How to hack MFP / MFD RTOS ( Operating System )

**skynetto** · 06-27-2014, 09:11 PM

Re: How to hack MFP / MFD RTOS ( Operating System )

Originally posted by PA3040

majority of our machines are only USB and not connected to PC.

My experiment models are Ricoh kir c3 and kir c4

Both models FRAM are communicating with BICU using SPI protocol, I can develop the embedded system to communicate with SPI to collect copy volume, apart from that not that much hard

Do you have any idea in this regard

Well in SPI mode I don't think you can do much because every application installed on SD card (and you need an SD card to run your app on the machine) needs to be approved by Ricoh, signed with their private key, decrypted using MFP public key and SD serialNumber, and if everything matchs you're allowed to run your app. It takes two weeks for Ricoh to respond back with a signed app from Ricoh server if you are a fully qualified Ridp developer so it want be to easy. Sorry to disencourage you but have read all the Ricoh protection system and the only way to hack it is to find some SD with CID field writeable in SPI mode wich is impossible as it is a read only manufacturer field. Maybe Arduino would help in hacking it as it has some software wich allowes sending SPI command 26 (write CID).

**Eric1968** · 06-27-2014, 09:13 PM

Re: How to hack MFP / MFD RTOS ( Operating System )

Originally posted by rthonpm

To get anywhere on the heavily modified version of BSD Ricoh is using, you'd need super user access, which you won't get. If you were, you'd still have the issue of getting any kind of connection to a mobile network. With old school offline machines, your easiest way of getting metres is going to be the equally old school way of getting faxed metre sheets, or a manual collection once a month.

X2

Even if you could become the root user, there's still the fact that the machine has no outbound connection. One should have remote access to the counter, copy the counter value and send it somehow to a GSM- or Network connection, I'd say : Impossible!!

**PA3040** · 06-28-2014, 04:22 AM

Re: How to hack MFP / MFD RTOS ( Operating System )

Originally posted by rthonpm

To get anywhere on the heavily modified version of BSD Ricoh is using, you'd need super user access, which you won't get. If you were, you'd still have the issue of getting any kind of connection to a mobile network. With old school offline machines, your easiest way of getting metres is going to be the equally old school way of getting faxed metre sheets, or a manual collection once a month.

I don't got BSD

What do you mean supper user access?

No. it shouldn't that much hard, I can simply input the mechanical counter signals to my embedded system. Apart from that I can manage

My concern is to take the signals or data from OS or any other digital out

As you advised at the moment we are collecting counters by FAX and those who do not have fax tech's go and collect

**PA3040** · 06-28-2014, 04:57 AM

Re: How to hack MFP / MFD RTOS ( Operating System )

Originally posted by skynetto

Well in SPI mode I don't think you can do much because every application installed on SD card (and you need an SD card to run your app on the machine) needs to be approved by Ricoh, signed with their private key, decrypted using MFP public key and SD serialNumber, and if everything matchs you're allowed to run your app. It takes two weeks for Ricoh to respond back with a signed app from Ricoh server if you are a fully qualified Ridp developer so it want be to easy. Sorry to disencourage you but have read all the Ricoh protection system and the only way to hack it is to find some SD with CID field writeable in SPI mode wich is impossible as it is a read only manufacturer field. Maybe Arduino would help in hacking it as it has some software wich allowes sending SPI command 26 (write CID).

Really really thanks your reply
it is never discourage and I am happy to hear from you
Now I am gathering lot's of information's from this forum

The SPI i mean, That is the protocol ( Serial Peripheral Interface ) which communicate with FRAM that is using in the model of Ricoh kir c3 and kir c4

From the my first post I asked to reverse engineering OS. but in the middle I changed to at least collect copy count from the system and send to the main server in the our office via mobile network

**PA3040** · 06-28-2014, 05:06 AM

Re: How to hack MFP / MFD RTOS ( Operating System )

Originally posted by Eric1968

X2

Even if you could become the root user, there's still the fact that the machine has no outbound connection. One should have remote access to the counter, copy the counter value and send it somehow to a GSM- or Network connection, I'd say : Impossible!!

It is possible the way I explained in my post #18. can you please advice me to develop it?

No. it shouldn't that much hard, I can simply input the mechanical counter signals to my embedded system. Apart from that I can manage

Thanks in advance

**Eric1968** · 07-01-2014, 08:28 PM

Re: How to hack MFP / MFD RTOS ( Operating System )

Originally posted by PA3040

I don't got BSD

What do you mean supper user access?

No. it shouldn't that much hard, I can simply input the mechanical counter signals to my embedded system. Apart from that I can manage

My concern is to take the signals or data from OS or any other digital out

As you advised at the moment we are collecting counters by FAX and those who do not have fax tech's go and collect

Ricoh uses the (embedded) NetBSD Operating System. NetBSD is a multi-user Operating System, which is a Unix variant (BSD stands for Berkely Software Distribution). It is designed for embedded systems, like MFP's. The root user (or super user) can do anything on the system. The root user is the Administrator of the Operating System. He can alter files, delete files, grant priviledges to users, delete users, etc. Every process on this Operating System is running as a user process with no access to the Operating System itself. Resetting or altering the total counter is a very sensitive issue, so it is hidden very, very deep in the Operating System. It means that users have no permission to perform actions like deleting/viewing critical system files, alter them, or delete them. If you want access to the total counter, you'll need root access to the system and have a very good knowledge of the thousands lines of code of this Operating System, which is quiet impossible.

**PA3040** · 07-02-2014, 04:30 PM

Re: How to hack MFP / MFD RTOS ( Operating System )

Originally posted by Eric1968

Ricoh uses the (embedded) NetBSD Operating System. NetBSD is a multi-user Operating System, which is a Unix variant (BSD stands for Berkely Software Distribution). It is designed for embedded systems, like MFP's. The root user (or super user) can do anything on the system. The root user is the Administrator of the Operating System. He can alter files, delete files, grant priviledges to users, delete users, etc. Every process on this Operating System is running as a user process with no access to the Operating System itself. Resetting or altering the total counter is a very sensitive issue, so it is hidden very, very deep in the Operating System. It means that users have no permission to perform actions like deleting/viewing critical system files, alter them, or delete them. If you want access to the total counter, you'll need root access to the system and have a very good knowledge of the thousands lines of code of this Operating System, which is quiet impossible.

Good details

But recently I showed that the Ricoh uses Xilinx FPFA's which I am using them. and earlier I showed they ware using Destiny, however for the high end they are using their won silicon.I am not awarded about NetBSD and thanks for that news

**Eric1968** · 07-02-2014, 07:12 PM

Re: How to hack MFP / MFD RTOS ( Operating System )

You can also use Kyofleetmanager for this. Install the Printer DCA (Data Collector Agent) on every PC which connects to the machine via USB.
The Printer DCA collects counters, toner levels, etc. and sends this to the Kyofleetmanager server. I don't know how much Kyofleetmanager costs, but if you have a lot of USB-connected machines, it might be worth it.

**Eric1968** · 07-02-2014, 07:35 PM

Re: How to hack MFP / MFD RTOS ( Operating System )

Interesting video about Operating Systems.

**Phrag** · 07-03-2014, 02:27 AM

Theres a handy web based copier monitoring called print audit 6. It can monitor meter readings and consumable levels I believe for any manufacturer. It also monitors USB connected machines.

**Tonerbomb** · 07-03-2014, 04:06 PM

Re: How to hack MFP / MFD RTOS ( Operating System )

Originally posted by Eric1968

You can also use Kyofleetmanager for this. Install the Printer DCA (Data Collector Agent) on every PC which connects to the machine via USB.
The Printer DCA collects counters, toner levels, etc. and sends this to the Kyofleetmanager server. I don't know how much Kyofleetmanager costs, but if you have a lot of USB-connected machines, it might be worth it.

If your an OKI dealer in the US they have a DCA available also that's free to OKI dealers. then there's printtrac thats not free

**PA3040** · 07-13-2014, 06:43 AM

Re: How to hack MFP / MFD RTOS ( Operating System )

Originally posted by Eric1968

Ricoh uses the (embedded) NetBSD Operating System. NetBSD is a multi-user Operating System, which is a Unix variant (BSD stands for Berkely Software Distribution). It is designed for embedded systems, like MFP's. The root user (or super user) can do anything on the system. The root user is the Administrator of the Operating System. He can alter files, delete files, grant priviledges to users, delete users, etc. Every process on this Operating System is running as a user process with no access to the Operating System itself. Resetting or altering the total counter is a very sensitive issue, so it is hidden very, very deep in the Operating System. It means that users have no permission to perform actions like deleting/viewing critical system files, alter them, or delete them. If you want access to the total counter, you'll need root access to the system and have a very good knowledge of the thousands lines of code of this Operating System, which is quiet impossible.

Dear Eric,

I have few clarification
Does All MFP's are using NetBSD OS, I mean even low end MFP's Like MP2001L

**PA3040** · 07-13-2014, 06:46 AM

Re: How to hack MFP / MFD RTOS ( Operating System )

Originally posted by Phrag

Theres a handy web based copier monitoring called print audit 6. It can monitor meter readings and consumable levels I believe for any manufacturer. It also monitors USB connected machines.

Dear phrag,

Do you know that most MFP's Mechanical counter and Digital counter are different. Do you know any reason?

**Eric1968** · 07-13-2014, 12:13 PM

Re: How to hack MFP / MFD RTOS ( Operating System )

Originally posted by PA3040

Dear Eric,

I have few clarification
Does All MFS's are using NetBSD OS, I mean even low end MFP's Like MP2001L

As far as I know, they do. If you print the SMC-reports it's listed (don't know exactly where...)

**PA3040** · 07-13-2014, 12:32 PM

Re: How to hack MFP / MFD RTOS ( Operating System )

Originally posted by Eric1968

As far as I know, they do. If you print the SMC-reports it's listed (don't know exactly where...)

Ok , I will see it tomorrow and update

Thanks

How to hack MFP / MFD RTOS ( Operating System )

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment