Announcement

Collapse
No announcement yet.

Pantum P2502W Toner Reset Chip help

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    #81
    Re: Pantum P2502W Toner Reset Chip help

    I found a simple way to reset the toner chip page counter via the USB cable. No need to open the printer or buy a chip programmer.

    The only drawback is that you still need to be able to print a page for the firmware to write the new page counter to the toner chip.

    If anyone wants to try this, send me a PM because this hack is firmware version specific and at the moment it will only work on printers that have the same firmware as mine.

    Comment


      #82
      Re: Pantum P2502W Toner Reset Chip help

      Guys check out this page, they have modified the firmware to require no chip.

      I hope we can reverse engineer what they did or just pay the small free to the firmware:

      https://zaplaty.com/itm/pantum-printer-fixware/3107505

      Comment


        #83
        Re: Pantum P2502W Toner Reset Chip help

        Originally posted by timschuerewegen View Post
        If anyone wants to try this, send me a PM because this hack is firmware version specific and at the moment it will only work on printers that have the same firmware as mine.
        Could you please share the instruction with me?

        Comment


          #84
          Re: Pantum P2502W Toner Reset Chip help

          I would be interested in more info as well. Looking to do the same on a Samsung M2070W which I believe is very similar internals.
          I dumped the eeprom however it looks encrypted so I guess the next step is to reverse engineer the firmware to find the key/algo.
          If you could share details of how you did this for the Pantum it might speed up the process. Thanks

          Comment


            #85
            Re: Pantum P2502W Toner Reset Chip help

            Originally posted by s00 View Post
            Looking to do the same on a Samsung M2070W which I believe is very similar internals.
            The M2070W SPI flash contents looks totally different, there is no decrypted bootloader. Recent Pantum printers use a decrypted bootloader with an encrypted firmware, and the values needed to derive the key are stored in OTP register inside the SoC. The firmware contains USB commands to read/write ANY memory, so you can dump the SPI flash (since it is memory mapped), read the OTP registers to derive the key, and manipulate RAM while the printer is running to e.g. reset the toner chip counters.

            Comment


              #86
              Re: Pantum P2502W Toner Reset Chip help

              would U PLZ show us how to do so?

              Comment


                #87
                Re: Pantum P2502W Toner Reset Chip help

                Originally posted by timschuerewegen View Post
                I found a simple way to reset the toner chip page counter via the USB cable. No need to open the printer or buy a chip programmer.

                The only drawback is that you still need to be able to print a page for the firmware to write the new page counter to the toner chip.

                If anyone wants to try this, send me a PM because this hack is firmware version specific and at the moment it will only work on printers that have the same firmware as mine.

                would U PLZ show us how to do so?

                Comment


                  #88
                  Re: Pantum P2502W Toner Reset Chip help

                  Originally posted by timschuerewegen View Post
                  I successfully modified the page count on my toner chip, but ...

                  The newer firmware versions keep track of up to 5 toner chip page counts in the nvram area on the SPI flash chip. When the firmware reads the page count from the toner chip, it will compare it to the page count value in nvram for that toner chip and use the highest value. This means that lowering the page count on the toner chip alone will not work, unless you also edit nvram or use the toner chip in a new printer.

                  I also figured out how to dump and upgrade the firmware via USB. I might try to make a "toner always full" or "no toner chip required" firmware for my P2500W printer
                  welldone ... but will you share the cooked firware with us???

                  Comment


                    #89
                    Re: Pantum P2502W Toner Reset Chip help

                    Originally posted by crdleoffiilth View Post
                    welldone ... but will you share the cooked firware with us???
                    I never made such firmware. The only thing I can do is reset the toner page counter(s) by using the USB memory read/write commands, but it depends on firmware version, so only the version I have is supported.

                    Comment


                      #90
                      Re: Pantum P2502W Toner Reset Chip help

                      [QUOTE=timschuerewegen;1155048]I never made such firmware. The only thing I can do is reset the toner page counter(s) by using the USB memory read/write commands, but it depends on firmware version, so only the version I have is supported.[/QUOT]
                      Tanx what commands U use and firmware version of Urs Plz

                      Comment


                        #91
                        Re: Pantum P2502W Toner Reset Chip help

                        Originally posted by timschuerewegen View Post
                        I never made such firmware. The only thing I can do is reset the toner page counter(s) by using the USB memory read/write commands, but it depends on firmware version, so only the version I have is supported.
                        Tanx what commands U use and firmware version of Urs Plz

                        Comment


                          #92
                          Re: Pantum P2502W Toner Reset Chip help

                          Originally posted by crdleoffiilth View Post
                          Tanx what commands U use and firmware version of Urs Plz
                          I used the USB memory read/write commands to modify some of the firmware RAM variables related to page counter(s) so that when I printed a page, the page counter(s) would be set to 0, both in the toner chip and printer flash memory. My printer has the 3.2.4.1 (encrypted) firmware.

                          Comment


                            #93
                            Re: Pantum P2502W Toner Reset Chip help

                            Originally posted by timschuerewegen View Post
                            The M2070W SPI flash contents looks totally different, there is no decrypted bootloader. Recent Pantum printers use a decrypted bootloader with an encrypted firmware, and the values needed to derive the key are stored in OTP register inside the SoC. The firmware contains USB commands to read/write ANY memory, so you can dump the SPI flash (since it is memory mapped), read the OTP registers to derive the key, and manipulate RAM while the printer is running to e.g. reset the toner chip counters.
                            ok, thanks useful to know.
                            I had a look and found a debug UART on the printer and can see it is using u-boot as the bootloader and running VxWorks as the RTOS. Unfortunately all the standard u-boot commands don't work so I couldn't dump the memory/flash that way. No sign of JTAG either

                            Comment


                              #94
                              Re: Pantum P2502W Toner Reset Chip help

                              Originally posted by timschuerewegen View Post
                              I used the USB memory read/write commands to modify some of the firmware RAM variables related to page counter(s) so that when I printed a page, the page counter(s) would be set to 0, both in the toner chip and printer flash memory. My printer has the 3.2.4.1 (encrypted) firmware.
                              I really dont know what exactly U mean common share the commands and the exact commands that modifies f...cking printer frimware

                              Comment


                                #95
                                Re: Pantum P2502W Toner Reset Chip help

                                Originally posted by crdleoffiilth View Post
                                I really dont know what exactly U mean common share the commands and the exact commands that modifies f...cking printer frimware
                                How are you sending the commands to the printer?

                                Comment


                                  #96
                                  Re: Pantum P2502W Toner Reset Chip help

                                  Originally posted by timschuerewegen View Post
                                  How are you sending the commands to the printer?
                                  I just ordered a pantum printer and waiting for it to arrive.
                                  If you're still around, could you give more details on how to send commands to the printer? (i.e. does it emulate a serial port, uses bulk transfers or something else?).

                                  Comment


                                    #97
                                    Re: Pantum P2502W Toner Reset Chip help

                                    @timschuerewegen I got the printer, under Linux I found that I can write some commands to /dev/usb/lp0 and get back an answer (I tried the same on tcp port 9100, jetdirect, with no answer).

                                    The commands have the format

                                    (ESC)%-12345X@PJL ENTER LANGUAGE=ACL(CR)(LF)(16 bytes)(ESC)%-12345X

                                    and the 16 bytes I found that give me back an answer are:

                                    00 ac 00 01 00 00 00 00 00 00 00 00 00 00 00 00 -> gives back the firmware version (string)

                                    00 ac ff 85 00 00 00 00 00 00 00 00 00 00 00 00 -> gives back the ram size in MB in one of the reply bytes

                                    00 ac ff 05 00 00 00 00 00 00 00 00 00 00 00 00 -> gives back the serial number (string)

                                    00 ac 00 08 00 00 00 00 00 00 00 00 00 00 00 00 -> gives back a long string with some gibberish and part of the model

                                    00 ac 00 06 00 00 00 00 00 00 00 00 00 00 00 00 -> gives back a longer string with some gibberish and another part of the model

                                    Could you tell me if I'm on the right track and what are the commands to read/write the memory?

                                    Comment


                                      #98
                                      Re: Pantum P2502W Toner Reset Chip help

                                      long string with some gibberish?
                                      try viewing it as 16bit unicode.
                                      maybe it's asian writing?

                                      Comment


                                        #99
                                        Re: Pantum P2502W Toner Reset Chip help

                                        No, definitely there's plain ASCII code there mixed with binary data.
                                        The reply to those two commands comes in two frames, the first is a mirror of the command with the 8th byte containing the length of the second frame.

                                        00 AC 00 08 00 01 00 5B 00 00 00 00 00 00 00 00

                                        54 49 4D 45 3D E4 BA 94 20 38 E6 9C 88 20 31 34 20 31 37 3A 30 31 3A 34 39 20 32 30 32 30 20 50 52 4F 44 3D 70 61 6E 74 75 6D 5F 32 30 31 36 5F 62 61 73 61 6C 74 20 64 65 62 75 67 20 20 20 20 20 20 20 5B 4E 4F 20 4D 41 43 20 41 44 44 52 45 53 53 5D 0D 0A 00 6C 01 D4 21 6C :TIME=五.8月.14.17:01:49.2020.PROD=pantum_2016_basalt.debug.......[NO.MAC.ADDRESS]...l.?!l



                                        00 AC 00 06 00 01 00 76 00 00 00 00 00 00 00 00

                                        00 76 4D 46 47 3A 50 61 6E 74 75 6D 3B 4D 44 4C 3A 4D 36 35 30 30 57 20 73 65 72 69 65 73 3B 43 4D 44 3A 41 43 4C 2C 43 4D 44 2C 73 63 61 6E 2C 5A 4A 53 2C 50 4A 4C 3B 43 49 44 3A 50 61 6E 74 75 6D 20 4D 36 35 30 30 57 20 73 65 72 69 65 73 3B 43 4C 53 3A 50 52 49 4E 54 45 52 3B 44 45 53 3A 50 61 6E :.vMFG:Pantum;MDL:M6500W.series;CMD:ACL,CMD,scan,ZJS,PJL;CID:Pantum.M6500W.series;CLS:PRINTER;DES:Pan
                                        18 - 74 75 6D 20 4D 36 35 30 30 57 20 73 65 72 69 65 73 3B :tum.M6500W.series;

                                        Comment


                                          Re: Pantum P2502W Toner Reset Chip help

                                          These are the different functions.

                                          AclReadTable and AclWriteTable are the functions that read/write memory. You can use them to read the OTP memory (to derive the firmware encryption key), dump the SPI flash, and modify firmware variables to reset the toner counters.

                                          0x0001 = AclGetVersion
                                          0x0002 = AclRetStatus
                                          0x0003 = AclReadEEPROM
                                          0x0004 = AclGetASICID
                                          0x0006 = AclGet1284String
                                          0x0008 = AclGetBuildInfo
                                          0x0009 = AclReadTable
                                          0x000A = AclWriteTable
                                          0x000F = AclBurnFlash
                                          0x0080 = AclGetInportKey
                                          0x0300 = sc_csc_dl_csc_table
                                          0x0301 = sc_csc_delete_csc_tables
                                          0x1001 = ttcp_process_acl
                                          0xC0DE = AclDoDownload
                                          0xD1EE = AclResetBoard
                                          0xEC0D = AclWriteEEPROM
                                          0xF001 = ACL_test_OUT
                                          0xF002 = ACL_test_IN
                                          0xFF00 = AclClearPageCounter
                                          0xFF01 = AclGetPageCounter
                                          0xFF03 = AclGetTonerInfo
                                          0xFF04 = AclSetSerialNumber
                                          0xFF05 = AclGetSerialNumber
                                          0xFF06 = AclSetMacAddress
                                          0xFF07 = AclGetMacAddress
                                          0xFF08 = AclSetProductionDate
                                          0xFF09 = AclGetProductionDate
                                          0xFF0A = AclSetProductionBatch
                                          0xFF0B = AclGetProductionBatch
                                          0xFF0C = AclSetEngineConfig
                                          0xFF0D = AclGetEngineConfig
                                          0xFF0E = AclSetNetConfig
                                          0xFF0F = AclGetNetConfig
                                          0xFF10 = AclSetMachineType
                                          0xFF11 = AclGetMachineType
                                          0xFF13 = AclReadFile
                                          0xFF14 = AclSetPreburningTest
                                          0xFF15 = AclGetPreburningTest
                                          0xFF16 = AclPortTest
                                          0xFF18 = AclMfpPanelUpdate
                                          0xFF1A = AclSetRestoreFactory
                                          0xFF1D = Acl_Wifi_Get_RSSI
                                          0xFF20 = ? set oid, set zone set flag, set country code, ...
                                          0xFF21 = AclGetPrinterAttributes
                                          0xFF23 = ? toner set serial number
                                          0xFF24 = ? toner get serial number
                                          0xFF27 = ? AclSetPowerOffEnable
                                          0xFF28 = ? AclGetPowerOffEnable
                                          0xFF80 = AclWifiSetup
                                          0xFF81 = AclWifiGetInfo
                                          0xFF82 = AclSetSleepTime
                                          0xFF83 = AclGetSleepTime
                                          0xFF84 = AclPrintInternalPage
                                          0xFF85 = ACLGetDDRmemsize
                                          0xFF86 = AclGetFwUpdateRate
                                          0xFF87 = AclGetPrinterStatus
                                          0xFF88 = ACLConfirmUpdateOlderVersion

                                          Comment

                                          Working...
                                          X