This shows you the differences between two versions of the page.
printer_cartridge [2017/09/14 09:47] – add implementing cartridge chip kingkevin | printer_cartridge [2024/01/07 17:49] (current) – external edit 127.0.0.1 | ||
Line 43: | Line 43: | ||
- the family code (last byte of the ROM ID) " | - the family code (last byte of the ROM ID) " | ||
- the function commands present in the trace (0x0f, 0xaa, 0xa5) [[http:// | - the function commands present in the trace (0x0f, 0xaa, 0xa5) [[http:// | ||
- | - the [[https:// | + | - the [[https:// |
- based on this datasheet I implemented a DS2432 protocol decoder for sigrok, and the capture matches (no bytes missing or exceeding, and the commands order make sense). Only the family code does not match: 0x33 for DS2432, 0xb3 for our chip | - based on this datasheet I implemented a DS2432 protocol decoder for sigrok, and the capture matches (no bytes missing or exceeding, and the commands order make sense). Only the family code does not match: 0x33 for DS2432, 0xb3 for our chip | ||
- even the used SHA-1 hash implementation used for authentication matches (I re-implemented and tested it with key material I found later) | - even the used SHA-1 hash implementation used for authentication matches (I re-implemented and tested it with key material I found later) | ||
Thus this chip is a DS2432, either re-branded or cloned. | Thus this chip is a DS2432, either re-branded or cloned. | ||
- | [[https:// | + | [[https:// |
==== implementing DS2432 ==== | ==== implementing DS2432 ==== | ||
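Review bot: the two link entries added in this hunk (the `- the [[https://` bullet and the `[[https://` line before the heading) have no visible label, so a reader cannot tell what is being cited even though the following bullet relies on it as "this datasheet" and the conclusion "this chip is a DS2432, either re-branded or cloned" rests on it; give each link a DokuWiki label such as `[[url|DS2432 datasheet]]` with the actual URL. Since the family code is the only observed mismatch (0x33 for DS2432, 0xb3 for this chip), state that next to the conclusion as the one remaining discrepancy, and fix "the commands order make sense" to "the command order makes sense".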
Line 60: | Line 60: | ||
* since the printer tries 4 times reading out the authenticated page using the same challenge there is plenty of time to forward the request and use an original chip as oracle | * since the printer tries 4 times reading out the authenticated page using the same challenge there is plenty of time to forward the request and use an original chip as oracle | ||
* the print is done before updating the toner level, thus you could completely ignore the corresponding write commands | * the print is done before updating the toner level, thus you could completely ignore the corresponding write commands | ||
- | * even if you use an original chip a oracle, the write success is not authenticated, | + | * even if you use an original chip as oracle, the write success is not authenticated, |
* the printer starts by reading memory page 1 without authentication. Maybe there is some field in there allowing to switch to god mode (e.g. developer mode), which does not require authentication | * the printer starts by reading memory page 1 without authentication. Maybe there is some field in there allowing to switch to god mode (e.g. developer mode), which does not require authentication | ||
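Review bot: "a oracle" is correctly changed to "as oracle", but the sentence then stops at "the write success is not authenticated," with its consequence missing in this rendering, so the claim cannot be checked against the bullets above; finish the sentence and say which write (the toner-level update named in the previous bullet) returns a result the printer does not authenticate. The final bullet's "god mode (e.g. developer mode)" is a guess rather than something observed in the trace; mark it as untested so it is not read as an established property of memory page 1.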