uPrint printer

Hacking experiments on a Dimension uPrint 3D printer

DIAG port

RS232 serial port that gives access to the command console of the control board.

  • Settings: 38400,N,8,1
  • DTE type (a crossover cable and a USB/RS232 converter are required)

Once you have access, the help command lists the available commands:

To get help on a single command (nomecomando stands for the command name):

help nomecomando

Miscellaneous notes

The amount of material remaining in a cartridge is stored in a 512-byte DS2433 EEPROM supplied with each cartridge.

  • The first problem is that the number expressing the amount of material is encrypted.

  • The second problem is that the printer keeps, on its internal hard disk, a list of which cartridges have been used and how far each one has been consumed.

To get around the problem, one could dump an EEPROM at 100%, use the cartridge until it reaches 5-10% usage, and then write the 100% capacity back to it from the dump, preserving the original encryption. In addition, it would be interesting if the file that keeps track of the cartridges (/sysytem.dat or /mariner/config/system.dat) were deleted at every boot.

Fortunately the printer runs Linux (RHEL 8).

Part 1 - Copying the hard disk and enabling SSH

  • Remove the hard disk from the uPrint
  • Make an image of it using:
$ sudo dd if=/dev/sdb conv=sync,noerror bs=64K of=uprint.img 
  • Using VirtualBox, restore the image you made of the hard drive into a VM. If you are using VirtualBox, I would suggest using the VBoxManage tool to convert the raw image to a VDI, and then using that VDI as a hard drive attached to a virtual machine in VirtualBox.
  • Change the root password however you want (I manually edited /etc/shadow from a LiveCD in the virtual machine; you can also type “linux single” at the LILO prompt before booting up the system and then issue passwd, etc.)
  • Make the necessary edits to rc.local to delete the system.dat file(s) on boot, enable SSH (not necessary, but may be helpful in the future) by adding another entry to rc.local, and edit iptables to allow SSH.
  • Create an image of the virtual machine you just made all of the changes in. I would recommend booting a LiveCD in the VM, and using dd with a pipe to gzip (with a further pipe to scp/ftp if you wish, although the image should only come out to ~870 MB when compressed – easily fitting into the LiveCD’s temporary RAM storage).
  • Take this newly created, compressed image, and use “gzip -dc” with a pipe to “dd” to image the printer’s physical hard drive. Alternatively, you could have imaged the drive directly from the LiveCD in the virtual machine (something like dd if=/dev/sda of=/dev/sdc where /dev/sdc is the printer’s physical hard drive that you attached to the VM.)
  • Put the hard drive back into the printer, and turn it on. With any luck, it should boot and you should have SSH access to it. If it does not boot, restore the vanilla image back to a VM, and try again.
    If you do not have SSH access, make sure you edited iptables correctly – keep in mind those lines are processed in order! Add the line allowing connections to port 22 as high up in the list as possible.
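
An added example (not part of the original write-up) that rehearses the imaging round trip from the steps above on a constructed stand-in file before a real disk is touched. It shows that conv=sync pads the last 64K block with zeros, so the image must be compared with the source over the source length only, and it verifies the gzip restore against the source hash. The function names and temporary paths are assumptions.

```shell
#!/bin/sh
# Added example. All paths are temporary; the "disk" is a constructed file.

# SHA-256 of the first $2 bytes of file or device $1.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Image $1 into $2 with the dd options used above and keep a gzip copy in
# $2.gz. Prints the size of the raw image in bytes.
make_image() {
    dd if="$1" of="$2" conv=sync,noerror bs=64K 2>/dev/null
    gzip -c "$2" > "$2.gz"
    wc -c < "$2" | tr -d ' '
}

# Restore gzip image $1 onto $2, then succeed only if the first $3 bytes of
# $2 hash to $4. No conv=sync here: on a pipe it would pad short reads.
restore_and_verify() {
    gzip -dc "$1" | dd of="$2" bs=64K 2>/dev/null
    [ "$(hash_prefix "$2" "$3")" = "$4" ]
}

demo() {
    work=$(mktemp -d)
    # Constructed 100000-byte stand-in, deliberately not a multiple of 64K.
    head -c 100000 /dev/urandom > "$work/disk"
    ref=$(hash_prefix "$work/disk" 100000)
    echo "source bytes: 100000, image bytes: $(make_image "$work/disk" "$work/uprint.img")"
    if restore_and_verify "$work/uprint.img.gz" "$work/target" 100000 "$ref"; then
        echo "restore verified against source hash"
    else
        echo "restore does NOT match source"
    fi
    rm -rf "$work"
}
demo
```

On real hardware the reference hash would be taken from the original disk over its exact size in bytes, and kept alongside the vanilla image so a failed boot can be traced to a bad write rather than a bad edit.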

Part 2 - EEPROM

Now we’ll actually read and write to the cartridge’s EEPROM.

  • This is where that serial cable listed up top comes in. Notice the serial port on the back of the printer labelled “DIAG”? That’s the diagnostic console, and it can perform extremely low level functions that even having root access doesn’t give you. Connect one end of your serial cable to the port, and the other end to some computer.
  • I would suggest PuTTY, but I suppose HyperTerminal and other terminal emulation software would work as well. Configure your software of choice to a baud rate of 38400, 8 data bits, 1 stop bit, no parity, and XOn/XOff, hardware, or no flow control (try each until one works).
  • Issue the following command to read the cartridge’s EEPROM: “er 0 0 512”. Replace that command with “er 1 0 512” if you wish to dump the support material cartridge’s EEPROM. Give it a few seconds, and it should print out something that looks like this. Manually copy and paste that entire chunk, and save it to a file on your local machine. Please note, as stated earlier, my 100% dump will not work for your cartridge’s EEPROM chip as each has a different serial number that is used to encrypt the data on it (Thank you, Ian). I made a quick JavaScript tool to automate formatting EEPROM dumps so they can be written back.
  • Keep this file around for when your cartridge reaches a low percentage of remaining material, and then issue the following command via the console: “ew 0 0 {your comma-separated, double-quote enclosed 100% dump from the same cartridge here}”. Replace with “ew 1 0 {data}” if you wish to write your previous support material dump to the support material EEPROM.
  • Reboot the printer, and voila – you’re back to 100%! Just make sure to re-spool the cartridge, and you’re good to go!

So, what just happened during those last two steps? You overwrote the near-empty value on the cartridge’s EEPROM with its previous 100% dump/value. Since the dump came from the same cartridge (albeit earlier in time), the unique encryption key is preserved, and the cartridge is ready to be used again. Upon rebooting the printer, the printer starts up, deletes the system.dat file(s), and sees the cartridge you are using as a brand new one that has never been used before. At last, your newly re-spooled cartridge is ready to print again!

I’d love to hear any tips, alternate methods, and/or experiences in the comments. However, your standard disclaimer applies: I am not responsible for any damage to any of your hardware.
