DAVIS Vantage Vue ISS Fiche technique

A fix for the firmware v. 3.xx problemin Davis Instruments Corp. weather stations© Torkel M. Jodalenannoyingdesigns.comDecember 29, 2014AbstractThis doc

3.2 So, how does it work, then?During power-up (boot sequence) or after a reset9, the console performs internal checksand determines whether a data lo

• Watching the serial line for any activity during the boot sequence reveals that theserial line is not involved in the authentication process. This l

3.3.2 Particulars from the AT45DB011 datasheetThe Adesto Technologies AT45DB011 1Mbit DataFlash chip [20] found in original Davisdata loggers contains

3.3.3 Logic analyzer findingsUsing a logic analyzer such as the Saleae Logic16 [15] hooked up to GND and the MOSI,MISO, CLK and SS lines between the co

Figure 8: Bird on the wire: the Saleae Logic16 listening in on the SPI communication between the consoleand the original Davis data logger. The AT45DB

3.3.4 Having a chat with a green-dot Davis data loggerUsing a BusPirate [18] in SPI mode, the AT45DB011 status byte and the security registercan be re

Then proceed by sending some commands to the AT45DB011 DataFlash chip in theoriginal data logger and read the return values:• To read the chip status,

Figure 10: The BusPirate doing just what it is supposed to do.The contents of the security registers of two different Davis data loggers is includedbe

4 The solution (and end to troubles)As the data logger authentication process has been reasonably well documented, a flowdiagram can be constructed to

4.1 The next few stepsFrom here on, it’s all a matter of:• Chosing a microcontroller for the implementation.• Chosing a compiler/IDE and other program

DisclaimerThe author assumes no responsibility for your use of information contained in thisdocument. Experiment entirely at your own risk.The author

4.3 A simple BASCOM-AVR implementation for the ATtiny25/45/85The BASCOM-AVR BASIC compiler [12] for Windows is available free of charge10. WhileAtmel

' Unlock the Davis VP2/Vue console serial line using the ATtiny25/45/85' Torkel M. Jodalen <[email protected]> - http://www.annoyingdesig

ElseIf COMMAND = CMD_SECURITY Then' Respond to CMD_SECURITYFor I = 0 To 2' First respond with three dummy bytes as per AT45DB011 specificati

' Unlock the Davis VP2/Vue console serial line using the ATtiny85 and a' random device ID. Using algorithm as described by WXForum.net user&

' Wait for something to come aroundWhile USI_Data_ready <> 1WendIf COMMAND = CMD_STATUS Then' Respond to CMD_STATUSWhile USI_DATA_READ

4.5 Using BASCOM-AVR with the STK500 and the ATtiny25/45/85Getting up to speed with BASCOM-AVR and the STK500 may require a tiny bit of effort.The mai

Figure 13: Jumper configuration for the STK500. Also note the location of the ATtiny25/45/85 MCU asplaced in the programming socket. In this photo, the

4.6 Testing the MCU after programmingOnce the MCU has been programmed in the STK500 programmer, it can be tested byusing the BusPirate without removin

4.7 Wiring the programmed MCU to the Vantage Pro2 consoleWiring the ATtiny25/45/85 to the console can be achieved by connecting 6 short wiresfrom the

Figure 18: Required wiring between the console expansion connector and the MCU. Refer to figure 5 fora description of the expansion connector.Figure 19

Contents1 Introduction 21.1 The Davis Vantage Pro2 series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21.2 Typical station setup . . .

5 Implications and complicationsDavis created a number of problems by introducing firmware version 3.xx — not onlyto those utilizing non-Davis equipmen

• The official Davis policy of ”smokescreen lies” may work for a short while — untilsomeone takes the trouble to document what really goes on. Sadly, t

Someone is telling lies here. The above statement just isn’t true, refer to [10] and [14]for details.The hardware has been updated for greater reliabi

6 Et cetera6.1 Parts listApart from the normal stuff found in well-assorted workbench drawers such as screw-drivers and a soldering iron, the followin

6.2 Reverse-engineered data logger schematicAn anonymous source contributed this reverse-engineered data logger schematic. Itsvalidity has not been ve

6.3 Questions and answersAre there other attack vectors which can be used to unlock the console serial line?Yes. Davis obviously don’t apply NSA secur

Any news regarding the calculation of security register values?Yes. On November 28, 2013 WForum.net user watson published the algorithm to calcu-late

What does it take to build a third-party data logger?A little effort. Study the datasheets for the relevant components and you’ll find that bitsand pie

Why won’t WeatherLink work with just the serial line?Because WeatherLink is old-school proprietary software and even requires a hardware-provided comm

6.4 Contact informationContact information, web address, Google Groups discussion forum, et cetera:Torkel M. JodalenPb. 1036 JeløyNO-1510 MossNorwayEm

1 Introduction1.1 The Davis Vantage Pro2 seriesDespite shortcomings in sensor accurancy3the Vantage Pro2 series of weather stations,manufactured by Da

References[1] Davis Instruments Corp. Davis Instruments 2013 Catalog. Hayward, CA, USA, 2013.[2] Davis Instruments Corp. Vantage Pro, Vantage Pro2 and

[15] Saleae LLC. The Logic16 logic analyser. http://www.saleae.com/logic16,2013. Accessed: 2013-06-24.[16] Jurij Mikeln. Introduction to microcontroll

Revision historyA working implementation using the ATtiny25/45/85 series of MCUs was complete asof December, 2012. Writing the documentation/do-it-you

http://meteo.annoyingdesigns.com 41

1.3 Original Davis data loggersData loggers cover two different functions: archiving data from the console and provid-ing a means of communicating wit

Figure 1: Original Davis data logger — non-green dot version (product # 06510 SER).Figure 2: Original Davis data logger, under the cover — green dot v

2 The green dot data logger problemStarting in 2012, new Davis data loggers suddenly shipped with a green dot stickerattached to the enclosure, hence

3 A look inside the Davis unitsApart from the custom-made LCD display, the Davis Vantage Pro2 console consists ofcommonly available electronics parts.

3.1 The console serial lineOf particular interest on the ATmega128L MCU are the pins used for serial line commu-nication (pins 2, 3 and GND) as well a