Rooting and shelling the Telstra T-Hub / Sagem Homescreen / (Orange Tabbee?)

Many moons ago I started a project on hackaday regarding the rooting of the Telstra T-Hub. Whilst I've largely abandoned hackaday and its subsidiaries, this project is still sort of alive for me. There's a fair bit of detail on the old hackaday pages, so I strongly recommend you have a quick look at that page before continuing to read this post.

I mention in that page that there are two variants of the T-Hub: a more modern (and seemingly more plentiful) unit based on the iMX51 SOC from Freescale, and a harder-to-find unit based on the slower iMX31 SOC from the same company. The post there pretty well details how to pwn the iMX51 unit, but the operating system installed on the iMX31 is different (less flash memory available) and so needs a slightly different payload. In a nutshell, the two key differences are these:

  1. No wget. Or, more accurately, a wget that doesn't work in the same way as the iMX51's. It is actually still present on the machine, but I ended up going for cURL instead.
  2. No dropbear. This means no SSH server once the firewall falls. This is countered by using busybox's built in telnetd service.

The rest of the attack is quite similar. In short:

  1. Boot the machine into the standard UI, then dial *352# in the phone application to drop into the debugger menu.
  2. Use the USB test function to execute commands as root. It has the same vulnerability as the iMX51.
  3. Adjust the filename/bootstrapper to use curl instead of wget when getting the real payload from the web.
  4. Drop the firewall.
  5. Enable the inetd service to start the telnetd server.
  7. Remount the / filesystem read-write.
  8. Replace /etc/shadow so that we have a known login.
  8. Telnet in.

Details to come...

Dell 2135cn/1320c & Xerox DocuPrint C1190 FS cartridge resetting

From a recent recycling effort, I have an entire Dell 2135cn (the 1320c is the same engine, but does not have the scanner), along with the partially completed Xerox from the title. The Dell is a blatantly obvious clone/rebadge of the Xerox, maybe not the exact same model but something very similar. They're fairly reasonable units that look tidy enough and seem to produce a sufficiently good output. Considering I paid nothing for them, this is a bit of a score.

Of course, the most important thing when choosing printers is how much you're going to be paying to keep the thing on the road. The remanufactured cartridges for these two are very good value, costing me about $45 Australian for an entire refill. Excellent value, but it could always be better. Toner bought in bottles can be had for about the same cost, but you get significantly more of it, with manufacturers claiming that their bottle refill kits will fill the cartridge 5 times over.

However, like always, there's a catch. The cartridges have a chip in them that prevents you from being able to refill them. I don't know if it actually stops you printing, as I've not gotten one down that far, but it certainly makes the machine complain.

The chip, attached to the end of a magenta cartridge.

The chip consists of a SOIC-8 part, a transistor and some ancillary passives. The SOIC-8 is custom numbered and thus not searchable, but the collection of resistors off to one side look suspiciously like address-set resistors for an I2C EEPROM.

The chip, with my annotations.

Thankfully, one of my cartridges is not like the others. The black El-Cheapo toner cheaped out on even the chip markings, and yielded the part number 24C02, a 256-byte I2C EEPROM. I have dumped the contents of all the EEPROMs on my system, and they are attached to this post. I also took a couple of extra readings from the Magenta EEPROM, one before and one after printing a single test page.

Using the two snapshots from the Magenta cartridge, I was able to ascertain what values the printer was changing when a page was produced. To counter the toner meter, I set all the areas that changed to 0x00. Initially I did not expect this to work, as most machines have checksums to prevent you from doing this sort of thing. Incredibly, the printer swallowed it hook, line and sinker, leading this post to not be very suspenseful!
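The snapshot comparison described above, as an added example in Python (not the author's tooling and not part of the original post): it diffs two raw 256-byte dumps, collapses the changed offsets into contiguous runs so multi-byte counters are easy to spot, and writes the changed bytes back as 0x00 the way the post describes. The field layout in the sample dumps (a page counter at 0x10, a level byte at 0x40) is constructed for illustration and is not taken from the attached .BIN files.

```python
"""Diff two snapshots of a cartridge EEPROM dump and locate the bytes the
printer rewrites between them.  Added example with constructed data; the
dump files attached to the post are not reproduced here."""
from typing import Iterable, List, Tuple

# A 24C02 is a 2 kbit device: 256 bytes, addressed with 8-bit offsets.
EEPROM_24C02_SIZE = 256

Change = Tuple[int, int, int]  # (offset, value_before, value_after)


def load_dump(path: str, expected_size: int = EEPROM_24C02_SIZE) -> bytes:
    """Read a raw binary dump and sanity-check its length against the part."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) != expected_size:
        raise ValueError(f"{path}: expected {expected_size} bytes, got {len(data)}")
    return data


def diff_dumps(before: bytes, after: bytes) -> List[Change]:
    """Return every (offset, old, new) triple where the two snapshots differ."""
    if len(before) != len(after):
        raise ValueError(f"dump sizes differ: {len(before)} vs {len(after)}")
    return [(i, b, a) for i, (b, a) in enumerate(zip(before, after)) if b != a]


def changed_regions(changes: Iterable[Change]) -> List[Tuple[int, int]]:
    """Collapse changed offsets into contiguous (start, end_inclusive) runs.
    A multi-byte counter shows up as a run when more than one byte rolls over."""
    regions: List[Tuple[int, int]] = []
    for offset, _old, _new in changes:
        if regions and offset == regions[-1][1] + 1:
            regions[-1] = (regions[-1][0], offset)
        else:
            regions.append((offset, offset))
    return regions


def zero_changed_bytes(image: bytes, changes: Iterable[Change]) -> bytes:
    """Build the 'reset' image the post describes: every byte the printer
    touched between the two snapshots is written as 0x00; nothing else moves."""
    buf = bytearray(image)
    for offset, _old, _new in changes:
        buf[offset] = 0x00
    return bytes(buf)


def format_report(changes: Iterable[Change]) -> str:
    """One line per changed byte, e.g. '0x10: 0x23 -> 0x24'."""
    return "\n".join(f"0x{off:02X}: 0x{old:02X} -> 0x{new:02X}" for off, old, new in changes)


def make_sample_dumps() -> Tuple[bytes, bytes]:
    """Constructed stand-ins for 'magenta before' / 'magenta after'.  The layout
    is invented for this example: a 16-bit little-endian page counter at 0x10
    and a one-byte level at 0x40 are the only fields that move."""
    before = bytearray(b"\xFF" * EEPROM_24C02_SIZE)
    before[0x10:0x12] = (0x0123).to_bytes(2, "little")  # page counter
    before[0x40] = 0x64                                  # level byte, 100
    after = bytearray(before)
    after[0x10:0x12] = (0x0124).to_bytes(2, "little")   # one more page printed
    after[0x40] = 0x63                                   # level drops by one
    return bytes(before), bytes(after)


if __name__ == "__main__":
    # Swap make_sample_dumps() for load_dump("<before>.BIN"), load_dump("<after>.BIN")
    # to run this over real attachments.
    b, a = make_sample_dumps()
    ch = diff_dumps(b, a)
    print(format_report(ch))
    print("regions:", [(f"0x{s:02X}", f"0x{e:02X}") for s, e in changed_regions(ch)])
    reset = zero_changed_bytes(a, ch)
    print("reset image differs from 'after' at", len(diff_dumps(a, reset)), "offsets")
```

The length check in `load_dump` is there because a short or padded read from an I2C programmer silently shifts every offset; the contiguous-run view is what tells a single-byte flag apart from a counter that happened to roll only its low byte between the two snapshots.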

I have attached all the relevant files to this post. I also include the file that I used to reset the magenta cartridge. I am 100% sure I botched something in doing this, but the printer seems happy with it so I am not overly keen on stuffing around with it any further.

I have also attached a dump from a photoconductor unit, which appears to use the same scheme, but I have not put any effort into trying to reset this yet.

black.BIN (256.00 bytes)

cyan.BIN (256.00 bytes)

dell magenta before.BIN (256.00 bytes) (before printing a test page)

dell magenta after - Copy.BIN (256.00 bytes) (after printing the test page)

dell magenta reset 1 page.BIN (256.00 bytes) (a lazy attempt at resetting the cart. To my immense surprise, this actually worked)

empty.BIN (256.00 bytes) (this is the dead photoconductor I have)

yellow.BIN (256.00 bytes)