When a Lexmark inkjet printer stopped working, [Mojobobo] was able to claim it as his own. He quickly realized that the machine was flooded with ink and not worth repairing, but that didn’t mean he couldn’t still find a use for it. When he learned that the printer’s firmware was not only upgradable but also unprotected, he knew he should be able to get the printer to do his own bidding.
[Mojobobo] started his journey with the motherboard. The unit still powered up, but it demanded that a “duplex module” be inserted before it would boot any further. [Mojobobo] first tried to find a way to trick the duplex module sensor, but was unsuccessful. His next step was to search for some kind of serial communications port. He didn’t have an oscilloscope, so instead he used a speaker with a wire probe. In theory, if the wire was pressed against an active serial port, he would be able to hear varying tones through the speaker. Sure enough, he found some interesting tones after probing around some ports next to a “JTAG” label. He looked up some information about the nearby chip and found that it included an SPI bus.
After some internet research, [Mojobobo] learned enough about SPI to have a rough idea of how to use it. Having limited tools available to him, he decided to use his Arduino to try to communicate with the motherboard. After wiring up a simple circuit (and then re-wiring it), he was able to dump the first 4096 bytes of the motherboard’s boot loader to the Arduino via the SPI interface.
[Mojobobo’s] next steps will be to find a faster way to dump the boot loader. At 9600 baud, he grew tired of waiting after three hours. Once he has the full boot loader he intends to search for a way to bypass the duplex sensor and get the board to finish booting. Then he may just use the printer for its scanning functions, or he might find other interesting uses for it.
Using a speaker and wire to probe for serial data – now THAT’s a hack!
Love it!!!
Slightly cleverer is a piezo speaker or earpiece, since they’re very high-impedance and won’t load the circuit much.
Lots of +1 goodness in this. And I agree, using a speaker was brilliant.
So could you convert this printer or any other printer into a DICOM printer?
In this thread: reopening a forum thread that has been dead for 5 months.
That’s funny
.. I’ve been alive for those 5 months and haven’t heard about this.
I’ve always heard bad things about Lexmark printers. Perhaps this hack will turn all of that around?
Has 24MHz streaming logic analyzer/datalogger (Saleae) … uses Arduino at 9.6kbits
He’s using the Arduino to communicate via SPI protocol. Can Saleae do it? Right. Read the article first.
the thing he works on BOOTS = loads bootloader over SPI, all you have to do is sniff said SPI traffic and decode it on the computer
and yes, saleaeaea** can do SPI if you load custom firmware, you need to remember it’s just a Cypress FX2 EZ-USB chip on an almost bare PCB.
http://fpga4u.epfl.ch/wiki/FX2#v2.1_firmware_with_SPI_master
I got a very similar (if not identical) Dell printer for free a couple of months ago. I disassembled it completely about an hour after I got it, of course. Both the main board and the LCD board are driven by identical Lexmark ARM processors/microcontrollers. Unfortunately, I couldn’t find any information about those. The chips are likely rebranded (is Lexmark an ARM licensee?), but I have no idea who the actual manufacturer might be.
A few things about Lexmark printers that may or may not apply here: they normally have a small boot loader that brings up a second, larger boot loader. This sets all chip HW up, sets up MMU stuff and gets ready to invoke the LINUX kernel.
This version of Linux will use CRAMFS to store all the files used by Linux. You will have to unspool these, figure out which driver module handles the GPIO, decode which pin goes where and then back patch the driver. The CRAMFS image then needs to be redone.
As a gotcha, the code blobs may be signed, and without a valid value the printer may not run as desired. Also some of the driver modules may be embedded in the kernel blob. All of this can be dealt with, just how much time do you want to put into this…
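A first step toward the CramFS work described in the comment above, as an added example that is not part of the original thread: a Python scan of a raw flash dump for CramFS superblocks, with the image CRC checked so that a dump corrupted in transfer is caught before any unpacking. The function names and the sample image are constructed for illustration, and the code assumes the superblock sits at the start of the image (no 512-byte padding in front of it).

```python
import struct
import zlib

MAGIC = 0x28CD3D45                 # CramFS superblock magic
SIGNATURE = b"Compressed ROMFS"    # 16-byte signature that follows the first 4 words
FSID_V2 = 0x1                      # flag: crc/edition/blocks/files fields are valid
FMT = "IIII16sIIII16s"             # magic size flags future sig crc edition blocks files name
SUPER_LEN, CRC_OFF = 64, 32        # bytes parsed here; offset of the crc field

def parse_super(dump, pos, endian):
    """Parse one candidate superblock; return None if it is not CramFS."""
    if pos + SUPER_LEN > len(dump):
        return None                                  # magic too close to the end
    _, size, flags, _, sig, crc, _, _, files, name = struct.unpack_from(
        endian + FMT, dump, pos)
    if sig != SIGNATURE:
        return None                                  # 4-byte magic alone is a weak match
    hit = {"offset": pos, "endian": endian, "size": size, "files": files,
           "name": name.rstrip(b"\0").decode("ascii", "replace"),
           "complete": pos + size <= len(dump), "crc_ok": None}
    if hit["complete"] and size >= SUPER_LEN and flags & FSID_V2:
        image = bytearray(dump[pos:pos + size])
        image[CRC_OFF:CRC_OFF + 4] = bytes(4)        # CRC is taken with its own field zeroed
        hit["crc_ok"] = zlib.crc32(bytes(image)) == crc
    return hit

def find_cramfs(dump):
    """Return every plausible CramFS image in a raw flash dump, by offset."""
    hits = []
    for endian in ("<", ">"):                        # image may be little- or big-endian
        needle = struct.pack(endian + "I", MAGIC)
        pos = dump.find(needle)
        while pos != -1:
            hit = parse_super(dump, pos, endian)
            if hit:
                hits.append(hit)
            pos = dump.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])

def make_sample(endian="<", payload=b"\xAA" * 100):
    """Constructed test image: a valid superblock followed by filler bytes."""
    sb = struct.pack(endian + FMT, MAGIC, SUPER_LEN + len(payload), FSID_V2, 0,
                     SIGNATURE, 0, 0, 1, 3, b"rootfs")
    img = sb + payload
    return img[:CRC_OFF] + struct.pack(endian + "I", zlib.crc32(img)) + img[CRC_OFF + 4:]

if __name__ == "__main__":
    for h in find_cramfs(b"\xff" * 300 + make_sample() + bytes(50)):
        print(h)
```

A hit with `complete` false means the dump ended before the image did, and `crc_ok` false on a complete image points to bit errors in the transfer rather than to a different filesystem.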
I did something similar some time ago when I bricked a router, erasing its bootloader.
I re-used some parts I already had to do the job. I used a PIC32 to do the SPI interface and a PL2303 USB-Serial adapter from eBay that could be tuned up to 1228800bps.
In the end I had to lower it a bit, to 921600bps, to avoid data corruption.
The speed could reach 90KB/s which was pretty good for the thing itself, usually was around 70-80KB/s. That was more than 4Mbyte/minute!
So if your Arduino is too slow, speed up the SPI and forget the USB interface; instead use a serial adapter.
Also there are cheap USB programmers on eBay for 20 bucks or less!