And now for a bit of EEPROM hacking

[3MAR2016 Note: A much newer, better method has been developed and is documented in this post.]

A common question among commenters to this blog when I write about my Stratasys FDM 1600 is “how did you hack the cartridge?”  Newer Stratasys machines such as the Dimension series (P-Class machines – I assume named after the Prodigy, which I think was the first Stratasys machine to use cartridges) don’t have plain old wire welding type spools like the old FDM series – instead, they have the filament stored in a large cassette.  This is nice, as it keeps the filament dry without having to keep it in a dry box, and it makes loading new material (or swapping colors) a breeze.  On the down side (as many Stratasys owners have apparently discovered), Stratasys went the route of inkjet printer manufacturers and has ‘chipped’ its cartridges so that you can’t simply refill the cartridge with material and continue on.  While this isn’t a hindrance to me and my old machine, I’ve still been curious to know if there’s a way around this (if I ever come across a Dimension for cheap, I’ll need a way to feed it as well).  Note: I understand the big T-class machines (named after the Titan model, I assume) still use large spools, though I believe the spools also have a chip module (but hey, if you can afford to buy a T-class, the consumables cost probably isn’t a big concern).

Inside each Stratasys cartridge is a Maxim DS2433 one-wire EEPROM (in a SO-8 package) that the machine communicates with. This is a simple 4kb (that’s kilobits – only 512 bytes of storage) device, and reading/writing them is reasonably straightforward – a library most likely exists for 1-wire communication no matter what your microcontroller of choice is (Arduino enthusiasts, look here). Dumping the contents of one yields hexadecimal gibberish, unfortunately. What’s more, you can’t simply clone one of them, as each has a unique 48-bit serial number lasered onto the die at the time of production, and this serial (presumably) is used as the seed to encrypt/obfuscate the EEPROM data. This has been enough to dissuade most tinkerers from playing further with the system, though Bolson Materials may very well have cracked the code, as they are able to provide new EEPROMs with their cartridge refill spools.

Thanks to some hacking by the shadowy figure known as ‘Dervish’, it’s been found that only a small portion (12 bytes) of the EEPROM is dedicated to storing how much material is left on the spool.  As a cartridge was used, the EEPROM was read out at various points and only bytes 0x58-0x63 changed over the life of a cartridge.  Specifically, here’s the layout of data on the EEPROM as known thus far as a result of reading EEPROMs from several brand new cartridges:

0x00-0x41: scrambled data (commenter lgg2 noted that 0x28-0x2F is identical to 0x30-0x37, highlighted in purple)
0x42-0x45: 0x00000000
0x46-0x47: scrambled data
0x48-0x4A: 0x55AA55 (highlighted in green)
0x4B-0x4D: scrambled data
0x4E-0x4F: 0x71BE, 0x72BE, 0x73BE, 0x74BE, or 0x75BE
0x50-0x51: scrambled data
0x52-0x57: 0x000000000000
0x58-0x63: filament remaining (scrambled data, highlighted in yellow) – on an unused spool, 0x62-0x63 is always 0x4BB9, but this gets modified (along with 0x58-0x61) as the cartridge is used.  Perhaps 0x62-0x63 is an unencrypted checksum?
0x64-0x67: 0x00000000
0x68-0x70: 0x535452415441535953 (‘STRATASYS’ in ASCII, highlighted in dark blue)
0x71-0x1FF: scrambled data
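
The layout above can be checked mechanically against a dump, and the way the usage bytes were located (comparing dumps taken at different points in a cartridge's life) is a plain byte diff. The following is an added example, not code from the original post or from Dervish; the dumps are constructed sample data and the function names are hypothetical.

```python
EEPROM_SIZE = 512  # DS2433: 4 kilobits = 512 bytes

# (start, end inclusive, allowed values) for the fields the post lists as fixed
FIXED_FIELDS = [
    (0x42, 0x45, {bytes(4)}),
    (0x48, 0x4A, {bytes.fromhex("55AA55")}),
    (0x4E, 0x4F, {bytes([n, 0xBE]) for n in range(0x71, 0x76)}),
    (0x52, 0x57, {bytes(6)}),
    (0x64, 0x67, {bytes(4)}),
    (0x68, 0x70, {b"STRATASYS"}),
]

def check_layout(dump):
    """Return a list of mismatches between a dump and the known layout."""
    if len(dump) != EEPROM_SIZE:
        return [f"expected {EEPROM_SIZE} bytes, got {len(dump)}"]
    problems = []
    for start, end, allowed in FIXED_FIELDS:
        value = bytes(dump[start:end + 1])
        if value not in allowed:
            problems.append(f"0x{start:02X}-0x{end:02X}: unexpected {value.hex().upper()}")
    if dump[0x28:0x30] != dump[0x30:0x38]:
        problems.append("0x28-0x2F does not repeat at 0x30-0x37")
    return problems

def changed_ranges(before, after):
    """Return (start, end) inclusive offset ranges where two dumps differ."""
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i - 1))
            start = None
    if start is not None:
        ranges.append((start, len(before) - 1))
    return ranges

def make_sample(usage_block):
    """Build a constructed dump: arbitrary filler plus the fixed fields."""
    dump = bytearray((i * 37 + 11) & 0xFF for i in range(EEPROM_SIZE))
    dump[0x30:0x38] = dump[0x28:0x30]
    for start, end, allowed in FIXED_FIELDS:
        dump[start:end + 1] = sorted(allowed)[0]
    dump[0x58:0x64] = usage_block
    return bytes(dump)

# Constructed samples: only the 12 usage bytes differ; 0x62-0x63 is 0x4BB9 when unused
FULL = make_sample(bytes.fromhex("0102030405060708090A4BB9"))
USED = make_sample(bytes.fromhex("1112131415161718191A2C3D"))

if __name__ == "__main__":
    print(check_layout(FULL))
    print(changed_ranges(FULL, USED))
```
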

Simple enough, right?  Just read in the EEPROM at 100% full, respool it with generic material when empty and write the 100% full data back to the EEPROM…  Well, not quite.  You can certainly use this respooled cartridge in a different machine, but not in the same one, as they remember what cartridges they’ve already used (that serial number on the EEPROM).  This is where Dervish tore into the guts of the machine and began the really clever hacking.  When you open up the side panel of a Dimension, here’s what you see (image taken from Brad Rigdon’s Print To 3D gallery):

Brad also has a nice video on youtube that shows the full workings of the machine. The electronics appear to be composed of 3 boards – the large PDB (Power Distribution Board) on the left, the SBC (Single Board Computer, just a PC) in the center right above the hard drive, and what appears to be a motion controller board (in the upper right, connected to the SBC via a 16-bit PC/104 header). As per the troubleshooting section of the Dimension/SST Service Guide, the motion controller board in the upper right is known as the ‘186 board’.  The SBC pictured appears to be an Ampro P5v, though some Dimensions use a Nova-600.  After connecting a keyboard and monitor to the SBC, Dervish found that the computer is running Linux (Red Hat 8, specifically – not Fedora 8, but the circa 2002 version with a 2.4.x kernel).

By rebooting the system he was able to enter single user mode (at the LILO prompt, enter ‘linux single’) and could change the root password to whatever was desired (type ‘passwd’ at the prompt, enter a new password, then enter again to confirm). After rebooting once more into standard mode as root with his newly minted password, he modified /etc/sysconfig/iptables to open up port 22 so that he could ssh into the system and hack remotely without having to be at the console itself (the sshd daemon does not run by default, so adding the line ‘/etc/init.d/sshd start’ to /etc/rc.local is also required).   While he had been able to modify temperatures on the machine by using Stratasys’s ‘Maraca’ software (the CatalystEX software offers no ability to tweak the system), direct access to the SBC allows much greater control over process parameters such as adjusting rollback.  All the configurations are stored within the /mariner/config tree (the hard drive image covers multiple models), and it can be tricky to determine which ‘gender’ (kona, lanai, spinnaker, oahu etc.) corresponds to a given machine, but noting which directory has the most recent modification date is a dead giveaway.

The holy grail turned out to be the discovery of an innocuous sounding file named ‘system.dat’ located in the root directory.  This is where the Dimension apparently stores a list (in binary) of all the cartridge EEPROM serial numbers that it has seen before.  Delete this file and the machine gets amnesia, allowing respooled cartridges (with the EEPROM rewritten to show 100% full) to be used again.  I assume creating a cron job to delete this file periodically (or using rc.local to delete it on startup) would also work.

As far as I know, this constitutes the cutting edge of Stratasys hacking – I’ve heard rumors before of people having bypassed the cartridge EEPROMs, but this is the first concrete information I’ve seen on how to accomplish it.  If anyone has further information, please leave a comment!

244 thoughts on “And now for a bit of EEPROM hacking”

  1. Hmm, I have some inconsistencies on my hard drive preventing the printer from starting and it is asking me to manually do a repair. But to get to the command prompt to do so it is asking for the root password. The only other option is to reboot which starts me at square one. Any ideas?

  2. If you have a brief LILO boot prompt, you can type ‘linux single’ at the prompt to log into single user mode, then run ‘passwd’ to change the root password. Alternatively, you can mount the drive on a Linux box (or use a live CD) and edit /etc/shadow directly to remove the hashed root password.

  3. Yes, that will work IF the printer’s firmware responds to the ‘er’ command – many people have had difficulty trying to read the EEPROM in that manner. The best method is to use a dedicated EEPROM reader (could be a BusPirate, RasPi, etc.), but for the uPrint SE, you still have the MAC authentication to deal with.

  4. I seem to be having trouble dumping the system.dat file. Can someone please walk me through exactly how to delete this file, and/or how to use rc.local? I am quite new to Linux and can only do a few basic things. I can get as far as logging in as root and then I seem to get lost. I tried this command but I don’t think it did anything:

    rm system.dat

  5. Where can I get an EPROM reader and writer for reading and programming Hewlett Packard ink jet cartridge chips for models 18 and 88?

  6. What directory were you in when you did ‘rm system.dat’? Also, do you have a backup of your hard drive? Remember, you’re running as root, which means you can break things in a tremendous hurry (although it was always kinda funny to tell Unix newbs that “rm -rf” was the shortcut for “read mail real fast”). I strongly recommend reading through Dan’s posts at on how to go about the system.dat hack.

  7. Unfortunately, I’m not familiar with programming HP inkjet cartridges – however, I’ve heard that the EasyPro 90B is a fantastic programmer for Stratasys EEPROMs – maybe it will work for HP cartridges as well?

  8. Okay, so I went through the post and I’m pretty sure that I did everything correctly. But I still get a message from the printer saying that the print cartridge is empty. I saved the original EEPROM data and put that back onto the same one that it came from. I’m beginning to think that the problem is that I let the cartridge go to empty, but I don’t know why that would be a problem if you’re just writing the code back to full. Can someone please confirm if this is in fact a problem? On the gnurds site it says “You overwrote the near-empty value on the cartridge’s”. Am I hosed with the ones that I have that are empty?

  9. You made sure to delete /mariner/config/system.dat as well as /system.dat, correct? What do the contents of those files currently show?

    Also, what are the contents of the EEPROM right now?

  10. Any shot someone could forward me a service manual? Thanks.

    Replaced a limit switch in our 768 BST machine and the whole thing went haywire when I turned it back on. The lights and motor power are just flashing over and over…. this stinks.

    Might have to try plugging in a screen.

  11. I’ve been using this hack for about a year now without any problems on a BST1200. However the way I’ve been deleting the system.dat file is to remove it as part of the startup routine, meaning that after you flash the cartridge you have to restart the machine. This makes changing cartridges a 10-15 minute affair, and if you don’t have a spare “full” cartridge ready and it runs out during a job you have to restart everything. Was wondering what other people are doing for deleting the system.dat file regularly. Originally me and the guys who were working on it wanted to avoid problems with deleting the file when it might be trying to use it and possibly making the system unstable. But now I think we would like to explore something more useful, like adding a command to the list of options for the diagnostics port or something. We also don’t want to keep a keyboard and monitor plugged in to the printer all of the time.

  12. Just had a look at your blog, and you have some very cool projects and interests! Regarding EEPROM hacking, all current effort has apparently been going into bypassing any modification of the printer itself and instead creating EEPROM images ‘from scratch’. bvanheu on github managed to crack the EEPROM encryption and has created some amazing tools to extract and rebuild the EEPROM information:

    Have a look at this thread for inspiration:

  13. Thank you, although I’m afraid I’m woefully behind on updating it with all of my projects. I will definitely try to get that working on a Raspberry Pi, and that thread gave me an idea. I got a friend of mine to make up a quick version of the EEPROM PCB so people can make their own boards instead of having to hunt down used cartridges. The replacement EEPROM from Maxim might not work with the printer (details on the linked page), but it’s worth a shot. I’ve got a writeup and a link to the files on this page:


  14. Hi, thank you for this valuable info. I have a Dimension Elite and an older BST 768. I’m keen to give this a try on the BST machine since it is out of life and available for tinkering, but I may need to replace some parts first to get it back online. Which brings me to an issue I hope you may be able to shed some light on. I’m looking for a replacement Single Board Computer for my Elite machine, but the Ampro P5v reached end-of-life in 2007 and the “Littleboard” range is no longer available. Are you perhaps aware of what the latest Elite SBC might be (Stratasys does not release this information)? I’m not sure if Stratasys programs their boards prior to delivery (I’m not a programmer so you guys have the edge on me here), in which case sourcing such an item may be a waste of time. The P5v is IDE and all new SBCs seem to be SATA, but a replacement board from Stratasys is not shipped with a HDD which suggests they keep spares of the P5v SBC (for 7+ years?!?) Thanks in advance!

  15. Try checking eBay for the old motherboards – I’ve managed to find old ones that way. No programming of the SBC is needed, as it’s just like a PC motherboard – all the ‘programming’ is on the hard drive (make sure you get a hard drive image before you start tinkering!)

  16. Hello, I have a question about the display panel of the Dimension BST 768-SST 768 printer. Yesterday I was installing the Catalyst 4.2 software; it did not recognize the printer, but I could interact with the display panel,
    and today the display panel does not start (nothing is shown).
    Could someone guide me?
    I have a 3.5″ disk from inside the printer (with the inscription -config disk Pi949).
    Thank you very much.

  17. My challenge continues, either to do with BIOS settings or with Stratasys proprietary features on the hardware.
    I sourced a 2nd hand P5x Single Board Computer to replace the original P5v, then hooked up a VGA monitor and keyboard.
    With the SBC connected to the power supply only, the monitor and keyboard function correctly and I can access the BIOS setup. So that works fine.
    Connecting only the Controller Board to the SBC via the PC/104 slot without ANY other cables prevents signal from being sent to/from monitor or k/b.
    The machine doesn’t boot when all components are connected as per normal operation, and I’m obliged to flick the switch on the rear to shut down.
    If I connect only the IDE HDD to the SBC, the SBC doesn’t recognise the HDD, even if I configure it manually in the BIOS.
    So it appears there’s a handshake that’s not being shook. Perhaps the Controller Board checks the HDD before allowing the POST to run? Ring a bell with you? Thanks!

  18. None of this is an issue I’ve heard of before – I’m wondering if the P5x is simply not a suitable substitution for the P5v in a Stratasys machine?

  19. 1 too many late nights, and I’d overlooked re-connecting the power cable to the HDD (urgh!). I successfully got the machine running with the X, Y and Z startup dance. All that I need to overcome now is that there is no feed to the display panel. I’m hoping it’s simply a BIOS setting.

  20. Is it the same thing for a Cubex Duo?
    What is the process for erasing all the registered nbr data?

  21. Please can you help me hack the “SPIT PULSA 800” gas nailer? It uses only original gas balloons, and these balloons have an RFID chip.

  22. Unfortunately, I don’t have much experience with RFID, but the first thing to do would be to determine what frequency it is using. After that, purchase an RFID reader for the correct frequency range and see if you can read any data…

  23. I have a purely software solution to the cartridge issue, which requires no messing with the EEPROM. If someone can send me a hard drive image I will be able to test it and post the results here (I’m still waiting for my 1200es). If someone is interested –

  24. It works on HF 13.56 MHz, but today I couldn’t read any data from this RFID tag. I found an SWD connector on the board of the gun. Maybe it is possible to use this SWD connector to hack it and use it without RFID.
    Can you help me?

  25. Yes, I’m guessing you’re correct in reading/writing through the SWD pads. Can you remove the plastic housing to see the components on the other side of the board?

  26. This board is filled with plastic, and it is not possible to remove the housing. Maybe we can try to scan or research the SWD pads? Anyway, I will try to find this part on eBay for experiments with removing the plastic.

  28. Without knowing what the SWD pads actually connect to, it would be very difficult to figure out how to use them – disassembling discarded units would be the best method.

  29. Please, can you send me a hard disk image for the Dimension BST 1200es?
    To satelite07@gmail,com, it is very urgent! Thanks!!!!

  30. Thanks for your efforts. I recently got a free 1650 FDM but it only came with the calibration disk and firmware settings (and a whole ton of tips). I don’t want to retrofit if I can help it but the software is extremely elusive. Where did you get Insight 8.1?
