Welcome to Our Community

Some features disabled for guests. Register Today.

Tear down of Cubify cube 3 3D Printer + convert to RepRap

Discussion in '3D printers' started by Oderbang, Dec 6, 2015.

  1. Geezer70

    Geezer70 New
    Builder

    Joined:
    Sep 30, 2016
    Messages:
    48
    Likes Received:
    12
    @Kiza I would appreciate the IDA files also.

    Or, if it is ok with you eychei could share ;)
     
  2. Kiza

    Kiza New
    Builder

    Joined:
    Dec 1, 2016
    Messages:
    75
    Likes Received:
    3
  3. eychei

    eychei Well-Known
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    143
    Likes Received:
    37
    I think getting a chipkit would be easier then trying to emulate the code with qemu. But if you could get it working it would be awesome. We could run everything in the emulator and test the code before flashing.
    Maybe Geezer70 can help with the SPIs and ICs he can run the code on his development board already.
     
  4. Geezer70

    Geezer70 New
    Builder

    Joined:
    Sep 30, 2016
    Messages:
    48
    Likes Received:
    12
    When you get the *.hex file loaded in MPLAB look at the C3_peripherals, all of the register assignments by address are listed.
    Are you familiar with how the PIC32 does I/O on its Ports? It is not at all like an Arduino or other dedicated I/O chips.
    I have 3DS firmware running on the WF32. However, because I have no HID to control it, it just sits fat dumb and happy waiting
    for a command.
    I haven't been hacking the SW lately, more into coding and decoding the G-Codes, which works quit well.
    Glad you guys are poking me. I needed inspiration to get back into whacking the SW. Especially with IDA.
    L8R G70
     
  5. eychei

    eychei Well-Known
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    143
    Likes Received:
    37
    The main problem with the g-codes are that you can't control the filament cartridge. The steps of the extruder are counted.
    So g code is only helpfully for using simplify3d or other slicing software. The only problem i see with cubeprint is the support generation which can be done with another software like meshmixer. It will generate support as a second file and you can change the extruder for the support structure in cubeprint.

    Is it possible to connect the cartridge to your chip kit?
    I think we could hack the original software to write the cartridges like we want. How about changing the step counts to be negative for the extruder ?
     
  6. eychei

    eychei Well-Known
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    143
    Likes Received:
    37
    Can someone plug in a USB Cable on the side of the Cube 3 and try to get into bootloader mode.
    There is a software in the Cube Print installation directory called HIDBOOTLOADER.EXE.

    If we can connect through that, firmware backup and flashing will be easier.
     
  7. eychei

    eychei Well-Known
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    143
    Likes Received:
    37
    Another thing I did find out is that Port 30304 is open and used for file transfer. Protocol is BEEP.
    Just connect it with putty or other terminal program on Port 30304.
    Send the following command:
    {"header":{"msg_type":1,"msg_method":1,"version":1},"payload":{}}

    You can vary with the code and get other messages back, like extruder Temp and Cartridge status etc.

    I am using MobaXterm. To send the command copy paste the command from here hit Enter Key on your keyboard a "^M" command will show up, then press CTRL+ENTER to send the command. ^M is carriage return.
     
  8. bolsoncerrado

    bolsoncerrado Well-Known
    Builder

    Joined:
    Nov 8, 2016
    Messages:
    229
    Likes Received:
    7
    Thanls for sharing all hacking guys! Would u mind crossposting these to Cube3 too? We have some tech savy people there too perhaps we can join forces ;)

    Also the wiki is set up and running in case you wanna share your findings re the mobo and such ;)

    i plan to dissassemble a brand new unit and take hi res pics of it too, just for the rest of people inclined to hack it evenn more.

    Any of you running 3rd part y filament care to share pics of their cart setups? :)

    Any of you foiund out if the LCD is propietary or open market?
     
  9. Geezer70

    Geezer70 New
    Builder

    Joined:
    Sep 30, 2016
    Messages:
    48
    Likes Received:
    12
    Connected w/Putty Raw port 30304
    i get:
    {"header":{"msg_type":3,"msg_method":0,"version":1},"payload":{"error_code":101,"error_category":1,"error_msg":"Invalid header"}}

    ^@ refreshes the above

    I never used BEEP before interesting.....

    See what I mean? Gimme, GIMME, GIMME...Lol
     
  10. eychei

    eychei Well-Known
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    143
    Likes Received:
    37
    Try this first

    {"header":{"msg_type":1,"msg_method":16,"version":1},"payload":{}}
     
  11. Geezer70

    Geezer70 New
    Builder

    Joined:
    Sep 30, 2016
    Messages:
    48
    Likes Received:
    12
    eychei asked:"Is it possible to connect the cartridge to your chip kit?

    I haven't tried a direct connection to the Dallas Chip in the Cartridge. However, it uses SHA256 so without the response key I would only get garbage.
    Different conversation:
    I tried length ".01" in the header and trailer of the G-Code and seemed to not de-increment filament used. I'll try with larger print, if I can get thru
    it without a cartridge jam...POS
     
  12. Geezer70

    Geezer70 New
    Builder

    Joined:
    Sep 30, 2016
    Messages:
    48
    Likes Received:
    12
    @eychei
    Didn't work I'll try X-Term session next.
    BTW, GREAT FIND, DUDE!!!!!
     
  13. eychei

    eychei Well-Known
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    143
    Likes Received:
    37
    Actually i tried simplify3d with that option too.

    It seemed to me that the cartridge amount wasn't changing. But didn't try a longer print yet.
    What i meant with connecting the cartridge was that when you use the original firmware it should also write to the chip without us knowing the key.

    This is also used in software keygens. Just change the code that it splits out what you want.
     
  14. Geezer70

    Geezer70 New
    Builder

    Joined:
    Sep 30, 2016
    Messages:
    48
    Likes Received:
    12
    @eychei
    I've tried getting into the Boot loader using the same method as used on the Cube 2. I'd have to Google it again
    but it was something like hold the power key down while pluging in the USB, then release the power key.
    Anyway didn't work.
    I'm going to try your find on the chipKit next.
    Are we having fun yet?
     
  15. eychei

    eychei Well-Known
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    143
    Likes Received:
    37
    Actually i am having fun with this.
    But I do have work and other stuff going and my time will be very limited soon. I know everyone has the same thing going but we need to push forward. I did ask the stratahackers group for assistance. Maybe we have to mobilise our connections and friends more.
     
  16. eychei

    eychei Well-Known
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    143
    Likes Received:
    37
    What you could try on the chip kit is the telnet port. This would be much easier:) if it works your firmware works:)
     
  17. Geezer70

    Geezer70 New
    Builder

    Joined:
    Sep 30, 2016
    Messages:
    48
    Likes Received:
    12
    "What i meant with connecting the cartridge was that when you use the original firmware it should also write to the chip without us knowing the key."
    I understand what you meant. But, from what I've read about the key exchange the Chip is master and the printer is slave,
    Printer to chip here's my key
    chip to printer here's the key for encryption
    Printer to chip here's my new key
    Chip to Printer Ok we'll talk
    Printer to chip here's my encrypted data.
    I does this for every exchange of read, write or verify
    Don't hold me to the above it's been a couple of months since I was into it. I think I'll try a port monitor using an Adruino as a logic probe.
    I'm going quiet for awhile lots of things to try. Thanks for the good info and pokes. Email me to ring my bell.....
     
  18. bolsoncerrado

    bolsoncerrado Well-Known
    Builder

    Joined:
    Nov 8, 2016
    Messages:
    229
    Likes Received:
    7
    neat stuff going on! keep it up! ;)
     
  19. Kiza

    Kiza New
    Builder

    Joined:
    Dec 1, 2016
    Messages:
    75
    Likes Received:
    3
    Oh, I see you are having fun! That's great! :) By the way, who can tell me, where are cartridge chip readers connected?, Also, what is connected to I2C bus and SPI 1 bus? Would be great for me to know.
     
  20. eychei

    eychei Well-Known
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    143
    Likes Received:
    37
    @Geezer70 can you help Kiza out. I cant help him.
     
  21. Geezer70

    Geezer70 New
    Builder

    Joined:
    Sep 30, 2016
    Messages:
    48
    Likes Received:
    12
    When you get to be my age, this IS better than sex, literally...

    I know the I2Cs are used to communicate with the cartridge chips. Just don't know without a schematic.
    The I2Cs would have to be connected to a Dallas Chip like a DS2465. The chip on the cart is a DS28E15.

    Hope this helps.

    L8R, Over and Out....
     
  22. eychei

    eychei Well-Known
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    143
    Likes Received:
    37
    Hello,

    can someone please verify which chip is on the cartridge. Is it a DS28E01-100 or is it an DS28E15.
    The original posted of this thread statet that is a DS28E01.

    Please can someone verify, maybe also take a picture of the chip.

    Thx
     
  23. Tom Dirriwachter

    Tom Dirriwachter Well-Known
    Builder

    Joined:
    Aug 30, 2016
    Messages:
    284
    Likes Received:
    32
    The original post is correct. DS28E01 is the chip on the cartridge.
     
  24. Tom Dirriwachter

    Tom Dirriwachter Well-Known
    Builder

    Joined:
    Aug 30, 2016
    Messages:
    284
    Likes Received:
    32
    Glad I started reading that tech sheet on the chip.
    There may be a hole in the system worth noting below.
    If we can get the bias voltage up high enough, it can't write.
    What do you suppose the system will do in this case?

    upload_2017-1-1_11-47-4.png
     
  25. eychei

    eychei Well-Known
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    143
    Likes Received:
    37
    Hmmm. could be something. What does the datasheet say about Vpup and Vtl?
    There was a hack on the older cartridges, if i remember correctly, they used a diode to block the chip from writing.
     
  26. eychei

    eychei Well-Known
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    143
    Likes Received:
    37
    how about putting in a zener diode like this?

    diode.JPG
     
  27. Tom Dirriwachter

    Tom Dirriwachter Well-Known
    Builder

    Joined:
    Aug 30, 2016
    Messages:
    284
    Likes Received:
    32
    I'm going at this similarly... but the Cube 3 is unique as a lot of Cube X and cube 2 hacks did not transfer.

    They are using something that pulls down the signal. If you make sure it never pulls below RPUP-V during a write command, it shouldn't be able to write.
    However, it does need to do a handshake. The second part of the equation is still to have the system forget what cartridges it saw.
     
  28. Geezer70

    Geezer70 New
    Builder

    Joined:
    Sep 30, 2016
    Messages:
    48
    Likes Received:
    12
    You're correct. My bad, Fat fingers....
    Pulled one off a Cube 3 cartridge to verify and read the print stamp on the back of the chip with a microscope.
    Absolutely a DS28E01.
     
  29. Tom Dirriwachter

    Tom Dirriwachter Well-Known
    Builder

    Joined:
    Aug 30, 2016
    Messages:
    284
    Likes Received:
    32
    Another note: we should be able to intercept these commands... Do you suppose this part of the data stream is also protected?
    If not, it is a quick 7-place lookup table for a very simple hardware attachment. Just pull the ground pin up to RPUP levels.
    Even simpler may be to reroute a command. I suspect MATCH ROM is the write command. Just replace MATCH ROM with SKIP ROM. And to make sure, also reroute the overdrive signals.

    https://datasheets.maximintegrated.com/en/ds/DS28E01-100.pdf

    upload_2017-1-1_12-33-6.png
     
  30. eychei

    eychei Well-Known
    Builder

    Joined:
    Dec 26, 2016
    Messages:
    143
    Likes Received:
    37
    But if the system doesnt get the cartridge to write, the cartridge serial can stay in the system. It will never get write the cartridge to zero.
    What you say is only true if we decrease the filament counter and can reset the chip to "full".
    I just testet an led, didnt have anything else:) Didnt work, as expected. voltage drop is to high.
     

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice