The Christisen's

Zeno Tip Reset / Hack

by on Nov.27, 2009, under Matt's Projects

See the updates!

Ever wonder if Zeno tips could be reset or hacked? I have. I find it hard to believe that a 45 count tip or 60 count tip (or whatever tip) is degraded beyond use after the face value count has been consumed. And at ~25 bucks a pop for a 60 use tip, it was at least worth looking into.

***WARNING: REUSE TIPS AT YOUR OWN PERIL***


Cracking open the Zeno revealed a Cypress cy8c27443 microcontroller with the I2C pins routed straight to the tip. Inside the tip is a 128 byte I2C eeprom, four 22 ohm resistors in parallel (heat source), a zener, a thermistor and one other resistor. If I can get to it I will post a schematic **POSTED**. So, with the arrival of my new Bus Pirate v3a by Ian Lesnet I began sniffing the bus. And as it turns out, the Zeno merely increments/decrements a couple of bytes in the tip’s eeprom to signal a use. Shortly after starting a treatment, the uC writes the following: 0×00 at address 64, increments decrements the byte at address 65 and decrements increments the byte at address 66. From there I manipulated bytes 65 & 66 until the Zeno indicated a full tip, which ended up being 0x3E and 0xC1 respectively for the 60 use tips I had on hand.

More to come:
I will be building a tip extender / breakout board for future tip resets and bus sniffing. I will also be looking more into an issue I was having with getting a tip to show full count when only writing to the money bytes at address 64 thru 66. Which very well may have been operator error with the BP as I fumbled around. To get around the issue I just wrote to the entire address range (see macro below).

TeraTerm Macro:
;This is a quick and dirty TeraTerm macro for resetting a 60 count Zeno tip.
;with Ian Lesnet’s Bus Pirate.
;
;Adjust your .ini file for proper Bus Pirate serial port settings.
;
;Requires TeraTerm version 4.27 or later
;
;Only tested with Bus Pirate Firmware v3.0

MyPort = 5

connect ‘/C=MyPort’
mpause 500
;Just Because
send 13
wait ‘HiZ>’
;Bus Mode Menu
send “m” 13
wait ‘(1) >’
;I2C
send “4″ 13
wait ‘(1) >’
;Software I2C
send “1″ 13
wait ‘(1) >’
;Fast I2C
send “2″ 13
wait ‘I2C>’
;Pullups Menu
send “p” 13
wait ‘(1) >’
;Pullups On
send “2″ 13
wait ‘Pull-up resistors ON’
;Power Supplies On
send “W” 13
wait ‘POWER SUPPLIES ON’
;Let I2C EEPROM Initialize
pause 1
;Write Data to EEPROM
send “[0xA0, 0, 0x08, 0x00, 0x41, 0x04, 0x97, 0x04, 0xC4, 0x04]” 13
wait ‘I2C>’
send “[0xA0, 8, 0x97, 0x09, 0x1B, 0x00, 0x36, 0x03, 0x00, 0x64]” 13
wait ‘I2C>’
send “[0xA0, 16, 0x0A, 0xF0, 0x96, 0x1E, 0x0A, 0xA5, 0x1E, 0xB4]” 13
wait ‘I2C>’
send “[0xA0, 24, 0x00, 0x78, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x0D]” 13
wait ‘I2C>’
send “[0xA0, 32, 0xC8, 0xFE, 0x3E, 0x01, 0xC2, 0x64, 0x32, 0x0A]” 13
wait ‘I2C>’
send “[0xA0, 40, 0x04, 0x4C, 0x02, 0xBC, 0x00, 0xE1, 0xFF, 0xF6]” 13
wait ‘I2C>’
send “[0xA0, 48, 0x3C, 0xB2, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF]” 13
wait ‘I2C>’
send “[0xA0, 56, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF]” 13
wait ‘I2C>’
send “[0xA0, 64, 0x00, 0x3E, 0xC1, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF]” 13
wait ‘I2C>’
send “[0xA0, 72, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF]” 13
wait ‘I2C>’
send “[0xA0, 80, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF]” 13
wait ‘I2C>’
send “[0xA0, 88, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF]” 13
wait ‘I2C>’
send “[0xA0, 96, 0x54, 0x0A, 0x00, 0x01, 0x82, 0x44, 0x5F, 0xFF]” 13
wait ‘I2C>’
send “[0xA0, 104,0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF]” 13
wait ‘I2C>’
send “[0xA0, 112,0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF]” 13
wait ‘I2C>’
send “[0xA0, 120,0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF]” 13
wait ‘I2C>’
;Bus Mode Menu
send “m” 13
wait ‘(1) >’
;Set HiZ
send 13
unlink

:

Leave a Reply

You must be logged in to post a comment.

Visit our friends!