Reverse engineering for Paperang P2 ?

[matthieusalvat]

Hello,

Can you explain how you did the reverse engineering for Paperang P1 ?

I bought a Paperang P2 and with your program I can only display one black line (with the 300 black lines example) . I think it's just due to a small difference in the settings.

Thanks.

[ihciah]

I break the 360加固 first. It is like a shell outside the apk, which meant to stop you do reverse engine.
You can use a self-compiled android virtual machine to dump the dex.
After you get the dex file, you can use tools like jdgui to decompile it.

PS: the code of paperang app is very ugly...
I'll write a post to explain how I did it. But it's in Chinese, maybe you need google translate.

[ihciah]

Check this: https://www.ihcblog.com/miaomiaoji/

[akinazuki]

I think MiaoMiaoji PC Client can do more interesting thing
it write with QT
and they can print content by USB

[michal-klimek]

I break the 360加固 first.

I bought a PeriPage printer (http://ileadtek.com/sy) which seems to be very similar to a Paperang one. I've tried to reverse engineer their protocol too, but the "shell" is hard to be broken to me. If I correctly understand, the app is dynamically loading encrypted dex files. Do you have any clues on how should I start, and what tools should I use to get these dex files, to be decompiled?

[ihciah]

I break the 360加固 first.

I bought a PeriPage printer (http://ileadtek.com/sy) which seems to be very similar to a Paperang one. I've tried to reverse engineer their protocol too, but the "shell" is hard to be broken to me. If I correctly understand, the app is dynamically loading encrypted dex files. Do you have any clues on how should I start, and what tools should I use to get these dex files, to be decompiled?

Yes, you can try to get the raw dex using android virtual machine. Maybe there's a univeral unpacking VM now.
Also, if you cannot managed to remove the shell of dex, you can try to reverse the PC client(mentioned by @akechisatori , which I think is the easyest way, though it's another protocol. If there was a PC client I shall not reverse the APK).

[Defozo]

I have Paperang P2 and I was able to print self-test page. Unfortunately, when I try to print a .bmp file I get this:

/home/pi/.local/lib/python3.7/site-packages/numba/core/errors.py:154: UserWarning: Insufficiently recent colorama version found. Numba requires colorama >= 0.3.9
  warnings.warn(msg)
{'service-classes': ['1101'], 'profiles': [('1101', 258)], 'name': 'SerialPort', 'description': None, 'provider': None, 'service-id': None, 'protocol': 'RFCOMM', 'port': 1, 'host': '04:7f:0e:20:40:cf'}
Traceback (most recent call last):
  File "<string>", line 3, in recv
_bluetooth.error: (110, 'Connection timed out')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "printer.py", line 32, in <module>
    mmj.print_image_file("/home/pi/paperang/python-paperang/bmp_24.bmp")
  File "printer.py", line 23, in print_image_file
    image_data.im2binimage(ski.io.imread(path),conversion="threshold")))
  File "/home/pi/paperang/python-paperang/hardware.py", line 192, in sendImageToBt
    self.sendFeedLineToBt(self.padding_line)
  File "/home/pi/paperang/python-paperang/hardware.py", line 204, in sendFeedLineToBt
    self.sendToBt(msg, BtCommandByte.PRT_FEED_LINE)
  File "/home/pi/paperang/python-paperang/hardware.py", line 138, in sendToBt
    return self.recv()
  File "/home/pi/paperang/python-paperang/hardware.py", line 142, in recv
    raw_msg = self.sock.recv(self.max_recv_msg_length)
  File "<string>", line 5, in recv
bluetooth.btcommon.BluetoothError: [Errno 110] Connection timed out

Any update on this?

[ihciah]

I have Paperang P2 and I was able to print self-test page. Unfortunately, when I try to print a .bmp file I get this:

/home/pi/.local/lib/python3.7/site-packages/numba/core/errors.py:154: UserWarning: Insufficiently recent colorama version found. Numba requires colorama >= 0.3.9
  warnings.warn(msg)
{'service-classes': ['1101'], 'profiles': [('1101', 258)], 'name': 'SerialPort', 'description': None, 'provider': None, 'service-id': None, 'protocol': 'RFCOMM', 'port': 1, 'host': '04:7f:0e:20:40:cf'}
Traceback (most recent call last):
  File "<string>", line 3, in recv
_bluetooth.error: (110, 'Connection timed out')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "printer.py", line 32, in <module>
    mmj.print_image_file("/home/pi/paperang/python-paperang/bmp_24.bmp")
  File "printer.py", line 23, in print_image_file
    image_data.im2binimage(ski.io.imread(path),conversion="threshold")))
  File "/home/pi/paperang/python-paperang/hardware.py", line 192, in sendImageToBt
    self.sendFeedLineToBt(self.padding_line)
  File "/home/pi/paperang/python-paperang/hardware.py", line 204, in sendFeedLineToBt
    self.sendToBt(msg, BtCommandByte.PRT_FEED_LINE)
  File "/home/pi/paperang/python-paperang/hardware.py", line 138, in sendToBt
    return self.recv()
  File "/home/pi/paperang/python-paperang/hardware.py", line 142, in recv
    raw_msg = self.sock.recv(self.max_recv_msg_length)
  File "<string>", line 5, in recv
bluetooth.btcommon.BluetoothError: [Errno 110] Connection timed out

Any update on this?

Sorry, no further update. You can try to capture the packet since there may be some protocol update.

[Muraveiko]

Paperang p2 used:
{0xA5,0x01,LEGTH(2b), payload,CRC32(4b),0x5A}
payload - min 5 bytes {command_section,command, ?? , len}
command section:
1 - settings & info
2 - firmware(files) upload
3 - WiFi configure
4 - BT configure
5 - Thermal print
6 - Clocks
7 - WTF?
CRC32 also as 0x02..0x03 but alvays with def key
{5,0x1b} - send raster data

---

There is another package format that starts with 0x07.