And now for a bit of EEPROM hacking

[3MAR2016 Note: A much newer, better method has been developed and is documented in this post.]

A common question among commenters to this blog when I write about my Stratasys FDM 1600 is “how did you hack the cartridge?”  Newer Stratasys machines such as the Dimension series (P-Class machines – I assume named after the Prodigy, which I think was the first Stratasys machine to use cartridges) don’t have plain old wire welding type spools like the old FDM series – instead, they have the filament stored in a large cassette.  This is nice as it keeps the filament dry without having to keep it in a dry box and it makes loading in new material (or swapping colors) a breeze.  On the down side (as many Stratasys owners have apparently discovered), Stratasys went the route of inkjet printer manufacturers and have ‘chipped’ their cartridges so that you can’t simply refill the cartridge with material and continue on.  While this isn’t a hindrance to me and my old machine, I’ve still been curious to know if there’s a way around this (if I ever come across a Dimension for cheap, I’ll need a way to feed it as well).  Note: I understand the big T-class machines (named after the Titan model, I assume) still use large spools, though I believe the spools also have a chip module (but hey, if you can afford to buy a T-class, the consumables cost probably isn’t a big concern).

Inside each Stratasys cartridge is a Maxim DS2433 one-wire EEPROM (in a SO-8 package) that the machine communicates with. This is a simple 4kb (that’s kilobits – only 512 bytes of storage) device, and reading/writing them is reasonably straightforward – a library most likely exists for 1-wire communication no matter what your microcontroller of choice is (Arduino enthusiasts, look here). Dumping the contents of one yields hexadecimal gibberish, unfortunately. What’s more, you can’t simply clone one of them, as each has a unique 48-bit serial number lasered onto the die at the time of production, and this serial (presumably) is used as the seed to encrypt/obfuscate the EEPROM data. This has been enough to dissuade most tinkerers from playing further with the system, though Bolson Materials may very well have cracked the code, as they are able to provide new EEPROMs with their cartridge refill spools.

Thanks to some hacking by the shadowy figure known as ‘Dervish’, it’s been found that only a small portion (12 bytes) of the EEPROM is dedicated to storing how much material is left on the spool.  As a cartridge was used, the EEPROM was read out at various points and only bytes 0x58-0x63 changed over the life of a cartridge.  Specifically, here’s the layout of data on the EEPROM as known thus far as a result of reading EEPROMs from several brand new cartridges:

0x00-0x41: scrambled data (commenter lgg2 noted that 0x28-0x2F is identical to 0x30-0x37, highlighted in purple)
0x42-0x45: 0x00000000
0x46-0x47: scrambled data
0x48-0x4A: 0x55AA55 (highlighted in green)
0x4B-0x4D: scrambled data
0x4E-0x4F: 0x71BE, 0x72BE, 0x73BE, 0x74BE, or 0x75BE
0x50-0x51: scrambled data
0x52-0x57: 0x000000000000
0x58-0x63: filament remaining (scrambled data, highlighted in yellow) – on an unused spool, 0x62-0x63 is always 0x4BB9, but this gets modified (along with 0x58-0x61) as the cartridge is used.  Perhaps 0x62-0x63 is an unencrypted checksum?
0x64-0x67: 0x00000000
0x68-0x70: 0x535452415441535953 (‘STRATASYS’ in ASCII, highlighted in dark blue)
0x71-0x1FF: scrambled data

Simple enough, right?  Just read in the EEPROM at 100% full, respool it with generic material when empty and write the 100% full data back to the EEPROM…  Well, not quite.  You can certainly use this respooled cartridge in a different machine, but not in the same one, as they remember what cartridges they’ve already used (that serial number on the EEPROM).  This is where Dervish tore into the guts of the machine and began the really clever hacking.  When you open up the side panel of a Dimension, here’s what you see (image taken from Brad Rigdon’s Print To 3D gallery):

Brad also has a nice video on youtube that shows the full workings of the machine. The electronics appear to be composed of 3 boards – the large PDB (Power Distribution Board) on the left, the SBC (Single Board Computer, just a PC) in the center right above the hard drive, and what appears to be a motion controller board (in the upper right, connected to the SBC via a 16-bit PC/104 header). As per the troubleshooting section of the Dimension/SST Service Guide, the motion controller board in the upper right is known as the ‘186 board’.  The SBC pictured appears to be an Ampro P5v, though some Dimensions use a Nova-600.  After connecting a keyboard and monitor to the SBC, Dervish found that the computer is running Linux (Red Hat 8, specifically – not Fedora 8, but the circa 2002 version with a 2.4.x kernel).

By rebooting the system he was able to enter single user mode (at the LILO prompt, enter ‘linux single’) and could change the root password to whatever was desired (type ‘passwd’ at the prompt, enter a new password, then enter again to confirm). After rebooting once more into standard mode as root with his newly minted password, he modified /etc/sysconfig/iptables to open up port 22 so that he could ssh into the system and hack remotely without having to be at the console itself (the sshd daemon does not run by default, so adding the line ‘/etc/init.d/sshd start’ to /etc/rc.local is also required).   While he had been able to modify temperatures on the machine by using Stratasys’s ‘Maraca’ software (the CatalystEX software offers no ability to tweak the system), direct access to the SBC allows much greater control over process parameters such as adjusting rollback.  All the configurations are stored within the /mariner/config tree (the hard drive image covers multiple models), and it can be tricky to determine which ‘gender’ (kona, lanai, spinnaker, oahu etc.) corresponds to a given machine, but noting which directory has the most recent modification date is a dead giveaway.

The holy grail turned out to be the discovery of an innocuous sounding file named ‘system.dat’ located in the root directory.  This is where the Dimension apparently stores a list (in binary) of all the cartridge EEPROM serial numbers that it has seen before.  Delete this file and the machine gets amnesia, allowing respooled cartridges (with the EEPROM rewritten to show 100% full) to be used again.  I assume creating a cron job to delete this file periodically (or using rc.local to delete it on startup) would also work.

As far as I know, this constitutes the cutting edge of Stratasys hacking – I’ve heard rumors before of people having bypassed the cartridge EEPROMs, but this is the first concrete information I’ve seen on how to accomplish it.  If anyone has further information, please leave a comment!

244 thoughts on “And now for a bit of EEPROM hacking”

  1. Hey there
    I have a BST which doesn’t get past the boot-up stage, and I am wondering if I may be able to have a direct copy of the firmware data? It passes the HD testing stage and requires a password (to which it says incorrect, and says expected 1×72344 (or something, I cannot remember the numbers) found FxFFFFF).
    I’m a little clueless 😀 so any help would be very gratefully received! Thanks

  2. As you can see, the bytes from $0038 to $003F are the same as $0058 to $005F, where the spool material left lives. Can you tell me the name of the cartridge that you took this dump from? Usually, the cartridge has a name like P401_GRY or similar (depending on the material features and color). I’m sure the cartridge’s name is inside these bytes (between $0058 and $005F).

    Best regards.

  3. If it’s asking for the root password, there is no valid root password by default – you’ll need to boot the machine into single user mode and create a valid password.

  4. I don’t know what specific material code that dump would have read out, though I think it was probably just ‘P400’. For various reasons, I really don’t think that specific string is encoded on the EEPROM – I’m sure it’s just a numeric identifier which corresponds to ‘P400’, ‘PC_ABS’, ‘P430_NAT’, etc.

  5. Maybe! I can log in as single and change the root password; however, I am still coming up against the same problems, which says

    Master login : DPM: Invalid signature: Expected 53595353 got ffffffff
    DPM : Failed to aquire 28 byte I/O memory range at 0xd1000

    DPM : revision 1 controller with memory size of 8188 bytes

    DPM : revision 1 little endian controller with a 8188 byte dual port memory

    I know the hard drive is on its way out (noisy!), and have tried to get a ghost image of it before it dies, with little success, as it skips some partitions saying they are damaged. Could this be the problem? Thanks!

  6. Ah, that error seems to indicate difficulty with communicating with the controller board. It’s possible that hard drive corruption could be causing the issue, but it’s hard to say. I’ve used SpinRite (http://www.grc.com/sr/spinrite.htm) before to recover/repair bad sectors – might be worth a try.

  7. I am not an expert, but do you guys know if I could put a diode on the EEPROM which is at 100%, so the machine can’t write to the EEPROM?
    Does it make sense?

  8. I understand what you’re suggesting, but it won’t work – since the EEPROM is a 1-wire unit, there is no write protect pin or any other line that can be toyed with. Since there’s only a single pin for input data, output data, and parasitic power supply, anything that affects writing will also affect reading.

  9. Dear Have Blue

    I’m Daniel, from Buenos Aires, Argentina.
    I have read your explanation and enjoyed it. English isn’t my language, but I understood it in general.
    I don’t know anything about electronics, but I was looking for how to hack a uPrint material chip, and you gave me good information about Bolson material.

    I bypassed the security of the equipment and could use a generic material in the machine, but I could do this in a mechanical way.
    The process is not complicated: you need to put in an original spool, and when the equipment pulls the material in, you must disconnect the hose and at the same time introduce the generic material through the hose. When the generic material arrives at the extruder, the original one stops and the machine pulls the generic one. During the construction process the counting stops; you preserve the total life of the original spool and chip but use the generic one.

    I wish you could understand my primitive English.

    Bye

  10. Daniel, I am very interested in understanding more about what you did. Are we talking about the old spool that came encased? How did you manage to introduce the material into the hose??

  11. Dear Monko

    I have the uPrint model; it’s a small one. On the back it has two hoses, one for the material and the other for the support; in other models the hoses are inside the equipment.

    The steps are the following.

    First, discharge the material.
    Second, disconnect the material hose and introduce the generic material into the machine, but stop before it arrives at the extruder.

    Introduce the original material cartridge into the machine and charge it; the filament will go into the machine and come out (because you disconnected the hose).
    When the material comes out you must push the generic material into the machine until it is caught by the extruder motor. At this moment the original material stops, because the extruder motor takes control and pulls the material, but it is pulling the generic one.

    Conclusion: all the time you use the generic material and not the original, and because the counting mechanism works when the original material runs, the chip doesn’t change in the charge percentage.

    So sorry for my bad explanation; if you need, I could take some pictures for you.

    Daniel

  12. Sorry, one detail: the generic material must be introduced into the machine through the hose, as if the original material continued through the hose.

  13. Daniel –

    When does the printer actually write back to the EEPROM? Is there an encoder on the uPrint that monitors how much filament has been fed out of the cartridge itself?

  14. I really don’t know which is the EEPROM; I think I understand your question and I’ll try to respond.

    I use this process every time the spool chip has only 1 or 2%, and I could print practically one generic spool with 1 or 2%.

    I don’t understand the electronic mechanism very well, and in particular what the machine does to count the filament, but by trying I could bypass this counting.

    If you wish to ask me anything else, please don’t hesitate.

    Daniel

  15. Assuming the guts are at the rear of the machine, does the entire metal case need to be removed to get to it? Once open and I get SSH working, how do I then connect?

    I need to calibrate the table/head distance so will be hunting for a config or knowing my luck it will be in binary

    thanks

  16. The guts are at the rear – you’ll need to use appropriate keyboard and monitor adapter cables to get into single user mode. It’s just a panel that you’ll need to open – should be easy to access the SBC. Once you have SSH running, you can connect directly over the network – no further need for the monitor and keyboard.

  17. Does anybody know if the current, new Stratasys cartridges can still be hacked as described in this post? Is the same EEPROM being used?

    Also, thoughts on disconnecting the spool sensor with the new cartridge, such that the amount of material remaining is never decreased, and it can be continually reloaded?

  18. I have lots of Model Material which is showing 0%. Let me know if any one is interested.
    I would be happy if some one can use them.
    My coordinates are
    43.754227,-79.632016

  19. Daniel, you are a genius. The mechanical hack worked on my Uprint ESplus.

    So all you folks who are reprogramming your code, which I don’t understand: if you pull the hose off the back and jam in the generic filament, it sucks it in but does not remove % from the chip. Done. Sounds crazy but works.
    I’ve been running a test: I pulled out a spool and put new filament in the cartridge, but with the original chip. I started the loading process. When the new filament came out of the hose I pushed the original filament manually into the now open hole till it was recognized and then pulled in from the head by the motor. My part has been building but the chip has NOT been counting down. It’s weird because you have to have an extra spool on the outside of the machine, and I have no idea what in the cartridge would make it count down… but apparently if the filament isn’t moving through the cartridge it doesn’t count down.
    Now I can get material from other places!! 4 spools for the price of one from SYS. Glow in the Dark, here I come.

  20. And in return… my hack.
    You can reuse the trays about a million times.
    After each use, scrape flat.
    Fold a paper towel into a flat pad, dip it in acetone and give it a series of quick wipes. The tray will look shiny but parts will stick great. In fact I was having trouble with my factory trays when I was being meticulous and buying new ones. Now I am abusive: a quick wipe of acetone and boom, never a peeling part.

  21. I’ve not confirmed chip swap actually works on my Uprint ESplus- but would be happy to swap a chip to test it with you. If it works I too have several 0’ed chips– we could swap all. what machine do you have?
    write me at MrGreatRakes@Gmail.com

  22. For the record, I tried imaging the hard drive for my Uprint ES plus, running the machine and then re-imaging as discussed way above- It did NOT reset the clock for the chip. Perhaps they’ve upgraded the chip to write as well. the chips on these spools have 4 contacts.

    Any similar experiences?

  23. Hi, I’m a student at a high school and am very privileged to have a 3-d 1200es printer at my school. Though due to the high cost of printer cartridges from Dimension, we aren’t allowed to use it (much). If we were able to use material from companies like Makerbot, we would be allowed and probably be encouraged to use the printer. We have a few empty cartridges lying around with chips in them and I also have an Arduino, although I haven’t programmed anything with 1-wire communication. The main issue is that since it is a school printer, I’m not allowed to take apart the printer because of insurance. I am allowed to mess with a cartridge and do whatever I want with them, plus I’m allowed to reset the printer. Plus, with a set plan I might be able to convince my teacher to let me have a go at erasing the serial numbers on the printer as long as I can do it from a remote computer.
    Any and all help would be appreciated. Send me an email @ justinhockey@gmail.com

  24. Wow, a 1200es – you are indeed privileged! I’m really disappointed that your school limits your access to the machine just because the materials are pricey – the 1200es is probably a good $35k-$40k machine, so that’s a bit like saying “no, you can’t drive the Ferrari because premium unleaded is so expensive”.

    If I were in your position, I’d suggest to the powers-that-be that the school sell off the 1200es and get a bunch of Makerbots instead. Heck, the yearly maintenance fee that Stratasys is charging your school for the 1200es would cover a Replicator by itself, and then you’d be able to run PA-747 filament all day long from a variety of sources. This is actually what Frankie did for UWM’s Digital Craft Research Lab – we had been hoping to get a used old model Stratasys for several thousand dollars, but Frankie wound up building a fleet of RepRaps for the same price instead. You may not be able to provide every student in a class with their own machine, but you’d be able to do much, much more than with just the 1200es.

  25. The EEPROMs have always been written to – this is what allowed you to swap between different color cartridges (even between different machines), yet retain an accurate count of how much material was left.

  26. Hi Blue,

    First of all thank you very much for this and other posts they’ve been very helpful. We have a uPrint printer and with your help we successfully hacked the machine so we can use Makerbot material instead of the expensive stuff that Stratasys sells. Our printer is running Fedora instead of RedHat and for installing the script we removed the hard drive from the printer and modified the files directly from a virtual machine. If it is any help we can post a more detailed description of what we did.

    Since the Makerbot material is a little bit thicker (1.75mm) from the original Stratasys (1.6mm from measurements we did) we are a little concerned about the extra mechanical effort (in the long run) or some overheating that the motor can have. So what we are trying to do now is to change the speed of the model material motor. In the configuration file of the printer there are a lot of parameters but we can find any that may be the speed. There are the PID values for the head motor, but without the behavioral model of the motor I don’t know if it can help us. Well if you are familiar with this file and/or if you want to help us I can send it to you so you can take a look.

    P. S.: We have the Maraca EX 3.0 software but really didn’t help, we could only change temperatures, plus the model of our printer is not in the list.

  27. Sorry for the english, I use google translator. I’m from Brazil and I have a Uprint, phaco like to know how to use generic cartridges? I have a problem with counting the eeprom. thank you

  28. Hi Fabiano,

    I’ll tell you what we did.
    First of all we connected with a serial cable to the DIAG port that is on the back of the printer. You can use HyperTerminal or any other software like that to make the connection. The parameters are baud 38400, 8 data bits, 1 stop bit, no parity, no flow control. To read the EEPROM you have to type the command:

    er 0 0 0 128

    For the model material. And:

    er 1 0 0 128

    For the support material.
    This will throw something like this:

    Model carrier ID (8 8-bit values)
    000000: b3 a6 33 04 d0 14 10 bd ..3.....

    Model carrier in bay 0: 128 bytes at address 0 (128 8-bit values)
    000000: 06 4b aa e4 cc eb 9c dd f8 01 49 0b 12 ca f7 99 .K........I.....
    000016: 1d 7a bf da a8 dc 68 60 c9 04 12 ac de 6c 4b 29 .z....h`.....lK)
    000032: 2e 91 67 93 5f 2a 91 e5 8f 71 6e fe cc 63 79 5c ..g._*...qn..cy\
    000048: 8f 71 6e fe cc 63 79 5c bf dd ab d7 c6 22 d5 c6 .qn..cy\....."..
    000064: 22 6b 00 00 00 00 49 f9 55 aa 55 4d 45 01 5e be "k....I.U.UME.^.
    000080: 13 de 00 00 00 00 00 00 bf dd ab d7 c6 22 d5 c6 ............."..
    000096: 69 b0 11 90 00 00 00 00 53 54 52 41 54 41 53 59 i.......STRATASY
    000112: 53 94 76 71 a1 7d e7 1d 09 22 1d 33 e9 96 d7 f9 S.vq.}...".3....

    Then you have to arrange the data in order to write it to the EEPROM in this format

    "06,4b,aa,e4,cc,eb,9c,dd,f8,01,49,0b,12,ca,f7,99,1d,7a,bf,da,a8,dc,68,60,c9,04,12,ac,de,6c,4b,29,2e,91,67,93,5f,2a,91,e5,8f,71,6e,fe,cc,63,79,5c,8f,71,6e,fe,cc,63,79,5c,bf,dd,ab,d7,c6,22,d5,c6,22,6b,00,00,00,00,49,f9,55,aa,55,4d,45,01,5e,be,13,de,00,00,00,00,00,00,bf,dd,ab,d7,c6,22,d5,c6,69,b0,11,90,00,00,00,00,53,54,52,41,54,41,53,59,53,94,76,71,a1,7d,e7,1d,09,22,1d,33,e9,96,d7,f9"

    These --> " " <-- are very important.

    To write the data you type the next command

    ew 0 0 0 "data" For model
    ew 1 0 0 "data" For support

    Like this:

    ew 0 0 0 "06,4b,aa,e4,cc,eb,9c,dd,f8,01,49,0b,12,ca,f7,99,1d,7a,bf,da,a8,dc,68,60,c9,04,12,ac,de,6c,4b,29,2e,91,67,93,5f,2a,91,e5,8f,71,6e,fe,cc,63,79,5c,8f,71,6e,fe,cc,63,79,5c,bf,dd,ab,d7,c6,22,d5,c6,22,6b,00,00,00,00,49,f9,55,aa,55,4d,45,01,5e,be,13,de,00,00,00,00,00,00,bf,dd,ab,d7,c6,22,d5,c6,69,b0,11,90,00,00,00,00,53,54,52,41,54,41,53,59,53,94,76,71,a1,7d,e7,1d,09,22,1d,33,e9,96,d7,f9"
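
The dump quoted in the comment above can be checked against the field layout given in the article. The following is an added example, not code from the post or its commenters: it parses `er`-style rows, compares the fixed-value fields, lists repeated 8-byte blocks and diffs two read-outs. The function names are illustrative and the "later" read-out is constructed.

```python
import re

# First 128 bytes of the model-carrier dump quoted in the comment above,
# hex columns only (the ASCII column is dropped).
ER_OUTPUT = """\
Model carrier in bay 0: 128 bytes at address 0 (128 8-bit values)
000000: 06 4b aa e4 cc eb 9c dd f8 01 49 0b 12 ca f7 99
000016: 1d 7a bf da a8 dc 68 60 c9 04 12 ac de 6c 4b 29
000032: 2e 91 67 93 5f 2a 91 e5 8f 71 6e fe cc 63 79 5c
000048: 8f 71 6e fe cc 63 79 5c bf dd ab d7 c6 22 d5 c6
000064: 22 6b 00 00 00 00 49 f9 55 aa 55 4d 45 01 5e be
000080: 13 de 00 00 00 00 00 00 bf dd ab d7 c6 22 d5 c6
000096: 69 b0 11 90 00 00 00 00 53 54 52 41 54 41 53 59
000112: 53 94 76 71 a1 7d e7 1d 09 22 1d 33 e9 96 d7 f9
"""

# Fields the article lists with a fixed value: (start, end inclusive, expected).
FIXED_FIELDS = [
    (0x42, 0x45, bytes(4)),
    (0x48, 0x4A, bytes.fromhex("55aa55")),
    (0x52, 0x57, bytes(6)),
    (0x64, 0x67, bytes(4)),
    (0x68, 0x70, b"STRATASYS"),
]
# Values the article reports at 0x4E-0x4F on brand new cartridges.
KNOWN_4E = {bytes([n, 0xBE]) for n in range(0x71, 0x76)}

def parse_er_dump(text):
    """Turn `er` hexdump rows into bytes, checking that the decimal offsets are contiguous."""
    data = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*(\d{6}):\s*(.*)", line)
        if not m:
            continue  # header lines such as "Model carrier in bay 0: ..."
        if int(m.group(1)) != len(data):
            raise ValueError(f"gap or overlap at printed offset {m.group(1)}")
        for tok in m.group(2).split()[:16]:
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break  # reached the ASCII column of a short row
            data.append(int(tok, 16))
    return bytes(data)

def check_layout(dump):
    """Return {offset range: bool} for every field the article gives a fixed value for."""
    results = {}
    for start, end, expected in FIXED_FIELDS:
        results[f"0x{start:02X}-0x{end:02X}"] = dump[start:end + 1] == expected
    results["0x4E-0x4F"] = dump[0x4E:0x50] in KNOWN_4E
    return results

def repeated_blocks(dump, size=8):
    """Map each aligned `size`-byte block that occurs more than once to its offsets."""
    seen = {}
    for off in range(0, len(dump) - size + 1, size):
        block = dump[off:off + size]
        if any(block):  # ignore all-zero padding
            seen.setdefault(block, []).append(off)
    return {blk.hex(): offs for blk, offs in seen.items() if len(offs) > 1}

def diff_ranges(a, b):
    """Inclusive (start, end) offset ranges where two equally long dumps differ."""
    if len(a) != len(b):
        raise ValueError("dumps must be the same length")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i - 1))
            start = None
    if start is not None:
        ranges.append((start, len(a) - 1))
    return ranges

if __name__ == "__main__":
    dump = parse_er_dump(ER_OUTPUT)
    print("fixed fields:", check_layout(dump))
    print("repeated 8-byte blocks:", repeated_blocks(dump))
    # Constructed "later" read-out: only bytes 0x58-0x63 are altered.
    later = dump[:0x58] + bytes(b ^ 0xFF for b in dump[0x58:0x64]) + dump[0x64:]
    print("changed:", [(hex(s), hex(e)) for s, e in diff_ranges(dump, later)])
```

On this dump every fixed field matches except 0x4E-0x4F, which reads 0x5EBE rather than one of the five values listed in the article, and the repeated blocks are the two pairs commenters pointed out (0x28/0x30 and 0x38/0x58).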

  29. hitch when the cable on the machine and the computer, a message on the machine power failure, low battery output. What do you mean?

  30. I connected the cable to the DIAG output and the computer, but nothing happens. Would I have to download some program?

  31. My school has a uprint by dimensions printer and I was wondering if this hack would still work for it. It uses p430 cartridges and I was wondering how you would change those

  32. Hello! (and greetings to Milwaukee Makerspace from Pumping Station: One!)

    I work at a college in Chicago that happens to have a Dimension sst1200 with an expired service contract… and I’ve been given permission to modify the machine (to reduce the cost of printing for students). Unfortunately, the machine’s firmware has been updated to the latest one, and it seems that there are some differences between your findings and mine.

    I’ve got an image of the HD, hexdumps from cartridges at all states (new in box, new in machine, used and not empty, and empty), Maraca 4.0, and a serial connection to the DIAG port on the back of the machine.

    I’ve been teaching our old Stratasys technician a few things about the machine as well!

    I was hoping I’d be able to pick your brain on some things! Is there any chance I could email you some of the questions I had?

    And if you get a chance, tell everyone at Milwaukee Makerspace that TensorFlux says hello! I hope the new space is treating you well 🙂

    Cheers!

  33. Hey, greets to the PS:1 crew! We’re not moved into the new space yet (still getting the place prepped), but we’re really stoked about it! On the printer, definitely drop me a line – if you’ve been given permission to hack the machine, I’d love to come down and poke at it myself, as I have no access to any modern Stratasys machines.

  34. I work with a uprint plus and previously a ST768, and I am very pissed with the toll printing system (I have about 100 spent uprint chips, sigh). So pissed I built a tantillus (excellent printer). I wouldn’t be so pissed if they just charged double or triple the going rate of ABS, but at 10 times the going rate you’re having a laugh.

    Anyhow, I have been in touch with Bolson for the last year and a bit, and they have said their material for the uprint is not far away; however, that is always what they say. I even offered to buy a chip re-programmer from Bolson, with no luck.

    So thank you all for these great comments. I am going to try some of these things over the next few months, fingers crossed there is a way to bulk feed (<1Kg Spool) the uprint!

  35. Hello!

    Can anyone explain the exact hardware and firmware differences between the SST 768 and the Elite? They seem to be identical machines. Would it not be possible to “upgrade” an SST 768 to an Elite?

    Also, would it be possible to use the Insight software to create valid CMB files to be used on the SST 786? Catalyst is very limited and the SST could do more.

  36. Hey guys, I write from Argentina. I have an SST768, and in my country a cartridge costs around $ 600, so using it is very expensive. I have carefully read the post about reusing the cartridges, but it is very difficult for those who have no knowledge of electronics. Could someone do a step-by-step tutorial for this?

    Thanks for your feedback.
    regards
    Martin

  37. I forgot: does someone have the latest version of CATALYST for my sst768?

    Thanks for your feedback.
    regards
    Martin

  38. You don’t need to cut the trace to read a cartridge with the Bus Pirate. Connect the trace closest to the hole to GND on the Bus Pirate and connect the other trace to MOSI. Connect the Bus Pirate to the computer’s USB. Start a terminal program (I used Realterm) and connect to the COM port for the Bus Pirate (mine was COM2) @ 11520 baud, no parity, 6 data bits, & 1 stop bit.

    In the open terminal window:

    1) Type ‘m’ for menu.
    2) Type ‘2’ for 1-Wire.
    3) Type ‘w’ for power supply.
    4) Type ‘P’ for pull-up resistor.
    5) Type ‘[‘ for bus reset.
    6) Type ‘240’ for search.
    7) Type ‘204’ for skip ROM function.
    8) Type ‘(0x55)(1) 0xf0 0x00 0x00 r:512’ for dump.

    Save the dumped data from the terminal window.

  39. Well, there you go! Thanks, John – I was concerned that the resistor would mess with getting a good read with the Bus Pirate. I’ll have to give it a try myself.

  40. Hi,

    Has anyone tried to replace the DS chip with a micro-controller, like an atmega8?
    It’s no problem making an atmega board with a button to reset back to the original data.
    Has anyone been able to connect anything other than the original DS chip to communicate with the machine?

  41. Jarno, you were asking how to “upgrade” a SST 768 to an Elite.
    I have a 768BST, and to me it looks like it’s probably a different head, since the BST only has one temperature in the head and the Elite probably has two.

    Your SST also has two, I suspect.
    Can it build with two different temperatures on material and support, or can it only have one head temp like on my BST?

    I talked to a technician some time back and he said the new ones are based on ball screws while mine is using wire.
    But while ball screws are better at positioning, that has nothing to do with what materials it can handle. That is what I’m interested in widening, since I can only use the P400 and breakaway support.
    First off I want to be able to use water-soluble support; secondly it would be great to be able to use more modern materials.

    My machine is ready for connecting another temperature sensor, and probably a different two-temp head also. Other than that I suspect it’s only a matter of software?

    I will “root” my BST today and investigate a bit, but don’t be betting on me finding the answer, with two kids and toooooo much work to do other than hacking.

    Has anyone done an upgrade from BST to Elite?
    Anyone out there with a spare head for an SST or Elite machine?
