Rotimatic: Difference between revisions

From HackerDojo Wiki
(binwalk'n)
Revision as of 19:35, 13 September 2024

All your roti's are belong to teh hackz0R!

Profile / Other Projects

ThanX Vinita for dropping a rabbit hole in the lab  ;+)

Original Teardown

https://wiki.recessim.com/view/Roti_making_robot_rotimatic


SPI dump

Initial attempt with chip in circuit, 3v3 power from Tigard, WP & HOLD tied together with 10k resistor and HOLD 10k to ground.

PIC32 held in reset by connecting MCLR to ground via pins 1 & 3 on P8 (presumably populated factory programming header)

~/tigard/roti$ sudo flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 --flash-name
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Eon flash chip "EN25QH64" (8192 kB, SPI) on ft2232_spi.
vendor="Eon" name="EN25QH64"

~/tigard/roti$ sudo flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 --flash-size
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Generic flash chip "unknown SPI chip (RDID)" (0 kB, SPI) on ft2232_spi.
===
This flash part has status NOT WORKING for operations: PROBE READ ERASE WRITE
This flash part has status UNTESTED for operations: WP
0


Same setup as above, no device detected initially. Pulled Chip Select high then low thru 10k resistor and then...

~/tigard/roti$ sudo flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 -r roti-b
Found Eon flash chip "EN25QH64" (8192 kB, SPI) on ft2232_spi.
Block protection could not be disabled!
Reading flash... done.
Error: WIP bit after WRSR never cleared

Generated 8MB file, saved to disk.


Revised process: leave Chip Select floating; this works first time on power cycle. Momentarily ground it thru a 10k resistor to reset for additional commands/queries.

Or toggle between pulled high and pulled low with a 10k resistor as needed.

~/tigard/roti$ sudo flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 --flash-size
Found Eon flash chip "EN25QH64" (8192 kB, SPI) on ft2232_spi.
8388608


Flash Memory hexdump

The 8MB of data read contains only 0x70 0x17 0x1c over and over and over.

Here is a dump of the first 256 bytes; the pattern is the same until the end of the file.

~/tigard/roti$ hexdump -n 256 -C roti-b
00000000  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|
00000010  17 1c 70 17 1c 70 17 1c  70 17 1c 70 17 1c 70 17  |..p..p..p..p..p.|
00000020  1c 70 17 1c 70 17 1c 70  17 1c 70 17 1c 70 17 1c  |.p..p..p..p..p..|
00000030  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|
00000040  17 1c 70 17 1c 70 17 1c  70 17 1c 70 17 1c 70 17  |..p..p..p..p..p.|
00000050  1c 70 17 1c 70 17 1c 70  17 1c 70 17 1c 70 17 1c  |.p..p..p..p..p..|
00000060  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|
00000070  17 1c 70 17 1c 70 17 1c  70 17 1c 70 17 1c 70 17  |..p..p..p..p..p.|
00000080  1c 70 17 1c 70 17 1c 70  17 1c 70 17 1c 70 17 1c  |.p..p..p..p..p..|
00000090  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|
000000a0  17 1c 70 17 1c 70 17 1c  70 17 1c 70 17 1c 70 17  |..p..p..p..p..p.|
000000b0  1c 70 17 1c 70 17 1c 70  17 1c 70 17 1c 70 17 1c  |.p..p..p..p..p..|
000000c0  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|
000000d0  17 1c 70 17 1c 70 17 1c  70 17 1c 70 17 1c 70 17  |..p..p..p..p..p.|
000000e0  1c 70 17 1c 70 17 1c 70  17 1c 70 17 1c 70 17 1c  |.p..p..p..p..p..|
000000f0  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|


Multiple attempts with tweaks to HOLD, CS and WP net the same seemingly empty dump of a repeating 3-byte sequence. Putting this on pause and examining the firmware.
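To check a whole dump for this kind of repetition rather than eyeballing the first 256 bytes, the following added example (not part of the original page) finds the shortest repeating unit and the first offset, if any, where the file deviates from it. The function names and the constructed sample file are assumptions made for illustration.

```python
import os
import tempfile

def minimal_period(data: bytes) -> int:
    """Smallest p with data[i] == data[i - p] for all i >= p (KMP prefix function)."""
    if not data:
        return 0
    fail, k = [0] * len(data), 0
    for i in range(1, len(data)):
        while k and data[i] != data[k]:
            k = fail[k - 1]
        if data[i] == data[k]:
            k += 1
        fail[i] = k
    return len(data) - fail[-1]

def classify_dump(path: str, sample: int = 4096, chunk: int = 1 << 20) -> dict:
    """Check whether the whole file is one short unit repeated; report the first deviation."""
    result = {"size": os.path.getsize(path), "unit": b"", "repeating": False, "first_break": None}
    with open(path, "rb") as f:
        head = f.read(sample)
        period = minimal_period(head)
        # A period above half the sample means the sample never actually repeats.
        if period == 0 or period * 2 > len(head):
            return result
        result["unit"] = unit = head[:period]
        f.seek(0)
        offset = 0
        while block := f.read(chunk):
            phase = offset % period  # where in the unit this chunk starts
            expected = (unit * (len(block) // period + 2))[phase:phase + len(block)]
            if block != expected:
                bad = next(i for i, (a, b) in enumerate(zip(block, expected)) if a != b)
                result["first_break"] = offset + bad
                return result
            offset += len(block)
    result["repeating"] = True
    return result

def write_constructed_dump(size: int, patch_at: int = -1) -> str:
    """Constructed sample: the 70 17 1c pattern from the page, optionally with one byte changed."""
    data = bytearray((bytes.fromhex("70171c") * (size // 3 + 1))[:size])
    if patch_at >= 0:
        data[patch_at] ^= 0xFF
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    print(classify_dump(write_constructed_dump(1 << 16)))
```

A `first_break` value other than `None` points at the first offset worth inspecting by hand; a fully erased chip would show up the same way with a one-byte unit of `ff`.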


Firmware

Will explore extracting onboard firmware from PIC32MX470F512L via P8 connection on main ZEM0021-0x board once PIC programmer is in hand.

In the meantime, a "current" copy of the firmware image, as used for updating via a USB thumb stick, has been obtained for exploration.

1_20_19.zip

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract,
                                compressed size: 286277,
                                uncompressed size: 520192,
                                name: update.img
286373        0x45EA5         End of Zip archive, footer length: 22


The image file appears to contain a signed firmware for the device:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
105156        0x19AC4         PEM certificate
105332        0x19B74         PEM certificate request
105400        0x19BB8         PEM RSA private key
105464        0x19BF8         PEM EC private key
105660        0x19CBC         PEM DSA private key
149248        0x24700         DES SP1, little endian
149504        0x24800         DES SP2, little endian
219508        0x35974         CRC32 polynomial table, little endian
356960        0x57260         SHA256 hash constants, little endian
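binwalk reports a PEM entry wherever the `-----BEGIN ...` marker text occurs, so each hit above needs a follow-up check to tell a complete embedded object from a bare marker string. The triage below is an added example, not part of the original page; the function names, verdict strings, 16-byte threshold and constructed sample image are assumptions.

```python
import base64
import re

BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+?)-----")

def triage_pem_hits(image: bytes, max_span: int = 16384) -> list:
    """For each PEM BEGIN marker, report whether a matching END and a DER body follow."""
    results = []
    for m in BEGIN.finditer(image):
        label = m.group(1)
        end = image.find(b"-----END " + label + b"-----", m.end(), m.end() + max_span)
        if end == -1:
            verdict = "marker string only"
        else:
            body = b"".join(image[m.end():end].split())  # drop line breaks
            try:
                der = base64.b64decode(body, validate=True)
                # DER keys, requests and certificates all start with an ASN.1 SEQUENCE (0x30).
                # The 16-byte minimum is a heuristic chosen for this example.
                ok = len(der) >= 16 and der[0] == 0x30
                verdict = "complete PEM object" if ok else "END found, body not DER"
            except ValueError:
                # Also reached for encrypted PEM with header lines; review those by hand.
                verdict = "END found, body not base64"
        results.append((m.start(), label.decode(), verdict))
    return results

def constructed_image() -> bytes:
    """Constructed sample: two bare marker strings and one placeholder DER blob (not a real key)."""
    der = bytes([0x30, 0x0E]) + bytes(14)
    img = b"\x00" * 32
    img += b"-----BEGIN RSA PRIVATE KEY-----\x00-----END RSA PRIVATE KEY-----\x00"
    img += b"-----BEGIN EC PRIVATE KEY-----\x00" + b"\xff" * 64
    img += b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
    img += b"-----END CERTIFICATE-----\n"
    return img

if __name__ == "__main__":
    for offset, label, verdict in triage_pem_hits(constructed_image()):
        print(f"0x{offset:X}  {label:<18} {verdict}")
```

To run it against the real image, pass `open("update.img", "rb").read()` to `triage_pem_hits` and compare the offsets with the binwalk table.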


Repair Budgeting

...and now for Round II

  • $60 busted up broken up rotimatic
  • $62 Kneading/Stirrer Cup†
  • $60 Flour Container†
  • $39 Water Container†
  • $35 Oil Container†
  • $45 Front Door†
  • $37 Dough Tray†
  • $52 Kicker Pad†
    • $390 Sub Total Machine & Parts
  • $7.99 Disinfecting Wipes
  • $3.49 Isopropyl Alcohol
  • $3.99 Pack of Sharpies
  • $13.99 Lube
  • $20 gas to here and there
    • $439.46 Estimated Total ($1,599/$1,399 new/re-manufactured)†

† Parts priced from rotimatic.com