Author Topic: Lexmark toner chip Ti046b1  (Read 122022 times)

0 Members and 3 Guests are viewing this topic.

Offline Alan.B

  • Contributor
  • Posts: 13
  • Country: ar
Re: Lexmark toner chip Ti046b1
« Reply #125 on: July 19, 2018, 10:16:19 pm »
Friend, thank you for your logs, they are very helpful!

Could you add these lines to the sketch? They are to make a full dump of the chip! And I would need you to upload those dumps, especially the reset chip and if you can also do a full dump of a chip before the reset with delcopi and after the reset, better!

Code: [Select]
//In variables
uint8_t k[3] = {0x01, 0x00, 0x00};
uint8_t k_[1024];

uint8_t l[3] = {0x01, 0x00, 0x04};
uint8_t l_[1024];

//In "switch" function
case 'k':
  Serial.print("Send: 0x01, 0x00, 0x00 | Dump1: ");
  read_TI046B1_register(0x000, k, sizeof(k), k_, sizeof(k_), 0);
  break;
case 'l':
  Serial.print("Send: 0x01, 0x00, 0x04 | Dump2: ");
  read_TI046B1_register(0x000, l, sizeof(l), l_, sizeof(l_), 0);
  break;
 

Offline AndreiKenig

  • Contributor
  • Posts: 11
  • Country: ru
Re: Lexmark toner chip Ti046b1
« Reply #126 on: July 22, 2018, 06:40:16 pm »
Alan.B
Sorry. I did not understand that I should enter a, b, c, d ... The sketch works.
Code: [Select]
------ UnBlock-----
Send: 0x03 | Response: 00
Send: 0x83 | Response: F0
Send: 0x01,0x50,0x04 | Response: 01F80050323446303030320000000909
Send: 0x82 | Response: 38
Send: 0x81, 0x08 | Response: FF
Send: 0x82 | Response: 48
Send: 0x81, 0x4E, 0x86, 0x61, 0xAE, 0x96, 0x54, 0xC2, 0x31, 0xFA, 0xC6, 0x2D, 0x53, 0x74, 0x35 | Response: FF
Send: 0x82 | Response: 88
Send: 0x80 | Response: BD98F565CCE0D40116CBB70880CDB38A
---
Send: 0x03 | Response: 00
Send: 0x83 | Response: F0
Send: 0x01,0x50,0x04 | Response: 01F80050323446303030320000000909
Send: 0x82 | Response: 38
Send: 0x81, 0x08 | Response: FF
Send: 0x82 | Response: 48
Send: 0x81, 0x4E, 0x86, 0x61, 0xAE, 0x96, 0x54, 0xC2, 0x31, 0xFA, 0xC6, 0x2D, 0x53, 0x74, 0x35 | Response: FF
Send: 0x82 | Response: 88
Send: 0x80 | Response: BD98F565CCE0C7017B0EE30DF199F38B
---
Send: 0x03 | Response: 00
Send: 0x83 | Response: F0
Send: 0x01,0x50,0x04 | Response: 03AD0050323446303030330000000913
Send: 0x82 | Response: 38
Send: 0x81, 0x08 | Response: FF
Send: 0x82 | Response: 48
Send: 0x81, 0x4E, 0x86, 0x61, 0xAE, 0x96, 0x54, 0xC2, 0x31, 0xFA, 0xC6, 0x2D, 0x53, 0x74, 0x35 | Response: FF
Send: 0x82 | Response: 88
Send: 0x80 | Response: BD98F565CCE0F0015709189211715C84

-----Block-----
Send: 0x03 | Response: 00
Send: 0x83 | Response: F0
Send: 0x01,0x50,0x04 | Response: 03AD0050323446303030330000000913
Send: 0x82 | Response: 38
Send: 0x81, 0x08 | Response: FF
Send: 0x82 | Response: 48
Send: 0x81, 0x4E, 0x86, 0x61, 0xAE, 0x96, 0x54, 0xC2, 0x31, 0xFA, 0xC6, 0x2D, 0x53, 0x74, 0x35 | Response: FF
Send: 0x82 | Response: 98
Send: 0x80 | Response: 00000000000000000000000000000000
---
Send: 0x03 | Response: 00
Send: 0x83 | Response: F0
Send: 0x01,0x50,0x04 | Response: 01940050323446313338320000000905
Send: 0x82 | Response: 38
Send: 0x81, 0x08 | Response: FF
Send: 0x82 | Response: 48
Send: 0x81, 0x4E, 0x86, 0x61, 0xAE, 0x96, 0x54, 0xC2, 0x31, 0xFA, 0xC6, 0x2D, 0x53, 0x74, 0x35 | Response: FF
Send: 0x82 | Response: 98
Send: 0x80 | Response: 00000000000000000000000000000000

The programmer DelCopi badly flushes the chip. He writes that 500 pages are printed.  >:(
Мemory addresses where the information:
0x00E1-0x00E2 Number of pages printed //0x16, 0x32  (5682 pages)
0x0440-0x044B Serial number           //0x43, 0x41, 0x44, 0x31, 0x37, 0x33, 0x31, 0x38, 0x31, 0x35, 0x34, 0x33 (CAD173181543)
0x0453-0x045A Model                   //0x50, 0x32, 0x34, 0x46, 0x30, 0x30, 0x30, 0x33 (P24F0003)
0x045F-0x0460 Volume of the cartridge //0x13, 0x88 (5000)
Attaching dump chips. In the name "reset" this chip was dropped and after that printed.


Number of pages printed  0x131, 0x132
 

Offline Technics66

  • Contributor
  • Posts: 10
  • Country: ru
Re: Lexmark toner chip Ti046b1
« Reply #127 on: July 23, 2018, 03:47:28 pm »

Number of pages printed  0x131, 0x132
I noticed that 0x0C0-0FF = 0x110-0x14F.
There are new cartridges P50F5H00. I took the dumps from the new one installed in the printer 317, installed in the MFP410 and printed pages.
« Last Edit: July 23, 2018, 04:23:59 pm by Technics66 »
 

Offline Alan.B

  • Contributor
  • Posts: 13
  • Country: ar
Re: Lexmark toner chip Ti046b1
« Reply #128 on: July 24, 2018, 01:51:29 am »
Technics66! You would have some chip of these 24D0002, 52D4000, 52D4H00, 52D4X00. They are the ones that I have, but I can not authenticate in the registry 0x81; and I think if you try to read with Delcopi any of these in the log you could get an authentication key and it would be very useful ...

I leave you a new sketch, which optimizes a bit the use of memory in global variables.

With "t", perform a test chip (chip information)
with "d", perform a full dump of the chip.

Regards!

Code: [Select]
#include "twi-all-included.h"

void setup()
{
  Serial.begin(9600); 
  twi_init();
}

bool read_TI046B1_register(uint16_t TenBits_slave_address, uint8_t * registerBuffer, int registerSize, uint8_t * destinationBuffer, uint16_t readSize, bool stopCom)
{
  uint16_t slave_address_LSB = TenBits_slave_address & 0x0FF; //0076543210 //8 LSB
  uint16_t slave_address_MSB = TenBits_slave_address & 0x300; //9800000000 //2 MSB
 
  //Put the MSB bits to the Left :
  slave_address_MSB = slave_address_MSB >> 8; //For example, 0x300 becomes 0x003
 
  //7 bits address equivalent for the begining :
  uint8_t SevenBits_compat_address = 0x78 | slave_address_MSB; //TWI library will put send those 7 bits followed by read/write bit.
 
  //Preparation of the write buffer : 8LSB of the slave's address, then 3 bytes writes to call a register read.
  uint8_t txBuffer[registerSize + 1];

  for(uint8_t i = 0; i < sizeof(txBuffer); i++)
  {
    if(i==0)
    {
      txBuffer[i] = slave_address_LSB;
    }
    else
    {
      txBuffer[i] = registerBuffer[i-1];
    }
  }

  uint16_t nRet = twi_writeTo(SevenBits_compat_address, txBuffer, sizeof(txBuffer), 1, stopCom);
  if (nRet == 1)
  {
    Serial.println("W1");
    return;
  }
  else if (nRet == 2)
  {
    Serial.println("W2");
    return;
  }
  else if (nRet == 3)
  {
    Serial.println("W3");
    return;
  }
  else if (nRet == 4)
  {
    Serial.println("W4");
    return;
  }
 
  nRet = twi_readFrom(SevenBits_compat_address, destinationBuffer, readSize, true); //xxx bytes read with a Stop at the end. 
  if (nRet == 0x00)
  {
    Serial.println("R1");
    return;
  }
 
  if (nRet != readSize)
  {
    Serial.println("R2");
    return;
  }

  if (nRet == readSize)
  {
    for (uint16_t i=0; i<readSize; i++)
    {
      //Serial.print("0x");
      if (destinationBuffer[i] < 0x10)
      {
        Serial.print(0, HEX);
        Serial.print(destinationBuffer[i], HEX);
      }
      else
      {
        Serial.print(destinationBuffer[i], HEX);
      }
      if(i != readSize) Serial.print(" ");
    }
    Serial.println("");
   
    return true;
  }

}

//DelCopi Secuence
uint16_t a_ = 1, b_ = 1, c_ = 16, d_ = 1, e_ = 1, f_ = 1, g_ = 1, h_ = 1, i_ = 16, k_ = 1024, l_ = 1024;
uint8_t a[1] = {0x03};
uint8_t b[1] = {0x83};
uint8_t c[3] = {0x01,0x50,0x04};
uint8_t d[1] = {0x82};
uint8_t e[2] = {0x81, 0x08};
uint8_t f[1] = {0x82};
uint8_t g[15] = {0x81, 0x4E, 0x86, 0x61, 0xAE, 0x96, 0x54, 0xC2, 0x31, 0xFA, 0xC6, 0x2D, 0x53, 0x74, 0x35};
uint8_t h[1] = {0x82};
uint8_t i[1] = {0x80};
//Full Dump!
uint8_t k[3] = {0x01, 0x00, 0x00};
uint8_t l[3] = {0x01, 0x00, 0x04};
//One Buffer for all!
uint8_t rxBuffer[1024];

void loop()
{
  char command = getCommand();
  switch (command)
  {
    case 't': //Test Chip
        Serial.print("Send: 03 \t\t\t\t\t\t| Response: ");
        read_TI046B1_register(0x000, a, sizeof(a), rxBuffer, a_, 0);
        Serial.print("Send: 83 \t\t\t\t\t\t| Response: ");
        read_TI046B1_register(0x000, b, sizeof(b), rxBuffer, b_, 0);
        Serial.print("Send: 01 50 04 \t\t\t\t\t\t| Response: ");
        read_TI046B1_register(0x000, c, sizeof(c), rxBuffer, c_, 0);
        Serial.print("Send: 82 \t\t\t\t\t\t| Response: ");
        read_TI046B1_register(0x000, d, sizeof(d), rxBuffer, d_, 0);
        Serial.print("Send: 81 08 \t\t\t\t\t\t| Response: ");
        read_TI046B1_register(0x000, e, sizeof(e), rxBuffer, e_, 1);
        Serial.print("Send: 82 \t\t\t\t\t\t| Response: ");
        read_TI046B1_register(0x000, f, sizeof(f), rxBuffer, f_, 0);
        Serial.print("Send: 81 4E 86 61 AE 96 54 C2 31 FA C6 2D 53 74 35 \t| Response: ");//81 4E 86 61 AE 96 54 C2 31 FA C6 2D 53 74 35
        read_TI046B1_register(0x000, g, sizeof(g), rxBuffer, g_, 1);
        Serial.print("Send: 82 \t\t\t\t\t\t| Response: ");
        read_TI046B1_register(0x000, h, sizeof(h), rxBuffer, h_, 0);
        Serial.print("Send: 80 \t\t\t\t\t\t| Response: ");
        read_TI046B1_register(0x000, i, sizeof(i), rxBuffer, i_, 0);
        Serial.println("");
      break;
    case 'd': //Dump Chip
        Serial.print("Full Dump: ");
        read_TI046B1_register(0x000, k, sizeof(k), rxBuffer, k_, 0);
        read_TI046B1_register(0x000, l, sizeof(l), rxBuffer, l_, 0);
        Serial.println("");
      break;
  }
}

char getCommand()
{
  char c = '\0';
  if (Serial.available())
  {
    c = Serial.read();
  }
  return c;
}
 
The following users thanked this post: Sutan

Offline Bigkim

  • Contributor
  • Posts: 12
  • Country: ca
Re: Lexmark toner chip Ti046b1
« Reply #129 on: July 24, 2018, 06:06:11 am »
 I work for a company that sells generic cartridges that are not refilled, but are manufactured by a different company.
Our chips no only give a "Full" reading at all times,but more importantly trick the printer into thinking that a cartridge is original.
We actually find that "compatables" cost less than refilling, and since refilling is messy, and a lot of "toner empty" notifications are actually mechanical problems in disguise,  so we have found compatables a better route.
 Printer companies spend a lotta time trying to keep non-original compatable cartridges outta their printers, and often try to "root" us out with frequent "printer upgrades" by email.
Luckily our Asian suppliers keep one step ahead of them, as are one of Amazons top suppliers, with 100% customer satisfaction, over 20 years.
 

Offline Technics66

  • Contributor
  • Posts: 10
  • Country: ru
Re: Lexmark toner chip Ti046b1
« Reply #130 on: July 26, 2018, 01:57:01 pm »
By studying the reset and use logs, I concluded that there are 5 blocks with data. At the end of each block there seems to be a checksum (CRC16).
1. 0x020 - 0x0BD. CRC in 0x0BE-0x0BF (158 byte + 2 byte CRC16)
2. 0x0C0 - 0X0E9. CRC in 0x0EA-0x0EB (42 byte + 2 byte CRC16)
3. 0x0EC - 0x10D. CRC in 0x10E-0x10F (32 byte + 2 byte CRC 16)
4. 0x110 - 0x139. CRC in 0x13A-0x13B = block 2 (42 byte + 2 byte CRC16)
5. 0x13C - 0x15D. CRC in 0x15E-0x05F = block 3 (32 byte + 2 byte CRC 16)
I'm not sure about the checksums, but when resetting the programmer in these addresses writes data that is not read anywhere. Check and understand what kind of data I could not.
 

Offline Technics66

  • Contributor
  • Posts: 10
  • Country: ru
Re: Lexmark toner chip Ti046b1
« Reply #131 on: July 27, 2018, 08:28:31 am »
Sorry. In the previous message, the .xls file is not incorrect. The data was truncated while saving in the xls. The full xlsx file is in the archive.
UPD.
Using the code for calculating the checksum
Code: [Select]
uint16_t crc16(const uint8_t* data_p, uint8_t length)
{
    uint8_t x;
    uint16_t crc = 0xFFFF;

    while (length--)
    {
        x = crc >> 8 ^ *data_p++;
        x ^= x >> 4;
        crc = (crc << 8) ^ ((uint16_t)(x << 12)) ^ ((uint16_t)(x <<5)) ^ ((uint16_t)x);
    }
    return crc;
}
Computed that 3 blocks and not 5.
1. 0x020 - 0x0BD. CRC16 in 0x0BE-0x0BF (158 byte + 2 byte CRC16)
2. 0x0C0 - 0x10D. CRC16 in 0x10E-0x10F (78 byte + 2 byte CRC 16)
3. 0x110 - 0x15D. CRC16 in 0x15E-0x15F (78 byte + 2 byte CRC 16) = block2
I will write a sketch for resetting the chip.
« Last Edit: July 27, 2018, 04:06:32 pm by Technics66 »
 

Offline AndreiKenig

  • Contributor
  • Posts: 11
  • Country: ru
Re: Lexmark toner chip Ti046b1
« Reply #132 on: July 27, 2018, 06:04:21 pm »
0x450 0x451 Initial Quanta (константа расчёта расхода тонера) постоянная
0xE3 0xE4 Изменяемая кванта
0x133 0x134 = 0xE3 0xE4 Изменяемая кванта
Initial Quanta значение по которому рассчитывается расход тонера на печать
Изменяемая кванта - откорректированное значение Initial Quanta в зависимости от вращения мешалки картриджа
Так же "изменяемая кванта" меняется от результата проверки OEM или NotOEM
 
The following users thanked this post: Alan.B, Technics66

Offline Alan.B

  • Contributor
  • Posts: 13
  • Country: ar
Re: Lexmark toner chip Ti046b1
« Reply #133 on: July 27, 2018, 09:05:20 pm »
Sorry. In the previous message, the .xls file is not incorrect. The data was truncated while saving in the xls. The full xlsx file is in the archive.
UPD.
Using the code for calculating the checksum
Code: [Select]
uint16_t crc16(const uint8_t* data_p, uint8_t length)
{
    uint8_t x;
    uint16_t crc = 0xFFFF;

    while (length--)
    {
        x = crc >> 8 ^ *data_p++;
        x ^= x >> 4;
        crc = (crc << 8) ^ ((uint16_t)(x << 12)) ^ ((uint16_t)(x <<5)) ^ ((uint16_t)x);
    }
    return crc;
}
Computed that 3 blocks and not 5.
1. 0x020 - 0x0BD. CRC16 in 0x0BE-0x0BF (158 byte + 2 byte CRC16)
2. 0x0C0 - 0x10D. CRC16 in 0x10E-0x10F (78 byte + 2 byte CRC 16)
3. 0x110 - 0x15D. CRC16 in 0x15E-0x15F (78 byte + 2 byte CRC 16) = block2
I will write a sketch for resetting the chip.

Technics66:
Analyzing your dumps, I saw that by inserting the cartridge with the new chip, the printer makes changes to the serial number ... Could you connect the analyzer and take data from all this? I was left without the printer, it was from a client, but I want to continue with the investigation.

I attach your dumps, I turned them into bin.

Regards!
 
The following users thanked this post: AndreiKenig

Offline AndreiKenig

  • Contributor
  • Posts: 11
  • Country: ru
Re: Lexmark toner chip Ti046b1
« Reply #134 on: July 27, 2018, 09:22:17 pm »
Sorry. In the previous message, the .xls file is not incorrect. The data was truncated while saving in the xls. The full xlsx file is in the archive.
UPD.
Using the code for calculating the checksum
Code: [Select]
uint16_t crc16(const uint8_t* data_p, uint8_t length)
{
    uint8_t x;
    uint16_t crc = 0xFFFF;

    while (length--)
    {
        x = crc >> 8 ^ *data_p++;
        x ^= x >> 4;
        crc = (crc << 8) ^ ((uint16_t)(x << 12)) ^ ((uint16_t)(x <<5)) ^ ((uint16_t)x);
    }
    return crc;
}
Computed that 3 blocks and not 5.
1. 0x020 - 0x0BD. CRC16 in 0x0BE-0x0BF (158 byte + 2 byte CRC16)
2. 0x0C0 - 0x10D. CRC16 in 0x10E-0x10F (78 byte + 2 byte CRC 16)
3. 0x110 - 0x15D. CRC16 in 0x15E-0x15F (78 byte + 2 byte CRC 16) = block2
I will write a sketch for resetting the chip.

Technics66:
Analyzing your dumps, I saw that by inserting the cartridge with the new chip, the printer makes changes to the serial number ... Could you connect the analyzer and take data from all this? I was left without the printer, it was from a client, but I want to continue with the investigation.

I attach your dumps, I turned them into bin.

Regards!

The printer never changes the serial number of the chip, which is in the range 0x440 - 0x44b and consists of 12 bytes

And attached dumps are not suitable for analysis, because there are a lot of incorrectly read data in them.



« Last Edit: July 27, 2018, 09:31:41 pm by AndreiKenig »
 

Offline Technics66

  • Contributor
  • Posts: 10
  • Country: ru
Re: Lexmark toner chip Ti046b1
« Reply #135 on: July 28, 2018, 04:00:49 am »
Alan.B
The serial number does not change. You took the dump from another chip. I spread two dumps from 50F5H00 with different serial numbers (CAP142340A90 & CAS1218556D7).
AndreiKenig
Is it possible to take a complete dump with TI046B1? Full dump can only be read directly from FRAM. I have not come across chips which could be considered a dump.  :(
 

Offline Kulick

  • Newbie
  • Posts: 2
  • Country: ru
Re: Lexmark toner chip Ti046b1
« Reply #136 on: August 08, 2018, 05:25:40 pm »
Hi, friends.
There are devices, there are chips and empty and new. Need help?
Can I join the decision? ;)
Thanks.
 

Offline driver_x

  • Contributor
  • Posts: 21
  • Country: af
Re: Lexmark toner chip Ti046b1
« Reply #137 on: August 09, 2018, 09:37:01 pm »

    • 0x82 is a kind of Status Register that the printers reads before asking anything else.
      • status 0x38 is "nothing more to say, please enter something into 0x81"
         
      • status 0x48 is "0x81 Register received 0x08" (lets call this mode 0x08)
      • status 0x88 is the following step : 14 bytes question has been write into 0x81 after having entered mode 0x08
         
      • status 0x49 is "0x81 Register received 0x09" (lets call this mode 0x09)
      • status 0x89 is the following step : 14 bytes question has been write into 0x81 after having entered mode 0x09

    • 0x80 is an information register where 16 bytes are read after having write the 0x81 register as described before, by 0x08 or 0x09 in a first time and then 14 bytes in a second time

    Registers that are being write :
    • 0x04 is the first register that is called on each cartridge, with a Stop occuring during ACK (there is no ACK or NACK bit), followed by a useless start stop, observed by oscilloscope too. Let's guess this is useless. But it's common to the 5 cartridges (well, 4 cartridge and 1 imaging drum).

    • 0x81 is the only one register that is written after closing the lid. It's a command register that influences the status register (0x82) and define what will be read into 0x80. We can see single byte writes on it (0x08 or 0x09) for selecting what looks like a mode, then a 14 bytes question write (with something that looks like it's totally unpredictable) before being able to read 16 bytes into 0x80 (16 bytes that also looks like they are totally unpredictable).


    This looks like the chip authenticating protocol described here: https://patents.google.com/patent/US20060224889A1/en?q=md5&assignee=lexmark



     

    Offline driver_x

    • Contributor
    • Posts: 21
    • Country: af
    Re: Lexmark toner chip Ti046b1
    « Reply #138 on: August 20, 2018, 10:20:38 pm »
    Here's some info i've discovered so far:
    The size of the FRAM is 2048 bytes. The size is specified here : http://techinsights.com/reports-and-subscriptions/open-market-reports/Report-Profile/?ReportKey=CAR-1504-802. Also you can verify this by trying to read addresses bigger than 2048 bytes, it will start to read from the beginning.

    The corespondence of the memory offsets and the registers discovered by pixconfig here: https://www.eevblog.com/forum/projects/lexmark-toner-chip-ti046b1/msg1472727/#msg1472727 is the following:

    Register 0x01>0x20>0x04 = memory offset 0x0420 = 1056 decimal
    Register 0x01>0x40>0x04 = memory offset 0x0440 = 1088 decimal
    [..]etc
    So basically you form the offset's hex number by reversing the order of the register's bytes.

    If you want to dump the entire chip, you can read the register 0x01>0x00>0x00 size 2048 (it didn't work for me) or read in two chunks of 1024 bytes (first 0x01>0x00>0x00 size 1024 then 0x>0x01>0x00>0x04 size 1024)

    @pixconfig:
    the following offsets are not read/written in your dumps, so this needs further investigation:

    Offset 0x160 (register 0x01>0x60>0x01), size 6 bytes, this one is repeating at offset 0x400 (register 0x01>0x00>0x04)

    also Offset 0x408 (register 0x01>0x08>0x04) - 4 bytes long - contains data that is not read/written in your dumps.

    Maybe there registers are written by the chip (the same way the copy of 20 00 register is written without any specific instruction from the printer.

    The other bytes that are not read/written contains either 00 f7 either 00.
    « Last Edit: August 20, 2018, 11:00:53 pm by driver_x »
     

    Offline driver_x

    • Contributor
    • Posts: 21
    • Country: af
    Re: Lexmark toner chip Ti046b1
    « Reply #139 on: August 21, 2018, 04:52:55 pm »
    Hi!
    The first 2 bytes are overwritten and they encrypt the first 32 bytes and the last 256 bytes.
    verified personally ;)
    First 32 bytes and last 256 are just a series of 00 F7, at least in my dump, here's the map I've made:
     

    Offline driver_x

    • Contributor
    • Posts: 21
    • Country: af
    Re: Lexmark toner chip Ti046b1
    « Reply #140 on: August 21, 2018, 09:55:59 pm »
    Some small research:


    >>>Only for starter cartridges<<<:

    Year of installation: 0xAF, size = 2 bytes
    Month of installation: 0xB2, size = 1 byte
    Day of installation : 0xB4, size = 1 byte

    Another timestamp:
    Year: 0xc3, size = 2 bytes
    Month: 0xc6, size = 1 byte
    Day: 0xc8, size = 1 byte

    Probably the expiration year: 0xD5, size=2 bytes

    Yet Another timestamp:
    Year: 0xd7, size = 2 bytes
    Month: 0xda, size = 1 byte
    Day: 0xdc, size = 1 byte

    >>>end only for starter cartridges<<<


    pageCount : 0x51 - 2 bytes
    serial : 0x440 - 12 bytes
    deviceID :  0x44c - 4 bytes
    partNumber : 0x455 - 8 bytes
    maxCapacity : 0x49A 2 bytes

    « Last Edit: August 22, 2018, 07:03:55 pm by driver_x »
     

    Offline Deathcore

    • Newbie
    • Posts: 3
    • Country: gb
    Re: Lexmark toner chip Ti046b1
    « Reply #141 on: August 22, 2018, 01:21:38 pm »
    Has anyone had any luck with doing the same with the Imaging Unit?
    I've mirrored the contents over from a brand new Imaging Unit to a Used one and the printer only seems to see the unit as "Defective" after about 20 seconds or so.

    The data structure seems to be different to the toners, as the 1st and 2nd 56 byte register show different contents.

    I'll put together some dumps and post them up when I can but would appreciate any help or pointers!
     

    Offline driver_x

    • Contributor
    • Posts: 21
    • Country: af
    Re: Lexmark toner chip Ti046b1
    « Reply #142 on: August 22, 2018, 01:37:43 pm »
    Searched for a Texas Instruments chip that is able to perform authentification using cryptographic functions, found this :
    http://www.ti.com/lit/an/slua389a/slua389a.pdf
    http://www.ti.com/lit/ds/symlink/bq26100.pdf

    but...

    From what I observe, in the 0x81 register is written the 14 bytes challenge, then from 0x80 is being read the 16 bytes response from the chip, and this is done 8 times for each cartridge. But the response does not look like a SHA-1 hash, first because SHA-1 is 20 byte long, and second because in all the the 8 responses of  16 bytes , bytes 7 and 8 are the same. MD5 is 16 bytes but the repetition of the bytes 7 and 8 in all the responses excludes any hash function(?)
    And second, the last 1024 bytes memory block might be read only in order to prevent the changing of the serial number, deviceID, maxCapacity , region and all the other cartridge factory parameters.

    Later:

    Connect your printer via ethernet, then in your internet browser type http://your_printer_ip/se (replace "your_printer_ip" with your real printer ip)
    Then go to "Dump SysDebugData" and do some search for "cyan",  yellow or whatever... you'll find some data about the cartridges.
    What is strange is that after resetting the 56 and 208 registers of a empty cartridge, of course that the printer is telling me to replace it and it does not take in consideration the information stored in the chip, as it is displaying the same number of printed pages, install date etc as they were before the resetting :((.
    « Last Edit: August 22, 2018, 09:33:49 pm by driver_x »
     

    Offline Deathcore

    • Newbie
    • Posts: 3
    • Country: gb
    Re: Lexmark toner chip Ti046b1
    « Reply #143 on: August 24, 2018, 03:05:01 pm »
    Just an update.
    I rewrote the all first 1024 bytes from a new Drum unit to a Used board and the unit is now giving me an "Imaging unit unsupported" error rather than "Imaging unit defective".

    Step in the right direction but still no luck, I suspect that the device is checking for a CRC somewhere or the 2nd set of 1024 bytes holds part number information and the used board that was overwritten was a "Black only" imaging unit rather than "Black and Colour".
     

    Offline amyk

    • Super Contributor
    • ***
    • Posts: 8240
    Re: Lexmark toner chip Ti046b1
    « Reply #144 on: August 25, 2018, 12:22:06 am »
    What is strange is that after resetting the 56 and 208 registers of a empty cartridge, of course that the printer is telling me to replace it and it does not take in consideration the information stored in the chip, as it is displaying the same number of printed pages, install date etc as they were before the resetting :((.
    The printer probably memorises the serials of the last X cartridges.
     

    Offline driver_x

    • Contributor
    • Posts: 21
    • Country: af
    Re: Lexmark toner chip Ti046b1
    « Reply #145 on: August 25, 2018, 08:19:17 am »
    Just an update.
    I rewrote the all first 1024 bytes from a new Drum unit to a Used board and the unit is now giving me an "Imaging unit unsupported" error rather than "Imaging unit defective".

    Step in the right direction but still no luck, I suspect that the device is checking for a CRC somewhere or the 2nd set of 1024 bytes holds part number information and the used board that was overwritten was a "Black only" imaging unit rather than "Black and Colour".
    I think we must have a sticky thread with the information we have found so far , because i see we are reinventing the wheel with each post:)

    Int the 56 bytes register is written the type and the color of the cartridge, so you can't just copy the first 1024 bytes from a type of cartridge to another type.
    The mapping of the bytes in the 56 bytes register was discovered by pixconfig here: https://www.eevblog.com/forum/projects/lexmark-toner-chip-ti046b1/msg1526623/#msg1526623
    We succedeed to set all the counters to zero, but it seems that the printer is also keeping in its internal memory the last parameters of each cartridge, so I see two solutions:

    1. Discover a way to change the cartridge serial number from the cartridge's memory
    2. Discover a way to clear the serials of the cartridges from the printer memory(they are not erased when you restore the printer to factory defaults)

     

    Offline Deathcore

    • Newbie
    • Posts: 3
    • Country: gb
    Re: Lexmark toner chip Ti046b1
    « Reply #146 on: August 25, 2018, 10:49:58 am »
    Apologies for the confusion, I have read through the thread a couple of times but I was looking at the Chip on the Imaging/Drum Unit not the toners. (Address 0x005)
    The imaging unit uses the same TI046B1 chip but the registers and data on the chip are in a different layout to the toners.

    I had copied the data from a good full chip to a used chip that the printer had not seen before, but it was still rejected, the drum unit may be checking for something other than just the serial number though.

    A sticky thread would be a very good idea though! :)
     

    Offline driver_x

    • Contributor
    • Posts: 21
    • Country: af
    Re: Lexmark toner chip Ti046b1
    « Reply #147 on: August 25, 2018, 01:59:26 pm »
    If you post the dump of the new chip and the used chip maybe we can discover what and where the printer is writing on the chip and try to reset the counters rather than to overwrite with data from another chip.
    For the cartridges we have also some bytes in the first 1024 segment that we don't know what are representing (the bytes surrounded with red line from the map posted by me here: https://www.eevblog.com/forum/projects/lexmark-toner-chip-ti046b1/msg1762853/#msg1762853 ) If you look with attention you will see that the group of 6 bytes from 0x160 repeats at the offset 0x400, with other words, the last bytes with values from the first 1024 segment are repeating in the second 1024 segment. If you overwrite the first segment then the values will not match. Maybe in the imaging drum chip there is a similar protection
     

    Offline driver_x

    • Contributor
    • Posts: 21
    • Country: af
    Re: Lexmark toner chip Ti046b1
    « Reply #148 on: August 28, 2018, 07:51:04 pm »
    Ok, some new update with the last discoveries:
    It seems that (at least for the starter cartridge i'm experimenting) that cleaning all the first 169 bytes(as in pixconfig's function) from the 208 register is making the printer to show the message: "replace the cartridge". I remember that the first time i saw this was in pixconfig's post after he wrote the function for resetting the 208 register. Then I thought that maybe the printer needs some info saved there (the timestamps for example) and I tried to reset only the first 15 bytes which is obvious that are encoding the toner usage (i was lucky because I saved the full dump before reseting, and I was able to restore the initial 208 register). Surprise! The printer no longer says to replace the cartridge and it says that the cartridge is full. ;)

    Here's the sysdebugdata log for the cartridge:

    Code: [Select]
    osikey Magenta Toner, serial CAH163060CDA valid 1, id 1:
      partNumber 38CSL14M, deviceID 65399522, pageCountValid 1, pageCount 801.
      pageRemainValid 1, pageRemain 1400.
      maxCapacity 1400, maxCapacityPages 1400, level 10.
      maxLevel 10, minLevel 0, increments 10%, SUPPLY_STATUS 0.
      SUPPLY_OSIGAUGE_TYPE 2, SUPPLY_EMAIL_TYPE 0
      Levels:
                      SUPPLY_EARLYWARN => LevelOn 1, LevelActive 0, TriggerValue 4, LevelMax 9, LevelMin 1, Behaviors 0xff, levid 0x1273, behid 0x126e, behav 0.
                      SUPPLY_NEARLYLOW => LevelOn 1, LevelActive 0, TriggerValue 3, LevelMax 9, LevelMin 1, Behaviors 0xff, levid 0x1274, behid 0x126f, behav 0.
                            SUPPLY_LOW => LevelOn 1, LevelActive 0, TriggerValue 2, LevelMax 9, LevelMin 1, Behaviors 0xff, levid 0x1579, behid 0x1270, behav 2.
                    SUPPLY_NEARLYEMPTY => LevelOn 1, LevelActive 0, TriggerValue 1, LevelMax 9, LevelMin 1, Behaviors 0xff, levid 0x1275, behid 0x1271, behav 2.
                          SUPPLY_EMPTY => LevelOn 1, LevelActive 0, TriggerValue 0, LevelMax 0, LevelMin 0, Behaviors 0x02, levid 0xffff, behid 0x1272, behav 4.
      type 2, prebate 2, refilled 2, afterMarket 0, carttype 0, menuPageSupport 0.
      installed INST, supported 1, ignoreMsgNotSupported 0, serialNumberIsReal 1
      dataValid 1, firstPercentReported 100, region 0, genuine 1, exposed 2, non-genuine IR 2
      flags:
        ignoreLevelWrnOnce 0
      supplyHasWarning 0, supplyHasIntervention 0, supplyHasNonContinueIntervention 0
      supplyGetConditionTextId 75577 (OK).

    Need to investigate why it shows  pageCount 801, maybe I have a bug somwhere in the resetting function.

    Later edit: no bug in the function, the printer is writing back on the chip the pageCount as soon you put the cartridge in the printer.

    208 register analysis:

    Start ByteEnd ByteDescription
    014Toner usage in steps
    1518Filled with zero
    1930Serial number of the Imaging Kit
    3136Date, maybe install date
    3744Printer serial number
    4546Filled with zero
    4748Unknown data
    4950Filled with zero
    5156Date, probably date of first warning?
    5764Printer serial number
    6566Probably page count at the date stored before
    6768Filled with zero
    6970Unknown data
    7176Date, probably date depleted?
    7784Printer serial number
    8586Probably page count at the date stored before
    8788Zero
    8990Unknown data
    9199Unknown data, values from 1 to 6 observed in each byte
    100110Zero
    111111A0 for starter kits, 00 for the others
    112114Zero
    115116Unknown data, seems to increase with as the cartridge gets depleted
    117118Zero
    119120Unknown data, seems to increase with as the cartridge gets depleted
    121122Zero
    123124Unknown data, seems to increase with as the cartridge gets depleted
    125126Zero
    127128Unknown data, seems to increase with as the cartridge gets depleted
    12912934 for starters, 00 for the others
    130144Printer Name
    145168Zero
    169198Unknown data, does not modify over time, maybe some kind of ID
    199205Zero
    206207CRC
    « Last Edit: August 29, 2018, 08:01:05 am by driver_x »
     

    Offline Kulick

    • Newbie
    • Posts: 2
    • Country: ru
    Re: Lexmark toner chip Ti046b1
    « Reply #149 on: September 19, 2018, 10:34:35 am »
    maxic81, почисти ящик) Не могу сообщение отправить.
     


    Share me

    Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
    Smf