peripage-python icon indicating copy to clipboard operation
peripage-python copied to clipboard
verified publisher icon bitrate16

Protocol reverse engineering

Open bitrate16 opened this issue 4 years ago • 6 comments

Peripage printer should have some opcodes or return codes that will return information about temperature state or overheat warning. It is necessary to find out how to check overheat state of the printer and pause printing without loosing the part of the data. In addition it is necessary to find out the opcodes that will return if the cover of the printer is opened.

Features to be implemented:

  • Thermal warning handle
  • Requesting printer temperature
  • Pausing on overheat
  • Detection of cover being opened

bitrate16 avatar Mar 24 '21 10:03 bitrate16

I reverse engineered the Peripage apk in the spring of 2020. If there are opcodes to get these indications, the app does not make use of them. I'll admit, however, that the reverse engineering that went into the ppa6-python project uncovered something that I never found - ASCII printing.

fsckyou avatar Feb 17 '22 01:02 fsckyou

May I get an hint on the best way to reverse the app? I have no problems working with Java but have next to zero experience with Android development. I'm playing with jadx to see if I can get some code out, but if you have a recipe I can follow, I can put an extra pair of eyes on this.

namero999 avatar Apr 19 '22 10:04 namero999

May I get an hint on the best way to reverse the app?

Try looking at akptool for app decompiling/patching/recompiling, and, as you said, jadx. In addition you can reverse-engineer bluetooth communication by enabling Developer option Bluetooth HCI snoop and viewing bluetooth dump in wireshark as I did initially. I would suggest using python jupyter notebook to play with data send/receive with pybluez library

bitrate16 avatar Apr 19 '22 10:04 bitrate16

Looked over the trivial set of codes and here is overview of the range: Request -> Response:

10ff1000 + BYTE -> set concentration [0-3]
10ff1001 + BYTE -> set ??? [0-3]
10ff20f1        -> b'V2.11_304dpi'
10ff20f0        -> b'IP-300'
10ff20f1        -> f/w
10ff20f2        -> s/n
10ff20f3        -> OK
10ff20f4 + STR  -> set s/n
10ff3010        -> h/w
10ff3011        -> name
10ff3012        -> b'\x00\x15\x83\x15\xbc_\xc0\x15\x83\x15\xbc_'
10ff3013        -> NONE
10ff40[00-ff]   -> b'\x00'
10ff50f1        -> batt
10ff50f2        -> b'\x00\x00'
10ff70          -> b'PeriPage+BC5F|00:15:83:15:BC:5F|C0:15:83:15:BC:5F|V2.11_304dpi||44'

Additionally, to enter printing mode (reset()): 10FFFE011B40.

To exit print mode: 10FFFE45

1D0C or 1C in print mode to fast-feed paper

1B4A[01-FF] to feed document start/end

bitrate16 avatar May 09 '23 17:05 bitrate16

Also, it seems that printer really does not react to POS commands from https://escpos.readthedocs.io/en/latest/commands.html

@eliasweingaertner, have a look

bitrate16 avatar May 09 '23 17:05 bitrate16

Also, unchecked fact is that USB protocol 1:1 same as bluetooth protocol

bitrate16 avatar May 09 '23 17:05 bitrate16