Skip to content

Modified and improved AirSense 10 PAP device firmware. Messy and experimental.

License

Notifications You must be signed in to change notification settings

smhc/airbreak-plus

Repository files navigation

CPAP running custom firmware

Jailbreaking CPAP machines to make temporary ventilators

This is the README for the internals of ResMed CPAP jailbreak works; for a high-level overview, see airbreak.dev.

This tree does not contain any files that are copyrighted by ResMed. You must have a device to extract the firmware from, which is then patched, and the modified version is re-flashed.

You will need the tools described in docs/installation. The stubs.S file that has been committed is for SX567-0401. Flashing it on a different version will likely cause problems.

Extensions can either replace existing functions at fixed addresses, or can use some of the unused space in the image. The Makefile has a short explanation of how to do this; the patch-airsense file will also need to be updated to patch the binary file into the firmware.

Helpful GDB commands:

Reboot the device and halt before running any code:

mon reset halt

Unlock the STM32 and flash the new firmware into it:

mon stm32f2x options_write 0 0x2c ; reset halt ;  flash write_image erase stm32-breath.bin 0x8000000

Read the Therapy Manager floating point variables, or a specific one like the target pressure (0x2d):

x/200f 0x2000e948
x/f (0x2000e948 + 4 * 0x2a)

Read the Therapy Manager integer variables, or a specific one like the current mode (0x6F):

x/200xw 0x2000e750
x/xw (0x2000e750 + 4 * 0x6F)

About

Modified and improved AirSense 10 PAP device firmware. Messy and experimental.

Resources

License

Code of conduct

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C 92.3%
  • Assembly 4.0%
  • Python 1.9%
  • Tcl 0.9%
  • Shell 0.6%
  • Makefile 0.2%
  • Perl 0.1%