Hawking Technology has a large line of networking products, including the H-PS1U USB Internet Print Server and the PN7127P Parallel Internet Print Server. Both are very small units, with a USB host port and a parallel port respectively.
NOTE - All of our original research was on the USB version of this unit, and we found very late in the game that the parallel version was highly similar. Almost everything that applies to the USB unit applies to the other unit as well.
Though there are two LEDs, there are no switches or jumpers: all setup (including IP address assignment) is done over the network. The manufacturer provides a nice Windows GUI tool for configuration (PSAdmin), but we've found how to talk to the device to set the IP address directly. Once it's addressed, the rest of the configuration is done via telnet or a browser interface.
When the unit powers up, it has IP address "1.2.3.4", which is of course completely bogus. But it's also listening for broadcasts to port 20540/udp, and if it sees a specially-formatted packet, it responds with a full configuration packet of 1030 bytes.
We've written a tool in Perl that can perform some of the required low-level device setup from the UNIX command line, obviating the Windows GUI tool.
• Hawking Print Server Configuration Utility
Both units are about the same size, and when the plastic clamshell case is opened, it reveals an Ethernet circuit board with a printer interface daughterboard.
Key components of the USB unit include:
The unit's specs claim that it requires 5 volts at a shocking 2000 mA. It does run pretty hot, but it's likely that the current drain is not this much in practice: the USB port has to supply a certain amount of power for the attached device, and this may simply allow for plenty of draw. This has by far the most compact power brick we've ever seen.
But the parallel unit has a 2000 mA supply as well (though not the tiny power brick), so we can't tell whether they're angling for a single power brick across the product line (minimizing inventory issues) or whether the units really do draw that much current. We've not yet measured the current drain.
Our analysis has shown that the USB unit has positively abysmal network performance in spite of what appear to be generally decent components.
By sniffing the network while PSAdmin is running, we've seen three kinds of packets. Two are very similar and are clearly device-discovery packets intended to search out all the print servers on the network. These packets are 48 bytes long, and mostly filled with zeros.

```
+---+---+---+---+---+---+------------------+
| N | E | T |\0 |\4 |\1 |  42 more zeros   |  query device params
+---+---+---+---+---+---+------------------+

+---+---+---+---+---+---+---+---+----------+
| N | E | T | P |\4 |\10|\1 |\0 | 40 more  |  query port params
+---+---+---+---+---+---+---+---+----------+

+---+---+---+---+--------------------------+
| Z | O |\0 |\1 |      44 more zeros       |
+---+---+---+---+--------------------------+
```

We're not sure what the difference is, and we believe that only the
first one actually provokes a response from the devices we have on
hand. PSAdmin sends 15 of these queries, alternating each time,
spaced around 750msec apart. It's clearly trying to figure out just
what's on the network by querying multiple times, and if only one
is known to be attached, we can stop after we get the first one.
We're guessing that the "ZO" queries are Netware related.
Edit - 2010/08 - the very helpful Peter Gutmann reported:
The "ZO" packet is from Zero One Technologies (ZOT), who make the PS1U, Hawking just rebrand it. The Hawking PS12U is probably a ZOT PUN1200, not sure what the 1U is but you can find info on the range at http://www.01tech.com/p3-2download.asp, the best way to match them up is to look at the names for the firmware files, for the 1U it'll be MPSxx, and then look for the ZOT product with the same firmware filename.
When the unit first powers on, it makes a number of queries
to the local network. It makes Novell-related requests that
tcpdump describes
as
It ARPs for the default gateway, then performs a number of
We've not found a way to disable these protocols that we are sure we aren't using. We're still looking.
The information packet from the device and the one we use to set new parameters have the same format. They're 1030 bytes long (1024 + 6?), and it appears to be a fixed-format structure. We have decoded many of the key parameters here, which allows us to manipulate them directly. It is not a full decoding: many of these parameters can be set by telnetting into the device, so there was little point in digging too deeply.

Offset (hex) | Length | Description |
---|---|---|
0x000 | 6 | Header "NET\x00\x84\x00" |
0x006 | 6 | MAC (Ethernet) address |
0x00E | 18 | Printer Name |
0x022 | 4 | IP Address |
0x02A | 7 | Configuration password (in cleartext) |
0x033 | 16 | Firmware revision (ASCII) |
0x153 | 15 | Netware Printer name |
0x184 | 4 | Netmask |
0x188 | 4 | Default Gateway |
0x18C | 1 | DHCP enabled? |
0x18E | 15 | SNMP "Contact" information |
0x19E | 24 | SNMP "Location" information |
0x1D1 | 1 | SNMP config bits: 0x01 = enable traps; 0x02 = enable auth traps; 0x08 = community string #1 R/O; 0x10 = community string #1 R/W; 0x20 = community string #2 R/O; 0x40 = community string #2 R/W |
0x1B7 | 12 | SNMP community string #1 |
0x1C4 | 12 | SNMP community string #2 |
0x1D2 | 4 | SNMP Trap #1 IP address |
0x1D6 | 4 | SNMP Trap #2 IP address |
0x1FF | 32 | Appletalk Zone |
0x220 | 12 | Appletalk Port Name |
0x22D | 20 | Appletalk Printer Type |
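
A decoder for the fields in the table above, written as an added example (it is not the Perl utility linked from this page). The sample packet is constructed, and treating string fields as NUL-padded ASCII is an assumption; the point is that anything able to read one of these packets sees the configuration password and SNMP community strings directly.

```python
import socket

PKT_LEN = 1030
HEADER = b"NET\x00\x84\x00"
# Field renderers; treating strings as NUL-padded ASCII is an assumption.
CONV = {
    "mac": lambda b: ":".join(f"{x:02x}" for x in b),
    "ip": socket.inet_ntoa,
    "int": lambda b: b[0],
    "str": lambda b: b.split(b"\x00", 1)[0].decode("ascii", "replace"),
}

# (name, offset, length, type) copied from the offset table
FIELDS = [
    ("mac",        0x006,  6, "mac"),
    ("name",       0x00E, 18, "str"),
    ("ip",         0x022,  4, "ip"),
    ("password",   0x02A,  7, "str"),
    ("firmware",   0x033, 16, "str"),
    ("community1", 0x1B7, 12, "str"),
    ("community2", 0x1C4, 12, "str"),
    ("snmp_bits",  0x1D1,  1, "int"),
]

def decode(pkt):
    """Decode a configuration packet; reject wrong size or header."""
    if len(pkt) != PKT_LEN or not pkt.startswith(HEADER):
        raise ValueError("not a 1030-byte NET configuration packet")
    return {name: CONV[t](pkt[off:off + n]) for name, off, n, t in FIELDS}

def findings(cfg):
    """Review notes derived only from the decoded fields."""
    notes = []
    if cfg["password"]:
        notes.append("configuration password visible in cleartext")
    for num, bit in ((1, 0x10), (2, 0x40)):  # R/W bits of the SNMP config byte
        if cfg["snmp_bits"] & bit:
            notes.append(f"SNMP community #{num} is read/write")
    return notes

def sample_packet():
    """Constructed sample, not captured from a real device."""
    buf = bytearray(PKT_LEN)
    parts = {0x000: HEADER, 0x006: bytes.fromhex("020000abcdef"), 0x00E: b"LAB-PS",
             0x022: socket.inet_aton("192.0.2.10"), 0x02A: b"s3cret",
             0x1B7: b"public", 0x1C4: b"private", 0x1D1: bytes([0x08 | 0x40])}
    for off, val in parts.items():
        buf[off:off + len(val)] = val
    return bytes(buf)
```
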
A broadcast on a network with multiple print servers could return multiple responses, and to set the parameters we modify a few bytes in that response and re-broadcast it. Though all the units on the network will receive the packet, only the one whose MAC address matches will accept the update.
Once the configuration has been programmed, the device must be told to save and reset itself to make it fully take effect, and we've observed that PSAdmin sends this packet:

```
+---+---+---+---+---+----------------------+
| N | E | T |\0 |\8 |    43 more zeros     |  reset device
+---+---+---+---+---+----------------------+
```

NOTE - we send this packet to the broadcast address, which probably reaches all print servers on the network, but we found out about this packet very late in the game and just weren't up to modifying the tool to send to the device itself. Sorry.
Port | Purpose |
---|---|
23/tcp | telnet |
80/tcp | http for configuration |
515/tcp | lpr |
631/tcp | ipp |
20560/udp | configuration and setup |