
Hawking Technology has a large line of networking products, and these include the H-PS1U USB Internet Print Server and the PN7127P Parallel Internet Print Server. These are both very small units that have a USB host port and a parallel port (respectively).

NOTE - All of our original research was on the USB version of this unit, and we found very late in the game that the parallel version was highly similar. Almost everything that applies to the USB unit applies to the other unit as well.

Though there are two LEDs, there are no switches or jumpers: all setup (including IP address assignment) is done over the network. The manufacturer provides a nice Windows GUI tool (PSAdmin) for configuration, but we've found how to talk to the device to set the IP address directly. Once it's addressed, the rest of the configuration is done via telnet or a browser interface.

When the unit powers up, it has IP address "1.2.3.4", which is of course completely bogus. But it's also listening for broadcasts to port 20540/udp, and if it sees a specially-formatted packet, it responds with a full configuration packet of 1030 bytes.

We've written a tool in Perl that can perform some of the required low-level device setup from the UNIX command line, obviating the Windows GUI tool.

Hawking Print Server Configuration Utility

Hardware Components

Both units are about the same size, and when the plastic clamshell case is opened, it reveals an Ethernet circuit board with a printer interface daughterboard.

Key components of the USB unit include:

The unit's specs claim that it requires 5 volts at a shocking 2000 mA. It does run pretty hot, but it's likely that the current drain is not this much in practice: the USB port has to supply a certain amount of power for the attached device, and this may simply allow for plenty of draw. This has by far the most compact power brick we've ever seen.

But: the parallel unit has a 2000 mA supply as well (though not the tiny power brick), so we can't tell whether they're angling for a single power brick across the product line (minimizing inventory issues) or whether they really do draw that much current. We've not yet measured the current drain.

Our analysis has shown that the USB unit has positively abysmal network performance in spite of what appear to be generally decent components.

Network Device Discovery

By sniffing the network while PSAdmin is running, we've seen three kinds of packets. Two are very similar and are clearly device-discovery packets intended to search out all the print servers on the network. These packets are 48 bytes large, and mostly filled with zeros.

+---+---+---+---+---+---+------------------+
| N | E | T |\0 |\4 |\1 |   42 more zeros  | query device params
+---+---+---+---+---+---+------------------+

+---+---+---+---+---+---+---+---+----------+
| N | E | T | P |\4 |\10|\1 |\0 | 40 more  | query port params
+---+---+---+---+---+---+---+---+----------+

+---+---+---+---+--------------------------+
| Z | O |\0 |\1 |     44 more zeros        |
+---+---+---+---+--------------------------+

We're not sure what the difference is, and we believe that only the first one actually provokes a response from the devices we have on hand. PSAdmin sends 15 of these queries, alternating each time, spaced around 750 msec apart. It's clearly trying to figure out just what's on the network by querying multiple times, and if only one is known to be attached, we can stop after we get the first one. We're guessing that the "ZO" queries are Netware related.

Edit - 2010/08 - the very helpful Peter Gutmann reported:

The "ZO" packet is from Zero One Technologies (ZOT), who make the PS1U, Hawking just rebrand it. The Hawking PS12U is probably a ZOT PUN1200, not sure what the 1U is but you can find info on the range at http://www.01tech.com/p3-2download.asp, the best way to match them up is to look at the names for the firmware files, for the 1U it'll be MPSxx, and then look for the ZOT product with the same firmware filename.

Device boot behavior

When the unit first powers on, it makes a number of queries to the local network. It makes Novell-related requests that tcpdump describes as ipx-sap=nearest-req, then one as ipx-sap-resp where it identifies itself as a Novell print server.

It ARPs for the default gateway, then performs a number of aarp probes which appear to be related to Appletalk.

We've not found a way to disable these protocols that we are sure we aren't using. We're still looking.

Configuration Packet Format

The information packet from the device and the one we used to set new parameters have the same format. They're 1030 bytes large (1024 + 6?), and it appears to be a fixed-format structure. We have decoded many of the key parameters here, which allows us to manipulate them directly. It is not a full decoding, because many of these parameters can be set by telnetting into the device so there was little point in digging too deeply.

Offset (hex)  Length  Description
0x000            6    Header "NET\x00\x84\x00"
0x006            6    MAC (Ethernet) address
0x00E           18    Printer Name
0x022            4    IP Address
0x02A            7    Configuration password (in cleartext)
0x033           16    Firmware revision (ASCII)
0x153           15    Netware Printer name
0x184            4    Netmask
0x188            4    Default Gateway
0x18C            1    DHCP enabled?
0x18E           15    SNMP "Contact" information
0x19E           24    SNMP "Location" information
0x1D1            1    SNMP config bits
                        0x01: enable traps
                        0x02: enable auth traps
                        0x08: community string #1 R/O
                        0x10: community string #1 R/W
                        0x20: community string #2 R/O
                        0x40: community string #2 R/W
0x1B7           12    SNMP community string #1
0x1C4           12    SNMP community string #2
0x1D2            4    SNMP Trap #1 IP address
0x1D6            4    SNMP Trap #2 IP address
0x1FF           32    Appletalk Zone
0x220           12    Appletalk Port Name
0x22D           20    Appletalk Printer Type
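
For auditing a captured reply, the following added example (not part of the original page or of the Perl tool) decodes the offsets in the table above and lists the settings an administrator would want to review. The function names and the sample packet are constructed for illustration; it assumes text fields are NUL-padded ASCII and that a non-zero DHCP byte means enabled.

```python
import socket

PACKET_LEN = 1030
HEADER = b"NET\x00\x84\x00"
# name -> (offset, length), copied from the offsets table above
TEXT_FIELDS = {"printer_name": (0x00E, 18), "password": (0x02A, 7), "firmware": (0x033, 16),
               "snmp_comm1": (0x1B7, 12), "snmp_comm2": (0x1C4, 12)}
ADDR_FIELDS = {"ip": 0x022, "netmask": 0x184, "gateway": 0x188}
SNMP_BITS = {0x01: "traps", 0x02: "auth traps", 0x08: "comm1 R/O",
             0x10: "comm1 R/W", 0x20: "comm2 R/O", 0x40: "comm2 R/W"}

def parse_config(pkt):
    """Decode the documented fields (text assumed to be NUL-padded ASCII)."""
    if len(pkt) != PACKET_LEN or pkt[:6] != HEADER:
        raise ValueError("not a 1030-byte NET configuration packet")
    cfg = {"mac": ":".join(f"{b:02x}" for b in pkt[0x006:0x00C])}
    for name, (off, n) in TEXT_FIELDS.items():
        cfg[name] = pkt[off:off + n].split(b"\x00")[0].decode("ascii", "replace")
    for name, off in ADDR_FIELDS.items():
        cfg[name] = socket.inet_ntoa(bytes(pkt[off:off + 4]))
    cfg["dhcp"] = pkt[0x18C] != 0          # assumption: non-zero means enabled
    cfg["snmp"] = [label for bit, label in SNMP_BITS.items() if pkt[0x1D1] & bit]
    return cfg

def audit(cfg):
    """Return the settings an administrator should review."""
    findings = []
    if cfg["ip"] == "1.2.3.4":
        findings.append("still on the power-up address 1.2.3.4")
    if cfg["password"]:
        findings.append("configuration password is readable in the reply")
    for n in (1, 2):
        if f"comm{n} R/W" in cfg["snmp"]:
            findings.append(f"SNMP community #{n} is read/write")
    return findings

def sample_packet():
    """Constructed reply for offline testing; every value here is made up."""
    pkt = bytearray(PACKET_LEN)
    for off, data in [(0, HEADER), (0x006, bytes.fromhex("02005e000001")),
                      (0x00E, b"PS-LAB"), (0x022, socket.inet_aton("192.0.2.50")),
                      (0x02A, b"secret"), (0x184, socket.inet_aton("255.255.255.0")),
                      (0x1B7, b"public"), (0x1D1, bytes([0x01 | 0x10]))]:
        pkt[off:off + len(data)] = data
    return bytes(pkt)

if __name__ == "__main__":
    for finding in audit(parse_config(sample_packet())):
        print(finding)
```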

A broadcast on a network with multiple print servers could return multiple responses, and to set the parameters we modify a few bytes in that response and re-broadcast it. Though all the units on the network will receive the packet, only the one whose MAC address matches will accept the update.

Once the configuration has been programmed, the device must be told to save and reset itself to make it fully take effect, and we've observed that PSAdmin sends this packet:

+---+---+---+---+---+----------------------+
| N | E | T |\0 |\8 |  43 more zeros       | reset device
+---+---+---+---+---+----------------------+

NOTE - we send this packet to the broadcast address, which probably resets all print servers on the network, but we found out about this packet very late in the game and just weren't up to modifying the tool to send to the device itself. Sorry.

Open ports
Port        Purpose
23/tcp      telnet
80/tcp      http for configuration
515/tcp     lpr
631/tcp     ipp
20560/udp   configuration and setup