Closed sekkit closed 5 years ago
You can ask him to dump all partitions and we can learn a bit more from there; so far I have found several "protections" in the taobao images, and if you flash it directly it won't bypass the welcome page.
1. flash factory firmware, finish setup.
2. flash that hacked fw & boot.img (important), and reboot to the wifi page, connect wifi maybe and reboot.
3. in diagnosis mode delete JSONClient.apk, rename DigitalPaperApp.apk.bak3 to DigitalPaperApp.apk. reboot.
4. now u will be in DPT's desktop.

BTW, can u give me the script to dump all partitions, so that I can do it for u (not familiar with Android^^)
@HappyZ
thanks to your wonderful project, I have rooted my dpt-rp1 by your guide, and installed Kindle and Xposed.
so @sekkit's information may give us some important clues.
@sh-miller how did u do that? I installed Xposed but appsettings crashes upon open. Did u flash a TWRP recovery on the DPT?
@sekkit, in my DPT-RP1 appsettings also crashes when opening other apps using appsettings. I hope you can dump the taobao firmware, and I'm not sure this firmware http://kdroid.club/dpt1-user/ comes from taobao.
@sh-miller yes, I am almost sure it is, because I read Chinese. It also has another firmware made for another distributor, http://kdroid.club/dpt2-user, which contains everything including the bluetooth module, etc.
thanks @sekkit! This is a great thing to see. Can you comment on the difference between user.181211.zip and user.181129.zip, if you have tried it?
@HappyZ Update contents (20181210): 1. USB sound card, keyboard, etc. support 2. Bluetooth audio, keyboard, etc. support 3. Global contrast and bleaching adjustment 4. RP1/CP1 native system upgraded to 1.4.02. I think just hacking the hacked firmware might be more practical and time saving.
> @sekkit, in my DPT-RP1 appsettings also crashes when opening other apps using appsettings. I hope you can dump the taobao firmware, and I'm not sure this firmware http://kdroid.club/dpt1-user/ comes from taobao.
Dude, it is. I can even show you the item link with watermark of this site URL in some of the images.
> - flash factory firmware, finish setup.
> - flash that hacked fw & boot.img (important), and reboot to the wifi page, connect wifi maybe and reboot.
> - in diagnosis mode delete JSONClient.apk, rename DigitalPaperApp.apk.bak3 to DigitalPaperApp.apk. reboot.
> - now u will be in DPT's desktop.
>
> BTW, can u give me the script to dump all partitions, so that I can do it for u (not familiar with Android^^)
Did you try all this and did it work? It looks legit. If it works you do not need to dump the img for HappyZ then. This just works :)
But AFAIK boot.img has an EID verification, while your point 3 only addressed system.img changes. Edit: unless by "hacked fw and boot.img" you meant FwUpdater.pkg from taobao and the HappyZ mod boot.img.
> @HappyZ Update contents (20181210): 1. USB sound card, keyboard, etc. support 2. Bluetooth audio, keyboard, etc. support 3. Global contrast and bleaching adjustment 4. RP1/CP1 native system upgraded to 1.4.02. I think just hacking the hacked firmware might be more practical and time saving.
This is great. I'll take a look at it when I have time this weekend.
I have added the guide based on your feedback. Please check whether those steps were valid. If so you can close this issue.
hi, JSONClient.apk verifies the EID; the most important thing is that it executes the cmd "/sbin/eid rev", so we can rewrite JSONClient.apk to execute "/sbin/eid rev" and remove the other invalid code.
@sh-miller what do u mean by saying '/sbin/eid rev'? Does it adjust the display DPI?
@sekkit it does not adjust the DPI. I have NOT flashed the taobao firmware; has somebody flashed the taobao firmware? I heard that the taobao firmware is protected and needs an auth code; if that does not pass, the taobao firmware is not working. I'm not sure it is caused by JSONClient.apk. The cmd "/sbin/eid rev" comes from JSONClient.apk when auth passes.
@sh-miller I managed to rewrite JSONClient.apk so that only /sbin/eid is executed. BUT I failed to decompile the original package. Could you post some code here as a reference so I can rewrite a package using Android Studio?
update: I did remake an apk and will upload it to /system/app to see if it works.
@sekkit please use http://kdroid.club/dpt2-user/, user.181211.zip. I have uploaded it at https://drive.google.com/open?id=1ykraXBPWk1zqiuq3BaslU095JxIvRGcp. The main code is:
```java
// Decompiler (Smali2Java) output of the activation-result handler in JSONClient.apk,
// reindented; the 0x7f04xxxx literals are string resource ids from the apk.
protected void onPostExecute(Object ret) {
    String result = (String) ret;
    if (result == null) {
        return;
    }
    if (result.equals("") || result.equals("ERROR")) {
        state.setText(0x7f040001);
        return;
    }
    // first four characters of the server reply carry the status code
    String subresult = result.substring(0, 4);
    if (subresult.equals("PASS") || subresult.equals("SUCC")) {
        String execsh = null;
        try {
            // only on a passing reply is the eid helper started
            execsh = String.format("/sbin/eid recv");
            Process process = Runtime.getRuntime().exec(execsh);
            process.getErrorStream().close();
            process.getInputStream().close();
            process.getOutputStream().close();
            process.waitFor();
        } catch (IOException localIOException1) {
        } catch (InterruptedException localInterruptedException2) {
        }
        if (subresult.equals("SUCC")) {
            String pass = getResources().getString(0x7f040003);
            String left = getResources().getString(0x7f040004);
            String right = getResources().getString(0x7f040005);
            subresult = result.substring(4);
            state.setText(pass + left + subresult + right);
        } else {
            state.setText(0x7f040003);
        }
        rebootwait = 3;
        doreboot = true;
        return;
    }
    if (subresult.equals("BUSY")) {
        state.setText(0x7f040007);
        return;
    }
    if (subresult.equals("USED")) {
        state.setText(0x7f040006);
        return;
    }
    if (subresult.equals("FAIL")) {
        if (!regtested) {
            // first failure: switch the UI to the registration form
            regtested = true;
            btncheck1.setVisibility(8);
            btncheck2.setVisibility(0);
            row2.setVisibility(0);
            row3.setVisibility(0);
            row4.setVisibility(0);
            row5.setVisibility(0);
            row6.setVisibility(8);
            state.setText(0x7f040008);
            return;
        }
        state.setText(0x7f040009);
        return;
    }
    state.setText(0x7f040002);
}
```
waiting for your good news!
@sh-miller thx, I am working on it. What tool did u use for decompilation?
@sekkit use this tool: Smali2Java.
@sh-miller I bypassed the activation and started the eid service, but the AppLauncher always crashes. I'm investigating it.
@sekkit Exciting news!!!
Start the app with an adb command; is there some error in logcat?
@sh-miller no adb, so I need to integrate one into boot.img.
@sekkit have you tried the steps in your second post here (edited 2 days ago) yourself? I tried twice and it did not work: stuck at the booting "welcome" screen.
So can you share the modified JSONClient.apk (only leaving the "eid rev" part)? I can help take a look at the next step, and at why your AppLauncher fails.
@sekkit also try to recover /system/framework/framework-res.pak. A friend noticed that, just like DigitalPaperApp.apk, it is replaced by .pak.bak2 and .pak.bak2 and their sizes do not match. @sh-miller it would be great for you to have a look at what the difference is :)
Can you try running the following commands to enable the AppLauncher.

```sh
cd /data/system
mv ExtMgr.db ExtMgr.db_bak
mv ExtMgr.db-journal ExtMgr.db-journal_bak
reboot
```
u need to reboot after flashing the system.img & boot.img, into the activation page, and then reboot & go back to diagnosis mode, mv JSONClient.apk to jca (any name is ok), reboot.
OK, I'll try later.
Since we have figured out how to build a pkg package, please consider building a flashable pkg (or modifying the taobao pkg) so other people can take advantage of this.
> u need to reboot after flashing the system.img & boot.img, into the activation page, and then reboot & go back to diagnosis mode, mv JSONClient.apk to jca (any name is ok), reboot.
Sorry pal, I am confused. Is this what you did to have "bypassed the activation and started eid service"? I thought you had recompiled the modified Java files, converted them to smali and packed them into JSONClient.apk, and that is how you "bypassed the activation and started eid service".
Because from my understanding that line in JSONClient.apk is the only way to start the eid process.
Edit: I guess the answer to my questions is YES. I tried what you said. I am in the same situation now. Note that DigitalPaperApp.apk.bak2 and framework-res.apk.bak2 will be automatically renamed back to .apk, so no need to take care of it I guess. I am stuck in the DigitalPaperApp initial document reading, just as after a factory reset. But the menu button would not get anything up but a screen blink. I am trying @p4s2wd's suggestion to clean up the database files and see. If it does not work, I will try whether I can use the adb in their system.img in diagnosis mode.
Still, the best way to go is what @sh-miller said: "recompile the modified java files, convert to smali and pack into JSONClient.apk". This will get everything right, esp. the eid process, which does some system init functions.
@HappyZ hi, I do not understand what this part in your readme is trying to do. Does "Launcher app" mean the box popping up after pressing the menu button in the pdf reader/note-taker of the original factory system?
> Launcher app
> DPT Launcher is funny. It uses ExtensionManagerService that scans through /etc/dp_extensions. Ideally we shall have an automated tool to add/remove icons (not a plan), but for now, a commandline approach is the following:
> Re-mount your system to be writable (requiring sudo), and then use NoteCreator as a template:
Also the taobao system has no /mnt/system/data folder after "mount -t ext4 -o rw /dev/mmcblk0p9 /mnt/system" in diag mode, so there is no way to clear the ExtMgr.db cache. (cc @p4s2wd)
My situation now, after what @sekkit suggested, is that it's stuck in the DigitalPaperApp pdf reader and a menu button press will only blink the screen once. Any thoughts please?
Thanks and Regards, ziegfeld
What's the related output from adb logcat when you click the button and the screen blinks? If it's too long to post, you can send it to me via email: yz at 9pm.me
JSONClient.apk.zip: this is the apk for replacing JSONClient; when it exits, it'll start digitalapp automatically.
@sekkit @HappyZ I tried it.
I am using the 1129 firmware in case the 1210 update has new verification methods, because at least I know 1210 has the Linux kernel updated. This JSONClient.apk works in the sense that hitting the menu button will bring up a "JSONClient" application; it has an underlined fillable space with "/sbin/eid recv" in front of it, then two buttons, "RUN" and "EXIT".
Hitting run will pop up some messages, in order: CLICK, OKOKOK111, OKOKOK222, OKOKOK333, OKOKOK444, then nothing else. Hit exit, and it's the DigitalPaperApp again. Pressing the menu button again brings up this JSONClient app again. Nothing changed; hitting run pops up CLICK/OKOKxxx etc.
So I rebooted to diag. But it cannot, and instead shows "initializing.." and the "factory new in the box" DPT screen: "welcome to a brand new world of reading and writing! press POWER button to begin". Then I press the power button, it shows "encrypt the system", then boots up to this JSONClient "/sbin/eid recv" screen again. Now after I hit exit, it's a blank screen; the DigitalPaperApp is gone too, unless I press the menu button and JSONClient shows up again. So I only have this JSONClient and nothing else now.
Edit: I am able to get to diag mode by holding menu and pressing power on that "welcome to a brand new world" screen instead of just pressing the power button.
I will try a brand new taobao boot.img and system.img with your JSONClient.apk again and report back.
Edit: still the same result doing it brand new. It's stuck at JSONClient because it kind of asks for a string maybe. After inputting anything (or nothing), it's just the CLICK/OKOKOKxxxx sequence and nothing else. No DigitalPaperApp. I will give it a rest for now till later tonight.. thanks.
if u see no error message, that means the eid service is started; else it will throw an exception message. @ziegfeld I think there are more actions happening under the hood.
@sekkit yeah I agree. Previously I messed up /etc/dp_extensions/ and got some errors. This time no errors about applications stopping working. But the WIFI-verification code is only working in this JSONClient.apk to call the eid service, right? How come this could affect something else?
I'll post the source code tmr to see if anyone knows how to enable the next step. Seems not really activated.
@ziegfeld
as you said, DigitalPaperApp.apk is automatically renamed back to .apk; if true, we need to have a look at how DigitalPaperApp.apk.bak2 differs from Sony's DigitalPaperApp.apk,
and which app (which process) does this rename work.
@sekkit now my dpt-rp1 is only rooted; is there any risk in flashing the taobao firmware? I mean, can we flash Sony's firmware back as we want?
I'm exhausted! I have tried all the Taobao firmwares and none of them ever worked.
- After flashing the firmware, restart the dpt and the wifi connection panel appears. It asks me to provide a verification code (which of course I don't have ...).
- Then reboot the dpt into diagnosis mode, flash 'python_api/assets/boot-1.4.01.16100-mod-happyz-181118.img' and reboot again. It's stuck at the 'welcome' panel with two arrows rotating. 'adb' works, but unfortunately I'm not an Android programmer ...
By the way, the same problem is present on 'http://kdroid.club/dpt2-user/user.181211.zip' too. So, is there anyone who can provide an original firmware? I just want to restore everything back the way it was. Crying ...
@Zack-Q check https://github.com/HappyZ/dpt-tools/issues/31
@sh-miller just follow what @sekkit said in post #3 (which equals this git repo's readme section on the taobao pkg guide) and what he said today to me in this thread. But the state of the art is just as I and @sekkit described: LauncherApp not working, under-the-hood verification remains after the JSONClient fix attempts.
The risk is, as our dear @HappyZ said, bootloop and soft brick. Not unbricked yet I guess.. All other situations are okay; as long as you can get into diag mode you can go back fresh.
I wish both my java2smali and smali2java worked (and my Java skills too :D) so that I could know these .apk better.. or that I had a 52pojie.cn bbs account to post questions there.
@sekkit thanks man. So much hassle already by now, and I really think a dump of your friend's activated system would help a lot. I wish I knew the dd command for it :) cc @p4s2wd
Also @p4s2wd raised the concern that kdroid.club/dpt1 and /dpt2 might be respectively for rp1 and cp1: we don't know which is which..
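The partition dump that sekkit and ziegfeld ask for above, as an added example that is not from the thread or from dpt-tools: it images every mmcblk0p* partition with dd and writes a sha256 manifest, so a known-good state can be restored or diffed later. It assumes a diag-mode shell where dd and sha256sum exist and the eMMC partitions appear as /dev/block/mmcblk0p* (both assumptions).

```sh
#!/bin/sh
# Added example (not dpt-tools code): back up every raw partition before
# flashing, with a checksum manifest for later verification or diffing.
# Assumes dd and sha256sum are available in the diag-mode shell and that the
# partitions are exposed as /dev/block/mmcblk0p* (assumption).
set -eu

# dump_partitions SRC_DIR OUT_DIR
# Images every "$SRC_DIR"/mmcblk0p* into "$OUT_DIR"/<name>.img and appends a
# sha256 line per image to "$OUT_DIR"/SHA256SUMS. Prints the number of images.
dump_partitions() {
    src_dir=$1
    out_dir=$2
    mkdir -p "$out_dir"
    : > "$out_dir/SHA256SUMS"
    count=0
    for dev in "$src_dir"/mmcblk0p*; do
        [ -e "$dev" ] || continue          # glob matched nothing
        name=$(basename "$dev")
        # plain dd, no conv=sync: the image must keep the exact partition size
        dd if="$dev" of="$out_dir/$name.img" bs=1M 2>/dev/null
        (cd "$out_dir" && sha256sum "$name.img" >> SHA256SUMS)
        count=$((count + 1))
    done
    echo "$count"
}

# verify_dump OUT_DIR: succeeds only if every image still matches the manifest
verify_dump() {
    (cd "$1" && sha256sum -c SHA256SUMS > /dev/null)
}

# On the device: dump_partitions /dev/block /sdcard/dpt_dump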
> I'm exhausted! I have tried all the Taobao firmwares and none of them ever worked.
> - After flashing the firmware, restart the dpt and the wifi connection panel appears. It asks me to provide a verification code (which of course I don't have ...).
> - Then reboot the dpt into diagnosis mode, flash 'python_api/assets/boot-1.4.01.16100-mod-happyz-181118.img' and reboot again. It's stuck at the 'welcome' panel with two arrows rotating. 'adb' works, but unfortunately I'm not an Android programmer ...
> By the way, the same problem is present on 'http://kdroid.club/dpt2-user/user.181211.zip' too. So, is there anyone who can provide an original firmware? I just want to restore everything back the way it was. Crying ...
HappyZ's boot won't boot with the hacked firmware. That has been said; retrying it is useless. We need a better approach to analyze the startup process.
This issue is too long; I opened up a new one, we can discuss there. https://github.com/HappyZ/dpt-tools/issues/32
Closing, as a modified system.img has been released: https://github.com/HappyZ/dpt-tools/issues/37
kdroid files are not available anymore. Can anybody please upload these zips to gdrive/mega? Thanks!
It would be good to open a new issue for this. Also I heard that another Taobao DPT hack merchant has a pkg out there (1500RMB value :D); it would be great if someone could share that too.
done #51
1500RMB_pkg uploaded #52
I've a friend who owns a US version of the DPT-RP1, which is hacked with the same firmware from taobao, and his device is activated. Will it make any difference if I get that system dump?