By nanana (nanana iz)
Recently my school replaced the library printers, which means I need to find a way to print from my Linux laptop again. After digging through the user guide and reverse-engineering the provided driver (with some help from an LLM), I discovered the printers use a system called SmartPay by FujiFilm (spoiler: it is not smart).
How the client works:
- The software receives the document.
- It converts the document into a PDF (quite standard).
- It compresses the PDF with GZIP (why???).
- The user inputs a username and password.
- It constructs a multipart form.
- It sends the request to the printer server.
- It receives the response from the printer server.
That is all it can handle… so simple, yet it comes with major problems, unsurprisingly.
- HTTP only: All connections are made over plain HTTP. Even if the printer is only accessible from the internal WiFi, this still exposes documents to MITM attacks (easily; did they skip the security audit? That’s a huge risk!).
- Poor cross‑platform support: The official driver targets Windows and Mac only. Using Linux? Good luck.
- No reliable job tracking: Simple design… they did not even bother to add a tracking feature.
- Reinventing the wheel: They just “invented” a proprietary(?) protocol instead of using IPP. IPP has been around for decades, with mature support for job handling, encryption, authentication and cross‑platform compatibility. Creating a new protocol that has security vulnerabilities and is worse than the open-source one is a joke.
It is simple to implement the client software on Linux (with LLM support), but doing so also exposes the system’s poor choices: an insecure connection, non-existent job handling and unnecessary protocol reinvention. Why bother with such a messy driver setup when you can use IPP with proper authorization?
Also, here are the “smart” features:
- Terrible error handling: The server returns HTTP 200 but embeds “fail” in the response body.
- GZIP compression: The client must GZIP the PDF — a required step I only discovered by reverse engineering. Why is this necessary?
- Mystery fields: The form field “FileType” is undocumented; passing “S” works ¯\(ツ)/¯
They named the API endpoint RestfulService/PrintClientFileUpload. How ironic that the system is not that restful.
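The upload flow and the HTTP 200 "fail" quirk described above, as an added Python example (not the vendor's client and not the code from this post). Every form field name except "FileType", the file name and the "ok" success body are assumptions; the sample PDF and credentials are constructed. `parse_body` shows what the plain-HTTP body reveals to anything on the network path.

```python
import gzip
import uuid

# Assumed field names: the post documents only "FileType" (value "S").
FIELDS = ("UserName", "Password", "FileType")

def build_upload(pdf: bytes, user: str, password: str, boundary: str = "") -> tuple[str, bytes]:
    """Gzip the PDF and wrap it with the credentials in a multipart/form-data body."""
    boundary = boundary or uuid.uuid4().hex
    out = []
    for name, value in zip(FIELDS, (user, password, "S")):
        out.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode())
    # "File" and "job.pdf.gz" are hypothetical names for the document part.
    out.append((f'--{boundary}\r\nContent-Disposition: form-data; name="File"; filename="job.pdf.gz"\r\n'
                "Content-Type: application/gzip\r\n\r\n").encode())
    out.append(gzip.compress(pdf) + b"\r\n")
    out.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(out)

def parse_body(content_type: str, body: bytes) -> dict[str, bytes]:
    """Recover every form field from the raw body; over HTTP nothing here is encrypted."""
    boundary = content_type.split("boundary=", 1)[1].encode()
    fields = {}
    for part in body.split(b"--" + boundary)[1:-1]:
        headers, _, value = part.partition(b"\r\n\r\n")
        name = headers.split(b'name="', 1)[1].split(b'"', 1)[0].decode()
        fields[name] = value[:-2]  # drop the CRLF that precedes the next boundary
    return fields

def job_accepted(status: int, body: str) -> bool:
    """The server answers HTTP 200 even on failure, so the body must be checked too."""
    return status == 200 and "fail" not in body.lower()

if __name__ == "__main__":
    pdf = b"%PDF-1.4\n% constructed sample document\n%%EOF\n"
    ctype, body = build_upload(pdf, "student01", "constructed-password")
    seen = parse_body(ctype, body)
    print("password readable in body:", seen["Password"].decode())
    print("document recoverable:", gzip.decompress(seen["File"]) == pdf)
    print("200 + 'fail' accepted?", job_accepted(200, "fail"))
```
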
Creating a new protocol with security vulnerable, and being worse than open-source one is a joke.
This describes most of proprietary software lol


