Examining printer firmware might also reveal the details more readily.

kefka · on June 7, 2017

Probably. But my experiences are that these chips are fabless fab chips with half a dozen things on it. Reverse engineering is of course doable. But you're getting into ARM territory, with custom ARM licenses and different opcodes. It gets "unfun", and quickly. And ARM has no concept of probing for hardware, your best chance at a memorymap is whatever you build yourself, and not fry.

But I would imagine that a simple 3d printed harness would work a lot better with allowing signals to be recorded and make the printer think its printing. Then the bypass harness could have an ARM on it and spool instructions to either a SD card, or via USB serial.

The goal here is as transparent as possible, just in case there are other security systems that try to detect this attack. But I'd guess they havent got to that point yet.

nucleardog · on June 8, 2017

Why make the printer "think" it's printing. Why not just literally measure and record the pulses sent to the actual print heads?

The "yellow dot" method would be picked up pretty quickly by the yellow being triggered while printing entirely B&W documents.

Things like dithering, if they encode things like printer serial numbers might be catchable by printing an identical set of documents across two examples of the printer.

kefka · on June 8, 2017

> Why make the printer "think" it's printing. Why not just literally measure and record the pulses sent to the actual print heads?

That's what my shim would do, is record the signals to the ink solenoids. The reason to make the printer think its printing, is primarily because of all the DRM lockout crap all manufacturers use. Ideally, I'd even let it print so that when the firmware sees ink levels going down, nothing on the firmware side would look amiss.

> The "yellow dot" method would be picked up pretty quickly by the yellow being triggered while printing entirely B&W documents.

Indeed. However, its old hat about the yellow dots. I know they've moved on to something much harder to detect, and also likely scan and reprint resilient. What is this new type? No bloody clue. I'd assume a bad actor using heavy stego on chip. And if I were designing it, I'd watch for things like test images coming through and not mark them.

My first attempt would be with a high res 100$ bill scan. I betcha that'd trigger something interesting.

> Things like dithering, if they encode things like printer serial numbers might be catchable by printing an identical set of documents across two examples of the printer.

Yeah, I figure there's a serial number, time/date, hostname, IP, logged-in username.. All sorts of data. This is also corporate espionage area as well as national security, so I'd figure they would put out all the stops to catch, if they can't prevent the print itself.

Just chalk it up to me, and my paranoid mind. Still doesnt mean they arent out to get you!