Lexmark x4690 Reverse Engineering

[Aghaster 23]

I recently got a Lexmark x4690 wifi printer. It is a quite nice printer, except for the fact that it doesn't work with Linux. I can use my brother's computer that runs Windows to print, but I'd like to be able to print from Linux. I've installed the printer so that it connects wirelessly to my router as a network printer, to avoid the trouble of going through a computer that must sit there waiting for printing jobs. A network printer protocol is probably much easier to reverse engineer and program for than reverse engineering a USB printer driver and then writing a new one. I've used wireshark to capture the packets as I was printing the test page (the test page the software asks you to print to test that the printer is working fine). Wireshark seems to be putting protocol names that are close to what the printer is using but not exactly it (it reports checksum errors in the packets, probably some kind of checksum used by the protocol it thinks it is, but the checksum must be different with this printer protocol).

I've uploaded the wireshark packet capture here for other people to study it.

In the packet capture, 192.168.1.117 is the computer from which I was printing and 192.168.1.175 is the printer. I also ran nmap to see what services were running on the printer:

Interesting ports on 192.168.1.175:
Not shown: 1709 closed ports
PORT	  STATE SERVICE
21/tcp	open  ftp
80/tcp	open  http
8000/tcp  open  http-alt
9100/tcp  open  jetdirect
10000/tcp open  snet-sensor-mgmt
50000/tcp open  iiimsf

Not all of the services shown by nmap seem to be used in the packet capture, maybe the printer supports other network printing protocols? No idea. All ideas are welcome.

[chaostic 7]

You would be much better off trying to find the CUPS or LP forums and asking there.

But, port 9100? Is it capable of being set up as a IP printer like most net enabled printers? Or can you access it's webserver and just submit pdfs or what not like that? Sure, its not ideal, but setting up a PS or PDF printer on your linux box and then dropping the pdf to the printer's http server (or ftp server) can get you running for now.

Apparently, Lexmark does not use regular standards, or support Linux at all. If you have a Mac or OSX box, there are mac drivers for it, and OSX uses CUPS just like linux. That should help guide you towards a quicker result than trying to work from Windows drivers.

[Aghaster 23]

You would be much better off trying to find the CUPS or LP forums and asking there.

But, port 9100? Is it capable of being set up as a IP printer like most net enabled printers? Or can you access it's webserver and just submit pdfs or what not like that? Sure, its not ideal, but setting up a PS or PDF printer on your linux box and then dropping the pdf to the printer's http server (or ftp server) can get you running for now.

Apparently, Lexmark does not use regular standards, or support Linux at all. If you have a Mac or OSX box, there are mac drivers for it, and OSX uses CUPS just like linux. That should help guide you towards a quicker result than trying to work from Windows drivers.

Hum... you have a good point here. I have an older PowerPC mac, I'm going to install the driver, print the test page and capture the packets with wireshark and see if they're much different from the Windows one.

Yeah, Lexmark seems to totally ignore Linux's existence. They simply don't bother.

[jelliott7593 10]

Yeah, Lexmark seems to totally ignore Linux's existence. They simply don't bother.

Too many companies just over look the open-source community.

[UTS_HOST 1]

we used lexmark printers all the time at the company i use to work for. Identix, they made fingerprint software for the state. A lot of our systems were redhat based, i will see if i have any of the old images laying around. To keep it simple, it was a redhat system with Identix software running on top to capture finger prints, mug shots ect , then you can print the finger print cards off the lexmark printer. Chance's are if you have been arrested you have been booked with a Identix system. Now part of L1 Identity solutions.

[eth0enigma 4]

You would be much better off trying to find the CUPS or LP forums and asking there.

But, port 9100? Is it capable of being set up as a IP printer like most net enabled printers? Or can you access it's webserver and just submit pdfs or what not like that? Sure, its not ideal, but setting up a PS or PDF printer on your linux box and then dropping the pdf to the printer's http server (or ftp server) can get you running for now.

Apparently, Lexmark does not use regular standards, or support Linux at all. If you have a Mac or OSX box, there are mac drivers for it, and OSX uses CUPS just like linux. That should help guide you towards a quicker result than trying to work from Windows drivers.

Hum... you have a good point here. I have an older PowerPC mac, I'm going to install the driver, print the test page and capture the packets with wireshark and see if they're much different from the Windows one.

Yeah, Lexmark seems to totally ignore Linux's existence. They simply don't bother.

i would agree that cups or an lp forum would be a better place to ask, however since port 9100 is open check out irongeeks video on network printer hacking http://www.irongeek.com/i.php?page=videos/...6printerhacking you may be able to telnet to that port and print via telnet I've done it on some HP printers i don't know much about how lexmark has it's network printers setup.

-E

[schippstrich 5]

I am not sure what you have done so far as to try and get it communicating with your Linux box but here:

Have you used CUPS and tried searching for a generic Lexmark driver(If your specified model is not listed)? Try the PS or PPD files.

Connect to it using IPP or the JetDirect Service (port 9100).

Are you using Debian? (I know you like Debian)

On the Gnome menu : System ---> Administration --> Printing

It will walk you through it.

If you are using a different desktop environment find a similar approach.

[chaostic 7]

we used lexmark printers all the time at the company i use to work for. Identix, they made fingerprint software for the state. A lot of our systems were redhat based, i will see if i have any of the old images laying around. To keep it simple, it was a redhat system with Identix software running on top to capture finger prints, mug shots ect , then you can print the finger print cards off the lexmark printer. Chance's are if you have been arrested you have been booked with a Identix system. Now part of L1 Identity solutions.

Apparently, Lexmark does have drivers for corporate-type printers, but not the commercial-type printers they make.

[Aghaster 23]

I got new exciting info. On port 10000 is a very interesting interface. I found out more in this blog post from someone with another lexmark printer:

http://blog.trumpton.org.uk/2008/12/lexmar...on-printer.html

There's no proof yet but this very suspiciously look like an embedded Linux distribution. If it is, Lexmark will be the new Linksys.

aghaster@debian:~$ telnet 192.168.1.175 10000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
LXK: ls

?
enable
exit
finger
gatherdebug
help
history
info
lbcntl
lookup
ls
netstat
ping
setup
nvramreset

LXK: netstat -n

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address		   Foreign Address		 State	  
tcp		0	  0 0.0.0.0:8000			0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:4033			0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:9100			0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:50000		   0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:10000		   0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:80			  0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:21			  0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:631			 0.0.0.0:*			   LISTEN	  
tcp		0	  0 192.168.1.175:10000	 192.168.1.110:54859	 ESTABLISHED 
udp		0	  0 0.0.0.0:9100			0.0.0.0:*						   
udp		0	  0 0.0.0.0:161			 0.0.0.0:*						   
udp		0	  0 0.0.0.0:5353			0.0.0.0:*						   
udp		0	  0 0.0.0.0:9580			0.0.0.0:*						   
udp		0	  0 239.255.255.250:3702	0.0.0.0:*						   

LXK: info


USB port 1
Printer Type:  3600-4600 Series
Print Job Status: No Job Currently Active
Printer Status: 0 Ready

Adapter Information
Network Card Type: Ethernet 802.11b/g
Firmware Revision: NET.AR.N204
Network Card Part Number: 40X4817
Network Card EC: MN_SH_2
Network Address (MSB, Canonical): 0004007CDB52, 0020003EDB4A
Address 192.168.1.175
Netmask 255.255.255.0
Gateway 192.168.1.1

LXK: setup

Ethernet 802.11b/g

Carte Réseau
   Etat:						 Connecté
   Bitrate:					  48 Mbps
   Date et heure actuelles:	  2006-04-09 20:32
   Délai de fin de tâche:		90
   UAA(MAC):					 0020003EDB4A
   LAA:						  000000000000
   Référence:					40X4817
   MFG FW:					   5D0036C
   Version du microcode:		 NET.AR.N204
   Compi:						27-May-08 16:25, mls-bld
   Mot de passe:				 Définir

Paramètres d'option réseau intégrée
   Type d'imprimante:			 3600-4600 Series

TCP/IP
   Actif:						En fonction
   Activer DHCP:				 Hors fonction
   Source de l'adresse:		  Manuel
   Adresse:					  192.168.1.175
   Masque de réseau:			 255.255.255.0
   Passerelle:				   192.168.1.1
   Nom de domaine complet:	   ET0020003EDB4A.agh.ath.cx
   Nom Zero Configuration:	   Lexmark

Sans fil
   Type BSS:					 Infrastructure
   SSID:						 1337
   Mode sécurité sans fil:	   Désactivé
   Puissance du signal:		  -29 dBm
   Point d'accès actuel:		 001EE535B716
   Canal actuel:				 1
   Qualité:					  Excellente
   Code erreur:				  Aucun

LXK:

[Aghaster 23]

I've just ran a nikto scan on my printer, there are a couple of results I need to try:

debian:/home/aghaster# nikto -h 192.168.1.175 -C all
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP:		  192.168.1.175
+ Target Hostname:	ET0020003EDB4A.local
+ Target Port:		80
+ Start Time:		 2009-04-19 19:52:46
---------------------------------------------------------------------------
+ Server: thttpd
- /robots.txt - contains 1 'disallow' entry which should be manually viewed. (GET)
+ OSVDB-0: Non-standard header cd returned by server, with contents: 2: can't cd to /web
+ thttpd - www.acme.com/software/thttpd. Below v2.03 lets reading of system files by adding // like //etc/passwd. 2.04 has a buffer overflow in 'If-Modified-Since' header.
+ OSVDB-0: GET /search.php?searchfor=\"><script>alert('Vulnerable');</script> : Siteframe 2.2.4 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /phpimageview.php?pic=java script:alert('Vulnerable') : PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS).  http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /myphpnuke/links.php?op=search&query=[script]alert('Vulnerable);[/script]?query= : myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent : myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /modules.php?letter=%22%3E%3Cimg%20src=java script:alert(document.cookie);%3E&op=modload&name=Members_List&file=index : Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /members.asp?SF=%22;}alert('Vulnerable');function%20x(){v%20=%22 : Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-0: GET /forum_members.asp?find=%22;}alert('Vulnerable');function%20x(){v%20=%22 : Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2119: GET /shopexd.asp?catalogid='42 : VP-ASP Shopping Cart 5.0 contains multiple SQL injection vulnerabilities. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0560, http://www.securityfocus.com/bid/8159
+ OSVDB-2799: GET /cgi.cgi/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /webcgi/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-914/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-915/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /bin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /mpcgi/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-bin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /ows-bin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-sys/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-local/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /htbin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgibin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgis/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /scripts/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-win/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /fcgi-bin/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-exe/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-home/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-2799: GET /cgi-perl/dose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ 3577 items checked: 31 item(s) reported on remote host
+ End Time:		2009-04-19 20:25:09 (1943 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Test Options: -h 192.168.1.175 -C all
---------------------------------------------------------------------------

[Aghaster 23]

Here are a couple of special replies when trying to send invalid HTTP requests:

aghaster@debian:~$ telnet 192.168.1.175 8000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
GET /../ HTTP/1.1
Host: 192.168.1.175

HTTP/1.0 200 OK
cd: 2: can't cd to /web
Expires: Sun, 27 Feb 1972 08:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html

<html>
<head>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
<META HTTP-EQUIV="Content-type" CONTENT="text/html; charset=UTF-8">

<TITLE> 3600-4600 Series</TITLE>
<LINK REL="stylesheet" HREF="/configStyle.css" TYPE="text/css">
</head>

<frameset cols="185,*" framespacing="0" border="0" frameborder="0">

  <frame name="left" scrolling="no" target="rtop" src="/cgi-bin/dynamic/left_bar.html">

  <frameset rows="120,*,50">

	<frame name="rtop" target="rbottom" src="./cgi-bin/dynamic/topbar.html" marginwidth="0" marginheight="0" scrolling="no" noresize>
	<frame name="rbottom" src="/cgi-bin/dynamic/status_list.html" scrolling="auto" marginwidth="15" marginheight="10" noresize target="_self">

	<frame name="bottombar" target="bottombar" src="./cgi-bin/dynamic/langbar.html" marginwidth="0" marginheight="0" scrolling="no" noresize>

  </frameset></frameset>
  <noframes>
  <body>
  <p>This page uses frames, but your browser does not support them.</p>
  </body>
  </noframes>
</frameset>

</html>
Connection closed by foreign host.

aghaster@debian:~$ telnet 192.168.1.175 8000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
GET //index.html HTTP/1.1
Host: 192.168.1.175

HTTP/1.1 400 Bad Request
Server: thttpd
Content-Type: text/html
Date: Tue, 04 Apr 2006 03:30:07 GMT
Last-Modified: Tue, 04 Apr 2006 03:30:07 GMT
Accept-Ranges: bytes
Connection: close
booga3!

<HTML>
<HEAD><TITLE>400 Bad Request</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>400 Bad Request</H2>
Your request has bad syntax or is inherently impossible to satisfy.
Connection closed by foreign host.

aghaster@debian:~$ telnet 192.168.1.175 8000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
invalid.		  
UNKNOWN 400 Bad Request
Server: thttpd
Content-Type: text/html
Date: Tue, 04 Apr 2006 03:30:59 GMT
Last-Modified: Tue, 04 Apr 2006 03:30:59 GMT
Accept-Ranges: bytes
Connection: close

<HTML>
<HEAD><TITLE>400 Bad Request</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>400 Bad Request</H2>
Your request has bad syntax or is inherently impossible to satisfy.
Connection closed by foreign host.

aghaster@debian:~$ telnet 192.168.1.175 8000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
GET /404.htm HTTP/1.1
Host: 192.168.1.175

HTTP/1.1 404 Not Found
Server: thttpd
Content-Type: text/html
Date: Tue, 04 Apr 2006 03:31:52 GMT
Last-Modified: Tue, 04 Apr 2006 03:31:52 GMT
Accept-Ranges: bytes
Connection: close

<HTML>
<HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>404 Not Found</H2>
The requested URL '/404.htm' was not found on this server.
Connection closed by foreign host.

Notice how in the second request I get a "booga3!" error while none of the others get that.

[Aghaster 23]

I have disassembled my printer to be able to access the main circuit board and take pictures. I made a list of the things that was written on top of components that I could read:

Lexmark
21B4299
L-LA4475A3
0839T 1785924

Samsung 840
K4S561632J-UC75
S5616 2Y6392A2C

VIM
WM8196SCDS
88ACBRY

5142
2AEMX

SPANSION
FL016A1F

TEXAS INSTRUMENTS
7AA21LTG4
SN105108A
20C0830

8008TMX
SK 88D
1014242

AS358M
820J88

809870
88  17

Datasheets:

K4S561632J-UC75 (256MB DRAM)

WM8196

AS358M

The main circuit board

A closer look at the left of the main circuit board

A closer look at the right of the main circuit board

The SD card reader, it has a mini-usb connector and if you connect it to your computer you should be able to use it. Windows XP was able to detect it and use it right away.

The wireless adapter for the printer, it is connected to the mainboard using some kind of connector which is unknown to me (the white connector on the top left of the mainboard is where it connects)

[Aghaster 23]

Sorry for the huge pictures, I'm hosting them on my personal website. Is there a way to force a resize on those pictures, or an automatic thumbnail? I still want to provide the full size picture, so that people can read the part numbers.

[UTS_HOST 1]

we used lexmark printers all the time at the company i use to work for. Identix, they made fingerprint software for the state. A lot of our systems were redhat based, i will see if i have any of the old images laying around. To keep it simple, it was a redhat system with Identix software running on top to capture finger prints, mug shots ect , then you can print the finger print cards off the lexmark printer. Chance's are if you have been arrested you have been booked with a Identix system. Now part of L1 Identity solutions.

Apparently, Lexmark does have drivers for corporate-type printers, but not the commercial-type printers they make.

yea i ripped open the image on it only works on the higher end models.

[johnnymanson 2]

It's no help for Aghaster but I just bought an HP Officejet 6500 All-in-one printer. Setup for this Wifi enabled printer in Ubuntu was a piece of cake. It is actually faster and easier to add in Ubuntu than XP.

[Aghaster 23]

Vector requested that I remove the metal shield from the wireless adapter and post pictures of it:

Wireless adapter, top view

Wireless adapter, view of the back

Here is a transcription of the part numbers we can see:

88W8638-BEB1
FT14311.2
0818 C2P
TW

Samsung 825
K8P3215UQB
P14B

Samsung 828
K4S281632I-UC75

339
eZE6823

CETCCJ
44.000
835

TPS73701
86C4ENH

Datasheets:

K8P3215UQB (32MB Flash Memory)

K4S281632I-UC75 (128MB SDRAM)

There seem to be a bunch of unpopulated holes, I'm wondering what could go in there. Maybe there's place for a JTAG connector?

[chaostic 7]

8 pins, plus two leds? On a card with wifi? Unpopulated ethernet port. I'll bet someones life on it. Some googling found that Marvel chip (wifi) to be the same as some Linksys voip router combos.

The Empty u1 would most likely be a ethernet transceiver.

The four pin blank connector between the ethernet mask and wifi shield might be serial. One too many pins for WOL. The two pin connector next to it might be a led connector? One pin looks like it goes through a resister then under the wifi shield. Finally, there's a 7 pin sip connection near the top left on the front picture that cant be seen because of the angle of the picture and the caps in the way.

[Aghaster 23]

8 pins, plus two leds? On a card with wifi? Unpopulated ethernet port. I'll bet someones life on it. Some googling found that Marvel chip (wifi) to be the same as some Linksys voip router combos.

The Empty u1 would most likely be a ethernet transceiver.

The four pin blank connector between the ethernet mask and wifi shield might be serial. One too many pins for WOL. The two pin connector next to it might be a led connector? One pin looks like it goes through a resister then under the wifi shield. Finally, there's a 7 pin sip connection near the top left on the front picture that cant be seen because of the angle of the picture and the caps in the way.

It looks like there is some cool stuff that can be done with that. Even if I solder an ethernet port in there, I need the software to be aware of it. In any case, what kind of wire should I use for best results if I want to solder an ethernet port? I'd take an old ethernet socket + cut cat 5 cable, or are ordinary wires just like what you'd use with a breadboard fine?

By the way, it is a row of 6 pins that is partially hidden by the caps (you can tell by the picture of the back of the board). Do you still think it is sip?

[Aghaster 23]

For some reason, the scanner wouldn't work properly when I reassembled the printer. The scanner carrier would move to the right until it reaches it, but then wouldn't know it has reached the end and would try to move further. I swear I've reassembled the thing correctly, I tried cleaning the glass, etc, resetting the printer to factory defaults but nothing would work. I finally just brought the printer back to the store and got a new one. I won't attempt disassembling the new one as if it breaks again I'm stuck with it. There's a plus, however: I had forgotten the password on the previous printer, but I got the password for this one. This means I can access much more for configuration. The thing I wanted to see the most was the LXK prompt on port 10000 with administrator priviledges:

aghaster@debian:~$ telnet 192.168.1.175 10000
Trying 192.168.1.175...
Connected to 192.168.1.175.
Escape character is '^]'.
LXK: enable
Please enter the print server's password : ********
Response accepted.
Extra commands enabled

LXK: ls

?
arp
disable
enable
exit
finger
gatherdebug
help
history
info
lbcntl
lookup
ls
msum
netstat
ping
ps
reset
route
setup
stop
nvramreset

LXK: history

History
Firmware Revision: NET.AR.N204
Time/Date: Mon Apr  3 22:44:28 2006
TB EEC CT: 5 0   0-00:24:21.90
000400AAF4F2, 002000552F4F


LXK: info


USB port 1
Printer Type:  3600-4600 Series
Print Job Status: No Job Currently Active
Printer Status: 0 Ready

Adapter Information
Network Card Type: Ethernet 802.11b/g
Firmware Revision: NET.AR.N204
Network Card Part Number: 40X4817
Network Card EC: MN_SH_2
Network Address (MSB, Canonical): 000400AAF4F2, 002000552F4F
Address 192.168.1.175
Netmask 255.255.255.0
Gateway 192.168.1.1

LXK: netstat

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address		   Foreign Address		 State	  
tcp		0	  0 0.0.0.0:8000			0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:4033			0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:9100			0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:50000		   0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:10000		   0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:80			  0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:21			  0.0.0.0:*			   LISTEN	  
tcp		0	  0 0.0.0.0:631			 0.0.0.0:*			   LISTEN	  
tcp		0	  0 192.168.1.175:10000	 192.168.1.110:46346	 ESTABLISHED 
udp		0	  0 0.0.0.0:9100			0.0.0.0:*						   
udp		0	  0 0.0.0.0:161			 0.0.0.0:*						   
udp		0	  0 0.0.0.0:5353			0.0.0.0:*						   
udp		0	  0 0.0.0.0:9580			0.0.0.0:*						   
udp		0	  0 239.255.255.250:3702	0.0.0.0:*						   

LXK: ps

  PID  Uid	 VmSize Stat Command
	1 root		512 S   init			
	2 root			SWN [ksoftirqd/0]
	3 root			SW< [events/0]
	4 root			SW< [khelper]
	5 root			SW< [kthread]
	8 root			SW< [kblockd/0]
   11 root			SW  [khubd]
   34 root			SW  [pdflush]
   35 root			SW  [pdflush]
   37 root			SW< [aio/0]
   36 root			SW  [kswapd0]
   38 root			SW  [svcerrd]
   70 root			SW  [mtdblockd]
   77 root		492 S   /bin/sh /etc/init.sh 
   88 root		488 S   /bin/sh /pkg-netapps/etc/rc 
   95 root			SWN [jffs2_gcd_mtd1]
  181 root		512 S   syslogd -O /dev/console 
  294 root			SW< [MAC Mgmt]
  307 root		532 S   /pkg-netapps/bin/mvwcd -f /pkg-netapps/etc/mvwcd.conf
  327 root		488 S   /bin/sh /pkg-netapps/etc/debug_prompt 
  329 root		592 S   lexdebug -h 
  348 root		552 S   ErrorExit 
  359 root		732 S   VacuumServer 
  360 root		732 S   VacuumServer 
  362 root		732 S   VacuumServer 
  371 root		796 S   StatusServer 
  372 root		796 S   StatusServer 
  373 root		796 S   StatusServer 
  374 root		796 S   StatusServer 
  375 root		796 S   StatusServer 
  380 root		736 S   NPAP_Server 
  383 root		520 S   /bin/sh /pkg-netapps/etc/rc_net_postPage4 
  389 root		636 S   NPAP_Server 
  390 root		636 S   NPAP_Server 
  391 root		736 S   NPAP_Server 
  392 root		736 S   NPAP_Server 
  393 root		736 S   NPAP_Server 
  394 root		636 S   NPAP_Server 
  388 root		420 S   flashsrv unix:/tmp/flashsrv unix:/tmp/flashsrv_interl
  396 root		736 S   NPAP_Server 
  398 root		760 S   PrinterHandler 
  402 root		616 S   HIDHandler 
  403 root		616 S   HIDHandler 
  405 root		760 S   PrinterHandler 
  406 root		616 S   HIDHandler 
  407 root		760 S   PrinterHandler 
  408 root		760 S   PrinterHandler 
  415 root		760 S   PrinterHandler 
  418 root		800 S   vacWLAN 
  419 root		800 S   vacWLAN 
  420 root		800 S   vacWLAN 
  421 root		800 S   vacWLAN 
  437 root		816 S   vacip -vrbhma 
  438 root		816 S   vacip -vrbhma 
  439 root		816 S   vacip -vrbhma 
  440 root		816 S   vacip -vrbhma 
  476 root		580 S   firewall_app 
  502 root		632 S   vacSEC 
  531 root		856 S   thttpd -nos -d /pkg-netapps/web -p 80 -p 631 -p 8000 
  542 root		676 S   HostListApp 
  543 root		676 S   HostListApp 
  550 root		676 S   HostListApp 
  551 root		676 S   HostListApp 
  552 root		676 S   HostListApp 
  553 root		676 S   HostListApp 
  554 root		676 S   HostListApp 
  558 root		676 S   HostListApp 
  598 root		736 S   mdns 
  608 root		736 S   mdns 
  609 root		736 S   mdns 
  663 root		572 S   NetworkKeepAlive 
  667 root		576 S   addrconf 
  668 root		576 S   addrconf 
  669 root		576 S   addrconf 
  726 root		560 S   /sbin/inetd /tmp/inetd.conf 
  741 root		728 S   host-config 
  749 root		648 S   Hbn3 
  753 root		648 S   Hbn3 
  754 root		648 S   Hbn3 
  755 root		648 S   Hbn3 
  756 root		648 S   Hbn3 
  769 root		584 S   Ntp 
  777 root		796 S   lxkwsPS 
  782 root		504 S   snmpSysDescr 
  783 root		796 S   lxkwsPS 
  784 root		796 S   lxkwsPS 
 1000 root		648 S   lexdebug 
 1006 root		568 R   ps auxf 

LXK: exit

Connection closed by foreign host.

What can we infer from the process list? Are there processes which are known to only exist on Linux?

[chaostic 7]

It looks like there is some cool stuff that can be done with that. Even if I solder an ethernet port in there, I need the software to be aware of it. In any case, what kind of wire should I use for best results if I want to solder an ethernet port? I'd take an old ethernet socket + cut cat 5 cable, or are ordinary wires just like what you'd use with a breadboard fine?

By the way, it is a row of 6 pins that is partially hidden by the caps (you can tell by the picture of the back of the board). Do you still think it is sip?

SIP = Single Inline Pins

As opposed to DIP (Dual Inline Pins). So you would need a strip of SIP to be able to solder on a header to it. I only have DIP headers (standard width, they fit most internal connectors, like internal USB and Front Panel LEDS/Switches, and even 3.5 inch IDE slots.) I need to get some SIP headers for stuff like this (And some 2.5inch ide sized headers)

As for the ethernet, you could use short (still atleast one/two Twists) cat5e cables and make a short extension to a ethernet socket, yes, but it would be better to try to get one that fits right on the board.

The problem is that it won't work with just the connector. It looks like alot of passive components for the ethernet connection are missing, plus two possible active components (U1, and y1). Like I said, U1 is probably the ethernet transceiver, what gives the ethernet connection its mac address and converts from Layer 1 to Layer 2 or above. The Ethernet PHY chip. Y1 could be level protection and smoothing.

To get it to work on ethernet, you would be better off buying the lexmark card with ethernet. But if you have a working wifi router, there is no need.

[Aghaster 23]

I passed the evening asking questions on multiple IRC channels, and I really think there's a good chance that the printer is running Linux and not some other form of UNIX using a license other than GNU's GPL. I have just sent Lexmark this mail, hoping it falls in the good hands (I'm dreaming in colors):

Hi,

I recently bought a Lexmark x4690, a wifi printer. I noticed that the printer has an 'LXK' prompt on port 10000, to ease management of the printer. That LXK prompt provides a couple of commands that allow me to know more about the printer, one of which revealed something quite interesting: the firmware running on my Lexmark printer is most likely Linux-based. Here's a sample of the output of the 'ls' command at the LXK prompt:

LXK: ps

  PID  Uid	 VmSize Stat Command
	1 root		512 S   init			
	2 root			SWN [ksoftirqd/0]
	3 root			SW< [events/0]
	4 root			SW< [khelper]
	5 root			SW< [kthread]
	8 root			SW< [kblockd/0]
   11 root			SW  [khubd]
   34 root			SW  [pdflush]
   35 root			SW  [pdflush]
   37 root			SW< [aio/0]
   36 root			SW  [kswapd0]
   38 root			SW  [svcerrd]
   70 root			SW  [mtdblockd]
...

Many of these processes are known to be Linux processes, such as ksoftirqd, so I exclude the possibility that the printer is using firmware based on some other kind of UNIX. As the Linux kernel is licensed under the GPLv2 license, I would have expected the source code to be available from Lexmark, but I could not find it anywhere. The GPLv2 license is clear about this point, and failure to distribute the source code in this case would be a violation of the GPL license.

I would like to know where I can find the source code for the firmware of my printer, thanks.

[phr34kc0der 35]

You probably know more that i do about gpl violations but some advice can be found here

http://www.fsf.org/licensing/licenses/gpl-violation.html

If it turns out not to not be Linux (and as such, the source code unavailable) is the firmware binary available? Im sure between all of us we could reverse it and find out what we needed to know (btw my reverse engineering skills are very limited but i'm willing to give it a shot ).

Edited April 27, 2009 by phr34kc0der

[mungewell 7]

I passed the evening asking questions on multiple IRC channels, and I really think there's a good chance that the printer is running Linux and not some other form of UNIX using a license other than GNU's GPL. I have just sent Lexmark this mail, hoping it falls in the good hands (I'm dreaming in colors):

Good try, but I fear that it won't get you any where.... unfortunately.

Regarding the hardware, the Marvelll 88W8638 (i believe) is an ARM SOC, probably the Liberates series but their partnumbers are so screwed up.... On the wireless module the FCC ID is not readable, you can find out a whole load of stuff from the FCC search site.

I have a IOMEGA NAS which runs Linux and IOMEGA claims they are not required to release source, their customer support department also says it does not support linux even though Linux is mentioned on the box as a supported OS. Fuckwitts!

Mungewell

[Aghaster 23]

Here is the first reply I got from them:

Dear MarcAndre,

Thank you for contacting us regarding this matter. I appreciate the opportunity to assist you, and I hope my suggestions will provide a resolution.

Here is your Service Request # 1-1473012341

To the best of my knowledge, there are currently no plans to develop Linux drivers to support this model. Thank you for notifying us of this request. I will forward your comments on to our development department, as it is only through input from you, our customers, that we can make these important business decisions.

If you have any more questions or concerns, please contact me at your convenience and I will be happy to assist you. (If I am not available, another representative may reply to your request.)

To respond, please select "Reply" in your e-mail software, and be sure that the past e-mail is included in this reply.

[AOL Users: In order to include the previous e-mail, you must highlight it with your mouse when you are replying.]

If your e-mail client automatically deletes prior e-mail thread information, it will cause a delay while we look up your support history. If this is the case you may want to save the old e-mails as attachments and attach them to the current e-mail.

Sincerely,

Ranjith

Lexmark eSupport Team

http://support.lexmark.com

[THREAD ID:1-OCZRLH]

Please rate your e-mail support experience. Your feedback is extremely valuable to us. Please click the link below to participate in a brief Lexmark Customer Satisfaction Survey.

https://surveys.lexmark.com/survey/s?s=9972

The guy who replied to my email didn't understand what I meant, obviously, and thought I was asking for Linux drivers XD.

@phr34kc0der: yeah, I'm aware of that site you gave a link to, that is my option once the option of asking them to willingly give the source code has been tried.

@mungewell: Did you try contacting the FSF about it?

[Aghaster 23]

I just sent back this reply, hoping to get a more satisfying answer:

Hi Ranjith,

Thanks for taking the time to reply to my email. I'm afraid I have been misunderstood, I am talking about the software that the printer itself is running in order to receive printing jobs and accomplish other tasks, not the driver I would need to install on my computer or any other software that is installed on my computer. By firmware I am referring to the embedded operating system that the printer is running. For this kind of software it is common to see Linux being used as it is easy to modify and adapt to different embedded devices such as printers (Linksys routers also run Linux, for instance). The reason why I am telling you this is because I have sufficient reasons to believe that my Lexmark x4690 printer is running a Linux-based firmware (the list of processes that I've sent you in my first mail shows processes that only appear on a Linux system). A Linux-based firmware would be covered by the same license as the original Linux kernel, the GNU General Public License (GPL), which would force Lexmark to comply to it. The GPL states clearly that modified versions of code that is released under the GPL must remain in GPL, and that the modified code must be available, along with many other conditions. Failure to comply to the GPL when using GPL-covered code is a violation of the GPL and is illegal.

A famous case of a violation of the GPL has been seen with Linksys routers running Linux. People have noticed that Linksys routers (the WRT54G, for instance) were running a Linux-based firmware, but that the source code for that firmware was unavailable from Linksys. The issue got resolved when Linksys (which is now owned by Cisco) released the source code for its Linux-based firmware. As I'm finding myself in front of a similar situation, I am ringing the alarm. I went on Lexmark's website and I couldn't even find the firmware in its binary form, even less the source code for it. The firmware revision for my printer is NET.AR.N204.

Can you please forward this email to your superiors or anybody that would be the best suited to help me solve this issue? I want proof that my printer isn't running Linux, otherwise I want the source code for it.

Thanks a lot for your time,

-Marc-Andre