Gutenprint / CUPS Dye-sublimation drivers

  • Status Researching
  • Percent Complete
    10%
  • Task Type TODO
  • Category Canon Selphy CP/ES
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Medium
  • Reported Version 1.0
  • Due in Version Undecided
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: Gutenprint / CUPS Dye-sublimation drivers
Opened by pizza - 2019-10-07
Last edited by pizza - 2020-02-27

FS#630 - Investigate port 59223 on wifi-enabled Selphy models

On CP900, CP910, CP1200, and CP1300, a telnet interface is present on port 59223. Upon connecting, it prompts for an unknown password.

Admin
pizza commented on 2019-10-20 00:42

On my CP1200:

$ telnet 192.168.20.183 59223
Trying 192.168.20.183...
Connected to 192.168.20.183.
Escape character is '^]'.
**** Welcome to SELPHY TELNET Server ****

login password=admin
login incorrect
login password=password
login incorrect
login password=selphy
login incorrect
login password=cp1200
login incorrect
login password=root
**** Quit from SELPHY TELNET Server ****
Connection closed by foreign host.
Admin
pizza commented on 2019-10-20 01:13
Interesting development; Canon released a v1.1.0.0 firmware update for the CP1200, so there's a firmware file that can be analyzed.
Admin
pizza commented on 2019-10-20 01:32
Also exists on the CP900 (ie the only wifi-enabled model of the older series): **** Welcome to EC329 TELNET Server ****
Admin
pizza commented on 2019-10-20 02:15

CP1200 (and CP900!) has a Conexant CX92137/DC1370 SoC -- containing an "ARM9 w/MMU"

EDIT: The CX9213x series has a ARM926EJ-S CPU, apparently running in Big Endian mode.

Admin
pizza commented on 2019-10-21 11:08
Debating picking up an otherwise-broken unit to attempt to attach a JTAG debugger. With the assumption that the FW image in flash is compressed, this would allow a proper FW dump. (Don't want to potentially sacrifice one of my two working Selphy CP models for this) (This is more of an intellectual exercise than anything else... )
Admin
pizza commented on 2019-10-21 22:44
Found a busted CP910 on ebay for very cheap -- I figure that at minimum, I'll get an extra paper tray and power supply out of the deal, and at best I'll be able to do FW/RAM dumps and also fix what's broken with the printer!
Admin
pizza commented on 2019-10-25 01:08
Received the jam-prone CP910. Confirmed it has the same telnet interface. Will proceed to try and find a JTAG port.
Admin
pizza commented on 2019-10-26 20:53
CN16 is my guess for the header with JTAG -- 11 pins, 3 are 3v3, 3 are GND, leaving five for the JTAG interface. The order is anyone's guess.
Admin
pizza commented on 2020-02-27 04:55
successfully extracted the 8MB flash on the CP910; lots of strings in there but oddly enough no mention of TELNET, login, password, IPP, or any of the strings present in the various web UIs. (the system runs ThreadX, and appears to have a tcp/ip stack in there..) I wonder if what I'm finding is just the bootloader, and the real firmware is compressed...
Admin
pizza commented on 2021-06-10 21:04

IPP-over-USB handling requires a wifi connection to be running -- so I suspect all network protocol processing is actually implemented within the ALPS wifi module's embedded firmware.

No idea how to dump that out, alas.

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing