v2: Firmware available?

[kruton]

It would be good to have a binary of the firmware that the device uses. The board has two unpopulated JTAG headers along with a Silex Technology SX-ULPGN chip and a RIGADO BMD-300 chip.

The SX-ULPGN supports a serial debug UART on pins 38 and 39. The BMD-300 allows SWD read back of the firmware (the version in the Petnet Feeder 2.0 is the AD version that is not locked).

[kruton]

I connected a serial console to the SX-ULPGN and it outputs the following. It resets every 30 seconds or so:

reset cause:RESET_1
_WAKEMGR_Register  item:0x43a558
cmnos_allocram_init: start=0x44eaf0 size=725064
NUM_DEV=2 FWMODE=5 FWSUBMODE=0 FWBR_BUF 1
Mac address is : [removed]
wlan power patch
_WAKEMGR_Register  item:0x43e194
RegDB opened
AMSDU enabled
WNM INIT
_WAKEMGR_Register  item:0x467230
_WAKEMGR_Register  item:0x469f38
alloc rem: 593068
host_dset_init
_host_dset_do_init
ram_dset_init
otp_dset_init
rom_dset_init
mem_dset_init
DataSet asynchronous initialization done (0)

[kruton]

I bought a little SWD device from Amazon and connected it to the BMD-300 SWD connector (J101) on the main board. I used OpenOCD to dump the firmware contents to inspect with Ghidra.

[kruton]

Here's a list of the API calls I could see:

/api/v1/kronos/software/releases/transactions/
/api/v1/core/events
/api/v1/kronos/software/releases/transactions
/api/v1/kronos/software/releases/transactions/%s/received
/api/v1/kronos/software/releases/transactions/%s/succeeded
/api/v1/kronos/software/releases/transactions/%s/failed
/api/v1/kronos/devices
/api/v1/kronos/gateways

These look like Telemetry API fields:

_|deviceHid
s|local_md5
s|msg_type
sensor
f|voltage
i|usb
i|chg
i|rssi
i|btn
i|mem
s|pnid
s|fw_ver
s|wifi
s|log
feed_result
s|s_id
s|s_p
s|s_act
s|s_auto
s|s_r
s|s_t
i|stime
i|etime
f|e_g
f|a_g
f|h_s
f|h_e
i|src
b|fail
s|err
s|rid
b|online
s|remote_md5

[kruton]

Here are my notes from looking at the handlers for messages via MQTT:

Outgoing message types (6 total):

Topic = "krs.tel.gts.<clientId>"

• 0 - boot
• 1 - sensor {"_|deviceHid":"ad06c3b579d59b2045fe01c37d18ca7252336935","s|msg_type":"sensor","f|voltage":4086,"i|usb":1,"i|chg":0,"i|ir":1,"i|rssi":99,"i|btn":1,"i|mem":5648}
• 2 - feedresult `{"|deviceHid":"ad06c3b579d59b2045fe01c37d18ca7252336935","s|msg_type":"feed_result","i|stime":1601883341,"i|etime":1601883343,"f|e_g":27,"f|a_g":0,"f|h_s":-133,"f|h_e":-133,"i|src":5,"b|fail":true,"s|err":"Unknown Error","s|rid":""}`
• 3 - hb (heartbeat) {"_|deviceHid":"ad06c3b579d59b2045fe01c37d18ca7252336935","s|msg_type":"hb","b|online":1} 4 - trace (debug trace) {"_|deviceHid":"ad06c3b579d59b2045fe01c37d18ca7252336935","s|msg_type":"trace","i|tl":32,"s|ts":"Start - D�, Portion: 0 tbsp(309448g), Turns: 41, Bowl: 0g, Hopp"} {"_|deviceHid":"ad06c3b579d59b2045fe01c37d18ca7252336935","s|msg_type":"trace","i|tl":32,"s|ts":"Results - Actual: 536928072 tbsp(0g), End: 309476, Bowl: 44g Ho"} 5 - hash {"_|deviceHid":"ad06c3b579d59b2045fe01c37d18ca7252336935","s|local_md5":"9f12737513eebebdfa70ca72fa562c45","s|msg_type":"hash","s|remote_md5":"26a98b0dc2ae400c65711957f5a14d5a"}

Incoming message type:

• reboot
• feed
  • portion (tablespoons?)

Possible other incoming messages (not sure what the actual commands are):

• button_enable_remote
• schedule ??
  • active
  • automatic
  • feeding_id
  • reminder

Test data from firmware? [{"active":true,"automatic":true,"feeding_id":"40006b28dbdfd7b2_zbxM2a_11:46AM","name":"FEED2","portion":0.0625,"reminder":false,"time":%ld}]

• budget ??

  • tbsp_per_feeding
  • recipe
  • g_per_tbsp
  • budget_tbsp

  Test data in firmware: {"budget_cups":0.75,"cups_per_feeding":0.25,"kcals_per_cup":519,"kcals_per_day":389.75,"kg_per_cup":0.10421836228287841,"managed":false,"num_feedings":3,"recipe":"E0000060"}

• utc ?? (maybe:utc_offset)

  • utc_offset

[tedder]

ohhhhhh, so I was seeing the first three API interactions and it was then appearing dead. That's because it flipped to MQTT?

great work. lemme get you on Slack, though it's quiet.. I've been waiting for someone to make forward progress.

[kruton]

I started back up the MQTT server and got it to try to dispense. My hopper is empty so it spun for probably 20 seconds fruitlessly. I'm not sure what the portion measurements mean yet.

You have to look at what topic it subscribes to. My PetNet is subscribing using the client ID 40285608b03f085d1b4e31ec5f60b3b912f64f2d and deviceHid of ad06c3b579d59b2045fe01c37d18ca7252336935 in the example below.

hbmqtt_pub --url mqtt://localhost:1883/ -t 'krs/cmd/stg/40285608b03f085d1b4e31ec5f60b3b912f64f2d' -m '{"hid":"feed1","name":"SendCommand","encrypted":false,"parameters":{"deviceHid":"ad06c3b579d59b2045fe01c37d18ca7252336935","command":"feed","payload":"{\"portion\":2}"}}'

The feeder will send an HTTP-via-MQTT response to topic krs.api.gts.40285608b03f085d1b4e31ec5f60b3b912f64f2d of something like:

{"requestId":"GS-2020-10-06T00:18:47.000Z","eventName":"GatewayToServer_ApiRequest","encrypted":false,"parameters":{"uri":"/api/v1/core/events/feed1/received","method":"PUT","apiKey":"efa2396b6f0bae3cc5fe5ef34829d60d91b96a625e55afabcea0e674f1a7ac43","apiRequestSignature":"dc6ba210d41c72ae2997e1c7ddcdb36316e55356061fa09c30db558c1279a330","apiRequestSignatureVersion":"1","timestamp":"2020-10-06T00:18:46.000Z"},"signature":"8198cf30c1a98972d238680fe92798d3124dfa66653f58a6f2d607935330a564","signatureVersion":"1"}')}                                                                                  

You must respond to the requestId (in this example GS-2020-10-06T00:18:47.000Z) with a HTTP 200 OK equivalent status before it will proceed:

hbmqtt_pub --url mqtt://localhost:1883/ -t 'krs/api/stg/40285608b03f085d1b4e31ec5f60b3b912f64f2d' -m '{"requestId":"GS-2020-10-06T00:18:47.000Z","eventName":"GatewayToServer_ApiRequest","encrypted":false,"parameters":{"status":"OK"}}'

[kruton]

You could order a V2 on Amazon for $65 :)

[SixthTitan]

Couldn't you reverse engineer the petnet android app to point to a url you've constructed with mqt? I assume there might be a variable in there somewhere that points to these endpoints.

On Wed, Oct 7, 2020, 3:02 PM Brian Beaird notifications@github.com wrote:

Such a bummer. You guys are doing great work - hate that I can't easily apply this to my V1. Honestly hate the idea of just chucking the whole thing into the trash, but I don't know what else I'd do with it. I already bought a PetKit feeder, which seems to do the job just as well.

On Wed, Oct 7, 2020 at 1:58 PM Kenny Root notifications@github.com wrote:

You could order a V2 on Amazon for $65 :)

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub < https://github.com/tedder/petnet-api-hacking/issues/12#issuecomment-705131689 , or unsubscribe < https://github.com/notifications/unsubscribe-auth/ABXHM2G7IGS4TQCSLXGRSYDSJS26VANCNFSM4OOF5PEQ

.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/tedder/petnet-api-hacking/issues/12#issuecomment-705133494, or unsubscribe https://github.com/notifications/unsubscribe-auth/AI7EVLF3OHQW2EX4NMKYT7DSJS3LLANCNFSM4OOF5PEQ .

[kruton]

I don't know what the V1 looks like on the network. I would suggest trying to do packet captures of what it's sending across the network (or trying to send now that PetNet's domains are defunct).

[tedder]

Hey gen1 folks, this is hard to thread, please go into #15 to work on efforts there. @fbretmounet can you repost your images and text there? I'm going to delete the messages from this thread.

[ak48disk]

There's a 8Mbit flash chip on my 2.0 device board that I can read through a programmer. It seems contains some firmware and it disassembles as a ARM binary.

However, I didn't put much effort in the firmware but I just replaced the main board with a resperberry pi to just drive the motor from time to time. I lost all the weight sensors and motion sensors, but it's the quickest way that I can get my feeder back to work.

[mbillow]

Closing this out since we have pretty much everything working with the V2 feeders.

[hassankhan]

Hi @kruton :wave:

Any chance you could post the firmware image?