CPAP running custom firmware

Jailbreaking CPAP machines to make temporary ventilators

This is the README for the internals of how the ResMed CPAP jailbreak works; for a high-level overview, see airbreak.dev. The project is MIT licensed and has a CoC. Please review the Contributor's Guidelines before submitting issues or pull requests.

This tree does not contain any files that are copyrighted by ResMed. You must have a device to extract the firmware from, which is then patched, and the modified version is re-flashed.

You will need the tools described in docs/disassembly. The stubs.S file that has been committed is for SX567-0401. Flashing it on a different version will likely cause problems.

Extensions can either replace existing functions at fixed addresses, or can use some of the unused space in the image. The Makefile has a short explanation of how to do this; the patch-airsense file will also need to be updated to patch the binary file into the firmware.

Helpful GDB commands:

Start gdb, connect to the OpenOCD server and disassemble the current address:

```
gdb-multiarch -iex 'target remote localhost:3333'
display/i $pc
```

Reboot the device and halt before running any code:

```
mon reset halt
```

Unlock the STM32 and flash the new firmware into it:

```
mon stm32f2x options_write 0 0x2c ; reset halt ; flash write_image erase stm32-unlocked.bin 0x8000000
```

Read the Therapy Manager floating point variables, or a specific one like the target pressure (0x2d):

```
x/200f 0x2000e948
x/f (0x2000e948 + 4 * 0x2a)
```

Read the Therapy Manager integer variables, or a specific one like the current mode (0x6F):

```
x/200xw 0x2000e750
x/xw (0x2000e750 + 4 * 0x6F)
```
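
An added example (not part of the airbreak project's code): decoding both Therapy Manager tables offline from a raw RAM dump, using the base addresses from the commands above. It assumes the dump was saved with GDB's `dump binary memory` starting at 0x2000e750 and that words are little-endian, as on the STM32; the sample dump and the values in it are constructed.

```python
import struct

# Base addresses from the GDB commands on this page; one variable per 32-bit word.
INT_BASE, FLOAT_BASE, WORD = 0x2000E750, 0x2000E948, 4

def var_address(base, index):
    """Address GDB reads for variable `index`: base + 4 * index."""
    return base + WORD * index

def int_slots_before_floats():
    """Number of integer slots that fit before the float table begins."""
    return (FLOAT_BASE - INT_BASE) // WORD

def decode_table(blob, dump_start, base, count, kind):
    """Decode `count` little-endian words ('I' = uint32, 'f' = float32).

    blob is the raw dump and dump_start is the address of blob[0].
    Raises ValueError when the requested range is not inside the dump.
    """
    offset = base - dump_start
    if offset < 0 or offset + WORD * count > len(blob):
        raise ValueError("table 0x%08x+%d words is outside the dump" % (base, count))
    return list(struct.unpack_from("<%d%s" % (count, kind), blob, offset))

def sample_dump():
    """Constructed dump: the integer region followed by 200 float slots."""
    buf = bytearray(int_slots_before_floats() * WORD + 200 * WORD)
    struct.pack_into("<I", buf, 0x6F * WORD, 3)  # constructed value at index 0x6F
    # Constructed value at float index 0x2d (the index named in the text above).
    struct.pack_into("<f", buf, FLOAT_BASE - INT_BASE + 0x2D * WORD, 10.0)
    return bytes(buf)

if __name__ == "__main__":
    dump = sample_dump()
    n = int_slots_before_floats()
    ints = decode_table(dump, INT_BASE, INT_BASE, n, "I")
    floats = decode_table(dump, INT_BASE, FLOAT_BASE, 200, "f")
    print("int   @ 0x%08x = %d" % (var_address(INT_BASE, 0x6F), ints[0x6F]))
    print("float @ 0x%08x = %.1f" % (var_address(FLOAT_BASE, 0x2D), floats[0x2D]))
    # x/200xw from INT_BASE reads past slot n-1 and into the float table.
    print("x/200xw overlaps the float table from word index", n)
```

The arithmetic shows that the 200-word integer read reaches the float table from word index 126 onward, so values printed past that point are float bit patterns shown as hex.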