-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
computed checksum did NOT match #33
Comments
I changed the sha256 checksum in the bash script to match my v306 firmware and flashed the device anyways. The flash appears to have worked because my machine now says "HACKED!". However, none of the extra options show up in the mode menu, it just shows CPAP and Autoset. |
I flashed the machine back to the stock firmware, that appears to have worked as expected... the machine no longer says "HACKED!". I reset the Redmed machine with a power cycle. However, I now get this message on the Raspberry Pi... root@ubuntu:~/airbreak# openocd -f ./tcl/airsense.cfg |
root@ubuntu:~/airbreak# openocd -f ./tcl/airsense.cfg -d 3
Debug: 223 17 command.c:143 script_debug(): command - ocd_stm32f4x.cpu ocd_stm32f4x.cpu configure -event examine-end
Debug: 224 17 command.c:143 script_debug(): command - ocd_command ocd_command type ocd_stm32f4x.cpu configure -event trace-config Debug: 225 17 command.c:143 script_debug(): command - ocd_stm32f4x.cpu ocd_stm32f4x.cpu configure -event trace-config Debug: 226 17 command.c:143 script_debug(): command - ocd_command ocd_command type ocd_stm32f4x.cpu configure -event reset-init
Debug: 227 17 command.c:143 script_debug(): command - ocd_stm32f4x.cpu ocd_stm32f4x.cpu configure -event reset-init
Debug: 228 18 command.c:143 script_debug(): command - ocd_command ocd_command type ocd_stm32f4x.cpu configure -event reset-start Debug: 229 18 command.c:143 script_debug(): command - ocd_stm32f4x.cpu ocd_stm32f4x.cpu configure -event reset-start Debug: 230 18 configuration.c:82 find_file(): found tcl/airsense-info.tcl |
I very briefly had it working after I shorted RST to v3.3 (R-Pi pin 1)... the following was output to the terminal... I'm wondering if maybe I have a loose wiring? I soldered them to the board and they seem solidly attached to the pads. However, when I wiggle SWDIO and restart openocd it sometimes briefly works (gets to the dump message). I'm struggling to isolate the wire or figure out a pattern to help me troubleshoot. I didn't find any issues yet with a multimeter continuity test. I guess I'll try resoldering the connection tomorrow. root@ubuntu:~/airbreak# openocd -f ./tcl/airsense.cfg Polling target stm32f4x.cpu failed, trying to reexamine |
Just a FYI: I'm running into the same checksum mismatch and I have the same checksum as you |
Confirmed: Hash is equivalent to SW version: SX567-0306 Running also in the same issues as you. One bar and unable to force an OTA update. |
Good news, it turns out it was a bad connection on the SWDIO wire, I desoldered the old wire and cleaned up the pad and soldered on an entirely new wire. Now openocd is working as expected on the very first attempt. The old wire didn't fail continuity testing, but I think the problem was the wire just had very high resistance relatively speaking that was degrading the digital signaling... the pad is so small and maybe the rosin core I used was interfering with the little bit of contact surface... I don't know, but openocd is working now! Now I just need to figure out how to injects the rights bits in the right places with the v306 firmware that I have, but ideally I would like to figure out how to upgrade my machine to v401. |
Is there a reason why we aren't sharing the firmware dumps? This would make it a lot easier for people who haven't been getting OTA updates |
The firmware is copyright material, and should never be shared (or even links to such material submitted). People doing so would jeopardize the entire project. Note that the same SW version number encompasses a large group of potentially incompatible firmware as as well. The firmware (and location of stuff) changes also with the 'catalog no' on the back. It's possible some catalog no's are never OTA to the latest FW version as well, which could be due to compatibility reasons for example. |
Aw, that makes sense! Thank you for the clarification and for all of the hard work you and others have put in to this project. |
This is from the patch-airsense script: extra_modes() { From someone who has a v401 firmware, what exactly is located at 0x8590? I'm wondering if I can use xxd and just grep for that string to find the correct location in my v306 firmware to patch. A grep for just 0303 returns too many entries. |
It does not appear that the manufacturer is pushing updates to devices, It seems that patients need to go to their doctor to have the devices updated to newer firmware versions. Ref: http://www.apneaboard.com/forums/Thread-Resmed-Airsense-10-Autoset-firmware-update?page=3 |
I've asked around and may have found a friend with the newer firmware who would let me borrow his device. Since I'd have access to both dumps, I could see if I can compare both |
I have new modes now after my latest flash:
|
Oh nice! Is everything working? |
Still playing with it, not even sure what half the features do! However, the first one I tried, ASVAuto, appears to be working... because if I pause my breath for a few seconds the machine will increase the pressure to force me to inhale. The screen has some non-sense on it too...
|
iVaps has been acting strange for me, just wondering if it is the same for you |
I'm not even sure what that is so I'm probably not the best person to ask if it's operating normally. I'll do what I can to help out converting these to emergency ventilators, but I came here primarily for enabling BiPAP / ASVAuto functionality on my own personal machine. I'm a computer systems engineer who also likes to do electrical engineering as a hobby, so I was compelled to pull mine apart and tinker with it. :-) |
Yes absolutely, I think that is critical for enabling emergency ventilator use because it seems very apparent that ResMed has a multitude of firmware versions in production units. If we can figure out how to find the right insertion points in the code for the 0x0 mode feature mask we can automate the process to work on most any arbitrary firmware version. |
I think the very first time I re-flashed the machine it was a bad upload, recall that my IO wire was flakey... the extra menus are working now with just the 0x0 mode feature mask. This code works as is verbatim with my firmware version:
|
Left is 0401 offset, right is the equivalent 0306 offset using a hexdump of both bins. Basically just went through the script and fished out all relevant offsets. As can be seen, there are not a lot of differences. Since the actual firmware is copyrighted, I decided to just post the offsets and not the actual values |
Added a pull request based off of what I found to make patch-airsense compatible |
Patched a v306 bin file using dblunk88's update, but I do not see new modes either in the user or the clinical menu. |
@gszakacs comment out patch_code (line 126 if you're using my compatibility patch from my fork https://github.com/dblunk88/airbreak/blob/master/patch-airsense) and uncommenting all_menu (line 131) might help too. What I think is happening is that you did not compile and it is trying to install the patch_code, which will be missing. Mid-patch it will panic and exit... which leaves you with a half-patched firmware with no modes Or you could give this a shot and try some of his troubleshooting steps he took in this thread
|
Also, I will probably attempt to add an automatic hexdump search to find offsets sometime in the future to get all versions compatible (if there are any non-306 and 401 versions floating around). I just don't know how feasible that is due to the need to disclose certain sections in the bin file for the search. |
@dblunk88 You are correct. I used the patch file from your repo and run it on my bin, After patching, I also have the same non-sense menu titles as @nbritton + noticed duplicate "min PS", "max PS", "start EPAP" items in the clinical menu. Some settings are visible but not adjustable, for example the "rise time" "trigger" "cycle". As far as the emergency ventilator functionality those menu items are hopefully irrelevant, but I am curious if you are noticing the same limitations. |
I think the menu items are intentional and may be used as an indicator on what version it is running. You can actually see them being patched in at the end of the script. As far as the limited options go, I do have the same issue, but really haven't taken the time yet to see on why that is. I'm still getting familiar with the binaries myself... someone else might know the answer though :) Could you paste the error? |
I've been working on 0302 compatibility and here is what I have so far: unlock ui limits, extra debug, extra modes, and the gui config address need a +8 offset comment out extra menu and the second address of all menu, then offset the first (status bit 5) address by +8 The anti-tamper may not be needed but it does need to be offset by +2 to use it. I haven't tried anything else but that is tested and working on a Rev 1.0 board as well. What I've ran into though is that the GUI areas on 302 are a bit different. For example (from the 0401 stubs file): NSTUB(0x08066c1b, dispatch_0x38_0x40) is at 664f6 -725 I haven't tested anything else yet but that yields working menus, graphics, and all modes; again on SX567-0302 on a Rev. 1.0 PCB. |
You just invent numbers. |
Exhalation has a passive phase, and a late active exhalation phase. Furthermore, the airway is not static during exhalation and exhalatory resistance contributes to the process that integrates respiratory effort to culminate in an arousal. |
@Asmageddon Did you ever find out why this didn't work? I believe that the ASV machine has double the on-board RAM of a regular one in order to accommodate the more complex program. |
@exxr I faced the bootloop at my first attempt, managed to fix. Are you willing to share ASV firmware? I have ASV working either using airsense firmware or Vauto patched firmware ( working ASV, ASV auto, Autoset, Vauto) . The downside is OSCAR show the settings used, like some modes. I will show graphs and all recorded data correctly. I believe I can manage to have ASV working 100% with you firmware, if you decide to share, I will give it a shot and let you know how it works. |
Sorry @ArthurMafra, I don't have access to the stock ASV firmware, but if it expects more memory won't it fail to run? Although now I'm not so sure if there really is a hardware difference since you claim that the patched firmware works fine in ASV mode, have you done a long term test to ensure it's stable? |
Hello @exxr . I understood you got broken ASV looking for stock firmware. At first I thought ASV was behaving strangely. After tests, I can say I believe it is working correctly. I got high pressures that increase due to large leaks on masks. ASVauto tries to push air into airways because it was designed for central apneas and the algorithm seams to force air so I should be open or mixed apnea. I can't sleep with cpap maks for more than 1 or 2 hours. I got 5 and 7 one time but it is rare so I gave up. I always I take mask off and just realize next day. What make you believe ASV is not working on yours? I don't think there is any difference on aircurve and airsense models in terms of memory storage. I could not manage to make iVaps work properly. It will require Aircurve ST firmware. |
I was replying to the other commenter who has the broken ASV machine, I don't have one at all at the moment but will be getting an Airsense and will mod it. If you don't mind I'd like to email you for some info? |
No, It seems that the different firmware have some different config values but the algorithm itself appears to operate fine. Unfortunately, it sometimes goes crazy and starts machine-initiated breathing and doesn't let the body switch back to natural, which makes it pretty disruptive for sleep. |
Is this only an issue with the patched firmware? Or are you talking about the different firmware versions 30x vs 40x? If so, besides the reporting issue does the patched firmware function 100% correctly? |
Did y’all pay attention to board versions and the differences between them? 1.0 doesn’t have the auxiliary connections that are used on the ASV model to connect to the battery backed alarm board used on the ASV model; the 1.1 board does. It may very well be that some board versions can support ASV and some can’t; if it’s a 1.0 board that was never designed with a thought towards ASV that board could’ve been made in sub-variants with different chips that have varying amounts of RAM…later on they would’ve standardized the 1.1 variant if they were actually utilizing the extra RAM. |
@exxr 30x ASV works on 30x CPAP hardware, 40x firmware doesn't. Likewise, 30x firmware doesn't work on the 40x model. @ruri-baka Thanks for the clarification. I'm not an electronics/reverse-engineering person, and I forgot to actually consider that. If you're well-versed in it, I'd love to contact you as I'm trying to figure out how to knockdown the backup rate feature in ASV mode, but very far out of my specialty here. |
My airsense came with 306BR. 401 US firmware works on my 30x6 hardware. Including myair app. Aircuve VAuto 302 firmware works on 306 Airsense hardware. Aircurve firmware on airsense will cause myair to deregister the device after first use due to serial /model differences, register again, work one time and keep deregistering. |
@ArthurMafra I might have seen that post, as I've done similar research to confirm that yeah, stock ASV goes apesh*t with the backup rate too. If possible I'd like to reverse engineer the feature off, since I believe it compromises therapy efficacy. The truth is that PAP is really poor at managing Sleep Disordered Breathing. It seems to mostly help people who developed it with age, whose nasal breathing isn't awful and airway size okay. You could try a nasal mask(most people can adapt to it at least a bit), nasal dilators, or a soft cervical collar(prevents chin tucking that worsens apnea), but long term you should look into either nasal surgery(don't recommend), or the more effective surgically assisted palatal expansion(MSE/EASE/SAMSE/SAMARPE/etc.), which enlarges your entire nasal cavity. Possibly, you might need MMA surgery too, since receded jaws are what causes airway collapsibility. If you'd like, add me on Discord( |
@dblunk88 Please can you assist me. I have 0302 firmware on Airsense 10 CPAP. My firmware hash is: dac92172863440cef65643166a8c3e4b22e4c3e15da2f9f20f463e831d316473 I patched the patch using @ruri-baka 's patch but when trying to patch the firmware I get the incorrect hash error. Is it safe to just include my hash in the patch? I saw you wrote a script to compare offsets but since I only have my firmware, it is not of much use. Do you have any idea how I can proceed? Thanks for all your hard work. I really appreciate it. Kind regards, --EDIT I managed to flash the "patched" firmware by replacing the hash in the patch with my stm32.bin hash. On testing it seems not all the functions are working properly (NB: Not all were tested.). Namely: Didn't try other modes as I'm not sure what to expect from them. Line graph of pressure did not seem to appear anywhere. I also noticed that the pressure unit in the settings menu was "USE" instead of cmH2O as before. I have since restored the original firmware until I figure it out. |
I'm not sure if the scripts for 030X work, and it sounds like you probably corrupted your image. Good call to just restore it. Feel free to add me on Discord I might be able to help you. |
Thanks, What is your discord username? |
|
|
I had the same issue, although I am using 0401. My hash is I was able to have it working by modifying the
(I also had to change the expected hash). |
@Asmageddon I'd love to discuss disabling backup rate in more detail. I've added you on discord if you're up for it 😊 |
I just want bi-level features from my AS10. I'm working with a newer C2C machine that claims to be sx567-0401... but the checksum does not match supposed 0401. I used Bash to generate a true checksum on my FW and got patch-airsense to run (commenting out the extra breath stuff). I did a diff and find that spurious things noted here like FLAGS= instead of My Options, GIT= instead of Sleep (Report)... so I dont' trust it. Evidently it's being caused by this: FLAGSTR=$(printf 'FLAGS=0x%02x' $BUILD_FLAGS) COMMIT_HASH=$(git log -n1 --format=format:"%H" | head -c 7) Gonna try it again and comment out the printf patches. I'll post back here. I also commented out the HACKED stuff. Here's my 0401 C2C stock checksum hash: a8d740fce5840d48078c71b39c2682d63d61466b3d6a10dfda3c37111ced8844 Looks like they're jiggering it to mess with us! Why not just turn on the Security bit? Crazy that it's open anyway... my little widgets never leave the plant open like that. |
Holy crap, it worked! I definitely don't recommend doing this to your main machine... have a spare around... or two! I have an S9, an AS10 from 2015, and this AS10 C2C I bought Nov 2023 'black Friday' for $399 new. I had to edit the script as described above... I flashed the new unit, since I'm experimenting with updating the modem (put a new motor cleaned etc) on the old unit... even put an external antenna on it, four bars of 4G with ATT... now to just jigger MyAir the right way, it has not worked so far... delete and start new account? Anyway, the proof's in the sleeping, I'll put this one back in rotation on normal APAP and see if it hiccups. I've scheduled a new sleep study (been 14 years) and I'm thinking bi-level will help with my UARS and EFL's. Can't wait to see my doctor's face when I bring this into him to have program... he's already pissed I'm using Oscar and getting great results. Thanks to all the previous hacktastic hackers working on this. I stand on the shoulders of giants. |
I've noticed if I don't have 'all options all the time' menu enabled it's missing some stuff from some modes... and when it's enabled all the menus are confusing. More work necessary here. Let's see if it kills me tonight. |
@scowell Would you add me on Discord? I'd love to chat with you, I've done a lot more work with implementing custom algorithms too. |
Am I on Discord? My interest here is more into maintenance rather than creating a ventilator... I want to access the EEPROM to do things like reset the motor hours and change the modem ID so that older AutoSets can be updated with 4G modems. I haven't even got the disassembly going yet... much less the C-code. I'm hacking my way through the patch-airsense script... I'm not a Linuxian, having to remember bash etc and figger stuff out in context. IOW, I'm a real newb at this. Lurking around I've gotten my hands on a lot of RM FW, going to try sleeping with a bi-level tonight... running Beyond Compare on these bins has been instructive. Turns out there's four or five 0401 firmwares available, some with more diffs than others. I would like to change parms on scoring RERAs, etc. I was able to sleep a full night on APAP with my jailbreak code... so it didn't kill me, that's a success in my book... the Oscar of it did show a suspicious 25cm max pressure limit... hee hee. Now it's replaced with vAuto stock FW and working nicely... going to have a problem with Oscar data if I can't access the EEPROM (or wherever it is) and change the SD card file headers to reflect the data on the card... it's not in the FW for the STM32. I do envision that these AS10 carcasses will become the open-source PAP platform for the future... eternally grateful that the security bit was not set (all my widgets leave the plant locked, of course). Is RM giving us tacet approval? Or are they just completely clueless? All my bootloaders are encrypt-capable... nothing goes out en-clair. I've watched some video of the CEO... he's a real piece of work, climate-change denier etc. Love his machines. Does anyone have a clue what this: FLAGSTR=$(printf 'FLAGS=0x%02x' $BUILD_FLAGS) is about? It just seems to screw up the menu display. |
I am on Discord! And I sent you a friend req. |
... and you didn't accept. Does this happen often here? Am I just a sucker? |
@scowell omg I'm sorry. I don't remember rejecting a friend request but I've had some really bad two weeks. Send again? I'm now just And yeah that bit of script replaces one of the strings, it's debug info for the jailbreak so to speak. |
Could you add me too? I'm johnie89 on discord |
root@ubuntu:~/airbreak# ./patch-airsense stm32.bin stm32-unlocked.bin
stm32.bin: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
stm32.bin: wrong hash
SW firmware version on my device is SX567-0306, it's been unplugged for about six months so I guess it did not receive the over the air updates to version SX567-0401. I don't know how to trigger the OTA firmware update process, I don't have a DME provider so I'm not even sure this unit can receive the update. The machine has one bar on the modem signal status. Is there a way to download the stock firmware update version SX567-0401 on the Internet?
root@ubuntu:~/airbreak# sha256sum stm32.bin
363a204ba217f31223e929365d58b8f5ce038a7681e362fe157e190c2eacbd30 stm32.bin
The text was updated successfully, but these errors were encountered: