Author Topic: Dymo 550 Thermal Printer DRM Hacking  (Read 52256 times)

0 Members and 1 Guest are viewing this topic.

Offline sleemanj

  • Super Contributor
  • ***
  • Posts: 3023
  • Country: nz
  • Professional tightwad.
    • The electronics hobby components I sell.
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #50 on: March 10, 2022, 08:50:04 am »
As for alternatives, my Brother 720NW will be prised from my cold dead hands. 

I use it for both shipping and general purpose with continuous label rolls, it has an auto cutter so a 62mm label of any length from about 15mm is printable (need enough to grab hold of).

Of course I do not buy original brother rolls, just knockoffs.

For shipping labels I have a script which detects a new shipping label PDF generated by teh courier's system splits it in two (because the brother is only a 62mm wide printer) and does a bit of massaging before printing.
~~~
EEVBlog Members - get yourself 10% discount off all my electronic components for sale just use the Buy Direct links and use Coupon Code "eevblog" during checkout.  Shipping from New Zealand, international orders welcome :-)
 

Offline hans

  • Super Contributor
  • ***
  • Posts: 1634
  • Country: nl
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #51 on: March 10, 2022, 09:21:11 am »
How hard is it to emulate an NFC IC with an MCU? That would be my first idea of making a "self-resetting" tag, but 13.56MHz doesn't sound easy to bitbang...
Not all that hard. I've been researching custom (UHF) RFID tags.. all you need is a diode receiver and an antenna switch.

These tags communicate with backscatter (far-field, UHF) or load modulation (inductive, 13.56MHz). The reader>label comunnicates by sending a carrier signal with ASK modulation (the NXP chips says a depth of 20-30%, or optionally 100%). The tag harvests energy from this carrier signal to power up, so 100% won't be used for passive tags. The label>reader communicates by shorting it's antenna or coil connection, which the reader can sense and demodulate the transmitted data.

The bitrate at which this happens is only in the order of kbps. These RFID tags only contain a few dozen bytes, maybe 256 for large tags, so it doesn't take long to read them.
The protocol is probably the tougher issue. I'm not sure what the NXP NFC tags use, or if it's proprietary. For UHF RFID tags most commonly EPCgen2 is used. It's quite an extensive standard, and also not really a mainstream industry to work on the tag side of things.. so probably requires a lot of investment to get a small result on the software part.

If the I2C is unprotected yet the tag is password protected... then the password should be somewhere in the I2C serial stream when a label gets printed.

I wonder what happens if you can get a new tag (or change the existing tag), and use a different password on it. Just write the original memory contents to that tag. If the password is changed, then the Dymo printer won't unlock the tag and can't decrement the remaining labels counter. Not sure if they are smart enough to check if the sent password will unlock the tag (or that the write was successful). If not, that should create a permanent fix, without the need of repeatedly "refreshing" the NFC tag, or diving into custom I2C slaves that emulate a dummy NFC reader.

edit: Oh I see the counter decrements on RD commands, instead. That complicates things a bit.
Still wondering if it's necessary to make a complete NFC clone. Perhaps sniffing for the first 24-bits of the code on the bus, and then corrupting the last few bits (just pull on SDA for a few cycles), is enough to make the RD operation invalid and have it not decrement. Again not sure if Dymo firmware deals with that situation, but the above can probably be done on a 30ct PIC.
« Last Edit: March 10, 2022, 09:33:05 am by hans »
 

Offline chefkoch84

  • Contributor
  • Posts: 41
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #52 on: March 10, 2022, 10:43:49 am »
Free speech at Amazon (#pay_to_win)

Edit:

tl;dr; Amazon blocks new reviews because of "unusual reviewing activity on this product"

Just have seen the EEVBlog2 Channel Video.
With that it gets even crazier:

They mix in old reviews (before DRM) and do not allow new reviews that would call them out !!!!!!
Does look quite fishy to me...


I might bye it... write the review.. and return it ;-) JUST TO FUCK THEM OVER:
(only the e-waste is a sad aspect of this strategy)
« Last Edit: March 10, 2022, 10:52:44 am by chefkoch84 »
 
The following users thanked this post: AlienRelics

Offline js_12345678_55AA

  • Frequent Contributor
  • **
  • Posts: 337
  • Country: ht
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #53 on: March 10, 2022, 11:13:51 am »
The tags themselves largely correlate to the info from the developer documentation, though.
https://webcache.googleusercontent.com/search?q=cache:AoemJ-ugkRIJ:https://developers.dymo.com/+&cd=1&hl=en&ct=clnk&gl=ca

VERY interesting...  especially the "Counter Strategy" which is set to 1 on my rolls => 0x01 = Counting up from 0xFFFF – “amount of labels” – “Counter margin” to 0xFFFF.

It also seems that just the CRC32 in front is used to "protect" that data.

And since for some reasons my rolls do NOT report to have a write protection for the data blocks... I will try to set "Counter Strategy" to 0  and check what happens :o
After updating the NXP Tag Info app it no longer shows the first 32 blocks as writeable (seems was a bug in nxp app before).

Time to "guess" the write password.

Maybe that easy ???


JS
« Last Edit: March 10, 2022, 04:48:08 pm by js_12345678_55AA »
Easy PDK programmer and more: https://free-pdk.github.io
 

Online Psi

  • Super Contributor
  • ***
  • Posts: 9922
  • Country: nz
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #54 on: March 10, 2022, 11:54:40 am »
BUT since one can read the tags within the original box in the shop (without purchasing them) this would put DYMO at risk reporting original material as bad just because somebody did a readout of the box before it was pruchased...
Or write the tags too...and that ominous command starting with "D" suddenly becomes even more interesting. ;)

 :palm:  wow.  The TV-B-Gone tool has some competition,  DYMOLabel-B-Empty 

DYMO really have opened themselves up to a HUGE disaster if anyone gets the write password and builds a long range label tag writer.
Considering the write password may only be a 4byte number that ain't going to take long.
Greek letter 'Psi' (not Pounds per Square Inch)
 
The following users thanked this post: voltsandjolts

Offline AlienRelics

  • Supporter
  • ****
  • Posts: 65
  • Country: us
    • AE7HD
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #55 on: March 10, 2022, 12:58:31 pm »
I gave up on Dymo label printers when they stopped supporting the older serial and USB label printers due to a new Windows version. Funny, the new software for the new printers works just fine in the newer version.

They simply decided you have to buy a new printer by locking you out of the older printers.

As for Amazon, they decided based on no actual evidence that my reviews were "suspicious" and I can no longer post reviews at all.
Steven J Greenfield AE7HD
 

Offline AlienRelics

  • Supporter
  • ****
  • Posts: 65
  • Country: us
    • AE7HD
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #56 on: March 10, 2022, 12:59:37 pm »
Remember ESC codes? I could make my dot matrix printer dance. And the ESC codes were printed in the printer manual!
Steven J Greenfield AE7HD
 
The following users thanked this post: SeanB

Offline LightTangent

  • Newbie
  • Posts: 2
  • Country: gb
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #57 on: March 10, 2022, 06:50:41 pm »
Hey Dave,

Thanks for the great YT vid as always!

I noticed they've been doing a similar trick (on Amazon) in the UK, although it's rather interesting when you dig a little deeper.

They're pretty sneaky about it though... For example this listing:
https://www.amazon.co.uk/LabelWriter-Printing-Automatic-Recognition-Shipping/dp/B09DY3YT4Y

Has 3 different "models" - 2 of which are labels (which are what the majority of comments relate to), and 1 is the actual printer.

If you check the price history of the printer, it seems to have been added on Sept 24th (which seems a little early for the 550, but plausible I guess). Originally about £150, now around 100. I'm assuming it's the same printer though.
https://uk.camelcamelcamel.com/product/B09DY3YT4Y

If you check the labels, however, It seems that as expected they've only fairly recently had the DRM added.
https://uk.camelcamelcamel.com/product/B00028XNN6
https://uk.camelcamelcamel.com/product/B000HEZD7E

One label that from about 2019 through Late 2021 was around the 15 quid mark, has since jumped up to 22 quid, a 50% markup. Clearly the "DRM" flavour?
Another from 8 quid since around 2013 until late 2021, and then BOOM! 11 or 12 pounds.

There's around 1,000 (about 93% at 4* and above) reviews and of course the majority have naff-all to do with the 550 label printer.

"I've owned my LabelWriter 450 Turbo for ten years now, "...
"Have used these in my Dymo label printer for many years. Great for Christmas card addresses,"...
 etc.

Tried to send an email to Amazon to complain and got a fairly standard form response back feigning ignorance about what I was suggesting. They suggested if there's a problem with a particular review, to click the "Report" button (well, bugger clicking all of them!), or to get back to them with a specific ASIN number so they can investigate (which bearing in mind I provided 3 or 4 different links they already had!)

Interestingly then it seems that the deviant flaw in the whole system is that you can advertise multiple unrelated products under a single slug and present them as "models", even if that means you're selling completely different things - and the reviews are all aggregated under the same slug rather than each individual ASIN... and clearly Amazon just don't give a rats about it.

Tony


 

Offline mistial_dev

  • Contributor
  • Posts: 17
  • Country: ca
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #58 on: March 10, 2022, 07:12:54 pm »
Amazon shouldn't even allow you to do a sneaky product swap like that, a major failing of the system and gives them (Amazon) a bad name.  Surely there must be something in the T&C that prevents it at least if not a technical solution.

Amazon does have a report seller option.
 

Offline js_12345678_55AA

  • Frequent Contributor
  • **
  • Posts: 337
  • Country: ht
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #59 on: March 10, 2022, 07:25:24 pm »
Just found that the READ password is different per TAG.

Looks like dymo followed the application note from NXP to use "dynamic passwords" derived from UID.

=> Labels in shops are safe. Nobody can invalidate (use) them. Also the "destroy" command has its own password (per tag for sure) which we don't know...

This means full tag emulation or waiting for "magix SLIX2 tags" are the only options.


JS
Easy PDK programmer and more: https://free-pdk.github.io
 
The following users thanked this post: hans, Psi, bitwelder, thm_w

Online mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13725
  • Country: gb
    • Mike's Electric Stuff
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #60 on: March 10, 2022, 07:52:41 pm »

=> Labels in shops are safe. Nobody can invalidate (use) them. Also the "destroy" command has its own password (per tag for sure) which we don't know...
There are ways to remotely destroy RFID tags without the password, just sayin'..
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 
The following users thanked this post: Psi

Offline js_12345678_55AA

  • Frequent Contributor
  • **
  • Posts: 337
  • Country: ht
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #61 on: March 10, 2022, 08:05:44 pm »

=> Labels in shops are safe. Nobody can invalidate (use) them. Also the "destroy" command has its own password (per tag for sure) which we don't know...
There are ways to remotely destroy RFID tags without the password, just sayin'..

Sure... microwaves... but this could also be used to destroy the adhesive of non RFID tags (cooking them in the shop), just sayin'...
Easy PDK programmer and more: https://free-pdk.github.io
 

Offline js_12345678_55AA

  • Frequent Contributor
  • **
  • Posts: 337
  • Country: ht
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #62 on: March 10, 2022, 08:21:53 pm »
Finished some more tests.

The counter in SLIX2 tag is capped at 0xFFFF. Any attempt to increment the counter which has 0xFFFF as value gives an error response. Documentation of SLIX2 did not explain this.

JS
Easy PDK programmer and more: https://free-pdk.github.io
 

Online Psi

  • Super Contributor
  • ***
  • Posts: 9922
  • Country: nz
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #63 on: March 11, 2022, 03:05:59 am »
Just found that the READ password is different per TAG.
Looks like dymo followed the application note from NXP to use "dynamic passwords" derived from UID.
=> Labels in shops are safe. Nobody can invalidate (use) them. Also the "destroy" command has its own password (per tag for sure) which we don't know...

Ok, so they're not totally stupid then.

I've never really looked into NFC. Out of interest, if they had used the same password for each tag.
What sort of physical distance would you need to zero all the labels in big stack of pallets?
Assuming you had all the right equipment could someone have parked a van outside an amazon warehouse and cleared all the labels inside? Or would you need to get within 10m or so even with the best RF setup possible?
« Last Edit: March 11, 2022, 03:10:35 am by Psi »
Greek letter 'Psi' (not Pounds per Square Inch)
 

Online mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13725
  • Country: gb
    • Mike's Electric Stuff
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #64 on: March 11, 2022, 09:07:16 am »
Just found that the READ password is different per TAG.
Looks like dymo followed the application note from NXP to use "dynamic passwords" derived from UID.
=> Labels in shops are safe. Nobody can invalidate (use) them. Also the "destroy" command has its own password (per tag for sure) which we don't know...

Ok, so they're not totally stupid then.

I've never really looked into NFC. Out of interest, if they had used the same password for each tag.
What sort of physical distance would you need to zero all the labels in big stack of pallets?
Assuming you had all the right equipment could someone have parked a van outside an amazon warehouse and cleared all the labels inside? Or would you need to get within 10m or so even with the best RF setup possible?
the inverse square law limits how far you could do anything, even with a lot of tx power - anything over about 1m would be impractical
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 
The following users thanked this post: Psi

Offline mistial_dev

  • Contributor
  • Posts: 17
  • Country: ca
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #65 on: March 11, 2022, 12:49:20 pm »
Finished some more tests.

The counter in SLIX2 tag is capped at 0xFFFF.

Yes, it would be.

Documentation of SLIX2 did not explain this.

It's a 16 bit counter, intended for consumption ("service cycle") tracking and similar.  If it rolled over, it would not be useful for that purpose.

If you read in 9.5.3.21, it describes the available options: read, increased by one, and reset to preset value with write.

If it rolled over from 0xFFFF to 0x0000, it wouldn't be an increment by one.  It would be a decrement by 65535.

There is technically a 3rd byte in the block, where it could continue increasing.  That value is listed as RFU, however, in the documentation.
 

Offline js_12345678_55AA

  • Frequent Contributor
  • **
  • Posts: 337
  • Country: ht
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #66 on: March 11, 2022, 01:21:42 pm »
Anyone recognize that wire to board connector on the NFC PCB?  I don’t think it’s JST.  Molex maybe?

I measured the pitch to be 1.5mm which is identical to "JST ZH 6pin"
Unfortunately this is incorrect. JST ZH is still to big.


JS


BTW: I found the 6th pin meaning. It is "PDOWN" which has a pull up. When PDOWN is connected to GND then the reader IC is starting operation. PDOWN not connected or +3.3V then reader IC is powering down.

I also found a quick way to soft-reset the reader IC (tag connection) to speed up something like trying passwords:
when you
- send 0x00,0x80   (command_reg,power down flag set)
- wait 50 msec
- send 0x00,0x00   (command_reg,power down flag cleared)
then you do not have to send the long reader initialization sequence (programing all registers and protocol selection) and just can transceive the next commands to the tag (get random + set password  for next try).

Still with only 10 tries per second, guessing the 32 bit write password could take some time (>6 years). But for sure this can be speed up a lot... Only caveat, write password is most likely different per tag
« Last Edit: March 14, 2022, 11:09:35 am by js_12345678_55AA »
Easy PDK programmer and more: https://free-pdk.github.io
 
The following users thanked this post: mistial_dev

Offline mistial_dev

  • Contributor
  • Posts: 17
  • Country: ca
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #67 on: March 11, 2022, 01:50:32 pm »
I'm not too worried about the password at this point.  It looks like it is handled by the NFC chip, not the MCU, so I think it can largely be ignored if that chip is emulated.

My plan right now is to just have a BLE chip and an app where you can pick the SKU for the inserted media.  Since third party media won't have a RFID chip, that information will have to come from a database of some sort.  USB is simpler to implement, but requires physical modification to the case.
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 8254
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #68 on: March 11, 2022, 02:28:31 pm »
How hard is it to emulate an NFC IC with an MCU? That would be my first idea of making a "self-resetting" tag, but 13.56MHz doesn't sound easy to bitbang...
Not all that hard. I've been researching custom (UHF) RFID tags.. all you need is a diode receiver and an antenna switch.

These tags communicate with backscatter (far-field, UHF) or load modulation (inductive, 13.56MHz). The reader>label comunnicates by sending a carrier signal with ASK modulation (the NXP chips says a depth of 20-30%, or optionally 100%). The tag harvests energy from this carrier signal to power up, so 100% won't be used for passive tags. The label>reader communicates by shorting it's antenna or coil connection, which the reader can sense and demodulate the transmitted data.

The bitrate at which this happens is only in the order of kbps. These RFID tags only contain a few dozen bytes, maybe 256 for large tags, so it doesn't take long to read them.
The protocol is probably the tougher issue. I'm not sure what the NXP NFC tags use, or if it's proprietary. For UHF RFID tags most commonly EPCgen2 is used. It's quite an extensive standard, and also not really a mainstream industry to work on the tag side of things.. so probably requires a lot of investment to get a small result on the software part.
I am reminded of these:

https://hackaday.com/2009/06/27/avr-rfid-tag/

https://hackaday.com/2011/09/26/barebones-pic-rfid-tag/

https://hackaday.com/2018/01/05/attiny-chip-abused-in-rfid-application/

Those are all 125kHz, but here's a 13.56MHz one:

https://hackaday.com/2013/11/14/a-diy-nfc-tag/

The IC used in the Dymo is ISO 15693 protocol, which is different from those above, but I suspect based on the existence of the last one, it should be emulatable.
 

Offline mistial_dev

  • Contributor
  • Posts: 17
  • Country: ca
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #69 on: March 11, 2022, 02:35:19 pm »
That would work, too.

I'm ripping out the whole NFC board and replacing it with an NFC IC emulator.  The advantage to that is that you don't actually need a tag at all, and can skip RF entirely.
 

Offline js_12345678_55AA

  • Frequent Contributor
  • **
  • Posts: 337
  • Country: ht
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #70 on: March 11, 2022, 04:37:38 pm »
What IC to use for the I2C emulator...

Looking on availability of ICs and reproducability for others I'm looking at Arduino libraries (even that I don't like them).
There are I2C slave libs available which can be used on almost all platforms (AVR,STM32,ESP32,...)

Suggestions?
Easy PDK programmer and more: https://free-pdk.github.io
 

Offline Julius

  • Contributor
  • !
  • Posts: 14
  • Country: lt
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #71 on: March 12, 2022, 12:24:17 am »
Get it working on Arduino and everybody will be able to port to their favorite IC.
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 7992
  • Country: gb
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #72 on: March 12, 2022, 12:52:17 am »
What IC to use for the I2C emulator...

One you can actually buy.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37716
  • Country: au
    • EEVblog
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #73 on: March 12, 2022, 01:45:13 am »
FYI, amazon said on twitter they would do something about it and a few hours later a ton of old reviews have been removed.

 

Offline mistial_dev

  • Contributor
  • Posts: 17
  • Country: ca
Re: Dymo 550 Thermal Printer DRM Hacking
« Reply #74 on: March 12, 2022, 02:56:47 am »
What IC to use for the I2C emulator...

Looking on availability of ICs and reproducability for others I'm looking at Arduino libraries (even that I don't like them).
There are I2C slave libs available which can be used on almost all platforms (AVR,STM32,ESP32,...)

Suggestions?

CY8CKIT-059 if you want USB.  CY8CKIT-042-BLE-A if you want BLE.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf