And now for a bit of EEPROM hacking

[3MAR2016 Note: A much newer, better method has been developed and is documented in this post.]

A common question among commenters to this blog when I write about my Stratasys FDM 1600 is “how did you hack the cartridge?”  Newer Stratasys machines such as the Dimension series (P-Class machines – I assume named after the Prodigy, which I think was the first Stratasys machine to use cartridges) don’t have plain old wire welding type spools like the old FDM series – instead, they have the filament stored in a large cassette.  This is nice as it keeps the filament dry without having to keep it in a dry box and it makes loading in new material (or swapping colors) a breeze.  On the down side (as many Stratasys owners have apparently discovered), Stratasys went the route of inkjet printer manufacturers and have ‘chipped’ their cartridges so that you can’t simply refill the cartridge with material and continue on.  While this isn’t a hindrance to me and my old machine, I’ve still been curious to know if there’s a way around this (if I ever come across a Dimension for cheap, I’ll need a way to feed it as well).  Note: I understand the big T-class machines (named after the Titan model, I assume) still use large spools, though I believe the spools also have a chip module (but hey, if you can afford to buy a T-class, the consumables cost probably isn’t a big concern).

Inside each Stratasys cartridge is a Maxim DS2433 one-wire EEPROM (in a SO-8 package) that the machine communicates with. This is a simple 4kb (that’s kilobits – only 512 bytes of storage) device, and reading/writing them is reasonably straightforward – a library most likely exists for 1-wire communication no matter what your microcontroller of choice is (Arduino enthusiasts, look here). Dumping the contents of one yields hexadecimal gibberish, unfortunately. What’s more, you can’t simply clone one of them, as each has a unique 48-bit serial number lasered onto the die at the time of production, and this serial (presumably) is used as the seed to encrypt/obfuscate the EEPROM data. This has been enough to dissuade most tinkerers from playing further with the system, though Bolson Materials may very well have cracked the code, as they are able to provide new EEPROMs with their cartridge refill spools.

Thanks to some hacking by the shadowy figure known as ‘Dervish’, it’s been found that only a small portion (12 bytes) of the EEPROM is dedicated to storing how much material is left on the spool.  As a cartridge was used, the EEPROM was read out at various points and only bytes 0x58-0x63 changed over the life of a cartridge.  Specifically, here’s the layout of data on the EEPROM as known thus far as a result of reading EEPROMs from several brand new cartridges:

0x00-0x41: scrambled data (commenter lgg2 noted that 0x28-0x2F is identical to 0x30-0x37, highlighted in purple)
0x42-0x45: 0x00000000
0x46-0x47: scrambled data
0x48-0x4A: 0x55AA55 (highlighted in green)
0x4B-0x4D: scrambled data
0x4E-0x4F: 0x71BE, 0x72BE, 0x73BE, 0x74BE, or 0x75BE
0x50-0x51: scrambled data
0x52-0x57: 0x000000000000
0x58-0x63: filament remaining (scrambled data, highlighted in yellow) – on an unused spool, 0x62-0x63 is always 0x4BB9, but this gets modified (along with 0x58-0x61) as the cartridge is used.  Perhaps 0x62-0x63 is an unencrypted checksum?
0x64-0x67: 0x00000000
0x68-0x70: 0x535452415441535953 (‘STRATASYS’ in ASCII, highlighted in dark blue)
0x71-0x1FF: scrambled data
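
The layout above can be turned into a quick sanity check for a dump. This is an added example, not code from the original post or from Dervish: it checks the fixed fields listed above and reports which byte ranges differ between two dumps, which is the comparison that singled out 0x58-0x63. The function names are made up for illustration, and make_sample_dump() builds constructed data, not a real cartridge dump.

```python
EEPROM_SIZE = 512  # DS2433: 4 kilobits
# (start, end inclusive, expected bytes) for the fields the post lists as fixed
FIXED_FIELDS = [
    (0x42, 0x45, bytes(4)),
    (0x48, 0x4A, bytes.fromhex("55AA55")),
    (0x52, 0x57, bytes(6)),
    (0x64, 0x67, bytes(4)),
    (0x68, 0x70, b"STRATASYS"),
]


def check_layout(dump) -> list:
    """Return deviations from the documented layout (empty list = match)."""
    if len(dump) != EEPROM_SIZE:
        return [f"expected {EEPROM_SIZE} bytes, got {len(dump)}"]
    problems = []
    for start, end, expected in FIXED_FIELDS:
        got = dump[start:end + 1]
        if got != expected:
            problems.append(f"0x{start:02X}-0x{end:02X}: got {got.hex()}")
    if dump[0x28:0x30] != dump[0x30:0x38]:
        problems.append("0x28-0x2F differs from 0x30-0x37")
    if dump[0x4F] != 0xBE:  # 0x4E varies between cartridges, 0x4F is 0xBE
        problems.append(f"0x4F: got 0x{dump[0x4F]:02X}, expected 0xBE")
    return problems


def changed_ranges(a, b) -> list:
    """Inclusive (start, end) offset ranges where two equal-length dumps differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i - 1))
            start = None
    if start is not None:
        ranges.append((start, len(a) - 1))
    return ranges


def make_sample_dump(fill: int, filament: bytes) -> bytearray:
    """Constructed stand-in for a dump: scrambled areas are one fill byte."""
    d = bytearray([fill]) * EEPROM_SIZE
    for start, end, expected in FIXED_FIELDS:
        d[start:end + 1] = expected
    d[0x4E:0x50] = bytes.fromhex("71BE")
    d[0x58:0x64] = filament  # 12-byte "filament remaining" field
    return d
```

Running changed_ranges() over a dump taken from a new cartridge and one taken after some use should report only (0x58, 0x63) if the cartridge follows the layout above.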

Simple enough, right?  Just read in the EEPROM at 100% full, respool it with generic material when empty and write the 100% full data back to the EEPROM…  Well, not quite.  You can certainly use this respooled cartridge in a different machine, but not in the same one, as they remember what cartridges they’ve already used (that serial number on the EEPROM).  This is where Dervish tore into the guts of the machine and began the really clever hacking.  When you open up the side panel of a Dimension, here’s what you see (image taken from Brad Rigdon’s Print To 3D gallery):

Brad also has a nice video on YouTube that shows the full workings of the machine. The electronics appear to be composed of 3 boards – the large PDB (Power Distribution Board) on the left, the SBC (Single Board Computer, just a PC) in the center right above the hard drive, and what appears to be a motion controller board (in the upper right, connected to the SBC via a 16-bit PC/104 header). As per the troubleshooting section of the Dimension/SST Service Guide, the motion controller board in the upper right is known as the ‘186 board’.  The SBC pictured appears to be an Ampro P5v, though some Dimensions use a Nova-600.  After connecting a keyboard and monitor to the SBC, Dervish found that the computer is running Linux (Red Hat 8, specifically – not Fedora 8, but the circa 2002 version with a 2.4.x kernel).

By rebooting the system he was able to enter single user mode (at the LILO prompt, enter ‘linux single’) and could change the root password to whatever was desired (type ‘passwd’ at the prompt, enter a new password, then enter again to confirm). After rebooting once more into standard mode as root with his newly minted password, he modified /etc/sysconfig/iptables to open up port 22 so that he could ssh into the system and hack remotely without having to be at the console itself (the sshd daemon does not run by default, so adding the line ‘/etc/init.d/sshd start’ to /etc/rc.local is also required).   While he had been able to modify temperatures on the machine by using Stratasys’s ‘Maraca’ software (the CatalystEX software offers no ability to tweak the system), direct access to the SBC allows much greater control over process parameters such as adjusting rollback.  All the configurations are stored within the /mariner/config tree (the hard drive image covers multiple models), and it can be tricky to determine which ‘gender’ (kona, lanai, spinnaker, oahu etc.) corresponds to a given machine, but noting which directory has the most recent modification date is a dead giveaway.

The holy grail turned out to be the discovery of an innocuous sounding file named ‘system.dat’ located in the root directory.  This is where the Dimension apparently stores a list (in binary) of all the cartridge EEPROM serial numbers that it has seen before.  Delete this file and the machine gets amnesia, allowing respooled cartridges (with the EEPROM rewritten to show 100% full) to be used again.  I assume creating a cron job to delete this file periodically (or using rc.local to delete it on startup) would also work.

As far as I know, this constitutes the cutting edge of Stratasys hacking – I’ve heard rumors before of people having bypassed the cartridge EEPROMs, but this is the first concrete information I’ve seen on how to accomplish it.  If anyone has further information, please leave a comment!

244 thoughts on “And now for a bit of EEPROM hacking”

  1. Okay, I think you’re supposed to use the ‘SS’ command when connected via HyperTerminal, and you should get “X Axis Ready”. If not, use the FH and FZ commands followed by SS. If you still don’t get “X Axis Ready” then your controller board is shot – that’s according to an old photocopy I have. I don’t have any experience with the P-class machines, so I don’t know that I can provide any real guidance. You may want to also ask in one of the threads at gnurds.com or the stratasysusers.org forum.

  2. Entering command “SS” gave the result:
    NMIStatus: 0x0
    Flags: 0x40c8 : Initialized : MhmReady : ShmReady : GlobalsLoaded
    PwrControl: 0xd : DC : HeadHeater
    Cartridge: 0x3fc3 : ModPresent : SupPresent : ModLoaded : SupLoaded
    : ModLatched : SupLatched : ModMatInHead : SupMatInHead
    : ReplaceFailed : LoadFailed
    XYAxis: 0x0
    ZAxis: 0x0
    Status: 0x2000
    command flag = 0
    curve count = -1
    modHead = 184 / 0
    supHead = 186 / 0
    Temps = 100.20/100.00 / 99.90/100.00 / 75.30/75.00
    Current Position = 12.50,12.37,-0.00
    Gantry: GR5K Stage: SR64K
    current material: model model fc: 0 support fc: 0
    Version: 1924 PLDVersion: 33 Gender: sst1200es

  3. When entering FH, it does not give a result, but it will start finding home.
    when entering FZ, XY axis not ready:Find Z before Fi
    nd Home.

  4. Entering command “FH” gave the result:
    INFO:Foam sensor down when it should
    be up:Surface sensor down after motion complete

    when entering FZ, XY axis not ready:Find Z before Fi
    nd Home.

  5. I’m guessing the ‘foam sensor down when it should be up’ may be the issue – is there a sensor that you can check? I have no idea how the sensors might work (I didn’t even know there was a foam sensor), but if it’s a microswitch or an optical flag, check the outputs with a multimeter.

  6. Peter,

    I have a SST machine that I’m working on; can you send the repair manual? It’s too old for dealer support.

    Thanks,
    Mike

  7. Hi,
    I have just purchased a BST 768 printer and was wondering if anyone could help
    with a problem I have. When you try to build, it shows error 14-21
    and shuts down. I have contacted Sys in the UK but have had no reply.
    Is it possible to obtain a copy of the manual for this machine?
    I have a copy of the service manual for the uPrint range, but the machines are too
    dissimilar for it to be of any use.

  8. 14, 21: Abort : Z axis not ready. (PMD chip not ready)
    Using the HyperTerminal, type SS. “X Axis Ready” should be displayed.
    (Housekeeper needs to be performed every second but did not)

    (Chip that controls the PMD chip not ready)
    14, 21: Abort : Z axis not ready. (PMD chip not ready)
    If it is not displayed, then type the “FH” & “FZ” commands. Finally type “SS” again. If “X Axis Ready” still is not displayed, then replace the 186/controller Board.

  9. Could anyone lead me to software for a Stratasys 1650 FDM machine I have?
    It did not come with software and I cannot find anything that would work.

  10. Gen 1 electronics have a 186 based controller board, while Gen 2 and 3 have a Coldfire based controller. Gen 3 controller has a column of LEDs on the top right of the board, but Gen 2 does not.

  11. I get no data on my Dimension SST 768…
    it stops at “Sending Eeprom Data”

    Could anyone please help me!

  12. I just got the advice that my printer is too old 😉 Anyone here who could help? I just don’t get any data. Is there a way to get the data direct from the chip? I hope anybody could help! Thank you!

  13. It’s a gen 1 with the 186. I got a new HD from Strat. Still have dark squares across all LCDs. Think it might be the SBC, which is an Ampro P5v. What goes bad in these, the embedded CMOS?

  14. I know the thread reference is old, but I’m looking for the service manual for the dimension 768. Any help would be greatly appreciated.
    Thanks in advance

  15. Turned out to be a bad front display that was keeping the machine from booting and displaying squares across all screens.

  16. Hi all,
    I have hacked the encryption! 😉
    the ds-chip-key is not the one the Machine remembers, it is as Serial-Number inside the encrypted block and the chip-key is Part of a bigger Encryption-Key 😉
    It is possible to reuse the chip again and again!!!
    it would also be very difficult for SSys to keep track of the refilled Chips.
    What Do You mean?
    Should I Start a Chip-Refill-Service?
    Refilling is resistant against Firmware-upgrades 😉
    You can test me 🙂
    Send me a Chip-Dump with the Chip-Key and wait for a response 😉

  17. You lost me a touch DS_Filler… What is the Chip key, is it not in the Chip Dump in line 3 of your post?

  18. Obviously you’re not planning on sharing that info… but you are somewhat confusing… what is the DS chip key? The DS serial number?.. What is the encrypted block?

    Ok I’ll send you a Dump.. but what’s the chip key?

    Thanks,

    Ted

  19. Yes, I meant the DS 64-bit serial. Sorry for that confusion.
    I need the Dump and the DS-Serial to create a new Record you can write back on the DS-chip.

    Right now I don’t plan to share that info, maybe I will change my opinion in the future?
    I don’t want to pull down SSys’ pants 😉 They have too much money and lawyers on their side …
    They did a good job in constructing the machine and its internal protection to bind their customers to them.

    The De/Encryption uses a key split into
    a) a machine-key
    b) the chip-serial
    c) fixed parts of the Dump
    These 3 are brewed together and the resulting Block
    contains a 64-bit (Material)-Serial-Number you can find in the logs of the Machine when changing the Material 😉
    This Mat-Serial and material amount is remembered encrypted in the system.dat (this behaviour seems to be different in newer firmware, as SSys has obviously reacted to the Hack described here)

    What I can do with your Dump in connection with the DS-Serial is
    a) create a new Mat-Serial
    b) Fill to the same or a bigger amount of Material
    c) set any other Material-Type

    Greez
    😉

  20. Hi, I am unfortunately a new dumb ass that bought a Dimension SST 768 off eBay and am in up to my ears. I was told “it only needed a print head” but it doesn’t have any words in the lighted display, and like I see, many of you are requesting help.
    I have the 4.0 Catalyst software and a user guide but my computer doesn’t communicate to or from it (sob/sob more sobs). Could ya help a poor helpless dumb ass PLEASE!
    I’m a US vet paying a lot of child support, mercy, sob sob

  21. Unfortunately, if you bought one that ‘only needed a print head’, it is probably a trade-in unit that had the head, main control board, and hard drive yanked out and sent back to Stratasys. What boards are still installed in the rear? Getting a new head will not be cheap.

  22. Could someone please send me the service manual. The link in the post is no longer working.

  23. I’d like to add that on my EEPROM dump (P430 cartridge Stratasys Dimension SST1200) 0x4E-0x4F reads 0x66BE.

    Bit late I know, but any byte might help.

  24. So did you actually figure out how to reset the material chip so it can be used again for a Dimension 1200?

  25. We bought a dimension 768 and it works perfect.. but the cartridge issue… we are willing to pay anyone that can walk us through this (may even pay a trip for you to come to denver).. email me at jason dolbin (at) yahoo dot com

  26. Open the cartridge with a 7/64 hex wrench—turn the cartridge upside down, unscrew the four bolts, BUT DON’T OPEN THE CARTRIDGE UNTIL IT’S RIGHTSIDE UP.
    Turn the cartridge rightside up, keeping track of the four bolts, cut, loosen, or remove the side id sticker so the top half of the cartridge can be lifted off.
    Then you can extend or retract the filament, as needed.
    To close it up, make sure the 2 pinch rollers, dessicant bags, and the gasket are in place, then put the lid back on, hold the halves together while you turn the cartridge upside down. Insert and tighten the 4 bolts, and you’re done!

  27. I used the diagnostics port to copy the eprom from one fresh cartridge onto an old cartridge. I then rebooted, which deleted /system.dat.
    However, the printer now thinks that the cartridge is empty, and the eprom contents have been changed!

  28. Now the display says that it can’t read the cartridge, although I can dump the eprom from the diagnostics port.

  29. It may be possible to determine the gender of your machine through the diagnostics port using the rg command. According to the output from my BST1200 the command “displays the current gender as found in the status structure. The gender may be neutral, mariner, dimension, prodigyplus, jib, msi, or schooner. Each of these corresponds to a hardware configuration.”
    I would guess that the possible genders are dependent on your model of printer.

  30. What did you have to download to upgrade the kernel to 2.6.23.15? You later said that 2.6.26.8-57.fc8 wouldn’t work with mariner. Did you find a later version that works with mariner? 2.4.18 is really lame.

    Thanks

  31. I have a Stratasys Uprint and want to do this hack but unfortunately it’s over my head. If someone is able to step me through it or even come here to NJ to do it for me I’d be willing to pay. Please contact me at iaknown (@t) hot Mail dot com.

  32. Unfortunately, I don’t think the uPrint can be hacked in this way yet – the problem is that uPrint cartridge EEPROMs use a secret MAC authentication key for writes to be performed.

  33. Would anyone happen to know what the root password is on the Dimension 1200es? Does Stratasys use a common password?

  34. I don’t know that there is a proper root password on Stratasys machines – /etc/passwd seems to have non-ASCII characters in the hash for the root password, making it seem implausible that there is an actual password in use.
