osresearch / airbreak

CPAP jailbreak to allow it to be used as a temporary ventilator
MIT License
261 stars 69 forks source link

CPAP running custom firmware

Jailbreaking CPAP machines to make temporary ventilators

This is the README for the internals of ResMed CPAP jailbreak works; for a high-level overview, see airbreak.dev. The project is MIT licnsed and has a CoC. Please review the Contributor's Guidelines before submitting issues or pull requests.

This tree does not contain any files that are copyrighted by ResMed. You must have a device to extract the firmware from, which is then patched, and the modified version is re-flashed.

You will need the tools described in docs/disassembly. The stubs.S file that has been committed is for SX567-0401. Flashing it on a different version will likely cause problems.

Extensions can either replace existing functions at fixed addresses, or can use some of the unused space in the image. The Makefile has a short explanation of how to do this; the patch-airsense file will also need to be updated to patch the binary file into the firmware.

Helpful GDB commands:

Start gdb, connect to the OpenOCD server and disassemble the current address:

gdb-multiarch -iex 'target remote localhost:3333'
display/i $pc

Reboot the device and halt before running any code:

mon reset halt

Unlock the STM32 and flash the new firmware into it:

mon stm32f2x options_write 0 0x2c ; reset halt ;  flash write_image erase stm32-unlocked.bin 0x8000000

Read the Therapy Manager floating point variables, or a specific one like the target pressure (0x2d):

x/200f 0x2000e948
x/f (0x2000e948 + 4 * 0x2a)

Read the Therapy Manager integer variables, or a specific one like the current mode (0x6F):

x/200xw 0x2000e750
x/xw (0x2000e750 + 4 * 0x6F)