This repository is part of a reverse engineering project to understand the communication process between Medtronic 630G / 640G / 670G pumps and the Contour Next Link 2.4 blood glucose meter and Medtronic-compatible equipment. It includes my analysis of the CNL connections and test point leads. This knowledge, combined with the past achievements of Pazaan and Bal00, should drive the project forward.
- Current Project Status
- What We Currently Know
- Hardware Overview, what I have discovered
- Reverse engineering
Steps currently taken in the reversing project:
- Disassemble the CNL24 and identify the chipsets on board
- Attempt to read the firmware of the TI CC2430 ZigBee radio
- Since then, no significant success has been achieved
This repository will guide you through the next steps:
- Attempt to read flash memory from MX25L1606-8006E_DS_EN
- Microcontroller reading via the debug connector
- Pending hardware delivery
The OTA protocol layer follows the 802.15.4 spec, and I am pretty sure it is ZigBee. A good portion of the protocol has already been discovered by Pazaan in his repo at https://github.com/pazaan/decoding-contour-next-link. The current issue at hand is that the CNL24's USB layer appears to block write actions and only supports reading. So with a CNL24 alone, we can read Medtronic CGM and pump settings over USB, but if we want to loop with the pumps, we have to get direct over-the-air access.
We need to figure out how the firmware generates the AES key in order to connect our own custom radios to the pump. Unfortunately, the possibility of remotely changing the base level has not been discovered. It probably doesn't exist. As a result, Medtronic 630G / 640G pumps may not be suitable for OpenAPS solutions.
Renesas PD70F3796 microcontroller
The main integrated circuit is the Renesas PD70F3796 microcontroller, in a 100-pin plastic LQFP package. The microcontroller has:
Renesas microcontroller | PD70F3796 |
---|---|
Flash memory | 512 KB |
RAM | 40 KB |
Logical space | 64 MB |
External memory area | 13 MB |
Max. frequency | 20 MHz |
https://www.renesas.com/us/en/doc/products/mpumcu/doc/v850/r01uh0001ej0400_v850esjx3l.pdf
Unknown circuits
On the top side, there is one unknown IC.
- 1? HSS 064 67 or S7T S57 44. Its function is unknown.
- 2? The second chip was recognized as MAX 17040, thanks to @ecc1. It is a battery cell level indicator circuit.
Meter measuring system
This is probably the system used to measure the glucose from the sample on the test strip. We can omit it because it is not involved in connecting the CNL with the pump.
TOSHIBA T5DBO0 1624 HUL 181961
Ti SoC CC2430 ZigBee Radio
This side carries the CC2430-F128 radio chip.
It is a Texas Instruments RF chip: an RF transceiver with an industry-standard enhanced 8051 MCU, 128 KB flash memory and 8 KB RAM. I know from experience that the 8051 does not support all standard functions, so it's good to read the documentation and errata. The chip is set up and programmed each time it is started. It does not store the program code. Therefore, we have to focus on the MX25L memory and the PD70F3796 microcontroller.
http://www.ti.com/lit/ds/symlink/cc2430.pdf
CC2430-F128 5CW01HG 1549
Flash Memory
The PD70F3796 microcontroller works with the MX25L1606-8006E_DS_EN flash memory. This is a 16M-bit CMOS serial flash: http://www.zlgmcu.com/mxic/pdf/NOR_Flash_c/MX25L1606-8006E_DS_EN.pdf
Controller NCP372
Positive and Negative overvoltage protection controller.
Having access to specialized equipment, I desoldered the PD70F3796 and CC2430 chips and analyzed the connections between the components on the motherboard. From this I was able to create a CNL schematic diagram. There are test points on the motherboard, and I was able to tag most of them. We can distinguish the following pins: the flash memory bus and the connections between the processor and the radio. The most important is the debug port. With it we can connect to the PD70F3796 control unit.
Test point numbers are the pin numbers of the respective components (e.g. 46 - CC2430 is pin 46 of the CC2430 RF chip).
I include the diagram and the TinyCAD library files. https://sourceforge.net/projects/tinycad/
What to do next
I hope that this documentation will be used to further develop a replacement device connecting the pump with the phone. This would create a wireless pump status data connector that can send information to Nightscout without a CNL connection via the USB port.
The repository was established on the basis of previous publications by Bal00 https://github.com/Bal00/reversing-contour-next-link-24 and Pazaan https://github.com/pazaan/decoding-contour-next-link #wearenotwaiting