A fix for the firmware v. 3.xx problem in Davis Instruments Corp. weather stations
© Torkel M. Jodalen, annoyingdesigns.com
December 29, 2014

Abstract
This document describes how to overcome the "serial line lockdown" introduced by Davis Instruments Corp. in firmware versions 3.00, 3.12 and 3.15 for the Vantage Pro2 (VP2) series of weather stations and firmware version 3.00 for the Vue series of weather stations. The fix is based on the Atmel AVR ATtinyX5 series microcontroller.
Disclaimer
The author assumes no responsibility for your use of information contained in this document. Experiment entirely at your own risk. The author does not represent Davis Instruments Corp. Likewise, the author does not have any commercial interests in Davis Instruments Corp. or any other companies or products mentioned in this document. All trademarks remain the property of their respective holders, and are used only to identify the products mentioned.
Contents
1 Introduction
1.1 The Davis Vantage Pro2 series
1.2 Typical station setup
1.3 Original Davis data loggers
1.4 Third-party data loggers
1 Introduction
1.1 The Davis Vantage Pro2 series
Despite shortcomings in sensor accuracy, the Vantage Pro2 series of weather stations, manufactured by Davis Instruments Corp. of Hayward, CA, USA (from here on referred to as Davis), has been popular with weather hobbyists for several years.
1.3 Original Davis data loggers
Data loggers cover two different functions: archiving data from the console and providing a means of communicating with the console from a computer. The data logger itself contains only a very limited amount of logic: it is mainly made up of an Adesto Technologies DataFlash chip for data storage and a level converter used for converting the 3.3V signals from the console's in-system UART to more commonly accepted signal levels, and the other way around, providing safe 3.
Figure 1: Original Davis data logger, non-green dot version (product # 06510 SER).
Figure 2: Original Davis data logger, under the cover, green dot version (product # 06510 SER).
1.4 Third-party data loggers
In 2012, third-party data loggers with specifications and functionality equal to the original Davis units emerged on the market. Reasonably priced, they offered a most welcome alternative to the overpriced Davis units.
2 The green dot data logger problem
Starting in 2012, new Davis data loggers suddenly shipped with a green dot sticker attached to the enclosure, hence the unofficial term green dot data loggers. The same green dot sticker started appearing on console enclosures, indicating consoles shipping with the new firmware version 3.00. For the Vantage Pro2 series of weather stations, the firmware version made a remarkable jump from v. 1.90 to v. 3.00 overnight, and later to version 3.
3 A look inside the Davis units
Apart from the custom-made LCD display, the Davis Vantage Pro2 console consists of commonly available electronics parts. The microcontroller running the entire show is an Atmel ATmega128L [5] loaded with Davis' own firmware. The console unit contains a rear expansion connector which is directly wired to the ATmega128L MCU. Tracing the individual connectors back to the MCU pinout, as has already been done and documented thoroughly [10], has revealed some interesting facts.
3.1 The console serial line
Of particular interest on the ATmega128L MCU are the pins used for serial line communication (pins 2, 3 and GND) as well as the SPI lines. Pins 2, 3 and GND are routed directly to the expansion connector at the rear of the console. The signal logic adheres to the EIA-232 (RS-232) specification, though signal levels are 3.3V only. As such, a level converter is required for interfacing to a personal computer, which would otherwise fry the MCU.
3.2 So, how does it work, then?
During power-up (boot sequence) or after a reset, the console performs internal checks and determines whether a data logger is connected. For non-green dot consoles upgraded to firmware version ≥ 3.12, the serial line and data logging functions remain available. Users remain free to utilize their third-party data loggers, old-school Davis data loggers, direct serial line communication, etc.
• Watching the serial line for any activity during the boot sequence reveals that the serial line is not involved in the authentication process. This leaves the Serial Peripheral Interface (SPI) as a promising candidate.
• The Adesto Technologies datasheet for the AT45DB011 DataFlash chip [20] is an interesting read, as it provides several hints of what mechanisms can be employed in the authentication process without adding additional hardware components to the circuitry.
3.3.2 Particulars from the AT45DB011 datasheet
The Adesto Technologies AT45DB011 1Mbit DataFlash chip [20] found in original Davis data loggers contains the storage space for logging weather observations from the console. The AT45DB011 DataFlash chip is well documented and it even supports a limited instruction set. The instruction set is typically used to store and retrieve data and to carry out related "housekeeping functions".
3.3.3 Logic analyzer findings
Using a logic analyzer such as the Saleae Logic16 [15] hooked up to GND and the MOSI, MISO, CLK and SS lines between the console and the original Davis data logger reveals which communication is going on there. The data logger authentication only takes place during the console boot sequence, either when first powering up the console or after a console reset. The console starts out by reading the chip status.
Figure 8: Bird on the wire: the Saleae Logic16 listening in on the SPI communication between the console and the original Davis data logger. The AT45DB011 DataFlash chip is the one at the far left of the PCB. http://meteo.annoyingdesigns.
3.3.4 Having a chat with a green-dot Davis data logger
Using a BusPirate [18] in SPI mode, the AT45DB011 status byte and the security register can be read from an original Davis data logger. This step is by no means required, but it can be a useful tool to extract the contents of the security register in the AT45DB011 DataFlash chip. The BusPirate is connected to a PC via a USB cable.
Then proceed by sending some commands to the AT45DB011 DataFlash chip in the original data logger and read the return values:
• To read the chip status, which should return 0x8C: [0xd7 r:1]
• To read the manufacturer ID and device density, which should return the values 0x1F 0x22 0x00 0x00: [0x9f r:4]
• To read the entire security register of 128 bytes: [0x77 0 0 0 r:128]
Figure 9: The BusPirate having a friendly chat with an original Davis data logger.
Figure 10: The BusPirate doing just what it is supposed to do.
The contents of the security registers of two different Davis data loggers are included below (also refer to section 6.
4 The solution (and end to troubles)
As the data logger authentication process has been reasonably well documented, a flow diagram can be constructed to visualize which details need to be worked on. The essential mechanisms are indicated by red shadows in figure 11. However, please note that:
• For non-green dot consoles running firmware version ≥ 3.12, the authentication process is bypassed.
4.1 The next few steps
From here on, it's all a matter of:
• Choosing a microcontroller for the implementation.
• Choosing a compiler/IDE and other programming tools for the implementation.
• Programming the microcontroller.
• Wiring the microcontroller to the console.
4.2 Selecting a microcontroller
There is a huge variety of microcontrollers available, many of which can be used to reply to the commands from the Davis console.
4.3 A simple BASCOM-AVR implementation for the ATtiny25/45/85
The BASCOM-AVR BASIC compiler [12] for Windows is available free of charge. While Atmel Studio [7] and WinAVR [24] are certainly capable of the task (utilizing the C/C++ languages), Atmel Studio requires Microsoft Visual Studio as a back-end, resulting in a rather comprehensive software package. The BASCOM-AVR IDE/compiler requires only some 50 MB of disk space, and runs considerably faster than Atmel Studio on old-fashioned computers.
' Unlock the Davis VP2/Vue console serial line using the ATtiny25/45/85
' Torkel M. Jodalen - http://www.annoyingdesigns.com
' Revised: 2013-10-28
'
' NOTE: The SECURITY_REGISTER_DATA (128-byte security register) is defined
' in the DATA section following the program logic.
$PROG &HFF,&HC1,&HDF,&HFF    ' Lock, FuseLow, FuseHigh, FuseExtended
$REGFILE = "ATtiny85.
ElseIf COMMAND = CMD_SECURITY Then    ' Respond to CMD_SECURITY
    For I = 0 To 2                    ' First respond with three dummy bytes as per AT45DB011 specification
        While USI_DATA_READY <> 1
        Wend
        USIDR = &H00
        Reset USI_DATA_READY
    Next I
    For I = 0 To 127                  ' Then respond with 128-byte security register data
        While USI_DATA_READY <> 1
        Wend
        USIDR = Lookup(I , SECURITY_REGISTER_DATA)
        Reset USI_DATA_READY
    Next I
End If
' Done communicating, set Hi-Z state on PB1 (MISO) port
Config PortB.
' Unlock the Davis VP2/Vue console serial line using the ATtiny85 and a random device ID.
' Using algorithm as described by WXForum.net user "watson" on November 28, 2013.
'
' NOTE: The ATtiny25 does NOT have sufficient SRAM for this implementation.
'
' Torkel M. Jodalen - http://www.annoyingdesigns.com
' Revised: 2013-11-30
'
$PROG &HFF,&HC1,&HDF,&HFF
$REGFILE = "ATtiny85.
' Wait for something to come around
While USI_Data_ready <> 1
Wend
If COMMAND = CMD_STATUS Then          ' Respond to CMD_STATUS
    While USI_DATA_READY <> 1
    Wend
    USIDR = RESPONSE_STATUS
    Reset USI_DATA_READY
ElseIf COMMAND = CMD_SECURITY Then    ' Respond to CMD_SECURITY
    For I = 0 To 2                    ' First respond with three dummy bytes as per AT45DB011D specification
        While USI_DATA_READY <> 1
        Wend
        USIDR = &H00
        Reset USI_DATA_READY
    Next I
    For I = 0 To 127                  ' Then respond with 128-byte security register data
        While USI_DATA_READY <> 1
        We
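The BusPirate commands in section 3.3.4 and the command handling in the BASCOM listings above follow the same AT45DB011 response sequence (status, ID, three dummy bytes then the 128-byte security register). As an added example that is not part of the original document, the Python model below replays BusPirate-style scripts against a software emulation of that sequence; the class and function names are assumptions, and the register contents are a constructed placeholder, since the real values are read from a genuine Davis logger.

```python
# Added example (not from the original document): byte-level model of the
# AT45DB011 responses the ATtiny must emulate, driven by BusPirate-style scripts.
CMD_STATUS = 0xD7       # read status byte -> 0x8C on a Davis logger
CMD_ID = 0x9F           # manufacturer/device ID -> 1F 22 00 00
CMD_SECURITY = 0x77     # read security register: 3 dummy bytes, then 128 bytes
RESPONSE_STATUS = 0x8C
RESPONSE_ID = bytes([0x1F, 0x22, 0x00, 0x00])
# Constructed placeholder (assumption); real values come from a genuine Davis logger.
SECURITY_REGISTER_DATA = bytes(range(128))


class At45Emulator:
    """SPI slave model: one transfer() per clocked byte while /CS is low."""

    def __init__(self, security_register=SECURITY_REGISTER_DATA):
        if len(security_register) != 128:
            raise ValueError("security register is 128 bytes")
        self.security_register = security_register
        self.deselect()

    def deselect(self):
        """/CS high: the chip forgets the current command and byte position."""
        self.command, self.index = None, 0

    def transfer(self, mosi):
        """Clock one byte in on MOSI, return the byte driven out on MISO."""
        if self.command is None:         # first byte after /CS low is the opcode
            self.command = mosi
            return 0x00
        i, self.index = self.index, self.index + 1
        if self.command == CMD_STATUS:   # status is repeated for every clocked byte
            return RESPONSE_STATUS
        if self.command == CMD_ID:
            return RESPONSE_ID[i] if i < len(RESPONSE_ID) else 0x00
        if self.command == CMD_SECURITY:
            # Datasheet sequence: opcode, 3 don't-care bytes, then the 128 register bytes.
            return 0x00 if i < 3 or i - 3 >= 128 else self.security_register[i - 3]
        return 0x00                      # unsupported opcode: drive zeros


def run_buspirate(chip, script):
    """Replay a BusPirate SPI script ('[' = /CS low, ']' = /CS high, numbers
    are bytes written, 'r:N' reads N bytes) and return the bytes read back."""
    out = bytearray()
    for tok in script.replace("[", " [ ").replace("]", " ] ").split():
        if tok in ("[", "]"):
            chip.deselect()              # each bracket starts/ends a transaction
        elif tok.startswith("r:"):
            for _ in range(int(tok[2:])):
                out.append(chip.transfer(0xFF))   # reads clock out dummy 0xFF bytes
        else:
            chip.transfer(int(tok, 0))   # '0x9f' or '0': a byte written, reply discarded
    return bytes(out)
```

Running the three scripts from section 3.3.4 against the model reproduces the expected replies (0x8C, 1F 22 00 00 and the 128 register bytes), which is the same check the BusPirate performs against a real logger.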
4.5 Using BASCOM-AVR with the STK500 and the ATtiny25/45/85
Getting up to speed with BASCOM-AVR and the STK500 may require a tiny bit of effort. The main challenge will probably be the installation of the required Windows drivers for the STK500. The steps below should be sufficient to get going within an hour or so:
4.5.1 The STK500 User Guide, read it!
Take the time to read the STK500 User Guide [3]. The STK500 is a fine piece of equipment with a large number of configuration options.
Figure 13: Jumper configuration for the STK500. Also note the location of the ATtiny25/45/85 MCU as placed in the programming socket. In this photo, the "orientation notch" of the MCU points upwards.
4.5.3 The MCU programming process
Using the BASCOM-AVR compiler and the STK500 programmer is more or less self-explanatory.
4.6 Testing the MCU after programming
Once the MCU has been programmed in the STK500 programmer, it can be tested by using the BusPirate without removing the MCU from the STK500. Keep the wires as short as possible and remember to disconnect the programming cable from the blue SPROG1 header. Even here the combined length of the PCB "wires" and the wires connecting the BusPirate to the STK500 may be too long to facilitate trouble-free SPI communication.
4.7 Wiring the programmed MCU to the Vantage Pro2 console
Wiring the ATtiny25/45/85 to the console can be achieved by connecting 6 short wires from the console expansion connector to the MCU. As SPI communication is intended for short-distance communication only (typically between devices located on the very same PCB), using long wires will not work. The implementation shown here has been successfully tested with 10-15 cm wire lengths.
Figure 18: Required wiring between the console expansion connector and the MCU. Refer to figure 5 for a description of the expansion connector.
Figure 19: Presto! The three extra wires carry the serial line signals TXD, RXD and GND at 3.3V signal levels. Using shorter wires, the ATtiny25/45/85 MCU can be safely tucked away in the small bay just below the console expansion connector.
5 Implications and complications
Davis created a number of problems by introducing firmware version 3.xx, not only to those utilizing non-Davis equipment, but also to their own support organization. Also, answers received from Davis technical support don't really add to the company's credibility. Section 5.4 contains some relevant email excerpts.
5.1 Product names/versions
• Davis has released no official information on the "original data logger" requirement introduced in firmware version 3.00.
• The official Davis policy of "smokescreen lies" may work for a short while, until someone takes the trouble to document what really goes on. Sadly, there is only room for one character at the bottom line: it all boils down to $.
5.4 Email correspondence
In late December, 2012, the following email exchanges took place between the author and Davis technical support. At this point the nature of the "original data logger requirement" had already been identified.
Someone is telling lies here. The above statement just isn't true, refer to [10] and [14] for details.

"The hardware has been updated for greater reliability and to provide for future enhancements."

Asking for further details, this was swiftly followed up by:

"There are no known reliability issues with 1.90, we are always updating the design and hardware on our stations to keep up with current technology. At this point there are no plans for future enhancements to our stations."
6 Et cetera
6.1 Parts list
Apart from the normal stuff found in well-assorted workbench drawers such as screwdrivers and a soldering iron, the following parts are required to assemble the "product" mentioned in this document. It may be possible to order most of the parts from one single supplier; the list below contains the units which are confirmed to fit the purpose, along with the name/URL of the various suppliers which they were once ordered from.
6.2 Reverse-engineered data logger schematic
An anonymous source contributed this reverse-engineered data logger schematic. Its validity has not been verified, as I never had a need for a logger unit myself. The Seiko S-81230 voltage regulator indicates that the unit actually runs on 3.0 V.
Figure 20: Reverse-engineered data logger schematic, contributed by an anonymous source.
6.3 Questions and answers
Are there other attack vectors which can be used to unlock the console serial line?
Yes. Davis obviously don't apply NSA security standards to their products.
Can the ATtiny25/45/85 be removed from the console after a successful authentication?
Yes, it can. It seems that the authentication will remain valid until the console is reset. Still, please note the caution on page 2 of this document.
Any news regarding the calculation of security register values?
Yes. On November 28, 2013 WXForum.net user watson published the algorithm to calculate the security register values based on a known device ID. Section 4.4 refers.
What would be the right thing for Davis to do regarding firmware v. 3.
What does it take to build a third-party data logger?
A little effort. Study the datasheets for the relevant components and you'll find that bits and pieces fit together quite nicely. Section 6.2 refers. Or use a Raspberry Pi, a BeagleBone or another minicomputer which can be configured to meet your exact needs.
What's the main purpose of this document?
Self-education.
Why won't WeatherLink work with just the serial line?
Because WeatherLink is old-school proprietary software and even requires a hardware-provided communication handshake, achieved by:
• Connecting the RTS and CTS lines.
• Connecting the DSR, DTR and (D)CD lines.
Figure 21 and the excellent writeup by DeKay [11] refer. Oh, BTW, the entire concept of a hardware-implemented communication handshake in the data logger is so 1980ish.
6.4 Contact information
Contact information, web address, Google Groups discussion forum, et cetera:
Torkel M. Jodalen
Pb. 1036 Jeløy
NO-1510 Moss
Norway
Email → tmj@bitwrap.no (no technical questions, please)
Web → http://meteo.annoyingdesigns.com
WOSPi → http://meteo.annoyingdesigns.com/WOSPi.pdf
Google Groups → https://groups.google.com/group/wospi?hl=en (Yes, we're using the WOSPi group for this purpose, too; feel free to post your technical questions here.)
References
[1] Davis Instruments Corp. Davis Instruments 2013 Catalog. Hayward, CA, USA, 2013.
[2] Davis Instruments Corp. Vantage Pro, Vantage Pro2 and Vantage Vue serial communication reference manual v. 2.61. http://www.davisnet.com/support/weather/download/VantageSerialProtocolDocs_v261.pdf, 2013. Accessed: 2013-06-22.
[3] Atmel Corporation. STK500 User Guide. http://www.atmel.com/Images/doc1925.pdf, 2003. Accessed: 2013-06-29.
[4] Atmel Corporation. AVR319: Using the USI module for SPI communication.
[15] Saleae LLC. The Logic16 logic analyser. http://www.saleae.com/logic16, 2013. Accessed: 2013-06-24.
[16] Jurij Mikeln. Introduction to microcontroller programming using BASCOM. AX elektronika d.o.o., Ljubljana, Slovenia, 2000.
[17] Jurij Mikeln and Vladimir Mitrovic. BASCOM AVR programming. AX elektronika d.o.o., Ljubljana, Slovenia, 2012.
[18] Where Labs LLC / Dangerous Prototypes. BusPirate v3. http://dangerousprototypes.com/docs/Bus_Pirate, 2013. Accessed: 2013-06-24.
[19] rdsman.
Revision history
A working implementation using the ATtiny25/45/85 series of MCUs was complete as of December, 2012. Writing the documentation/do-it-yourself guide is what has taken most of the time. The revision history of this document is recorded below.
Date | Change(s) applied
2014.12.29 2014.10.23 2013.11.30 | Minor editorial changes. Minor editorial changes. Added section 4.4. Editorial changes. Minor editorial changes. Minor editorial changes. Minor change to the program code.