Reverse Engineering Day 15th of Jan


Will Pearson

Nov 25, 2010, 11:32:59 AM
to London Hackspace
There is a hackspace project to reverse engineer the Chinese laser
cutter software [1] to discover its secrets, and allow us to make
something a little bit better. So we are planning on having a day on
the 15th of Jan dedicated to all things reverse engineering. It will
be a day of code hacking and prodding the binary files generated by
the laser cutter software.

There will also be a couple of talks, for those that wish. I'm
doing a beginner's guide to patching with OllyDbg and Mark (ms7821) is
doing something on the differences between the low-level guts of
Windows and Linux.

If anyone else has a talk or demo they want to do, shout!

Some idea of numbers would be good.

Details as they evolve can be found on the wiki:

http://wiki.hackspace.org.uk/wiki/Hack_Evening_Workshops/Reverse_engineering_day

Will

[1] http://wiki.hackspace.org.uk/wiki/Projects/RELaserSoftware

Ciarán Mooney

Nov 25, 2010, 11:44:26 AM
to london-h...@googlegroups.com
Hi,

Work is currently ongoing with the reverse engineering of the laser
cutter. It may be worthwhile asking someone (Jasper?) who has already
made a start on figuring out the .mol file structure to give a quick
talk so everyone is up to speed.

I plan on attending btw.

Ciarán

Federico Spadini

Nov 25, 2010, 11:48:32 AM
to london-h...@googlegroups.com
That sounds like good fun, count me in.

--Fed

Matte

Nov 25, 2010, 2:32:42 PM
to london-h...@googlegroups.com

Oooh, count me in, that sounds like fun.

On 25 Nov 2010 16:48, "Federico Spadini" <fspa...@gmail.com> wrote:

That sounds like good fun, count me in.

--Fed


On Nov 25, 2010, at 4:32 PM, Will Pearson wrote:

> There is a hackspace project to reverse enginee...

M

Nov 25, 2010, 4:39:43 PM
to london-h...@googlegroups.com
I'm interested; it's been a long, long, long time since I did anything
related to reverse engineering. Sounds fun to try at this.

Regards,
Morris.

M

Nov 25, 2010, 4:40:15 PM
to london-h...@googlegroups.com
Also, I'm wondering: is the software available anywhere to download?

Regards,
Morris

Tasos Varoudis (archtech.gr)

Nov 25, 2010, 5:29:03 PM
to London Hackspace

Ciarán Mooney

Nov 26, 2010, 3:50:02 AM
to london-h...@googlegroups.com
Hi,

M, there is a link to the current laser software on the wiki, but be
warned: it is likely to be virus infected!

http://wiki.hackspace.org.uk/wiki/Projects/RELaserSoftware

Ciarán

Sam Cook

Nov 26, 2010, 6:18:05 AM
to london-h...@googlegroups.com
Hi,

Very interested in helping with this, but not much experience: any suggested reading to get me up to speed?

S

Will Pearson

Nov 27, 2010, 1:12:53 PM
to London Hackspace


On Nov 25, 4:44 pm, Ciarán Mooney <general.moo...@googlemail.com>
wrote:
> Hi,
>
> Work is currently on-going with the reverse engineering of the laser
> cutter. It may be worthwhile asking someone (Jasper?) who has already
> made a start on figuring out the .mol file structure to give quick
> talk so everyone is up to speed.

Sounds like a good idea. I'll find out who knows the most about it
nearer the time, and organise something then.

> I plan on attending btw.
>

Cool.

Will

Will Pearson

Nov 27, 2010, 1:22:12 PM
to London Hackspace


On Nov 26, 11:18 am, Sam Cook <sc...@hep.ucl.ac.uk> wrote:
> Hi,
>
> Very interested in helping with this but not much experience: any suggested
> reading to get me up to speed?
>

Reverse engineering is a bit like detective work for programmers. How
good you are is based on knowing a lot about how the internals of
machines work and how data is stored or transmitted (endianness etc.).
It is hard to give an introduction to it.

This is a very cursory introduction to reverse engineering file
formats.

http://en.wikibooks.org/wiki/Reverse_Engineering/File_Formats

The .mol file format doesn't appear to be compressed so you can skip
those sections.

This has a brief overview of reverse engineering a USB protocol.

http://libnetmd.sourceforge.net/howto.html

We will need to do some of that, to figure out the conversation
between the computer and the laser cutter.

There is a lot more info on reverse engineering programs but we are
probably not going to be doing much of that, although that is what my
talk will be on.

Will

Dirk-Willem van Gulik

Nov 27, 2010, 1:40:45 PM
to london-h...@googlegroups.com

On 27 Nov 2010, at 19:22, Will Pearson wrote:

> On Nov 26, 11:18 am, Sam Cook <sc...@hep.ucl.ac.uk> wrote:
>>

>> Very interested in helping with this but not much experience: any suggested
>> reading to get me up to speed?

> Reverse engineering is a bit like detective work for programmers. How
> good you are is based off knowing a lot about how the internals of
> machines work and how data is stored or transmitted (endian-ness etc).
> It is hard to give an introduction to it.

> ....


> We will need to do some of that, to figure out the conversation
> between the computer and the laser cutter..

Right - but there are some very simple things you can do to 'break things in', e.g. record a couple of samples which are identical; record a few where only one parameter is changed each time relative to the first one. Record the pure 'init' versus the 'make a change much later' (in the case of sensors); record full black and white, etc.

Or that may be just me pretty much following the same pattern due to lack of imagination :)

Dw

Will Pearson

Nov 27, 2010, 3:34:18 PM
to London Hackspace


On Nov 27, 6:40 pm, Dirk-Willem van Gulik <di...@webweaving.org>
wrote:
The basics of the laser cutter system are this.

1) Computer sends a file (.mol) to the laser cutter. (It can also save
it to be transported by usb key stick rather than direct from usb)
2) Computer then tells the cutter to cut the .mol file.

So we can get a lot of information from the .mol file.

So we can change things and analyze the process. It depends how much
has been done by the 15th. Jasper has done a bit of it already, and
his .mol files can be found in his folder in the upload folder of
laz0rs (the system that controls the laser cutter). I'm exploring
automating the process somewhat with AutoHotkey and Universal Hooker,
although I'm not sure how big a job it is and how much data we will
need to do the reverse engineering.

Also, having said that we can't get much out of program analysis, we
might be able to get a lot of information if we can use Universal
Hooker [1] to hook calls to the file writing and look at the size and
order of the structs written. I haven't used it yet so I'm not sure
what we can do with it.

Will

[1] http://oss.coresecurity.com/uhooker/doc/index.html

Mark Steward

Nov 27, 2010, 4:28:22 PM
to london-h...@googlegroups.com

Yes, this is a good technique - it's the scientific principle of only
changing one variable at a time. Even so you need interpretation - is
the laser cutter following speeds or time intervals? Is power ramping
done by the controller or set directly by values in the .mol?
Knowledge of the various ways the firmware and controller could be
designed is valuable here, and it's often an insight by someone who's
seen something in a different system that helps resolve mysterious
behaviour.

File formats, which are frequently designed for easy parsing, can be
documented even if the underlying mechanisms are obscure. Learning
the basic data types is a good idea, and learning to distinguish
pointers and lengths (usually multiples of 4) from values is
important. Beyond that, good visual pattern matching and familiarity
with other people's code will make the whole process faster.

Code of course tells you exactly what's going on, but requires more
work in advance, and generally takes longer. I'm expecting to get at
least some of the firmware analysed, but I hope we'll only have to use
it for details like calibration.

Ladyada has a nice worked example of getting USB data from the Kinect
at http://www.ladyada.net/learn/diykinect/. I had a few nice file
format reversing tutorials bookmarked, but can't find them now (this
is why I should use delicious). Until I do,
http://nada-labs.net/2010/file-format-reverse-engineering-an-introduction/
is the sort of thing we'll be doing.


Mark
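As an added example (not code from the RELaserSoftware project or from anyone in this thread), the script below puts Dirk-Willem's "change one parameter at a time" approach and Mark's pointer-versus-value heuristic into a form you can run over two captured samples. The two blobs it compares are constructed in the script with a made-up header layout; nothing in it is the real .mol structure, and the field names (speed, power, x, y) are only labels for the toy data.

```python
"""Differential analysis of two captured samples that differ in one parameter.

Added example for this thread, not code from the RELaserSoftware project.
The two blobs it compares are constructed below with a made-up layout;
nothing here is the real .mol structure.
"""
import struct

FIXED_WIDTH = (("u8", "<B"), ("u16le", "<H"), ("u16be", ">H"),
               ("u32le", "<I"), ("u32be", ">I"), ("f32le", "<f"))


def diff_runs(a: bytes, b: bytes) -> list:
    """Offsets where a and b differ, collapsed into (start, length) runs."""
    if len(a) != len(b):
        raise ValueError("samples differ in length: a variable-size field changed")
    runs = []
    for off, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if runs and off == runs[-1][0] + runs[-1][1]:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((off, 1))
    return runs


def decode_at(data: bytes, off: int) -> dict:
    """Read the bytes at off as each common fixed-width type.

    A run can start in the middle of a field (only the high byte changed),
    so in practice also try the nearest 2- and 4-byte aligned offsets.
    """
    out = {}
    for name, fmt in FIXED_WIDTH:
        if off + struct.calcsize(fmt) <= len(data):
            out[name] = struct.unpack_from(fmt, data, off)[0]
    return out


def pointer_like_fields(data: bytes) -> list:
    """Mark's heuristic: aligned u32 values that are non-zero multiples of 4
    and do not exceed the file size are candidate offsets or lengths rather
    than parameters. Returns (offset, value) pairs."""
    found = []
    for off in range(0, len(data) - 3, 4):
        val = struct.unpack_from("<I", data, off)[0]
        if val and val % 4 == 0 and val <= len(data):
            found.append((off, val))
    return found


def analyze(base: bytes, changed: bytes) -> dict:
    runs = diff_runs(base, changed)
    return {
        "runs": runs,
        "decoded": {off: (decode_at(base, off), decode_at(changed, off))
                    for off, _ in runs},
        "pointer_like": pointer_like_fields(base),
    }


def build_sample(speed: int, power: int) -> bytes:
    """Constructed toy layout (NOT the real .mol format):
    magic(4) | total_len u32 | data_off u32 | reserved u32 |
    speed u16 | power u16 | x i32 | y i32, all little-endian."""
    body = struct.pack("<HHii", speed, power, 1000, -250)
    header_len = 16
    header = b"MOL\x00" + struct.pack("<III", header_len + len(body), header_len, 0)
    return header + body


if __name__ == "__main__":
    base = build_sample(speed=200, power=50)     # the reference job
    changed = build_sample(speed=200, power=60)  # same job, only power changed
    report = analyze(base, changed)
    for off, length in report["runs"]:
        print(f"offset 0x{off:04x} ({length} byte(s)) changed:")
        before, after = report["decoded"][off]
        for name in before:
            print(f"  {name:6} {before[name]!r:>12} -> {after[name]!r}")
    print("pointer/length candidates:",
          [(hex(o), v) for o, v in report["pointer_like"]])
```

Run it on a real pair by replacing the two `build_sample` calls with the bytes of two captured files; a run that lands in a field flagged by `pointer_like_fields` means the change moved data around rather than altering a parameter, which is the case where the length check above fires and the comparison needs to be done section by section instead.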

Mike Harrison

Nov 27, 2010, 5:35:16 PM
to london-h...@googlegroups.com

I wonder if an easier option might be to bypass the controller in the cutter and use one of the many
ready-made documented stepper controllers. It's only 2 steppers and a laser on/off, so not exactly
rocket science!
It would also be an opportunity to add software-controllable dynamic laser power control.

What's on the controller board in the cutter ? Any opportunity to extract firmware and disassemble
that? Or replace the firmware?

Charles Yarnold

Nov 27, 2010, 7:26:10 PM
to london-h...@googlegroups.com
I think modifying the internals of the laser cutter would be a very bad idea. I would rather have a known working physical setup with annoying software, than having the cutter out of action for a period of time to cut corners in getting a better control software.

Sol

Jasper Wallace

Nov 27, 2010, 7:58:45 PM
to london-h...@googlegroups.com
On Sat, 27 Nov 2010, Mike Harrison wrote:

> I wonder if an easier option might be to bypass the controller in the cutter and use one of the many
> ready-made documented stepper controllers. It's only 2 steppers and a laser on/off, so not exactly
> rocket science!
> It would also be an opportunity to add software controllable dynamic laser power control.

It's 3 steppers; there is a Z axis for moving the platform up and down as
well as X & Y.

There's also a cooling pump on/off, a Modbus over RS-232 interface for the
control panel, some temperature sensors, and case-open sensors. See the link
on the wiki for a .pdf manual for the controller board.

http://wiki.hackspace.org.uk/wiki/Projects/RELaserSoftware

> What's on the controller board in the cutter ?

At least one Cypress EZ-USB FX2 (not sure it's an FX2), probably a 2nd one (one per
USB interface), a DSP, and an FPGA.

> Any opportunity to extract firmware and disassemble
> that? Or replace the firmware?

EZ-USBs are 8051 compatible; the firmware is downloadable from Leetro's site
and a cursory glance at it says it's not compressed or encrypted. sdcc is an
open source 8051 C compiler and there are disassemblers out there.

Disassembling the firmware would be useful for working out what's going on
with the .MOL format in detail.

It might also be interesting to look for an 8051 emulator and hack it to
support the EZ-USB specific stuff; we could then run the firmware under an
emulator to see more about what it's doing.

--
[http://pointless.net/] [0x2ECA0975]

Adam Ainsworth

Nov 27, 2010, 8:17:04 PM
to london-h...@googlegroups.com
Conformist! ;-)

Sent from my iPad

Jasper Wallace

Nov 27, 2010, 10:19:53 PM
to london-h...@googlegroups.com
On Sun, 28 Nov 2010, Jasper Wallace wrote:

> [more snippage]

I've dumped my working state as a zip file, links to it on the wiki here:

http://wiki.hackspace.org.uk/wiki/Projects/RELaserSoftware#State_Dump

Will switch to GitHub when I learn git, or maybe set up my own hg server :P

--
[http://pointless.net/] [0x2ECA0975]

Ciarán Mooney

Nov 28, 2010, 5:46:58 AM
to london-h...@googlegroups.com
Hi,

I suggest that someone, as well as making a file with a square etc. like
we have done, also looks at how the cutter head behaves. How it
moves might give us an idea of what the file is doing.

Especially when there are multiple layers with different laser powers or speeds.

Ciarán

Russ Garrett

Nov 29, 2010, 5:18:54 AM
to london-h...@googlegroups.com
On 27 November 2010 22:35, Mike Harrison <mi...@whitewing.co.uk> wrote:
> I wonder if an easier option might be to bypass the controller in the cutter and use one of the many
> ready-made documented stepper controllers. It's only 2 steppers and a laser on/off, so not exactly
> rocket science!
> It would also be an opportunity to add software controllable dynamic laser power control.

We'll assume this isn't an option. It ain't broke, so we shouldn't fix it.

I suspect it's not as simple as you suggest, because I doubt the
bargain Chinese laser controller would have so much controller
hardware if it was easy to do it in software.

--
Russ Garrett
ru...@garrett.co.uk

Jasper Wallace

Dec 3, 2010, 6:31:44 PM
to london-h...@googlegroups.com
On Sun, 28 Nov 2010, Jasper Wallace wrote:

> On Sun, 28 Nov 2010, Jasper Wallace wrote:
>
> > [more snippage]
>
> I've dumped my working state as a zip file, links to it on the wiki here:
>
> http://wiki.hackspace.org.uk/wiki/Projects/RELaserSoftware#State_Dump
>
> Will switch to github when i learn git, or maybe set up my own hg server :P

hg server here:

http://pointless.net/hg/

The USB driver script is in the mpc6515 repo; it can now upload files!

If you want to push changes, the username is hg and the password is
Boujmarr6

I'll reorganise my stuff tomorrow and set up some other repos for the
other bits.

P.S. If you are interested in helping and do use the laser cutter, please
use the non-Snoopy USB sniffing tool (in
Desktop/uploads/jasper/usb-sniffing on laz0rs) to sniff the use of the
'start', 'stop' and 'pause' buttons.

To use the USB sniffing thing:

0) Make sure the laser cutter software is not running.
1) Run the USB sniffer.
2) Select the mpc6515 device and click on Install.
3) Click on Replug; this will start the logging running.
4) Run the normal laser cutter software and use it.
5) Quit the laser cutter software, and in USBSniff hit Pause Log and then
Close Log (or something like that).
6) Copy C:/WINDOWS/USBSnoop.log to
Desktop/uploads/jasper/some-meaningful-and-unique-filename.log
7) Delete the log in USBSniff.
8) Go to 3 (I think; might have to uninstall first).

The key is to document the things you do and the order you do them in
carefully!

There's a TODO list here:

http://pointless.net/hg/mpc6515/file/9c004ef6e80b/TODO

--
[http://pointless.net/] [0x2ECA0975]
