What about MC-G01? #2
Comments
|
I've been looking into this and can see no reason why it wouldn't work for MC-G01 - it uses the same I2C EEPROM and the board looks identical. One thing was puzzling me. The board appears to have a resistor pulling pin 7 up to Vcc. Pin 7 is WC - write control - same as write protect for other versions of the chip - and when high inhibits writing to the chip. There's no contact connected to pin 7 to pull it to GND to enable writing but the printer obviously does write to the chip. Checking with a multi-meter, however, the |
|
Anyone has a dump of MC-G01? |
Is it possible to hex edit the rom to change the counter? Thanks |
As described in the Wiki
Sorry, no - for the reasons given by the author in the Wiki |
That was a reason for not uploading on github, sharing between users is fine. |
|
Be aware before sharing the rom with people you don't know. Previously, there was a person keep trying to ask the rom from me. Later it turns out he was planning to build customer resetter and plan to sell it. |
|
Has anyone analyzed the contents of the rom? Or a diff of dumps before and after count increment? Are we dealing with crypto signatures or encrypted content? Is it different from one unit to the other? |
For mc-g02, after you use the cartridge once, almost all the chars inside the rom get changed. I couldn't find an obvious counter inside it. Not sure if they use some encryption (and I believe no). But there seems to be some encoding/decoding used, so that you cannot see the raw counters. |
Exactly - it's not just a simple counter. The cartridge serial number is in the chip as well. |
I agree
If someone is that interested in getting the contents, buying a new cartridge isn't that expensive. |
|
Look what someone was nice enough to post |
|
|
|
@gaby64 Does the rom in pastebin reset your old mc-g01 successfully? By the way your rom looks very different from my mc-g02's. Yours contains far more zeros. |
|
I've looked at three sets of data now:
The pastebin file looks very similar to the brand new one. I've also done some basic analysis of the contents of the used one and this corresponds with the contents of the others. The 2048 bytes of the chip are organised as six distinct sections: Section 1 - 64 bytes. Section 2 - duplicate of section 1 Section 3 - 320 bytes Section 4 - duplicate of section 3 Section 5 - 640 bytes Section 6 - duplicate of section 5 Each section has checksum bytes (1st or last two bytes?) such that if you add contents as little-endian 16-bit numbers, each section sums to 0xA5A5, ignoring any overflow. The duplicate sections are - presumably - to mitigate against data corruption. There is exactly twice the amount of data in section 5 as in section 3, so I imagine these are tables logging something about each time ink is deposited in the cartridge. I also suspect that the first warning given to the user about replacing the cartridge is given when a certain number of entries is reached and the printer stops printing altogether when the tables are full or very close to full. That's all I've got. |
|
This service mode eeprom report data might be usefull: For full: For empty: |
The rom did successfully reset my old mc-g01 |
|
Can anyone confirm the hack works on the MC-G01 cartridge? |
@gaby64 seems to have confirmed. But I am not sure if he was using the tool in this repo unchanged. |
I used it unchanged, can confirm it works. |
|
This works for me too❤️ |
|
|
|
Write the dump before cartridge fill. |
That someone is a really nice person! |
|
And I see they sell new sponge for the cartridge on Aliexpress if you don't want to make a mess cleaning it. 5 for 16.41€, that's cheaper than one cartridge from Canon: |
|
Having looked inside both a Canon cartridge and an AliExpress one, I don't think those pads will fit a genuine Canon maintenance cartridge. |
|
Just to confirm...you looked inside a MC-G01 specifically? |
|
Yes - I took it apart to have a go at cleaning the pads. Quite a messy process! I took pictures but may not have them any more. I'll see if I can find them. |
|
I hope you'll find your pics. On this one, you see how they're supposed to fit: (Which means the top of the stack of the Aliexpress replacement sponge goes to the bottom of the cartridge) |
|
You're in luck, I found the pictures in my computer's trash bin. After looking at the three cartridges as described in my post on 14 Oct 2023, I bought one of those Chinese versions and read the data on the chip (which is as expected but with a, presumably, random serial number encoded in the first two blocks of 64 bytes. I also dismantled it to see why the pads advertised on AliExpress looked so different to the ones I found in the genuine Canon cartridge. Internally the design is quite different. The Canon cartridge divides the internal space with plastic barriers and uses 12 unique custom-cut pads. I photographed them as I removed them for cleaning, labelling them with a marker pen to help with reassembly after cleaning and drying (some hope - the pads went all very dark after soaking and rinsing to remove the ink - but I was able to reassemble OK). Anyway - here are the pictures of the Canon internals as I removed the pads:
|
|
Thank you, that's very interesting. So the Chinese pads might work in a Chinese cartridge, but that's it. |
|
I believe they're designed to fit the Chinese cartridges which all seem to be the same design (based on identical labelling on all versions I've found on the web). |
It looks like someone pasted the same but after one purge of the printer to compare the differences: So it looks like you could erase all data, except for the serial number and strategically place a few 0xA5 values to end up with an "empty" cartridge. But I wonder if the printer remembers the serial number of the last cartridge and throws out an error. |
|
Does this still work for anyone? the pastebin dumps don't work for me, printer throws error 1725 'the maintenance cartridge cannot be recognised'. I've verified the ROM to make certain the data is correct. It looks like canon may be reading this as well and blocked these dumps in a firmware update. |
|
what printer model ? |
GX7050 |
That would be such a dick move! Have you read your EEPROM before reflashing it? Maybe you could use your original serial number and just clear the purging values |
Yeah, I read out the full cartridge, but it looks like it zaps the original structure - ended up with a block of 512 bytes repeated 4 times, and no serial number in sight. I have a new (3rd party) MC-G01 cartridge arriving today - will read it out before installing. Pisses me off - the whole point of going the ink tank route was not to deal with cartridge crap anymore. I guess they still find a way to screw you on replacements. Happy to pay a higher base price for a printer that I can fix on the spot - why do none of these companies actually make a decent consumer/prosumer printer? |
|
@Vrobenmat I'm as pissed off as you are. I'm looking to update this code to make a simple ESP based device with the correct pinout that just clears these cartridges. If you can post another dump in addition to the pastebin above I'd really appreciate it. If I can compare a few I can write some code to just zero these out. |
Did you read the virgin cartridge and again after a couple cycles to see which bits change? |
|
I honestly threw it in without reading (because I needed to bloody print something...) Not used it that much since then, will pull it out and give it a read. |
I copied that over to the sketch_hack_write.ino and flashed my MC-G01 using a Seeduino Xiao. GX6050 is printing again — Thank you so much guys! |
I did the same thing, I have a used one and a partially used one I'll read out and post here. Hoping to work out how to generate a random serial number and zero the correct slots. That way we won't need to share a ROM but the reading part won't be neccessary. Also should stop Canon blocking by serial number if they decide to do that (e.g. keeping a list of used serials on the printer or a blacklist). |
Does this work with MC-G01, too?
The text was updated successfully, but these errors were encountered: