Aghaster

Lexmark x4690 Reverse Engineering

41 posts in this topic

I recently got a Lexmark x4690 wifi printer. It is a quite nice printer, except for the fact that it doesn't work with Linux. I can use my brother's computer that runs Windows to print, but I'd like to be able to print from Linux. I've installed the printer so that it connects wirelessly to my router as a network printer, to avoid the trouble of going through a computer that must sit there waiting for printing jobs. A network printer protocol is probably much easier to reverse engineer and program for than reverse engineering a USB printer driver and then writing a new one. I've used wireshark to capture the packets as I was printing the test page (the test page the software asks you to print to test that the printer is working fine). Wireshark seems to be putting protocol names that are close to what the printer is using but not exactly it (it reports checksum errors in the packets, probably some kind of checksum used by the protocol it thinks it is, but the checksum must be different with this printer protocol).

I've uploaded the wireshark packet capture here for other people to study it.

In the packet capture, 192.168.1.117 is the computer from which I was printing and 192.168.1.175 is the printer. I also ran nmap to see what services were running on the printer:

Interesting ports on 192.168.1.175:
Not shown: 1709 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
8000/tcp open http-alt
9100/tcp open jetdirect
10000/tcp open snet-sensor-mgmt
50000/tcp open iiimsf

Not all of the services shown by nmap seem to be used in the packet capture, maybe the printer supports other network printing protocols? No idea. All ideas are welcome.

-1

Share this post


Link to post
Share on other sites

You would be much better off trying to find the CUPS or LP forums and asking there.

But, port 9100? Is it capable of being set up as a IP printer like most net enabled printers? Or can you access it's webserver and just submit pdfs or what not like that? Sure, its not ideal, but setting up a PS or PDF printer on your linux box and then dropping the pdf to the printer's http server (or ftp server) can get you running for now.

Apparently, Lexmark does not use regular standards, or support Linux at all. If you have a Mac or OSX box, there are mac drivers for it, and OSX uses CUPS just like linux. That should help guide you towards a quicker result than trying to work from Windows drivers.

-1

Share this post


Link to post
Share on other sites
You would be much better off trying to find the CUPS or LP forums and asking there.

But, port 9100? Is it capable of being set up as a IP printer like most net enabled printers? Or can you access it's webserver and just submit pdfs or what not like that? Sure, its not ideal, but setting up a PS or PDF printer on your linux box and then dropping the pdf to the printer's http server (or ftp server) can get you running for now.

Apparently, Lexmark does not use regular standards, or support Linux at all. If you have a Mac or OSX box, there are mac drivers for it, and OSX uses CUPS just like linux. That should help guide you towards a quicker result than trying to work from Windows drivers.

Hum... you have a good point here. I have an older PowerPC mac, I'm going to install the driver, print the test page and capture the packets with wireshark and see if they're much different from the Windows one.

Yeah, Lexmark seems to totally ignore Linux's existence. They simply don't bother.

0

Share this post


Link to post
Share on other sites
Yeah, Lexmark seems to totally ignore Linux's existence. They simply don't bother.

Too many companies just over look the open-source community. -_-

0

Share this post


Link to post
Share on other sites

we used lexmark printers all the time at the company i use to work for. Identix, they made fingerprint software for the state. A lot of our systems were redhat based, i will see if i have any of the old images laying around. To keep it simple, it was a redhat system with Identix software running on top to capture finger prints, mug shots ect , then you can print the finger print cards off the lexmark printer. Chance's are if you have been arrested you have been booked with a Identix system. Now part of L1 Identity solutions.

0

Share this post


Link to post
Share on other sites
You would be much better off trying to find the CUPS or LP forums and asking there.

But, port 9100? Is it capable of being set up as a IP printer like most net enabled printers? Or can you access it's webserver and just submit pdfs or what not like that? Sure, its not ideal, but setting up a PS or PDF printer on your linux box and then dropping the pdf to the printer's http server (or ftp server) can get you running for now.

Apparently, Lexmark does not use regular standards, or support Linux at all. If you have a Mac or OSX box, there are mac drivers for it, and OSX uses CUPS just like linux. That should help guide you towards a quicker result than trying to work from Windows drivers.

Hum... you have a good point here. I have an older PowerPC mac, I'm going to install the driver, print the test page and capture the packets with wireshark and see if they're much different from the Windows one.

Yeah, Lexmark seems to totally ignore Linux's existence. They simply don't bother.

i would agree that cups or an lp forum would be a better place to ask, however since port 9100 is open check out irongeeks video on network printer hacking http://www.irongeek.com/i.php?page=videos/...6printerhacking you may be able to telnet to that port and print via telnet :) I've done it on some HP printers i don't know much about how lexmark has it's network printers setup.

-E

0

Share this post


Link to post
Share on other sites

I am not sure what you have done so far as to try and get it communicating with your Linux box but here:

Have you used CUPS and tried searching for a generic Lexmark driver(If your specified model is not listed)? Try the PS or PPD files.

Connect to it using IPP or the JetDirect Service (port 9100).

Are you using Debian? (I know you like Debian)

On the Gnome menu : System ---> Administration --> Printing

It will walk you through it.

If you are using a different desktop environment find a similar approach.

0

Share this post


Link to post
Share on other sites
we used lexmark printers all the time at the company i use to work for. Identix, they made fingerprint software for the state. A lot of our systems were redhat based, i will see if i have any of the old images laying around. To keep it simple, it was a redhat system with Identix software running on top to capture finger prints, mug shots ect , then you can print the finger print cards off the lexmark printer. Chance's are if you have been arrested you have been booked with a Identix system. Now part of L1 Identity solutions.

Apparently, Lexmark does have drivers for corporate-type printers, but not the commercial-type printers they make.

0

Share this post


Link to post
Share on other sites

I got new exciting info. On port 10000 is a very interesting interface. I found out more in this blog post from someone with another lexmark printer:

http://blog.trumpton.org.uk/2008/12/lexmar...on-printer.html

There's no proof yet but this very suspiciously look like an embedded Linux distribution. If it is, Lexmark will be the new Linksys.

aghaster@debian:~$ telnet 192.168.1.175 10000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
LXK: ls

?
enable
exit
finger
gatherdebug
help
history
info
lbcntl
lookup
ls
netstat
ping
setup
nvramreset

LXK: netstat -n

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4033 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9100 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:50000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.175:10000 192.168.1.110:54859 ESTABLISHED
udp 0 0 0.0.0.0:9100 0.0.0.0:*
udp 0 0 0.0.0.0:161 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:9580 0.0.0.0:*
udp 0 0 239.255.255.250:3702 0.0.0.0:*

LXK: info


USB port 1
Printer Type: 3600-4600 Series
Print Job Status: No Job Currently Active
Printer Status: 0 Ready

Adapter Information
Network Card Type: Ethernet 802.11b/g
Firmware Revision: NET.AR.N204
Network Card Part Number: 40X4817
Network Card EC: MN_SH_2
Network Address (MSB, Canonical): 0004007CDB52, 0020003EDB4A
Address 192.168.1.175
Netmask 255.255.255.0
Gateway 192.168.1.1

LXK: setup

Ethernet 802.11b/g

Carte Réseau
Etat: Connecté
Bitrate: 48 Mbps
Date et heure actuelles: 2006-04-09 20:32
Délai de fin de tâche: 90
UAA(MAC): 0020003EDB4A
LAA: 000000000000
Référence: 40X4817
MFG FW: 5D0036C
Version du microcode: NET.AR.N204
Compi: 27-May-08 16:25, mls-bld
Mot de passe: Définir

Paramètres d'option réseau intégrée
Type d'imprimante: 3600-4600 Series

TCP/IP
Actif: En fonction
Activer DHCP: Hors fonction
Source de l'adresse: Manuel
Adresse: 192.168.1.175
Masque de réseau: 255.255.255.0
Passerelle: 192.168.1.1
Nom de domaine complet: ET0020003EDB4A.agh.ath.cx
Nom Zero Configuration: Lexmark

Sans fil
Type BSS: Infrastructure
SSID: 1337
Mode sécurité sans fil: Désactivé
Puissance du signal: -29 dBm
Point d'accès actuel: 001EE535B716
Canal actuel: 1
Qualité: Excellente
Code erreur: Aucun

LXK:

0

Share this post


Link to post
Share on other sites

I've just ran a nikto scan on my printer, there are a couple of results I need to try:

debian:/home/aghaster# nikto -h 192.168.1.175 -C all
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP: 192.168.1.175
+ Target Hostname: ET0020003EDB4A.local
+ Target Port: 80
+ Start Time: 2009-04-19 19:52:46
---------------------------------------------------------------------------
+ Server: thttpd
- /robots.txt - contains 1 'disallow' entry which should be manually viewed. (GET)
+ OSVDB-0: Non-standard header cd returned by server, with contents: 2: can't cd to /web
+ thttpd - www.acme.com/software/thttpd. Below v2.03 lets reading of system files by adding // like //etc/passwd. 2.04 has a buffer overflow in 'If-Modified-Since' header.
+ OSVDB-0: GET /search.php?searchfor=\"><script>alert('Vulnerable');</script> : Siteframe 2.2.4 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /phpimageview.php?pic=java script:alert('Vulnerable') : PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /myphpnuke/links.php?op=search&query=[script]alert('Vulnerable);[/script]?query= : myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent : myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /modules.php?letter=%22%3E%3Cimg%20src=java script:alert(document.cookie);%3E&op=modload&name=Members_List&file=index : Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /members.asp?SF=%22;}alert('Vulnerable');function%20x(){v%20=%22 : Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /forum_members.asp?find=%22;}alert('Vulnerable');function%20x(){v%20=%22 : Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2119: GET /shopexd.asp?catalogid='42 : VP-ASP Shopping Cart 5.0 contains multiple SQL injection vulnerabilities. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0560, http://www.securityfocus.com/bid/8159
+ OSVDB-2799: GET /cgi.cgi/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /webcgi/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-914/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-915/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /bin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /mpcgi/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-bin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /ows-bin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-sys/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-local/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /htbin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgibin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgis/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /scripts/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-win/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /fcgi-bin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-exe/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-home/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-perl/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ 3577 items checked: 31 item(s) reported on remote host
+ End Time: 2009-04-19 20:25:09 (1943 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Test Options: -h 192.168.1.175 -C all
---------------------------------------------------------------------------

0

Share this post


Link to post
Share on other sites

Here are a couple of special replies when trying to send invalid HTTP requests:

aghaster@debian:~$ telnet 192.168.1.175 8000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
GET /../ HTTP/1.1
Host: 192.168.1.175

HTTP/1.0 200 OK
cd: 2: can't cd to /web
Expires: Sun, 27 Feb 1972 08:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html

<html>
<head>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
<META HTTP-EQUIV="Content-type" CONTENT="text/html; charset=UTF-8">

<TITLE> 3600-4600 Series</TITLE>
<LINK REL="stylesheet" HREF="/configStyle.css" TYPE="text/css">
</head>

<frameset cols="185,*" framespacing="0" border="0" frameborder="0">

<frame name="left" scrolling="no" target="rtop" src="/cgi-bin/dynamic/left_bar.html">

<frameset rows="120,*,50">

<frame name="rtop" target="rbottom" src="./cgi-bin/dynamic/topbar.html" marginwidth="0" marginheight="0" scrolling="no" noresize>
<frame name="rbottom" src="/cgi-bin/dynamic/status_list.html" scrolling="auto" marginwidth="15" marginheight="10" noresize target="_self">

<frame name="bottombar" target="bottombar" src="./cgi-bin/dynamic/langbar.html" marginwidth="0" marginheight="0" scrolling="no" noresize>

</frameset></frameset>
<noframes>
<body>
<p>This page uses frames, but your browser does not support them.</p>
</body>
</noframes>
</frameset>

</html>
Connection closed by foreign host.

aghaster@debian:~$ telnet 192.168.1.175 8000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
GET //index.html HTTP/1.1
Host: 192.168.1.175

HTTP/1.1 400 Bad Request
Server: thttpd
Content-Type: text/html
Date: Tue, 04 Apr 2006 03:30:07 GMT
Last-Modified: Tue, 04 Apr 2006 03:30:07 GMT
Accept-Ranges: bytes
Connection: close
booga3!

<HTML>
<HEAD><TITLE>400 Bad Request</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>400 Bad Request</H2>
Your request has bad syntax or is inherently impossible to satisfy.
Connection closed by foreign host.

aghaster@debian:~$ telnet 192.168.1.175 8000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
invalid.
UNKNOWN 400 Bad Request
Server: thttpd
Content-Type: text/html
Date: Tue, 04 Apr 2006 03:30:59 GMT
Last-Modified: Tue, 04 Apr 2006 03:30:59 GMT
Accept-Ranges: bytes
Connection: close

<HTML>
<HEAD><TITLE>400 Bad Request</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>400 Bad Request</H2>
Your request has bad syntax or is inherently impossible to satisfy.
Connection closed by foreign host.

aghaster@debian:~$ telnet 192.168.1.175 8000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
GET /404.htm HTTP/1.1
Host: 192.168.1.175

HTTP/1.1 404 Not Found
Server: thttpd
Content-Type: text/html
Date: Tue, 04 Apr 2006 03:31:52 GMT
Last-Modified: Tue, 04 Apr 2006 03:31:52 GMT
Accept-Ranges: bytes
Connection: close

<HTML>
<HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>404 Not Found</H2>
The requested URL '/404.htm' was not found on this server.
Connection closed by foreign host.

Notice how in the second request I get a "booga3!" error while none of the others get that.

0

Share this post


Link to post
Share on other sites

I have disassembled my printer to be able to access the main circuit board and take pictures. I made a list of the things that was written on top of components that I could read:

Lexmark
21B4299
L-LA4475A3
0839T 1785924

Samsung 840
K4S561632J-UC75
S5616 2Y6392A2C

VIM
WM8196SCDS
88ACBRY

5142
2AEMX

SPANSION
FL016A1F

TEXAS INSTRUMENTS
7AA21LTG4
SN105108A
20C0830

8008TMX
SK 88D
1014242

AS358M
820J88

809870
88 17

Datasheets:

K4S561632J-UC75 (256MB DRAM)

WM8196

AS358M

lexmark_mainboard.jpg

The main circuit board

lexmark_left.jpg

A closer look at the left of the main circuit board

lexmark_right.jpg

A closer look at the right of the main circuit board

lexmark_sd_card_reader.jpg

The SD card reader, it has a mini-usb connector and if you connect it to your computer you should be able to use it. Windows XP was able to detect it and use it right away.

lexmark_wireless_adapter.jpg

The wireless adapter for the printer, it is connected to the mainboard using some kind of connector which is unknown to me (the white connector on the top left of the mainboard is where it connects)

0

Share this post


Link to post
Share on other sites

Sorry for the huge pictures, I'm hosting them on my personal website. Is there a way to force a resize on those pictures, or an automatic thumbnail? I still want to provide the full size picture, so that people can read the part numbers.

0

Share this post


Link to post
Share on other sites
we used lexmark printers all the time at the company i use to work for. Identix, they made fingerprint software for the state. A lot of our systems were redhat based, i will see if i have any of the old images laying around. To keep it simple, it was a redhat system with Identix software running on top to capture finger prints, mug shots ect , then you can print the finger print cards off the lexmark printer. Chance's are if you have been arrested you have been booked with a Identix system. Now part of L1 Identity solutions.

Apparently, Lexmark does have drivers for corporate-type printers, but not the commercial-type printers they make.

yea i ripped open the image on it only works on the higher end models.

0

Share this post


Link to post
Share on other sites

It's no help for Aghaster but I just bought an HP Officejet 6500 All-in-one printer. Setup for this Wifi enabled printer in Ubuntu was a piece of cake. It is actually faster and easier to add in Ubuntu than XP.

0

Share this post


Link to post
Share on other sites

Vector requested that I remove the metal shield from the wireless adapter and post pictures of it:

lexmark_wireless_top.jpg

Wireless adapter, top view

lexmark_wireless_back.jpg

Wireless adapter, view of the back

Here is a transcription of the part numbers we can see:

88W8638-BEB1
FT14311.2
0818 C2P
TW

Samsung 825
K8P3215UQB
P14B

Samsung 828
K4S281632I-UC75

339
eZE6823

CETCCJ
44.000
835

TPS73701
86C4ENH

Datasheets:

K8P3215UQB (32MB Flash Memory)

K4S281632I-UC75 (128MB SDRAM)

There seem to be a bunch of unpopulated holes, I'm wondering what could go in there. Maybe there's place for a JTAG connector?

0

Share this post


Link to post
Share on other sites

8 pins, plus two leds? On a card with wifi? Unpopulated ethernet port. I'll bet someones life on it. Some googling found that Marvel chip (wifi) to be the same as some Linksys voip router combos.

The Empty u1 would most likely be a ethernet transceiver.

The four pin blank connector between the ethernet mask and wifi shield might be serial. One too many pins for WOL. The two pin connector next to it might be a led connector? One pin looks like it goes through a resister then under the wifi shield. Finally, there's a 7 pin sip connection near the top left on the front picture that cant be seen because of the angle of the picture and the caps in the way.

0

Share this post


Link to post
Share on other sites
8 pins, plus two leds? On a card with wifi? Unpopulated ethernet port. I'll bet someones life on it. Some googling found that Marvel chip (wifi) to be the same as some Linksys voip router combos.

The Empty u1 would most likely be a ethernet transceiver.

The four pin blank connector between the ethernet mask and wifi shield might be serial. One too many pins for WOL. The two pin connector next to it might be a led connector? One pin looks like it goes through a resister then under the wifi shield. Finally, there's a 7 pin sip connection near the top left on the front picture that cant be seen because of the angle of the picture and the caps in the way.

It looks like there is some cool stuff that can be done with that. Even if I solder an ethernet port in there, I need the software to be aware of it. In any case, what kind of wire should I use for best results if I want to solder an ethernet port? I'd take an old ethernet socket + cut cat 5 cable, or are ordinary wires just like what you'd use with a breadboard fine?

By the way, it is a row of 6 pins that is partially hidden by the caps (you can tell by the picture of the back of the board). Do you still think it is sip?

0

Share this post


Link to post
Share on other sites

For some reason, the scanner wouldn't work properly when I reassembled the printer. The scanner carrier would move to the right until it reaches it, but then wouldn't know it has reached the end and would try to move further. I swear I've reassembled the thing correctly, I tried cleaning the glass, etc, resetting the printer to factory defaults but nothing would work. I finally just brought the printer back to the store and got a new one. I won't attempt disassembling the new one as if it breaks again I'm stuck with it. There's a plus, however: I had forgotten the password on the previous printer, but I got the password for this one. This means I can access much more for configuration. The thing I wanted to see the most was the LXK prompt on port 10000 with administrator priviledges:

aghaster@debian:~$ telnet 192.168.1.175 10000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
LXK: enable
Please enter the print server's password : ********
Response accepted.
Extra commands enabled

LXK: ls

?
arp
disable
enable
exit
finger
gatherdebug
help
history
info
lbcntl
lookup
ls
msum
netstat
ping
ps
reset
route
setup
stop
nvramreset

LXK: history

History
Firmware Revision: NET.AR.N204
Time/Date: Mon Apr 3 22:44:28 2006
TB EEC CT: 5 0 0-00:24:21.90
000400AAF4F2, 002000552F4F


LXK: info


USB port 1
Printer Type: 3600-4600 Series
Print Job Status: No Job Currently Active
Printer Status: 0 Ready

Adapter Information
Network Card Type: Ethernet 802.11b/g
Firmware Revision: NET.AR.N204
Network Card Part Number: 40X4817
Network Card EC: MN_SH_2
Network Address (MSB, Canonical): 000400AAF4F2, 002000552F4F
Address 192.168.1.175
Netmask 255.255.255.0
Gateway 192.168.1.1

LXK: netstat

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4033 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9100 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:50000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.175:10000 192.168.1.110:46346 ESTABLISHED
udp 0 0 0.0.0.0:9100 0.0.0.0:*
udp 0 0 0.0.0.0:161 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:9580 0.0.0.0:*
udp 0 0 239.255.255.250:3702 0.0.0.0:*

LXK: ps

PID Uid VmSize Stat Command
1 root 512 S init
2 root SWN [ksoftirqd/0]
3 root SW< [events/0]
4 root SW< [khelper]
5 root SW< [kthread]
8 root SW< [kblockd/0]
11 root SW [khubd]
34 root SW [pdflush]
35 root SW [pdflush]
37 root SW< [aio/0]
36 root SW [kswapd0]
38 root SW [svcerrd]
70 root SW [mtdblockd]
77 root 492 S /bin/sh /etc/init.sh
88 root 488 S /bin/sh /pkg-netapps/etc/rc
95 root SWN [jffs2_gcd_mtd1]
181 root 512 S syslogd -O /dev/console
294 root SW< [MAC Mgmt]
307 root 532 S /pkg-netapps/bin/mvwcd -f /pkg-netapps/etc/mvwcd.conf
327 root 488 S /bin/sh /pkg-netapps/etc/debug_prompt
329 root 592 S lexdebug -h
348 root 552 S ErrorExit
359 root 732 S VacuumServer
360 root 732 S VacuumServer
362 root 732 S VacuumServer
371 root 796 S StatusServer
372 root 796 S StatusServer
373 root 796 S StatusServer
374 root 796 S StatusServer
375 root 796 S StatusServer
380 root 736 S NPAP_Server
383 root 520 S /bin/sh /pkg-netapps/etc/rc_net_postPage4
389 root 636 S NPAP_Server
390 root 636 S NPAP_Server
391 root 736 S NPAP_Server
392 root 736 S NPAP_Server
393 root 736 S NPAP_Server
394 root 636 S NPAP_Server
388 root 420 S flashsrv unix:/tmp/flashsrv unix:/tmp/flashsrv_interl
396 root 736 S NPAP_Server
398 root 760 S PrinterHandler
402 root 616 S HIDHandler
403 root 616 S HIDHandler
405 root 760 S PrinterHandler
406 root 616 S HIDHandler
407 root 760 S PrinterHandler
408 root 760 S PrinterHandler
415 root 760 S PrinterHandler
418 root 800 S vacWLAN
419 root 800 S vacWLAN
420 root 800 S vacWLAN
421 root 800 S vacWLAN
437 root 816 S vacip -vrbhma
438 root 816 S vacip -vrbhma
439 root 816 S vacip -vrbhma
440 root 816 S vacip -vrbhma
476 root 580 S firewall_app
502 root 632 S vacSEC
531 root 856 S thttpd -nos -d /pkg-netapps/web -p 80 -p 631 -p 8000
542 root 676 S HostListApp
543 root 676 S HostListApp
550 root 676 S HostListApp
551 root 676 S HostListApp
552 root 676 S HostListApp
553 root 676 S HostListApp
554 root 676 S HostListApp
558 root 676 S HostListApp
598 root 736 S mdns
608 root 736 S mdns
609 root 736 S mdns
663 root 572 S NetworkKeepAlive
667 root 576 S addrconf
668 root 576 S addrconf
669 root 576 S addrconf
726 root 560 S /sbin/inetd /tmp/inetd.conf
741 root 728 S host-config
749 root 648 S Hbn3
753 root 648 S Hbn3
754 root 648 S Hbn3
755 root 648 S Hbn3
756 root 648 S Hbn3
769 root 584 S Ntp
777 root 796 S lxkwsPS
782 root 504 S snmpSysDescr
783 root 796 S lxkwsPS
784 root 796 S lxkwsPS
1000 root 648 S lexdebug
1006 root 568 R ps auxf

LXK: exit

Connection closed by foreign host.

What can we infer from the process list? Are there processes which are known to only exist on Linux?

0

Share this post


Link to post
Share on other sites
It looks like there is some cool stuff that can be done with that. Even if I solder an ethernet port in there, I need the software to be aware of it. In any case, what kind of wire should I use for best results if I want to solder an ethernet port? I'd take an old ethernet socket + cut cat 5 cable, or are ordinary wires just like what you'd use with a breadboard fine?

By the way, it is a row of 6 pins that is partially hidden by the caps (you can tell by the picture of the back of the board). Do you still think it is sip?

SIP = Single Inline Pins

As opposed to DIP (Dual Inline Pins). So you would need a strip of SIP to be able to solder on a header to it. I only have DIP headers (standard width, they fit most internal connectors, like internal USB and Front Panel LEDS/Switches, and even 3.5 inch IDE slots.) I need to get some SIP headers for stuff like this (And some 2.5inch ide sized headers)

As for the ethernet, you could use short (still atleast one/two Twists) cat5e cables and make a short extension to a ethernet socket, yes, but it would be better to try to get one that fits right on the board.

The problem is that it won't work with just the connector. It looks like alot of passive components for the ethernet connection are missing, plus two possible active components (U1, and y1). Like I said, U1 is probably the ethernet transceiver, what gives the ethernet connection its mac address and converts from Layer 1 to Layer 2 or above. The Ethernet PHY chip. Y1 could be level protection and smoothing.

To get it to work on ethernet, you would be better off buying the lexmark card with ethernet. But if you have a working wifi router, there is no need.

0

Share this post


Link to post
Share on other sites

I passed the evening asking questions on multiple IRC channels, and I really think there's a good chance that the printer is running Linux and not some other form of UNIX using a license other than GNU's GPL. I have just sent Lexmark this mail, hoping it falls in the good hands (I'm dreaming in colors):

Hi,

I recently bought a Lexmark x4690, a wifi printer. I noticed that the printer has an 'LXK' prompt on port 10000, to ease management of the printer. That LXK prompt provides a couple of commands that allow me to know more about the printer, one of which revealed something quite interesting: the firmware running on my Lexmark printer is most likely Linux-based. Here's a sample of the output of the 'ls' command at the LXK prompt:

LXK: ps

PID Uid VmSize Stat Command
1 root 512 S init
2 root SWN [ksoftirqd/0]
3 root SW< [events/0]
4 root SW< [khelper]
5 root SW< [kthread]
8 root SW< [kblockd/0]
11 root SW [khubd]
34 root SW [pdflush]
35 root SW [pdflush]
37 root SW< [aio/0]
36 root SW [kswapd0]
38 root SW [svcerrd]
70 root SW [mtdblockd]
...

Many of these processes are known to be Linux processes, such as ksoftirqd, so I exclude the possibility that the printer is using firmware based on some other kind of UNIX. As the Linux kernel is licensed under the GPLv2 license, I would have expected the source code to be available from Lexmark, but I could not find it anywhere. The GPLv2 license is clear about this point, and failure to distribute the source code in this case would be a violation of the GPL license.

I would like to know where I can find the source code for the firmware of my printer, thanks.

0

Share this post


Link to post
Share on other sites

You probably know more that i do about gpl violations but some advice can be found here

http://www.fsf.org/licensing/licenses/gpl-violation.html

If it turns out not to not be Linux (and as such, the source code unavailable) is the firmware binary available? Im sure between all of us we could reverse it and find out what we needed to know (btw my reverse engineering skills are very limited but i'm willing to give it a shot :P).

Edited by phr34kc0der
0

Share this post


Link to post
Share on other sites
I passed the evening asking questions on multiple IRC channels, and I really think there's a good chance that the printer is running Linux and not some other form of UNIX using a license other than GNU's GPL. I have just sent Lexmark this mail, hoping it falls in the good hands (I'm dreaming in colors):

Good try, but I fear that it won't get you any where.... unfortunately.

Regarding the hardware, the Marvelll 88W8638 (i believe) is an ARM SOC, probably the Liberates series but their partnumbers are so screwed up.... On the wireless module the FCC ID is not readable, you can find out a whole load of stuff from the FCC search site.

I have a IOMEGA NAS which runs Linux and IOMEGA claims they are not required to release source, their customer support department also says it does not support linux even though Linux is mentioned on the box as a supported OS. Fuckwitts!

Mungewell

0

Share this post


Link to post
Share on other sites

Here is the first reply I got from them:

Dear MarcAndre,

Thank you for contacting us regarding this matter. I appreciate the opportunity to assist you, and I hope my suggestions will provide a resolution.

Here is your Service Request # 1-1473012341

To the best of my knowledge, there are currently no plans to develop Linux drivers to support this model. Thank you for notifying us of this request. I will forward your comments on to our development department, as it is only through input from you, our customers, that we can make these important business decisions.

If you have any more questions or concerns, please contact me at your convenience and I will be happy to assist you. (If I am not available, another representative may reply to your request.)

To respond, please select "Reply" in your e-mail software, and be sure that the past e-mail is included in this reply.

[AOL Users: In order to include the previous e-mail, you must highlight it with your mouse when you are replying.]

If your e-mail client automatically deletes prior e-mail thread information, it will cause a delay while we look up your support history. If this is the case you may want to save the old e-mails as attachments and attach them to the current e-mail.

Sincerely,

Ranjith

Lexmark eSupport Team

http://support.lexmark.com

[THREAD ID:1-OCZRLH]

Please rate your e-mail support experience. Your feedback is extremely valuable to us. Please click the link below to participate in a brief Lexmark Customer Satisfaction Survey.

https://surveys.lexmark.com/survey/s?s=9972

The guy who replied to my email didn't understand what I meant, obviously, and thought I was asking for Linux drivers XD.

@phr34kc0der: yeah, I'm aware of that site you gave a link to, that is my option once the option of asking them to willingly give the source code has been tried.

@mungewell: Did you try contacting the FSF about it?

0

Share this post


Link to post
Share on other sites

I just sent back this reply, hoping to get a more satisfying answer:

Hi Ranjith,

Thanks for taking the time to reply to my email. I'm afraid I have been misunderstood, I am talking about the software that the printer itself is running in order to receive printing jobs and accomplish other tasks, not the driver I would need to install on my computer or any other software that is installed on my computer. By firmware I am referring to the embedded operating system that the printer is running. For this kind of software it is common to see Linux being used as it is easy to modify and adapt to different embedded devices such as printers (Linksys routers also run Linux, for instance). The reason why I am telling you this is because I have sufficient reasons to believe that my Lexmark x4690 printer is running a Linux-based firmware (the list of processes that I've sent you in my first mail shows processes that only appear on a Linux system). A Linux-based firmware would be covered by the same license as the original Linux kernel, the GNU General Public License (GPL), which would force Lexmark to comply to it. The GPL states clearly that modified versions of code that is released under the GPL must remain in GPL, and that the modified code must be available, along with many other conditions. Failure to comply to the GPL when using GPL-covered code is a violation of the GPL and is illegal.

A famous case of a violation of the GPL has been seen with Linksys routers running Linux. People have noticed that Linksys routers (the WRT54G, for instance) were running a Linux-based firmware, but that the source code for that firmware was unavailable from Linksys. The issue got resolved when Linksys (which is now owned by Cisco) released the source code for its Linux-based firmware. As I'm finding myself in front of a similar situation, I am ringing the alarm. I went on Lexmark's website and I couldn't even find the firmware in its binary form, even less the source code for it. The firmware revision for my printer is NET.AR.N204.

Can you please forward this email to your superiors or anybody that would be the best suited to help me solve this issue? I want proof that my printer isn't running Linux, otherwise I want the source code for it.

Thanks a lot for your time,

-Marc-Andre

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now