CuVoodoo

the sorcery of copper

printer_cartridge

Differences

This shows you the differences between two versions of the page.

Previous revision: printer_cartridge [2017/09/14 09:47] – add implementing cartridge chip – kingkevin
Current revision: printer_cartridge [2024/01/07 17:49] (current) – external edit – 127.0.0.1
Line 43: Line 43:
   - the family code (last byte of the ROM ID) "0xb3" (decoded from the trace) doesn't match [[https://github.com/owfs/owfs-doc/wiki/1Wire-Device-List|common lists]] (mTC002 it a for a thermocouple. a different manufacturer might have used the same family code)   - the family code (last byte of the ROM ID) "0xb3" (decoded from the trace) doesn't match [[https://github.com/owfs/owfs-doc/wiki/1Wire-Device-List|common lists]] (mTC002 it a for a thermocouple. a different manufacturer might have used the same family code)
   - the function commands present in the trace (0x0f, 0xaa, 0xa5) [[http://owfs.sourceforge.net/family.html|match]] a couple of devices   - the function commands present in the trace (0x0f, 0xaa, 0xa5) [[http://owfs.sourceforge.net/family.html|match]] a couple of devices
-  - the [[https://www.maximintegrated.com/en/products/digital/memory-products/DS2432.html|DS2432]] matches the usage: 1-Wire (the protocol used) EEPROM (to store the toner level) with SHA-1 authentication (to prevent counterfeit cartridges). The [[http://datasheets.maximintegrated.com/en/ds/DS2432.pdf|Maxim datasheet]] is abridged and does not contains family code and function command codes (lame security by obscurity), but the [[http://pdf.datasheetcatalog.com/datasheet/maxim/DS2432.pdf|Dallas datasheet]] does+  - the [[https://www.maximintegrated.com/en/products/ibutton/memory-products/DS2432.html|DS2432]] matches the usage: 1-Wire (the protocol used) EEPROM (to store the toner level) with SHA-1 authentication (to prevent counterfeit cartridges). The [[http://datasheets.maximintegrated.com/en/ds/DS2432.pdf|Maxim datasheet]] is abridged and does not contains family code and function command codes (lame security by obscurity), but the [[http://pdf.datasheetcatalog.com/datasheet/maxim/DS2432.pdf|Dallas datasheet]] does
   - based on this datasheet I implemented a DS2432 protocol decoder for sigrok, and the capture matches (no bytes missing or exceeding, and the commands order make sense). Only the family code does not match: 0x33 for DS2432, 0xb3 for our chip   - based on this datasheet I implemented a DS2432 protocol decoder for sigrok, and the capture matches (no bytes missing or exceeding, and the commands order make sense). Only the family code does not match: 0x33 for DS2432, 0xb3 for our chip
   - even the used SHA-1 hash implementation used for authentication matches (I re-implemented and tested it with key material I found later)   - even the used SHA-1 hash implementation used for authentication matches (I re-implemented and tested it with key material I found later)
  
 Thus this chip is a DS2432, either re-branded or cloned. Thus this chip is a DS2432, either re-branded or cloned.
-[[https://electronics.stackexchange.com/questions/171329/help-identifying-this-chip-eeprom|Other printers]] (here a filament cartridge for the Stratasys UPrint SE 3D printer) also use this chip, but in a [[https://www.3dprintforums.com/showthread.php/3153-How2-Refill-the-EEPROM-of-the-HP-DesignJet-3D-aka-uPrint|non-secure]] [[https://github.com/bvanheu/stratasys/issues/21|way]].+[[https://electronics.stackexchange.com/questions/171329/help-identifying-this-chip-eeprom|Other printers]] (here a filament cartridge for the Stratasys UPrint SE 3D printer) also use this chip, but in a [[https://www.3dprintforums.com/forum/stratasys/how2-refill-eeprom-hp-designjet-3d-aka-uprint-3153/|non-secure]] [[https://github.com/bvanheu/stratasys/issues/21|way]].
  
 ==== implementing DS2432 ==== ==== implementing DS2432 ====
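Review bot: the '+' side of the DS2432 item changes only the Maxim product URL path (products/digital/memory-products to products/ibutton/memory-products) and leaves "does not contains family code and function command codes" as is; suggest "does not contain". The unchanged context line above it, "mTC002 it a for a thermocouple", reads as garbled and should state plainly what the linked list gives for family code 0xb3. Worth recording next to "Only the family code does not match: 0x33 for DS2432, 0xb3 for our chip" is that the two values differ only in the most significant bit (0xb3 is 0x33 with bit 7 set), an observation that fits the "re-branded or cloned" conclusion in the closing paragraph.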
Line 60: Line 60:
   * since the printer tries 4 times reading out the authenticated page using the same challenge there is plenty of time to forward the request and use an original chip as oracle   * since the printer tries 4 times reading out the authenticated page using the same challenge there is plenty of time to forward the request and use an original chip as oracle
   * the print is done before updating the toner level, thus you could completely ignore the corresponding write commands   * the print is done before updating the toner level, thus you could completely ignore the corresponding write commands
-  * even if you use an original chip oracle, the write success is not authenticated, thus you can fake that the write succeeded when you are MitM, if the printer doesn't read the authenticated value afterwards to ensure the write took place+  * even if you use an original chip as oracle, the write success is not authenticated, thus you can fake that the write succeeded when you are MitM, if the printer doesn't read the authenticated value afterwards to ensure the write took place
   * the printer starts by reading memory page 1 without authentication. Maybe there is some field in there allowing to switch to god mode (e.g. developer mode), which does not require authentication   * the printer starts by reading memory page 1 without authentication. Maybe there is some field in there allowing to switch to god mode (e.g. developer mode), which does not require authentication
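Review bot: the only change in this hunk inserts "as" into "original chip as oracle"; the third bullet would be stronger if it also spelled out the countermeasure it already implies, namely that a printer which reads the authenticated page back after the toner-level write (the condition at the end of that bullet) closes the option of faking write success from a MitM position. The last bullet ("Maybe there is some field ... god mode") is speculation with no support in the captured trace, so mark it as an open question rather than a finding.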
  
printer_cartridge.1505382448.txt.gz · Last modified: 2024/01/07 17:49 (external edit)