Rotimatic

From HackerDojo Wiki
Revision as of 11:42, 14 September 2024 by Beau-K6eau (talk | contribs) (missing '/')

All your roti's are belong to teh hackz0R!

Profile / Other Projects

ThanX Vinita for dropping a rabbit hole in the lab  ;+)

Original Teardown

https://wiki.recessim.com/view/Roti_making_robot_rotimatic


SPI dump

Initial attempt with chip in circuit, 3v3 power from Tigard, WP & HOLD tied together with 10k resistor and HOLD 10k to ground.

PIC32 held in reset by connecting MCLR to ground via pins 1 & 3 on P8 (presumably populated factory programming header)

~/tigard/roti$ sudo flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 --flash-name
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Eon flash chip "EN25QH64" (8192 kB, SPI) on ft2232_spi.
vendor="Eon" name="EN25QH64"

~/tigard/roti$ sudo flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 --flash-size
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Generic flash chip "unknown SPI chip (RDID)" (0 kB, SPI) on ft2232_spi.
===
This flash part has status NOT WORKING for operations: PROBE READ ERASE WRITE
This flash part has status UNTESTED for operations: WP
0


Same setup as above, no device detected initially. Pulled Chip Select high then low thru 10k resistor and then...

~/tigard/roti$ sudo flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 -r roti-b
Found Eon flash chip "EN25QH64" (8192 kB, SPI) on ft2232_spi.
Block protection could not be disabled!
Reading flash... done.
Error: WIP bit after WRSR never cleared

Generated 8MB file, saved to disk.


Revised process, leave Chip Select floating, works first time on power cycle. Momentarily ground thru 10k resistor to reset for additional commands/queries.

Or toggle between pulled high or low with 10k resistor as needed.

~/tigard/roti$ sudo flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 --flash-size
Found Eon flash chip "EN25QH64" (8192 kB, SPI) on ft2232_spi.
8388608


Flash Memory hexdump (blank/wiped?)

The 8MB of data read only contains 0x70 0x17 0x1c over and over and over.

Here is a dump of the first 256 bytes; it is the same until the end of the file.

~/tigard/roti$ hexdump -n 256 -C roti-b
00000000  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|
00000010  17 1c 70 17 1c 70 17 1c  70 17 1c 70 17 1c 70 17  |..p..p..p..p..p.|
00000020  1c 70 17 1c 70 17 1c 70  17 1c 70 17 1c 70 17 1c  |.p..p..p..p..p..|
00000030  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|
00000040  17 1c 70 17 1c 70 17 1c  70 17 1c 70 17 1c 70 17  |..p..p..p..p..p.|
00000050  1c 70 17 1c 70 17 1c 70  17 1c 70 17 1c 70 17 1c  |.p..p..p..p..p..|
00000060  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|
00000070  17 1c 70 17 1c 70 17 1c  70 17 1c 70 17 1c 70 17  |..p..p..p..p..p.|
00000080  1c 70 17 1c 70 17 1c 70  17 1c 70 17 1c 70 17 1c  |.p..p..p..p..p..|
00000090  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|
000000a0  17 1c 70 17 1c 70 17 1c  70 17 1c 70 17 1c 70 17  |..p..p..p..p..p.|
000000b0  1c 70 17 1c 70 17 1c 70  17 1c 70 17 1c 70 17 1c  |.p..p..p..p..p..|
000000c0  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|
000000d0  17 1c 70 17 1c 70 17 1c  70 17 1c 70 17 1c 70 17  |..p..p..p..p..p.|
000000e0  1c 70 17 1c 70 17 1c 70  17 1c 70 17 1c 70 17 1c  |.p..p..p..p..p..|
000000f0  70 17 1c 70 17 1c 70 17  1c 70 17 1c 70 17 1c 70  |p..p..p..p..p..p|


Multiple attempts with tweaks to HOLD, CS, WP net the same seemingly empty dump of a 3 byte sequence. Putting this on pause and examining firmware.


Post boot re-dump

After looking at the size of the firmware, the configuration of the PIC32 and other factors, set up a new test to do a minimal boot. Using a chip clip and the Tigard I was able to verify 3v3 power rail, convenient LED and test points labeled 3v3. Probing a bit more was able to identify 5v LED and test point along with easily accessible pins via connection headers that are currently disconnected from their respective components. The 5v rail can be tapped from Pin 4 on PM5 and ground Pin 4 on PM1. I used the pin from another micro-controller pulled directly from the USB connection to bring up the 5v rail and the chip clip and Tigard in the previous configuration for the 3v3. Both of these power rails are isolated and able to use a common ground.

I reconnected the LCD & Capacitive Touch flat flexes on the main board ZEM0021-0x and powered up the 3v3 & 5v and released the PIC32 MCLR from ground to disable the reset state. In this configuration there are no other connectors or power sources attached and after a few seconds you get the customer powering on beep and a blank screen. The LCD then turns on and a Trouble powering on! (0x7) message is displayed, followed moments later by a continuous beep and a power cycle loop continually trying to restart itself.

Now trying to use the previous method of reading the 8MB SPI flash, with MCLR grounded, results in no devices being detected. Disconnecting the LCD, Capacitive Touch, and 5v supply once again enumerates the SPI memory and it can be read out to a local file. This time it appears to have actual data following all zeros up to 000dffff.

$ hexdump -C -s 458752 -n 1681 roti-b_3v
00070000  40 5a 80 bf 64 10 88 bf  68 10 88 bf 34 10 88 bf  |@Z..d...h...4...|
00070010  5c 67 50 f1 7c a2 c4 64  1b 23 00 6b 50 f1 7c c2  |\gP.|..d.#.kP.|.|
00070020  00 6b 70 f1 60 da 70 f1  64 c2 70 f1 65 c2 3a 18  |.kp.`.p.d.p.e.:.|
00070030  eb 3e 08 6c 3a 18 3d 59  08 6c 3a 18 77 7c 08 6c  |.>.l:.=Y.l:.w|.l|
00070040  05 b2 00 6c 03 6d 14 6e  0e 6f 3a 18 d0 46 04 d2  |...l.m.n.o:..F..|
00070050  44 64 a0 e8 80 3a 07 9d  6f 45 11 eb 0e 5b f5 64  |Dd...:..oE...[.d|
00070060  25 67 19 60 0f 68 8c e8  14 6c 3a 18 90 d0 04 d3  |%g.`.h...l:.....|
00070070  40 6c 3a 18 90 d0 0d ec  04 93 3a 18 90 d0 83 67  |@l:.......:....g|
00070080  07 b2 09 e2 80 a2 3a 18  90 d0 ff 49 01 48 0f 6a  |......:....I.H.j|
00070090  11 e9 4c e8 f5 29 75 64  a0 e8 00 65 78 21 01 a0  |..L..)ud...ex!..|
000700a0  e5 64 00 6a 1c 67 51 f0  40 c0 51 f0 00 48 7d 67  |.d.j.gQ.@.Q..H}g|
000700b0  41 c0 20 6a 50 c3 77 6a  4b ea 51 c3 04 04 0a b2  |A. jP.wjK.Q.....|
000700c0  00 6d 05 d0 3a 18 f4 c6  06 d2 78 6a 7d 67 4b ea  |.m..:.....xj}gK.|
000700d0  01 48 04 04 01 6d 05 d0  3a 18 f4 c6 51 c3 65 64  |.H...m..:...Q.ed|
000700e0  a0 e8 00 65 4d a3 05 9d  03 6a 4e ec c3 64 15 2c  |...eM....jN..d.,|
000700f0  e1 f7 1d 4a 0b b3 40 db  0b b3 80 db 0b b3 40 db  |...J..@.......@.|
.
.
.
00074000  18 6c 05 6d 3a 18 73 85  04 6e d0 f0 5c c8 63 64  |.l.m:.s..n..\.cd|
00074010  a0 e8 00 65 c3 64 e0 f3  08 6c 0b b5 3a 18 eb 09  |...e.d...l..:...|
00074020  00 6e 3a 18 71 02 00 65  3a 18 ae c1 00 65 3a 18  |.n:.q..e:....e:.|
00074030  a6 86 00 65 3a 18 20 ce  00 65 3a 18 16 c8 00 65  |...e:. ..e:....e|
00074040  43 64 a0 e8 15 00 07 9d  c3 64 0a b4 3a 18 68 cd  |Cd.......d..:.h.|
00074050  00 65 3a 18 52 d8 00 65  02 6c 07 b5 3a 18 eb 09  |.e:.R..e.l..:...|
00074060  01 6e 64 6c 05 b5 3a 18  eb 09 01 6e 43 64 a0 e8  |.ndl..:....nCd..|
00074070  9d 5b 07 9d 59 42 07 9d  01 19 06 9d 5c 67 30 f7  |.[..YB......\g0.|
00074080  70 9a 98 6a 58 eb 0a b3  12 ea e3 64 49 e3 40 f0  |p..jX......dI.@.|
00074090  44 aa 09 2a 3a 18 44 d0  00 00 00 00 00 00 00 00  |D..*:.D.........|
000740a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

The zeros continue until another section starts at 000a0000 and there is a block of strings starting around 000a0f20.

$ hexdump -C -s 0x000a0f20 -n 1024 roti-b_3v
000a0f20  00 10 00 00 24 d5 01 9d  55 6e 64 65 66 69 6e 65  |....$...Undefine|
000a0f30  64 20 61 63 74 69 6f 6e  20 69 6e 20 74 68 69 73  |d action in this|
000a0f40  20 73 74 61 74 65 20 25  64 00 00 65 59 65 73 00  | state %d..eYes.|
000a0f50  4e 6f 00 00 7b 22 6f 70  63 6f 64 65 22 3a 22 62  |No..{"opcode":"b|
000a0f60  61 74 63 68 43 6f 6d 70  6c 65 74 65 64 22 2c 22  |atchCompleted","|
000a0f70  70 61 79 6c 6f 61 64 22  3a 5b 22 25 64 22 2c 22  |payload":["%d","|
000a0f80  25 64 22 2c 22 25 64 22  2c 22 25 64 22 2c 22 25  |%d","%d","%d","%|
000a0f90  64 22 2c 22 25 64 22 2c  22 25 64 22 2c 22 25 64  |d","%d","%d","%d|
000a0fa0  22 2c 22 25 64 22 2c 22  25 2e 31 66 22 2c 22 25  |","%d","%.1f","%|
000a0fb0  2e 31 66 22 2c 22 25 64  22 2c 22 25 64 22 2c 22  |.1f","%d","%d","|
000a0fc0  25 64 22 2c 22 25 64 22  2c 22 25 64 22 2c 22 25  |%d","%d","%d","%|
000a0fd0  64 22 2c 22 25 64 22 2c  22 25 64 22 2c 22 25 64  |d","%d","%d","%d|
000a0fe0  22 2c 22 25 64 22 2c 22  25 64 22 2c 22 25 64 22  |","%d","%d","%d"|
000a0ff0  2c 22 25 64 22 2c 22 25  64 22 2c 22 25 64 22 2c  |,"%d","%d","%d",|
000a1000  22 25 64 22 2c 22 25 64  22 2c 22 25 64 22 2c 22  |"%d","%d","%d","|
000a1010  25 64 22 2c 22 25 64 22  2c 22 25 64 22 2c 22 25  |%d","%d","%d","%|
000a1020  64 22 2c 22 25 64 22 2c  22 25 64 22 2c 22 25 64  |d","%d","%d","%d|
000a1030  22 2c 22 25 64 22 2c 22  25 64 22 2c 22 25 64 22  |","%d","%d","%d"|
000a1040  2c 22 25 64 22 2c 22 25  64 22 2c 22 25 64 22 2c  |,"%d","%d","%d",|
000a1050  22 25 64 22 2c 22 25 64  22 2c 22 25 64 22 2c 22  |"%d","%d","%d","|
000a1060  25 64 22 2c 22 25 64 22  2c 22 25 64 22 2c 22 25  |%d","%d","%d","%|
000a1070  2e 31 66 22 2c 22 25 2e  31 66 22 2c 22 25 2e 31  |.1f","%.1f","%.1|
000a1080  66 22 2c 22 25 2e 31 66  22 2c 22 25 2e 31 66 22  |f","%.1f","%.1f"|
000a1090  5d 7d 00 00 50 6f 77 65  72 20 73 65 74 74 69 6e  |]}..Power settin|
000a10a0  67 73 0a 69 73 20 6e 6f  74 20 73 75 70 70 6f 72  |gs.is not suppor|
000a10b0  74 65 64 2e 0a 49 20 61  6d 20 69 6e 20 50 72 6f  |ted..I am in Pro|
000a10c0  64 75 63 74 69 6f 6e 20  4d 6f 64 65 2e 00 00 65  |duction Mode...e|
000a10d0  50 6f 77 65 72 20 73 65  74 74 69 6e 67 73 20 69  |Power settings i|
000a10e0  73 20 6e 6f 74 20 73 75  70 70 6f 72 74 65 64 20  |s not supported |
000a10f0  28 50 52 4f 44 29 00 00  49 20 61 6d 20 61 6c 72  |(PROD)..I am alr|
000a1100  65 61 64 79 20 6f 70 65  72 61 74 69 6e 67 20 69  |eady operating i|
000a1110  6e 0a 74 68 65 20 6f 70  74 69 6d 61 6c 20 70 6f  |n.the optimal po|
000a1120  77 65 72 20 6d 6f 64 65  2e 00 00 65 50 6f 77 65  |wer mode...ePowe|
000a1130  72 20 73 65 74 74 69 6e  67 73 20 69 73 20 6e 6f  |r settings is no|
000a1140  74 20 73 75 70 70 6f 72  74 65 64 00 49 74 6f 72  |t supported.Itor|
000a1150  53 65 72 76 20 6e 6f 74  20 69 6e 20 63 6f 72 72  |Serv not in corr|
000a1160  65 63 74 20 73 74 61 74  65 20 28 25 75 29 00 00  |ect state (%u)..|
000a1170  49 27 6d 20 61 6c 72 65  61 64 79 20 63 6f 6e 6e  |I'm already conn|
000a1180  65 63 74 65 64 0a 74 6f  20 22 25 73 22 2e 0a 44  |ected.to "%s"..D|
000a1190  6f 20 79 6f 75 20 77 61  6e 74 20 6d 65 20 74 6f  |o you want me to|
000a11a0  0a 73 77 69 74 63 68 20  74 6f 20 61 6e 6f 74 68  |.switch to anoth|
000a11b0  65 72 20 6e 65 74 77 6f  72 6b 3f 00 2a 00 00 65  |er network?.*..e|
000a11c0  25 73 2c 20 25 73 00 00  25 73 20 73 65 6c 65 63  |%s, %s..%s selec|
000a11d0  74 65 64 00 0a 53 74 6f  70 70 69 6e 67 20 6f 6e  |ted..Stopping on|
000a11e0  67 6f 69 6e 67 20 70 72  6f 63 65 73 73 2e 2e 2e  |going process...|
000a11f0  00 00 00 65 47 69 6d 6d  65 20 61 20 73 65 63 21  |...eGimme a sec!|
000a1200  00 00 00 65 49 20 61 6d  20 73 74 69 6c 6c 20 73  |...eI am still s|
000a1210  74 6f 70 70 69 6e 67 20  63 6f 6f 6b 69 6e 67 21  |topping cooking!|
000a1220  00 00 00 65 4e 6f 20 76  61 6c 69 64 20 72 65 63  |...eNo valid rec|
000a1230  69 70 65 73 20 66 6f 75  6e 64 20 69 6e 20 52 6f  |ipes found in Ro|
000a1240  74 69 6d 61 74 69 63 00  25 64 29 20 30 78 25 30  |timatic.%d) 0x%0|
000a1250  32 78 20 25 73 00 00 65  46 6c 6f 75 72 20 64 61  |2x %s..eFlour da|
000a1260  74 61 20 69 73 20 69 6e  76 61 6c 69 64 20 66 6f  |ta is invalid fo|
000a1270  72 20 52 65 63 69 70 65  20 25 64 20 69 6e 20 52  |r Recipe %d in R|
000a1280  6f 74 69 6d 61 74 69 63  00 00 00 65 44 6f 20 79  |otimatic...eDo y|
000a1290  6f 75 20 77 61 6e 74 20  74 6f 0a 70 6f 77 65 72  |ou want to.power|
000a12a0  20 6f 66 66 20 6d 61 63  68 69 6e 65 3f 00 00 65  | off machine?..e|
000a12b0  44 6f 20 79 6f 75 20 77  61 6e 74 20 74 6f 20 70  |Do you want to p|
000a12c0  6f 77 65 72 20 6f 66 66  20 6d 61 63 68 69 6e 65  |ower off machine|
000a12d0  3f 00 00 65 50 69 7a 7a  61 20 62 61 73 65 20 69  |?..ePizza base i|
000a12e0  73 20 6f 6e 20 74 68 65  20 68 6f 74 20 70 61 6e  |s on the hot pan|
000a12f0  73 2c 20 70 6c 65 61 73  65 0a 70 69 63 6b 20 69  |s, please.pick i|
000a1300  74 20 75 70 20 69 6d 6d  65 64 69 61 74 65 6c 79  |t up immediately|
000a1310  20 74 6f 20 61 76 6f 69  64 0a 6f 76 65 72 63 6f  | to avoid.overco|
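
A triage pass for the two kinds of read seen so far, the 3-byte repeat and the mostly-zero image with isolated sections. This is an added example, not part of the original notes. The function names and the 4 KiB block size are assumptions, and the sample buffers are constructed from bytes shown on this page.

```python
from typing import List, Optional, Tuple


def shortest_period(data: bytes, max_period: int = 64) -> Optional[int]:
    """Smallest p <= max_period such that the whole buffer repeats every p bytes."""
    n = len(data)
    for p in range(1, min(max_period, n // 2) + 1):
        # A buffer is p-periodic exactly when it equals itself shifted by p.
        if data[p:] == data[:n - p]:
            return p
    return None


def populated_regions(data: bytes, block: int = 0x1000) -> List[Tuple[int, int]]:
    """[start, end) ranges of blocks that are not entirely 0x00 or 0xFF."""
    regions: List[Tuple[int, int]] = []
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        if chunk.count(0x00) == len(chunk) or chunk.count(0xFF) == len(chunk):
            continue  # erased or zero-filled block
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], off + len(chunk))  # extend previous run
        else:
            regions.append((off, off + len(chunk)))
    return regions


def triage(data: bytes) -> str:
    """One-line verdict for a freshly read image."""
    p = shortest_period(data)
    if p == 1:
        return f"blank: every byte is 0x{data[0]:02x}"
    if p is not None:
        return f"suspect read: {p}-byte pattern {data[:p].hex(' ')} fills the image"
    spans = ", ".join(f"0x{s:06x}-0x{e - 1:06x}" for s, e in populated_regions(data))
    return f"data present in: {spans or 'none'}"


# Constructed buffers, not the real dumps: the repeating first read, and a
# 1 MiB mostly-zero image with a few bytes placed at offsets shown on the page.
BAD_READ = bytes([0x70, 0x17, 0x1C]) * 4096
SPARSE = bytearray(0x100000)
SPARSE[0x70000:0x70004] = bytes.fromhex("405a80bf")
SPARSE[0xA0F28:0xA0F31] = b"Undefined"

if __name__ == "__main__":
    print(triage(BAD_READ))
    print(triage(bytes(SPARSE)))
```
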

Extracting all the ASCII strings yields this list.

e(%d[%dms]->%d[%dms]) x %d -> %d
update.img
Front Door state changed: %d
Kneader Door state changed: %d
Undefined action in this state %d
{"opcode":"batchCompleted","payload":["%d","%d","%d","%d","%d","%d","%d","%d","%d","%.1f","%.1f","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%d","%.1f","%.1f","%.1f","%.1f","%.1f"]}
Power settings is not supported.
I am in Production Mode.
Power settings is not supported (PROD)
I am already operating in the optimal power mode.
Power settings is not supported
ItorServ not in correct state (%u)
I'm already connected to "%s".
Do you want me to switch to another network?
Stopping ongoing process...
Gimme a sec!
I am still stopping cooking!
No valid recipes found in Rotimatic
Flour data is invalid for Recipe %d in Rotimatic
Do you want to power off machine?
Do you want to power off machine?
Pizza base is on the hot pans, please pick it up immediately to avoid overcooking. It comes out hot! Handle with care.
Puri disc is on the hot pans, please pick it up immediately to avoid overcooking. It comes out hot! Handle with care.
%s-out notification shown
Do you want to stop making %s?
Do you want to stop making?
Do you want to start making %s?
Do you want to start making?
Make sure flour container is full. Start making?
Make sure water container is full. Start making?
Started making %s
DBG_ASSERT(): %s:%d.
No valid recipes found
Selection (%d) >= RecipeCount (%d)
Selection (%d) >= FlourCount (%d)
Roast level cannot be changed
2 Drops
1 Drop
Oil level cannot be changed
This app provides tips and support.
What do you want to cook?
Skip
Pipe cleaning. Help screen shown
Pipe cleaning. Resume screen shown
Pipe Sanitize step %u, %u
{"opcode":"feedback","payload":["%d","%d","%d","%d"]}
DecDB() %d
IncRoti() %d
eRoti was folded
Roti isn't puffy
Roti too thick
Chewy rotis
Small rotis
Unevenly cooked edges
There were errors
Rotimatic is noisy
Other
Power Saver (Recommended)
Standby
Thin
Medium
Thick
Light
Medium Well
Well Done
Do not see your Flour?
-Empty-
Change Power Settings
Warranty
About
General Cleaning
Advanced Cleaning
Recipe/Flour
Recipe Settings
Clean Rotimatic
WiFi Configuration
General Settings
Menu
Thickness
Roast Level
Oil 
Main view shown
%s pressed
Making not allowed for selftest build
Making cannot be started now
Starting up...
Final check...
Warming up...
eCooking...
Pausing...
Use + or - and press PLAY!
Invalid Configuration (Status: 0x%X)
Device ID: 0x%X
MADCTL: 0x%X
Pixel Format: 0x%X
ID: 0x%X
!"##$%&'())*+,-./12345689:;=>?ABDEGIJLNOQSUWYZ

Firmware

Will explore extracting onboard firmware from PIC32MX470F512L via P8 connection on main ZEM0021-0x board once PIC programmer is in hand.

In the meantime, a "current" copy of the firmware image, used for updating via a USB thumb stick, has been obtained for exploration.

1_20_19.zip

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract,
                                compressed size: 286277,
                                uncompressed size: 520192,
                                name: update.img
286373        0x45EA5         End of Zip archive, footer length: 22


Image file appears to contain a signed firmware for the device

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
105156        0x19AC4         PEM certificate
105332        0x19B74         PEM certificate request
105400        0x19BB8         PEM RSA private key
105464        0x19BF8         PEM EC private key
105660        0x19CBC         PEM DSA private key
149248        0x24700         DES SP1, little endian
149504        0x24800         DES SP2, little endian
219508        0x35974         CRC32 polynomial table, little endian
356960        0x57260         SHA256 hash constants, little endian
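
binwalk labels the PEM entries from the `-----BEGIN ...` text alone, and the five hits above sit only 64 to 196 bytes apart, so each marker should be checked for a real base64 DER body before it is treated as a certificate or key rather than a label string. The check below is an added example, not from the original page. The function name is an assumption and the sample blob is constructed (its "DER" is filler, not a real certificate).

```python
import base64
import re
from typing import List, Tuple

BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+?)-----")


def classify_pem_hits(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, label, verdict) for every PEM BEGIN marker in blob."""
    hits = []
    for m in BEGIN.finditer(blob):
        label = m.group(1)
        verdict = "no DER body"
        end = blob.find(b"-----END " + label + b"-----", m.end())
        if end != -1:
            # Strip line breaks; anything that is not base64 makes decoding fail.
            body = b"".join(blob[m.end():end].split())
            try:
                der = base64.b64decode(body, validate=True)
                # Certificates and keys are ASN.1 SEQUENCEs, so DER starts with 0x30.
                if len(der) >= 16 and der[0] == 0x30:
                    verdict = f"decodes to {len(der)} bytes of DER"
            except ValueError:
                pass  # binascii.Error is a ValueError: not base64
        hits.append((m.start(), label.decode(), verdict))
    return hits


# Constructed sample: a NUL-separated table of marker strings, as a PEM parser
# would carry, followed by one well-formed PEM block with a filler payload.
TABLE = b"\x00".join([
    b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----",
    b"-----BEGIN RSA PRIVATE KEY-----", b"-----END RSA PRIVATE KEY-----",
]) + b"\x00"
FAKE_DER = b"\x30\x3e" + bytes(range(62))
REAL = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_DER)
        + b"-----END CERTIFICATE-----\n")
SAMPLE = b"\xff" * 16 + TABLE + b"\xff" * 16 + REAL

if __name__ == "__main__":
    for offset, label, verdict in classify_pem_hits(SAMPLE):
        print(f"0x{offset:05x}  {label:<16} {verdict}")
```

Encrypted PEM keys carry `Proc-Type` header lines before the base64 and will also report "no DER body" here, so inspect those by hand.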

Repair Budgeting

...and now for Round II

  • $60 busted up broken up rotimatic
  • $62 Kneading/Stirrer Cup†
  • $60 Flour Container†
  • $39 Water Container†
  • $35 Oil Container†
  • $45 Front Door†
  • $37 Dough Tray†
  • $52 Kicker Pad†
    • $390 Sub Total Machine & Parts
  • $7.99 Disinfecting Wipes
  • $3.49 Isopropyl Alcohol
  • $3.99 Pack of Sharpies
  • $13.99 Lube
  • $20 gas to here and there
    • $439.46 Estimated Total ($1,599/$1,399 new/re-manufactured)†

† Parts priced from rotimatic.com