Close

More protocol analysis

A project log for Ink Tank Encryption

I'm trying to find out how to use the EEPROM chips that might be in CLI-226 ink tanks to share public keys for public-private key encryption

alphaninjaalpha_ninja 08/31/2015 at 15:280 Comments

This is old information

For newer information, see the project log "I was wrong."

I've found that the following pattern is used:

(Part 1 of protocol—call/response: 16 - 8 bits.)

0xdef800:

Is always sent.

0xcf0000 or 0x000000:

Might have different values too, haven't done enough testing

0xdefc00:

Is always sent.

0xef0000:

Is always sent.

0xdee400:

Is always sent.

0xbc0000 or 0x000000:

Might have different values too, haven't done enough testing.

0xdef200:

Is always sent.

0x9b0000 or 0x000000:

Seems to be remaining ink pages or something—this is the same for every cartridge no matter in what slot it is.

0xdeec200:

Is always sent.

Then one of the following:

0xdeec00

0xdc0000


Part 2 of the protocol - 24 bit packages

Sometimes: 0xdf38 32

Always: 0xdf3c 32

Sometimes: 0xdf24 32

Sometimes: either 0xdf2c 64 or 0xdf32 32


In conclusion, the first part of xmissions is made up of 16-bit packages that start with 0xde and are replied to with some other 8-bit value (can also be 0). This is probably the read commandI'll have to test this hypothesis.

The second part of xmissions is made up of 24-bit packages that start with 0xdf and in the next two bytes most likely have the address and value after them. I haven't yet seen values other than 0x32 and 0x64. Thus, this is probably the read commandI'll have to test this hypothesis, too.

Discussions