Lexmark HBN3 Protocol Reverse Engineering



#1 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 31 August 2009 - 03:46 PM

Also posted on my personal website: http://www.awakecoding.com/

I have recently tried writing a program that would replay the packets from a Wireshark packet capture taken during a network printing session with my Lexmark x4690. Surprisingly, it did work! Encouraged by this first working test, I made a second program that tries to break down the protocol into logical parts that make more sense than just sending a bunch of blobs. I have successfully isolated the "payload" (the printed page itself) out of the protocol and dumped it to a file that my program uses. The payload appears to be a variant of HP's PCL, and part of it seems to be explained in Lexmark's Printer Languages and Interface Technical Reference. My test program with the test payload can be downloaded here: lexprint.zip.

Compile using:
gcc -o lexprint lexprint.c

and then run it:
./lexprint <Printer IP address> printer.dat

Here is what it should look like:

aghaster@debian:~/lexprint$ ./lexprint 192.168.1.175 print.dat
Server: 192.168.1.175
File: print.dat
> 48 42 4E 33 00 00 00 00 01
< 48 42 4E 33 00 00 00 00 00
Connected to HBN3 server
> A5 00 07 50 E0 81 00 02 00 11
< 48 42 4E 33 00 00 00 00 0C A5 00 09 50 E0 81 00 02 00 11 01 00
> A5 00 0D 50 E0 82 02 03 00 04
< 48 42 4E 33 00 00 00 00 08 A5 00 05 40 FF 80 00 00
> A5 00 09 50 E0 81 00 23 00 01
< 48 42 4E 33 00 00 00 00 08 A5 00 05 40 FF 80 00 00
> A5 00 08 50 E0 81 00 22 02 00
< 48 42 4E 33 00 00 00 00 09 A5 00 06 50 E0 82 02 03 00
> A5 00 06 50 E0 73 01 01 10 00
< 48 42 4E 33 00 00 00 00 08 A5 00 05 50 E0 81 00 23
> A5 00 07 50 E0 8F 20 03 01 01
< 48 42 4E 33 00 00 00 00 0B A5 00 08 50 E0 81 00 22 02 00 01
> A5 00 0B 50 E0 81 00 01 00 01
< 48 42 4E 33 00 00 00 00 09 A5 00 06 50 E0 73 01 01 10
> A5 00 07 50 E0 8F 20 03 01 00
< 48 42 4E 33 00 00 00 00 1E A5 00 1B 50 E0 8F 20 03 01 01 01 01 00 10 FB F4 CF F3 FF 7F B3 1C A7 E9 BF EB 00 FF 3F 7F
> A5 00 0B 50 E0 81 00 01 00 01
< 48 42 4E 33 00 00 00 00 08 A5 00 05 50 E0 81 00 01
> A5 00 07 50 E0 81 00 05 01 16
< 48 42 4E 33 00 00 00 00 1E A5 00 1B 50 E0 8F 20 03 01 00 01 00 00 10 BF D4 5D F3 FF 7F 1F E9 9A EA FF EF 00 FF 1F 77
> A5 00 0E 50 E0 81 00 01 00 01
< 48 42 4E 33 00 00 00 00 08 A5 00 05 50 E0 81 00 01
> A5 00 0D 50 E0 84 00 01 0A 6A
< 48 42 4E 33 00 00 00 00 06 A5 00 03 D4 E0 81
> A5 00 0E 50 E0 81 00 01 00 01
< 48 42 4E 33 00 00 00 00 08 A5 00 05 50 E0 81 00 01
> A5 00 06 50 05 00 00 00 00 01
< 48 42 4E 33 00 00 00 00 08 A5 00 05 50 E0 84 00 01

... (continues, the payload is too large to paste here)

< 48 42 4E 33 00 00 00 00 09 A5 00 06 10 01 00 03 CD 44
> A5 00 06 50 05 01 00 00 01 3A
< 48 42 4E 33 00 00 00 00 09 A5 00 06 10 01 00 03 CD 45
> A5 00 08 50 05 02 00 00 00 00
< 48 42 4E 33 00 00 00 00 09 A5 00 06 10 01 00 03 CD 46
> A5 00 08 50 05 02 00 00 00 00
< 48 42 4E 33 00 00 00 00 09 A5 00 06 50 05 01 00 00 01
> A5 00 08 50 05 02 00 00 00 00
< 48 42 4E 33 00 00 00 00 09 A5 00 06 50 05 02 00 00 01
> A5 00 08 50 05 02 00 00 00 00
< 48 42 4E 33 00 00 00 00 09 A5 00 06 50 05 02 00 00 01
> A5 00 08 50 05 02 00 00 00 00
< 48 42 4E 33 00 00 00 00 09 A5 00 06 50 05 02 00 00 01
> A5 00 08 50 05 02 00 00 00 00
< 48 42 4E 33 00 00 00 00 09 A5 00 06 50 05 02 00 00 01
> A5 00 08 50 05 02 00 00 00 00
< 48 42 4E 33 00 00 00 00 09 A5 00 06 50 05 02 00 00 01
> A5 00 08 50 05 02 00 00 00 00
< 48 42 4E 33 00 00 00 00 09 A5 00 06 50 05 02 00 00 01
> A5 00 08 50 05 02 00 00 00 00
< 48 42 4E 33 00 00 00 00 09 A5 00 06 50 05 02 00 00 01
> A5 00 05 50 E0 82 02 02 00 00
< 48 42 4E 33 00 00 00 00 09 A5 00 06 50 05 02 00 00 01
> A5 00 06 50 E0 73 01 01 00 00
< 48 42 4E 33 00 00 00 00 09 A5 00 06 50 05 02 00 00 01

Where <Printer IP Address> is your Lexmark printer IP address (192.168.1.175 in my case). The test payload is ten rows of the letter 'A' from notepad. For the moment the only documentation is the source code itself. I will post more when I find more, but in the meantime if anybody is interested in contributing findings and information, you are always welcome to send me an email.

This thread is here for people that want to take a look at it and contribute their findings :p

#2 Ohm

Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 31 August 2009 - 03:52 PM

That's pretty crazy, I gave up on Linux printing a long time ago. How "smart" are these printers? A lot of network printers can be made to do much more... interesting things.

#3 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 31 August 2009 - 04:44 PM

That's pretty crazy, I gave up on Linux printing a long time ago. How "smart" are these printers? A lot of network printers can be made to do much more... interesting things.


The part I haven't started working on with this printer is the network scanning :p On the printer you can press the scan button, select a computer on the network and even a program in which the resulting image will be opened. I guess that this involves some negotiation between the HBN3-aware computers on the network that advertise themselves and send a list of possible programs to the printer.

It also means that if you can intercept the packets from the computer to the printer you can get the document itself. I know that some more expensive models for offices have an optional hardware "PrintCryption" module that encrypts the documents when they are printed over the network. Those that do not have PrintCryption do not have this protection and the documents could be intercepted at any time.

I talked with someone that had a printer that supports the PrintCryption hardware module. Even though he didn't have it installed, the firmware updates were encrypted. I do not know if this constitutes a violation of the GPL, as the source code is supposed to be all available on Lexmark's FTP server. In my case, the firmware updates aren't encrypted, and it contains a Linux busybox installation for ARM.

#4 johnnymanson

johnnymanson

    SUP3R 31337

  • Members
  • 175 posts
  • Gender:Male
  • Location:Somewhere in NC, USA

Posted 31 August 2009 - 11:13 PM

Good Job Aghaster! You've been working this problem for a long time. I am glad to see that you have had some success. I am still using my HP Office Jet 6500 E709n to print from Windows and Ubuntu by its WiFi connection. The scan page can be accessed from a browser by IP address. I also remember that setting up CUPS was easier than installing the printer under Windows. Keep plugging away and you'll get it all to work. The Office Jet 6500 might be a better starting point for other users looking to purchase a new printer for Linux.

#5 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 02 September 2009 - 08:35 AM

Good Job Aghaster! You've been working this problem for a long time. I am glad to see that you have had some success. I am still using my HP Office Jet 6500 E709n to print from Windows and Ubuntu by its WiFi connection. The scan page can be accessed from a browser by IP address. I also remember that setting up CUPS was easier than installing the printer under Windows. Keep plugging away and you'll get it all to work. The Office Jet 6500 might be a better starting point for other users looking to purchase a new printer for Linux.


Yeah, HP's JetDirect protocol is well supported by CUPS :p It is trivial to set it up with Ubuntu.

I was searching yesterday for the very few places on the internet that mention Lexmark's HBN3. Lexmark says that it's using both TCP and UDP on port 9100, which is something I need to look at. They also separately mentioned "HBN3 scan" on port 9100/TCP. I made a Wireshark packet capture for a scan when it is initiated from the printer, but I think I should start by capturing the packets when the computer initiates it. The first thing that caught my eye is that the "connect string" used is almost the same as when printing, and then you can very easily guess its meaning:

HBN3 Printing:

Printer  : 48 42 4E 33 00 00 00 00 01
Computer : 48 42 4E 33 00 00 00 00 00

HBN3 Scanning:

Printer  : 48 42 4E 33 00 00 00 00 02
Computer : 48 42 4E 33 00 00 00 00 00

48 42 4E 33 is ASCII for "HBN3". We can see that the last byte is used to indicate to the printer what the computer wants to do: print (1) or scan (2) and the printer acknowledges it by returning the same connect string with the last byte set to 0.

HBN3 scanning is probably easier to get working as I do not have to reverse engineer the payload as well: the printer is sending the payload, not the computer. There is some kind of a negotiation involved in which the printer asks the computer for a list of software to open the image with, and then the user can choose it from the printer's front panel, etc.

As for 9100/UDP, my guess is that it is used as a control channel when the printer wants to request things from the computer instead of the other way around. In the packet capture for the scan in which the printer initiated the scan, it is still the computer that opened the connection and sent the first packet. I'll have to look more into it.
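As an added illustration of the connect string described above and of the framing visible in the dump in the first post (this is not code from the original post or from lexprint), here is a small decoder for the printer-side lines. The framing it checks is my own inference from the captured bytes, not anything documented by Lexmark: an 8-byte "HBN3" magic, a one-byte length, then a payload that starts with A5 00 and its own length byte; only the `<` lines are handled, since the `>` lines in the dump appear cut at ten bytes.

```python
# Added example, not part of the original post or of lexprint. The framing
# below is inferred from the dump in the first post (assumption):
#   connect string : b"HBN3" + 4 zero bytes + mode byte (1 = print, 2 = scan)
#   printer ack    : same, with the mode byte set to 0
#   printer frame  : b"HBN3" + 4 zero bytes + length + <length> payload bytes
#   payload        : 0xA5, 0x00, inner length, then <inner length> body bytes
from dataclasses import dataclass
from typing import Optional

MAGIC = b"HBN3" + b"\x00" * 4
MODES = {0: "ack", 1: "print", 2: "scan"}


@dataclass
class Frame:
    mode: Optional[str]   # set only for 9-byte connect strings / acks
    body: bytes           # body of the inner A5 frame, empty for connect strings


def parse_hex(line: str) -> bytes:
    """Turn a '48 42 4E 33 ...' line from the lexprint dump into bytes."""
    return bytes.fromhex(line.replace(" ", ""))


def parse_printer_frame(raw: bytes) -> Frame:
    """Validate both length fields and return the decoded frame."""
    if not raw.startswith(MAGIC):
        raise ValueError("missing HBN3 magic")
    if len(raw) == 9:                                   # connect string or ack
        return Frame(mode=MODES.get(raw[8], f"unknown({raw[8]})"), body=b"")
    length, payload = raw[8], raw[9:]
    if len(payload) != length:
        raise ValueError(f"outer length {length} but {len(payload)} bytes present")
    if len(payload) < 3 or payload[:2] != b"\xa5\x00" or payload[2] != len(payload) - 3:
        raise ValueError("inner A5 frame length mismatch")
    return Frame(mode=None, body=payload[3:])


def is_well_formed(line: str) -> bool:
    """True when a dump line satisfies the inferred framing, False otherwise."""
    try:
        parse_printer_frame(parse_hex(line))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Lines copied from the dump in the first post.
    for line in ("48 42 4E 33 00 00 00 00 02",
                 "48 42 4E 33 00 00 00 00 0C A5 00 09 50 E0 81 00 02 00 11 01 00"):
        print(parse_printer_frame(parse_hex(line)))
```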

#6 chaostic

chaostic

    rekcah-rebÜ

  • Members
  • 724 posts

Posted 02 September 2009 - 10:17 PM

You should offer Lexmark the right to distribute your work in exchange for pay/free new printers and crap/swag.

Nice work.

#7 Ohm

Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 02 September 2009 - 11:21 PM

You should offer Lexmark the right to distribute your work in exchange for pay/free new printers and crap/swag.

Nice work.


I think he's more likely to be sued, to be honest.

#8 livinded

livinded

    Dangerous free thinker

  • Agents of the Revolution
  • 1,942 posts
  • Location:~/

Posted 03 September 2009 - 01:05 AM


You should offer Lexmark the right to distribute your work in exchange for pay/free new printers and crap/swag.

Nice work.


I think he's more likely to be sued, to be honest.


Exactly, I'd watch out for lexmark sending a DMCA notice.

#9 Phail_Saph

Phail_Saph

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 323 posts
  • Country:
  • Gender:Male
  • Location:Philly

Posted 03 September 2009 - 02:06 AM

Outstanding Work!

"Making music out of packets is what it's all about"
---Ancient Chinese Proverb

(at least in some parallel universe, assuming multi-worlds theory holds)

I wouldn't worry about legal stuff. You own the printer and it's your computer. Using their protocols outside of EULA to access the printer isn't by default illegal. It looks like through experimentation you discovered how the protocols send the data which means that you validly reverse engineered it. Reverse engineering is legal.

This could turn into a healthy debate.


#10 chaostic

chaostic

    rekcah-rebÜ

  • Members
  • 724 posts

Posted 03 September 2009 - 10:07 PM

And since Lexmark is using GPLd software on the printer, and provided Ag here the sources as required, why would he be sued?

#11 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 03 September 2009 - 11:42 PM

And since Lexmark is using GPLd software on the printer, and provided Ag here the sources as required, why would he be sued?


Here are some precisions on what is covered by what:

Lexmark uses Linux (busybox) to make the print server along with other services such as an embedded web server and a telnet interface. Lexmark only gives the source code of things that were previously in GPL; they didn't GPL the code that they weren't forced to. This means that the HBN3 server that the printer runs is not in GPL, as they wrote it from scratch and own the copyright to its code. For my reverse engineering work, I haven't disassembled the HBN3 server that the printer uses, but I have simply analyzed Wireshark packet captures and attempted to mimic it. It turns out that it is not too much of a problem to send something to print to the printer using the HBN3 protocol, but then the payload itself seems to be in an "Enhanced PCL" format that includes commands with IDs marked as 'unused' in their own documentation. I have no idea if the 'ordinary' PCL would work with the printer, but the payload I have captured does not seem to be using anything documented.

I do not think that reverse engineering the protocol causes a problem. The only possible problem would be if the protocol is covered by a patent, and then their lawyers would get pissed at somebody outside Lexmark making a program to use the protocol. Most of the time companies simply do not care about anything that is not Windows or Mac. They're also often not very interested in releasing documentation because they do not want competitors to copy them. But then, if you want to spend a lot of time to reverse engineer their thing and come up with something that is approximately what it was originally but works well enough to make Linux users happy, they usually don't bother much about suing you. Companies usually sue people when they reverse engineer something that they think is a threat to their company, for instance, if you reverse engineer a DRM mechanism. I doubt that they would get pissed that some guy in his basement wanted to waste his time reverse engineering their network printing protocol so that he can print from Linux, instead of buying a printer from one of their competitors that is supported by Linux.

Also, Lexmark does not fully comply with the GPL... As I told them in one of my emails, they're not complying with section 3 as they do not even mention that their printers are running Linux and where to get the source code. Yes, they do have it on a public FTP server, but you have to first discover on your own that your printer is most likely to be running some embedded Linux distribution and then ask them about it and finally get an answer with a link. They replied to that saying that my email had been forwarded to their legal department. I mailed them later to know if there was anything new about it, but I did not get any more replies. I have also asked them about possible public documentation on the HBN3 protocol, with no answer.

Something I'm asking myself about the EULA: Usually a EULA states that if you can not comply with the restrictions, then you should not be using the EULA covered software at all. What if I'm not using it? ;)

#12 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 04 September 2009 - 12:13 AM

Here is more, taken straight out of the license agreement:

LEXMARK SOFTWARE LICENSE AGREEMENT

This Software License Agreement (License Agreement) is a legal agreement between you (either an individual or a single entity) and Lexmark International, Inc. (Lexmark) that, to the extent your Lexmark product or Software Program is not otherwise subject to a written software license agreement between you and Lexmark or its suppliers, governs your use of any Software Program installed on or provided by Lexmark for use in connection with your Lexmark product. The term "Software Program" includes machine-readable instructions, audio/visual content (such as images and recordings), and associated media, printed materials and electronic documentation, whether incorporated into, distributed with or for use with your Lexmark product.


6. LIMITATION ON REVERSE ENGINEERING. You may not alter, decrypt, reverse engineer, reverse assemble, reverse compile or otherwise translate the Software Program, except as and to the extent expressly permitted to do so by applicable law for the purposes of inter-operability, error correction, and security testing. If you have such statutory rights, you will notify Lexmark in writing of any intended reverse engineering, reverse assembly, or reverse compilation. You may not decrypt the Software Program unless necessary for the legitimate Use of the Software Program.


If I understand correctly, their definition of "Software Program" does not cover the protocol itself but would cover their program that implements it. In the case they think otherwise, their clause on reverse engineering looks quite friendly to the type of reverse engineering I'm doing.

#13 duper

duper

    Dangerous free thinker

  • Members
  • 816 posts
  • Location:NYC

Posted 04 September 2009 - 01:45 PM

Putting something in a EULA doesn't make it the law.. also I was under the impression that the DMCA was used for copy-protection..
