
Thread: Disassembling Joyetech eVic firmware image

  1. #1
    Full Member
    Join Date
    Jan 2013
    Location
    Ireland
    Posts
    28

    Default Disassembling Joyetech eVic firmware image

    Hi, I've just created a project on GitHub, that can decrypt Joyetech eVic firmware image v1.0 - v1.1
    I'd appreciate any help with finding a disassembler for the binary image.

    https://github.com/bitterskittles/NVaporWare

  2. #2
    Full Member
    Join Date
    Jan 2013
    Location
    Ireland
    Posts
    28

    Default

    I think the MCU could be one of the 8051-based Sinowealth lithium battery management chips. IDA can disassemble the file, but I haven't played around with it yet.

    SH366000
    I couldn't find an English product description page, but here is the Google translated summary:

    Description:
    The SH366000 is an intelligent battery management chip introduced by Ying Electronic Co., Ltd. Its communication protocol is compatible with SMBus 1.1 and follows the SBData 1.1 smart battery instruction set specification. It applies to 2- to 4-cell lithium-ion and lithium-polymer battery packs; it can accurately calculate the pack's full charge capacity, remaining capacity and run time, and the time required to complete charging; it provides voltage, current and temperature monitoring with hardware and software protection; and it provides a cell balancing function to extend battery life.

    Characteristics:
    ■ charge/discharge management and protection for 2-, 3- and 4-cell lithium battery strings
    ■ compatible with the SMBus v1.1 and SBData 1.1 standards
    ■ Coulomb counting combined with open circuit voltage to determine the remaining capacity of the battery
    ■ discharge cut-off voltage calculated dynamically from the present temperature and current, using an embedded model
    ■ self-learning function: a full charge/discharge cycle yields the actual maximum capacity
    ■ overload and short circuit protection, MV/LV and over/under temperature battery pack protection
    ■ two security
    ■ cell balancing function to extend battery life
    ■ supports 4- or 5-LED display of absolute or relative remaining battery percentage
    ■ low-power system design
    ■ Package: TQFP 48 / TSSOP 38
    Last edited by bitterskittles; 01-14-2013 at 09:55 PM.

  3. #3
    Full Member ECF Veteran
    Join Date
    Feb 2012
    Location
    Arizona
    Posts
    116

    Default

    I don't know that I have much to offer in terms of help on this subject, but I think I like where you are going with this. I haven't used an eVic yet, but based on what it is, it seems reasonable for me to believe that someone with better programming skills than myself should be able to write unofficial firmware. This could be an absolute game changer. Perhaps the best place to start would be a complete disassembly of the control head to see exactly what it is working with (hopefully they didn't put globs of epoxy over the chip(s)). A physical inspection is the only way to know for sure what the technical limitations are. The next step would be how the firmware is written. Likewise (I just thought of this), decompiling the MVR software that displays usage data on the PC might yield some useful information as well.
    I doubt that was terribly helpful but I had to comment on this since I have been thinking about this for the past few days. I'll probably go ahead and order an evic in the next week or so because even though most of the bells and whistles are useless to me I am convinced it's only a matter of time until a firmware (official or otherwise) comes out that makes it a much better device for most vapers.

  4. #4
    Full Member
    Join Date
    Jan 2013
    Location
    Ireland
    Posts
    28

    Default

    Hi Janusxvii,
    Thanks for your comment. Getting the decryption out of the disassembled MVR was easy, and it should be fairly trivial to write a program to read the statistics from the device and write a new firmware through USB. However, my assembly skills are limited to x86/x64 CPUs, and I also agree with you that it would reveal more information if the internals of the control head were examined by someone with the right skill set.

    Also, MVR.exe contains the string "Sinowealth_Sh86313_Smoke_Joyetech_Type0001", which I believe is the identifier of the MCU that runs the firmware and controls the lithium battery management chip inside the control head.

    I must also admit that I haven't ordered an eVic device yet due to some negative reviews on YouTube (JoyeTech eVic Full Review v1.1 - YouTube). I'd consider buying one if some of the issues, like incorrect actual volt levels, were addressed in a new firmware.

  5. #5
    Moved On Team ECF (folding@home)
    Verified Member

    Join Date
    Dec 2012
    Location
    Lower NY
    Posts
    2,146

    Default

    OMG, someone do this!
    I'm sure we have someone smart enough, even if it's just to fix the damn display messages, like "no atomizer find" to "no atomizer found". I really want to like the eVic and think people here can make a 'better' firmware than Joyetech can.

    Good luck!

  6. #6
    Full Member ECF Veteran
    Join Date
    Feb 2012
    Location
    Arizona
    Posts
    116

    Default

    Well I did pull the trigger on ordering one. I should be getting it towards the end of the week. I have no experience with programming outside of a mediocre aptitude with the Arduino micro-controller. However I have a decent amount of work related experience with electronics and reverse engineering and will be examining the device carefully to see how difficult it will be to disassemble without destroying it. If I don't feel 100% comfortable that I can strip it down to the board level without ruining the unit then I'm going to wait until I can reasonably afford to buy just a control head to sacrifice in the name of research and development. Whatever my observations are I will post them here.
    Also, I feel like it's worth pointing out that in the process of googling "sinowealth sh86313" I discovered another vaping message board where it looks like someone else came to the same conclusion as you, bitterskittles. Lastly, I saw somewhere (but can't remember where) that Joyetech is planning on releasing v1.2 of the firmware and v1.1 of the MVR software in the very near future.

    OVALE/Joyetech eVic - new VV mod - Page 6
    Last edited by Janusxvii; 01-22-2013 at 03:22 AM.

  7. #7
    Full Member Supporting Member
    Join Date
    Jan 2013
    Location
    Netherlands
    Posts
    16

    Default

    I'll jump in in a couple weeks, got a move coming up first and will need to do some resettling first.

  8. #8
    Full Member
    Join Date
    Jan 2013
    Location
    Ireland
    Posts
    28

    Default

    Hi,

    I had time to learn 8051 assembly and peek into the decrypted firmware image this week, and wanted to post a quick update on my findings. Actually, 8051 turned out to be much simpler than x86; however, the small number of instructions and being an 8-bit processor cause an inflation in the number of instructions used to do a simple operation, especially when moving data around between registers, code memory and external memory.

    In v1.1, the bitmaps for the fonts and other things start from address 0x2B13. The first byte is the number of horizontal pixels, and the second byte corresponds to the number of vertical pixels.

    Length of a single image's data is: ((height * width) / 8)

    The first character at 0x2B13 is the number 0, followed by the rest of the numbers and the lower case letters. I haven't examined every image, but I assume it follows the ASCII order.

    The only thing is, every 2 rows have to be swapped, for some reason that's unknown to me for the moment. I will investigate the disassembled code further when I have more time.

    Examples:
    number 0
    Address: 0x2B13
    Data: 06 08 7E 00 81 81 7E 81
    Total length: 8 bytes
    Size: 6x8
    [images: 01.jpg (default order), 02.jpg (after swapping the columns)]

    number 3
    Address: 0x2B2B
    Data: 06 08 42 00 89 81 76 89
    Total length: 8 bytes
    Size: 6x8
    [images: 31.jpg (default order), 32.jpg (after swapping the columns)]
    Last edited by bitterskittles; 01-24-2013 at 05:06 PM. Reason: deleted a borked image

  9. #9
    Full Member Supporting Member
    Join Date
    Jan 2013
    Location
    Netherlands
    Posts
    16

    Default

    Good job! Take this as a start. When 1.2 comes out, we'll be taking it from there.

  10. #10
    ECF Moderator Team ECF (folding@home)
    Verified Member
    Registered Reviewer/Blogger
    ECF Veteran
    Judge Dredd's Avatar
    Join Date
    Nov 2012
    Location
    127.0.0.1
    Posts
    1,524

    Default

    Quote Originally Posted by bitterskittles View Post (post #8 above)
    Did you use IDA for this?
