5th Gen Custom Firmware!!!!!!

[joshu...@ieee.org]

DISCLAIMER:  If you don't know what you are doing, you could potentially render your printer inoperable.

Hi Everyone,

I am happy to announce that I've managed to load my own custom firmware bundle (bundle cause I didn't change any code) onto the 5th Gen!!!  It was a heart pounding journey as I wait for the machine to reboot.  But I am proud to say that I am able to set a custom pre-heat temperature (I've set it to 179C since I am just trying to see if I can load a custom firmware on) and enable ssh.  Check out the photos below!!!

I am going to do a more detailed write-up on the instructions but here's the basic steps for the brave soul:

1. extract makerbot's official firmware image
2. mount the rootfs image
3. modify whatever you need
4. re-create the rootfs
5. remove the signature file
6. generate the hash file
7. repackage the firmware bundle
8. load your custom firmware from MakerBot Desktop
9. When prompted with an Unknown FW, just accept to continue

I will be back in 2 hours for the detailed write-up.  Starving to death and have to go get something to eat...

Josh

[Jeff Davis]

Nice work Josh!

[joshu...@ieee.org]

Ok, here's the detailed instructions that I've promised.

Disclaimer once again: do this at your own risk as it can potentially render your machine inoperable.

HOWTO: Load a Custom Firmware Image onto the 5^th Gen Replicator

Assumption

This procedure assumes that you are performing under a linux host.  I did this in Ubuntu 14.04 under VMware Player.

Host System Preparation

1. Modify your kernel to include support of the NAND flashchip used in the 5^th Gen Makerbot (this is a repeat of Dan’s post at: https://groups.google.com/forum/#!topic/makerbot-users/4DUfxiO2G-8 )

   1. Download the kernel source apt-get source linux-image-$(uname –r)

   2. Modify the nand_ids.c file and add the following line at line 46:

{“MB 1M NAND 4G 3.3V 8-bit”, { .dev_id = 0x80 }, .pagesize = SZ_4K, .chipsize = SZ_4K, .erasesize = SZ_1M, .options = SP_OPTIONS},

1. sudo apt-get build-dep linux-image-$(uname –r)

2. change to your kernel source tree and type the following:

   1. fakeroot debian/rules clean

   2. fakeroot debian/rules binary-headers binary-generic

3. this should produce a number of *.deb files at the parent directory of the kernel source root folder

4. navigate to the parent directory where the *.deb files are and type:

   1. sudo dpkg –i linux*3.13.0-45*.deb

   2. sudo reboot

Firmware Preparation

1. Select an official firmware version as your starting point.  You can do this by opening up your browser and navigate to the machine’s IP.

2. Click on the firmware directory and it will show the previous firmware that you’ve loaded to the machine.  There should only be one file called: firmware.zip

3. Extract this file to a directory (let’s call this firmware_dir from now on)

4. Switch to root:

   1. sudo su

5. Then follow Dan’s post on how to mount the rootfs at https://groups.google.com/forum/#!topic/makerbot-users/4DUfxiO2G-8.  The instructions are repeated here.  Please type the following commands in a shell:

   1. modprobe nandsim first_id_byte=0x00 second_id_byte=0x80 third_id_byte=0x00 fourth_id_byte=0x00

   2. mtdinfo /dev/mtd0

   3. ubiformat /dev/mtd0 –s 4096 –O 4096

   4. modprobe ubi

   5. modprobe ubifs

   6. ubiattach /dev/ubi_ctrl –m 0 –O 4096

   7. ubimkvol /dev/ubi0 –N rootfs –s $((0x8000000))

   8. ubiupdatevol /dev/ubi0_0 rootfs

   9. mount –t ubifs ubi0:rootfs /mnt/the_directory_where_you_want_to_mount

 

Modify the Firmware

1. For the purpose of the following discussion, we will assume that you’ve mounted the rootfs image under /mnt.  Furthermore, please stay as root for the rest of the procedure.

2. Navigate into /mnt/usr/settings

3. Open up firmware_version.json and change the build number to something else.  I’ve used 250 to distinguish it from the official firmware.

4. You can also modify the Preheat temperature at line 367 of the printer_settings.json file.  For the demonstration purposes, I just changed it to 179.

5. The interesting stuff are located under /mnt/usr/lib/python3.3/site-packages/kaiten.  It seems that this is where a lot of the actions are happening.

6. I also enabled ssh (but I forgot to configure the ssh daemon to enable remote root login so couldn’t really post a demo screenshot).  Anyway, I am not an expert on this and you can probably Google around to get the detailed instructions.

7. Once you’ve completed your modifications, type:

   1. mkfs.ubifs –r /mnt –o custom –m 4096 –c 300 –e 1040384 –q

      This will generate a custom ubifs image called custom.

Packaging the custom firmware

1. You can switch back to normal user now if you want. 

2. Delete the following files from the original firmware directory (firmware_dir):

   1. signature

   2. rootfs

3. Copy the custom image that you’ve created into the firmware_dir and rename it to rootfs

4. Copy the attached gen_hash.py and check_hash.py files to the parent folder of firmware_dir

5. Now we have to generate the hash file.  To do this execute gen_hash.py within firmware_dir.  This will generate a hash file called ‘hash’.

   1. python3 ../gen_hash.py

6. Next, check the generated hash file by executing:

   1. python3 ../check_hash.py

7. Finally, modify the version number in manifest.json to match the version number that you’ve set in the previous step.  If you are following this example, then change the last number under version to 250.  You can set it to whatever you want as long as it matches the one you set in firmware_version.json.

8. Just for kicks, I also modified the description to: “Wong’s custom firmware version 1.6.1.250” J  This is completely optional but it just helps you visualize what you are loading in the desktop program.

9. zip the following files together:

   1. hash

   2. manifest.json

   3. rootfs

   4. uImage

10. Take care that you DO NOT create a directory structure in the zip file or the desktop program will complain that the firmware is corrupted.

Load Your Firmware

1. Finally, fire up Makerbot Desktop and go to Update Firmware

2. Then Browse to the custom firmware that you’ve created and you are good to go.

3. After the file is transferred on to your machine, it will go through a verify process.  Since we don’t have a valid signature it will complain whether you still want to go ahead or not. 

4. At this point, if you are still brave enough then just accept to continue.

5. If you couldn’t handle the risk of bricking your machine then cancel.

 

So that’s pretty much it folks.  Happy printing!

 

Josh

[joshu...@ieee.org]

Thanks Jeff.  It was a scary experience while waiting for the machine to bootup. lol.

On Sunday, February 22, 2015 at 6:46:36 PM UTC-5, Jeff Davis wrote:

Nice work Josh!

[joshu...@ieee.org]

After some more digging, I noticed that the printer will send usage data to google analytics.  Check out analytics.py under:

/usr/lib/python3.3/site-packages/kaiten/

You can see that MakerBot is sending printer events back:

ANALYTICS_URL = "www.google-analytics.com"

TRACKING_ID = "UA-7650456-17"

EVENT_CATEGORY = "birdwing"

I am definitely going to isolate my printer from the outside network now.  This is rather disturbing...

Josh

[Enginwiz]

Good job! Congratulation!

What kind of information does the 5th generation spybot send back to Makerbot?

Hopefully they don't dare to use the crappy webcam ...

[Jetguy]

I give them a "special" picture for every print.

[joshu...@ieee.org]

As of firmware 1.6.1, they are just error messages and statistics such as the number of retractions/jam.  But it includes the firmware version.  So while it may not be something you would worry about if you are running the stock firmware, it may be a concern if you are running your own code and MakerBot finds out and decided to disable it somehow.

You can disable Analytics under the MakerBot Cloud Service menu on the machine.  It would have been nice for MBI to inform their users that they've added such feature.  It is off by default but do yourself a favor and have a sanity check just in case.

The other issue I have with Google Analytics is that while the machine may not send personally identifiable information, from what I've read Google Analytics can narrow down the geographic region based on the IP address.  Anyway, I've completely blocked off www.google-analytics.com from my gateway so no devices in my household can access that site.

Josh

[Hynek Štětina]

Hello.
I did try to upload modified firmware to my Mini but with no success. I did follow all the steps without any problems except the last one. It fails on firrmware verification. On the Mini, there is no LCD, so I cant see or confirm the message about unofficial firmware.

Any hint what can be wrong?

Thanks,
Hynek

[joshu...@ieee.org]

Hi Hynek,

I don't have a mini but let me take a look at the load procedure in the mini firmware.  Which version of the official firmware are you on right now?

Josh

[Hynek Štětina]

Hello,
I did it on version 1.7. But after that I tried to downgrade my Mini to FW 1.5 and repeat the firmware modification also on this firmware. I was worried that MakerBot implemented some protection to the newest firmware.

Thanks,
Hynek

[joshu...@ieee.org]

Hi Hynek,

I just looked at the code for the mini.  The good news is that MakerBot did not implement any protection and the loading procedure is the same as Replicator 5G (which is the one that I am using).  The bad news is that in order to override the signature check, the code is asking for a user input from the front panel.  It is a json request to the LCD service.  You can see this in line 362 firmwareburningprocess.py located under /usr/lib/python3.3/site-packages/kaiten/processes.

Does the mini have any front panel with buttons on?  It seems that during power up it calls a script to initiate a RotaryDial.  I am wondering if you could press the dial to confirm.  But I am not sure if the 'lcd' service still exists or if it is emulated by something else.

I will continue to look and let you know if I have any updates.  In the meantime, I discovered an alternative way to run custom code in the 5G without modifying the firmware.  It is a JSON RPC call which I have no experience with.  If you look under machine_manager.py line 1997, you can see a jsonrpc function called copy_ssh_id.  This needs to be called from the desktop side.  If you are able to initiate this call and upload an ssh key to the machine then you can get root access and do a chroot to your custom code on a usb key.

There is still hope if you are running a mini :)  Will keep you posted.

Josh

[Jetguy]

There is no rotary dial, no LCD and only a single button used for activating a wifi connect or can also pause a print in progresson a mini.

If the mapping is correct, maybe, just maybe, it can be used to confirm but no guarantee.