Learning to Reverse Engineer on a Broken Printer


When a Lexmark inkjet printer stopped working, [Mojobobo] was able to claim it as his own. He quickly realized that the machine was flooded with ink and not worth repairing, but that didn’t mean he couldn’t still find a use for it. When he learned that the printer’s firmware was not only upgradable but also unprotected, he knew he should be able to get the printer to do his own bidding.

[Mojobobo] started his journey with the motherboard. The unit still powered up, but it asked for a “duplex module” to be inserted before it would boot any further. [Mojobobo] first tried to find a way to trick the duplex module sensor, but was unsuccessful. His next step was to search for some kind of serial communications port. He didn’t have an oscilloscope, so instead he used a speaker with a wire probe. In theory, if the wire was pressed against an active serial port, he would be able to hear varying tones through the speaker. Sure enough, he found some interesting tones after probing around some ports next to a “JTAG” label. He looked up some information about the nearby chip and found that it included an SPI bus.

After some internet research, [Mojobobo] learned enough about SPI to have a rough idea of how to use it. Having limited tools available to him, he decided to use his Arduino to try to communicate with the motherboard. After wiring up a simple circuit (and then re-wiring it), he was able to dump the first 4096 bytes of the motherboard’s boot loader to the Arduino via the SPI interface.

[Mojobobo's] next steps will be to find a faster way to dump the boot loader. At 9600 baud, he grew tired of waiting after three hours. Once he has the full boot loader he intends to search for a way to bypass the duplex sensor and get the board to finish booting. Then he may just use the printer for its scanning functions, or he might find other interesting uses for it.

Comments

  1. ehud42 says:

    Using a speaker and wire to probe for serial data – now THAT’s a hack!

  2. Chris Muncy says:

    Lots of +1 goodness in this. And I agree, using a speaker was brilliant.

  3. umer says:

    So could you convert this printer or any other printer into a DICOM printer?

  4. bert says:

    In this thread: reopening a forum thread that has been dead for 5 months.

  5. pcf11 says:

    I’ve always heard bad things about Lexmark printers. Perhaps this hack will turn all of that around?

  6. rasz_pl says:

    Has 24MHz streaming logic analyzer/datalogger (Saleae) … uses Arduino at 9.6kbits

  7. Salvador Limones says:

    I got a very similar (if not identical) Dell printer for free a couple of months ago. I disassembled it completely about an hour after I got it, of course. Both the main board and the LCD board are driven by identical Lexmark ARM processors/microcontrollers. Unfortunately, I couldn’t find any information about those. The chips are likely rebranded (is Lexmark an ARM licensee?), but I have no idea who the actual manufacturer might be.

  8. qbert says:

    A few things about Lexmark printers, may or may not apply here: they normally have a small boot loader that brings up a second larger boot loader. This sets all chip HW up, sets up MMU stuff and gets ready to invoke the LINUX kernel.

    This version of Linux will use CRAMFS to store all the files used by Linux. You will have to unspool these, figure out which driver module handles the GPIO, decode which pin goes where and then back patch the driver. The CRAMFS image then needs to be redone.

    As a gotcha, the code blobs may be signed, and without a valid value the printer may not run as desired. Also some of the driver modules may be embedded in the kernel blob. All of this can be dealt with, just how much time do you want to put into this…

  9. David says:

    I did something similar some time ago when I bricked a router, erasing its bootloader.
    I re-used some parts I already had to do the job, I used a PIC32 to do the SPI interface and a PL2303 USB-Serial adapter from ebay, that could be tuned up to 1228800bps.
    In the end I had to lower it a bit, to 921600bps, to avoid data corruption.
    The speed could reach 90KB/s which was pretty good for the thing itself, usually was around 70-80KB/s. That was more than 4Mbyte/minute!
    So if your Arduino is too slow, speed up the SPI and forget the USB interface; instead use a serial adapter.
    Also there are cheap USB programmers on ebay for 20 bucks or less!
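
qbert's comment above says the firmware may carry a CRAMFS image that has to be unpacked and rebuilt. As an added example (not code from the post or from any commenter), this Python sketch locates a CRAMFS superblock in a raw flash dump and checks its built-in CRC, using the field layout from the Linux kernel's `cramfs_fs.h`. The function names are hypothetical, the sample dump is constructed, and whether this particular printer uses CRAMFS is only qbert's suggestion.

```python
import struct
import zlib

CRAMFS_MAGIC = 0x28CD3D45
CRAMFS_SIGNATURE = b"Compressed ROMFS"
FLAG_FSID_V2 = 0x1                      # set when the size and crc fields are valid
# magic, size, flags, future, signature, crc, edition, blocks, files, name
SUPER_FMT = "4I16s4I16s"
SUPER_LEN = struct.calcsize("<" + SUPER_FMT)   # 64 bytes, root inode follows
CRC_OFFSET = 32                         # byte offset of the crc field

def find_cramfs(dump):
    """Locate every CRAMFS superblock in a raw flash dump."""
    found = []
    for endian in ("<", ">"):           # the format is stored in host byte order
        magic = struct.pack(endian + "I", CRAMFS_MAGIC)
        pos = dump.find(magic)
        while pos != -1:
            raw = bytes(dump[pos:pos + SUPER_LEN])
            if len(raw) == SUPER_LEN:
                _, size, flags, _, sig, crc, _, _, files, name = struct.unpack(
                    endian + SUPER_FMT, raw)
                if sig == CRAMFS_SIGNATURE:     # rules out chance magic matches
                    found.append({"offset": pos, "endian": endian, "size": size,
                                  "flags": flags, "crc": crc, "files": files,
                                  "name": name.rstrip(b"\0").decode("ascii", "replace")})
            pos = dump.find(magic, pos + 1)
    return sorted(found, key=lambda sb: sb["offset"])

def check_image(dump, sb):
    """Return 'ok', 'bad-crc', 'truncated' or 'no-crc' for one superblock."""
    if not sb["flags"] & FLAG_FSID_V2:
        return "no-crc"                 # old-format image, no checksum stored
    end = sb["offset"] + sb["size"]
    if end > len(dump):
        return "truncated"              # the dump stops before the image does
    image = bytearray(dump[sb["offset"]:end])
    image[CRC_OFFSET:CRC_OFFSET + 4] = b"\0" * 4   # CRC is taken with its field zeroed
    return "ok" if zlib.crc32(image) & 0xFFFFFFFF == sb["crc"] else "bad-crc"

def build_sample_dump(offset=0x1000, endian="<"):
    """Constructed test data: a fake 256-byte image inside 0xFF flash filler."""
    body = bytes(range(192))            # stands in for inodes and compressed data
    head = struct.pack(endian + SUPER_FMT, CRAMFS_MAGIC, SUPER_LEN + len(body),
                       FLAG_FSID_V2, 0, CRAMFS_SIGNATURE, 0, 0, 1, 1, b"sample")
    crc = zlib.crc32(head + body) & 0xFFFFFFFF
    head = head[:CRC_OFFSET] + struct.pack(endian + "I", crc) + head[CRC_OFFSET + 4:]
    return b"\xff" * offset + head + body + b"\xff" * 64
```

A passing CRC only shows the image is internally consistent and the dump is complete; it says nothing about the signature check qbert warns about.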
