Decode HP T250 printer firmware

Question

I recently bought an HP T250 Deskjet 24" printer and it uses 4 cartridges, the problem is, the price of the cartridges replacement is 1/3 of the printer's price, wich already is really expensive. So, I tryed to identify and extract the data saved on the cartridges chip, with no success I opened one of my depleted cartridges and found out that the chip inside is unrecognizable, probably HP made.

So, the second idea is to edit the firmware of the printer and make it skip the steps of original cartridge verification. I got my hands on a firmware update for my printer and decoded part of the code, but some part of the code still unrecognizable, I have no clue on what the hell is going on. So, can any of you guys help me?

The firmware can be obtained in:

https://ftp.hp.com/pub/softlib/software13/printers/SPRK/Firmware/spark_dist_pr2_001.2123A_nonassert_appsigned_lbi_rootfs_secure_signed.zip

To see part of the code just open it as a simple text file in Pycharm or a similar code editor.

EDIT:

It looks like some people may have some difficulty in understanding this so here's a little info on that:

The firmware update

It is compressed in .ful2 format and it looks like it contains PJL after some identification code. That identification code consists in basic stuff, like, the compatible printers with the update and it's version, also a lot of other non relevant stuff. See the code below:

ESC%-12345X@PJL
@PJL COMMENT MODEL=HP DesignJet T250 24-in
@PJL COMMENT MODEL=HP DesignJet T230 24-in
@PJL COMMENT MODEL=HP DesignJet T210 24-in
@PJL COMMENT MODEL=HP DesignJet T650 24-in
@PJL COMMENT MODEL=HP DesignJet T650 36-in
@PJL COMMENT MODEL=HP DesignJet T630 24-in
@PJL COMMENT MODEL=HP DesignJet T630 36-in
@PJL COMMENT MODEL=HP DesignJet Studio 24-in
@PJL COMMENT MODEL=HP DesignJet Studio 36-in
@PJL COMMENT VERSION=SPRKLFPR2N001.2123A.00
@PJL COMMENT DATECODE=20210531
@PJL UPGRADE SIZE=197360667
ESC%-12345X@PJL COMMENT (null)
@PJL ENTER LANGUAGE=FWUPDATE2
744
<?xml version='1.0' encoding='UTF-8'?>
<manifest xsi:noNamespaceSchemaLocation='webfwupdate.xsd' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
    <version>0.9</version>
    <signature>
        <signature_template_id>49be5195-1daa-474a-a957-1aa4ae38d9b1</signature_template_id>
        <public_key_id>bdfcc564-a078-4112-a089-179e73831f27</public_key_id>
        <signature_value>AgIAAAFvABQBAFjIABvxUhy/Z9sT9eS/GQAQWYLMUjSTOStYmadBHAFgGZkUZ+tu54GmiXCN4YWcQbHL2qjWkftzXtW10kkHmgAqJ+A4hz9IH0N/7KmZAGAR4fp8sg3YfDIZSkEcBkDJqsC/9sVlZOUwxuWhSyW6PEI9aCJvG3NJoH2gdGeCre7W80qWNHf/uzxa+euN3mTtwjXbl0gTd37GlF283yLz2fPZqKAQp5ErxU/BizaCCJguome7trW05CMI64y4qmsSp0fr4yDD505/tfrlBFDe7NiM32Mjx/RG1/XtTJOXblaIM/MEUOjvrxDEN+Q0qYSyll8rfhh7T+E3j9Zfn4s9gdQ=</signature_value>
        <digest>9Iz3jGRlyX3cVqPpJPa5lEfIfMHnyDqglPc6VNbGZLk=</digest>
    </signature>
    <signedInfo>
        <update_type>optional</update_type>
        <current_revision>ANY</current_revision>
        <updated_revision>SPRKLFPR2N001.2123A.00</updated_revision>
    &lt;LBI_blob&gt;
        &lt;blob_path&gt;SPRKLFPR2N001.2123A.00/lbi_blob.SPRKLFPR2N001.2123A.00_from_ANY&lt;/blob_path&gt;
        &lt;size_compressed&gt;16184472&lt;/size_compressed&gt;
        &lt;size_uncompressed&gt;17096704&lt;/size_uncompressed&gt;
        &lt;blob_digest_compressed&gt;SS8Yyasd1O6cCn1gebGwGGIgImUY7qfpSC15HW8gsMY=&lt;/blob_digest_compressed&gt;
        &lt;blob_digest_uncompressed&gt;NiJvvKui71DNumergMxMnh/P56YoYKt92ll7i1/tdpE=&lt;/blob_digest_uncompressed&gt;
    &lt;/LBI_blob&gt;
    &lt;rootfs_blob&gt;
        &lt;blob_path&gt;SPRKLFPR2N001.2123A.00/rootfs.SPRKLFPR2N001.2123A.00_from_ANY&lt;/blob_path&gt;
        &lt;size_compressed&gt;181174233&lt;/size_compressed&gt;
        &lt;size_uncompressed&gt;402653184&lt;/size_uncompressed&gt;
        &lt;blob_digest_compressed&gt;0Z8gY/L+gJmeJiQvwjke22Hc3iJVi2ara2dRNDywDRU=&lt;/blob_digest_compressed&gt;
        &lt;blob_digest_uncompressed&gt;3W/P3jtxEmeYqG1ywzFTMAVNNUq2FkGG0ml4AnskR5Q=&lt;/blob_digest_uncompressed&gt;
    &lt;/rootfs_blob&gt;







&lt;/signedInfo&gt;

</manifest>

This part is recognizable %-12345X this represents the escape code in ASCII, so, it looks like the "stuff" that I said before that I have no idea on what it is could have been writen in ASCII with the Motorola S-Record format. So the data is stored in a EEPROM/Flash, that gives us some advantage to extract the "root" from that code bellow those initial lines I've linked here.

But, even if I can get some useful data, I'm not sure if I'll be able to skip or completely remove the cartridge check from the firmware, first I have to find if the firmware update could change that kind of PJL and I'm not completely sure about it.

About the Cartridges

The cartridges used in my printer are HP's 712 model with a Black (80ml), Cyan (29ml), Magenta (29ml) and Yellow (29ml). Those cartridges have a chip inside them that stores some info about ink level, probably ink weight and density. That way the printer knows if you change it even very slightly.

Dump the data from the cartridge chip and reprogram it to be recognizable as a "new" cartridge is viable, but I'm not sure wich is easier. I couldn't find out if the chip inside the cartridge is a EEPROM/Flash, NAND or anything like that, and couldn't verify the ammount of data stored by the chip.