diff --git a/src/network-services-pentesting/9100-pjl.md b/src/network-services-pentesting/9100-pjl.md
index 522bca080c0..4a647293b37 100644
--- a/src/network-services-pentesting/9100-pjl.md
+++ b/src/network-services-pentesting/9100-pjl.md
@@ -54,15 +54,45 @@ msf> use auxiliary/scanner/printer/printer_delete_file
## Printers Hacking tool
-This is the tool you want to use to abuse printers:
+This is the tool you want to use to abuse printers: [PRET](https://github.com/RUB-NDS/PRET)
+## XPS/TrueType VM exploitation (Canon ImageCLASS)
-{{#ref}}
-https://github.com/RUB-NDS/PRET
-{{#endref}}
+- Deliver XPS over PJL:
+ - `@PJL ENTER LANGUAGE = XPS`
+ - Then send the XPS ZIP bytes on the same TCP connection.
+
+- Minimal XPS page referencing an attacker font:
+
+```xml
+
+```
+
+- RCE primitive summary (TrueType hinting VM):
+ - Hinting bytecode in TTF is executed by a TrueType VM. Canon’s VM lacked stack bounds checks.
+ - CINDEX: OOB stack read → info leak
+ - DELTAP1: unchecked relative stack pivot → controlled writes with subsequent pushes
+ - Combine `WS`/`RS` (VM storage write/read) to stage values and perform a precise 32-bit write after pivot.
+
+- Exploit outline:
+ 1) Create XPS with the page above and include `/Resources/evil.ttf`.
+ 2) In `fpgm`/`prep`, use `CINDEX` to leak and compute `stack_cur`.
+ 3) Stage target value with `WS`; pivot with `DELTAP1` to the destination; use `RS` to write it (e.g., to a function pointer) to gain PC control.
+
+- Send over 9100/tcp:
+
+```bash
+{ printf "@PJL ENTER LANGUAGE = XPS\r\n"; cat exploit.xps; } | nc -q0 9100
+```
+
+- `exploit.xps` is a valid XPS ZIP containing `Documents/1/Pages/1.fpage` and `/Resources/evil.ttf`.
## **Shodan**
- `pjl port:9100`
+## References
+- [Hacking printers using fonts (Canon ImageCLASS TrueType VM bugs)](https://haxx.in/posts/2025-09-23-canon-ttf/)
+- [Apple TrueType Reference Manual – Instruction Set and VM (26.6 fixed point)](https://developer.apple.com/fonts/TrueType-Reference-Manual/RM05/Chap5.html)
+
{{#include ../banners/hacktricks-training.md}}
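Review bot: the `xml` fence under "Minimal XPS page referencing an attacker font" is empty, yet step 1 of the exploit outline says "Create XPS with the page above", so the section refers to markup that is not there. Either restore the FixedPage markup inside the fence or drop the fence and reword step 1. In the "Send over 9100/tcp" block, `nc -q0 9100` has no destination host, only the port, so the command cannot be run as written; add a clearly marked placeholder for the printer address before `9100`. The summary states that Canon's VM "lacked stack bounds checks" without naming affected models or firmware. A short line with that information, taken from the linked write-up, would let readers tell whether a given device is still exposed.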