Saturday, October 28, 2006

Cartridge Canon PG-40 to Canon CLI-8 are chipped. Now what?

Now what?

This is surprising: has no one realised that there are NO chip replacements for these? Nor is it possible to reset these chips. The Canon PG-40, PG-50, CL-41 and CL-51 are especially interesting: very few data lines and lots of thick power connections that lead to a very large piece of MEMS silicon. The print speed is up to 22 pages per minute, so the data rate is about...

Nozzle Text: Black: 320, Color: 384 x 3 colors (C, M, Y). The black is 600x600dpi, the color prints at up to 4800x1200dpi at much lower speeds. So, if the printed format is 8x11 inches and we print a 600dpi page in 3 seconds, we get a 10 Mbit per second data rate (some kind of serial or serio-parallel multiplexing). I am not sure how exactly the cartridges communicate with the printer, but I would be happy to hear that some serious asymmetrical ciphering is at least being used. Why? By no other means can you secure your place in cartridge sales. Almost every EPSON cartridge that was made is now available from Print Rite, except for the very latest printers - but to be fair, even the sellers of the EPSON 4000, 5000, 6000 line do not have cartridges for those on sale!

OK, it's been a year or more and nobody has come up with a hint on the Canon Pixma iP4200, iP5000 PGI-8 and PGI-5 cartridges, except for placing the old chip into a new fill tank. If I had some time and funding to hack into this...

"Erasing" EPROM without UV

There is no such thing as overerasing, but there are some gate effects that can prove helpful in getting to the protected content of memory chips. We start with the EPROM FAMOS cell, because it is the oldest reprogrammable memory here and it served well for many, many years.

The basic disadvantage is quantum mechanics... You program this memory to "0" by tunneling some hot electrons under high electrical stress. You have to do it in short pulses... have you ever wondered why? You can oversaturate the sensing transistor by "too much programming" of the FAMOS transistor. I guess the best way is to use one solid long pulse, longer than the programming manual intended; if it is successful, for some time the cell might be read as a logical "1", which means the unprogrammed state. Of course, only if the programming circuitry is not disabled (most probably not; IC designers are lazy creatures).

Any proof? I know you want me to quote some sources... I will one day maybe, but I personally tried a cheaper single-chip video camera. It was pretty much IR sensitive, so colors were rather poor. The sun was rising and started to show in the window. As I pointed the camera more to the sun, the sun appeared as bright, brighter, brightest and became a big black spot surrounded by white. So, you see that various hacks do exist on these big fat floating polysilicon gates. By the way, the camera CCD sensor is very similar to EPROM memory.

Next post might be about the specs of the old EEPROM and its read and write logical cell states and hypothetical modes of attack.

P.S. I have to mention memory cell size, programming protocol, supply voltage, supply voltage interference, logic glitch.

Hacking manual again.

OK, I get to the point of this blog finally. I will start with a humorous quote from a former police officer, Spišiak: "Hackers are criminals if you don't know that!" The only thing I can add is: Yes, the same as students and researchers are.

IBM has published a very large explanation of how low voltage supplies work in hacking logic circuit functionality. Would you imagine that logic gates manufactured in so-called 65nm to 130nm processes DO WORK at supply voltages as low as 150mV, for example? Crazy? Yes. The whole principle is explained in this link, you can also get the PDF version here.

The IBM Journal of Research and Development is one of the most brilliant technical magazines you can see, and this one is even free to the public! If you want to be ahead of time and know general news 3-6 months ahead, use the journal.

Next, we start from the beginning, the FAMOS - EPROM memory cell hacking.

EPSON R1800 review, part 2

To sum it up, hypothesis confirmed. What the printer lacks a bit is more vibrant RED and MAGENTA, but for printing human faces, this is more than adequate. Before buying this printer, note that there is CYAN in all green variants, and there is CYAN in all blues from cyan to deep blue (not to be confused with the IBM computer), so if you are printing nature photos/trees and water, your CYAN cartridge will sink very quickly. As for the pigment lightfastness, I have yet to test this. Maybe after the hse-ink-system is installed ;)