I think that’s not exactly true. It uses an Allwinner R528/T113 SoC to run TinaLinux (the host); for the Klipper MCU it uses an Xtensa LX7. For communication they seem to have implemented some interface not present in Klipper.
I think you’re mischaracterizing the Manta boards by calling them “highly integrated”. Manta boards are really typical 32-bit main controller boards with the addition of a 5V power supply sufficient to run a CM4/CB1 and a USB hub which allows the 32-bit MCU on the board to communicate with the CM4/CB1.
This is identical in concept to any other board which communicates with a host (Raspberry Pi or similar) through USB; when you’re talking about a Raspberry Pi, it has the USB hub built in and requires its own external power supply.
It’s much more accurate to say that a Manta board has a socket for a CM4/CB1 host that eliminates the need for a separate power supply and cabling.
Actually I’d be surprised if Anycubic put any effort into it. As I have never touched such a printer, this is just spitballing:
- The MCU board (Trigorilla SPE_A_V1.0.0) seems quite basic
- Is the “Linux box” integrated behind the display, or is it part of the main board?
- The connection between these two is this PCB ribbon cable
In any case, the ribbon cable is likely just combining the standard interfaces into a different physical form.
Well, they have mem_interface: mem_interface_DSP under [mcu], which does not seem to be present in Klipper, so I don’t think you’re right about them not putting any effort into it.
Ah, OK. Good to know, or rather bad, since it’s yet another GPL violation.
Hi,
I tried these passwords, but none of them are working…
Hi all,
I was tinkering with the mainboard a little bit and here is the complete block diagram I drew, according to the components (I omitted the connectors, since they have markings on the silkscreen):
There is NO uC on this board. All controlling is done by the Allwinner R528-S3 CPU.
https://bbs.aw-ol.com/assets/uploads/files/1645007527374-r528_user_manual_v1.3.pdf
The onboard flash is an 8 GB KLM8G1GETF-B041
https://semiconductor.samsung.com/estorage/emmc/emmc-5-1/klm8g1getf-b041/
The stepper drivers are indeed TMC2209 ones (I removed the heatsink from one of them)
The wifi module is an RTL8723DU, which also has Bluetooth, but it is not used by Anycubic
https://www.realtek.com/en/products/communications-network-ics/item/rtl8723du
There is an SOIC-8 IC on the board, an NDP2331KC, which is a step-down DC-DC converter (I originally thought it was an external EEPROM IC). Probably used for the low voltage levels (3V3, 5V0, 1V8, etc.)
https://datasheet.lcsc.com/lcsc/2306121559_NDP-NDP2331KC_C7420587.pdf
The bigger TSSOP-16 IC is simply a USB hub, used to create the EXT1 and EXT2 USB ports. Its part number is FE8.1
https://terminus-usa.com/product/fe8-1-usb2-0-high-speed-4-port-hub-controller/
The LCD is a simple display with no integrated uC (at least none that controls the TMC2209 ICs, etc.). It is connected to the CPU directly; the resistors around it are for impedance matching and termination. It has a resistive touch interface, which is also connected to the main board.
The CPU controls the TMC2209 ICs via 4x UART, it can be clearly seen on the mainboard that the wires are routed directly to the CPU.
There is one switch next to the CPU, which is a RESET switch. If you connect the USB port labeled FIRMWARE to a PC, then a “new player” shows up when you push the reset button:
Bus 001 Device 012: ID 1f3a:efe8 Allwinner Technology sunxi SoC OTG connector in FEL/flashing mode
So this will be the port we can use for uploading our software.
NEXT steps:
we definitely need to compile a basic linux, that can run Klipper as a process, so an external SBC (RPI) can control our mainboard via UART.
In regards to the root password hash, a quick search brings up this, which seems to indicate that $1$IhXzNJre$DYiasTPrHJp2X2imFvpVl1 is an MD5 hash; however, none of my attempts to crack it seem to be going anywhere. According to the above link talking about the hash format, this was probably generated by crypt(3), making IhXzNJre the salt and DYiasTPrHJp2X2imFvpVl1 the hash. Following this SO post gives an invocation of
./hashcat -a 0 -m 20 "IhXzNJre:DYiasTPrHJp2X2imFvpVl1" ./rockyou.txt
Unfortunately that doesn’t seem to work (nor does anything else I’ve tried), so I’m stuck on that front. Flashing custom firmware definitely seems like the “correct” approach to this printer though, especially given how much the stock firmware sucks.
Hi,
Seeing your post I also installed hashcat, and started cracking the code.
I found the following:
The hash is not a simple salt+MD5 hash, but rather a “md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)” hash, which is hashcat mode 500 (-m 500):
https://hashcat.net/wiki/doku.php?id=example_hashes
Also, I have run a dictionary attack on that hash, and nothing was found, so I started a lowercase-letter brute-force attack.
The command is the following:
hashcat -d 2 -O -a 3 -m 500 '$1$IhXzNJre$DYiasTPrHJp2X2imFvpVl1' ?l?l?l?l?l?l?l?l
It will take approximately 8 hours to run; if it does not give any result, I’ll try with numbers only (someone mentioned that in China they use number-only passwords as well).
- Or, if you have time, you can start the number-only session.
I tested 6-10 character password lengths, numbers only, with no results.
Isn’t it running regular u-boot?
Then you could try to just bypass the login using the boot loader itself.
Just add some bootargs variables, like init=/bin/sh or something.
I have yet to try opening it and connecting via UART to the printer.
From the look of your boot logs, the main board boot delay is 0, which makes it impossible to enter the boot menu without something like a voltage injection glitch.
Boot delay 0 isn’t actually a problem.
The rootfs is a squashfs, but they mount an overlay on top of it. I added my own shadow file to the overlay and can login at the serial prompt. Could presumably add dropbear or similar, although I was unsuccessful at getting persistence by adding a service to /etc/init.d. Something about boot order, maybe. I haven’t spent a lot of time on it.
Not actually sure what would be useful at this point. My intent was to add dropbear so I can send files via ssh, then do some RE work on their protocol for status, remote printing, etc.
Yeah. The goal would be to have fully unlocked Klipper on the printer with modding or custom firmware. But nice!! Do you mind explaining more about replacing the shadow file?
They mount the rootfs squashfs partition, which is readonly, then mount a separate partition on top of it using overlayfs to store any changes. Basically if a file is in the overlay partition, it’ll show up instead of the readonly file in the squashfs. So I made a shadow file with a password I know and put it in the overlay partition. Reboot and it’s my password being used for root instead of theirs.
Actually doing it was pretty easy once I got initial access via the bootargs. They mount just the overlay at /overlay. So drop a file in there with whatever contents you want. Reboot normally so init and whatnot runs, and you can login with your own password.
Awesome! So the 0 delay thing isn’t a problem? You just hold enter or something to interrupt the boot process?
Yup. Turns out there’s a difference between disabling the boot environment and setting the delay to 0.
Cool! I’ll try it myself when I get the time! Looks like things are possible! Might play around trying to get a custom Linux compiled and try to run it or something. Would love to have it fully unlocked.
Wow, awesome news guys!
Keep up the good work!
If you need additional testing feel free to send me the custom linux images.
On 2.3.6 I couldn’t interrupt the boot process. I even tried macros in Tera Term.