Rotimatic

From HackerDojo Wiki
Revision as of 11:30, 14 September 2024 by Beau-K6eau (talk | contribs) (→‎SPI dump: DATA!)

All your roti's are belong to teh hackz0R!

Profile / Other Projects

ThanX Vinita for dropping a rabbit hole in the lab  ;+)

Original Teardown

https://wiki.recessim.com/view/Roti_making_robot_rotimatic


SPI dump

Initial attempt with chip in circuit, 3v3 power from Tigard, WP & HOLD tied together with 10k resistor and HOLD 10k to ground.

PIC32 held in reset by connecting MCLR to ground via pins 1 & 3 on P8 (presumably populated factory programming header)

~/tigard/roti$ sudo flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 --flash-name
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Eon flash chip "EN25QH64" (8192 kB, SPI) on ft2232_spi.
vendor="Eon" name="EN25QH64"

~/tigard/roti$ sudo flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 --flash-size
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Generic flash chip "unknown SPI chip (RDID)" (0 kB, SPI) on ft2232_spi.
===
This flash part has status NOT WORKING for operations: PROBE READ ERASE WRITE
This flash part has status UNTESTED for operations: WP
0


Same setup as above, no device detected initially. Pulled Chip Select high then low thru 10k resistor and then...

~/tigard/roti$ sudo flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 -r roti-b
Found Eon flash chip "EN25QH64" (8192 kB, SPI) on ft2232_spi.
Block protection could not be disabled!
Reading flash... done.
Error: WIP bit after WRSR never cleared

Generated 8MB file, saved to disk.


Revised process, leave Chip Select floating, works first time on power cycle. Momentarily ground thru 10k resistor to reset for additional commands/queries.

Or toggle between pulled high or low with 10k resistor as needed.

~/tigard/roti$ sudo flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 --flash-size
Found Eon flash chip "EN25QH64" (8192 kB, SPI) on ft2232_spi.
8388608


Flash Memory hexdump (blank/wiped?)

The 8MB of data read contains only the bytes 0x70 0x17 0x1c, repeated over and over.

Here is a dump of the first 256 bytes; the pattern is the same until the end of the file.

~/tigard/roti$ hexdump -n 256 -C roti-b
00000000  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|
00000010  17 1c 70 17 1c 70 17 1c  70 17 1c 70 17 1c 70 17  |..p..p..p..p..p.|
00000020  1c 70 17 1c 70 17 1c 70  17 1c 70 17 1c 70 17 1c  |.p..p..p..p..p..|
00000030  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|
00000040  17 1c 70 17 1c 70 17 1c  70 17 1c 70 17 1c 70 17  |..p..p..p..p..p.|
00000050  1c 70 17 1c 70 17 1c 70  17 1c 70 17 1c 70 17 1c  |.p..p..p..p..p..|
00000060  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|
00000070  17 1c 70 17 1c 70 17 1c  70 17 1c 70 17 1c 70 17  |..p..p..p..p..p.|
00000080  1c 70 17 1c 70 17 1c 70  17 1c 70 17 1c 70 17 1c  |.p..p..p..p..p..|
00000090  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|
000000a0  17 1c 70 17 1c 70 17 1c  70 17 1c 70 17 1c 70 17  |..p..p..p..p..p.|
000000b0  1c 70 17 1c 70 17 1c 70  17 1c 70 17 1c 70 17 1c  |.p..p..p..p..p..|
000000c0  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|
000000d0  17 1c 70 17 1c 70 17 1c  70 17 1c 70 17 1c 70 17  |..p..p..p..p..p.|
000000e0  1c 70 17 1c 70 17 1c 70  17 1c 70 17 1c 70 17 1c  |.p..p..p..p..p..|
000000f0  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|


Multiple attempts with tweaks to HOLD, CS, WP net the same seemingly empty dump of a 3 byte sequence. Putting this on pause and examining firmware.


Post boot re-dump

After looking at the size of the firmware, the configuration of the PIC32 and other factors, I set up a new test to do a minimal boot. Using a chip clip and the Tigard I was able to verify the 3v3 power rail, which has a convenient LED and test points labeled 3v3. Probing a bit more, I was able to identify a 5v LED and test point, along with easily accessible pins via connection headers that are currently disconnected from their respective components. The 5v rail can be tapped from Pin 4 on PM5 and ground from Pin 4 on PM1. I used the pin from another micro-controller pulled directly from the USB connection to bring up the 5v rail and the chip clip and Tigard in the previous configuration for the 3v3. Both of these power rails are isolated and able to use a common ground.

I reconnected the LCD & Capacitive Touch flat flexes on the main board ZEM0021-0x and powered up the 3v3 & 5v and released the PIC32 MCLR from ground to disable the reset state. In this configuration there are no other connectors or power sources attached and after a few seconds you get the customer powering on beep and a blank screen. The LCD then turns on and a Trouble powering on! (0x7) message is displayed, followed moments later by a continuous beep and a power cycle loop continually trying to restart itself.

Now trying to use the previous method of reading the 8MB SPI flash, with MCLR grounded, results in no devices being detected. Disconnecting the LCD, Capacitive Touch, and 5v supply once again enumerates the SPI memory and it can be read out to a local file. This time it appears to have actual data following all zeros up to 000dffff.

$ hexdump -C -s 458752 -n 1681 roti-b_3v
00070000  40 5a 80 bf 64 10 88 bf  68 10 88 bf 34 10 88 bf  |@Z..d...h...4...|
00070010  5c 67 50 f1 7c a2 c4 64  1b 23 00 6b 50 f1 7c c2  |\gP.|..d.#.kP.|.|
00070020  00 6b 70 f1 60 da 70 f1  64 c2 70 f1 65 c2 3a 18  |.kp.`.p.d.p.e.:.|
00070030  eb 3e 08 6c 3a 18 3d 59  08 6c 3a 18 77 7c 08 6c  |.>.l:.=Y.l:.w|.l|
00070040  05 b2 00 6c 03 6d 14 6e  0e 6f 3a 18 d0 46 04 d2  |...l.m.n.o:..F..|
00070050  44 64 a0 e8 80 3a 07 9d  6f 45 11 eb 0e 5b f5 64  |Dd...:..oE...[.d|
00070060  25 67 19 60 0f 68 8c e8  14 6c 3a 18 90 d0 04 d3  |%g.`.h...l:.....|
00070070  40 6c 3a 18 90 d0 0d ec  04 93 3a 18 90 d0 83 67  |@l:.......:....g|
00070080  07 b2 09 e2 80 a2 3a 18  90 d0 ff 49 01 48 0f 6a  |......:....I.H.j|
00070090  11 e9 4c e8 f5 29 75 64  a0 e8 00 65 78 21 01 a0  |..L..)ud...ex!..|
000700a0  e5 64 00 6a 1c 67 51 f0  40 c0 51 f0 00 48 7d 67  |.d.j.gQ.@.Q..H}g|
000700b0  41 c0 20 6a 50 c3 77 6a  4b ea 51 c3 04 04 0a b2  |A. jP.wjK.Q.....|
000700c0  00 6d 05 d0 3a 18 f4 c6  06 d2 78 6a 7d 67 4b ea  |.m..:.....xj}gK.|
000700d0  01 48 04 04 01 6d 05 d0  3a 18 f4 c6 51 c3 65 64  |.H...m..:...Q.ed|
000700e0  a0 e8 00 65 4d a3 05 9d  03 6a 4e ec c3 64 15 2c  |...eM....jN..d.,|
000700f0  e1 f7 1d 4a 0b b3 40 db  0b b3 80 db 0b b3 40 db  |...J..@.......@.|
.
.
.
00074000  18 6c 05 6d 3a 18 73 85  04 6e d0 f0 5c c8 63 64  |.l.m:.s..n..\.cd|
00074010  a0 e8 00 65 c3 64 e0 f3  08 6c 0b b5 3a 18 eb 09  |...e.d...l..:...|
00074020  00 6e 3a 18 71 02 00 65  3a 18 ae c1 00 65 3a 18  |.n:.q..e:....e:.|
00074030  a6 86 00 65 3a 18 20 ce  00 65 3a 18 16 c8 00 65  |...e:. ..e:....e|
00074040  43 64 a0 e8 15 00 07 9d  c3 64 0a b4 3a 18 68 cd  |Cd.......d..:.h.|
00074050  00 65 3a 18 52 d8 00 65  02 6c 07 b5 3a 18 eb 09  |.e:.R..e.l..:...|
00074060  01 6e 64 6c 05 b5 3a 18  eb 09 01 6e 43 64 a0 e8  |.ndl..:....nCd..|
00074070  9d 5b 07 9d 59 42 07 9d  01 19 06 9d 5c 67 30 f7  |.[..YB......\g0.|
00074080  70 9a 98 6a 58 eb 0a b3  12 ea e3 64 49 e3 40 f0  |p..jX......dI.@.|
00074090  44 aa 09 2a 3a 18 44 d0  00 00 00 00 00 00 00 00  |D..*:.D.........|
000740a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

The zeros continue until another section starts at 000a0000 and there is a block of strings starting around 000a0f20.

$ hexdump -C -s 0x000a0f20 -n 1024 roti-b_3v
000a0f20  00 10 00 00 24 d5 01 9d  55 6e 64 65 66 69 6e 65  |....$...Undefine|
000a0f30  64 20 61 63 74 69 6f 6e  20 69 6e 20 74 68 69 73  |d action in this|
000a0f40  20 73 74 61 74 65 20 25  64 00 00 65 59 65 73 00  | state %d..eYes.|
000a0f50  4e 6f 00 00 7b 22 6f 70  63 6f 64 65 22 3a 22 62  |No..{"opcode":"b|
000a0f60  61 74 63 68 43 6f 6d 70  6c 65 74 65 64 22 2c 22  |atchCompleted","|
000a0f70  70 61 79 6c 6f 61 64 22  3a 5b 22 25 64 22 2c 22  |payload":["%d","|
000a0f80  25 64 22 2c 22 25 64 22  2c 22 25 64 22 2c 22 25  |%d","%d","%d","%|
000a0f90  64 22 2c 22 25 64 22 2c  22 25 64 22 2c 22 25 64  |d","%d","%d","%d|
000a0fa0  22 2c 22 25 64 22 2c 22  25 2e 31 66 22 2c 22 25  |","%d","%.1f","%|
000a0fb0  2e 31 66 22 2c 22 25 64  22 2c 22 25 64 22 2c 22  |.1f","%d","%d","|
000a0fc0  25 64 22 2c 22 25 64 22  2c 22 25 64 22 2c 22 25  |%d","%d","%d","%|
000a0fd0  64 22 2c 22 25 64 22 2c  22 25 64 22 2c 22 25 64  |d","%d","%d","%d|
000a0fe0  22 2c 22 25 64 22 2c 22  25 64 22 2c 22 25 64 22  |","%d","%d","%d"|
000a0ff0  2c 22 25 64 22 2c 22 25  64 22 2c 22 25 64 22 2c  |,"%d","%d","%d",|
000a1000  22 25 64 22 2c 22 25 64  22 2c 22 25 64 22 2c 22  |"%d","%d","%d","|
000a1010  25 64 22 2c 22 25 64 22  2c 22 25 64 22 2c 22 25  |%d","%d","%d","%|
000a1020  64 22 2c 22 25 64 22 2c  22 25 64 22 2c 22 25 64  |d","%d","%d","%d|
000a1030  22 2c 22 25 64 22 2c 22  25 64 22 2c 22 25 64 22  |","%d","%d","%d"|
000a1040  2c 22 25 64 22 2c 22 25  64 22 2c 22 25 64 22 2c  |,"%d","%d","%d",|
000a1050  22 25 64 22 2c 22 25 64  22 2c 22 25 64 22 2c 22  |"%d","%d","%d","|
000a1060  25 64 22 2c 22 25 64 22  2c 22 25 64 22 2c 22 25  |%d","%d","%d","%|
000a1070  2e 31 66 22 2c 22 25 2e  31 66 22 2c 22 25 2e 31  |.1f","%.1f","%.1|
000a1080  66 22 2c 22 25 2e 31 66  22 2c 22 25 2e 31 66 22  |f","%.1f","%.1f"|
000a1090  5d 7d 00 00 50 6f 77 65  72 20 73 65 74 74 69 6e  |]}..Power settin|
000a10a0  67 73 0a 69 73 20 6e 6f  74 20 73 75 70 70 6f 72  |gs.is not suppor|
000a10b0  74 65 64 2e 0a 49 20 61  6d 20 69 6e 20 50 72 6f  |ted..I am in Pro|
000a10c0  64 75 63 74 69 6f 6e 20  4d 6f 64 65 2e 00 00 65  |duction Mode...e|
000a10d0  50 6f 77 65 72 20 73 65  74 74 69 6e 67 73 20 69  |Power settings i|
000a10e0  73 20 6e 6f 74 20 73 75  70 70 6f 72 74 65 64 20  |s not supported |
000a10f0  28 50 52 4f 44 29 00 00  49 20 61 6d 20 61 6c 72  |(PROD)..I am alr|
000a1100  65 61 64 79 20 6f 70 65  72 61 74 69 6e 67 20 69  |eady operating i|
000a1110  6e 0a 74 68 65 20 6f 70  74 69 6d 61 6c 20 70 6f  |n.the optimal po|
000a1120  77 65 72 20 6d 6f 64 65  2e 00 00 65 50 6f 77 65  |wer mode...ePowe|
000a1130  72 20 73 65 74 74 69 6e  67 73 20 69 73 20 6e 6f  |r settings is no|
000a1140  74 20 73 75 70 70 6f 72  74 65 64 00 49 74 6f 72  |t supported.Itor|
000a1150  53 65 72 76 20 6e 6f 74  20 69 6e 20 63 6f 72 72  |Serv not in corr|
000a1160  65 63 74 20 73 74 61 74  65 20 28 25 75 29 00 00  |ect state (%u)..|
000a1170  49 27 6d 20 61 6c 72 65  61 64 79 20 63 6f 6e 6e  |I'm already conn|
000a1180  65 63 74 65 64 0a 74 6f  20 22 25 73 22 2e 0a 44  |ected.to "%s"..D|
000a1190  6f 20 79 6f 75 20 77 61  6e 74 20 6d 65 20 74 6f  |o you want me to|
000a11a0  0a 73 77 69 74 63 68 20  74 6f 20 61 6e 6f 74 68  |.switch to anoth|
000a11b0  65 72 20 6e 65 74 77 6f  72 6b 3f 00 2a 00 00 65  |er network?.*..e|
000a11c0  25 73 2c 20 25 73 00 00  25 73 20 73 65 6c 65 63  |%s, %s..%s selec|
000a11d0  74 65 64 00 0a 53 74 6f  70 70 69 6e 67 20 6f 6e  |ted..Stopping on|
000a11e0  67 6f 69 6e 67 20 70 72  6f 63 65 73 73 2e 2e 2e  |going process...|
000a11f0  00 00 00 65 47 69 6d 6d  65 20 61 20 73 65 63 21  |...eGimme a sec!|
000a1200  00 00 00 65 49 20 61 6d  20 73 74 69 6c 6c 20 73  |...eI am still s|
000a1210  74 6f 70 70 69 6e 67 20  63 6f 6f 6b 69 6e 67 21  |topping cooking!|
000a1220  00 00 00 65 4e 6f 20 76  61 6c 69 64 20 72 65 63  |...eNo valid rec|
000a1230  69 70 65 73 20 66 6f 75  6e 64 20 69 6e 20 52 6f  |ipes found in Ro|
000a1240  74 69 6d 61 74 69 63 00  25 64 29 20 30 78 25 30  |timatic.%d) 0x%0|
000a1250  32 78 20 25 73 00 00 65  46 6c 6f 75 72 20 64 61  |2x %s..eFlour da|
000a1260  74 61 20 69 73 20 69 6e  76 61 6c 69 64 20 66 6f  |ta is invalid fo|
000a1270  72 20 52 65 63 69 70 65  20 25 64 20 69 6e 20 52  |r Recipe %d in R|
000a1280  6f 74 69 6d 61 74 69 63  00 00 00 65 44 6f 20 79  |otimatic...eDo y|
000a1290  6f 75 20 77 61 6e 74 20  74 6f 0a 70 6f 77 65 72  |ou want to.power|
000a12a0  20 6f 66 66 20 6d 61 63  68 69 6e 65 3f 00 00 65  | off machine?..e|
000a12b0  44 6f 20 79 6f 75 20 77  61 6e 74 20 74 6f 20 70  |Do you want to p|
000a12c0  6f 77 65 72 20 6f 66 66  20 6d 61 63 68 69 6e 65  |ower off machine|
000a12d0  3f 00 00 65 50 69 7a 7a  61 20 62 61 73 65 20 69  |?..ePizza base i|
000a12e0  73 20 6f 6e 20 74 68 65  20 68 6f 74 20 70 61 6e  |s on the hot pan|
000a12f0  73 2c 20 70 6c 65 61 73  65 0a 70 69 63 6b 20 69  |s, please.pick i|
000a1300  74 20 75 70 20 69 6d 6d  65 64 69 61 74 65 6c 79  |t up immediately|
000a1310  20 74 6f 20 61 76 6f 69  64 0a 6f 76 65 72 63 6f  | to avoid.overco|
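
The two checks done by eye in the dumps above, written as an added example that is not part of the original page: whether a read is only one short unit repeated end to end (as with the 70 17 1c read), and where non-zero data sits in a mostly empty image (as with the post-boot read). The sample buffers are constructed and scaled down to 1 MiB; only the 3-byte pattern, the first bytes at 0x70000 and the string at 0xa0f28 are taken from the output shown, and the function names are hypothetical.

```python
"""Triage a raw SPI flash read before analysing it (added example)."""

def smallest_period(data: bytes, max_period: int = 64):
    """Shortest p <= max_period for which data is one p-byte unit repeated
    end to end (p == 1 means a single fill byte); None if there is none."""
    n = len(data)
    for p in range(1, min(max_period, n // 2) + 1):
        unit = data[:p]
        if unit * (n // p) + unit[: n % p] == data:
            return p
    return None

def data_extents(data: bytes, fill: int = 0x00, block: int = 0x1000):
    """(start, end) offsets, end exclusive, of runs of blocks that hold
    anything other than the fill byte; block is the reporting granularity."""
    fill_byte = bytes([fill])
    extents = []
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        if not chunk.strip(fill_byte):
            continue                               # block is entirely fill
        end = off + len(chunk)
        if extents and extents[-1][1] == off:
            extents[-1] = (extents[-1][0], end)    # extend the previous run
        else:
            extents.append((off, end))
    return extents

def build_dump_samples():
    """Constructed stand-ins for the two reads, scaled down to 1 MiB."""
    first = (bytes.fromhex("70171c") * 0x60000)[:0x100000]
    second = bytearray(0x100000)
    second[0x70000:0x70004] = bytes.fromhex("405a80bf")  # bytes shown at 00070000
    second[0xa0f28:0xa0f31] = b"Undefined"               # string shown at 000a0f28
    return first, bytes(second)

if __name__ == "__main__":
    first, second = build_dump_samples()
    print("first read period :", smallest_period(first))
    print("second read period:", smallest_period(second))
    for start, end in data_extents(second):
        print(f"data at {start:#010x}-{end - 1:#010x}")
```

To run it on the real files, pass `open("roti-b", "rb").read()` or `open("roti-b_3v", "rb").read()` to the two functions; a period of 1 indicates a uniformly filled read.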

Firmware

Will explore extracting onboard firmware from PIC32MX470F512L via P8 connection on main ZEM0021-0x board once PIC programmer is in hand.

In the meantime a "current" copy of the firmware image, meant for updating via a USB thumb stick, has been obtained for exploration.

1_20_19.zip

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract,
                                compressed size: 286277,
                                uncompressed size: 520192,
                                name: update.img
286373        0x45EA5         End of Zip archive, footer length: 22


The image file appears to contain signed firmware for the device:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
105156        0x19AC4         PEM certificate
105332        0x19B74         PEM certificate request
105400        0x19BB8         PEM RSA private key
105464        0x19BF8         PEM EC private key
105660        0x19CBC         PEM DSA private key
149248        0x24700         DES SP1, little endian
149504        0x24800         DES SP2, little endian
219508        0x35974         CRC32 polynomial table, little endian
356960        0x57260         SHA256 hash constants, little endian
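
The five PEM hits in the scan above lie within about 500 bytes of each other (0x19AC4 to 0x19CBC), closer together than five certificate or key bodies would normally fit, so they may be header strings from a PEM parser rather than embedded key material. The following added example (not from the original page or the vendor) classifies each BEGIN marker by whether a base64 DER body actually follows it. The sample image is constructed and the function names are hypothetical.

```python
"""Check whether PEM signature hits are key material or only marker strings."""
import base64
import re

BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def classify_pem_hits(image: bytes, max_span: int = 16384):
    """Return (offset, label, verdict) for every PEM BEGIN marker in image.
    Unencrypted PEM only: blocks with RFC 1421 header lines are not decoded."""
    hits = []
    for m in BEGIN.finditer(image):
        label = m.group(1)
        end = image.find(b"-----END " + label + b"-----",
                         m.end(), m.end() + max_span)
        verdict = "marker only"
        if end != -1:
            body = b"".join(image[m.end():end].split())   # drop line breaks
            try:
                der = base64.b64decode(body, validate=True)
                # DER certificates and keys start with an ASN.1 SEQUENCE (0x30)
                if len(der) > 16 and der[0] == 0x30:
                    verdict = "decodable body"
            except ValueError:             # binascii.Error: not base64
                pass
        hits.append((m.start(), label.decode(), verdict))
    return hits

def build_pem_sample() -> bytes:
    """Constructed image: NUL-separated marker strings as a parser's string
    table would hold them, then one block with a dummy DER SEQUENCE body."""
    table = b"\x00".join([
        b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----",
        b"-----BEGIN RSA PRIVATE KEY-----", b"-----END RSA PRIVATE KEY-----",
    ]) + b"\x00"
    der = b"\x30\x1e" + bytes(30)          # not a real certificate
    block = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
             + b"-----END CERTIFICATE-----\n")
    return b"\xff" * 32 + table + b"\xff" * 32 + block

if __name__ == "__main__":
    for offset, label, verdict in classify_pem_hits(build_pem_sample()):
        print(f"{offset:#08x}  {label:<16} {verdict}")
```

For the real image, call `classify_pem_hits(open("update.img", "rb").read())` on the file extracted from 1_20_19.zip and compare the offsets with the scan output.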


Repair Budgeting

...and now for Round II

  • $60 busted up broken up rotimatic
  • $62 Kneading/Stirrer Cup†
  • $60 Flour Container†
  • $39 Water Container†
  • $35 Oil Container†
  • $45 Front Door†
  • $37 Dough Tray†
  • $52 Kicker Pad†
    • $390 Sub Total Machine & Parts
  • $7.99 Disinfecting Wipes
  • $3.49 Isopropyl Alcohol
  • $3.99 Pack of Sharpies
  • $13.99 Lube
  • $20 gas to here and there
    • $439.46 Estimated Total ($1,599/$1,399 new/re-manufactured)†

† Parts priced from rotimatic.com