And now for a bit of EEPROM hacking

[3MAR2016 Note: A much newer, better method has been developed and is documented in this post.]

A common question among commenters to this blog when I write about my Stratasys FDM 1600 is “how did you hack the cartridge?”  Newer Stratasys machines such as the Dimension series (P-Class machines – I assume named after the Prodigy, which I think was the first Stratasys machine to use cartridges) don’t have plain old wire welding type spools like the old FDM series – instead, they have the filament stored in a large cassette.  This is nice as it keeps the filament dry without having to keep it in a dry box and it makes loading in new material (or swapping colors) a breeze.  On the down side (as many Stratasys owners have apparently discovered), Stratasys went the route of inkjet printer manufacturers and have ‘chipped’ their cartridges so that you can’t simply refill the cartridge with material and continue on.  While this isn’t a hindrance to me and my old machine, I’ve still been curious to know if there’s a way around this (if I ever come across a Dimension for cheap, I’ll need a way to feed it as well).  Note: I understand the big T-class machines (named after the Titan model, I assume) still use large spools, though I believe the spools also have a chip module (but hey, if you can afford to buy a T-class, the consumables cost probably isn’t a big concern).

Inside each Stratasys cartridge is a Maxim DS2433 1-Wire EEPROM (in an SO-8 package) that the machine communicates with. This is a simple 4 kbit device (that’s kilobits – only 512 bytes of storage), and reading/writing it is reasonably straightforward – a 1-Wire library most likely exists no matter what your microcontroller of choice is (Arduino enthusiasts, look here). Dumping the contents of one yields hexadecimal gibberish, unfortunately. What’s more, you can’t simply clone one of them: every 1-Wire device carries a factory-set, read-only 64-bit ROM ID made up of an 8-bit family code (0x23 for the DS2433), a unique 48-bit serial number lasered onto the die at the time of production, and an 8-bit CRC over the rest, and this serial (presumably) is used as the seed to encrypt/obfuscate the EEPROM data. This has been enough to dissuade most tinkerers from playing further with the system, though Bolson Materials may very well have cracked the code, as they are able to provide new EEPROMs with their cartridge refill spools.

Thanks to some hacking by the shadowy figure known as ‘Dervish’, it’s been found that only a small portion (12 bytes) of the EEPROM is dedicated to storing how much material is left on the spool.  As a cartridge was used, the EEPROM was read out at various points and only bytes 0x58-0x63 changed over the life of a cartridge.  Specifically, here’s the layout of data on the EEPROM as known thus far as a result of reading EEPROMs from several brand new cartridges:

0x00-0x41: scrambled data (commenter lgg2 noted that 0x28-0x2F is identical to 0x30-0x37, highlighted in purple; commenters below also noticed that on new spools 0x38-0x3F matches 0x58-0x5F, which suggests 0x38-0x3F holds the original quantity of material)
0x42-0x45: 0x00000000
0x46-0x47: scrambled data
0x48-0x4A: 0x55AA55 (highlighted in green)
0x4B-0x4D: scrambled data
0x4E-0x4F: 0x71BE, 0x72BE, 0x73BE, 0x74BE, or 0x75BE
0x50-0x51: scrambled data
0x52-0x57: 0x000000000000
0x58-0x63: filament remaining (scrambled data, highlighted in yellow) – on an unused spool, 0x62-0x63 is always 0x4BB9, but this gets modified (along with 0x58-0x61) as the cartridge is used.  Perhaps 0x62-0x63 is an unencrypted checksum?
0x64-0x67: 0x00000000
0x68-0x70: 0x535452415441535953 (‘STRATASYS’ in ASCII, highlighted in dark blue)
0x71-0x1FF: scrambled data
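To make the layout above usable, here is an added example (not code from the original post or from Stratasys) that checks a 512-byte dump against the constant fields and mirrored regions listed for a brand-new cartridge, and diffs two dumps of one cartridge to confirm that only 0x58-0x63 moved. The dumps it works on are constructed in code: the “scrambled” regions are filler bytes, not real cartridge data, and 0x4E-0x4F is simply set to one of the values seen so far.

```python
"""Added example, not part of the original post: sanity-check a 512-byte DS2433
dump against the field layout listed above, and diff two dumps of one
cartridge to confirm that only the filament-remaining field (0x58-0x63) moved.
The dumps here are constructed in code; the 'scrambled' regions are filler
bytes, not real cartridge data, and 0x4E-0x4F just uses one of the values seen."""
from typing import List

EEPROM_SIZE = 512
REMAINING = range(0x58, 0x64)                       # the 12 bytes that change with use

# Constant content observed on brand-new cartridges: offset -> expected bytes.
FIXED_ON_NEW = {
    0x42: bytes(4),
    0x48: bytes.fromhex("55AA55"),
    0x52: bytes(6),
    0x62: bytes.fromhex("4BB9"),                    # holds only while unused
    0x64: bytes(4),
    0x68: b"STRATASYS",
}
SEEN_AT_4E = {bytes.fromhex(v) for v in ("71BE", "72BE", "73BE", "74BE", "75BE")}
# Regions commenters found identical on new spools (the second pair suggests
# 0x38-0x3F holds the original quantity of material).
MIRRORED_ON_NEW = [(0x28, 0x30, 8), (0x38, 0x58, 8)]


def check_new_dump(dump: bytes) -> List[str]:
    """Return every way the dump deviates from an unused cartridge; [] means it fits."""
    if len(dump) != EEPROM_SIZE:
        return [f"length {len(dump)}, expected {EEPROM_SIZE}"]
    problems = []
    for off, want in FIXED_ON_NEW.items():
        got = dump[off:off + len(want)]
        if got != want:
            problems.append(f"0x{off:02X}: expected {want.hex()}, got {got.hex()}")
    if dump[0x4E:0x50] not in SEEN_AT_4E:
        problems.append(f"0x4E: {dump[0x4E:0x50].hex()} not among the values seen so far")
    for a, b, n in MIRRORED_ON_NEW:
        if dump[a:a + n] != dump[b:b + n]:
            problems.append(f"0x{a:02X} and 0x{b:02X} differ; they match on new spools")
    return problems


def changed_offsets(before: bytes, after: bytes) -> List[int]:
    """Offsets whose byte differs between two dumps of the same cartridge."""
    return [i for i, (x, y) in enumerate(zip(before, after)) if x != y]


def only_remaining_changed(before: bytes, after: bytes) -> bool:
    """True if the consumption counter is the only thing the printer touched."""
    changed = changed_offsets(before, after)
    return bool(changed) and all(i in REMAINING for i in changed)


def constructed_new_dump() -> bytes:
    """A synthetic 'brand new' dump: filler for the scrambled regions, real constants elsewhere."""
    d = bytearray((i * 37 + 11) & 0xFF for i in range(EEPROM_SIZE))  # filler, not real data
    for off, want in FIXED_ON_NEW.items():
        d[off:off + len(want)] = want
    d[0x4E:0x50] = bytes.fromhex("73BE")
    for a, b, n in MIRRORED_ON_NEW:
        d[b:b + n] = d[a:a + n]
    return bytes(d)


def constructed_used_dump(new: bytes) -> bytes:
    """The same cartridge after printing: every byte of 0x58-0x63 altered, nothing else."""
    d = bytearray(new)
    for i in REMAINING:
        d[i] ^= 0xFF
    return bytes(d)


if __name__ == "__main__":
    new = constructed_new_dump()
    used = constructed_used_dump(new)
    print("new dump problems:", check_new_dump(new))
    print("changed offsets:", [hex(i) for i in changed_offsets(new, used)])
    print("only 0x58-0x63 changed:", only_remaining_changed(new, used))
    print("used dump problems:", check_new_dump(used))
```

Run against a real pair of dumps (the fresh read you took before first use and a later one), changed_offsets is the quick way to confirm that a given firmware still confines its writes to 0x58-0x63 before you trust a 100%-full image written back over a used chip.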

Simple enough, right?  Just read in the EEPROM at 100% full, respool it with generic material when empty and write the 100% full data back to the EEPROM…  Well, not quite.  You can certainly use this respooled cartridge in a different machine, but not in the same one, as each machine remembers which cartridge EEPROMs it has already used (by the unique serial number in the chip’s ROM ID).  This is where Dervish tore into the guts of the machine and began the really clever hacking.  When you open up the side panel of a Dimension, here’s what you see (image taken from Brad Rigdon’s Print To 3D gallery):

Brad also has a nice video on YouTube that shows the full workings of the machine. The electronics appear to be composed of three boards: the large PDB (Power Distribution Board) on the left, the SBC (Single Board Computer, just a PC) in the center right above the hard drive, and what appears to be a motion controller board (in the upper right, connected to the SBC via a 16-bit PC/104 header). As per the troubleshooting section of the Dimension/SST Service Guide, the motion controller board in the upper right is known as the ‘186 board’.  The SBC pictured appears to be an Ampro P5v, though some Dimensions use a Nova-600.  After connecting a keyboard and monitor to the SBC, Dervish found that the computer is running Linux (Red Hat 8, specifically – not Fedora 8, but the circa 2002 Red Hat Linux 8.0 release with a 2.4.x kernel).

By rebooting the system he was able to enter single user mode (at the LILO prompt, enter ‘linux single’) and could change the root password to whatever was desired (type ‘passwd’ at the prompt, enter a new password, then enter it again to confirm). After rebooting once more into standard mode as root with his newly minted password, he modified /etc/sysconfig/iptables to open up port 22 so that he could ssh into the system and hack remotely without having to be at the console itself (the sshd daemon does not run by default, so adding the line ‘/etc/init.d/sshd start’ to /etc/rc.local is also required; ‘chkconfig sshd on’ is the Red Hat-native way to do the same thing).  Keep in mind what this exposes: a 2002-vintage Red Hat install that will never see another security update, now accepting root password logins over ssh, so keep the printer on an isolated network or restrict the iptables rule to the address you administer it from.  While he had been able to modify temperatures on the machine by using Stratasys’s ‘Maraca’ software (the CatalystEX software offers no ability to tweak the system), direct access to the SBC allows much greater control over process parameters such as adjusting rollback.  All the configurations are stored within the /mariner/config tree (the hard drive image covers multiple models), and it can be tricky to determine which ‘gender’ (kona, lanai, spinnaker, oahu etc.) corresponds to a given machine, but the directory with the most recent modification date is a dead giveaway (‘ls -lt /mariner/config’ lists it first).

The holy grail turned out to be the discovery of an innocuous sounding file named ‘system.dat’ located in the root directory.  This is where the Dimension apparently stores a list (in binary) of all the cartridge EEPROM serial numbers that it has seen before.  Delete this file and the machine gets amnesia, allowing respooled cartridges (with the EEPROM rewritten to show 100% full) to be used again.  I assume creating a cron job to delete this file periodically (or using rc.local to delete it on startup) would also work; a commenter below reports that the rc.local approach works on a BST 768.  Commenters have also found that newer firmware keeps system.dat under /mariner/config rather than in the root directory, so check both locations.
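The console work described in the two paragraphs above, scripted as an added example (not Dervish’s steps verbatim and nothing from Stratasys): it runs against the printer’s drive mounted at ROOT on another Linux box, the way commenter JJ did from Ubuntu, and assumes the Red Hat 8 layout the post names, that is an iptables-save style /etc/sysconfig/iptables, /etc/rc.local executed at boot, one /mariner/config/<gender>/ directory per model, and system.dat in / or /mariner/config. The chain name in the rule it inserts is taken from whatever REJECT/DROP rule the file already has; the exact ruleset on a real printer is not known from the post.

```sh
#!/bin/sh
# Added example, not Dervish's or Stratasys's: script the SBC changes the post
# describes against a mounted copy of the printer's drive (ROOT), the way
# commenter JJ did from an Ubuntu box.  Assumed: Red Hat 8 layout with
# /etc/sysconfig/iptables in iptables-save format, /etc/rc.local run at boot,
# /mariner/config/<gender>/ directories, and system.dat in / or /mariner/config.
set -eu

SSH_RULE_TAIL='-p tcp -m tcp --dport 22 -j ACCEPT'

append_once() {                         # append_once FILE LINE (idempotent)
    grep -qxF -e "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Insert an ACCEPT for tcp/22 into the chain that holds the first REJECT/DROP,
# ahead of it, so iptables-restore loads it where it is actually reached.
# Falls back to the INPUT chain just before COMMIT if no such rule exists.
open_ssh_port() {                       # open_ssh_port ROOT
    f="$1/etc/sysconfig/iptables"
    if grep -q -e '--dport 22 ' "$f"; then
        return 0                        # already open; do not add a duplicate
    fi
    awk -v tail="$SSH_RULE_TAIL" '
        !done && $1 == "-A" && /-j (REJECT|DROP)/ { print "-A " $2 " " tail; done = 1 }
        !done && /^COMMIT/                        { print "-A INPUT " tail;  done = 1 }
        { print }
    ' "$f" > "$f.new" && mv "$f.new" "$f"
}

# sshd is installed but not started by default; rc.local is the post's hook
# ("chkconfig sshd on" is the Red Hat-native alternative).
enable_sshd_at_boot() {                 # enable_sshd_at_boot ROOT
    append_once "$1/etc/rc.local" '/etc/init.d/sshd start'
}

# Make the machine forget every cartridge it has seen, on every boot.
forget_cartridges_at_boot() {           # forget_cartridges_at_boot ROOT
    append_once "$1/etc/rc.local" 'rm -f /system.dat /mariner/config/system.dat'
}

# The config tree covers several models; the gender directory modified most
# recently is the one this machine has actually been using.
active_gender() {                       # active_gender ROOT
    ls -1t "$1/mariner/config" | head -n 1
}

prep_image() {                          # prep_image ROOT, e.g. prep_image /mnt/sbc
    open_ssh_port "$1"
    enable_sshd_at_boot "$1"
    forget_cartridges_at_boot "$1"
    echo "config gender in use: $(active_gender "$1")"
}
```

Every function is safe to run twice, which matters when you are iterating on a drive you have to physically move between the printer and your workstation; and opening port 22 this way is exactly the exposure the paragraph above warns about, so tighten the inserted rule to a source address (add ‘-s <your host>’ before ‘-p tcp’) if the printer shares a network with anything else.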

As far as I know, this constitutes the cutting edge of Stratasys hacking – I’ve heard rumors before of people having bypassed the cartridge EEPROMs, but this is the first concrete information I’ve seen on how to accomplish it.  If anyone has further information, please leave a comment!

244 thoughts on “And now for a bit of EEPROM hacking”

  1. Hi, I’m having curling part problems on my Dimension Elite, and I’m looking for the Maraca software. Any idea? I could not find it on the web and you seem to know a lot about FDM.
    Thanks, Franck (frenchie)

  2. Hello!
    This hack works fine only with old printer models.
    The new one, the Stratasys uPrint Plus, has another cartridge.
    It consists of a protected EEPROM with SHA-1 and a limit switch (family code B3h – maybe like the DS2432, 33h?).
    The EEPROM has a secret code, and the printer sends data with encryption.
    I can read the ROM memory and find 12 “wonderful” bytes on a full chip (for a used chip it consists of 16 bytes),
    but I can’t rewrite this data to an empty chip without the secret code…. (
    Now I am trying to log the communication protocol and analyze it… hope it helps.

  3. Very interesting! I suppose this may be in response to Bolson supposedly cracking the code for the Dimension cartridges. I wonder if they’re using the same secret across all cartridges? I can’t find any mention of a 0xB3 family code for 1-wire devices – does the EEPROM have any markings on it?

    From reading the abbreviated datasheet on the DS2432 (the full datasheet is apparently confidential, but this might be it: http://www.ibutton.ru/pdf/Dallas_Sem/1-Wire/DS2432.pdf), you can supply a new secret to the chip without knowing the old one, but if the printer is still trying to use the old one, writes aren’t going to work (and since Stratasys started verifying writes to the EEPROM at some point, it will probably flag the cartridge as bad). Sure, you can sniff the communications and find the MAC for a given write command, but then you’d have to brute-force the SHA-1 hash (good luck with that).

    Seems the best way to get around this would be to build an EEPROM simulator that the printer can talk to – if the simulator accepts any MAC provided, it should be able to fool the printer.

  4. Hello!

    There is no marking on the chip. It looks like a piece of Si with epoxy resin around it.
    Maybe it is a DS28E10 ( http://www.maxim-ic.com/datasheet/index.mvp/id/6577 ). I can’t find a full datasheet with the family number.

    The problem is that the MAC is calculated using a) the secret code and b) the data to write. So if I sniff this write sequence I couldn’t get the chip back to 100%, only to 99%.

    There are two ways:
    1) if the secret is constant, sniff the first write sequence and use it in future for this chip;
    2) if the secret may change (the DS2432 allows that), it’s a problem; maybe we need to disassemble the software part.

    Interesting facts:
    – I can’t simply change the EEPROM to another one (without write protection); the printer constantly checks authentication.
    – if I remove the chip from a working printer it continues its work but pauses after each layer of the model. After a reboot and connecting the chip back, the printer displays the original chip state.

    Building a full emulator is not as easy as a reader/writer, and I don’t know whether the printer would check the written data.

  5. As an owner of dimension 3d printer, that works on stratasys system, I am very interested in discovery you made. At this point I would like to ask, if this also works on dimension bst 768 printer.
    With best regards Jernej

  6. I owe Dervish some beer (a lot of beer!). Hooking up the VGA and keyboard was not a practical option on my 768 (headers, no connectors). I just pulled the hard drive and mounted it on an Ubuntu Linux box and turned on ssh by doing some editing. From there, I followed the lead on killing the system.dat file on bootup…
    Genius!!!!!!!
    Works perfectly.
    Thanks to my genius friend TOM (who is definitely getting a case of Dogfish Head 60 Minute IPA).

    JJ — off to print!

  7. My report about analyzing chip’s protocol with SHA1 :

    The chip has family code B3h, but seems fully compatible with the DS2433 (33h) command system.
    The authorization packet consists of a write buffer command, a read memory command, and a calculate MAC command.
    The MAC is calculated using a+b+c:
    a) data stored in memory
    b) data stored in the buffer
    c) the secret code
    So I know the MAC result, a) and b), and I don’t know c).
    The bad news: 8 bytes of unknown data is very bad.
    I wrote a simple program calculating SHA-1 hashes: 6000 hash/s (Athlon 1500 MHz)
    Commercially available CUDA GPU brute-forcer: 100M hash/s
    Possible FPGA brute-forcer: 1-10G hash/s
    All these cases are too slow.
    Maybe it is possible to use a sharp electrical probe tip directly inside the chip and measure the voltage of the secret code’s flip-flops. But I don’t have such qualifications or such equipment.
    The good news: the current version of the program has a minor bug, and it allows us to keep using the same chips.

  8. Fantastic information, thanks! I agree, brute forcing the hash isn’t practical at this time, especially when there are weaker areas to investigate for the MAC.

  9. Hello, Arduino Enthusiast here,
    Would someone please help me or point me in the right direction to figure out how to read the hex values of the chip? I have an Arduino, a 4.7k resistor, a multimeter and the small GF201 switch with the EEPROM on it. Though I have all of this, I cannot figure out which pins to connect to, or what code I should be using in the Arduino IDE. Any help would be much appreciated.

  10. Did you notice that on new spools offsets 0x38-0x3F // 0x58-0x5F are the same???
    0x40-0x41 // 0x60-0x61 could be checksums or something

  11. I didn’t notice that – excellent catch! I think it’s safe to assume that 0x38-0x3F contains the original amount of material on the spool. I’ll have to update the post when I get a chance.

  12. And 0x4E-0x4F I think are related to the manufacturing date (production week), and I’m figuring out how to calculate them

  13. Actually, I think 0x28-0x2F and 0x30-0x37 are the manufacturing and first use dates. I noticed in a log file from a machine that these two values were identical when read – apparently Stratasys doesn’t update the ‘initial use’ field in the EEPROM.

  14. How can one read/write to EEPROM ds2433 chip using arduino?
    Does anybody have a code that we can use?

    Thank you!!

  15. Hello,
    Is it possible to contact ‘Dervish’? At the moment we are connecting a keyboard to a Dimension 3D printer, and maybe he could provide some help for us.
    Greetings

  16. I haven’t heard from Dervish in a while, but connecting the keyboard and monitor isn’t hard – you just need the correct cable set from the maker of the SBC.

  17. Hello Blue

    I have an FDM2000 but no software.
    Where can I get the software to run this machine?
    Stratasys no longer supports this model.
    Any help would be great.
    Thank you
    Marcio

  18. I’ve got four questions.
    1) Is there someone who can send me the Maraca software?
    2) Can anybody show me, with screenshots, how to open port 22?
    3) How can you modify the temperature of the heating head?
    4) Where can I modify the distance between the support and model heating heads?

    Greetings,

    Jeroen

  19. I have a stratasys prodigy plus, and while fooling around in the Linux system, accidentally overwrote a file called lcdcmds. I was wondering if anyone on this blog could get another copy for me? It doesn’t seem to be stored anywhere else! 🙁

  20. Do you have a firmware package that you can re-upload? That’s probably the best way to fix it, as that file may get changed as new firmware versions are released.

  21. I would like to reload the chip on a stratasys spool to reuse the material left on the spool. I am using an arduino uno with a maxim ds2433 eeprom to read/write the .hex file in an attempt to reload the chip. Any advice on the code to make this happen?

  22. I’m tempted to try this on my printer at work… just got a 1200es. Is there a way to SSH into the SBC without having to remove it? I noticed a COM port in the back of the printer.

  23. Hi guys, I have the Stratasys Fortus 250mc and I’m trying to refill the spool. I see that most of you don’t have the right tool to read/write the 1-Wire EEPROM… well, you can buy the Bus Pirate cheaply from http://dangerousprototypes.com . It will let you do anything you want on several serial buses (USART, SPI, I2C), 1-Wire included. I’m using it and it works great; you just need to write a software interface to fill the addresses with your data.
    My problem is that I found the system.dat file inside /mariner/config/, but even if I remove it, the machine regenerates the file and doesn’t accept the spool with the reloaded dump (it gives “material error…”). Do you have any idea?? Fla

  24. The system.dat file to delete is the one in the root directory, not anything in /mariner/config. [edit] I stand corrected – I wasn’t aware that it appears in /mariner/config in newer firmware versions.

  25. Hello, I too would like to manage to use ABS filament cheaper than what the STRATASYS resellers sell, because it is a serious brake on printing objects.
    I saw that you are French and it is easier for me than in English.
    If you have any information to share with me, I would be very grateful.
    Thanks

  26. I want to refill some cartridges for a BST 768.

    Do I have to dump the EEPROM when the cartridge is new? Can I find a way to refill all the old cartridges which don’t have virgin EEPROM dumps?

    Flavio, could you provide any further information on using the BusPirate with the 1wire eeproms?

  27. Correct, you need to get an EEPROM dump before you start using a new cartridge. There is no way to refill a cartridge chip unless you read out the EEPROM when new (unless you work for Stratasys and have access to the program that generates the EEPROM data).

  28. I have access to more than a few empty cartridges, would it help if I could produce a dump for each of them? If anyone is interested in that data, let me know.

    Can someone point me to a good resource for reading/writing these EEPROMs with an Arduino or BusPirate? I googled a bit but failed to find anything good.

  29. Empty cartridge dumps won’t be of much help, but full ones might. I’ve read out the EEPROMs with a Bus Pirate, but it required cutting the trace on the EEPROM board for the resistor. I still need to try using a 12v power source, as I think that’s the trick to getting a read.

  30. Have Blue, could you detail where to cut the trace / use a 12V power source? I was under the impression one simply had to connect the ground (to pin 3), and a 4.7k ohm resistor between data and pin 4.

  31. Dan, I’m actually hoping to do a blog post on reading an EEPROM with a BusPirate. The problem with the Stratasys EEPROM board is that the resistor in place is a 4.7k pullDOWN and not a pullup. I think this is why 12v is required.

  32. Hello, I have a Dimension Elite, and during operation the power was cut. The machine starts but the display doesn’t show anything. I did the cycling power procedure but the machine doesn’t power off. Can someone help me with this problem?

  33. Thank you. Yesterday we connected a keyboard and monitor and we saw that one of the files is damaged. To repair this file I need a password to enter the repair console, but I don’t have one. Do you know what the password could be, or where I can find it?

    Best Regards

    Emiliano
