Disassembling Joyetech eVic firmware image

Status
Not open for further replies.

Dracconus

Senior Member
ECF Veteran
Verified Member
Jul 21, 2012
114
49
127.0.0.1
www.facebook.com
I haven't bothered grabbing an eVic, but if someone can give me a copy of the firmware I'll look at it, and have a few friends of mine that are programmers take a couple of looks with me. I'm not sure what the NVaporWare thing is, didn't really read through it. Is it the firmware, or a disassembled version of it? Have you bothered looking at the file's meta information (if any) and seeing what container was used, and whether Joyetech is even the company that compiled it? A lot of companies LOVE to brand their products, and IDA would be a good way to do it.
Also, if you're looking to edit the information displayed, a simple string search should result in finding the displayed message, then you can edit it accordingly.
 

Judge Dredd

Reviewer / Blogger
Supporting Member
ECF Veteran
Verified Member
Nov 4, 2012
1,999
1,000
127.0.0.1
I haven't bothered grabbing an eVic, but if someone can give me a copy of the firmware I'll look at it, and have a few friends of mine that are programmers take a couple of looks with me. I'm not sure what the NVaporWare thing is, didn't really read through it. Is it the firmware, or a disassembled version of it? Have you bothered looking at the file's meta information (if any) and seeing what container was used, and whether Joyetech is even the company that compiled it? A lot of companies LOVE to brand their products, and IDA would be a good way to do it.
Also, if you're looking to edit the information displayed, a simple string search should result in finding the displayed message, then you can edit it accordingly.

NVaporWare is a library written by bitterskittles that decrypts the eVic firmware files.

With regard to strings, the goal is to change the internal limits, not just what is displayed.

The firmware is very complex, and bitterskittles is working on finding out how Joye implemented decimal values in the firmware.
 

_nderscore

Senior Member
ECF Veteran
Verified Member
Apr 17, 2012
79
72
NYC
I haven't bothered grabbing an eVic, but if someone can give me a copy of the firmware I'll look at it, and have a few friends of mine that are programmers take a couple of looks with me. I'm not sure what the NVaporWare thing is, didn't really read through it. Is it the firmware, or a disassembled version of it? Have you bothered looking at the file's meta information (if any) and seeing what container was used, and whether Joyetech is even the company that compiled it? A lot of companies LOVE to brand their products, and IDA would be a good way to do it.
Also, if you're looking to edit the information displayed, a simple string search should result in finding the displayed message, then you can edit it accordingly.
It's the source code to a decrypter for the firmware.

The firmware binary is decrypted by the MVR software before it is transferred to the device, so it must be decrypted in order to be disassembled and analyzed.

I have heard the firmware has a checksum also, so you can't just modify strings and have it work. You would need to recalculate this checksum or somehow find a way to patch around it.
 

bitterskittles

Full Member
Jan 14, 2013
28
31
Ireland
I'm not sure what the nvaporware thing is, didn't really read through it. Is it the firmware, or a disassembled version of it?

It does what it says in the readme file: https://github.com/bitterskittles/NVaporWare
Usage:
Code:
namespace Demo
{
    using System.IO;

    using NVaporWare;

    internal class Program
    {
        private static void Main(string[] args)
        {
            // Decrypt the firmware image as shipped in the update package
            var decrypter = new FirmwareDecrypter();
            var firmware = decrypter.Decrypt("code.bin");

            // Write the plaintext image out so it can be loaded into IDA
            using (var fs = new FileStream("feed_me_to.ida", FileMode.Create, FileAccess.Write))
            {
                fs.Write(firmware.Data, 0, firmware.Data.Length);
            }
        }
    }
}

Also, if you're looking to edit the information displayed, a simple string search should result in finding the displayed message, then you can edit it accordingly.

eVic FW doesn't use ASCII, unicode, or any other encoding used in PCs to store the UI strings. Please refer to these posts for more info:
Strings
Resource offsets in v1.1
 

Janusxvii

Senior Member
ECF Veteran
Feb 5, 2012
142
86
Arizona
Just a quick post with the results of my visual inspection today. I examined the control head under a 20X inspection microscope and made a few discoveries, though nothing earth shattering. First, I believe I misspoke in my previous post when I said that there was a barrier of epoxy on the underside of the unit. I am now fairly certain that it is a plastic disk that has been press fit into place. My assumption now is that after the electronics are fit into place this disk is installed and the center pin is pressed through a hole in the center of the disk. I attempted to remove this pin with a pair of pliers and moderate force but stopped when I realized that it will require a bit of rough treatment to remove. So I am going to hold off until I can afford to purchase just the control head for the sole purpose of tearing it apart. This will probably be about a month from now (though possibly sooner). I also noticed that the electronics sit on two separate boards that are stacked on top of each other so that from the display side the arrangement is: display-board-board. Under the microscope I was able to see the individual pixels on the display and attempted to count them so as to determine the maximum screen resolution but I kept losing count. I also did a little bit of research on 8051 MCUs and discovered that there is a freeware program called "MCU 8051 IDE". I don't know if that will be of any use but I figured I would throw it out there. I will keep checking up on this thread so as to stay up to date on any new developments and will let everyone know as I make progress on the physical disassembly front, but for the time being I am at an impasse.
 
Hey there guys, been watching this thread with great interest. I'm a big-time tinkerer and a HUGE fan of the eVic... However, I'm a mechanic, not an electronics whiz. I'm sorta getting what you guys are saying about the checksum and the decryption... I've been doing some nosing around and doing my research, but you guys are the closest to disassembling the image and making it open to tinkering... If there's anything you guys could do with, let me know... I may not have much knowledge myself but I have contacts and I'm also willing to learn for the sake of modifying my eVic... My last attempt at modifying code was simply editing game files in Notepad about 8 years ago haha
 

Janusxvii

Senior Member
ECF Veteran
Feb 5, 2012
142
86
Arizona
Hey there guys, been watching this thread with great interest. I'm a big-time tinkerer and a HUGE fan of the eVic... However, I'm a mechanic, not an electronics whiz. I'm sorta getting what you guys are saying about the checksum and the decryption... I've been doing some nosing around and doing my research, but you guys are the closest to disassembling the image and making it open to tinkering... If there's anything you guys could do with, let me know... I may not have much knowledge myself but I have contacts and I'm also willing to learn for the sake of modifying my eVic... My last attempt at modifying code was simply editing game files in Notepad about 8 years ago haha



I can definitely relate to what you are saying. I'm not a programming person myself. My professional experience is as a draftsman and as a quality control inspector for a machine shop. That's why my primary goal for myself is to take one apart, document how it is made and figure out what the device's absolute maximum limitations are. However, I'm not going to risk destroying the first mod I've ever owned so I'm on hold until I can afford to buy a control head for testing and evaluation.
As far as I know this isn't any sort of formalized group thing, so by all means jump in with whatever you feel you can offer. My personal thoughts, if you are unsure of what you could/would be interested in working on, would be that if you are in a position to get your hands on a unit for disassembly purposes you could work on the same thing that I am. This way we could independently verify each other's findings. If this isn't an option for you, I have recently started mulling the idea in my head of seeing if it would be feasible to remove the existing spring and replace it with a hot-spring that would collapse if the unit got dangerously hot. Those are just my thoughts on the issue though, feel free to help out however you can.
 
Hey guys... Finally I can post here...

First off, great work so far!!

I made a C implementation of a decrypter and an image dumper... I'm also doing some RE work on it as well.

Screen Shot 2013-01-27 at 11.48.58 PM.jpg

In the past I worked on iOS jailbreaking, so reverse engineering firmware is kind of second nature to me lol. I don't really vape, but one of my hacker buddies does and asked me to help hack the eVic, so that's why I'm here.

I'm currently figuring out the USB protocol for updating on the client side in order to build a libusb tool to update/pull stats/etc. Once that's done, we can have firmware updates on Mac and Linux too!!

Will update with findings as needed

My github repo is at http://github.com/Jaywalker/xVic

Also, bitterskittles: any idea what the rest of the header structure is? I have this so far:
typedef struct {
    unsigned char unk_1[16];   /* bytes 0..15, unknown */
    int checksum;              /* bytes 16..19 */
    unsigned char unk_2[12];   /* bytes 20..31, unknown */
    unsigned char key[32];     /* bytes 32..63 */
} FWHeader;
 

bitterskittles

Full Member
Jan 14, 2013
28
31
Ireland
Good work. Gotta leave for work so I'll make this quick.
MVR.exe opens the .bin file and reads bytes 0..8, and compares them against a hardcoded array. If they don't match, it fails.
Then it ignores bytes 9..15, reads the checksum from 16..19, ignores 20..31 again, and reads the encrypted key from 32..63.
Finally, it compares the checksum with the sum of the decrypted bytes, and fails if it doesn't match.

The hardcoded bytes 0..8 are { 0x04, 0x0A, 0x0C, 0x51, 0x08, 0x1A, 0x44, 0x09, 0x0A };

I hope this helps.
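The header check bitterskittles describes above, written out as a small C parser. This is an added example, not code from the thread, NVaporWare or xVic; it assumes a little-endian 32-bit checksum and a 32-bit wrapping byte sum (neither is stated in the thread), and it takes the already-decrypted image as input, since the decryption routine itself lives in NVaporWare.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EVIC_HDR_LEN 64
/* Bytes 0..8 that MVR.exe compares against (values from the post above). */
static const uint8_t EVIC_MAGIC[9] = { 0x04, 0x0A, 0x0C, 0x51, 0x08, 0x1A, 0x44, 0x09, 0x0A };

typedef struct {
    uint32_t checksum; /* bytes 16..19 */
    uint8_t key[32];   /* bytes 32..63, still encrypted */
} evic_header;

/* Parse the 64-byte header; false on a short buffer or a magic mismatch.
   Assumption: checksum stored little-endian (the thread does not say). */
bool evic_parse_header(const uint8_t *buf, size_t len, evic_header *out)
{
    if (len < EVIC_HDR_LEN || memcmp(buf, EVIC_MAGIC, sizeof EVIC_MAGIC) != 0)
        return false;
    out->checksum = (uint32_t)buf[16] | (uint32_t)buf[17] << 8 |
                    (uint32_t)buf[18] << 16 | (uint32_t)buf[19] << 24;
    memcpy(out->key, buf + 32, sizeof out->key);
    return true;
}
/* Sum of the decrypted image bytes, the quantity compared with the header
   checksum. Assumption: a 32-bit wrapping byte sum. */
uint32_t evic_byte_sum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += data[i];
    return sum;
}
/* The whole check MVR.exe performs: valid header and matching checksum. */
bool evic_verify(const uint8_t *hdr, size_t hdr_len,
                 const uint8_t *plain, size_t plain_len)
{
    evic_header h;
    return evic_parse_header(hdr, hdr_len, &h) &&
           evic_byte_sum(plain, plain_len) == h.checksum;
}
/* Constructed test header (not a real image): magic, checksum, dummy key. */
void evic_build_sample_header(uint8_t out[EVIC_HDR_LEN], uint32_t checksum)
{
    memset(out, 0, EVIC_HDR_LEN);
    memcpy(out, EVIC_MAGIC, sizeof EVIC_MAGIC);
    for (int i = 0; i < 4; i++)
        out[16 + i] = (uint8_t)(checksum >> (8 * i));
    memset(out + 32, 0xAB, 32);
}
```

Any edit to the decrypted image that changes its byte sum makes evic_verify() fail, which is the check _nderscore mentions earlier in the thread.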
 

elmattias

Resident Miyagi
ECF Veteran
Verified Member
Jul 16, 2012
1,947
1,191
39
N'awlinz
I've got a theory about the eVic, that theory is that there is an inferior boost circuit on the device with an amp limitation on the hardware switch... that being said, I'm subscribing to this out of sheer curiosity, with the hope that I'm totally wrong, and that you guys increase the overall power and performance of the device...

In addition, I'd also like to see if the "glorified puff counter" can be made into something better... because let's face it, the PC interaction that the eVic has right now... it's kind of lame.

Sent from my EVO using Tapatalk 2
 

elmattias

Resident Miyagi
ECF Veteran
Verified Member
Jul 16, 2012
1,947
1,191
39
N'awlinz
Just wondering...

Who actually vapes at 15 watts? What juice is good at 15 or more watts? What kind of delivery device would be able to properly perform 15 watts or more? (a guess would be an RBA?)

Just questions... *flame shield on*

Well, I like ten to twelve watts... and the eVic can't even do that... regardless, as stated, all I have is theory to go off of... and I hope you guys prove me wrong, but as it stands, I find the device less than stellar.

Sent from my EVO using Tapatalk 2
 

AttyPops

Vaping Master
ECF Veteran
Jul 8, 2010
8,708
132,156
Hc Svnt Dracones - USA EST
People keep commenting that the firmware changes will "fix all things" like it's magic or something.

I've said in previous threads... this device even comes with built-in heat sensors and shuts down when overheated due to heavy vaping... that's in the product info. Changing the firmware won't change the hardware limitations, only how the existing device works feature-wise (like easier VW, for example).

Circumventing the firmware is generally a bad idea. If there's bugs, they'll fix em....

Interesting thread. Interesting to do for curiosity's sake. But .... one must use some real caution or you'll fry the hardware and/or possibly even blow up the battery. (Like by activating two things that aren't normally active at the same time creating a heavy amp draw.... that's a long shot but hey...get the point?)
 

bitterskittles

Full Member
Jan 14, 2013
28
31
Ireland
The MCU inside the eVic was originally designed for MP3 players, and it can play back MP3 and WMA files using the built-in codec and DAC.
It's possible that we may not succeed at our attempts to increase the power output, but wouldn't it be awesome if it provided audio feedback, in GLaDOS voice?

when powered on:
"initiating vape protocol, please stand by"

if no atomizer "find"
*buzzing alarm noise* "vape failed, please attach an atomizer"

if battery is too low
"vape termination is imminent. please plug into the nearest power supply. ten, nine, eight.."
 