This repository has been archived by the owner on Jun 19, 2021. It is now read-only.

State of RE efforts? #1

Open
russkel opened this issue Dec 7, 2020 · 9 comments

Comments


russkel commented Dec 7, 2020

Hello,

Came across this as I have an interest in using M18 batteries for other purposes! Did you guys get any further than what is presented in this repo?

Cheers,

Russ


lvanasse commented Dec 8, 2020

Hi @russkel, sadly this project is not being currently worked on. I am afraid that's all that we currently have. Although, @LazyEngineerToBe may have more information regarding the results.

russkel (author) commented Dec 8, 2020

Thanks @Ludoenso, interested in hearing what the results and outcome were.

lit-af (collaborator) commented Dec 8, 2020

We abandoned this project a little while ago. The internal wiring of the tools was making the reverse engineering a bit tricky.

What I found out is that, when the handshake between the tool and the battery is interrupted, the full voltage is sent on the data lines. So a logic analyzer couldn't be plugged into the data lines since its maximum input voltage is usually around 10V. I've checked the waveform on the oscilloscope but I wasn't able to identify with precision the protocol that's being used. It could be one of the many supported by the chip inside of the battery.

russkel (author) commented Dec 8, 2020

> What I found out is that, when the handshake between the tool and the battery is interrupted, the full voltage is sent on the data lines.

That seems a fairly malicious thing for Milwaukee to do. Thanks for the heads up.

I see the firmware 'dumps' are actually, I would guess it wouldn't have been that easy to simply lift off the firmware from those MCUs.

lit-af (collaborator) commented Dec 9, 2020

You're welcome! I think it's more of a safety feature than an on-purpose hacking defence.

Getting the firmware dumps was fairly easy, there's no protection on the PCB to prevent it. The only thing we had to do was to solder pins on the PCB in order to connect the PICkit 3 Debugger.

russkel (author) commented Dec 9, 2020

> Getting the firmware dumps was fairly easy, there's no protection on the PCB to prevent it. The only thing we had to do was to solder pins on the PCB in order to connect the PICkit 3 Debugger.

Sorry I didn't complete the sentence: it looks like the firmware dumps are empty. There isn't much/any machine code in there? I tried opening it in Ghidra and there didn't seem to be anything detected.

> I think it's more of a safety feature than an on-purpose hacking defence.

Oh, out of curiosity how is this a safety feature?

lit-af (collaborator) commented Dec 11, 2020

I tried analyzing the dump too, without any success. I have no clue if the dump is valid or not. The 6 sequential charger might not have a lot of intelligence in it, hence the short hex dump.

It might be a safety feature inside of the tool. The tool is bypassing the trigger switch and the motor and returning the voltage to the battery, IMO this could prevent an electrical fire.
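The two comments above leave open whether the dump is real but small, or simply a read of erased (or unreadable) flash that Ghidra has nothing to find in. The following is an added example for this thread, not code from the repository, of a first-pass check a practitioner can run before reaching for a disassembler. It assumes the dump is an Intel HEX file, the format PICkit/MPLAB tooling exports; the hex records it analyses are constructed inline for the demonstration and are not the project's dump files. It parses the records (rejecting bad checksums), then reports byte entropy and the share of 16-bit words that read as blank, which separates "erased flash" from "code-like data" from "high-entropy blob".

```python
"""Sanity-check a firmware dump before opening it in a disassembler.

Added example for this thread; it is not code from the repository.
Assumptions: the dump is an Intel HEX file (the format PICkit/MPLAB
tooling exports), and the sample records below are constructed for
the demo rather than taken from the project's dump files.
"""
import math
from collections import Counter

# Word values an erased or blank PIC program-memory read yields:
# 0x3FFF for 14-bit midrange parts (bytes FF 3F in a little-endian,
# byte-oriented HEX file), 0xFFFF for byte-wide flash, 0x0000 for reads
# that returned nothing (code-protected parts read back as zeros).
BLANK_WORDS = {0x3FFF, 0xFFFF, 0x0000}


def hex_record(addr, data, rectype=0):
    """Encode one Intel HEX record; used here only to build the constructed samples."""
    body = bytes([len(data), (addr >> 8) & 0xFF, addr & 0xFF, rectype]) + bytes(data)
    checksum = (-sum(body)) & 0xFF          # two's complement of the byte sum
    return ":" + body.hex().upper() + f"{checksum:02X}"


def parse_intel_hex(text):
    """Return {byte_address: value} from Intel HEX text, rejecting bad checksums.

    Handles record types 00 (data), 01 (EOF), 02 (extended segment address)
    and 04 (extended linear address); other types are skipped.
    """
    memory = {}
    base = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: record must start with ':'")
        raw = bytes.fromhex(line[1:])
        if len(raw) < 5 or len(raw) != raw[0] + 5:
            raise ValueError(f"line {lineno}: length field does not match record")
        if sum(raw) & 0xFF:                  # all bytes incl. checksum must sum to 0 mod 256
            raise ValueError(f"line {lineno}: checksum mismatch")
        length, addr, rectype = raw[0], (raw[1] << 8) | raw[2], raw[3]
        data = raw[4:4 + length]
        if rectype == 0x00:
            for i, b in enumerate(data):
                memory[base + addr + i] = b
        elif rectype == 0x01:
            break
        elif rectype == 0x02:
            base = ((data[0] << 8) | data[1]) << 4
        elif rectype == 0x04:
            base = ((data[0] << 8) | data[1]) << 16
    return memory


def dump_stats(memory):
    """Byte entropy plus the share of little-endian 16-bit words that read as blank."""
    data = bytes(memory[a] for a in sorted(memory))
    n = len(data)
    if n == 0:
        return {"bytes": 0, "entropy": 0.0, "blank_ratio": 1.0, "verdict": "empty"}
    counts = Counter(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    words = [data[i] | (data[i + 1] << 8) for i in range(0, n - 1, 2)]
    blank = sum(w in BLANK_WORDS for w in words) / max(len(words), 1)
    if blank >= 0.95:
        verdict = "blank"          # erased flash, or a read that returned nothing
    elif entropy >= 7.0:
        verdict = "high-entropy"   # encrypted/compressed, not plain machine code
    else:
        verdict = "code-like"      # worth loading in a disassembler
    return {"bytes": n, "entropy": round(entropy, 3),
            "blank_ratio": round(blank, 3), "verdict": verdict}


# Constructed samples (not the project's dumps): a 64-byte image whose first
# half is distinct filler bytes standing in for code and whose second half is
# erased midrange-PIC flash (FF 3F word pairs), and a fully erased 32-byte image.
CODE_LIKE_DUMP = "\n".join([
    hex_record(0x0000, bytes(range(0x10, 0x20))),
    hex_record(0x0010, bytes(range(0x20, 0x30))),
    hex_record(0x0020, bytes([0xFF, 0x3F] * 8)),
    hex_record(0x0030, bytes([0xFF, 0x3F] * 8)),
    hex_record(0x0000, b"", rectype=0x01),
])
ERASED_DUMP = "\n".join([
    hex_record(0x0000, bytes([0xFF, 0x3F] * 8)),
    hex_record(0x0010, bytes([0xFF, 0x3F] * 8)),
    hex_record(0x0000, b"", rectype=0x01),
])


def check(text):
    """Parse a HEX image and return its statistics and verdict."""
    return dump_stats(parse_intel_hex(text))


if __name__ == "__main__":
    for name, text in (("code-like", CODE_LIKE_DUMP), ("erased", ERASED_DUMP)):
        print(name, check(text))
```

On a real file, replace the constructed strings with `open("dump.hex").read()`. A "blank" verdict with mostly 0x3FFF/0xFFFF words means the part was erased or the programmer read nothing useful; mostly 0x0000 words are worth treating with suspicion, since code-protected PIC parts read back as zeros even when the flash is populated. Only a "code-like" result justifies spending time in Ghidra with the correct PIC processor module.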

russkel (author) commented Dec 12, 2020

Thanks @LazyEngineerToBe. If I get any further with this I can let you know, if you're interested.

lit-af (collaborator) commented Dec 12, 2020

If you happen to make any progress, I sure would like to hear about it! 🙂

3 participants