| Electronics > Projects, Designs, and Technical Stuff |
| Lexmark Printer Hacking |
| << < (2/2) |
| mobilegamer999:
Another way you might be able to increase speed would be to send it over as bytes of data instead of ASCII which will net you up to about a 2x speedup. |
| mojobojo:
--- Quote from: mobilegamer999 on May 15, 2014, 02:26:46 pm ---Hey, I upped the serial speed and re-wrote some of it so it should hopefully transfer a lot faster, try this code. NOTE: You will need to set your receive baud to 115200 instead of 9600. --- Code: ---// MX25L6405 SPI // Datasheet http://www.macronix.com/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/$defaultview/3F21BAC2E121E17848257639003A3146/$File/MX25L6405,%203V,%2064Mb,%20v1.3.pdf?OpenElement // Some code from http://arduino.cc/en/Tutorial/SPIEEPROM // Pin Definitions #define DATAOUT 11 // MOSI #define DATAIN 12 // MISO #define SPICLOCK 13 // sck #define SLAVESELECT 10 // ss // Command Definitions #define WREN 0x06 // Sets the (WEL) write enable latch bit #define WRDI 0x04 // Reset the (WEL) write enable latch bit #define RDID 0x9F // Output the manufacturer ID and 2-byte device ID (outputs 3 bytes) #define RDSR 0x05 // To read out the status register (outputs 1 byte) #define WRSR 0x01 // To write new values to the status register #define READ 0x03 // N bytes read out until CS# goes high (requires input address of 3 bytes) (outputs ? bytes) #define FAST_READ 0x0B // (requires input address of 3 bytes, optional fourth?) (outputs ? bytes) #define PARALLEL_MODE 0x55 // Enter and stay in parallel mode until power off #define SE 0x20 // Sector erase (input 3 bytes address) #define SE_ALT 0xD8 #define CE 0x60 // Chip erase #define CE_ALT 0xC7 #define PP 0x02 // Page Program (input 3 byte address) #define DP 0xB9 // Deep Power Down #define EN4K 0xB5 // Enter 4Kb sector #define EX4K 0xB5 // Exit 4Kb sector #define RDP 0xAB // Release from deep power down #define RES 0xAB // Read electronic id (optional 3 byte input?) #define REMS 0x90 // Read electronic manufacturer & device id (2 byte optional? third byte if 0 will // output manufacturer id first, 1 will output device id first) char fmt[16]; // Some place to sprintf into byte eeprom_output_data = 0; byte eeprom_input_data = 0; byte clr = 0; byte spi_transfer(volatile byte data) { SPDR = data; // Start the transmission while (!(SPSR & (1 << SPIF))) // Wait the end of the transmission { }; return SPDR; // return the received byte } void setup() { Serial.begin(115200); pinMode(DATAOUT , OUTPUT); pinMode(DATAIN , INPUT); pinMode(SPICLOCK , OUTPUT); pinMode(SLAVESELECT , OUTPUT); // Data sheet says this must be high digitalWrite(SLAVESELECT, HIGH); // SPCR = 01010000 //interrupt disabled, spi enabled, msb 1st, master, clk low when idle, //sample on leading edge of clk, system clock/4 rate (fastest) SPCR = (1 << SPE)|(1 << MSTR); clr = SPSR; clr = SPDR; delay(1000); } void ReadID() { digitalWrite(SLAVESELECT, LOW); spi_transfer(RDID); int b1 = spi_transfer(0xFF); int b2 = spi_transfer(0xFF); int b3 = spi_transfer(0xFF); digitalWrite(SLAVESELECT, HIGH); Serial.print(fmt); Serial.print(b1, HEX); Serial.print(" "); Serial.print(b2, HEX); Serial.print(" "); Serial.println(b3, HEX); } void ReadElectronicId() { digitalWrite(SLAVESELECT, LOW); spi_transfer(RES); spi_transfer(0x00); spi_transfer(0x00); spi_transfer(0x00); int b1 = spi_transfer(0xFF); digitalWrite(SLAVESELECT, HIGH); Serial.println(b1); } void ReadManufactureId() { digitalWrite(SLAVESELECT, LOW); spi_transfer(REMS); spi_transfer(0x00); spi_transfer(0x00); spi_transfer(0x00); int b1 = spi_transfer(0xFF); int b2 = spi_transfer(0xFF); int b3 = spi_transfer(0xFF); digitalWrite(SLAVESELECT, HIGH); Serial.print(fmt); Serial.print(b1, HEX); Serial.print(" "); Serial.print(b2, HEX); Serial.print(" "); Serial.println(b3, HEX); } void ReadStatusReg() { digitalWrite(SLAVESELECT, LOW); spi_transfer(RDSR); int b1 = spi_transfer(0xFF); digitalWrite(SLAVESELECT, HIGH); sprintf(fmt, "%02X\n", b1); Serial.print(fmt); } void Dump() { int data; digitalWrite(SLAVESELECT, LOW); spi_transfer(READ); // Address auto increments so only need to do a read instruction once // Address 0x000000 spi_transfer(0x00); spi_transfer(0x00); spi_transfer(0x00); for (int i = 0, x = 0; i < 4096; i++, x++) { if (x >= 16) { Serial.println(); x = 0; } Serial.print(spi_transfer(0xFF)); Serial.print(" "); } digitalWrite(SLAVESELECT, HIGH); } void loop() { ReadID(); // RDID //ReadElectronicId(); // RES //ReadManufactureId(); // REMS //Dump(); while (1) { delay(1000); } } --- End code --- --- End quote --- Thank you very much for this. I will definitely have to try this out later. |
| manu:
Hello, In addition to what it was already said to speed up the uart baudrate to 115200+ (230400 is easy to get on Arduino, some tries may be neccessary at 460800 and 921600) and transfer data in binary rather than ASCII, you may speed up the SPI clock from 4MHz to 8MHz (according to the eeprom datasheet, you can set the spi clock up to 50MHz) by using SPI.setClockDivider to 2 : http://arduino.cc/en/Reference/SPISetClockDivider If you have a more powerful board than the Arduino, you may speed up the process, but hey, what's the fun in that! You could save the dump of the memory with a serial client like Teraterm, but you may already have the necessary tools to do that. I just get a quick look at your post, so excuse me if I had made any mistake. Good luck in you reverse engineering. |
| flextard:
Hi! I cannot stress how happy I am to find this thread!!! I have been given a similar printer that wouldn't print. Somehow I managed to make it print unreliably, but by then I had already disassembled it twice and built interest in the ARM platforms inside. That was September last year, and after a few weeks of getting nowhere (having minimal reverse engineering experience) I put the project on hold. Tonight, however, I grabbed the dusty boards and power supply out of the shelf and started dicking around. In my case (can't remember the printer model), the LCD board is a 'fully' independent system, with ARM processor, 512Mbit DDR400 (http://www.samsung.com/global/business/semiconductor/file/2011/product/2009/10/22/083716ds_k4h51xx38g_fbga_rev10.pdf, 512Mbit flash (H27U518S2CTP-BC), capacitive touch-screen controller, and own power regulation down from the printer's 30VDC input apparently. The 'mainboard' looks just like the one on the pic above, but without the NIC and connector. What bugged me for a while, and still surprises me, is that they used USB as a data link between the boards. So of course I traced the USB TX/RX lanes through the boards and concluded the mainboard's processor hosts the WiFi module and the card reader controller. That controller then hosts the PictBridge USB port and also the USB-Mini that links to the LCD/UI board. Once the printer booted, I quickly swapped the miniA cable for one that was plugged to my Linux desktop (PC to LCD/UI board), and got a RNDIS link! :D Gave it an IP, pinged fine at .6ms average, port scanned with SSH and Telnet active but filtered, one open port that I have to check again, and another open port which is UPNP 1900 which replied 404 to an http request. A bit confusing, but this is how far I think I am now. Will get some sleep and eagerly wait to hear from you guys! Cheers. |
| BonesMax:
I am so glad I found this site ;D It just so happens I have stripped a Lexmark Laser printer 968 with the idea of having some fun . This one has the 6203 motherboard made in 2007 with a mini usb connecter so looks like I'm going to have some once the rain stops pouring down and I can get the boards inside. I'm hoping yo guys will post more as you go along. |
| Navigation |
| Message Index |
| Previous page |