CuVoodoo

the sorcery of copper

printer_cartridge

Differences

This shows you the differences between two versions of the page.

printer_cartridge [2017/09/14 11:47]
kingkevin add implementing cartridge chip
printer_cartridge [2019/04/15 08:32] (current)
kingkevin [implementing DS2432] typo
Line 43: Line 43:
   - the family code (last byte of the ROM ID) "​0xb3"​ (decoded from the trace) doesn'​t match [[https://​github.com/​owfs/​owfs-doc/​wiki/​1Wire-Device-List|common lists]] (mTC002 it a for a thermocouple. a different manufacturer might have used the same family code)   - the family code (last byte of the ROM ID) "​0xb3"​ (decoded from the trace) doesn'​t match [[https://​github.com/​owfs/​owfs-doc/​wiki/​1Wire-Device-List|common lists]] (mTC002 it a for a thermocouple. a different manufacturer might have used the same family code)
   - the function commands present in the trace (0x0f, 0xaa, 0xa5) [[http://​owfs.sourceforge.net/​family.html|match]] a couple of devices   - the function commands present in the trace (0x0f, 0xaa, 0xa5) [[http://​owfs.sourceforge.net/​family.html|match]] a couple of devices
-  - the [[https://​www.maximintegrated.com/​en/​products/​digital/​memory-products/​DS2432.html|DS2432]] matches the usage: 1-Wire (the protocol used) EEPROM (to store the toner level) with SHA-1 authentication (to prevent counterfeit cartridges). The [[http://​datasheets.maximintegrated.com/​en/​ds/​DS2432.pdf|Maxim datasheet]] is abridged and does not contains family code and function command codes (lame security by obscurity), but the [[http://​pdf.datasheetcatalog.com/​datasheet/​maxim/​DS2432.pdf|Dallas datasheet]] does+  - the [[https://​www.maximintegrated.com/​en/​products/​ibutton/​memory-products/​DS2432.html|DS2432]] matches the usage: 1-Wire (the protocol used) EEPROM (to store the toner level) with SHA-1 authentication (to prevent counterfeit cartridges). The [[http://​datasheets.maximintegrated.com/​en/​ds/​DS2432.pdf|Maxim datasheet]] is abridged and does not contains family code and function command codes (lame security by obscurity), but the [[http://​pdf.datasheetcatalog.com/​datasheet/​maxim/​DS2432.pdf|Dallas datasheet]] does
   - based on this datasheet I implemented a DS2432 protocol decoder for sigrok, and the capture matches (no bytes missing or exceeding, and the commands order make sense). Only the family code does not match: 0x33 for DS2432, 0xb3 for our chip   - based on this datasheet I implemented a DS2432 protocol decoder for sigrok, and the capture matches (no bytes missing or exceeding, and the commands order make sense). Only the family code does not match: 0x33 for DS2432, 0xb3 for our chip
   - even the used SHA-1 hash implementation used for authentication matches (I re-implemented and tested it with key material I found later)   - even the used SHA-1 hash implementation used for authentication matches (I re-implemented and tested it with key material I found later)
  
 Thus this chip is a DS2432, either re-branded or cloned. Thus this chip is a DS2432, either re-branded or cloned.
-[[https://​electronics.stackexchange.com/​questions/​171329/​help-identifying-this-chip-eeprom|Other printers]] (here a filament cartridge for the Stratasys UPrint SE 3D printer) also use this chip, but in a [[https://​www.3dprintforums.com/​showthread.php/3153-How2-Refill-the-EEPROM-of-the-HP-DesignJet-3D-aka-uPrint|non-secure]] [[https://​github.com/​bvanheu/​stratasys/​issues/​21|way]].+[[https://​electronics.stackexchange.com/​questions/​171329/​help-identifying-this-chip-eeprom|Other printers]] (here a filament cartridge for the Stratasys UPrint SE 3D printer) also use this chip, but in a [[https://​www.3dprintforums.com/​forum/stratasys/​how2-refill-eeprom-hp-designjet-3d-aka-uprint-3153/|non-secure]] [[https://​github.com/​bvanheu/​stratasys/​issues/​21|way]].
  
 ==== implementing DS2432 ==== ==== implementing DS2432 ====
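Review bot: The edit summary says "typo", but both changed lines in this hunk only swap link targets (the DS2432 product page URL and the 3dprintforums thread URL), so the summary should say that links were updated. While the DS2432 line is being touched, "does not contains family code" should read "does not contain the family code", and the first context line still has "mTC002 it a for a thermocouple", which looks like a leftover typo worth fixing in the same revision.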
Line 60: Line 60:
   * since the printer tries 4 times reading out the authenticated page using the same challenge there is plenty of time to forward the request and use an original chip as oracle   * since the printer tries 4 times reading out the authenticated page using the same challenge there is plenty of time to forward the request and use an original chip as oracle
   * the print is done before updating the toner level, thus you could completely ignore the corresponding write commands   * the print is done before updating the toner level, thus you could completely ignore the corresponding write commands
-  * even if you use an original chip oracle, the write success is not authenticated,​ thus you can fake that the write succeeded when you are MitM, if the printer doesn'​t read the authenticated value afterwards to ensure the write took place+  * even if you use an original chip as oracle, the write success is not authenticated,​ thus you can fake that the write succeeded when you are MitM, if the printer doesn'​t read the authenticated value afterwards to ensure the write took place
   * the printer starts by reading memory page 1 without authentication. Maybe there is some field in there allowing to switch to god mode (e.g. developer mode), which does not require authentication   * the printer starts by reading memory page 1 without authentication. Maybe there is some field in there allowing to switch to god mode (e.g. developer mode), which does not require authentication
  
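Review bot: In the changed bullet, the claim that a faked write success goes unnoticed hinges on "if the printer doesn't read the authenticated value afterwards", and the text never says whether the capture shows such a read-back; state what the trace shows so the reader can tell observation from speculation. "MitM" is also used without being spelled out, and the sentence would read better split in two after "the write success is not authenticated".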
printer_cartridge.1505382448.txt.gz · Last modified: 2017/09/14 11:47 by kingkevin