Thursday, March 12, 2009

How to program your permanent reset chip

It's almost a year that I own this beautiful printer and it's some time right now that I know a couple of very interesting tricks to enjoy it even more.

First of all Samsung just released clp-310 (and it's black version: the clp-315): for all the owners of the clp-300 unfortunately it means that they are planning to dismiss this printer, since the new toner cartridges for clp-315 and clp-310 are very different from the older ones for clp-300.

Now I will present herein a technique that permits to turn the vast majority of aftermarkets (non OEM chips) into permanent reset chips; this means that you can turn a single chip into one that will last forever, since it will never expire. Common reset chips are cheap (4-7 dollars each), but they should be replaced as soon as the toner inside the cartridge finishes.

The total refill cost is quite expensive, because you have to add to the toner powder ($6 per recharge) the reset chip ($7). Let's see how to cut the costs related to the chips with a permanent reset chip.

To accomplish this task, you will need:
  1. I2C eeprom programmer; I will not describe how to build one on your own. Please refer to the very detailed schemes here: Chiprecharge Serial Programmer
  2. Ponyprog software or similar one
  3. Two aftermarket chips (aftermarket reset chips based on at34c02)
  4. Basic soldering skills
The Lock Protection

Samsung clp-300 (the printer) track of the total number of the pages printed (referred as PAGES), it remembers other things as well, like the number of the print jobs (referred as JOBS) performed so far and the serial number of the toner cartridge (referred as CRUM number).

Each cartridge has a chip on it, which is basically a serial eeprom. This eeprom is costantly written by the printer during all its lifetime span, and it's permanently locked when it expires. I have used the term expire because locked cartridges are not necessarily empty.

The printer has an internal counter which is associated to the last read CRUM number. The internal counter starts with a number of 0 and ends at 2000 for the black cartridge, or at 1000 for the other colors. The counter is increased by 1 for every printed page; when the counter reaches i.e. "2000", the chip on the toner is marked as empty and permanently locked.

When a new toner is inserted in the printer, the printer performs the following operations:
  1. For the very first 1000 pages the chip is not required (toner sold with the printer have no chip)
  2. The printer checks if the new CRUM on the chip is different from the previous one stored internally (date is NOT checked, just the CRUM)
  3. If the new CRUM number is valid for color and region, the printer writes 2 bytes (value A5) at 0x004A and 0x004B, to check if the eeprom has not been locked
  4. If 0x004A and 0x004B are both "A5", the printer sets its internal counter for PAGES and JOBS reading these data from the chip at 0x00C2-0x00C4 (PAGES), 0x00D4 (JOBS). Note: PAGES seem to be crumbled and xored with some data like the CRUM number.
  5. Finally the printer stores internally the new CRUM number
Note: Point n. 4 is controversal, because some people say that the printer resets its internal counter when the the installed toner is swapped with one that has been used but not finished. I can say that this behaviour maybe depends from the software inside the printer, since from the tests performed with my printer, exchanging toner never increased the number of pages for that particular cartridge.

The following image shows the bytes that are changed over time:

When the toner finishes the process is the following one:
  1. Array 0x0080 - 0x00F0 is moved to 0x0000 - 0x0070
  2. 0x004A is turned into AA
  3. Permanent (software) write protection is turned on

As it's possible to see, this lock protection has several flaws:
  1. No encryption is used
  2. Validation is performed by writing the same values at always the same locations
  3. Printer does't check if the writing operations on the chip were succesfully accomplished
Now the steps that we should perform to have a fully permant chips are quite clear:
  1. Our chip should have the value A5, A5 at ox004A ox004B
  2. The crum number, the color and the other information should be set correctly
  3. PAGES and JOBS should have the minimum value recognized as valid (i.e. 01, 01)
  4. The whole array should be write protected, so the printer is not able to change PAGES, JOBS and to lock the cartridge with "AA" at 0x004A.
Let's build our Permanent Chip

The following image represent the dump I used on my "Black" permanent reset chip for EUR region. Of course for different colours, the byte at 0x009B and 0x009E should change.

Now that we have the correct dump, we can transfer it on the chip using our home made I2C serial programmer. If you have any doubt on how to perform this operation, please read "FixYourOwnPrinter" thread before going any further.

You can use a very simple serial programmer like the one I made by myself:

Once the image is transferred correctly, we should enable the write protection. As specified on the Atmel documentation for 34c02 here, in addition to the Software Write Protection, we have the Hardware Write protection: "The WP pin can be connected to VCC, GND, or left floating. Connecting the WP pin to V will write protect the entire array, regardless of whether or not the software write protection has been enabled". Hardware protection prevents the printer from modify a single byte inside our chip, and of course it's reversible and leaves the write protect register untouched.

The most difficult part of this process is that the WP pin could be grounded (e.g. connected to GND -). If we cannot connect directly the WP to VCC, because it will result in a short circuit, we have to lift the WP pin. You can take a little help from a very thin steel wire (Wire Wrap), while you are heating the contacts:

The final stage is to solder the WP pin on top of the VCC pin:

The procedure it's almost finished. Almost, because when the toner finishes, our permanet chip is not erased, but the printer still remembers the CRUM number on it. To refill we should insert the second aftermarket chip once, and soon after swapping it with the permanent one. The easiest way, from my point of view, is to have 2 toner cartridges with 2 different permanent chips on it and alternatively using one and the other one after.

Note: this method of write protecting valid data with hardware protection, could work against other printers as well, including ones with encryption.