Author Topic: Reverse engineering DVD buffer DRM (Read 2991 times)

R30Repair71 · « **on:** May 11, 2022, 07:51:39 pm »

Hello all, I am at a complete loss for my current reverse engineering project. I have a device that is basically a DB9 connector with an unknown IC and a ceramic capacitor. The chip keeps count of how many minutes our Venmill Hybrid 2.0 buffers have run and demand a new chip once 500 minutes has passed. I am looking for a way to reprogram it to reduce waste, because the only way you can buy consumables (pads, compound, chip, etc) is in a kit. The chips markings are

ATH022
02CMCN
2022Y99

I cant find ANYTHING on this and based on the PCB, its some sort of kooky custom crap. Any help would be appreciated. I tossed the chip in my TL866II and got it to read but it only returned a little bit of garbage. Comparing it to a fresh chip, it is the exact same. All photos are included below.

DavidAlfa · « **Reply #1 on:** May 11, 2022, 08:10:31 pm »

It works again if you replace -only- that eeprom?
Or replace the whole device?
What's the other unknown chip?

R30Repair71 · « **Reply #2 on:** May 11, 2022, 08:20:41 pm »

The whole assembly gets swapped out. Ill include a photo of it below. the unknown chip is the one i pictured in the original post. The manufacturer will not sell individual parts from the consumables kits. In theory, all of the polishing compound and the buffing pads should be used up at 500 minutes of run time. however, that is typically not the case and has resulted in a lot of wasted compound and pads. heres the link to the consumables kit. https://www.venmill.com/products/hybrid-combo-pack

Without a fresh chip, the buffing machine will not run. you MUST buy a new kit with the chip for it to run, whether or not the current consumables are used up. I am trying to find a way to spoof a fresh chip so that I can run the machine without spending $90 every 500 minutes

DavidAlfa · « **Reply #3 on:** May 11, 2022, 09:33:42 pm »

Edit: That marking matches the AT24C02C, which is a very simple EEPROM, no unique ID, no special memory locations, not OTP locable... looks like a normal EEPROM.
Might be interesting to try disconnecting WP and pulling it to GND, sounds too easy.

Was the fresh one ever connected to the machine?
Are you completely sure both had the same contents?
Was it autodetected by the Programmer?
Try manually choosing a larger i2c memory, ex. 32Kbit.

There're special EEPROM with two different addresses, ex. the M24256 has a second address, for a page that can be permanently locked.
The AT24CS02 also has a second address to read a unique ID.
The AT24CSW02X has both.

Try manually selecting any of these EEPROM types in the programmer, or manually set the EEPROM address, using 0xB0 instead the default 0xA0.

Have you ever switched between two partially used dongles, and did the machine show different remaining times?

Haenk · « **Reply #4 on:** May 12, 2022, 08:35:01 am »

I'd say this is pretty much the same:

https://www.microchip.com/en-us/product/ATSHA206A

IMHO this can not easily be circumvented (that's the basic concept, after all...).

DavidAlfa · « **Reply #5 on:** May 12, 2022, 08:41:44 am »

I don't think so? They don't seem to make it in tssop package... Also the pinout is very different. But not completely impossible.

magic · « **Reply #6 on:** May 12, 2022, 09:16:14 am »

If they are evil enough this could be a device which pretends to be I²C EEPROM while also being something more than that. A logic analyzer could tell how the machine talks to it.

It doesn't look like the Microchip product above because that one uses different protocol, fewer pins and apparently has integrated bypass capacitor.

bingo600 · « **Reply #7 on:** May 12, 2022, 09:32:15 am »

IMHO ATH means ATMEL , and it kinda fits

What if the "Unigue 128bit serial" - "Buys 500 minutes" , and the eeprom contents is just for Manuf validation.

Marking pg. 23
https://ww1.microchip.com/downloads/en/DeviceDoc/20006330A.pdf

Mouser DS (Atmel)
https://eu.mouser.com/datasheet/2/268/Atmel_8815_SEEPROM_AT24CS01_02_Datasheet-1368744.pdf

See further down ...

I'd get a cheap saleae clone, install sigrok , and "sniff the i2c comms".

/Bingo

DavidAlfa · « **Reply #8 on:** May 12, 2022, 10:12:42 am »

Have you read the markings in the datasheet?
The AT24C02C is the only one matching:
ATH....
02C....

The others have different markings, N1/N2 for the AT24CS01/AT24CS02.

bingo600 · « **Reply #9 on:** May 12, 2022, 10:28:24 am »

Quote from: DavidAlfa on May 12, 2022, 10:12:42 am

Have you read the markings in the datasheet?
The AT24C02C is the only one matching:
ATH....
02C....

The others have different markings, N1/N2 for the AT24CS01/AT24CS02.

OOpz
I'd have to agree here

But then it makes no sense that the Old & New eeprom contents is the same , unless they both don't work/activate

Unless the eeprom C' uses the same mask as the S' , and have a "hidden serial inside"

Doctorandus_P · « **Reply #10 on:** May 12, 2022, 11:47:31 am »

So what's in this Venmill thing anyway?
A motor to spin the disc, one or two motors for the polishing pads, maybe a pump?

I used to repair scratches in CD's with an orbital sander and a cloth with some polishing stuff, because that is what I had at hand.
I would never ever buy a polishing kit from that company, first out of principles about this drm nonsense, and secondly because it's extremely overpriced.

Polishing CD's or DVD's is nothing special. It's just a piece of plastic. Those big polishers used on cars may work wonders.
The most important thing though is to not damage the backside, but apart from that you can go medieval on your polishing techniques.

Have you thought about having a look inside that USD1800 box?
I'm guessing it has a power supply, a few motors and a PCB to control it. Ripping out the PCB and making a complete replacement can't be too difficult, and if you make some documentation along the way you have a good entry for Hackaday. It's also possible this thing has been reverse engineered already and it's on some GIT gobbling site.

coromonadalix · « **Reply #11 on:** May 12, 2022, 05:00:47 pm »

ive reverse hacked some IPL laser hand pieces, they use Dallas one wire ic's like an eeprom and a temperature monitor, but the @@@!# are logging the 64 bit id descriptor of each cartridge ic's pair, you have to swap at least 5 different piece before putting back the originals ones loll

I did found the eeprom logic loll i can reset them indefinitely BUT .... need at least 5-6 sets

free_electron · « **Reply #12 on:** May 12, 2022, 05:49:02 pm »

is that still really a "thing" ? buffing out dvd's in 2022 ? i don't even have an optical drive anymore in any of my computers. and cd/dvd players are long gone too.

most likely they log any key that has been used. so simply copying doesn't work. you'll need to be able to generate new keys.

R30Repair71 · « **Reply #13 on:** May 12, 2022, 09:36:08 pm »

game discs are still alive and well!

Haenk · « **Reply #14 on:** May 13, 2022, 07:58:33 am »

Quote from: free_electron on May 12, 2022, 05:49:02 pm

is that still really a "thing" ? buffing out dvd's in 2022 ? i don't even have an optical drive anymore in any of my computers. and cd/dvd players are long gone too.

A good part of my collection of CDs has significantly increased in value (too bad I passed on the SACDs), so there obviously is more demand than 20 years ago.
I gave away most of my DVD movies, those are usually worthless.
Game DVDs are still valuable though. And those tend to be abused and scratched...

The players (for all types of media - compact cassette, CD, DVD/SACD, vinyl) have also dramatically increased in value.

DavidAlfa · « **Reply #15 on:** May 13, 2022, 10:32:00 am »

Definitely a $10 cheap logic analyzer would help a lot, i2c and EEPROM protocols are easy to decode.

Are you able to see the remaining minutes?
I'd take a dongle with little time left, cut the WE trace and solder the pin 7&8 together, so it becomes read-only.
The machine might refuse to work, in the worst case it'll be a small loss, it was almost empty!

Or perhabs it performs a check at boot but not later... Toggling a switch to disable writes after the buffing started?

Cryo · « **Reply #16 on:** December 29, 2023, 05:18:05 pm »

Found this post on google. Went ahead and made an account to say that the last suggestion [cutting WE and tying it high] seems to have worked for me. Additional Data: my Chip had around 30 seconds left on it and after i performed the above change, the display says " 7* " instead of the remaining time. I have since run it longer than than 30 seconds and its still going. I will reply to this post with any updates if the arise.

I had previously used a logic analyzer to take samples of the signals that the chip was sending to the machine, i dont mind sharing them here if anyone interested.

Thank you members of this group for sharing your theories and information. I imagine a lot more traffic on this post in the future seeing as the company that produces these DRM devices is now discontinuing them.

coromonadalix · « **Reply #17 on:** December 29, 2023, 06:10:43 pm »

yeah the machine will read chip, but not write any countdown numbers if the write signal is disabled

but some companies are sneaky, they need to see a writing process going on ...

DavidAlfa · « **Reply #18 on:** December 29, 2023, 07:04:54 pm »

Ha! So the program doesn't verify the written values... or it enters some sort of error mode - Well let's keep working anyways!
Yeah it would be nice if you attached the recorded data, might not be useful today, but might be useful for someone coming 8 months later, just like you!


EEVblog Main Site	EEVblog on Youtube	EEVblog on Twitter	EEVblog on Facebook	EEVblog on Odysee

Author Topic: Reverse engineering DVD buffer DRM (Read 2991 times)

Share me