Decoding Capsure USB

After my initial tinkering and playing with the RM200 Capsure colorimeter I wanted to be able to experiment with firmware tweaks, also having to use the X-Rite Windows app, using fiddler to hack the packets connecting to their servers each time I switched firmwares wasn't ideal, so it was time to try to decode the interface to see if it's possible to talk to the handset directly without the app and server connection...

So fire up Wireshark, run the sync app, connect the device, and wade through the data, and we can see the packets going backwards and forwards. I run a full re-sync and firmware update and have a chunky log to decode later.

Here we can see URB_BULK in and out, here is a two byte command 0x78 0x12 going out, on endpoint 0x02. On the return we then have:  

A chunk of info coming back. I try writing the same using python but figure out that there's a step before where it sends an URB_CONTROL message:

So once this is figured out (it takes the length of the message) I can replicate these simple commands in python and start working through one by one adding them into a python utility. Here sending the urb_control 151, the length and then the data packet to endpoint 0x81:

 

and then working through the ones I can figure out start adding little utility functions:

 

Next... I figure out there's an image uploaded at the start of a sync... it uploads the familiar circular arrows sync image. That seems like a low risk way to practice uploading a chunk of content (i.e. more than 2-4 bytes) since it'll need spreading over multiple packets and takes a header and follow up messages....

So what to send....

 a capsure showing a doom loading screen

Yeah ok. it's not actually running Doom.. but yes, I can successfully send an image to the handset. Hmm now if I can just keep sending images I can.....


😁 Rollin.

Ok. enough sillyness.

I start working through the firmware upload process so I can flip between the firmwares directly, after much stress, and setbacks, and a few what look like "brickings" of the handset, I finally have my experimental firmware upload working. I don't understand what all of the packets mean yet, so just cargo-cult that part of the script, the real uploader seems to pause on USB interrupts during the upload but I can't figure out how to get those configured so for now rely of a few random sleeps.

During the process it's clear the "chip id" is the information used to differentiate models, but in use, the id has to have a checksum byte which isn't always output, so I add a function to calculate that, allowing arbitrary chipids to be used for experimentation.  

Now. During firmware upload, it flips into a bootloader, so I find I can just trigger that separately and get into and use the bootloader menu. 

 
Clicking "menu" and we see some interesting/fun options! 

Unfortunately "Top Secret" doesn't do anything interesting and is a lot less exciting than it sounds. But here we can view the NAND flash memory, and in there see the serial number and chip id.

Several functions e.g. "Backup/restore" take a password.... turns out the "1001" in the bootloader is that. 😂



Now that's *interesting* and I'll dig into that in the next update.

The current scripts and commands can be seen in the python on codeberg. Obviously, caveat emptor using that, but it seems that if something goes wrong with a firmware update, then often just powering off and getting into the bootloader is enough to get things going again. (more on this in the flash update post which will follow)

The next project was manipulating the onboard flash which needs another write-up. Spoiler there were more brickings, one of which appeared fatal, and dismantling this unit seems to have broken something 😭.

I'll add the next writeup in the next few days.

Teaser.... A RM200 cosmetic showing a QC colour picker:


  

Popular posts from this blog

seven month update

Image
so how's it going? Seven months on. Seven months on from the event . I've been trying to work out how to communicate this all week (and a bit), mulling over different ideas. going for a run, thinking it over, but never actually getting around to writing it down. Similarly, I'm supposed to be writing a short bio for an upcoming race, but I have absolutely no idea what to say about me. "Started late in life, runs a bit, doesn't take it too seriously"? Reckon I'm going to have to find someone else's to copy. 😀 After finally summoning up the courage to finish reading Anne's ' one year update ' - that spurred me on, I think it's good for me to get this down on paper and out of my head, hopefully someone will find it useful or helpful and I think it will be good to be able to look back on my thoughts in the future. I try to keep getting back to a normal (for me) routine, so it can be deceptive looking at what I've been up ...
Read more

Tracking running Part #2

Image
Part deux tracker blog posting...  If you're just interested in running and not technology, this is probably not that interesting for you so head over to the run post instead... ( link ) If you are just interested in technology, this is the post for you! If you're interested in both, probably wander off and read that one first, then come back here. 😁 After several improvements and reworks from the first build of the tracking website ( described over here ) I was happy with my tracking website now, and it had worked well on the race day... The site can follow several trackers, supports several different types (mine, tk102, tk104, lk109, orux map), can show the track taken for each, overlay a "course" show the elevation profile with aid stations along the way, highlight the viewers location... (ok it is possible I may have over-engineered it since it's just a personal site) S o decided it was time to stop adding bells and whistles and should return to the idea of b...
Read more

back from the brink

Image
Another weekend, another 100 miler in the calendar after the disappointment of the failed GUCR attempt two weeks ago. My cough is still lingering but feels like it's finally shifting and the forecast is for a hot dry day, so I’m feeling confident. Well after all, I *know* I can run 100 miles.  Getting to the start was slightly more stressful that usual: I probably ought to either take Friday afternoons off for races, or be a lot more organised in the week beforehand - rather than trying to find, pack and arrange everything into drop bags, run bag and finish bag in under 45 minutes. Check online and trains showing as on time.... so I grab a coffee passing through Croydon, grab a sausage roll in Clapham... then hear the announcement over the tannoy that there are severe delays of up to 45 minutes expected. Uh oh, I'm not going to make evening registration, not a huge issue since I can just sign on in the morning, but I'd wanted to be ready to go from waking up. T...
Read more