dekuNukem / bob_cassette_rewinder

Renew and Refill Bob Cassettes for 98% Cost Saving!
MIT License

Reverse Engineering of Bob (including backup of ESP flash) #21

Open whosmatt opened 2 years ago

whosmatt commented 2 years ago

My Bob (normal version) arrived today and I could not help but take it apart immediately (at least the front plate). I'll share my findings here, because some of them are very relevant to the project.

The front panel is very easy to take apart, just remove the screws visible from the inside. There are four (non evil) clips holding the front plastic down around the window, those will come undone by applying a bit of force and rocking the front plastic around from the top (there is no way to directly undo the clips, but they are designed to pull out without damage). There is a hinge at the bottom, so do not pry from the bottom.

Having done that, you will be greeted by a small board (rev 2.4 in my case) with an ESP32-WROOM-32D (detected as ESP32-D0WD (revision 1)) and a handful of peripherals. Notably, the connection to the power electronics somewhere else in the unit happens via a single standard RJ45 cable. There is a handy programming header for the ESP, I have marked the pinout in the picture below.

[images: 20220413_225232, 20220413_225246]

I used esptool to dump the firmware (esptool detects 16MB flash). I am no firmware dumping expert; I cannot guarantee that this file is valid and won't brick your Bob. Flashing it to a random 8MB ESP32 does seem to give the correct serial output, but doesn't find all the partitions. I sadly do not have a 16MB ESP around to test it properly. BobOS_hwrev24.zip

Now for the most interesting bit: The serial dump. Bob is VERY talkative when just connected to a 115200 baud serial interface. Maybe a little too talkative because it includes wifi ssid and password in cleartext. Here is a somewhat full serial log with personal information [REDACTED]: Bob_serial_log.txt

It seems to be communicating to an AWS backend using MQTT. Alarmingly, there is no privacy policy available for this particular service and there are some hints towards the bottom of the log that it might be sending cartridge info to the server. If that is the case, they may be able to see if cassettes have been rewound.

Regardless, they are able to fight the rewinder with OTA updates, so keeping wifi disconnected might be the best option. Until someone takes the risk and tries it, we don't know if downgrading by flashing the ESP works.
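On the partition remark above (a 16 MB dump not finding all of its partitions when flashed to an 8 MB ESP32), here is an added example that is not from this thread or the project: it parses an ESP32 partition table out of a raw flash dump and reports which partitions would extend past the end of a smaller chip. The table location (0x8000), 32-byte entry layout and magic values are the ESP-IDF ones; the layout built by `sample_dump()` is constructed for the demo and is not the BobOS layout.

```python
import struct
from typing import List, NamedTuple

# ESP-IDF partition table layout: table at flash offset 0x8000, 32-byte entries
# (magic 0x50AA, type, subtype, offset, size, 16-byte label, flags), terminated
# by an MD5 entry with magic 0xEBEB or by erased flash (0xFFFF).
PARTITION_TABLE_OFFSET = 0x8000
TABLE_MAX_LEN = 0xC00
ENTRY_SIZE = 32
ENTRY_MAGIC = 0x50AA
MD5_MAGIC = 0xEBEB

TYPE_NAMES = {0x00: "app", 0x01: "data"}
SUBTYPE_NAMES = {
    ("app", 0x00): "factory", ("app", 0x10): "ota_0", ("app", 0x11): "ota_1",
    ("data", 0x00): "otadata", ("data", 0x01): "phy", ("data", 0x02): "nvs",
    ("data", 0x82): "spiffs",
}


class Partition(NamedTuple):
    label: str
    ptype: str
    subtype: str
    offset: int
    size: int

    @property
    def end(self) -> int:
        return self.offset + self.size


def parse_partition_table(table: bytes) -> List[Partition]:
    """Decode consecutive entries until the MD5 entry or erased flash is hit."""
    parts: List[Partition] = []
    for pos in range(0, len(table) - ENTRY_SIZE + 1, ENTRY_SIZE):
        magic, ptype, subtype, offset, size = struct.unpack_from("<HBBII", table, pos)
        if magic in (MD5_MAGIC, 0xFFFF):
            break
        if magic != ENTRY_MAGIC:
            raise ValueError(f"bad entry magic 0x{magic:04x} at table offset 0x{pos:x}")
        label = table[pos + 12:pos + 28].split(b"\x00", 1)[0].decode("ascii", "replace")
        tname = TYPE_NAMES.get(ptype, f"type{ptype:#x}")
        sname = SUBTYPE_NAMES.get((tname, subtype), f"subtype{subtype:#x}")
        parts.append(Partition(label, tname, sname, offset, size))
    return parts


def parse_dump(dump: bytes) -> List[Partition]:
    """Locate the table at its default offset inside a full flash dump."""
    if len(dump) < PARTITION_TABLE_OFFSET + ENTRY_SIZE:
        raise ValueError("dump too short to contain a partition table")
    return parse_partition_table(dump[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + TABLE_MAX_LEN])


def partitions_outside_flash(parts: List[Partition], flash_size: int) -> List[Partition]:
    """Partitions that reach past the end of a chip of the given size."""
    return [p for p in parts if p.end > flash_size]


def build_entry(label: str, ptype: int, subtype: int, offset: int, size: int) -> bytes:
    """Encode one table entry; only used to construct the sample below."""
    return (struct.pack("<HBBII", ENTRY_MAGIC, ptype, subtype, offset, size)
            + label.encode("ascii").ljust(16, b"\x00") + struct.pack("<I", 0))


def sample_dump() -> bytes:
    """Constructed 16 MB-style layout (hypothetical, not the real BobOS table)."""
    table = b"".join([
        build_entry("nvs", 0x01, 0x02, 0x9000, 0x6000),
        build_entry("phy_init", 0x01, 0x01, 0xF000, 0x1000),
        build_entry("ota_0", 0x00, 0x10, 0x10000, 0x400000),
        build_entry("ota_1", 0x00, 0x11, 0x410000, 0x400000),
        build_entry("storage", 0x01, 0x82, 0x810000, 0x7F0000),
    ])
    # MD5 entry: magic, 14 bytes padding, 16-byte digest (zeroed here)
    table += struct.pack("<H", MD5_MAGIC) + b"\xFF" * 14 + b"\x00" * 16
    return b"\xFF" * PARTITION_TABLE_OFFSET + table


if __name__ == "__main__":
    parts = parse_dump(sample_dump())
    for p in parts:
        print(f"{p.label:<10} {p.ptype:<5} {p.subtype:<8} 0x{p.offset:07x} 0x{p.size:07x}")
    missing = partitions_outside_flash(parts, 8 * 1024 * 1024)
    print("would not fit on an 8 MB chip:", [p.label for p in missing])
```

Run against a real dump with `parse_dump(open("dump.bin", "rb").read())`; anything reported by `partitions_outside_flash(parts, 8 * 1024 * 1024)` is what an 8 MB module would truncate or lose, which is the symptom described above.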

whosmatt commented 2 years ago

After a couple hiccups with wifi (stayed on the update screen for a long time) my Bob seems to be working again, so booting it on the bench (without its peripherals connected) did not lock up the software.

There are hints towards an STM32 MCU on the power board somewhere else in the machine. The ESP seems to have a partition with a binary for an STM32 processor, presumably for updating it.

I don't think I am going to take apart the full machine though. I am happy enough having dumped the firmware, and taking apart the rest would get messy and complicated.

The 2 pin connector seen on the PCB is for the touch strip that opens the door.

miyoyo commented 2 years ago

Hey there, you may want to join us on Discord, we've been working with the Bob Minimalist and I've been sharing my findings there, maybe there are a few things you can pick up with some quick discussion.

You may also want to specify that you're doing this for the regular bob in the title, because, while there are some similarities, they do have quite a few differences on the display side.

dekuNukem commented 2 years ago

Nice job! The discord link is here: https://discord.gg/gyGFqD2vfP

miyoyo has made a lot of progress on a bob minimalist, and did some firmware disassembly too!

EmerickH commented 1 year ago

Hey, I did some work figuring out the layout of the board.

Board

[images: Bob-side2, Bob-side1]

| GPIO | Description |
|---|---|
| GPIO0 | External (clock out?) |
| GPIO1 | Serial TX |
| GPIO2 | Audio amplifier shutdown control |
| GPIO3 | Serial RX |
| GPIO4 | Screen power control |
| GPIO5 | RS485 DIR |
| GPIO12 | N.C. ? |
| GPIO13 | Screen data: CS |
| GPIO14 | LED power control |
| GPIO15 | Screen data? |
| GPIO16 | Screen data: SCK |
| GPIO17 | Going to screen and RJ45, pulled high most of the time, probably RESET for screen and STM32 |
| GPIO18 | Screen data: MOSI |
| GPIO19 | Screen data: MISO |
| GPIO21 | Laid out to RJ45 |
| GPIO22 | RS485 RX |
| GPIO23 | RS485 TX |
| GPIO24 | N.C. ? |
| GPIO25 | N.C. ? |
| GPIO26 | Laid out to RJ45 |
| GPIO27 | Touch sensing |
| GPIO32 | Button 1 |
| GPIO33 | Laid out to RJ45: STM32 BOOT0 |
| GPIO34 | Button 3 |
| GPIO35 | Button 2 |

2 of the pins going in the RJ45 are probably i2c for the cartridge, the others maybe for LEDs?

Reversing the firmware

With that kind of info and a little bit of figuring out the protocol with the power board, we should be able to make a completely custom firmware.

Used libraries in the original code:

- https://github.com/loboris/ESP32_TFT_library (100% sure): ST7789V based screen (JWS024N1DS04-V0)
- https://github.com/tonyp7/esp32-wifi-manager (100% sure)
- https://github.com/aws/amazon-freertos (99%) (SDK=AmazonFreeRTOS&Version=4.0.0&Platform=EspressifESP32)
- https://github.com/ESP32-Musings/OTA_update_STM32_using_ESP32 (probably)

Flash storage

The flash of the ESP32 contains a "storage" partition formatted in SPIFFS with these settings: block size 8192, page size 256.

```c
#define SPIFFS_OBJ_META_LEN 64
#define SPIFFS_OBJ_NAME_LEN 64
#define SPIFFS_ALIGNED_OBJECT_INDEX_TABLES 1
```

It contains a non-standard folder declaration at the beginning for some reason; if you use mkspiffs to extract it, you will have to patch it in order to ignore 0-size files (or files with names ending in "/.").

(Someone should be fired for coming up with such an unusual config.) It contains images (for displaying on the screen) and configs (custom cycles, ...).

robbe-haesendonck commented 8 months ago

@whosmatt FYI: You unintentionally leaked your WiFi credentials by sharing the binary dump.

whosmatt commented 8 months ago

> @whosmatt FYI: You unintentionally leaked your WiFi credentials by sharing the binary dump.

Don't worry, I was aware of that right after posting it and had changed them immediately.
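Two passages in this thread hinge on the same hazard: the serial log prints the wifi SSID and password in cleartext, and the shared flash dump carried those credentials as well. As an added example, not from this thread or the project, here is a small pre-share triage tool: it extracts printable-ASCII runs from a log or raw dump (the way `strings` does), flags `keyword=value` / `keyword: value` pairs that look like credentials, and masks the values in place so the file keeps its size and offsets. The keyword list and the `SAMPLE_LOG` / `SAMPLE_BLOB` inputs are constructed for the demo; the real log format and where the firmware stores its credentials are not known from the thread.

```python
import re
from typing import Iterator, List, NamedTuple, Tuple

# Heuristic scanner for credential-looking text in a serial log or flash dump.
# Keyword list is constructed for this example, not taken from the BobOS firmware.
MIN_STRING_LEN = 8
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)
CREDENTIAL = re.compile(
    rb"(ssid|password|passwd|passphrase|psk|secret|token)\s*[:=]\s*(\S+)",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    offset: int   # byte offset of the value inside the input
    kind: str     # keyword that matched, lower-cased
    value: str    # the value that would leak if the file were shared as-is


def printable_strings(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, run) for every printable-ASCII run of MIN_STRING_LEN or more."""
    for m in PRINTABLE_RUN.finditer(blob):
        yield m.start(), m.group()


def find_credentials(blob: bytes) -> List[Finding]:
    """Scan each printable run for keyword/value pairs that look like secrets."""
    findings: List[Finding] = []
    for base, run in printable_strings(blob):
        for m in CREDENTIAL.finditer(run):
            findings.append(Finding(base + m.start(2),
                                    m.group(1).decode().lower(),
                                    m.group(2).decode()))
    return findings


def redact(blob: bytes, findings: List[Finding]) -> bytes:
    """Overwrite each flagged value with '*' of equal length; size and offsets stay put."""
    out = bytearray(blob)
    for f in findings:
        out[f.offset:f.offset + len(f.value)] = b"*" * len(f.value)
    return bytes(out)


# Constructed sample inputs (not real BobOS output): a log excerpt in the
# key=value style many ESP-IDF components use, and a blob mixing binary and text.
SAMPLE_LOG = (
    b"I (2310) wifi_manager: ssid=HomeNet-2G password=CorrectHorse99\n"
    b"I (2400) mqtt: connected to broker\n"
)
SAMPLE_BLOB = b"\x00\xff\x13" + b"wifi.psk: hunter2hunter2" + b"\xff\x00\x00\x00"


if __name__ == "__main__":
    for name, data in (("log", SAMPLE_LOG), ("blob", SAMPLE_BLOB)):
        hits = find_credentials(data)
        for f in hits:
            print(f"{name}: {f.kind} at offset {f.offset}: {f.value!r}")
        print(f"{name} redacted: {redact(data, hits)!r}")
```

Run it over a dump with `find_credentials(open("dump.bin", "rb").read())` before attaching the file anywhere. The scan only sees credentials stored as readable text next to a recognisable keyword; values kept in a structured store such as NVS may not sit beside one, so an empty result is a reason to look further, not a clean bill.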