Dymo 550 Thermal Printer DRM Hacking

[voltsandjolts]

Maybe a strange thought, but can we not find a way to flash the firmware of the older 5XL's to the new ones?

That would require the extraction of firmware from the STM32 MCU in the older 5XLs.
That's not easy because of security features in the STM32 MCU.
But it might be possible, some folks have had success in bypassing those security features, as mentioned above in reply #143

[ballfanta]

I purchased my 5XL a while ago, my SN is QG1340XXXXXXA so obviously mine works fine with the hack. It is so disappointing to find that they seem to have actively blocked this .

@js_12345678_55AA any further progress on working around dymos latest effort?  I can scan my 4x6 labels.  I have another 5 rolls that i need to find at the house or i can um scan some at the local supplier. and also thanks for your efforts.

Does anybody know the sequence of the serial numbers, that we know at least which one the old hack works and for which one the new hack is needed.

Maybe for me to start

I have a 5XL bought last year which is working: QG1450022xxxA
I have a 5XL this year (bought in April) which is not working: QG2350146xxxA

I don't share the full serial number, never now who's reading it .

Maybe a strange thought, but can we not find a way to flash the firmware of the older 5XL's to the new ones?

[BaronPils]

Would the following be possible

Adding bluepill firmware with multiple label-signatures on it.
Each restart of the firmware will result in a new label set.
Ideally you would only switch labelset when it is empty, but I doubt if this is feasible.

If the firmware would store like 30-50x label-ids you would still have like 6-10k labels you can print.
For a normal consumer like me this would result in 10years usage.

[fantasy2]

If I understand correctly, even with the firmware update, as long as you have a SLIX2_TAG that has never been used before, you can still select any dymo label(match & mix), since the data is separate from the tag ID's? What happens if you use the same tag ID with different data? Does the counter still count down but then for this different label? I wonder why they haven't thought of creating a hash that would include the SLIX2 data and ID.

[fantasy2]

I just got a new Dymo 5XL and tore it down since people mentioned that the new 5XL does not work anymore while the old one does.

And surprise surprise, the new boards are different.

There is now a 128kbit eeprom added to the board. It's a BL24C128A.
I'm sure that's where they are storing it now and not inside the STM itself.

So.. I wonder what would happen if you keep that IC reset? I wonder if the printer would continue.
Would it make sense to read the (unencrypted?) data and figure some more out?


Also, I was looking for the IC of the 3volt power supply, but I couldn't find it yet. It's different from the normal 550. I was wondering how many amps it would allow to pull. If we could use an ESP32-C3 to be the middleman, then it would be easy to wirelessly reprogram it with different ID's. But the C3 pulls max 500mA so I was a bit hesitant to try it out.

[tooki]

I would expect that the instantaneous current draw of the printhead and motor are at least as large as the maximum of an ESP32. (Of course, I don’t know whether the printhead and motor are powered from the 3V rail.) Could you just use a little DC-DC converter directly from the DC input in the printer?

[fantasy2]

Those are both powered from 24Volt. There is a very beefy elco for that.
Something plug and play without having to solder something to the dymo would be my preference to make it more widely accessible.

The datasheet of the CLRC663(RFID reader) says it uses 350mA while transmitting with a max of 500mA. So there is potential!

[js_12345678_55AA]

I just got a new Dymo 5XL and tore it down since people mentioned that the new 5XL does not work anymore while the old one does.

And surprise surprise, the new boards are different.

There is now a 128kbit eeprom added to the board. It's a BL24C128A.
I'm sure that's where they are storing it now and not inside the STM itself.

So.. I wonder what would happen if you keep that IC reset? I wonder if the printer would continue.
Would it make sense to read the (unencrypted?) data and figure some more out?

BL24C128A = 16kByte EEPROM thats a lot of extra memory to store UIDs and counter values.
Looking at the overall security of the device and software I highly doubt they added an encryption layer and even if they might have, than for sure something in ECB mode...
So wild guess... emulating the EEPROM from bluepill and replay the empty factory state after each power cycle will most likely solve the problem.
And adding a I2C EEPROM emulation to bluepill is just another few lines in the project. Unfortunately one would need to unsolder the EEPROM and add some wires for an emulation to work (no plug and play naymore ;-)

Can you make some high res pictures of the PCB?

Unfortunately I don't have one of the new printers and I'm not sure how to identify...
Maybe we can identify new and old versions with the serial number on the box.
I have 2 old versions with following serial number sticker on box:
OLD: QE13508005...
OLD: QE34400474...

BTW: @D*YM*0 ..., since it looks like you read here ;-) WHERE is the new FCC approval for the obviously changed hardware

Also, I was looking for the IC of the 3volt power supply, but I couldn't find it yet. It's different from the normal 550. I was wondering how many amps it would allow to pull. If we could use an ESP32-C3 to be the middleman, then it would be easy to wirelessly reprogram it with different ID's. But the C3 pulls max 500mA so I was a bit hesitant to try it out.

Why ESP32... Now since even iPhone can do HCE, an Android or iPhone should be able to emulate a NFC-TAG which could be used to communicate with bluepill over the NFC antenna from the spool reader.

Just not having enough time is the only limit here ;-)

JS

[ashconnor]

Came upon this thread after buying a 5XL before reading about the DRM. D'oh.

I saw a guy is selling a solution on eBay (video below). This one appears to be able to print any label, although it shows an error in the software.

Any ideas on how this is being done? I love the fix here (thanks js_12345678_55AA!) but not easily being able to switch labels without a legit tag is a minor drawback.

[js_12345678_55AA]

Came upon this thread after buying a 5XL before reading about the DRM. D'oh.

I saw a guy is selling a solution on eBay (video below). This one appears to be able to print any label, although it shows an error in the software.

Any ideas on how this is being done? I love the fix here (thanks js_12345678_55AA!) but not easily being able to switch labels without a legit tag is a minor drawback.

Very suspicious...

SUSPICIOUS EBAY LISTING DO NOT BUY: https://www.ebay.com/itm/266955199429

- so why is there a heatshrink covering a PCB which very much looks like a STM32 bluepill ?
- why a specific spool type is printed on a sticker on the heatshrink?

Smells like a fraudster not respecting the GPL, selling others work...

At least we can "learn" something from his ebay listing (even that seems incorrect...):
"If it starts with QE2xx ; QF2xx; QG1xx the LabelChip should work. Higher numbers/letter is uncertain, Lower numbers + Letters is Ok."

JS

[ashconnor]

I had a suspicion he might be ripping you off. Wasn't sure though because his works a little different.