HappyZ / dpt-tools

dpt systems study and enhancement
MIT License

Quaderno 1.6.60.04220FP #181

Open laurentbartholdi opened 3 years ago

laurentbartholdi commented 3 years ago

Hi, I just bought a Fujitsu Quaderno A4, and saw somewhere that the modifications you created should be compatible with that model (which I understand is really based on the same hardware as the Sony DPT-RP1).

However, the software version is indicated as 1.6.60.04220FP, and the root guide says that one should raise an issue if one has a software version not listed.

I also haven't seen any discussion on the possibilities for installing a new basic file manager. The one shipped by Fujitsu is extremely poorly designed: there is only one button, "Home"; no way of going back from "View Document" to "Files"; the only way to delete a file is to open it, delete, confirm, return to files; etc. If it were possible to flash a better manager, that would be great. Perhaps the one shipped with Sony's is better?

HappyZ commented 3 years ago

From janten's dpt-rp1-py I see it looks like the protocols for communications are the same.

The rooting idea (never tried, no device I can test):

  1. Obtain the update package file for Quaderno and see if https://github.com/HappyZ/dpt-tools/tree/master/fw_updater_packer_unpacker can unpack it
  2. If YES, then try the hacking PKG that obtains diagnosis mode access (need to validate if you can get into diagnosis mode)
  3. If YES, then you can backup the system and install DPT pkg (or since we are able to unpack Quaderno one then we should be able to get adb running in there as well by modifying their system)

If you can get me the package file for 1.6.60.04220FP I can help quickly check (1).

laurentbartholdi commented 3 years ago

Hi HappyZ! Unfortunately, it seems impossible to get hold of a package file for 1.6.60.04220FP -- if by that you mean the firmware. I searched, at least, on the fujitsu website but there's no such file; the upgrade is done purely via their program. Did I understand your question correctly?

MuMu360121 commented 3 years ago

The same device as you, hope to help.

FanFansfan commented 3 years ago

Unpack the Digital Paper PC app, and you can find the updater URL: https://dppa-updatesite-prod.herokuapp.com/api. But the unpacker from this repo cannot unpack the update package. Package URL: https://dppa-updatesite-prod.herokuapp.com/api/firm/version/1.6.60.04220FP/200706_0634_FwUpdater.pkg

stavguo commented 3 years ago

@laurentbartholdi Were you able to root the Quaderno? I'm also interested in getting one, but I would like to download other apk's for reading.

laurentbartholdi commented 3 years ago

Unfortunately not. I tried a little, but not very hard: the first problem was to find a ROM, and already there I was stuck.

ghost commented 3 years ago

I am also interested in updating my Quaderno

HappyZ commented 3 years ago

Sorry I'm just too busy these days. I'm not able to download through https://dppa-updatesite-prod.herokuapp.com/api/firm/version/1.6.60.04220FP/200706_0634_FwUpdater.pkg.

raytrace2021 commented 3 years ago

@HappyZ I think you could download pkg here: https://www.fmworld.net/download/digital-paper/sw/FwUpdater_gen1_1.6.60.04220FP.pkg

raytrace2021 commented 3 years ago

@HappyZ I tried but I think fw_updater_packer_unpacker doesn't work for FwUpdater_gen1_1.6.60.04220FP.pkg (failed in verifying data with signature). It sounds like Quaderno uses a different public key. How to get key.pub and key.private files for Quaderno?

jd445 commented 3 years ago

I know that there are some people who flash sony software to Quaderno, and then they crack it. But I do not know how to do that.

HappyZ commented 3 years ago

It's possible you can flash the official on an already rooted device with diagnosis mode access, and then in diagnosis mode dump the system and build a new pkg out of it.

Might be an interesting path to try. Unfortunately I no longer have my dpt rp1 so I can't try that.

torytyler commented 2 years ago

I have purchased a Quaderno a5 (gen1) from Japan, when it arrives in a few weeks I will try my best to achieve root. I will then post my findings for everyone to know. I can't believe that the only public method for these devices costs $300 from a shady company (goodereader). The device is so similar to the DPT that it shouldn't be too difficult, maybe a few offsets need to be changed... I will let you know ~

-edit- As posted above, the Fujitsu firmware 1.6.60.04220FP is signed and the private key differs from the Sony firmware packages. Because of this, we are unable to unpack the Fujitsu FwUpdater .pkg. We will have to downgrade the device (in diagnosis mode) to Sony v1.6.50.14130, ultimately turning it into a DPT-CP1.

I am listing my current strategy that should theoretically work, I just need my hardware to test!

  1. get device to and plug into PC, validate successful connection.
  2. attempt to get into diagnosis mode and patch the updater script.
  3. when in the diagnosis. begin the recovery method, I will "install-pkg" the official cp1/rp1 SONY firmware v1.6.50.14130 (with disabled version check)
  4. If this step proceeds, then I can continue getting root and exploit the device as if it was a normal CP1.

edit 2 (removal of goodereader trash talk)- I take back most of what I said about goodereader... but they are still shady. I have come to the conclusion that they are drop shipping pre-hacked devices from TaoBao and not using any method here to root devices. they are known to drop ship and I say this because in the fine print of their root listing you have to purchase the root package at the same time you buy a new ereader.

Thanks for reading, stay safe guys <3

torytyler commented 2 years ago

Not the update you guys want to see -

I tried for a bit now, no luck. I am able to get the Quaderno detected by dpt-tools, and when I attempt to push the package files to enable diagnosis mode, (using "dpt-tools > fw") the update pushes, system reboots, and says update failed, error 90001. I also tried to push a previous modded firmware with the version check disabled, same thing occurred.

I do, however have public and private keys for the Quaderno, maybe they will be useful for decompiling the update pkg... I was unable to decompile ANY package, even official sony, so I think I'm using the script wrong lol (script crashes on signature check, even with stock sony fw + github keys). I don't know if they will be helpful, but I will provide the keys. They differ from the ones on the github, so maybe it's something! Sorry guys, I wouldn't have guessed the device would be this locked down. I feel so close, but so far. :(

I think the method HappyZ mentioned about pushing the Quaderno update to an ALREADY rooted dpt and decompiling is a solid path to try, but I don't have a cp1 available. I'll be lurking, and if I get anything going I'll let you know!

privatekey.txt publickey.txt

EDIT - Adding teardown photo, was seeing if there were headers to hard write a cp1 image... maybe I can compare a motherboard of a cp1 to see if the hardware is changed (I think the blocking of diagnosis mode is done through software though)... the back cover just twists off fyi IMG_0171

one more edit - i'm going oldschool (ie 2018 cp1 hacking days, and making an OTG cable mod to force my way into diagnosis mode... will update)... so my new course of action is to manually connect to diagnosis mode, once in I can attempt to do an unofficial downgrade to sony version v1.6.50.14130. (then root with the corresponding modified boot.img)... if this doesn't work I give up. sorry for wall of text i'm trying my best to document my journey ~

torytyler commented 2 years ago

OTG cable mod no longer enables Diagnosis mode, so this means that the hardware exploit (otg cable) + software exploit (happyZ diagnosis update) are patched. I deem the Quaderno line + new patched DPT models un-hackable as of now, I tried every method.

HappyZ commented 2 years ago

If you got private and public key, why not pack the PKG in the way with the official private and public key you got and give it a try?


I probably misunderstood when you mentioned you have private key. It's the data encryption key or the PKG signature key? If it's only the data encryption key then packing PKG will not work. Packing it into the official PKG will need two private keys.

torytyler commented 2 years ago

It's the data encryption key or the PKG signature key?

the keys I have were found when pairing the device and were located in the C:\Users\user\AppData\Roaming\Fujitsu\DigitalPaperPCApp folder, might not be the right keys... they look similar to the ones provided in the github (same amount of characters per private/public)

I am able to decompile sony packages with keys provided here, then resign with the ones I have from my device, but when I push the update (official or not) it still fails with error 90001. I feel like the keys I have are similar but not the right ones because I am unable to dump fujitsu firmware file provided at https://www.fmworld.net/download/digital-paper/sw/FwUpdater_gen1_1.6.60.04220FP.pkg , with either my keys or the github ones.

where would I go about getting the keys if the ones I posted above are invalid?

edit --- I tried to flash just the fujitsu firmware provided above untouched (with dpt-tool) and it started the firmware update, got about half way then errored out... (90001). That's the furthest I got though, I saw a progress bar that time...

HappyZ commented 2 years ago

It's the data encryption key or the PKG signature key?

the keys I have were found when pairing the device and were located in the C:\Users\user\AppData\Roaming\Fujitsu\DigitalPaperPCApp folder, might not be the right keys... they look similar to the ones provided in the github (same amount of characters per private/public)

All RSA key pairs look similar. If they are from DigitalPaperPCApp, at best the private key is the data encryption key. It would not be useful imo.

The original way shankerzhiwu did this was to take out the ROM and read the scripts to learn how to get into diagnosis mode. This will damage the device unless you have advanced skills to solder ROM back on device. The entry point of flashing PKG would also need to learn how the new device reads PKG, as well as how they decode it. There are loads of problems to solve.
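To illustrate the distinction drawn above between a PKG signature key and any other RSA key pair, here is an added example (not part of the thread and not dpt-tools code). It is a toy model using textbook RSA without padding and constructed keys; the names `VENDOR_*`, `OTHER_*`, `device_accepts` and the package dictionary are hypothetical and do not reproduce the real PKG layout.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data):
    """SHA-256 of the data as an integer (smaller than either toy modulus)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    n, d = private
    return pow(digest(data), d, n)

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest(data)

def key_matches(public, private):
    """True only if the private key is the counterpart of this public key."""
    (n_pub, e), (n_priv, d) = public, private
    return n_pub == n_priv and pow(pow(2, d, n_priv), e, n_pub) == 2

def device_accepts(pinned_public, package):
    """Updater-side check: the signature must verify under the pinned key."""
    return verify(pinned_public, package["body"], package["sig"])

# Constructed toy keys built from public Mersenne primes (NOT secure, NOT real keys).
# VENDOR_* stands in for the signing key the device trusts (assumption).
# OTHER_* stands in for any unrelated RSA pair, e.g. one found elsewhere (assumption).
VENDOR_PUB, VENDOR_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**89 - 1, 2**607 - 1)

def run_demo():
    body = b"constructed firmware image v1"
    official = {"body": body, "sig": sign(VENDOR_PRIV, body)}
    # Same body, but signed with a key the device does not pin.
    resigned = {"body": body, "sig": sign(OTHER_PRIV, body)}
    # Modified body carrying the original signature.
    tampered = {"body": body + b" patched", "sig": official["sig"]}
    return {
        "official": device_accepts(VENDOR_PUB, official),
        "resigned_with_other_key": device_accepts(VENDOR_PUB, resigned),
        "tampered_body_old_sig": device_accepts(VENDOR_PUB, tampered),
        "other_key_is_vendor_key": key_matches(VENDOR_PUB, OTHER_PRIV),
        "vendor_pair_consistent": key_matches(VENDOR_PUB, VENDOR_PRIV),
    }

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Two RSA keys of the same length look alike as text; `key_matches` shows that only the modulus and a sign/verify round trip tell whether a private key corresponds to the public key a verifier pins.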

torytyler commented 2 years ago

I see. Well at the very least I confirmed that all current methods do not work for these newer devices. Thanks for telling me how he found out about diagnosis mode, I was wondering about that! I will keep my eye out for further developments as time goes on, it's now beyond my scope.

edit - I was lucky enough to find a used rootable pre2019 Sony RP1 for $150... best of luck to those waiting for quaderno root, but if you really want root your best bet is to get a used sony device. as of 7/7/22

shuoyang234 commented 2 years ago

In my opinion the only way is to use the dump file from Sony dpt

tcetal commented 2 years ago

I purchased a Quaderno A5 2nd Generation from Fujitsu only to find it all locked up.

YES, I know goodereader has an unlock product for $299USD. BUT, I disagree with private companies locking up opensource software in order to sell it. That's why I sent my $300 to BountySource.

I am hoping others, also unhappy with this situation, will assist in raising this bounty until it becomes worth the effort of a knowledgeable hacker to restore the openness of the Android OS which runs this system.

Long live Free, as in beer, Software!

tcetal commented 2 years ago

The guys at goodereader figured it out. I'm pretty sure someone on this forum must be as clever.

maxidastier commented 2 years ago

I also purchased a Quaderno A5 2nd Generation and sent $120 to BountySource. I hope someone reads this and will figure out a way to unlock the device.

mikelxc commented 2 years ago

I have a dpt rp1 from Sony hacked using this guide. And as it’s finally showing its age, I’m getting a new Fujitsu v2. It’s gonna take a while for it to arrive, but I can try what I could do.

LianglRen commented 2 years ago

Here is A4_fw_unpacker from ygjsz for anyone who has a 2nd generation Fujitsu Quaderno, and the private/pub keys have already been uploaded by the author.

mikelxc commented 2 years ago

I see. Well at the very least I confirmed that all current methods do not work for these newer devices. Thanks for telling me how he found out about diagnosis mode, I was wondering about that! I will keep my eye out for further developments as time goes on, it's now beyond my scope.

edit - I was lucky enough to find a used rootable pre2019 Sony RP1 for $150... best of luck to those waiting for quaderno root, but if you really want root your best bet is to get a used sony device. as of 7/7/22

Not sure if you wanna collaborate, I do have a hacked original Sony DPT RP1 from 2018, and a new Quaderno. The furthest I get is also the same upgrade screen. It seems the exploits are patched, but the hacked service is available at GoodReader, so there must be a way to bypass the restrictions.

prakhar64 commented 2 years ago

Looking to access Google Play on my Quaderno A4 Gen. 2 as well. How can I help?

tcetal commented 2 years ago

Hello prakhar64,

If you are a hacker you can "hack" a solution and collect $320. If you are like me, you can make a contribution to boost the reward to a level that entices someone to break the security on the system.

Or you can hang around and wait for a good Samaritan.

Thanks for your interest!

mikelxc commented 2 years ago

Some updates on my side. All methods that worked for my Sony DPT are not working for Quaderno gen2. Contacted good reader and it turns out they are outsourcing all the hack to Zhishulin (纸书林), a Chinese company from Taobao. And all the devices have to be sent to China for hacking. So my conjecture is that there's no software exploit at this moment

prakhar64 commented 2 years ago

So looks like it's purely a software mod. That's good news. As soon as I have my paycheck, I will contribute up to $100 to the bounty to make it viable for a hacker who can get this done.

Happy to help in any way possible.

tcetal commented 2 years ago

That's great Prakhar, we'll get this done!

jni commented 2 years ago

Can someone post a link to the bounty and/or instructions on how to add to it? I searched for "Quaderno" in BountySource and I couldn't find it. I'll happily pledge another $300.

prakhar64 commented 2 years ago

Two links:

  1. A Chinese thread that has some details on the device + rooting. Google Translate will help.
  2. The BountySource link I think is for this. Can someone confirm? Will pledge some amount once someone can confirm this is the right one.

mikelxc commented 2 years ago

Two links:

  1. A Chinese thread that has some details on the device + rooting. Google Translate will help.
  2. The BountySource link I think is for this. Can someone confirm? Will pledge some amount once someone can confirm this is the right one.

Just read through the Chinese thread. It's a paid hack (they said it's less than half of the cost of "market price"). And it will require taking apart (so you still have to mail it to China). They are still working on the software, but looks pretty promising.

prakhar64 commented 2 years ago

Understood, @mikelxc. Though I didn't see a reference of disassembling the device -- just something about 'opening up the software'?

Also, if someone can confirm that the BountySource link I shared is the right one, @jni and I can contribute ~$400 to it.

tcetal commented 2 years ago

Yes Prakar, this is the correct BountySource link. My original post was for $300. Thanks for your interest, Tom.

prakhar64 commented 2 years ago

Thanks for confirming, @tcetal. I've pledged another $100.

@jni, it's the same link in case you still want to contribute the $300.

Let's hope someone is able to upgrade our Quadernos!

jni commented 2 years ago

Done! It's getting pretty beefy! 😊

prakhar64 commented 2 years ago

My Quaderno A4 Gen. 2 is running firmware 1.1.00.15020FP. Should I avoid updating?

csdvrx commented 2 years ago

Should I avoid updating?

Yes: the kind of bugs that allow rooting are often found in earlier versions, and typically patched quickly.

The new firmwares don't seem to bring anything worthwhile, so I'd suggest waiting until someone is bothered enough by the current situation to try to hack the device.

HappyZ commented 2 years ago

Quickly gone through the comments. While I don't think I have any time (or device) to look into it, if anyone with sufficient knowledge wants to explore further:

If I understand it correctly, both use the same architecture. Therefore there should not be a significant difference from DPT: (1) There must be a diagnosis mode to handle system image updates; (2) there must be another way to access the diagnosis mode; and (3) PKG must be packed and unpacked in a similar way.

Diagnosis mode -> PKG -> Android -> App

Doing some deductions, there will be three directions to investigate: (a) from PKG to gain access to diagnosis mode; (b) from app to Android and escalate to gain diagnosis mode (or maybe no need for diagnosis mode, just gaining access to Android is good enough for root only); (c) and if someone already has a hacked device, it'll be a lot easier to reverse-engineer cuz you can compare a healthy system vs modified one.

jni commented 2 years ago

@HappyZ I would be happy to ship my currently-useless device to you if you can find the time. ;)

prakhar64 commented 1 year ago

@jni, that would be wonderful if @HappyZ can find some time to look into this

manishkandimalla commented 6 months ago

hello guys, any updates on this ??

lucamolteni commented 4 months ago

Same here, any news? There’s still some interest in the quaderno. Perhaps I should ask how to buy from TaoBao 😀