More on HP2600N Watermarks

So, earlier this month, I posted a note that the serial EEPROM on the main board contained the serial number and formatter ID, among other things, for the HP2600N printer. A little tinkering around has revealed that the watermark is likely not in this EEPROM either! After poking through a few promising areas, I tried just outright removing the EEPROM and printing a test page…the printer lost its serial number, calibration information, page count, MAC address, etc, but the watermark pattern was still there…which indicates that the watermark information is burned into a level much deeper than I had originally suspected in the printer’s core. Yowza! Back to the drawing board…something to sleep on.

For those joining late into this thread, you can read more about the color printer watermarks at this EFF webpage.

11 Responses to “More on HP2600N Watermarks”

  1. Roastbeef says:

    I think the way that BMW implemented VIN coding (and odometer tamper detection) of the engine computer/radio/etc is instructive: Essentially every module has its own idea of what the VIN is and what the current mileage is. Every time the car is started all of the modules share with each other what they each respectively think the VIN and mileage is. If there is disagreement about the values an LED on the dash lights to indicate mileage tampering (and that LED is then forever lit due to the instrument cluster computer).

    The only time a module updates its VIN is if the VIN is currently NULL and if the VIN the other modules are reporting is non-NULL. For example you install a factory-new instrument cluster, its VIN field is NULL until the first time you turn the ignition key and then it sets its VIN field based upon what the engine computer and chassis module are reporting.

  2. Roastbeef says:

    And I forgot to mention that I’d suspect that the actual print engine has a serial number field that gets set once (and only once) when the machine is first powered up.

    I doubt they’re separately programmed, because that would be at least one extra manufacturing step not to mention the problem of field service. I.E. if it’s a separate step then field service has to program the new engine with the serial number of the printer. Once you have field service instructions for doing that, you have to bet it will leak to customers/internet due to loose-lipped field service people. Not to mention that would encourage repair shops to keep part-donor printers around rather than buying new expensive parts from the manufacturer.

    And that last point, forcing repairs to use factory new parts rather than salvaged used parts, is the real reason I suspect BMW implemented the scheme that they did.
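
The scheme described in comments 1 and 2 (each module keeps its own copy, disagreement latches a tamper indicator, and only a blank module adopts the reported value), modelled in C as an added example. It is not code from the post, its commenters or any manufacturer; the struct layout, the three-module car, the constructed VIN and the copying of mileage into a blank module are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VIN_LEN 17

struct module {
    char     vin[VIN_LEN + 1];  /* "" models the factory-new NULL state */
    uint32_t mileage;
};

struct car {
    struct module mod[3];       /* engine computer, chassis module, cluster */
    bool tamper_led;            /* latched: set once, never cleared */
};

static bool is_blank(const struct module *m) { return m->vin[0] == '\0'; }

/* Run at every ignition; returns the state of the tamper LED. */
bool ignition(struct car *c)
{
    const size_t n = sizeof c->mod / sizeof c->mod[0];
    const struct module *ref = NULL;
    /* 1. Every programmed module must report the same VIN and mileage. */
    for (size_t i = 0; i < n; i++) {
        if (is_blank(&c->mod[i]))
            continue;
        if (ref == NULL)
            ref = &c->mod[i];
        else if (strcmp(ref->vin, c->mod[i].vin) != 0 ||
                 ref->mileage != c->mod[i].mileage)
            c->tamper_led = true;
    }
    /* 2. Write-once adoption: only a blank module takes the reported values
     *    (copying the mileage as well is an assumption of this sketch). */
    for (size_t i = 0; ref != NULL && !c->tamper_led && i < n; i++)
        if (is_blank(&c->mod[i]))
            c->mod[i] = *ref;
    return c->tamper_led;
}

int main(void)
{
    /* Constructed VIN; the third module is a factory-new cluster. */
    struct car c = { { {"WBAEXAMPLE0000001", 120000},
                       {"WBAEXAMPLE0000001", 120000}, {"", 0} }, false };
    return ignition(&c) ? 1 : 0;
}
```

A module that already carries a different VIN is never overwritten, so a part salvaged from another car trips the latch instead of being silently re-coded.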

  3. Anunnaki says:

    Companies seem to finally be adopting what we always knew: A very good source for restricted information in a given company environment are always the service contractees.

    No matter if you needed free PayTV, unlocked PS2, Service-Smartcards or secret Codes – you check with the service guys – or become one yourself.

    (With cars, there seems to be pretty wildwest style “business” when it comes to the controlling software for the various engines. I have SEEN software that runs with all major car brands in order to tune/diagnose/hack...)

    So back on topic – the watermarks would require some trackback to the machine, or they were useless. So we need some sort of “uniqueness”. On the other hand, they must not easily be changed.

    It must read out a serial number, and generate the watermark with it, but this watermark should never change again -> burn in to the ASIC, or use some few bits in some ram cells at the other corner of the silicon :)

    PS: @ roastbeef: thanks for the insight into VIN, interesting

  4. Roastbeef says:

    Re: Scanner auto-white balance

    Can you hot-glue a microswitch such that it turns your blue LED strip off when the head is in the hidden area used for calibration?

  5. eXOBeX says:

    Following up from Roastbeef’s idea, how about the microswitch feeding a DPDT relay? Wire this so that when the scanner is in the calibration zone the CCFL is on but the LEDs are off. As soon as it’s out of the calibration area, the relay trips to the other state, with the CCFL off and the LEDs on.
    DPDT means that the LEDs and CCFL can be fed with different voltage supplies. If you can get away with feeding the LEDs from the input to the CCFL driver circuit though, you can ditch the relay and use an SPDT microswitch instead to switch from one to the other.

    A different idea’s just come to me though – why not put a blue “gel” filter on the glass? Should be able to pick up a gel sheet from any music store that does stage lighting.

  6. Oscar says:

    Could the watermark be filtered? Like for example tap into the bus where the color data is sent before being printed?

    I don’t know how color laser printers work, but if this information is sent unencrypted in the PCB then it could be filtered using a cpld or a uC. I don’t think you would lose too much quality in the printing by removing just the tone of the color used for the watermark.

    Don’t think this helps much, but it’s my two cents…

  7. Eric says:

    It sounds like the watermark is probably encoded in one of the low level custom ASICs. I would imagine they put it in using a laser to trim fuses. If they cheap out and use a cut fuse to represent a zero and an untouched fuse to represent a one, then you could easily “anonymize” a printer by cutting the rest of the fuses to zero the serial number. I guess decapping is the way to go here…

    Of course, they could also have two fuses per bit, and cut only one of them. If both fuses in a bit are cut then the printer refuses to print…
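
The difference between the two fuse encodings in comment 7, seen from the designer's side, as an added C model that is not part of the original thread: with one fuse per bit any further cut still reads as a valid serial, while with two fuses per bit every further cut produces a pair the reader can reject. The 16-bit serial width, the pair assignment (10 = one, 01 = zero) and treating an uncut 11 pair as invalid are assumptions of this sketch.

```c
#include <stdint.h>

#define SERIAL_BITS 16

/* Fuse model from the comment: 1 = intact, 0 = cut. Cutting is one-way,
 * so the only possible change to a fuse word is clearing more bits. */
uint32_t cut_fuses(uint32_t fuses, uint32_t mask) { return fuses & ~mask; }

/* Single-rail: one fuse per bit, so the fuse word is the serial itself. */
uint32_t single_encode(uint16_t serial) { return serial; }
int32_t  single_decode(uint32_t fuses)  { return (int32_t)(fuses & 0xFFFFu); }

/* Dual-rail: bit i uses fuses 2i and 2i+1, exactly one of which is cut.
 * Pair 10 (binary) encodes a one, pair 01 encodes a zero. */
uint32_t dual_encode(uint16_t serial)
{
    uint32_t fuses = 0;
    for (int i = 0; i < SERIAL_BITS; i++)
        fuses |= (((serial >> i) & 1u) ? 2u : 1u) << (2 * i);
    return fuses;
}

/* Returns the serial, or -1 if any pair is 00 (both cut) or 11 (uncut). */
int32_t dual_decode(uint32_t fuses)
{
    int32_t serial = 0;
    for (int i = 0; i < SERIAL_BITS; i++) {
        uint32_t pair = (fuses >> (2 * i)) & 3u;
        if (pair == 0u || pair == 3u)
            return -1;               /* invalid pair: refuse to print */
        if (pair == 2u)
            serial |= (int32_t)1 << i;
    }
    return serial;
}

int main(void)
{
    /* Constructed serial 0xBEEF: cutting everything reads as serial 0 in
     * single-rail, but is rejected (-1) in dual-rail. */
    int32_t s = single_decode(cut_fuses(single_encode(0xBEEF), 0xFFFFu));
    int32_t d = dual_decode(cut_fuses(dual_encode(0xBEEF), 0xFFFFFFFFu));
    return (s == 0 && d == -1) ? 0 : 1;
}
```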

  8. Roastbeef says:

    I’d be disinclined to think of laser fuses simply because of the expense it would add to manufacturing (adding an extra step before packaging the die, tracking the serial numbers cut to eventually program the entire unit to that serial, etc), plus you then have the problem of field service. How do you program the serial of a field-replaced print engine/board? If you don’t/can’t change it, how do you then maintain a database that ties printed-watermark to original unit serial number?

    At the price point these things are being sold at, there’s not much of a profit margin and I’d think the extra manufacturing steps associated with laser fuse serial numbering would cost too much.

  9. Eric says:


    It’s not as expensive as you think; nearly all analog ICs have laser fuses for increasing the performance of voltage references, current sources, etc. I would imagine that many digital ICs do the same.

    Here’s another idea. Perhaps the ASIC has EPROM-type fuses that can be programmed once. A field replaced print engine would be blank, and once you install it, the printer writes the serial number into it. This would require a high voltage power supply (actually about 12V), which may be generated off-chip or perhaps by an on-chip charge pump.

  10. Jerry says:

    For the chip IDs, it is possible to be embedded on chips when the wafer is tested. These IDs can later be read out as a way of tracking production line quality and … Normally these would be implemented as fuses and I’m not sure if people could change without secret knowledge of the chip manufacture and without tearing off the chip package.
