Recently, I picked up a few printers from Craigslist… for the unbeatable price of $0. My goal was to use them for a trade-show simulation network, allowing conference attendees to experiment with them.
However, my research led to something far more intriguing than I had anticipated.
It all started when I couldn’t find a datasheet for the processor inside the HP OfficeJet 8600 I had acquired. That piqued my interest, leading me down a fascinating hardware-hacking rabbit hole. Now, I want to share my findings with the community – hoping someone can shed light on this mystery, provided they aren’t bound by an NDA.
So, let’s dive into the research behind this board, the printers themselves, and the unusual processor nomenclature I encountered, including the string “ASIC ID”.
Down the device triage rabbit hole
Disassembling these printers was no easy task. It’s remarkable just how many components go into a single printer – and how long it takes to break one down. Each teardown took roughly two hours, just to extract the relevant parts for a testbench.
Once disassembled, I connected the printer’s “guts” and began analyzing how the device operates. Unsurprisingly, it wasn’t happy about the missing components, responding with a series of warning messages and an angry sequence of tones from the speaker.
Interestingly, the Hewlett Packard part returns an ASIC ID when a webpage 404s, which helps correlate processors with specific printer or scanner models. Below is the processor string and an image of the processor (note the 1825-xxxx marking on top). While I haven’t yet found a direct correlation between the ASIC ID and the 1825 string, I have confirmed that the same processor in different devices will return the same ASIC ID.
(For curious souls out there, ASIC = application specific integrated circuit.)
Returned from a 404 request: {CLP1CN2011AR, ASIC id 0x00320104}
This processor is a plastic ball grid array (PBGA) 420, a custom system-on-chip (SoC) or the SPEAr 1310 developed by STMicroelectronics (ST) and Hewlett-Packard (HP) for printers. While ST primarily manufactures ARM processors, it produces relatively few PBGA processors, making this one easier to identify based on its architecture and packaging.
As I continued down the rabbit hole, this processor appeared to be a SPEAr 1310. While I can’t fully confirm it, the IO mappings, images of similar use cases, and comparisons with other embedded platforms suggest it’s the most likely candidate. Notably, the SPEAr 1310 is an existing processor from STMicroelectronics.
Digging deeper, I dumped the flash memory, probed for hardware debug interfaces, and ran basic tools against the binary to further analyze the system.
An interesting find: The UART on the HP OfficeJet 8600 is not password-protected – though it should be for security reasons. The unit I acquired runs a version of VxWorks and consists of three sections which are compressed.
Here are the strings from the stripped NAND flash:
Debug Event
Cortex-R4
Cortex-A9
Marvel PJ4
1176
Cortex-A7
Not Listed
narel
bkdcl
weber_base_nandboot_pp1
clustersvr1.psr.rd.hpicorp.net
main.out
Oefd4662c594feec1852be6115f43033f462437eUp next, Figure 5 shows a function that decompiled nicely in Ghidra. Due to incorrect mapping of the binary, some addresses didn’t resolve properly.
The UART shell:
[Boot] ******************************************************
[Boot] Firmware build timestamp: Tue Jan 10, 2012 07:07:52AM
[Boot] ASIC ID 0x00320104 : 0x000070f9 (Tejas RevA .1 fabo ST)
[Boot] Entering NOS_HW_MCASIC_init
[Boot] Unmapped Board ID (Compiled in): 0x48bf (bitpacked) M:0x04 F:0x45 N:0x1f
[Boot] Unmapped Board ID (from NVM): 0x48a7 (bitpacked) M:0x04 F:0x45 N: 0x07
[Boot] Remapped Board ID (table): 0x48a7 (bitpacked) M:0x04 F:0x45 N: 0x07
[nos_ui] mcu is ST, code ver. 0x00; Coulomb #0x60; AUO 4.3; Raw ADC: 0x3fff
[Boot] NVM powerdown state = 0x00000003
[Boot_fp] : pb: 0x00000001
[FPMCU] _powerup_buttons (raw value-›button ID): 0xa0-›0x2000, 0x00-›0x2000
[Boot] Load mode = 0x00000004
[Boot] SPI Device 0 : MX25L1605 (2 Megabytes) (ID:0x00c22015)
[Boot] SPI Device 1 : No ROM found (ID:0x00000000)
[Boot] SPI Device 2 : No ROM found (ID:0x00000000)
[Boot] SPI Device 3 : No ROM found (ID:0x00000000)
[Boot]: App 0x00000000: copy 0x019ffff8 bytes fr NAND 0x00020800 to 0x26600000.
[Boot] Done loading applications; Executing boot-processor at: 0x27ffd67c.
[Boot] calling (*0x27ffd67c)()
[Boot] ******************************************************
[Boot] Firmware build timestamp: Wed Mar 11, 2020 06:49:38AM
[Boot] ASIC ID 0x00320104 : 0x000070f9 (Tejas RevA .1 fab0 ST)
[Boot] Entering NOS_HW_MCASIC_init
[Boot] Unmapped Board ID (Compiled in): 0x48bf (bitpacked) M:0x04 F:0x45 N:0x1f
[Boot] Unmapped Board ID (from NVM): 0x48a7 (bitpacked) M:0x04 F:0x45 N: 0x07
[Boot] Remapped Board ID (table): 0x48a7 (bitpacked) M:0x04 F:0x45 N:0x07
[nos_ui] mcu is ST, code ver. 0x00; Coulomb #0x60; AUO 4.3; Raw ADC: 0x3fff
[Boot] NVM powerdown state = 0x00000002
[Boot_fp] : pb: 0x00000000
[FPMCU] _powerup_buttons (raw value-›button ID): 0x00-›0x2000, 0x00-›0x2000
[Boot] Load mode = 0x00000004
Phys block out of range!
[Boot] No image file found
[Boot] SPI Device 0 : MX25L1605 (2 Megabytes) (ID:0x00c22015)
[Boot] SPI Device 1 : No ROM found (ID:0x00000000)
[Boot] SPI Device 2 : No ROM found (ID: 0x00000000)
[Boot] SPI Device 3 : No ROM found (ID: 0x00000000)
[Boot] calling (*0x20a22a29)()
-› These datapoints didn’t do much for me – with the exception of now being able to pull the ASIC ID remotely. If you remember from the enumeration at the beginning of the article, I could pull the ASIC ID from the device if a 404 was returned. In the UART output, there are ASIC ID strings that match (as well as processor strings like Tejas RevA .1 fab0 ST). This may mean this is, in fact, just an ST processor obfuscated for HP, like the SPEAr 1310 PBGA.
Here are the images side by side:
Then I looked through old forums and threads on ST, Marvell’s, and HP’s webpages for any reason why HP printers may have obfuscated what processors they are utilizing in their printers. ST confirmed the numbering scheme 1825-xxx is some sort of proprietary part.
Processors, processors, processors
I started searching on Censys for the string “ASIC ID” and found many, many targets. I then collected the ASIC IDs of the targets, found images of the internal motherboard on Ebay, and cropped them below. Here are correlations of the printer model, ASIC ID, and a photo of the ASIC.
Processors located outside of Censys
Splotches and dots: Considering printer steganography
As you can see, each processor features the 1825-xxxx marking. Unfortunately, searching for these strings doesn’t yield much useful information – except in the case of Marvell’s 88PA series. Both Marvell and PMC provide datasheets for similar processors, but these documents are often limited in detail and restricted in public distribution, making it difficult to gather meaningful insights.
So… what might be going on here?
Is there a government regulation preventing HP from using commercial off-the-shelf (COTS) processors?
Are there technical challenges – perhaps related to ink and printing – that require HP to develop custom ASICs?
Why do some commercial processors look nearly identical to these, aside from different markings?
These are all questions I’d love to answer, but so far, the answers remain elusive.
Many modern printers embed nearly invisible yellow dots on printed documents. This practice, known as printer steganography or a machine identification code (MIC), began in the 1980s when Xerox agreed to encode “hidden information” in its printers to help the U.S. government track the source of printed materials. These dots contain details such as the printer’s make, model, serial number, and the exact time of printing. Printer steganography is now standard in modern printers, as shown in Figure 20 (below).
Originally introduced to combat counterfeiting in the early days of color laser printing, this tracking system has since been used in various investigations. Notably, in 2017, NSA whistleblower Reality Winner was identified and arrested after authorities traced a leaked document back to its printer using these encoded dots. Under a blacklight, these microscopic yellow dots may become visible. Implementing this tracking mechanism may require specialized hardware, leading manufacturers like HP to develop custom ASICs for their printers.
Modern printers can detect and prevent the copying of banknotes, often by recognizing certain embedded patterns such as the EURion constellation. Discovered by researcher Markus Kuhn in 2002, the EURion pattern appears in many currencies worldwide. In one case, a Xerox printer refused to replicate a banknote after detecting this pattern. Likewise, software applications – including Adobe Photoshop – employ a Counterfeit Deterrence System (CDS) that stops users from scanning or printing currency. These protective measures commonly rely on identifying the EURion constellation (or similar features) and may even contribute to the need for a custom processor.
Printers also regularly handle sensitive information, including PII, Social Security numbers, driver’s license numbers, and other highly confidential data. If a printer were fully reverse-engineered, the amount of accessible information could be staggering. Unfortunately, many modern printers contain vulnerabilities, such as CVE-2022-3942, that could be exploited.
Security concerns – particularly regarding data protection – may also play a role in HP’s unique processor naming conventions.
What does it all (possibly) mean?
One possible explanation for this “processor obfuscation” is that HP uses a custom ASIC manufactured across different suppliers with similar chip carriers. However, based on the strings I found, decompilation results, and the processor package of the HP OfficeJet Pro 8600, this seems unlikely.
Another possibility that was discussed is that the chip could be fabricated with logic directly embedded in the silicon to encode machine identification information for printed documents. While this could explain some design choices, it also seems improbable.
The most likely scenario is that these processors are commercial off-the-shelf (COTS) components allocated exclusively to Hewlett Packard under contract, preventing them from being sold to the general public under the same part number. It could also serve as a way for HP to maintain close relationships with ASIC manufacturers while ensuring their processors remain distinct from those used in civilian and government equipment.
From my research on the 8600, if you find a part from the same manufacturer (e.g., Marvell, PMC) with a similar package and a matching production timeline, you may have identified the processor family.
I hope this article sparks community interest in uncovering why HP takes this approach with their processors. It’s fascinating that a major corporation would invest the time and resources into either developing a custom ASIC for this purpose or rebranding an existing one. Natural curiosity – which leads to tackling these kinds of puzzles – is exactly what Zetier is all about. Take a peek at the rest of our blog for more puzzles and information.
Have you ever uncovered or demystified an unknown processor? We’d like to hear about it! Shoot us an email at hello@zetier.com.
Thinking “hey, that was an interesting article”?
Share this hardware-hacking rabbit hole on HackerNews →
Editor’s Note: If you enjoy hardware hacking, then try to hack our DEFCON CTF-inspired badge! Crack the code on LinkedIn, X, or Reddit, and win your own badge to tackle the firmware puzzle. We’ll break down both solutions on our blog soon. To stay tuned, you can join our newsletter in the footer ↓
