford it). You can get the datasheet for the processor here which gives the memory map.

Things disassemble fine, so the processor variant is good, but the address code is located at is wrong. I'm guessing the firmware image is split into multiple memory areas, although I don't know what they are yet. Once you know this its easy to work backwards from strings to find out what variables are (printing filament left on the LCD for example) and then modify the code which tests for filament length.
Reply
#7
Thanks a lot I will have a look
Reply
#8
If you load it to 0xa0000 it disassembles correctly and you can start tracing the text back.
Reply
#9
Please post the exact settings you used. Also which copy of the firmware are you working on?
Reply
#10
Ok, I found out where it gets the filament length left to print on the display and where it reads the cartridge eeproms. In theory I should just be able to return a constant number from the get filament length function and as long as that function is used consistently this will effectively disable the filament lock.

Does anyone know how to actually manually flash the printer? There is a reference to FW_upgrade.dat, but that would need access to the SD card. Is there a manual flash selection in the XYZ software?

Edit: Ok, you can do a manual flash with:

1. Disconnect from the internet
2. Try to upgrade firmware using the button in the About / Help dialog box within XYZware
3. After a while, it times out and opens a file browser to select a firmware file.

Anyone know where I can download the latest firmware? I've been working on 1.0.3 -- not sure how new that is.
Reply
#11
Will it really work with XYZWare though? I'd presume that there is some sort of code signing enforced, or at least some form of validation to prevent uploading corrupted firmware files.

Although you could always use the bossac utility that comes with Arduino IDE to flash your custom firmware, just as it's done with Repetier.
Reply
#12
another way is to use one of the zip - there is a manual tool - just need to rename bin file like the one the tool use
http://xyzware.linzh.tw/beta/fw/
Reply
#13
The firmware image looks to be a straight dump, there's no headers or encryption or compression or anything. I'll find out later today. Smile I can believe there is no CRC check however -- I did a similar hack on an oscilloscope firmware and that had no CRC check either.

The bigger question for me is if there are any other checks. It does appear to just use this one function for testing before printing etc, to ensure you have enough filament, so I hope we're good. Once I'm sure it works and reports a constant filament length I'll post it up for others to try. Hopefully this will do away with the chip resetting stuff, unless you wanted to change any of the other parameters in the EEPROM....
Reply
#14
Anyone know the difference between the 1.x and 2.x firmwares? Is it just 1.x firmware for "1" machines and 2.x for "2" machines?
Reply
#15
in the link I gave it is the case 2 = duo 1 = 1.0
Reply
#16
My understanding is the tool use the Dave command to do the FW update:
https://forum.voltivo.com/showthread.php?tid=7974

[email protected]:3 - Goes into firmware update , send M1:firmware,# of bytes , eg M1:firmware,249344 , then send bin file
Reply
#17
Ok latest V2.0.J disassembled -- there's a fair bit more logging detail in there, which is handy to figure out what's going on. I've patched it to return 240m for capacity and remaining length at all times. I'll flash my printer tomorrow now and see how we go.
Reply
#18
Ah, well, that was a bit of a letdown. I cant use the firmware as I have the 2.0A which needs a different firmware due to the newer mainboard, which is encrypted so it cant be modified. I believe what I have will work, but I cant test it. Sad

I've now switched to Repetier instead.
Reply
#19
Post it anyway, it may be of use to others.
Reply
#20
I find myself very intrigued by this possibility, I have a 1.0. I am a beginner in the 3d printer world so my satisfaction with the XYZ software is actually quite high. I have yet to experience a failed print and other than a challenging first bed leveling experience I am happy with my purchase.

I hope that you can share with us the tools that you are using to do the dis-assembly and reassembly of the firmware. I'm not a machine language guy but have been programming in the microsoft world for years but not at the expert level.

I am shying away from loading repetier since my experience so far has been so good.

Any information that you can share on the steps you have taken would be great!
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)