Rotimatic: Difference between revisions
Beau-K6eau (talk | contribs) m (→SPI dump) |
Beau-K6eau (talk | contribs) (binwalk'n) |
||
Line 83: | Line 83: | ||
000000f0 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 |p..p..p..p..p..p| | 000000f0 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 |p..p..p..p..p..p| | ||
</pre> | </pre> | ||
Multiple attempts with tweaks to HOLD, CS, WP net the same seemingly empty dump of a 3 byte sequence. Putting this on pause and examining firmware. | |||
== Firmware == | |||
Will explore extracting onboard firmware from PIC32MX470F512L via P8 connection on main ZEM0021-0x board once PIC programmer is in hand. | |||
In the meantime a "current" copy of the firmware image for use by updating via a USB thumb stick has been attained for exploration. | |||
=== 1_20_19.zip === | |||
<pre> | |||
DECIMAL HEXADECIMAL DESCRIPTION | |||
-------------------------------------------------------------------------------- | |||
0 0x0 Zip archive data, at least v2.0 to extract, | |||
compressed size: 286277, | |||
uncompressed size: 520192, | |||
name: update.img | |||
286373 0x45EA5 End of Zip archive, footer length: 22 | |||
</pre> | |||
Image file appears to contain a signed firmware for the device | |||
<pre> | |||
DECIMAL HEXADECIMAL DESCRIPTION | |||
-------------------------------------------------------------------------------- | |||
105156 0x19AC4 PEM certificate | |||
105332 0x19B74 PEM certificate request | |||
105400 0x19BB8 PEM RSA private key | |||
105464 0x19BF8 PEM EC private key | |||
105660 0x19CBC PEM DSA private key | |||
149248 0x24700 DES SP1, little endian | |||
149504 0x24800 DES SP2, little endian | |||
219508 0x35974 CRC32 polynomial table, little endian | |||
356960 0x57260 SHA256 hash constants, little endian | |||
</pre> | |||
== Repair Budgeting == | == Repair Budgeting == |
Revision as of 19:35, 13 September 2024
All your roti's are belong to teh hackz0R!
ThanX Vinita for dropping a rabbit hole in the lab ;+)
Original Teardown
https://wiki.recessim.com/view/Roti_making_robot_rotimatic
SPI dump
Initial attempt with chip in circuit, 3v3 power from Tigard, WP & HOLD tied together with 10k resistor and HOLD 10k to ground.
PIC32 held in reset by connecting MCLR to ground via pins 1 & 3 on P8 (presumably populated factory programming header)
~/tigard/roti$ sudo flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 --flash-name flashrom is free software, get the source code at https://flashrom.org Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns). Found Eon flash chip "EN25QH64" (8192 kB, SPI) on ft2232_spi. vendor="Eon" name="EN25QH64" ~/tigard/roti$ sudo flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 --flash-size Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns). Found Generic flash chip "unknown SPI chip (RDID)" (0 kB, SPI) on ft2232_spi. === This flash part has status NOT WORKING for operations: PROBE READ ERASE WRITE This flash part has status UNTESTED for operations: WP 0
Same setup as above, no device detected initially. Pulled Chip Select high then low thru 10k resistor and then...
~/tigard/roti$ sudo flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 -r roti-b Found Eon flash chip "EN25QH64" (8192 kB, SPI) on ft2232_spi. Block protection could not be disabled! Reading flash... done. Error: WIP bit after WRSR never cleared
Generated 8MB file, saved to disk.
Revised process, leave Chip Select floating, works first time on power cycle. Momentarily ground thru 10k resistor to reset for additional commands/queries.
Or toggle between pulled high or low with 10k resistor as needed.
~/tigard/roti$ sudo flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 --flash-size Found Eon flash chip "EN25QH64" (8192 kB, SPI) on ft2232_spi. 8388608
Flash Memory hexdump
The 8MB of data read only contains 0x70 0x17 0x1c over and over and over.
Here is a dump of the first 256 bytes, is the same until the end of the file.
~/tigard/roti$ hexdump -n 256 -C roti-b 00000000 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 |p..p..p..p..p..p| 00000010 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 |..p..p..p..p..p.| 00000020 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c |.p..p..p..p..p..| 00000030 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 |p..p..p..p..p..p| 00000040 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 |..p..p..p..p..p.| 00000050 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c |.p..p..p..p..p..| 00000060 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 |p..p..p..p..p..p| 00000070 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 |..p..p..p..p..p.| 00000080 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c |.p..p..p..p..p..| 00000090 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 |p..p..p..p..p..p| 000000a0 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 |..p..p..p..p..p.| 000000b0 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c |.p..p..p..p..p..| 000000c0 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 |p..p..p..p..p..p| 000000d0 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 |..p..p..p..p..p.| 000000e0 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c |.p..p..p..p..p..| 000000f0 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 17 1c 70 |p..p..p..p..p..p|
Multiple attempts with tweaks to HOLD, CS, WP net the same seemingly empty dump of a 3 byte sequence. Putting this on pause and examining firmware.
Firmware
Will explore extracting onboard firmware from PIC32MX470F512L via P8 connection on main ZEM0021-0x board once PIC programmer is in hand.
In the meantime a "current" copy of the firmware image for use by updating via a USB thumb stick has been attained for exploration.
1_20_19.zip
DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 Zip archive data, at least v2.0 to extract, compressed size: 286277, uncompressed size: 520192, name: update.img 286373 0x45EA5 End of Zip archive, footer length: 22
Image file appears to contain a signed firmware for the device
DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 105156 0x19AC4 PEM certificate 105332 0x19B74 PEM certificate request 105400 0x19BB8 PEM RSA private key 105464 0x19BF8 PEM EC private key 105660 0x19CBC PEM DSA private key 149248 0x24700 DES SP1, little endian 149504 0x24800 DES SP2, little endian 219508 0x35974 CRC32 polynomial table, little endian 356960 0x57260 SHA256 hash constants, little endian
Repair Budgeting
...and now for Round II
- $60 busted up broken up rotimatic
- $62 Kneading/Stirrer Cup†
- $60 Flour Container†
- $39 Water Container†
- $35 Oil Container†
- $45 Front Door†
- $37 Dough Tray†
- $52 Kicker Pad†
- $390 Sub Total Machine & Parts
- $7.99 Disinfecting Wipes
- $3.49 Isopropyl Alcohol
- $3.99 Pack of Sharpies
- $13.99 Lube
- $20 gas to here and there
- $439.46 Estimated Total ($1,599/$1,399 new/re-manufactured)†
† Parts priced from rotimatic.com