Jump to content


Photo
- - - - -

Lexmark x4690 Reverse Engineering


  • Please log in to reply
40 replies to this topic

#1 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 13 April 2009 - 11:39 PM

I recently got a Lexmark x4690 wifi printer. It is a quite nice printer, except for the fact that it doesn't work with Linux. I can use my brother's computer that runs Windows to print, but I'd like to be able to print from Linux. I've installed the printer so that it connects wirelessly to my router as a network printer, to avoid the trouble of going through a computer that must sit there waiting for printing jobs. A network printer protocol is probably much easier to reverse engineer and program for than reverse engineering a USB printer driver and then writing a new one. I've used wireshark to capture the packets as I was printing the test page (the test page the software asks you to print to test that the printer is working fine). Wireshark seems to be putting protocol names that are close to what the printer is using but not exactly it (it reports checksum errors in the packets, probably some kind of checksum used by the protocol it thinks it is, but the checksum must be different with this printer protocol).

I've uploaded the wireshark packet capture here for other people to study it.

In the packet capture, 192.168.1.117 is the computer from which I was printing and 192.168.1.175 is the printer. I also ran nmap to see what services were running on the printer:

Interesting ports on 192.168.1.175:
Not shown: 1709 closed ports
PORT	  STATE SERVICE
21/tcp	open  ftp
80/tcp	open  http
8000/tcp  open  http-alt
9100/tcp  open  jetdirect
10000/tcp open  snet-sensor-mgmt
50000/tcp open  iiimsf

Not all of the services shown by nmap seem to be used in the packet capture, maybe the printer supports other network printing protocols? No idea. All ideas are welcome.

#2 chaostic

chaostic

    rekcah-rebÜ

  • Members
  • 724 posts

Posted 14 April 2009 - 01:21 AM

You would be much better off trying to find the CUPS or LP forums and asking there.

But, port 9100? Is it capable of being set up as a IP printer like most net enabled printers? Or can you access it's webserver and just submit pdfs or what not like that? Sure, its not ideal, but setting up a PS or PDF printer on your linux box and then dropping the pdf to the printer's http server (or ftp server) can get you running for now.

Apparently, Lexmark does not use regular standards, or support Linux at all. If you have a Mac or OSX box, there are mac drivers for it, and OSX uses CUPS just like linux. That should help guide you towards a quicker result than trying to work from Windows drivers.

#3 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 14 April 2009 - 06:25 AM

You would be much better off trying to find the CUPS or LP forums and asking there.

But, port 9100? Is it capable of being set up as a IP printer like most net enabled printers? Or can you access it's webserver and just submit pdfs or what not like that? Sure, its not ideal, but setting up a PS or PDF printer on your linux box and then dropping the pdf to the printer's http server (or ftp server) can get you running for now.

Apparently, Lexmark does not use regular standards, or support Linux at all. If you have a Mac or OSX box, there are mac drivers for it, and OSX uses CUPS just like linux. That should help guide you towards a quicker result than trying to work from Windows drivers.


Hum... you have a good point here. I have an older PowerPC mac, I'm going to install the driver, print the test page and capture the packets with wireshark and see if they're much different from the Windows one.

Yeah, Lexmark seems to totally ignore Linux's existence. They simply don't bother.

#4 phasma

phasma

    Hakker addict

  • Members
  • 527 posts
  • Country:
  • Gender:Male
  • Location:Pennsylvania

Posted 14 April 2009 - 07:49 AM

Yeah, Lexmark seems to totally ignore Linux's existence. They simply don't bother.


Too many companies just over look the open-source community. -_-

#5 UTS_HOST

UTS_HOST

    SUP3R 31337

  • Members
  • 152 posts

Posted 14 April 2009 - 09:36 AM

we used lexmark printers all the time at the company i use to work for. Identix, they made fingerprint software for the state. A lot of our systems were redhat based, i will see if i have any of the old images laying around. To keep it simple, it was a redhat system with Identix software running on top to capture finger prints, mug shots ect , then you can print the finger print cards off the lexmark printer. Chance's are if you have been arrested you have been booked with a Identix system. Now part of L1 Identity solutions.

#6 Enigma

Enigma

    HPR Overlord

  • Moderating Team
  • 839 posts
  • Country:
  • Gender:Male
  • Location:Florida

Posted 14 April 2009 - 11:18 AM

You would be much better off trying to find the CUPS or LP forums and asking there.

But, port 9100? Is it capable of being set up as a IP printer like most net enabled printers? Or can you access it's webserver and just submit pdfs or what not like that? Sure, its not ideal, but setting up a PS or PDF printer on your linux box and then dropping the pdf to the printer's http server (or ftp server) can get you running for now.

Apparently, Lexmark does not use regular standards, or support Linux at all. If you have a Mac or OSX box, there are mac drivers for it, and OSX uses CUPS just like linux. That should help guide you towards a quicker result than trying to work from Windows drivers.


Hum... you have a good point here. I have an older PowerPC mac, I'm going to install the driver, print the test page and capture the packets with wireshark and see if they're much different from the Windows one.

Yeah, Lexmark seems to totally ignore Linux's existence. They simply don't bother.



i would agree that cups or an lp forum would be a better place to ask, however since port 9100 is open check out irongeeks video on network printer hacking http://www.irongeek....6printerhacking you may be able to telnet to that port and print via telnet :) I've done it on some HP printers i don't know much about how lexmark has it's network printers setup.

-E

#7 SchippStrich

SchippStrich

    SUP3R 31337 P1MP

  • Members
  • 293 posts
  • Country:
  • Gender:Male
  • Location:USA

Posted 14 April 2009 - 04:11 PM

I am not sure what you have done so far as to try and get it communicating with your Linux box but here:

Have you used CUPS and tried searching for a generic Lexmark driver(If your specified model is not listed)? Try the PS or PPD files.
Connect to it using IPP or the JetDirect Service (port 9100).
Are you using Debian? (I know you like Debian)
On the Gnome menu : System ---> Administration --> Printing
It will walk you through it.
If you are using a different desktop environment find a similar approach.

#8 chaostic

chaostic

    rekcah-rebÜ

  • Members
  • 724 posts

Posted 14 April 2009 - 10:24 PM

we used lexmark printers all the time at the company i use to work for. Identix, they made fingerprint software for the state. A lot of our systems were redhat based, i will see if i have any of the old images laying around. To keep it simple, it was a redhat system with Identix software running on top to capture finger prints, mug shots ect , then you can print the finger print cards off the lexmark printer. Chance's are if you have been arrested you have been booked with a Identix system. Now part of L1 Identity solutions.


Apparently, Lexmark does have drivers for corporate-type printers, but not the commercial-type printers they make.

#9 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 19 April 2009 - 12:38 PM

I got new exciting info. On port 10000 is a very interesting interface. I found out more in this blog post from someone with another lexmark printer:

http://blog.trumpton...on-printer.html

There's no proof yet but this very suspiciously look like an embedded Linux distribution. If it is, Lexmark will be the new Linksys.

aghaster@debian:~$ telnet 192.168.1.175 10000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
LXK: ls

?
enable
exit
finger
gatherdebug
help
history
info
lbcntl
lookup
ls
netstat
ping
setup
nvramreset

LXK: netstat -n

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address		   Foreign Address		 State	  
tcp		0	  0 0.0.0.0:8000			0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:4033			0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:9100			0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:50000		   0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:10000		   0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:80			  0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:21			  0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:631			 0.0.0.0:*			   LISTEN	  
tcp		0	  0 192.168.1.175:10000	 192.168.1.110:54859	 ESTABLISHED 
udp		0	  0 0.0.0.0:9100			0.0.0.0:*						   
udp		0	  0 0.0.0.0:161			 0.0.0.0:*						   
udp		0	  0 0.0.0.0:5353			0.0.0.0:*						   
udp		0	  0 0.0.0.0:9580			0.0.0.0:*						   
udp		0	  0 239.255.255.250:3702	0.0.0.0:*						   

LXK: info


USB port 1
Printer Type:  3600-4600 Series
Print Job Status: No Job Currently Active
Printer Status: 0 Ready

Adapter Information
Network Card Type: Ethernet 802.11b/g
Firmware Revision: NET.AR.N204
Network Card Part Number: 40X4817
Network Card EC: MN_SH_2
Network Address (MSB, Canonical): 0004007CDB52, 0020003EDB4A
Address 192.168.1.175
Netmask 255.255.255.0
Gateway 192.168.1.1

LXK: setup

Ethernet 802.11b/g

Carte Réseau
   Etat:						 Connecté
   Bitrate:					  48 Mbps
   Date et heure actuelles:	  2006-04-09 20:32
   Délai de fin de tâche:		90
   UAA(MAC):					 0020003EDB4A
   LAA:						  000000000000
   Référence:					40X4817
   MFG FW:					   5D0036C
   Version du microcode:		 NET.AR.N204
   Compi:						27-May-08 16:25, mls-bld
   Mot de passe:				 Définir

Paramètres d'option réseau intégrée
   Type d'imprimante:			 3600-4600 Series

TCP/IP
   Actif:						En fonction
   Activer DHCP:				 Hors fonction
   Source de l'adresse:		  Manuel
   Adresse:					  192.168.1.175
   Masque de réseau:			 255.255.255.0
   Passerelle:				   192.168.1.1
   Nom de domaine complet:	   ET0020003EDB4A.agh.ath.cx
   Nom Zero Configuration:	   Lexmark

Sans fil
   Type BSS:					 Infrastructure
   SSID:						 1337
   Mode sécurité sans fil:	   Désactivé
   Puissance du signal:		  -29 dBm
   Point d'accès actuel:		 001EE535B716
   Canal actuel:				 1
   Qualité:					  Excellente
   Code erreur:				  Aucun

LXK:


#10 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 19 April 2009 - 01:48 PM

I've just ran a nikto scan on my printer, there are a couple of results I need to try:

debian:/home/aghaster# nikto -h 192.168.1.175 -C all
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP:		  192.168.1.175
+ Target Hostname:	ET0020003EDB4A.local
+ Target Port:		80
+ Start Time:		 2009-04-19 19:52:46
---------------------------------------------------------------------------
+ Server: thttpd
- /robots.txt - contains 1 'disallow' entry which should be manually viewed. (GET)
+ OSVDB-0: Non-standard header cd returned by server, with contents: 2: can't cd to /web
+ thttpd - www.acme.com/software/thttpd. Below v2.03 lets reading of system files by adding // like //etc/passwd. 2.04 has a buffer overflow in 'If-Modified-Since' header.
+ OSVDB-0: GET /search.php?searchfor=\"><script>alert('Vulnerable');</script> : Siteframe 2.2.4 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /phpimageview.php?pic=java script:alert('Vulnerable') : PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS).  http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /myphpnuke/links.php?op=search&query=[script]alert('Vulnerable);[/script]?query= : myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent : myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /modules.php?letter=%22%3E%3Cimg%20src=java script:alert(document.cookie);%3E&op=modload&name=Members_List&file=index : Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /members.asp?SF=%22;}alert('Vulnerable');function%20x(){v%20=%22 : Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /forum_members.asp?find=%22;}alert('Vulnerable');function%20x(){v%20=%22 : Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2119: GET /shopexd.asp?catalogid='42 : VP-ASP Shopping Cart 5.0 contains multiple SQL injection vulnerabilities. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0560, http://www.securityfocus.com/bid/8159
+ OSVDB-2799: GET /cgi.cgi/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /webcgi/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-914/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-915/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /bin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /mpcgi/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-bin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /ows-bin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-sys/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-local/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /htbin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgibin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgis/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /scripts/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-win/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /fcgi-bin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-exe/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-home/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-perl/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ 3577 items checked: 31 item(s) reported on remote host
+ End Time:		2009-04-19 20:25:09 (1943 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Test Options: -h 192.168.1.175 -C all
---------------------------------------------------------------------------


#11 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 19 April 2009 - 02:00 PM

Here are a couple of special replies when trying to send invalid HTTP requests:

aghaster@debian:~$ telnet 192.168.1.175 8000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
GET /../ HTTP/1.1
Host: 192.168.1.175

HTTP/1.0 200 OK
cd: 2: can't cd to /web
Expires: Sun, 27 Feb 1972 08:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html

<html>
<head>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
<META HTTP-EQUIV="Content-type" CONTENT="text/html; charset=UTF-8">

<TITLE> 3600-4600 Series</TITLE>
<LINK REL="stylesheet" HREF="/configStyle.css" TYPE="text/css">
</head>

<frameset cols="185,*" framespacing="0" border="0" frameborder="0">

  <frame name="left" scrolling="no" target="rtop" src="/cgi-bin/dynamic/left_bar.html">

  <frameset rows="120,*,50">

	<frame name="rtop" target="rbottom" src="./cgi-bin/dynamic/topbar.html" marginwidth="0" marginheight="0" scrolling="no" noresize>
	<frame name="rbottom" src="/cgi-bin/dynamic/status_list.html" scrolling="auto" marginwidth="15" marginheight="10" noresize target="_self">

	<frame name="bottombar" target="bottombar" src="./cgi-bin/dynamic/langbar.html" marginwidth="0" marginheight="0" scrolling="no" noresize>

  </frameset></frameset>
  <noframes>
  <body>
  <p>This page uses frames, but your browser does not support them.</p>
  </body>
  </noframes>
</frameset>

</html>
Connection closed by foreign host.

aghaster@debian:~$ telnet 192.168.1.175 8000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
GET //index.html HTTP/1.1
Host: 192.168.1.175

HTTP/1.1 400 Bad Request
Server: thttpd
Content-Type: text/html
Date: Tue, 04 Apr 2006 03:30:07 GMT
Last-Modified: Tue, 04 Apr 2006 03:30:07 GMT
Accept-Ranges: bytes
Connection: close
booga3!

<HTML>
<HEAD><TITLE>400 Bad Request</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>400 Bad Request</H2>
Your request has bad syntax or is inherently impossible to satisfy.
Connection closed by foreign host.

aghaster@debian:~$ telnet 192.168.1.175 8000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
invalid.		  
UNKNOWN 400 Bad Request
Server: thttpd
Content-Type: text/html
Date: Tue, 04 Apr 2006 03:30:59 GMT
Last-Modified: Tue, 04 Apr 2006 03:30:59 GMT
Accept-Ranges: bytes
Connection: close

<HTML>
<HEAD><TITLE>400 Bad Request</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>400 Bad Request</H2>
Your request has bad syntax or is inherently impossible to satisfy.
Connection closed by foreign host.

aghaster@debian:~$ telnet 192.168.1.175 8000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
GET /404.htm HTTP/1.1
Host: 192.168.1.175

HTTP/1.1 404 Not Found
Server: thttpd
Content-Type: text/html
Date: Tue, 04 Apr 2006 03:31:52 GMT
Last-Modified: Tue, 04 Apr 2006 03:31:52 GMT
Accept-Ranges: bytes
Connection: close

<HTML>
<HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>404 Not Found</H2>
The requested URL '/404.htm' was not found on this server.
Connection closed by foreign host.

Notice how in the second request I get a "booga3!" error while none of the others get that.

#12 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 23 April 2009 - 11:36 AM

I have disassembled my printer to be able to access the main circuit board and take pictures. I made a list of the things that was written on top of components that I could read:

Lexmark
21B4299
L-LA4475A3
0839T 1785924

Samsung 840
K4S561632J-UC75
S5616 2Y6392A2C

VIM
WM8196SCDS
88ACBRY

5142
2AEMX

SPANSION
FL016A1F

TEXAS INSTRUMENTS
7AA21LTG4
SN105108A
20C0830

8008TMX
SK 88D
1014242

AS358M
820J88

809870
88  17

Datasheets:

K4S561632J-UC75 (256MB DRAM)
WM8196
AS358M

Posted Image
The main circuit board

Posted Image
A closer look at the left of the main circuit board

Posted Image
A closer look at the right of the main circuit board

Posted Image
The SD card reader, it has a mini-usb connector and if you connect it to your computer you should be able to use it. Windows XP was able to detect it and use it right away.

Posted Image
The wireless adapter for the printer, it is connected to the mainboard using some kind of connector which is unknown to me (the white connector on the top left of the mainboard is where it connects)

#13 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 23 April 2009 - 12:02 PM

Sorry for the huge pictures, I'm hosting them on my personal website. Is there a way to force a resize on those pictures, or an automatic thumbnail? I still want to provide the full size picture, so that people can read the part numbers.

#14 UTS_HOST

UTS_HOST

    SUP3R 31337

  • Members
  • 152 posts

Posted 23 April 2009 - 12:15 PM

we used lexmark printers all the time at the company i use to work for. Identix, they made fingerprint software for the state. A lot of our systems were redhat based, i will see if i have any of the old images laying around. To keep it simple, it was a redhat system with Identix software running on top to capture finger prints, mug shots ect , then you can print the finger print cards off the lexmark printer. Chance's are if you have been arrested you have been booked with a Identix system. Now part of L1 Identity solutions.


Apparently, Lexmark does have drivers for corporate-type printers, but not the commercial-type printers they make.


yea i ripped open the image on it only works on the higher end models.

#15 johnnymanson

johnnymanson

    SUP3R 31337

  • Members
  • 175 posts
  • Gender:Male
  • Location:Somewhere in NC, USA

Posted 23 April 2009 - 01:45 PM

It's no help for Aghaster but I just bought an HP Officejet 6500 All-in-one printer. Setup for this Wifi enabled printer in Ubuntu was a piece of cake. It is actually faster and easier to add in Ubuntu than XP.

#16 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 24 April 2009 - 12:17 AM

Vector requested that I remove the metal shield from the wireless adapter and post pictures of it:

Posted Image
Wireless adapter, top view

Posted Image
Wireless adapter, view of the back

Here is a transcription of the part numbers we can see:

88W8638-BEB1
FT14311.2
0818 C2P
TW

Samsung 825
K8P3215UQB
P14B

Samsung 828
K4S281632I-UC75

339
eZE6823

CETCCJ
44.000
835

TPS73701
86C4ENH

Datasheets:

K8P3215UQB (32MB Flash Memory)
K4S281632I-UC75 (128MB SDRAM)

There seem to be a bunch of unpopulated holes, I'm wondering what could go in there. Maybe there's place for a JTAG connector?

#17 chaostic

chaostic

    rekcah-rebÜ

  • Members
  • 724 posts

Posted 24 April 2009 - 01:22 AM

8 pins, plus two leds? On a card with wifi? Unpopulated ethernet port. I'll bet someones life on it. Some googling found that Marvel chip (wifi) to be the same as some Linksys voip router combos.

The Empty u1 would most likely be a ethernet transceiver.

The four pin blank connector between the ethernet mask and wifi shield might be serial. One too many pins for WOL. The two pin connector next to it might be a led connector? One pin looks like it goes through a resister then under the wifi shield. Finally, there's a 7 pin sip connection near the top left on the front picture that cant be seen because of the angle of the picture and the caps in the way.

#18 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 26 April 2009 - 10:55 AM

8 pins, plus two leds? On a card with wifi? Unpopulated ethernet port. I'll bet someones life on it. Some googling found that Marvel chip (wifi) to be the same as some Linksys voip router combos.

The Empty u1 would most likely be a ethernet transceiver.

The four pin blank connector between the ethernet mask and wifi shield might be serial. One too many pins for WOL. The two pin connector next to it might be a led connector? One pin looks like it goes through a resister then under the wifi shield. Finally, there's a 7 pin sip connection near the top left on the front picture that cant be seen because of the angle of the picture and the caps in the way.


It looks like there is some cool stuff that can be done with that. Even if I solder an ethernet port in there, I need the software to be aware of it. In any case, what kind of wire should I use for best results if I want to solder an ethernet port? I'd take an old ethernet socket + cut cat 5 cable, or are ordinary wires just like what you'd use with a breadboard fine?

By the way, it is a row of 6 pins that is partially hidden by the caps (you can tell by the picture of the back of the board). Do you still think it is sip?

#19 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 26 April 2009 - 03:48 PM

For some reason, the scanner wouldn't work properly when I reassembled the printer. The scanner carrier would move to the right until it reaches it, but then wouldn't know it has reached the end and would try to move further. I swear I've reassembled the thing correctly, I tried cleaning the glass, etc, resetting the printer to factory defaults but nothing would work. I finally just brought the printer back to the store and got a new one. I won't attempt disassembling the new one as if it breaks again I'm stuck with it. There's a plus, however: I had forgotten the password on the previous printer, but I got the password for this one. This means I can access much more for configuration. The thing I wanted to see the most was the LXK prompt on port 10000 with administrator priviledges:

aghaster@debian:~$ telnet 192.168.1.175 10000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
LXK: enable
Please enter the print server's password : ********
Response accepted.
Extra commands enabled

LXK: ls

?
arp
disable
enable
exit
finger
gatherdebug
help
history
info
lbcntl
lookup
ls
msum
netstat
ping
ps
reset
route
setup
stop
nvramreset

LXK: history

History
Firmware Revision: NET.AR.N204
Time/Date: Mon Apr  3 22:44:28 2006
TB EEC CT: 5 0   0-00:24:21.90
000400AAF4F2, 002000552F4F
 

LXK: info


USB port 1
Printer Type:  3600-4600 Series
Print Job Status: No Job Currently Active
Printer Status: 0 Ready

Adapter Information
Network Card Type: Ethernet 802.11b/g
Firmware Revision: NET.AR.N204
Network Card Part Number: 40X4817
Network Card EC: MN_SH_2
Network Address (MSB, Canonical): 000400AAF4F2, 002000552F4F
Address 192.168.1.175
Netmask 255.255.255.0
Gateway 192.168.1.1

LXK: netstat

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address		   Foreign Address		 State	  
tcp		0	  0 0.0.0.0:8000			0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:4033			0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:9100			0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:50000		   0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:10000		   0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:80			  0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:21			  0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:631			 0.0.0.0:*			   LISTEN	  
tcp		0	  0 192.168.1.175:10000	 192.168.1.110:46346	 ESTABLISHED 
udp		0	  0 0.0.0.0:9100			0.0.0.0:*						   
udp		0	  0 0.0.0.0:161			 0.0.0.0:*						   
udp		0	  0 0.0.0.0:5353			0.0.0.0:*						   
udp		0	  0 0.0.0.0:9580			0.0.0.0:*						   
udp		0	  0 239.255.255.250:3702	0.0.0.0:*						   

LXK: ps

  PID  Uid	 VmSize Stat Command
	1 root		512 S   init			
	2 root			SWN [ksoftirqd/0]
	3 root			SW< [events/0]
	4 root			SW< [khelper]
	5 root			SW< [kthread]
	8 root			SW< [kblockd/0]
   11 root			SW  [khubd]
   34 root			SW  [pdflush]
   35 root			SW  [pdflush]
   37 root			SW< [aio/0]
   36 root			SW  [kswapd0]
   38 root			SW  [svcerrd]
   70 root			SW  [mtdblockd]
   77 root		492 S   /bin/sh /etc/init.sh 
   88 root		488 S   /bin/sh /pkg-netapps/etc/rc 
   95 root			SWN [jffs2_gcd_mtd1]
  181 root		512 S   syslogd -O /dev/console 
  294 root			SW< [MAC Mgmt]
  307 root		532 S   /pkg-netapps/bin/mvwcd -f /pkg-netapps/etc/mvwcd.conf
  327 root		488 S   /bin/sh /pkg-netapps/etc/debug_prompt 
  329 root		592 S   lexdebug -h 
  348 root		552 S   ErrorExit 
  359 root		732 S   VacuumServer 
  360 root		732 S   VacuumServer 
  362 root		732 S   VacuumServer 
  371 root		796 S   StatusServer 
  372 root		796 S   StatusServer 
  373 root		796 S   StatusServer 
  374 root		796 S   StatusServer 
  375 root		796 S   StatusServer 
  380 root		736 S   NPAP_Server 
  383 root		520 S   /bin/sh /pkg-netapps/etc/rc_net_postPage4 
  389 root		636 S   NPAP_Server 
  390 root		636 S   NPAP_Server 
  391 root		736 S   NPAP_Server 
  392 root		736 S   NPAP_Server 
  393 root		736 S   NPAP_Server 
  394 root		636 S   NPAP_Server 
  388 root		420 S   flashsrv unix:/tmp/flashsrv unix:/tmp/flashsrv_interl
  396 root		736 S   NPAP_Server 
  398 root		760 S   PrinterHandler 
  402 root		616 S   HIDHandler 
  403 root		616 S   HIDHandler 
  405 root		760 S   PrinterHandler 
  406 root		616 S   HIDHandler 
  407 root		760 S   PrinterHandler 
  408 root		760 S   PrinterHandler 
  415 root		760 S   PrinterHandler 
  418 root		800 S   vacWLAN 
  419 root		800 S   vacWLAN 
  420 root		800 S   vacWLAN 
  421 root		800 S   vacWLAN 
  437 root		816 S   vacip -vrbhma 
  438 root		816 S   vacip -vrbhma 
  439 root		816 S   vacip -vrbhma 
  440 root		816 S   vacip -vrbhma 
  476 root		580 S   firewall_app 
  502 root		632 S   vacSEC 
  531 root		856 S   thttpd -nos -d /pkg-netapps/web -p 80 -p 631 -p 8000 
  542 root		676 S   HostListApp 
  543 root		676 S   HostListApp 
  550 root		676 S   HostListApp 
  551 root		676 S   HostListApp 
  552 root		676 S   HostListApp 
  553 root		676 S   HostListApp 
  554 root		676 S   HostListApp 
  558 root		676 S   HostListApp 
  598 root		736 S   mdns 
  608 root		736 S   mdns 
  609 root		736 S   mdns 
  663 root		572 S   NetworkKeepAlive 
  667 root		576 S   addrconf 
  668 root		576 S   addrconf 
  669 root		576 S   addrconf 
  726 root		560 S   /sbin/inetd /tmp/inetd.conf 
  741 root		728 S   host-config 
  749 root		648 S   Hbn3 
  753 root		648 S   Hbn3 
  754 root		648 S   Hbn3 
  755 root		648 S   Hbn3 
  756 root		648 S   Hbn3 
  769 root		584 S   Ntp 
  777 root		796 S   lxkwsPS 
  782 root		504 S   snmpSysDescr 
  783 root		796 S   lxkwsPS 
  784 root		796 S   lxkwsPS 
 1000 root		648 S   lexdebug 
 1006 root		568 R   ps auxf 

LXK: exit

Connection closed by foreign host.

What can we infer from the process list? Are there processes which are known to only exist on Linux?

#20 chaostic

chaostic

    rekcah-rebÜ

  • Members
  • 724 posts

Posted 26 April 2009 - 07:20 PM

It looks like there is some cool stuff that can be done with that. Even if I solder an ethernet port in there, I need the software to be aware of it. In any case, what kind of wire should I use for best results if I want to solder an ethernet port? I'd take an old ethernet socket + cut cat 5 cable, or are ordinary wires just like what you'd use with a breadboard fine?

By the way, it is a row of 6 pins that is partially hidden by the caps (you can tell by the picture of the back of the board). Do you still think it is sip?


SIP = Single Inline Pins
As opposed to DIP (Dual Inline Pins). So you would need a strip of SIP to be able to solder on a header to it. I only have DIP headers (standard width, they fit most internal connectors, like internal USB and Front Panel LEDS/Switches, and even 3.5 inch IDE slots.) I need to get some SIP headers for stuff like this (And some 2.5inch ide sized headers)

As for the ethernet, you could use short (still atleast one/two Twists) cat5e cables and make a short extension to a ethernet socket, yes, but it would be better to try to get one that fits right on the board.

The problem is that it won't work with just the connector. It looks like alot of passive components for the ethernet connection are missing, plus two possible active components (U1, and y1). Like I said, U1 is probably the ethernet transceiver, what gives the ethernet connection its mac address and converts from Layer 1 to Layer 2 or above. The Ethernet PHY chip. Y1 could be level protection and smoothing.

To get it to work on ethernet, you would be better off buying the lexmark card with ethernet. But if you have a working wifi router, there is no need.




BinRev is hosted by the great people at Lunarpages!