Thursday 2 September 2010

When You Can't Find a Hack, Make Your Own

I recently got wind of sweet deal on a Planet Eclipse eTek3 paintball marker and I took it. The gun is great. It's well designed, light, easy to use, and it's electronic.
Being me I naturally started to look into what upgrades, customizations, and hacks were available for it. I was surprised to find there were no hacks AT ALL to be found anywhere in Google for it. I figured at least people would be doing simple things like putting in circuits to simulate rapid trigger pulling... but nope; nothing out there. I did find all sorts of other parts I could spend large sums of money on to swap out the "board" (aka single sided PCB with a single MCU on it- this isn't rocket science) to something with more blinking lights and LCD's! Oooh boy! Oh no, wait. I'm not a 13 year old kid and I'm not dazzled by blinking lights and the ability to modify the colour of my OLED screen or -GASP- 2 MIPS!
All these wickedly overpriced and overhyped electronics did get me thinking so I opened up the marker and looked at the board.
I was pleasently surprised when I found that the heart of the stock board was a PIC18F1320 MCU (10 MIPS BTW). I know the PICs well and I immediately located the ICSP traces on the PCB. After a little rummaging around in the basement I found my USB Willem with ICSP header and wired the two together. I dumped the PIC and was not terribly surprised to find that the application code and bootloader were both read and write protected. I was more surprised to find that the on-chip eeprom memory was readable and writeable.
The hex values I saw were few enough that I thought they could easily map back to the variables the gun offered (trigger de-bounce, balls per second caps, dwell, shots to trigger auto-fire, etc.) so I reset the board to defaults, dumped the hex values and repeated the process making single changes. It was pretty easy to see what was what and I quickly figured out the math behind the hex -> real world value and the checksum routine. (8bit math FTW!)
Once I was pretty confident I could make a change and set the proper checksum I modified the values and wrote back to the PIC. I fired up the gun and verified that I had indeed changed the variable correctly (the firing mode to be safe) and I gave myself a pat on the back for spending about 4 hours to do what could be done with the board still in the gun in about 30 seconds. :p
The obvious goal was to see if I could put in a value that exceeded what the stock board would allow. For example, the stock board won't allow you to go over 15.4 balls per second in the ramping mode. An aftermarket board will go up to the theoretical physical limit of the gun which is ~25bps. I made the change, flashed the settings back, and fired up the gun. I was VERY excited to see the gun flash twice in the tens indicator proving that I had indeed just set the gun to shoot at 20bps - 4.6bps faster than "allowed"... for free.
Of course, just because the little blinking lights says it'll shoot 20bps doesn't mean it will so I loaded up some reballs and tested. WOW! 20bps is stupidly fast!

Up next: tweaking the values to make a full auto mode for the big game Sept 19 :D

P.S. I thought about detailing the entire hack along with how to decode the hex values and calculate the checksum but I think it's better not to. If you're not smart enough to read this post, do the work, and figure out the math on your own it's probably better off that you don't do it.

EDIT: Added links

1 comment:

Derek said...

Jerk!!! Share the math with all the script kiddies!!!