# Rooting Sony's e-reader DPT-RP1 and DPT-CP1



## sartrism (Aug 11, 2017)

Update (5/18/2019)

Since the first tool was released, HappyZ has improved many features so I think I can just refer to

* HappyZ's rooting guide: https://github.com/HappyZ/dpt-tools/wiki/The-Ultimate-Rooting-Guide
   - The only thing I want to add as Windows user is (because the guide is for Mac/Linux users) it gets much easier if you use Linux terminal like cygwin, and the port name should be something like COM# where # can be found in Device Manager by comparing before/after you attach the device.

* HappyZ's upgrade guide: https://github.com/HappyZ/dpt-tools/wiki/The-Upgrade-Guide (Recommend to read this before/after you update the new firmware.)

You may donate a cup of coffee to him there  Thanks to all others who contributed a lot.

--
Update (12/02/2018) -- These are outdated.
Finally we manage to root the device! Many thanks to all of your efforts.

Just refer to HappyZ's well written guide: https://github.com/HappyZ/dpt-tools

For whom have never used python like me (and probably using Windows):
(1) Install Python 3 and add it to PATH.
(2) Install MINGW64 and run scripts here instead of Powershell due to xxd issue if you are on Windows.
(2) *pip httpsig pyserial* on bash.
(3) Download HappyZ's dpt-tools and unzip.
(4* this issue is fixed by HappZ)
(5) Follow HappyZ's guide. You should execute dpt-tools.py in the folder you unzipped to use *get-su-bin* because of how the script is written.

Some suggestions after rooting (let me know if you have better ideas):

Here is my setup: install "E-ink Launcher" and "Multi action home button" using *adb install*.
Use *adb shell am start -a android.intent.action.MAIN* to change the main launcher to your launcher.
Then change the setting of Multi Action Home button (say, the height should be large to be visible in the bottom) and assign its function to be Home for click and Back for double-click.
Whenever you want to use Sony's apps (these are good for pdf markup), just push the home button to open the pop-up menu.
Otherwise, touch the Multi Action Home Button to access to other Android apps. So far I've never experience any crash.

Yet more tips:
Some complain fonts are too small after installing generic apps.
*adb shell wm density 320* changes your DPI by 2 times (160 is a default value.) EDIT: I found 200 is quite enough that does not distort Sony apps too much.
My application is using "Tasker" to execute the above code when specific apps are open and execute *wm density reset* when the apps are closed. 
The reason why we cannot change the global DPI is sadly because it makes the default apps by Sony so awkward.
Alternatively, I could successfully install Xposed to try App Settings but this app crashed.

You can also install Gboard (but it has no hide button, so prepare with virtual back button) if you need another keyboard.

Enjoy your DPT devices 

--
Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.

I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.

Is this information really helpful to root my device? If so, is there any way to apply the previous methods to easily jailbreak DPT-RP1? I think the problem here is that it does not look like Android at all, so has no setting menu or developer tools. And not sure how to enter to the recovery mode since it only has two buttons - power/menu.

I'd appreciate any help or advice. Thanks!


----------



## sartrism (Aug 12, 2017)

And here you can find source codes.

oss.sony.net/Products/Linux/dp/DPT-RP1.html


----------



## Droidriven (Aug 12, 2017)

sartrism said:


> Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.
> 
> I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.
> 
> ...

Click to collapse



You must be an iPhone user that isn't familiar with android. Jailbreak in is an Apple thing, not an android thing. 

In android it's called "rooting" and it isn't quite the same thing as jailbreaking an Apple device.

This device does not at all seem to be worth the price, especially considering the limitations it has. What a waste of hardware.

I would assume that you could port something from one of those other devices to work on yours but it really depends on how your hardware is designed compared to those devices. 

Does your device have a typical bootloader like other android devices? 

Is the bootloader unlocked? 

If it is locked, can it be unlocked? 

Does the device use fastboot or does it have a flash mode that is used with a specific PC flashtool? 

If it is unlocked or if you can unlock it and it has a flash mode that can actually be used, you might be able to port a custom recovery from one of the devices you named then use that recovery to somehow root the device. If the device can't install android apps then it would probably involve using adb to root the device.


I DO NOT PROVIDE HELP IN PM, KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE


----------



## sartrism (Aug 12, 2017)

Droidriven said:


> You must be an iPhone user that isn't familiar with android. Jailbreak in is an Apple thing, not an android thing.
> 
> In android it's called "rooting" and it isn't quite the same thing as jailbreaking an Apple device.
> 
> ...

Click to collapse



Thanks for suggesting a general principle! I just use the word jailbreaking not because I'm an iPhone user. What I actually want to do as the first step is not rooting an android system, but revealing it from the current customized linux system. Rooting is the next step if necessary. If the word choice is still not accurate and bothers you, I apologize.

It has apparently no typical bootloader, and neither PC nor adb recognize it as an android device. In fact, direct USB file transfer is blocked so I need to use Sony's designated software. But an android system surely coexists according to the hacker who already rooted it.


----------



## Droidriven (Aug 12, 2017)

sartrism said:


> Thanks for suggesting a general principle! I just use the word jailbreaking not because I'm an iPhone user. What I actually want to do as the first step is not rooting an android system, but revealing it from the current customized linux system. Rooting is the next step if necessary. If the word choice is still not accurate and bothers you, I apologize.
> 
> It has apparently no typical bootloader, and neither PC nor adb recognize it as an android device. In fact, direct USB file transfer is blocked so I need to use Sony's designated software. But an android system surely coexists according to the hacker who already rooted it.

Click to collapse



Without some kind of way to flash or interface with the device there isn't much you can do.

I have a kindle fire HD that didn't come with a typical android system but does have a typical bootloader. The Amazon OS was removed and now it's full blown android but it required a "second" bootloader. You don't have a bootloader so I'm not sure what your options are with that device.



I DO NOT PROVIDE HELP IN PM, KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE


----------



## MarkBell (Aug 13, 2017)

Droidriven said:


> You must be an iPhone user that isn't familiar with android. Jailbreak in is an Apple thing, not an android thing.
> 
> In android it's called "rooting" and it isn't quite the same thing as jailbreaking an Apple device.
> 
> ...

Click to collapse



Jailbreaking is the process of modifying any electronic device in order to remove restrictions imposed by a manufacturer (Apple) or operator (to allow the installation of unauthorized software).

Rooting is the act of gaining access to the root account of a device (such as a smartphone or computer).

There is a huge difference between the two. You can't just say that rooting is Android's version of jailbreaking. Not accurate in the least.

https://www.androidpit.com/jailbreak-android

Sent from my SM-G928T using Tapatalk


----------



## Droidriven (Aug 13, 2017)

MarkBell said:


> Jailbreaking is the process of modifying any electronic device in order to remove restrictions imposed by a manufacturer (Apple) or operator (to allow the installation of unauthorized software).
> 
> Rooting is the act of gaining access to the root account of a device (such as a smartphone or computer).
> 
> ...

Click to collapse



You're reading too much into what I said.

Basically, what I said was that jailbreaking isn't an android thing, it's an Apple thing(didn't say it was exclusively an Apple thing, just NOT an android thing). It applies to more than just Apple devices but on this website dedicated to mobile platforms, I'm only referring to its application in the mobile device world. For the mobile world it's pretty much only an Apple thing(still not exclusively but mostly so). 

Then I said that in the android world it's called rooting(not exclusively an android thing, just NOT an Apple thing). And that jailbreaking and rooting aren't the same thing(this does not say that rooting is android's version of jailbreaking, that would imply that they are the same thing, I'm saying they aren't the same thing)

Basically, explaining what they "aren't", you explained what they "are".

I understand the difference, but thank you.


I DO NOT PROVIDE HELP IN PM, KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE


----------



## MarkBell (Aug 13, 2017)

Droidriven said:


> You're reading too much into what I said.
> 
> Basically, what I said was that jailbreaking isn't an android thing, it's an Apple thing(didn't say it was exclusively an Apple thing, just NOT an android thing). It applies to more than just Apple devices but on this website dedicated to mobile platforms, I'm only referring to its application in the mobile device world. For the mobile world it's pretty much only an Apple thing(still not exclusively but mostly so).
> 
> ...

Click to collapse



I tend to read too deeply into everything. It's the way I am. Lol.

Sent from my SM-G928T using Tapatalk


----------



## thisvip (Aug 22, 2017)

Could you please post some information about usb device? Just like PID & VID. 
Do it like:
Connect DPT-RP1 to Linux, and then type this command 'lsusb'
P.S. Under Windows or MacOS system, you can find the information from system settings...


----------



## @[email protected] (Aug 22, 2017)

*happy to help with simple things*



thisvip said:


> Could you please post some information about usb device? Just like PID & VID.
> Do it like:
> Connect DPT-RP1 to Linux, and then type this command 'lsusb'
> P.S. Under Windows or MacOS system, you can find the information from system settings...

Click to collapse



Bus 001 Device 008: ID 054c:0be5 Sony Corp.


----------



## sartrism (Aug 24, 2017)

It is good to see some people have been interested in this thread.

So far, I realized that the hacker used a hardware hacking method. I actually obtained the hacked system apps from one of his customer. I guess he did sometihng like directly modifying eMMC to root and put "USBDeviceSwitcher.apk" to allow an usual USB connection. Since I don't want to take such risk, I decided to wait until the first firmware to see if there could be an indirect way to penetrate the system files. But if you want to analyze the hacked system, contact me.


----------



## George Malas (Aug 24, 2017)

sartrism said:


> It is good to see some people have been interested in this thread.
> 
> So far, I realized that the hacker used a hardware hacking method. I actually obtained the hacked system apps from one of his customer. I guess he did sometihng like directly modifying eMMC to root and put "USBDeviceSwitcher.apk" to allow an usual USB connection. Since I don't want to take such risk, I decided to wait until the first firmware to see if there could be an indirect way to penetrate the system files. But if you want to analyze the hacked system, contact me.

Click to collapse



Does it have a web browser? Maybe you can utilize for example the Stagefright Exploit + DirtyC0W to get root.


----------



## mcplectrum (Aug 25, 2017)

I have found out some interesting stuff about the device with the help of the Digital Paper App.

The app is built using electron and there is a file: /Applications/Digital\ Paper\ App.app/Contents/Resources/app.asar 
This file contains the electron javascript files, which handle all the communication with the device. 
It can be extracted with: sudo asar extract app.asar output 
(github_com/electron/asar)
This also requires node to be installed: with e.g.  brew install node (changelog_com/posts/install-node-js-with-homebrew-on-os-x)

The app communicates with the device via Restlet-Framework/2.3.7 on port 8443 with tcp (no matter if it is the bluetooth, wifi or usb connection).
This is the only port that is open.

In the file:  /Applications/Digital\ Paper\ App.app/Contents/Resources/output/node_modules/mw-error/lib/codeparams.js you can find all the relative paths, which are getting called during e.g. file transfer, firmware update and stuff.   

Running the app and placing breakpoints reveals that before you can transfer files and stuff:
  '/auth'
  '/auth/nonce/'
are called in order to authenticate, which looks e.g. like url digitalpaper.local:8443/auth/nonce/1e9ee24d-6613-433a-9770-76b04333ac95
the last part of the call is the "client_id": "1e9ee24d-6613-433a-9770-76b04333ac95", which is retrieved via the url digitalpaper.local:8443/auth call.
 digitalpaper.local:8443/auth/

Important:
In /Applications/Digital\ Paper\ App.app/Contents/Resources/output/lib/config.js
change the line 
config.DEVBUILD = false;
to
config.DEVBUILD = true;


After you finished your modifications you have pack the output folder again:
sudo asar pack output app.asar

I did not have time to continue, but the following relative urls look promising (especially recovery_mode):

  '/testmode/auth/nonce',
  '/testmode/auth',
  '/testmode/launch',
  '/testmode/recovery_mode',
  '/testmode/assets/{}',


----------



## sartrism (Aug 26, 2017)

mcplectrum said:


> I have found out some interesting stuff about the device with the help of the Digital Paper App.
> 
> The app is built using electron and there is a file: /Applications/Digital\ Paper\ App.app/Contents/Resources/app.asar
> This file contains the electron javascript files, which handle all the communication with the device.
> ...

Click to collapse



Hope you get some result from wifi side. I also realized they use the port 8443 but couldn't get further as you.

For whom trying to hack it, here is the link for the already 'hacked' system apps (including the original files) - that of the famous hacked RP1 video. Inside the subfolder S1, there are also the hacked system apps for DPT-S1 just in case.

https://www.dropbox.com/sh/dvtvokdzrgwjc83/AACXOJA-E56nUpUfiWUOzrM3a?dl=0


----------



## sartrism (Aug 26, 2017)

George Malas said:


> Does it have a web browser? Maybe you can utilize for example the Stagefright Exploit + DirtyC0W to get root.

Click to collapse



The stock device has no web browser, no sd-card, no usb connection, and no typical system. I think SONY was haunted by some security issues maybe because they thought the major users are lawyers or very important people? lol


----------



## jaensch (Aug 31, 2017)

Any chance to create a buffer overflow PDF to attack RP1's pdf reader?


----------



## jess91 (Sep 6, 2017)

I am unable to help, but wanted to let you know I am definitely interested in and supportive of this. If this device can be unlocked as suggested in that one youtube video then I would buy it, despite the steep price.


----------



## Droidriven (Sep 6, 2017)

jess91 said:


> I am unable to help, but wanted to let you know I am definitely interested in and supportive of this. If this device can be unlocked as suggested in that one youtube video then I would buy it, despite the steep price.

Click to collapse



If you're interested and supportive of this then go buy one anyway and apply yourself to going forward figuring out how to get it done. Other than that, you're not supportive, you're just hopeful that someone figures it out and then you'll probably go get one. 

DO NOT CONTACT ME  VIA PM TO RECEIVE HELP, YOU WILL BE IGNORED. KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE


----------



## Paderico (Sep 7, 2017)

Hey guys,

I also recently got the RP1 and am also looking for ways to mod it. Big kudos and thanks to all of you for posting this! This alread is amazing. @sartrism: can you maybe give me a hint how to load the files on the rp1? Sorry if this might be a stupid question but I'm new to adroid and that stuff.


----------



## Paderico (Sep 8, 2017)

Paderico said:


> Hey guys,
> 
> I also recently got the RP1 and am also looking for ways to mod it. Big kudos and thanks to all of you for posting this! This alread is amazing. @sartrism: can you maybe give me a hint how to load the files on the rp1? Sorry if this might be a stupid question but I'm new to adroid and that stuff.

Click to collapse



Just a little update from my side. I'm currently tryng to recreate the steps @mcplectrum was using. It seems that my RP1 also uses other ports. I tried to wireshark the USB and WiFi connection. By that I saw that often GET /registration/information is called for Host: localhost:58052. Moreover the first call is GET /register/serial_number also on port 5808. This was via USB. 
Trying to trigger the /auth/ call via Telnet returns nothing unfortunately. But also the 8080 port is open. Trying to call digitalpaper.local:8443/auth/ returns nothing on firefox. 

@mcplectrum: how did you get the client_id and what would one need that for?

I also tried to change the config.DEVBUILD  to true but that seemed to change nothing at all. 

So to sum up what we know:
The device is using some kind of android structure, the source code seems to use the uboot bootloader, all communication is done by a rest restlet framework. So actually there should be some kind of way to use the restlet framework to PUT or POST the modified files. 
The other option would be directly flash the eMMC right? I would take the risk and just load it on my device and see what happens. Any hints on how to do that?


----------



## sartrism (Aug 11, 2017)

Update (5/18/2019)

Since the first tool was released, HappyZ has improved many features so I think I can just refer to

* HappyZ's rooting guide: https://github.com/HappyZ/dpt-tools/wiki/The-Ultimate-Rooting-Guide
   - The only thing I want to add as Windows user is (because the guide is for Mac/Linux users) it gets much easier if you use Linux terminal like cygwin, and the port name should be something like COM# where # can be found in Device Manager by comparing before/after you attach the device.

* HappyZ's upgrade guide: https://github.com/HappyZ/dpt-tools/wiki/The-Upgrade-Guide (Recommend to read this before/after you update the new firmware.)

You may donate a cup of coffee to him there  Thanks to all others who contributed a lot.

--
Update (12/02/2018) -- These are outdated.
Finally we manage to root the device! Many thanks to all of your efforts.

Just refer to HappyZ's well written guide: https://github.com/HappyZ/dpt-tools

For whom have never used python like me (and probably using Windows):
(1) Install Python 3 and add it to PATH.
(2) Install MINGW64 and run scripts here instead of Powershell due to xxd issue if you are on Windows.
(2) *pip httpsig pyserial* on bash.
(3) Download HappyZ's dpt-tools and unzip.
(4* this issue is fixed by HappZ)
(5) Follow HappyZ's guide. You should execute dpt-tools.py in the folder you unzipped to use *get-su-bin* because of how the script is written.

Some suggestions after rooting (let me know if you have better ideas):

Here is my setup: install "E-ink Launcher" and "Multi action home button" using *adb install*.
Use *adb shell am start -a android.intent.action.MAIN* to change the main launcher to your launcher.
Then change the setting of Multi Action Home button (say, the height should be large to be visible in the bottom) and assign its function to be Home for click and Back for double-click.
Whenever you want to use Sony's apps (these are good for pdf markup), just push the home button to open the pop-up menu.
Otherwise, touch the Multi Action Home Button to access to other Android apps. So far I've never experience any crash.

Yet more tips:
Some complain fonts are too small after installing generic apps.
*adb shell wm density 320* changes your DPI by 2 times (160 is a default value.) EDIT: I found 200 is quite enough that does not distort Sony apps too much.
My application is using "Tasker" to execute the above code when specific apps are open and execute *wm density reset* when the apps are closed. 
The reason why we cannot change the global DPI is sadly because it makes the default apps by Sony so awkward.
Alternatively, I could successfully install Xposed to try App Settings but this app crashed.

You can also install Gboard (but it has no hide button, so prepare with virtual back button) if you need another keyboard.

Enjoy your DPT devices 

--
Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.

I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.

Is this information really helpful to root my device? If so, is there any way to apply the previous methods to easily jailbreak DPT-RP1? I think the problem here is that it does not look like Android at all, so has no setting menu or developer tools. And not sure how to enter to the recovery mode since it only has two buttons - power/menu.

I'd appreciate any help or advice. Thanks!


----------



## Droidriven (Sep 8, 2017)

Paderico said:


> Just a little update from my side. I'm currently tryng to recreate the steps @mcplectrum was using. It seems that my RP1 also uses other ports. I tried to wireshark the USB and WiFi connection. By that I saw that often GET /registration/information is called for Host: localhost:58052. Moreover the first call is GET /register/serial_number also on port 5808. This was via USB.
> Trying to trigger the /auth/ call via Telnet returns nothing unfortunately. But also the 8080 port is open. Trying to call digitalpaper.local:8443/auth/ returns nothing on firefox.
> 
> @mcplectrum: how did you get the client_id and what would one need that for?
> ...

Click to collapse



If you're up to it, try some kind of RIFF box/OctoBox setup. 

DO NOT CONTACT ME  VIA PM TO RECEIVE HELP, YOU WILL BE IGNORED. KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE


----------



## Paderico (Sep 8, 2017)

Droidriven said:


> If you're up to it, try some kind of RIFF box/OctoBox setup.

Click to collapse



Not quite sure what you mean by that.


----------



## Droidriven (Sep 8, 2017)

Paderico said:


> Not quite sure what you mean by that.

Click to collapse



It's a piece of hardware that is used to directly connect to various points on the motherboard to directly interface/flash/modify the device.

Do a Google search for:

Android RIFF box

It's quite technical but you might be interested. It is also used to revive hard bricked devices that won't power on.

DO NOT CONTACT ME  VIA PM TO RECEIVE HELP, YOU WILL BE IGNORED. KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE


----------



## Paderico (Sep 8, 2017)

Droidriven said:


> It's a piece of hardware that is used to directly connect to various points on the motherboard to directly interface/flash/modify the device.
> 
> Do a Google search for:
> 
> ...

Click to collapse



Okay cool thanks. Checked that quickly, so what's then left is to find a way to find a driver that connects the RIFF Box USB port with the USB cable provided by Sony. Otherwise one would need to brutally open the device to get some connection which might ruin the device. Correct me if I'm wrong.


----------



## Droidriven (Sep 8, 2017)

Paderico said:


> Okay cool thanks. Checked that quickly, so what's then left is to find a way to find a driver that connects the RIFF Box USB port with the USB cable provided by Sony. Otherwise one would need to brutally open the device to get some connection which might ruin the device. Correct me if I'm wrong.

Click to collapse



There are always risks involved but USB connectivity is more limited than opening the device and connecting directly to the necessary points on the motherboard, it pretty much allows pushing/pulling whatever you want anywhere you want. It gives you the opportunity such that if you force something and it bricks the device, you may be able to revive to normal and try something else. Some of the android guys out there use this to root/modify devices even though there are no "normal" or standard tools to root the device. There are typically no guides for doing this because it isn't a common enough practice, usually on those "in the know" or the "inner circle" use it. Users on that level typically already have the necessary skills to use this tool so there is no need for truly in depth guides for using this tool on various devices.

DO NOT CONTACT ME  VIA PM TO RECEIVE HELP, YOU WILL BE IGNORED. KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE


----------



## Paderico (Sep 8, 2017)

Droidriven said:


> It's a piece of hardware that is used to directly connect to various points on the motherboard to directly interface/flash/modify the device.
> 
> Do a Google search for:
> 
> ...

Click to collapse





Droidriven said:


> There are always risks involved but USB connectivity is more limited than opening the device and connecting directly to the necessary points on the motherboard, it pretty much allows pushing/pulling whatever you want anywhere you want. It gives you the opportunity such that if you force something and it bricks the device, you may be able to revive to normal and try something else. Some of the android guys out there use this to root/modify devices even though there are no "normal" or standard tools to root the device. There are typically no guides for doing this because it isn't a common enough practice, usually on those "in the know" or the "inner circle" use it. Users on that level typically already have the necessary skills to use this tool so there is no need for truly in depth guides for using this tool on various devices.
> 
> DO NOT CONTACT ME  VIA PM TO RECEIVE HELP, YOU WILL BE IGNORED. KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE

Click to collapse



Totally get that and totally agree. But there is no way to gently open the device as there are no screws or something like that just plastic parts pressed into each other.


----------



## Droidriven (Sep 8, 2017)

Paderico said:


> Totally get that and totally agree. But there is no way to gently open the device as there are no screws or something like that just plastic parts pressed into each other.

Click to collapse



A very thin edged tool or screwdriver should get it started then get a fingernail in the crack and run it around the edge, staying in the crack, it should separate similar to a zipper as you go around, continue moving along the edge using the thin tool if your fingernail doesn't work. 

DO NOT CONTACT ME  VIA PM TO RECEIVE HELP, YOU WILL BE IGNORED. KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE


----------



## expollai (Sep 15, 2017)

according to the hacker's claims, he didn't root the device, didn't touch any hardware, just lifted the limitations  that sony blocking user installing 3rd party apps.  So after unblocking, the machine would still be under warranty.  One thing was for sure, he didn't do it through NFC


----------



## sartrism (Sep 20, 2017)

expollai said:


> according to the hacker's claims, he didn't root the device, didn't touch any hardware, just lifted the limitations  that sony blocking user installing 3rd party apps.  So after unblocking, the machine would still be under warranty.  One thing was for sure, he didn't do it through NFC

Click to collapse



That's different from what I heard. The hacker also sell cracking service of DPT-S1, and it is confirmed by one of his customer that he disassembled the device. I believe that he used the same method because it is quite immediate after DPT-RP1 was released, so it is reasonable to assume that he removed the back cover to root it.

And it is definitely rooted, for the customer could extract system apps for me using root explorer, which is not allowed in unrooted devices.


----------



## sartrism (Sep 20, 2017)

Paderico said:


> Okay cool thanks. Checked that quickly, so what's then left is to find a way to find a driver that connects the RIFF Box USB port with the USB cable provided by Sony. Otherwise one would need to brutally open the device to get some connection which might ruin the device. Correct me if I'm wrong.

Click to collapse



Such physical damage is the "risk" I was talking about  
You may refer to this to understand how the things are going in general: http://solderwiresandplastic.com/20...the-amazon-firetv-to-achieve-root-privileges/


----------



## expollai (Sep 20, 2017)

sartrism said:


> That's different from what I heard. The hacker also sell cracking service of DPT-S1, and it is confirmed by one of his customer that he disassembled the device. I believe that he used the same method because it is quite immediate after DPT-RP1 was released, so it is reasonable to assume that he removed the back cover to root it.
> 
> And it is definitely rooted, for the customer could extract system apps for me using root explorer, which is not allowed in unrooted devices.

Click to collapse



you can check:
//item.taobao.com/item.htm?id=545535809916&ns=1&abbucket=8#detail

---------- Post added at 03:51 AM ---------- Previous post was at 03:27 AM ----------




expollai said:


> you can check:
> //item.taobao.com/item.htm?id=545535809916&ns=1&abbucket=8#detail

Click to collapse



also
//item.taobao.com/item.htm?id=550465848108
//item.taobao.com/item.htm?id=522747481985

As far as I know, there were 2 ways to unblock S1, the above one seemed to be the better ( the original function not affected).


----------



## sartrism (Sep 20, 2017)

expollai said:


> you can check:
> //item.taobao.com/item.htm?id=545535809916&ns=1&abbucket=8#detail
> 
> ---------- Post added at 03:51 AM ---------- Previous post was at 03:27 AM ----------
> ...

Click to collapse



)

I know all of those links, but guaranteed warranty does not necessarily mean that it modifies nothing. For example, I can root or disassemble my phone without sacrificing warranty unless the manufacturer explicitly put seals or some software for security.

And the most accurate information can be obtained from the device already cracked, not from websites. If you think you can access to system files with an app without rooting, could you explain how? Otherwise, the hacker is lying for at least one point.


----------



## jess91 (Sep 27, 2017)

Droidriven said:


> If you're interested and supportive of this then go buy one anyway and apply yourself to going forward figuring out how to get it done. Other than that, you're not supportive, you're just hopeful that someone figures it out and then you'll probably go get one.
> 
> DO NOT CONTACT ME  VIA PM TO RECEIVE HELP, YOU WILL BE IGNORED. KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE

Click to collapse



I can't afford it. I am looking to sell my 9.7 ONYX and trade up to a 13.3 and would prefer this Sony if it can 100% open epub.


----------



## priyamjani (Oct 6, 2017)

I have the DPT-S1 which is the previous model to the RP1 and would be willing to help. But I have no experience with the stuff that is being discussed on this forum. The pictures of the DPT-S1 internals have been published here https://imgur.com/a/lilxB . The PRS-T1 which is an older smaller ereader was also hacked and is discussed here https://www.mobileread.com/forums/showthread.php?t=179445&page=4 . May be a similar approach is possible for the S1 or RP1 or both?


----------



## James.Zhu (Oct 6, 2017)

the hacker offer onsite service, someone said he just use half hour working on the device and no need to physically open it.


----------



## Jen_Shia (Oct 7, 2017)

Can anyone show me a workable link that offers a hack service? As far as I tried, they are all dead. I am willing to pay for my old DPT S1. For example, turn it into an external monitor.


----------



## Paderico (Nov 14, 2017)

James.Zhu said:


> the hacker offer onsite service, someone said he just use half hour working on the device and no need to physically open it.

Click to collapse



So the question is then back on how to load a modified firmware on the device. I assume nobody here has made any progress yet, right?


----------



## @[email protected] (Nov 14, 2017)

Paderico said:


> So the question is then back on how to load a modified firmware on the device. I assume nobody here has made any progress yet, right?

Click to collapse



There's a thread on mobileread forums, thread 3607586, that has some relevant work. 

MobileRead Forums > E-Book Readers > Sony Reader > A Javascript to transfer files without using Digital Paper App for Sony DPT-RP1

By reverse-engineering the communication protocol of the machine, it's possible to execute various operations, including uploading files, taking a screenshot, etc.  The list of operations includes '/system/controls/update_firmware' and '/testmode/recovery_mode', which are suggestive...

This isn't the same as running full android on the tablet, but it's awfully nice just to be able to upload files directly from a Linux machine, without having to use the Mac/Windows-only app.


----------



## jess91 (Nov 22, 2017)

The Onyx Boox Max 2 Pro will be available in a few weeks. It is a significant improvement on the first Boox Max and the DPT-RP1 in hardware and has Android 6.0 and will still be cheaper than the Sony.

I'm a Sony fan but Sony has lost my custom on this.


----------



## thisvip (Nov 22, 2017)

null....................


----------



## sartrism (Aug 11, 2017)

Update (5/18/2019)

Since the first tool was released, HappyZ has improved many features so I think I can just refer to

* HappyZ's rooting guide: https://github.com/HappyZ/dpt-tools/wiki/The-Ultimate-Rooting-Guide
   - The only thing I want to add as Windows user is (because the guide is for Mac/Linux users) it gets much easier if you use Linux terminal like cygwin, and the port name should be something like COM# where # can be found in Device Manager by comparing before/after you attach the device.

* HappyZ's upgrade guide: https://github.com/HappyZ/dpt-tools/wiki/The-Upgrade-Guide (Recommend to read this before/after you update the new firmware.)

You may donate a cup of coffee to him there  Thanks to all others who contributed a lot.

--
Update (12/02/2018) -- These are outdated.
Finally we manage to root the device! Many thanks to all of your efforts.

Just refer to HappyZ's well written guide: https://github.com/HappyZ/dpt-tools

For whom have never used python like me (and probably using Windows):
(1) Install Python 3 and add it to PATH.
(2) Install MINGW64 and run scripts here instead of Powershell due to xxd issue if you are on Windows.
(2) *pip httpsig pyserial* on bash.
(3) Download HappyZ's dpt-tools and unzip.
(4* this issue is fixed by HappZ)
(5) Follow HappyZ's guide. You should execute dpt-tools.py in the folder you unzipped to use *get-su-bin* because of how the script is written.

Some suggestions after rooting (let me know if you have better ideas):

Here is my setup: install "E-ink Launcher" and "Multi action home button" using *adb install*.
Use *adb shell am start -a android.intent.action.MAIN* to change the main launcher to your launcher.
Then change the setting of Multi Action Home button (say, the height should be large to be visible in the bottom) and assign its function to be Home for click and Back for double-click.
Whenever you want to use Sony's apps (these are good for pdf markup), just push the home button to open the pop-up menu.
Otherwise, touch the Multi Action Home Button to access to other Android apps. So far I've never experience any crash.

Yet more tips:
Some complain fonts are too small after installing generic apps.
*adb shell wm density 320* changes your DPI by 2 times (160 is a default value.) EDIT: I found 200 is quite enough that does not distort Sony apps too much.
My application is using "Tasker" to execute the above code when specific apps are open and execute *wm density reset* when the apps are closed. 
The reason why we cannot change the global DPI is sadly because it makes the default apps by Sony so awkward.
Alternatively, I could successfully install Xposed to try App Settings but this app crashed.

You can also install Gboard (but it has no hide button, so prepare with virtual back button) if you need another keyboard.

Enjoy your DPT devices 

--
Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.

I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.

Is this information really helpful to root my device? If so, is there any way to apply the previous methods to easily jailbreak DPT-RP1? I think the problem here is that it does not look like Android at all, so has no setting menu or developer tools. And not sure how to enter to the recovery mode since it only has two buttons - power/menu.

I'd appreciate any help or advice. Thanks!


----------



## CapitainDerya (Jan 3, 2018)

*Good share.*

@sartrism

Can you provide all system files using some sort of Android App which can backup file system. I think testmode requires password which is saved in SQlite. testmode  has right to reboot in diagnostic mode. Normal user has not authentication for this. Software engineers of this system looks like have a Web Development background. DPT-RP1 runs like a webserver.


----------



## hadesome1 (Jan 8, 2018)

hope has any process


----------



## CapitainDerya (Jan 8, 2018)

I think we are so close to success


----------



## hadesome1 (Jan 22, 2018)

any news?


----------



## skirhir (Feb 4, 2018)

I've been looking into the USB pairing process.

The device  reports idPorduct=0x0be5
It lists a CDC ACM  (serial) interface, and a USB HID interface.

I don't know what the HID is for, but the serial one is used to send some configuration that restarts the device USB interface.

After restarting, the device shows a different idProduct=0x0bdd . This one has an RNDIS NIC Interface that can be used to connect to the REST API.

/****************/

This is just a guess, but maybe there are other serial commands available that allow debugging/rootin/jaillbraking.

This is a capture of the USB port, maybe somebody else has seen a similar USB setting before
https://drive.google.com/open?id=1P-K9vW-XlzOZ6KqozaEO_Jr8CbLPlo8r


----------



## mateng1996 (Feb 20, 2018)

*jailbreak DPT-RP1 please*

As a Chinese student who can not afford the jailbreak fee, I hope you guys can be able to jailbreak DPT-RP1 sooner and release the crack files for free.


----------



## jess91 (Feb 25, 2018)

While this remains interesting, it is now really mostly an intellectual challenge. The new Onyx Boox 2 is superior device with same screen but far better features, very happy with mine. 6 months ago I would have purchased the Sony if they hadn't done all this nonsense of locking every little thing down. Hopefully Sony will learn in future, I like their products but not to the level of buying when there are better alternatives, they are missing the boat.


----------



## stevenvo (Feb 25, 2018)

jess91 said:


> While this remains interesting, it is now really mostly an intellectual challenge. The new Onyx Boox 2 is superior device with same screen but far better features, very happy with mine. 6 months ago I would have purchased the Sony if they hadn't done all this nonsense of locking every little thing down. Hopefully Sony will learn in future, I like their products but not to the level of buying when there are better alternatives, they are missing the boat.

Click to collapse



I guess you have not actually used the DPT-RP1 so there wasn't any real experience that you can refer to after you own the Onyx Boox 2. 
I have owned both devices and this is my review: https://www.mobileread.com/forums/showpost.php?p=3660223&postcount=10 
TLDR; Boox2 is just too heavy to hold for a long time, writing is not natural, however, Sony locking software sucks, but their rendering and writing software is way better than neoreader - however still lack of basic features. In the end I return the Boox 2 and will focus on rooting the Sony.


----------



## jess91 (Mar 3, 2018)

stevenvo said:


> I guess you have not actually used the DPT-RP1 so there wasn't any real experience that you can refer to after you own the Onyx Boox 2.
> I have owned both devices and this is my review: https://www.mobileread.com/forums/showpost.php?p=3660223&postcount=10
> TLDR; Boox2 is just too heavy to hold for a long time, writing is not natural, however, Sony locking software sucks, but their rendering and writing software is way better than neoreader - however still lack of basic features. In the end I return the Boox 2 and will focus on rooting the Sony.

Click to collapse



Correct, I haven't used the RP1, there is no point. The better hardware can not make up for the software restrictions, as nice and pretty as the Sony may be it is useless to people who need formats beyond just PDF. Shortsighted and total overkill decision by Sony, they should have made an "open" variant that lets install apps to open epub, etc.


----------



## sartrism (Mar 6, 2018)

jess91 said:


> The better hardware can not make up for the software restrictions

Click to collapse



Actually the opposite is more accurate in my opinion. At least RP1 has better chance to be perfect after software update or rooting (and it is possible to root in China by investing some money). To be honest, most of RP1/S1 users didn't move to other devices although Sony's attitude has been so disappointing. It is very interesting to see that the most aggressive people are actually ones who don't own RP1 yet.

Anyway, I think iOS users would be interested in this post by a Japanese user, who adapts python scripts to be implemented in iPhone or iPad.


----------



## ghostwheel (Mar 17, 2018)

I have the boox max, not the max 2. But for what the DPT-RP1 does, it is superior to the MAX2- annotating PDFs. The Neo 2 app for annotating is quite bad. 
First, you can't just start writing - you have to press on  screen, and select annotation. 
The annotations are also not saved directly to the file. You have to export, and then it is saved to a new file somewhere on your device. 
Neo 2 also doesn't play nicely with Dropbox - you can't just open a file from dropbox, edit in Neo 2, and save the changes. 
For note taking, the supplied papers are really bad - the lines are too thick and dark. 
There is also no good way to convert a bunch of notes to PDFs. You have to convert to png page by page,.. (I think)

All these problems exist since the Max days, and should take very little for a competent programmer to fix, but Onyx doesn't really care. You can use other note taking apps on android, but none currently work well with the stylus and the e-ink - much too slow!
So, for now hacking the RP1 could give benefits for people who want to use the device for taking notes and annotating pdfs.

---------- Post added at 03:41 ---------- Previous post was at 03:20 ----------

I'm not sure this helps, but this project implements communicating with the RP1:
https://github.com/janten/dpt-rp1-py


----------



## hdwrp (Apr 17, 2018)

PCBs of DPT-RP1 and new DPT-CP1 look identical (I can't post links yet):
mobileread.com/forums/attachment.php?attachmentid=163532&d=1523968266
fccid.io/AK8DPTRP1/Internal-Photos/Short-Term-Confidential-Internal-Photo-3309371

Same hardware except the display size.


----------



## hadesome1 (Apr 24, 2018)

hope has any process


----------



## altopalo (Aug 9, 2018)

Don't have enough knowledge to do such kind of rooting. Hope someone can help. Thanks in advance.


----------



## Droidriven (Aug 9, 2018)

altopalo said:


> Don't have enough knowledge to do such kind of rooting. Hope someone can help. Thanks in advance.

Click to collapse



You obviously haven't read this whole thread. This discussion was started quite some time ago and they aren't any closer to gaining root than when the thread first started so unless you have something to add to finding a possible way to root this device, there is nothing you can add to or gain from this thread.

Sent from my LGL84VL using Tapatalk


----------



## Atcold (Aug 14, 2018)

*On sale on Amazon*

I wanted to point out that the device is now on sale on Amazon (see attachment).


----------



## Nvechenyu (Aug 24, 2018)

Whenever I connect to WiFi, it would pop up a web browser. It opens Baidu.com automately which is quite strange. I can visit any website by searching in baidu but I cannot download anything. I don't know if this is useful for your guys.


----------



## jess91 (Sep 3, 2018)

Thought about you guys. This is now mainstream, not limited to some guy in China. Goodereader is now selling the RP1 and newer smaller CP1 with Android 5.1.1.

https://goodereader.com/blog/electr...-dpt-rp1-and-dpt-cp1-can-now-run-android-apps
https://goodereader.com/blog/product/sony-digital-paper-dpt-rp1-android-5-1-1-with-google-play
https://www.youtube.com/watch?v=UUbK6JctplI
https://www.youtube.com/watch?v=etokGSqDs2E


----------



## hdwrp (Sep 6, 2018)

Don't be mistaken. Goodereader is just reselling the very same stuff of the person "Ladyhack" from China.
It's called affiliation.
I would not be surprised if the item would be shipped by the very same person from China.
The hack is Sony's internal leak.


----------



## Anti-paradox (Sep 23, 2018)

hdwrp said:


> Don't be mistaken. Goodereader is just reselling the very same stuff of the person "Ladyhack" from China.
> It's called affiliation.
> I would not be surprised if the item would be shipped by the very same person from China.
> The hack is Sony's internal leak.

Click to collapse



I can't agree more, this leak surely comes from Sony's internal.
As you can tell, most software engineering are done by Linfiny Japan, which is a subsidiary of Eink, cooperated with Sony, as a platform for their  E-ink development. And I am certain that some insider find this "jailbreaking" lucrative.

This thread haven't gain any actual progress ever since it is started, and I bet the hacker must have required more info from their engineering department than any one of us.

I have this device for over six months now and I am trying to hack into it, and here's what I found so far.

The device itself is running Debian, which is a linux platform, with android supports.
The E-reader utility is a separate App on this device, which means each time you open a document this App launches itself, and it is not integrated with any other parts. This App is called "DigitalPaperApp" 

I recently hack into the PC software so that you can upload any firmware onto this device with a modified version of DigitalPaperApp, linked below:
https://github.com/Antiparadox/Sony-Digital-Paper-Hack"]https://github.com/Antiparadox/Sony-Digital-Paper-Hack

My plan is to install a hacked version of update package into this device, and this is now possible because Sony just released its new version of firmware, which is now downloaded and included into my git repo, (v1.4.0.1)

Unfortunately this .pkg file is assumed to use the same protocol as Sony's PlayStation internal update file, which means Un-pack and repackaging this update file is surely no easy task.

I will look into the this file and see what I can find, and hopefully this will reveal a major breakthrough.


----------



## sartrism (Aug 11, 2017)

Update (5/18/2019)

Since the first tool was released, HappyZ has improved many features so I think I can just refer to

* HappyZ's rooting guide: https://github.com/HappyZ/dpt-tools/wiki/The-Ultimate-Rooting-Guide
   - The only thing I want to add as Windows user is (because the guide is for Mac/Linux users) it gets much easier if you use Linux terminal like cygwin, and the port name should be something like COM# where # can be found in Device Manager by comparing before/after you attach the device.

* HappyZ's upgrade guide: https://github.com/HappyZ/dpt-tools/wiki/The-Upgrade-Guide (Recommend to read this before/after you update the new firmware.)

You may donate a cup of coffee to him there  Thanks to all others who contributed a lot.

--
Update (12/02/2018) -- These are outdated.
Finally we manage to root the device! Many thanks to all of your efforts.

Just refer to HappyZ's well written guide: https://github.com/HappyZ/dpt-tools

For whom have never used python like me (and probably using Windows):
(1) Install Python 3 and add it to PATH.
(2) Install MINGW64 and run scripts here instead of Powershell due to xxd issue if you are on Windows.
(2) *pip httpsig pyserial* on bash.
(3) Download HappyZ's dpt-tools and unzip.
(4* this issue is fixed by HappZ)
(5) Follow HappyZ's guide. You should execute dpt-tools.py in the folder you unzipped to use *get-su-bin* because of how the script is written.

Some suggestions after rooting (let me know if you have better ideas):

Here is my setup: install "E-ink Launcher" and "Multi action home button" using *adb install*.
Use *adb shell am start -a android.intent.action.MAIN* to change the main launcher to your launcher.
Then change the setting of Multi Action Home button (say, the height should be large to be visible in the bottom) and assign its function to be Home for click and Back for double-click.
Whenever you want to use Sony's apps (these are good for pdf markup), just push the home button to open the pop-up menu.
Otherwise, touch the Multi Action Home Button to access to other Android apps. So far I've never experience any crash.

Yet more tips:
Some complain fonts are too small after installing generic apps.
*adb shell wm density 320* changes your DPI by 2 times (160 is a default value.) EDIT: I found 200 is quite enough that does not distort Sony apps too much.
My application is using "Tasker" to execute the above code when specific apps are open and execute *wm density reset* when the apps are closed. 
The reason why we cannot change the global DPI is sadly because it makes the default apps by Sony so awkward.
Alternatively, I could successfully install Xposed to try App Settings but this app crashed.

You can also install Gboard (but it has no hide button, so prepare with virtual back button) if you need another keyboard.

Enjoy your DPT devices 

--
Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.

I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.

Is this information really helpful to root my device? If so, is there any way to apply the previous methods to easily jailbreak DPT-RP1? I think the problem here is that it does not look like Android at all, so has no setting menu or developer tools. And not sure how to enter to the recovery mode since it only has two buttons - power/menu.

I'd appreciate any help or advice. Thanks!


----------



## shankerzhiwu (Oct 6, 2018)

*some light on rooting*

I have kicked my DPT-RP1 into diagnose mode. 

The method is plugging an OTG cable whose ID pin is soldered with 7.87 k resistor to GND. Press and hold home button while the device is booting up. Finally you will get a gray rectangle at the center of the screen. On the computer, a USB modem device will be detected and a login tty will be on that tty.

Now, the question arises that we need to crack the login password. The shadow hash is 
	
	



```
$6$HtJrWqxU$gJtuFqZLU/tOwjrXY1dxLgh021mKpNlI4wOn8eEkiD3qj7Tb69.iKNh6KpzE6rotBaCGPH3PjYDKPbmHaaDCw1
```
.

Does anyone have any idea on that hash?


----------



## jra166 (Oct 9, 2018)

Anti-paradox said:


> I recently hack into the PC software so that you can upload any firmware onto this device with a modified version of DigitalPaperApp, linked below:
> https://github.com/Antiparadox/Sony-Digital-Paper-Hack"]https://github.com/Antiparadox/Sony-Digital-Paper-Hack

Click to collapse



I guess it isn't as easy as buying the GoodeReader hacked version, ripping the firmware, and uploading it with your modified PC software?  So the remaining challenge is how to get the firmware off of a hacked DPT, yes?


----------



## yanzi (Oct 15, 2018)

shankerzhiwu said:


> I have kicked my DPT-RP1 into diagnose mode.
> 
> The method is plugging an OTG cable whose ID pin is soldered with 7.87 k resistor to GND. Press and hold home button while the device is booting up. Finally you will get a gray rectangle at the center of the screen. On the computer, a USB modem device will be detected and a login tty will be on that tty.
> 
> ...

Click to collapse



Interesting findings. What does it say upon booting?


----------



## cypresstwist (Oct 22, 2018)

shankerzhiwu said:


> Now, the question arises that we need to crack the login password. The shadow hash is
> 
> 
> 
> ...

Click to collapse



It's a sha512 encryption HASH. You can put hashcat to work to crack it.


----------



## Honami754 (Oct 24, 2018)

cypresstwist said:


> It's a sha512 encryption HASH. You can put hashcat to work to crack it.

Click to collapse



rockyou.txt tried with no outcomes. Try something harder
Also how did he got the shadow hash without a complete system dump?


----------



## shankerzhiwu (Nov 1, 2018)

yanzi said:


> Interesting findings. What does it say upon booting?

Click to collapse



Nothing. Because the USB modem device seen on the host computer is emulated by the DPT device with USB Gadget.

---------- Post added at 08:10 AM ---------- Previous post was at 08:02 AM ----------




Honami754 said:


> rockyou.txt tried with no outcomes. Try something harder
> Also how did he got the shadow hash without a complete system dump?

Click to collapse



Yes, I have. If the hash is cracked, DPT can be rooted without disassembling and re-soldering the eMMC chip. However, I desoldered the eMMC chip and dumped the firmware. However, I now have trouble re-soldering the chip back after modifying the content inside. The PCB is too thin that it was broken when heated. The device is now totally a brick and I have sent it to an experienced engineer to see if it can get recovered.


----------



## hadesome1 (Nov 8, 2018)

Another chinese hacks DPT-RP1 and DPT-CP1，support *Magisk & Xposed*. Can be used as a computer monitor，Looks so cool！
=
And he supports *remote hack*！
=
https://item.taobao.com/item.htm?id=571237107893
=
The video link
https://v.youku.com/v_show/id_XMzkwODcxNzA4OA==.html
=


----------



## shankerzhiwu (Nov 12, 2018)

*Rooted DPT-RP1*



shankerzhiwu said:


> I have kicked my DPT-RP1 into diagnose mode.
> 
> The method is plugging an OTG cable whose ID pin is soldered with 7.87 k resistor to GND. Press and hold home button while the device is booting up. Finally you will get a gray rectangle at the center of the screen. On the computer, a USB modem device will be detected and a login tty will be on that tty.
> 
> ...

Click to collapse



Hi, all I have ROOTed my DPT-RP1 (in fact., my friend's). Here is a brief guide:

Before rooting:

1. Make a usb OTG cable described in the quoted post, aka. an OTG cable whose ID pin is soldered with 7.87 k resistor to GND.
2. Make sure that you can reproduce the steps described in the quoted post and get a login tty.
3. Press the reset button with a sim-ejector or so to put the device in normal mode. Don't worry, you won't lose your user data.
4. Prepare dpt-rp1-py tool (https://github.com/janten/dpt-rp1-py), make sure you can communicate with your DPT with that tool.

Rooting steps:

1. Download the modified firmware. Sha256sum is 5b9a10201d1cf29fbb072ebbfed517d22ddc00f014aef3ee816e43c2932e3803.
2. "Flash" the firmware into the device using `dptrp1 update`.
3. After flashing, the device will complain that firmware upgrading has failed.
4. Power off the device, and kick your device into diagnose mode. The password for root is set to `12345`
5. Now you have FULL control over your own device. Do whatever you want.


The download link for the modified firmware is https://gofile.io/?c=ezd8UX


----------



## ghostwheel (Nov 13, 2018)

*Amazing!*

Wow! Amazing (in theory... haven't tried it yet). 
Thanks!


----------



## silvertriclops (Nov 13, 2018)

Who's gonna be the guinea pig? I want to try it but can't afford another one if I screw mine up.


----------



## shankerzhiwu (Nov 13, 2018)

silvertriclops said:


> Who's gonna be the guinea pig? I want to try it but can't afford another one if I screw mine up.

Click to collapse



Though I won't be responsible for any loss, the risk of losing a device is very low. The firmware I modified does not contain any meaningful payload. Even if anything should go wrong, the worst result would be that the firmware is simply ignored by the device and nothing happens.


----------



## 30sheets (Nov 13, 2018)

Hi everyone, and many thanks to the people who are putting lots of efforts into freeing the DPT-RP1 software.

I am ready to hack my own device. However, I would like first to ask @shankerzhiwu if he/she could explain how the modified firmware was generated? Is there a source for it, that I could compile myself? Or is it just some manual edit of Sony's official firmware?

Also, I would find it interesting if anyone has a particular tip on creating an OTG cable with the right configuration for this operation. I guess I could do it all by myself by following a tutorial, but I would find it reassuring if someone could share their experience about their own method of manufacturing the cable.

Again, many thanks to everyone involved.


----------



## shankerzhiwu (Nov 13, 2018)

30sheets said:


> Hi everyone, and many thanks to the people who are putting lots of efforts into freeing the DPT-RP1 software.
> 
> I am ready to hack my own device. However, I would like first to ask @shankerzhiwu if he/she could explain how the modified firmware was generated? Is there a source for it, that I could compile myself? Or is it just some manual edit of Sony's official firmware?
> 
> ...

Click to collapse



It is manually modified from official FactoryReset.pkg. You can find it at https://github.com/octavianx/Unpack-and-rebuild-the-DPT-RP1-upgrade-firmware 

By reading the `start_eufwupdater.sh`, you will know why my modified firmware works.

WARNING: If anyone wants to run `start_eufwupdater.sh` or `start_eufwupdater2.sh` with my modified firmware on his/her own computer, please DO NOT run as root, or the system could be damaged.


----------



## shankerzhiwu (Nov 13, 2018)

30sheets said:


> Hi everyone, and many thanks to the people who are putting lots of efforts into freeing the DPT-RP1 software.
> 
> I am ready to hack my own device. However, I would like first to ask @shankerzhiwu if he/she could explain how the modified firmware was generated? Is there a source for it, that I could compile myself? Or is it just some manual edit of Sony's official firmware?
> 
> ...

Click to collapse



About the OTG cable, I have no shortcut available. Pinout of micro usb plugs can be found on https://en.wikipedia.org/wiki/USB_(Physical)#Pinouts . The 7.87 k resistor should be soldered between ID(PIN 4) and GND(PIN 5). Alternately, you can also use a 7.5k resistor. Since such resistor value is beyond OTG standard, you have to do the solder work. For simplicity, a breakout board can be used like www.digikey.com/product-detail/en/sparkfun-electronics/BOB-10031/1568-1192-ND/5673778 . Moreover, you can also choose to only solder the resistor itself without a USB cable. If so, after the gray rect is shown on the screen, the OTG plug can be safely disconnected and a normal USB to micro USB cable can be used to connect the DPT to your computer. 

The detailed steps for entering diagnose mode are :

1. Power off your DPT.
2. Connect the OTG cable.
2. Press and hold the Home button.
3. With the Home button pressed, press and release the Power button. 
4. Continue holding the Home button. See if anything is shown on the screen.
4.a. If "Welcome" screen shows, which means that the Home button is not detected pressed when booting, go back to step 1.
4.b. If nothing is shown on the screen and the power LED is also not flashing, which means that you are too nervous to trigger the power button -- your DPT is not powered on at all, go back to step 3.
4.c. if nothing is shown on the screen and the power LED keeps flashing, then the Home button can be released.
5. Wait for about 12 seconds. See if anything is shown on the screen.
5.a. If the screen flashes blank and the power LED stops flashing and turns off, which means that the id resistor is not soldered well (ill-connected or wrong value)., check your OTG cable and go back to step 2.
5.b. if a gray rect is shown on the screen, the device is now in diagnose mode
6. If a USB cable is not soldered with the micro USB plug, you can now unplug it and use a normal micro USB cable to connect the DPT with your computer.
7. A USB modem device should now be detected on the computer. Use a serial terminal software to access the diagnose tty.


----------



## silvertriclops (Nov 14, 2018)

I'm not knowledgeable enough to do this but is there any way you could modify the package to provide a way to access the shell without the OTG cable? I personally don't have a soldering iron but would love to root mine. Could maybe include an SSH server (and assume that anyone who wants to root it knows how to secure it further), or ADB, or possibly enable the debug port in normal mode.

In fact, it probably has ADB already and is just disabled.


----------



## shankerzhiwu (Nov 14, 2018)

silvertriclops said:


> I'm not knowledgeable enough to do this but is there any way you could modify the package to provide a way to access the shell without the OTG cable? I personally don't have a soldering iron but would love to root mine. Could maybe include an SSH server (and assume that anyone who wants to root it knows how to secure it further), or ADB, or possibly enable the debug port in normal mode.
> 
> In fact, it probably has ADB already and is just disabled.

Click to collapse



Sorry, but I have no idea how to make such a package. What I can do is only write at most about 230 bytes to an arbitrary file. As a result, the best thing could be to override the file containing the password hash.

BTW, There is no adbd available and it should be compiled and enabled by yourself.


----------



## shankerzhiwu (Nov 14, 2018)

shankerzhiwu said:


> Sorry, but I have no idea how to make such a package. What I can do is only write at most about 230 bytes to an arbitrary file. As a result, the best thing could be to override the file containing the password hash.
> 
> BTW, There is no adbd available and it should be compiled and enabled by yourself.

Click to collapse



Hi, all
Good news for guys who do not want to make the OTG cable! I made another firmware to remove the detection of the special id resistor. The download link is https://gofile.io/?c=NE6qV8 and the sha256sum is ce57b43fe59364724580908e967fa4d68eab608a457ad3a3a4a249cd009d3b1d.

Use this firmware ONCE and ONLY ONCE, and the detection of the special id resistor will be removed. To enter diagnose mode, only pressing Home button is needed. 

WARNING: I recommend AGAINST the use of this firmware, because I did not test this firmware on a not-rooted device. If something unexpected happens, the firmware may do harm to your diagnose environment, which means including but not limited to: 
* your DPT may not be able do firmware upgrade anymore, or
* your DPT may get stuck in diagnose mode and cannot boot normally.


----------



## cypresstwist (Nov 14, 2018)

*Play Store?*



shankerzhiwu said:


> Hi, all
> Good news for guys who do not want to make the OTG cable! I made another firmware to remove the detection of the special id resistor. The download link is https://gofile.io/?c=NE6qV8 and the sha256sum is ce57b43fe59364724580908e967fa4d68eab608a457ad3a3a4a249cd009d3b1d.

Click to collapse



Would you be able to implement Google PlayStore functonality in this firmware? I would love to have Pocket and EPUB support on this device.


----------



## silvertriclops (Nov 14, 2018)

cypresstwist said:


> Would you be able to implement Google PlayStore functonality in this firmware? I would love to have Pocket and EPUB support on this device.

Click to collapse



From what OP said earlier it looks like adding apps to the firmware is not possible. I don't want to risk my device with the non-OTG firmware but will try to get ahold of the right cable later today and start experimenting with installing the play store.


----------



## shankerzhiwu (Nov 14, 2018)

cypresstwist said:


> Would you be able to implement Google PlayStore functonality in this firmware? I would love to have Pocket and EPUB support on this device.

Click to collapse



Some clarification is needed for my two "firmware"s. They are NOT real firmwares, and they cannot upgrade or downgrade your system. Nothing meaningful is contained in them. The ONLY function of the "JB.pkg" firmware is to set the root password for the diagnose environment and "JB2.pkg" firmware is to disable the detection of the special ID resistor. The two firmwares are independent and of different functions. They both exploit the same bug in the firmware upgrade script. 

Valid firmwares are digital signed and cannot be repacked without the signing private key.

---------- Post added at 02:27 AM ---------- Previous post was at 02:04 AM ----------




silvertriclops said:


> From what OP said earlier it looks like adding apps to the firmware is not possible. I don't want to risk my device with the non-OTG firmware but will try to get ahold of the right cable later today and start experimenting with installing the play store.

Click to collapse



After gaining root privilege, you can do anything you want to your device. I can give some suggestions:

* Manually disable OTG detection. The modification is at `/usr/local/bin/diag_functions`.  Make the function `DIAG_get_mode` always return 0. (My JB2.pkg does the same ting)

* Backup your current firmware

* Add an adbd program into the iniramfs image and make adb work

 * Install a third-party launcher

However, this can be a huge task. At fist I thought it could simple and straight forward after gaining root privilege. After installing several applications, I found most normal Android applications not fit the digital paper screen well. The rendered text is too thin and hard to recognize. As a result, for normal users who only want to read epub books, I strongly recommend the rooted version sold on Taobao and GoodReader or their rooting services. Judging from their demo video, I think the root service is worth itself.

---------- Post added at 02:34 AM ---------- Previous post was at 02:27 AM ----------

BTW, the diagnose mode is not a standard Android recovery environment but a simplified ubuntu system.


----------



## sartrism (Aug 11, 2017)

Update (5/18/2019)

Since the first tool was released, HappyZ has improved many features so I think I can just refer to

* HappyZ's rooting guide: https://github.com/HappyZ/dpt-tools/wiki/The-Ultimate-Rooting-Guide
   - The only thing I want to add as Windows user is (because the guide is for Mac/Linux users) it gets much easier if you use Linux terminal like cygwin, and the port name should be something like COM# where # can be found in Device Manager by comparing before/after you attach the device.

* HappyZ's upgrade guide: https://github.com/HappyZ/dpt-tools/wiki/The-Upgrade-Guide (Recommend to read this before/after you update the new firmware.)

You may donate a cup of coffee to him there  Thanks to all others who contributed a lot.

--
Update (12/02/2018) -- These are outdated.
Finally we manage to root the device! Many thanks to all of your efforts.

Just refer to HappyZ's well written guide: https://github.com/HappyZ/dpt-tools

For whom have never used python like me (and probably using Windows):
(1) Install Python 3 and add it to PATH.
(2) Install MINGW64 and run scripts here instead of Powershell due to xxd issue if you are on Windows.
(2) *pip httpsig pyserial* on bash.
(3) Download HappyZ's dpt-tools and unzip.
(4* this issue is fixed by HappZ)
(5) Follow HappyZ's guide. You should execute dpt-tools.py in the folder you unzipped to use *get-su-bin* because of how the script is written.

Some suggestions after rooting (let me know if you have better ideas):

Here is my setup: install "E-ink Launcher" and "Multi action home button" using *adb install*.
Use *adb shell am start -a android.intent.action.MAIN* to change the main launcher to your launcher.
Then change the setting of Multi Action Home button (say, the height should be large to be visible in the bottom) and assign its function to be Home for click and Back for double-click.
Whenever you want to use Sony's apps (these are good for pdf markup), just push the home button to open the pop-up menu.
Otherwise, touch the Multi Action Home Button to access to other Android apps. So far I've never experience any crash.

Yet more tips:
Some complain fonts are too small after installing generic apps.
*adb shell wm density 320* changes your DPI by 2 times (160 is a default value.) EDIT: I found 200 is quite enough that does not distort Sony apps too much.
My application is using "Tasker" to execute the above code when specific apps are open and execute *wm density reset* when the apps are closed. 
The reason why we cannot change the global DPI is sadly because it makes the default apps by Sony so awkward.
Alternatively, I could successfully install Xposed to try App Settings but this app crashed.

You can also install Gboard (but it has no hide button, so prepare with virtual back button) if you need another keyboard.

Enjoy your DPT devices 

--
Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.

I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.

Is this information really helpful to root my device? If so, is there any way to apply the previous methods to easily jailbreak DPT-RP1? I think the problem here is that it does not look like Android at all, so has no setting menu or developer tools. And not sure how to enter to the recovery mode since it only has two buttons - power/menu.

I'd appreciate any help or advice. Thanks!


----------



## silvertriclops (Nov 14, 2018)

How do you install apps? pm utility won't work simply after mounting /dev/mmcblk0p9 in diag mode (as expected) but I can't figure out how to get a shell in normal mode.


----------



## shankerzhiwu (Nov 15, 2018)

silvertriclops said:


> How do you install apps? pm utility won't work simply after mounting /dev/mmcblk0p9 in diag mode (as expected) but I can't figure out how to get a shell in normal mode.

Click to collapse



Use adb shell


----------



## silvertriclops (Nov 15, 2018)

Any way you could post your adbd? I can't get cross compiling down


----------



## yanzi (Nov 15, 2018)

shankerzhiwu said:


> Use adb shell

Click to collapse



hey great work! just want to say thank you! it's a clever way using pkg to overwrite and reset password for root. Have you tried to disable the pkg validation and install a customized pkg? If not, I'll take a look at it. But first try your method. Thanks again.

I know how to de-compile and compile pkg, with a self signed key. So it will be very helpful without needing usb anymore.

Another thing I haven't tried is to trigger the wifi webpage to display and through web vulnerabilities. Have you looked at it also? So I can confirm it works or not.

Sorry that's a lot of questions. But I'm quite busy lately so it would be awesome if you can share your thoughts and what you have tried other than the USB interface.

=============== 
and if possible, can you explain how'd you find the offset in pkg where it starts to validate AES and insert the following hex?


```
9043D58142271DC68044D8D8ACCCA48B139BD00B7FE9883E72BDBCF65EFCFCE9908143829900B781D7969536263688ECFEB29D24C362935EEAA7411FA13BAAC64004F72E7B7CB80E112AFED37C0A154DBC16B887A876CD584802563C159B54F6EA0F765F0EDBD0959D03DF2CF78AA74DB112CEB1E3A11A392E0B339A5ECCEF5179374BE8555016198FF7085B9416F385610F1211397FE5AA7AA6067A24FEADB5DF2D151435B70FA38F0CB38053A0E8E8D3114A8CACF5C70C697F554122BF863D6F9C0B488B62EE2FC224441DB6CF582EFC892B41F65212D9D69173FE4022681B49DD1CD31FB4CBC9BDD2F5FCFAE466779A5A0907A1F1653F629CF39246
```

=== 
never mind i got it

====

confirm it works; thanks for the great work again


----------



## shankerzhiwu (Nov 16, 2018)

yanzi said:


> hey great work! just want to say thank you! it's a clever way using pkg to overwrite and reset password for root. Have you tried to disable the pkg validation and install a customized pkg? If not, I'll take a look at it. But first try your method. Thanks again.

Click to collapse



Regarding the bash scripts, disabling the validation is not possible. The package is digitally signed and we do not have the signing private key. It is not wise to crack RSA digital signature/private key.



yanzi said:


> I know how to de-compile and compile pkg, with a self signed key. So it will be very helpful without needing usb anymore.
> 
> Another thing I haven't tried is to trigger the wifi webpage to display and through web vulnerabilities. Have you looked at it also? So I can confirm it works or not.

Click to collapse



No, I haven't. Because I am not familar with Android things. 



yanzi said:


> Sorry that's a lot of questions. But I'm quite busy lately so it would be awesome if you can share your thoughts and what you have tried other than the USB interface.
> 
> ===============
> and if possible, can you explain how'd you find the offset in pkg where it starts to validate AES and insert the following hex?
> ...

Click to collapse


----------



## yanzi (Nov 16, 2018)

shankerzhiwu said:


> Regarding the bash scripts, disabling the validation is not possible. The package is digitally signed and we do not have the signing private key. It is not wise to crack RSA digital signature/private key.
> 
> 
> 
> No, I haven't. Because I am not familar with Android things.

Click to collapse



Yea I know you can't directly bypass the pkg validation. But it's possible after your hack I believe, with few tweaks. I like your solution. I was thinking about this direction, and I'm so glad you did it! Thanks again. If you don't mind, I will refer your hack in my original git and add a small script to automate this a bit. I confirm for a non rooted device, you can disable id check first, and then change password. But now this method is released, and I'm not sure how SNY reacts and whether they will update this.


----------



## shankerzhiwu (Nov 16, 2018)

yanzi said:


> Yea I know you can't directly bypass the pkg validation. But it's possible after your hack I believe, with few tweaks.

Click to collapse



You can directly replace the public key used for verification with your own. The command is `rawdata --set_dump=sig_key < your_own_pub_key`. Actually, the public key is stored in offset 0x83000 of the emmc flash.




yanzi said:


> I like your solution. I was thinking about this direction, and I'm so glad you did it! Thanks again. If you don't mind, I will refer your hack in my original git and add a small script to automate this a bit. I confirm for a non rooted device, you can disable id check first, and then change password.

Click to collapse



Thanks for your confirmation and your refer is welcomed



yanzi said:


> But now this method is released, and I'm not sure how SNY reacts and whether they will update this.

Click to collapse



Yeah, let's see what is going on next. However, the bug occurs in the script `start_eufwupdater.sh` and you know it is this script that calls the update script inside the firmware. What will happen if a running script is replaced? It is not easy for a firmware update to get this bug repaired.


----------



## chenlong828 (Nov 16, 2018)

how to enable the adb after get root privileges? Can you give us a detail step?

Thanks for your effort!



shankerzhiwu said:


> You can directly replace the public key used for verification with your own. The command is `rawdata --set_dump=sig_key < your_own_pub_key`. Actually, the public key is stored in offset 0x83000 of the emmc flash.
> 
> 
> 
> ...

Click to collapse


----------



## yanzi (Nov 16, 2018)

chenlong828 said:


> how to enable the adb after get root privileges? Can you give us a detail step?
> 
> Thanks for your effort!

Click to collapse



The concept is to dump your boot partition, unpack it on your computer, unpack ramdisk, add adbd to /sbin/ and change the default.prop, and repack and flash it back to partition `/dev/mmcblk0p8`

Dump boot partition via `dd if=/dev/mmcblk0p8 of=/tmp/boot.img bs=4M`

When I get time this weekend i'll try it


----------



## sekkit (Nov 20, 2018)

Hi,
       I know how to make apps display properly on DPT RP1. according to taobao root service description, it says XPOSED can adjust dpi for apps so that it can be larger.
      Also changing the dpi settings of system can work too.


----------



## yanzi (Nov 20, 2018)

sekkit said:


> Hi,
> I know how to make apps display properly on DPT RP1. according to taobao root service description, it says XPOSED can adjust dpi for apps so that it can be larger.
> Also changing the dpi settings of system can work too.

Click to collapse



Cool. I have get the adb working and su working now. Need a small break in Thanksgiving and will be back digging more about dpi settings. 

DPT is now a fully functional Android tablet, with ink screen!


----------



## silvertriclops (Nov 20, 2018)

yanzi said:


> Cool. I have get the adb working and su working now. Need a small break in Thanksgiving and will be back digging more about dpi settings.
> 
> DPT is now a fully functional Android tablet, with ink screen!

Click to collapse



How exactly did you mod the boot partition? I know how to dump it but I'm afraid of modifying it because if I do it wrong then my tablet is bricked.


----------



## yanzi (Nov 20, 2018)

silvertriclops said:


> How exactly did you mod the boot partition? I know how to dump it but I'm afraid of modifying it because if I do it wrong then my tablet is bricked.

Click to collapse



I wrote a tool to do it: https://github.com/HappyZ/dpt-tools (verified under MacOS only)

Although there is a chance, as long as you have the diagnosis mode, you can fix the brick by dd the boot.img back to the right partition. You can check out my code to learn a bit more. 

Boot.img is modified via mkbootimg. You can check out https://github.com/HappyZ/dpt-boot-img/tree/1.4.01.16100-mod to see what I have changed.


And if you want to modify the system.img, you need to change the header size to 32. I also included those a while ago in the github. I'm more interested into building a pkg so you can directly flash it, rather than dumping it to the system partition though. It would be fun to have, just like Android.


----------



## silvertriclops (Nov 21, 2018)

yanzi said:


> I wrote a tool to do it: https://github.com/HappyZ/dpt-tools (verified under MacOS only)
> 
> Although there is a chance, as long as you have the diagnosis mode, you can fix the brick by dd the boot.img back to the right partition. You can check out my code to learn a bit more.
> 
> ...

Click to collapse



This tool is great! Not perfect and I had to do a few things manually though.

Anyway, I backed up my boot partition and flashed your modded one. Now I'm able to connect with adb shell, but the device itself never gets past the Welcome screen and pulls up the password prompt. Also su is not working, it just opens up another limited permission shell.


----------



## yanzi (Nov 21, 2018)

silvertriclops said:


> This tool is great! Not perfect and I had to do a few things manually though.

Click to collapse



Thanks, what didn't work? I can fix it.



silvertriclops said:


> Anyway, I backed up my boot partition and flashed your modded one. Now I'm able to connect with adb shell, but the device itself never gets past the Welcome screen and pulls up the password prompt. Also su is not working, it just opens up another limited permission shell.

Click to collapse



It shall boot without problems especially you are just flashing the boot partition. What's the password prompt? You mean the diagnosis mode?

I haven't tested the su part in the automated script but tried the steps manually. There might be some issues in the script. You can refer to the system approach in update-script from SuperUser.apk to do it manually.


----------



## silvertriclops (Nov 21, 2018)

yanzi said:


> Thanks, what didn't work? I can fix it.
> 
> 
> 
> ...

Click to collapse



The password prompt on the device itself, where it asks for the password for decryption before it finishes booting. And not sure what's up with su, I'm not very experienced with this stuff but it seems like the binary exists, just not doing what it's supposed to.

edit: just restored my original boot.img backup and it's still stuck on the welcome screen with the loading circle...


----------



## yanzi (Nov 21, 2018)

silvertriclops said:


> The password prompt on the device itself, where it asks for the password for decryption before it finishes booting. And not sure what's up with su, I'm not very experienced with this stuff but it seems like the binary exists, just not doing what it's supposed to.

Click to collapse



Oh the device encryption is enabled? I have never enabled it so I never tested that.. that could be it.. 

You shall restore your original boot.img, and disable encryption and try it. 

And su didn't work might be because of it. There's a script to run daemonsu to allow su kicking in, and if it stucks at the decryption, it could be not running at all.

---------- Post added at 09:13 AM ---------- Previous post was at 09:09 AM ----------




silvertriclops said:


> edit: just restored my original boot.img backup and it's still stuck on the welcome screen with the loading circle...

Click to collapse



Did you check the md5 of your backed up boot.img? Is it successfully copied? (match the md5 of your backup)

You shall be checking "adb logcat" to see what's wrong.


----------



## silvertriclops (Nov 21, 2018)

yanzi said:


> Oh the device encryption is enabled? I have never enabled it so I never tested that.. that could be it..
> 
> You shall restore your original boot.img, and disable encryption and try it.
> 
> And su didn't work might be because of it. There's a script to run daemonsu to allow su kicking in, and if it stucks at the decryption, it could be not running at all.

Click to collapse



Restored my original boot.img and it still gets stuck at the welcome screen. How do you disable encryption on this? I thought it was enabled by default and nothing you can do to change it.

Or are you running this right after you run /usr/local/bin/factory_reset.sh?

edit just ran factory_reset and it definitely wipes data (I had everything backed up of course) but still gets stuck on the welcome screen


----------



## yanzi (Nov 21, 2018)

silvertriclops said:


> Restored my original boot.img and it still gets stuck at the welcome screen. How do you disable encryption on this? I thought it was enabled by default and nothing you can do to change it.
> 
> Or are you running this right after you run /usr/local/bin/factory_reset.sh?

Click to collapse



No I didn't do any reset. I thought it was encryption as I never saw password prompt before. I guess if you don't set password protections on device, there should be no prompt. I did check the modded boot.img before I made changes and the version on my device are matched. There may be something wrong with the su script that changes device behavior.

Can you validate in diagnosis mode the following file exists in /system parition?
first mount partition `/dev/mmcblk0p9` and assuming mount point is `/mnt/Lucifer/` then:

/mnt/Lucifer/bin/app_process
/mnt/Lucifer/bin/app_process32
/mnt/Lucifer/bin/app_process_init

And oh I did find a small bug in the script: you should `mv /mnt/Lucifer/bin/.ext/su /mnt/Lucifer/bin/.ext/.su`

I find where your problem could be. It shall miss file `/mnt/Lucifer/bin/app_process` and `/mnt/Lucifer/bin/app_process_init` due to some bugs I had in the script.  Sorry about that. I'll write you a step-by-step guide to fix it.


----------



## hdwrp (Nov 21, 2018)

yanzi said:


> Cool. I have get the adb working and su working now. Need a small break in Thanksgiving and will be back digging more about dpi settings.
> 
> DPT is now a fully functional Android tablet, with ink screen!

Click to collapse



Could you please confirm DPT-RP1 with fully functional Android can connect to Bluetooth keyboard to type or to turn the PDF pages?
Thank you.


----------



## sartrism (Aug 11, 2017)

Update (5/18/2019)

Since the first tool was released, HappyZ has improved many features so I think I can just refer to

* HappyZ's rooting guide: https://github.com/HappyZ/dpt-tools/wiki/The-Ultimate-Rooting-Guide
   - The only thing I want to add as Windows user is (because the guide is for Mac/Linux users) it gets much easier if you use Linux terminal like cygwin, and the port name should be something like COM# where # can be found in Device Manager by comparing before/after you attach the device.

* HappyZ's upgrade guide: https://github.com/HappyZ/dpt-tools/wiki/The-Upgrade-Guide (Recommend to read this before/after you update the new firmware.)

You may donate a cup of coffee to him there  Thanks to all others who contributed a lot.

--
Update (12/02/2018) -- These are outdated.
Finally we manage to root the device! Many thanks to all of your efforts.

Just refer to HappyZ's well written guide: https://github.com/HappyZ/dpt-tools

For whom have never used python like me (and probably using Windows):
(1) Install Python 3 and add it to PATH.
(2) Install MINGW64 and run scripts here instead of Powershell due to xxd issue if you are on Windows.
(2) *pip httpsig pyserial* on bash.
(3) Download HappyZ's dpt-tools and unzip.
(4* this issue is fixed by HappZ)
(5) Follow HappyZ's guide. You should execute dpt-tools.py in the folder you unzipped to use *get-su-bin* because of how the script is written.

Some suggestions after rooting (let me know if you have better ideas):

Here is my setup: install "E-ink Launcher" and "Multi action home button" using *adb install*.
Use *adb shell am start -a android.intent.action.MAIN* to change the main launcher to your launcher.
Then change the setting of Multi Action Home button (say, the height should be large to be visible in the bottom) and assign its function to be Home for click and Back for double-click.
Whenever you want to use Sony's apps (these are good for pdf markup), just push the home button to open the pop-up menu.
Otherwise, touch the Multi Action Home Button to access to other Android apps. So far I've never experience any crash.

Yet more tips:
Some complain fonts are too small after installing generic apps.
*adb shell wm density 320* changes your DPI by 2 times (160 is a default value.) EDIT: I found 200 is quite enough that does not distort Sony apps too much.
My application is using "Tasker" to execute the above code when specific apps are open and execute *wm density reset* when the apps are closed. 
The reason why we cannot change the global DPI is sadly because it makes the default apps by Sony so awkward.
Alternatively, I could successfully install Xposed to try App Settings but this app crashed.

You can also install Gboard (but it has no hide button, so prepare with virtual back button) if you need another keyboard.

Enjoy your DPT devices 

--
Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.

I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.

Is this information really helpful to root my device? If so, is there any way to apply the previous methods to easily jailbreak DPT-RP1? I think the problem here is that it does not look like Android at all, so has no setting menu or developer tools. And not sure how to enter to the recovery mode since it only has two buttons - power/menu.

I'd appreciate any help or advice. Thanks!


----------



## silvertriclops (Nov 21, 2018)

yanzi said:


> No I didn't do any reset. I thought it was encryption as I never saw password prompt before. I guess if you don't set password protections on device, there should be no prompt. I did check the modded boot.img before I made changes and the version on my device are matched. There may be something wrong with the su script that changes device behavior.
> 
> Can you validate in diagnosis mode the following file exists in /system parition?
> first mount partition `/dev/mmcblk0p9` and assuming mount point is `/mnt/Lucifer/` then:
> ...

Click to collapse



I remember when I checked, app_process did not exist. I'm assuming that's where the problem is as that's a pretty essential file.

I just copied the latest official FwUpdater.pkg to my device and ran it with start_eufwupdater.sh. It booted fine to the setup screen after that, so at least I know that as long as I can boot into diag I can recover it.

Another thing I have found is that if you're in diag and run /usr/local/bin/mass_storage, it'll mount as a mass storage device to your PC. Copying files that way is much faster than through serial. Then eject, ctrl-c, 
	
	



```
mount /dev/mmcblk0p16 /mnt/sd
```


----------



## yanzi (Nov 21, 2018)

silvertriclops said:


> Restored my original boot.img and it still gets stuck at the welcome screen. How do you disable encryption on this? I thought it was enabled by default and nothing you can do to change it.
> 
> Or are you running this right after you run /usr/local/bin/factory_reset.sh?
> 
> edit just ran factory_reset and it definitely wipes data (I had everything backed up of course) but still gets stuck on the welcome screen

Click to collapse



Download the following file:
View attachment app_process32_original.tar.gz

And do the following (in diagnosis mode):
```
mount /dev/mmcblk0p9 /mnt/Lucifer/
cd /mnt/Lucifer/bin
rm app_process
rm app_process32
rm app_process32_original
rm app_process_bak
rm app_process_init
ln -s /system/xbin/daemonsu /mnt/Lucifer/bin/app_process
ln -s /system/xbin/daemonsu /mnt/Lucifer/bin/app_process32
```

Then use the tool to upload file unzipped from above tar by:
```
push-file
> Local folder path: app_process_original
> DPT file path: /mnt/Lucifer/bin
```
Then:
```
cp /mnt/Lucifer/bin/app_process_original /mnt/Lucifer/bin/app_process_init
chown 0.2000 /mnt/Lucifer/bin/app_process_init
chmod 0755 /mnt/Lucifer/bin/app_process_init
```

This should solve the problem.


----------



## yanzi (Nov 21, 2018)

silvertriclops said:


> I remember when I checked, app_process did not exist. I'm assuming that's where the problem is as that's a pretty essential file.
> 
> I just copied the latest official FwUpdater.pkg to my device and ran it with start_eufwupdater.sh. It booted fine to the setup screen after that, so at least I know that as long as I can boot into diag I can recover it.
> 
> ...

Click to collapse



That's elegant. Well, I was just reinventing the wheel then. Good to know it works! 

Good to hear, I wrote you a small recovery steps also.. I fixed the script (hopefully) so it wouldn't make the same mistake again.


----------



## Anti-paradox (Nov 21, 2018)

yanzi said:


> That's elegant. Well, I was just reinventing the wheel then. Good to know it works!
> 
> Good to hear, I wrote you a small recovery steps also.. I fixed the script (hopefully) so it wouldn't make the same mistake again.

Click to collapse



Hi, thanks for the all those involved, you guys are amazing!
Now I am also trying to install a-the ABD on my device, but it appears to be unauthorized, 
So how do I fix it, do I just kill add server, and request for reboot?
Also, how would adbkey(provided) help in this process?
Thanks!


----------



## yanzi (Nov 21, 2018)

Anti-paradox said:


> Hi, thanks for the all those involved, you guys are amazing!
> Now I am also trying to install a-the ABD on my device, but it appears to be unauthorized,
> So how do I fix it, do I just kill add server, and request for reboot?
> Also, how would adbkey(provided) help in this process?
> Thanks!

Click to collapse



You just need to follow the key pairing process and provide the adbkey. I agree it is not a great approach but..

Backup your original adbkey from ~/.android/adbkey to ~/.android/adbkey_bak
And replace it with the provided one

After you got su you can replace /adb_keys with your own public key.

---------- Post added at 10:40 AM ---------- Previous post was at 10:25 AM ----------




silvertriclops said:


> I remember when I checked, app_process did not exist. I'm assuming that's where the problem is as that's a pretty essential file.
> 
> I just copied the latest official FwUpdater.pkg to my device and ran it with start_eufwupdater.sh. It booted fine to the setup screen after that, so at least I know that as long as I can boot into diag I can recover it.
> 
> ...

Click to collapse



Ok I have tested the su part of the script and it should fully work now. Plz let me know.


----------



## Anti-paradox (Nov 21, 2018)

yanzi said:


> You just need to follow the key pairing process and provide the adbkey. I agree it is not a great approach but..
> 
> Backup your original adbkey from ~/.android/adbkey to ~/.android/adbkey_bak
> And replace it with the provided one
> ...

Click to collapse



Thanks!, but how would you push the existing adbkey to the device to replace the old one? 
I tried add -push no success.
Any ideas on how to do that? (did it already)
still working on it...
Ok, so it is still not authorized, 
I backup the adbkey, along with adbkey.pub, so here is what it looks like now:
adbkey		adbkey_bak	adbkey_bak.pub
where the adbkey is the given one
Now how can I fix this issue?


----------



## yanzi (Nov 21, 2018)

Anti-paradox said:


> Thanks!, but how would you push the existing adbkey to the device to replace the old one?
> I tried add -push no success.
> Any ideas on how to do that?
> many thanks!

Click to collapse



Assuming your adbkey is in `/magic/path/adbkey`
And the public key is in `/magic/path/adbkey.pub` (should not be needed but just in case, it's here)
Detailed steps in a terminal is:
```
adb kill-server
cd ~/.android/
mv adbkey adbkey_bak
mv adbkey.pub adbkey.pub_bak
cp /magic/path/adbkey adbkey
cp /magic/path/adbkey.pub adbkey.pub
adb devices
```
And I think this should work

And after you get su, replace the /adb_keys in device to your own adbkey.pub, and restore your own private and public keys.


----------



## Anti-paradox (Nov 21, 2018)

yanzi said:


> Assuming your adbkey is in `/magic/path/adbkey`
> And the public key is in `/magic/path/adbkey.pub` (should not be needed but just in case, it's here)
> Detailed steps in a terminal is:
> ```
> ...

Click to collapse



A lot of thanks, solved!
Turns out I rename the wrong file, silly mistake there.


----------



## silvertriclops (Nov 21, 2018)

yanzi said:


> Download the following file:
> View attachment 4648071
> 
> And do the following (in diagnosis mode):
> ...

Click to collapse



I wasn't able to get that to work. But since it looks like you updated the script I might as well try that again. Going to take a break and bike a few miles then factory reset my DPT again so I can try your updated script with a clean slate (no pun intended)

Anyone want to set up a discord server? That would be easier than checking this thread every few minutes, and once a solution is found we could post it here.


----------



## Anti-paradox (Nov 21, 2018)

*sudo access declined*

I tried to ssh into the device and try some sudo commands, but it seems that I am not able to gain this su access.
This is what pops up when I type "get-su-bin"
[info] Mounting /system partition..
[error] name 'folder' is not defined
How would this be fixed?
Thanks Again!


----------



## silvertriclops (Nov 21, 2018)

Anti-paradox said:


> I tried to ssh into the device and try some sudo commands, but it seems that I am not able to gain this su access.
> This is what pops up when I type "get-su-bin"
> [info] Mounting /system partition..
> [error] name 'folder' is not defined
> ...

Click to collapse



Open python_api/libDPT.py

Find this line:

```
if not self.diagnosis_mkdir(folder):
```

Replace it with: 


```
if not self.diagnosis_mkdir(mountpoint):
```


----------



## Anti-paradox (Nov 21, 2018)

silvertriclops said:


> Open python_api/libDPT.py
> 
> Find this line:
> 
> ...

Click to collapse



Emm. the bug is somehow still there:
here's what I got:
[info] Mounting /system partition..
[info] /mnt/Lucifer already exist
[info] Mounted to 
[error] Nothing happened..
I checked the InteractivePy file, it should be the problem with mount point(Although I have no idea about what this will do)
Could you check this issue again? Many Thanks!


----------



## yanzi (Nov 21, 2018)

Anti-paradox said:


> Emm. the bug is somehow still there:
> here's what I got:
> [info] Mounting /system partition..
> [info] /mnt/Lucifer already exist
> ...

Click to collapse



Update the script and try again. The folder check was flipped.


----------



## Anti-paradox (Nov 21, 2018)

Anti-paradox said:


> Emm. the bug is somehow still there:
> here's what I got:
> [info] Mounting /system partition..
> [info] /mnt/Lucifer already exist
> ...

Click to collapse



I think this could be the issues, in libDPT.py, line 166:
if self.diagnosis_isfolder('{}/xbin'.format(mountpoint)):
            return mountpoint
and same file in line 120:
'''
        check if file exists given file path
        '''
        cmd = "[[ -d {} ]] && echo 'YESS' || echo 'NONO'".format(folderp)
        return 'YESS' in self.diagnosis_write(cmd)

where it is set to false, which is why the mount point is left empty, leading to failure.


----------



## yanzi (Nov 21, 2018)

Anti-paradox said:


> I think this could be the issues, in libDPT.py, line 166:
> if self.diagnosis_isfolder('{}/xbin'.format(mountpoint)):
> return mountpoint
> and same file in line 120:
> ...

Click to collapse



Yea I just fixed it. Thanks for trying out. I don't have a clean device now so I can't fully test it. See if with the update you get it through.


----------



## Anti-paradox (Nov 21, 2018)

yanzi said:


> Update the script and try again. The folder check was flipped.

Click to collapse



many thanks!
I just tested this version, issues completely solved!
Sudo access reclaimed successfully.


----------



## yanzi (Nov 21, 2018)

Anti-paradox said:


> many thanks!
> I just tested this version, issues completely solved!
> Sudo access reclaimed successfully.

Click to collapse



Can you go to `adb shell` and then `su` to test it? Just need confirmation as I did the script after I manually did everything.


----------



## Anti-paradox (Nov 21, 2018)

yanzi said:


> Can you go to `adb shell` and then `su` to test it? Just need confirmation as I did the script after I manually did everything.

Click to collapse



Yes it has been tested, rock solid.
The user appears as "root"
Also, where would be the best place to install Apks in order for them to show up on the home screen?
Thanks in advance

Here's what I found under system/apps:
ActionExecutor
ActionSenderService
AppLauncher
ApplicationGateway
BasicDreams
Bluetooth
Browser
Can we somehow evoke the built-in browser?


----------



## yanzi (Nov 21, 2018)

Anti-paradox said:


> Yes it has been tested, rock solid.
> The user appears as "root"
> Also, where would be the best place to install Apks in order for them to show up on the home screen?
> Thanks in advance

Click to collapse



It won't show up on home screen unless you install a launcher. There are tons of places to download APKs.

But I want to warn you and anyone who gets su:
*
It will leave your system in vulnerable states. Try to avoid installing any suspicious APKs. It is now as weak as any other Android rooted devices.*


----------



## p4s2wd (Nov 21, 2018)

*How to enable ADB on dpt1*

1. Launch the "Android setting" via a Launcher

2. Go to "System" and find "About phone"

3. Find "Build number", and click it in 7 times. The machines says you're the "Developer".

4. Back to "System", there is new Menu "Developer options" displayed.

5. Go to "Developer options", and find "USB debugging", enable it.

6. Connected the RP1 and PC via USB cable

7. On PC, run the adb devices, it will find the device.

8. With ADB, you can do anything you want 

---------- Post added at 05:06 AM ---------- Previous post was at 05:02 AM ----------




yanzi said:


> It won't show up on home screen unless you install a launcher. There are tons of places to download APKs.
> 
> But I want to warn you and anyone who gets su:
> *
> It will leave your system in vulnerable states. Try to avoid installing any suspicious APKs. It is now as weak as any other Android rooted devices.*

Click to collapse



The home button is defined from /etc/dp_extensions, you could copycat the "NoteList" into "Browser" as following
Browser_extension.xml
Browser_strings-en.xml
Browser_strings-en.xml.bak
Browser_strings-ja.xml
Browser_strings-zh_CN.xml
ic_homemenu_browser.png

The URI for Browser is component=com.android.browser/.BrowserActivity


----------



## sartrism (Aug 11, 2017)

Update (5/18/2019)

Since the first tool was released, HappyZ has improved many features so I think I can just refer to

* HappyZ's rooting guide: https://github.com/HappyZ/dpt-tools/wiki/The-Ultimate-Rooting-Guide
   - The only thing I want to add as Windows user is (because the guide is for Mac/Linux users) it gets much easier if you use Linux terminal like cygwin, and the port name should be something like COM# where # can be found in Device Manager by comparing before/after you attach the device.

* HappyZ's upgrade guide: https://github.com/HappyZ/dpt-tools/wiki/The-Upgrade-Guide (Recommend to read this before/after you update the new firmware.)

You may donate a cup of coffee to him there  Thanks to all others who contributed a lot.

--
Update (12/02/2018) -- These are outdated.
Finally we manage to root the device! Many thanks to all of your efforts.

Just refer to HappyZ's well written guide: https://github.com/HappyZ/dpt-tools

For whom have never used python like me (and probably using Windows):
(1) Install Python 3 and add it to PATH.
(2) Install MINGW64 and run scripts here instead of Powershell due to xxd issue if you are on Windows.
(2) *pip httpsig pyserial* on bash.
(3) Download HappyZ's dpt-tools and unzip.
(4* this issue is fixed by HappZ)
(5) Follow HappyZ's guide. You should execute dpt-tools.py in the folder you unzipped to use *get-su-bin* because of how the script is written.

Some suggestions after rooting (let me know if you have better ideas):

Here is my setup: install "E-ink Launcher" and "Multi action home button" using *adb install*.
Use *adb shell am start -a android.intent.action.MAIN* to change the main launcher to your launcher.
Then change the setting of Multi Action Home button (say, the height should be large to be visible in the bottom) and assign its function to be Home for click and Back for double-click.
Whenever you want to use Sony's apps (these are good for pdf markup), just push the home button to open the pop-up menu.
Otherwise, touch the Multi Action Home Button to access to other Android apps. So far I've never experience any crash.

Yet more tips:
Some complain fonts are too small after installing generic apps.
*adb shell wm density 320* changes your DPI by 2 times (160 is a default value.) EDIT: I found 200 is quite enough that does not distort Sony apps too much.
My application is using "Tasker" to execute the above code when specific apps are open and execute *wm density reset* when the apps are closed. 
The reason why we cannot change the global DPI is sadly because it makes the default apps by Sony so awkward.
Alternatively, I could successfully install Xposed to try App Settings but this app crashed.

You can also install Gboard (but it has no hide button, so prepare with virtual back button) if you need another keyboard.

Enjoy your DPT devices 

--
Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.

I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.

Is this information really helpful to root my device? If so, is there any way to apply the previous methods to easily jailbreak DPT-RP1? I think the problem here is that it does not look like Android at all, so has no setting menu or developer tools. And not sure how to enter to the recovery mode since it only has two buttons - power/menu.

I'd appreciate any help or advice. Thanks!


----------



## Anti-paradox (Nov 21, 2018)

p4s2wd said:


> 1. Launch the "Android setting" via a Launcher
> 
> 2. Go to "System" and find "About phone"
> 
> ...

Click to collapse



Many thanks to this follow up, since I am also thinking about adding the default browser to my home screen.
Could you clarify on "copycat the "NoteList" into "Browser"?
Are these files you listed pre-existing files? And if so, where do I find them?
I am a bit confused about what this will actually do...
Thanks!


----------



## yanzi (Nov 21, 2018)

p4s2wd said:


> 1. Launch the "Android setting" via a Launcher
> 
> 2. Go to "System" and find "About phone"
> 
> ...

Click to collapse



Interesting stuff! Taking notes now 

---------- Post added at 01:24 PM ---------- Previous post was at 01:23 PM ----------




hdwrp said:


> Could you please confirm DPT-RP1 with fully functional Android can connect to Bluetooth keyboard to type or to turn the PDF pages?
> Thank you.

Click to collapse



I only know Bluetooth works. I don't have a keyboard to test but I assume it works also. There's nothing preventing it working.

---------- Post added at 01:25 PM ---------- Previous post was at 01:24 PM ----------




Anti-paradox said:


> Many thanks to this follow up, since I am also thinking about adding the default browser to my home screen.
> Could you clarify on "copycat the "NoteList" into "Browser"?
> Are these files you listed pre-existing files? And if so, where do I find them?
> I am a bit confused about what this will actually do...
> Thanks!

Click to collapse



He meant you can use adb shell to get into device, and add an extra file named Browser to folder /etc/dp_extensions and use the similar contents in NoteList.


----------



## p4s2wd (Nov 21, 2018)

Anti-paradox said:


> Many thanks to this follow up, since I am also thinking about adding the default browser to my home screen.
> Could you clarify on "copycat the "NoteList" into "Browser"?
> Are these files you listed pre-existing files? And if so, where do I find them?
> I am a bit confused about what this will actually do...
> Thanks!

Click to collapse



1. Boot rp1 into DIAG mode, and mount SYSTEM into /mnt/system

2. mkdir /mnt/system

3. mount -t ext4 -o rw /dev/mmcblk0p9 /mnt/system

4. cd /mnt/system/etc/dp_extensions

5. cp -pir NoteList Browser

6. cd Browser, and renamed all files under this folder as following: 
Browser_extension.xml
Browser_strings-en.xml
Browser_strings-ja.xml
Browser_strings-zh_CN.xml
ic_homemenu_browser.png

7. Modify Browser_extension.xml and change "NoteList" with "Browser", and also change the URI value with "intent:#Intent;component=com.android.browser/.BrowserActivity;end", order with 7

8. Modify Browser_strings-en.xml and change "NoteList" with "Browser".

9. Reboot

10. Once the machine booted, process "Home" button, you will see the miracle


----------



## Anti-paradox (Nov 21, 2018)

p4s2wd said:


> 1. Boot rp1 into DIAG mode, and mount SYSTEM into /mnt/system
> 
> 2. mkdir /mnt/system
> 
> ...

Click to collapse



Interesting, I see what you mean.
I suppose the first step, as you listed it, is to get rid of "read-only" state for the sys.
The question is, how would you Access RP1 and fix mount points? 
Adb shell do not allow this in Diag mode, so I have to think of some of ways.
Any ideas?
Thanks


----------



## p4s2wd (Nov 21, 2018)

Anti-paradox said:


> Interesting, I see what you mean.
> I suppose the first step, as you listed it, is to get rid of "read-only" state for the sys.
> The question is, how would you Access RP1 and fix mount points?
> Adb shell do not allow this in Diag mode, so I have to think of some of ways.
> ...

Click to collapse



You can boot the rp1 into diag mode, you're the root in DIAG mode. You can mount the partition and change anything you want.


----------



## chenzhongli (Nov 21, 2018)

*Dpt-rp1 emmc   pin*

Dpt-rp1 emmc   pin


----------



## silvertriclops (Nov 21, 2018)

Any way whoever has the taobao rooted DPT can post their dp_extensions folder? No matter what changes I make to mine, AppLauncher crashes on boot. (In fact, now it's crashing even after undoing all changes so I have to wipe and start over again...)


----------



## ghostwheel (Nov 22, 2018)

chenzhongli said:


> Dpt-rp1 emmc   pin

Click to collapse



Thank you! Can you explain what this is and how to use it?


----------



## sisyphose (Nov 22, 2018)

*brick*

hello, i do it follow your code, and I don't understand 6-9 how to use, then i reboot it, the restart remain"welcome" and could not login into the system, can you help me solve it? Thank u


p4s2wd said:


> 1. Boot rp1 into DIAG mode, and mount SYSTEM into /mnt/system
> 
> 2. mkdir /mnt/system
> 
> ...

Click to collapse




---------- Post added at 12:09 PM ---------- Previous post was at 11:16 AM ----------




yanzi said:


> Download the following file:
> View attachment 4648071
> 
> And do the following (in diagnosis mode):
> ...

Click to collapse



Hello，I use putty and did  this step "ln -s /system/xbin/daemonsu /mnt/Lucifer/bin/app_process32", and I reboot the device, now the restart remain"welcome" and could not login into the system, can you help me solve it? Thank u

---------- Post added at 12:58 PM ---------- Previous post was at 12:09 PM ----------




silvertriclops said:


> This tool is great! Not perfect and I had to do a few things manually though.
> 
> Anyway, I backed up my boot partition and flashed your modded one. Now I'm able to connect with adb shell, but the device itself never gets past the Welcome screen and pulls up the password prompt. Also su is not working, it just opens up another limited permission shell.

Click to collapse



I meeted the same problem， did you solve it already?


----------



## softtrain (Nov 23, 2018)

mount -t ext4 -o rw /dev/mmcblk0p9 /mnt/system
run ./usr/local/bin/factory_start.sh ./mnt/system/etc/FactoryReset.pkg
this could help to restore the system


----------



## silvertriclops (Nov 23, 2018)

softtrain said:


> mount -t ext4 -o rw /dev/mmcblk0p9 /mnt/system
> run ./usr/local/bin/factory_start.sh ./mnt/system/etc/FactoryReset.pkg
> this could help to restore the system

Click to collapse



This won't restore system, it just wipes data. If you're getting stuck on the welcome spinner, you need to reset system. 

You need the official FwUpdater.pkg (should be inside this zip https://github.com/Antiparadox/Sony-Digital-Paper-Hack/tree/master/firmware 1.4.0.1) and the unzip keys (https://github.com/octavianx/Unpack-and-rebuild-the-DPT-RP1-upgrade-firmware?files=1).

Method one: If you use a Unix PC (or windows with WSL) follow the instructions in the 2nd github to unpack the FwUpdater.png. Pull out system.img and use extract_sparse_file to flash it to the appropriate mmcblk. 

Method two: Put FwUprater.pkg and the out folder with the keys on the device itself, and use start_eufwupdater.sh to run the update on the device. Do note that it will update, but the next time you boot into diag it'll update it again. So after running it, reboot back into diag so it can run the update again before you make any changes.

None of these should wipe your data but you may have to anyway because of encryption stuff. For that you want to use factory_reset.sh in diag, or do it manually. 

Sorry I can't get the exact commands right now. I'm on my phone. I'll write a better tutorial once I get back to my laptop.


----------



## eigenloss (Nov 24, 2018)

Hey all, 

I have a DPT-S1 which unfortunately has a physically damaged/corrupted eMMC - doesn't boot and the CPU doesn't release a GOOD signal. 

Is anyone able to share their boot image or a copy of the non-user partitions on their tablet? I may be able to figure out which testpoints on the board give access to the DAT0/CMD/CLK/VCC/VCCQ pins if any of you have readers.

Thanks so much!

---------- Post added at 05:46 AM ---------- Previous post was at 05:19 AM ----------

It will definitely be easier to dump an image over USB/root, but here is a pinout for the record. The resistors are labeled in the (blurry) image as described below.






1 - DAT0 
2 - DAT1
3 - either CLK or CMD
4 - either CMD or CLK
5 - DAT3
6 - DAT2

Edit: this is the DPT-RP1 thread, isn't it.


----------



## Anti-paradox (Nov 24, 2018)

*iWnn Ime keyboard crashes*

Hi, does anyone encounter a keyboard crash after rooting this device?
I did not install any app on this devices, and hardly use any features after rooting (except the browser, changing the language to Jpn) 
But this morning when I wake up, the built-in iWnn ice keyboard crashes, whenever I demand an input, this menages pops up:
"Unfortunately, the iWnn ime keyboard has stopped"
Any light on this?
Thanks


----------



## Anti-paradox (Nov 24, 2018)

Anti-paradox said:


> Hi, does anyone encounter a keyboard crash after rooting this device?
> I did not install any app on this devices, and hardly use any features after rooting (except the browser, changing the language to Jpn)
> But this morning when I wake up, the built-in iWnn ice keyboard crashes, whenever I demand an input, this menages pops up:
> "Unfortunately, the iWnn ime keyboard has stopped"
> ...

Click to collapse



Update: Got it;
Here's something that might be interesting to look at:
https://developer.android.com/reference/android/provider/Settings
if you change input_method and disable Iwnn, you should be fine!


----------



## p4s2wd (Nov 25, 2018)

Anti-paradox said:


> Hi, does anyone encounter a keyboard crash after rooting this device?
> I did not install any app on this devices, and hardly use any features after rooting (except the browser, changing the language to Jpn)
> But this morning when I wake up, the built-in iWnn ice keyboard crashes, whenever I demand an input, this menages pops up:
> "Unfortunately, the iWnn ime keyboard has stopped"
> ...

Click to collapse



Enabled the ADB and tried to run the following command

adb shell am start -a android.settings.LOCALE_SETTINGS

Once the UI display, select the English, and reboot the device again.


----------



## dimitrios.tziouris (Nov 26, 2018)

Has anybody been able to use the rooted DPTRP1 as an external monitor? A small guide would be great!


----------



## p4s2wd (Nov 27, 2018)

You can enable the input method with following command:

am start -a android.settings.INPUT_METHOD_SETTINGS


----------



## Anti-paradox (Nov 28, 2018)

Does any one has any idea how to launch app launcher in the terminal? I accidentally crash it after altering certain attributes
I tried am start -a android.intent.action.MAIN -n com.sony.apps.applauncher/.activities.MainActivity  
but the name of the activity is not correct, so I cannot debug on that.
Any help? Thanks!


----------



## Anti-paradox (Nov 28, 2018)

Anti-paradox said:


> Does any one has any idea how to launch app launcher in the terminal? I accidentally crash it after altering certain attributes
> I tried am start -a android.intent.action.MAIN -n com.sony.apps.applauncher/.activities.MainActivity
> but the name of the activity is not correct, so I cannot debug on that.
> Any help? Thanks!

Click to collapse



Updates:
It seems that this app cannot be launched, as no luanchable activity is provided...


----------



## silvertriclops (Nov 29, 2018)

Anti-paradox said:


> Updates:
> It seems that this app cannot be launched, as no luanchable activity is provided...

Click to collapse




```
input keyevent KEYCODE_HOME
```

The default home screen is set as the main DP app (unless you install another launcher) but pushing the home button on this device (which that command does) pulls up the AppLauncher.

---------- Post added at 06:21 PM ---------- Previous post was at 06:11 PM ----------

Things I'm still trying to figure out - has anyone gotten these down besides ladyhack and the other taobao guys?


Adding stuff like the home screen, browser, etc in App Launcher. I tried to copy one of the dp extension folders and modified it exactly as @p4s2wd said here but it either doesn't show up, or App Launcher crashes on boot and can't be fixed without wiping /data.
DPI stuff. Doubling the DPI works great for most apps but then the DP app gets messed up. Anyone know of a way to mod the DP app or something so changing the DPI doesn't screw it up?
OneNote crashes as soon as I try to draw with the pen  any other note apps that have been tested to work?
The DP app stores its PDFs in folders and files with random filenames. If I change those filenames will it still work? Trying to figure out if I can use a sync app so I can use the DP note app without having to sync with Sony's PC app and instead just use Google Drive.
Status bar (not that big of a deal) and nav bar (actually useful) seem to be not only disabled but completely missing from the system. I tried to enable the nav bar in build.prop and nothing happened. This means no back button. I did try installing a 3rd party nav bar but it doesn't auto hide in the DP app, the home button just opens the App Launcher and the recents screen also seems to be completely missing.


----------



## sartrism (Aug 11, 2017)

Update (5/18/2019)

Since the first tool was released, HappyZ has improved many features so I think I can just refer to

* HappyZ's rooting guide: https://github.com/HappyZ/dpt-tools/wiki/The-Ultimate-Rooting-Guide
   - The only thing I want to add as Windows user is (because the guide is for Mac/Linux users) it gets much easier if you use Linux terminal like cygwin, and the port name should be something like COM# where # can be found in Device Manager by comparing before/after you attach the device.

* HappyZ's upgrade guide: https://github.com/HappyZ/dpt-tools/wiki/The-Upgrade-Guide (Recommend to read this before/after you update the new firmware.)

You may donate a cup of coffee to him there  Thanks to all others who contributed a lot.

--
Update (12/02/2018) -- These are outdated.
Finally we manage to root the device! Many thanks to all of your efforts.

Just refer to HappyZ's well written guide: https://github.com/HappyZ/dpt-tools

For whom have never used python like me (and probably using Windows):
(1) Install Python 3 and add it to PATH.
(2) Install MINGW64 and run scripts here instead of Powershell due to xxd issue if you are on Windows.
(2) *pip httpsig pyserial* on bash.
(3) Download HappyZ's dpt-tools and unzip.
(4* this issue is fixed by HappZ)
(5) Follow HappyZ's guide. You should execute dpt-tools.py in the folder you unzipped to use *get-su-bin* because of how the script is written.

Some suggestions after rooting (let me know if you have better ideas):

Here is my setup: install "E-ink Launcher" and "Multi action home button" using *adb install*.
Use *adb shell am start -a android.intent.action.MAIN* to change the main launcher to your launcher.
Then change the setting of Multi Action Home button (say, the height should be large to be visible in the bottom) and assign its function to be Home for click and Back for double-click.
Whenever you want to use Sony's apps (these are good for pdf markup), just push the home button to open the pop-up menu.
Otherwise, touch the Multi Action Home Button to access to other Android apps. So far I've never experience any crash.

Yet more tips:
Some complain fonts are too small after installing generic apps.
*adb shell wm density 320* changes your DPI by 2 times (160 is a default value.) EDIT: I found 200 is quite enough that does not distort Sony apps too much.
My application is using "Tasker" to execute the above code when specific apps are open and execute *wm density reset* when the apps are closed. 
The reason why we cannot change the global DPI is sadly because it makes the default apps by Sony so awkward.
Alternatively, I could successfully install Xposed to try App Settings but this app crashed.

You can also install Gboard (but it has no hide button, so prepare with virtual back button) if you need another keyboard.

Enjoy your DPT devices 

--
Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.

I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.

Is this information really helpful to root my device? If so, is there any way to apply the previous methods to easily jailbreak DPT-RP1? I think the problem here is that it does not look like Android at all, so has no setting menu or developer tools. And not sure how to enter to the recovery mode since it only has two buttons - power/menu.

I'd appreciate any help or advice. Thanks!


----------



## sartrism (Nov 30, 2018)

I updated the original post briefly summarize what you guys did. It's so awesome! I also changed the title because my question has been answered.

Sorry that I'm not familiar with XDA and I didn't follow all the conversations, so let me know if I need to add more. For example, I feel sorry that I don't know who should I give the credit.


----------



## jess91 (Nov 30, 2018)

Thanks for sharing.

What exactly does this "root" allow out of the box? Does it unlock ability to hidden options in Sony's DP software itself, for example to allow opening of formats other than pdf using Sony's own software? Does it allow access to device storage as a regular USB drive without having to transfer books using Sony's software?

I understand apps can be sideloaded using apk files but to get full Android with features like Google Play Store requires the "taobao" firmware and this is not available. Is that right?


----------



## hdwrp (Nov 30, 2018)

Anybody able to install Google Play Store so we can download and use paid apps?


----------



## sartrism (Dec 1, 2018)

jess91 said:


> Thanks for sharing.
> 
> What exactly does this "root" allow out of the box? Does it unlock ability to hidden options in Sony's DP software itself, for example to allow opening of formats other than pdf using Sony's own software? Does it allow access to device storage as a regular USB drive without having to transfer books using Sony's software?
> 
> I understand apps can be sideloaded using apk files but to get full Android with features like Google Play Store requires the "taobao" firmware and this is not available. Is that right?

Click to collapse





hdwrp said:


> Anybody able to install Google Play Store so we can download and use paid apps?

Click to collapse



I didn't use any metaphor. Rooting is rooting. You can always sideload gapps or extract necessary components from them as usual. If you want 'taobao' firmware whatever that is, you can ask one of kind users here who already have that to get the image and flash it.

But why though? E-readers are different from android tablets by their purpose. It is a common wisdom among e-reader users to use minimal and optimized apps for those devices. (They are usually made by manufacturers and extracted from these kinds of rooted devices.) You can sideload a decent reader that supports many formats other than pdf and some dedicated bookstore apps including kindle. I don't see any reason why I have to shop in Play Store as I do in smartphones.


----------



## zambo91 (Dec 1, 2018)

Hi guys
Im following the rooting since a year now
Will be possible to unlock the blutootg with the root?
Possibility to pair a page turner would be a "buy now" news for me
Or do you think will be possible in the near future?


----------



## jess91 (Dec 1, 2018)

sartrism said:


> I didn't use any metaphor. Rooting is rooting. You can always sideload gapps or extract necessary components from them as usual. If you want 'taobao' firmware whatever that is, you can ask one of kind users here who already have that to get the image and flash it.
> 
> But why though? E-readers are different from android tablets by their purpose. It is a common wisdom among e-reader users to use minimal and optimized apps for those devices. (They are usually made by manufacturers and extracted from these kinds of rooted devices.) You can sideload a decent reader that supports many formats other than pdf and some dedicated bookstore apps including kindle. I don't see any reason why I have to shop in Play Store as I do in smartphones.

Click to collapse



The Taobao firmware has been mentioned frequently in this and other threads and is about more than just Google Play. My main curiosity is whether there are features in the Sony software that could be unlocked with root. If, for example, root can be exploited to use epub files with Sony's software this would, for my needs, eliminate having to sideload a secondary ereader app like Moon+ Reader avoiding issues such as DPI which is one of several arguments to still opt for the Taobao, see:



shankerzhiwu said:


> However, this can be a huge task. At fist I thought it could simple and straight forward after gaining root privilege. After installing several applications, I found most normal Android applications not fit the digital paper screen well. The rendered text is too thin and hard to recognize. As a result, for normal users who only want to read epub books, I strongly recommend the rooted version sold on Taobao and GoodReader or their rooting services. Judging from their demo video, I think the root service is worth itself.

Click to collapse


----------



## hdwrp (Dec 1, 2018)

sartrism said:


> You can always sideload gapps or extract necessary components from them as usual. If you want 'taobao' firmware whatever that is, you can ask one of kind users here who already have that to get the image and flash it.
> 
> But why though? E-readers are different from android tablets by their purpose. It is a common wisdom among e-reader users to use minimal and optimized apps for those devices. (They are usually made by manufacturers and extracted from these kinds of rooted devices.) You can sideload a decent reader that supports many formats other than pdf and some dedicated bookstore apps including kindle. I don't see any reason why I have to shop in Play Store as I do in smartphones.

Click to collapse



The only purpose for DPT-RP1 for me would be to read/display sheet music. The best app is not free on Google Play Store. I don't want to use modified app version because I want to pay/support the developer.
I could have only this app and nothing else on DPT-RP1.

As mentioned before the original DPT-RP1 uses Bluetooth only for data transfer. It is not possible to connect Bluetooth page turner to turn pages wirelessly. It is disabled.
Unfortunately nobody here confirmed yet that one can connect Bluetooth keyboard to type (or pager turner) to rooted DPT-RP1.


----------



## sartrism (Dec 1, 2018)

jess91 said:


> The Taobao firmware has been mentioned frequently in this and other threads and is about more than just Google Play. My main curiosity is whether there are features in the Sony software that could be unlocked with root. If, for example, root can be exploited to use epub files with Sony's software this would, for my needs, eliminate having to sideload a secondary ereader app like Moon+ Reader avoiding issues such as DPI which is one of several arguments to still opt for the Taobao, see:

Click to collapse



As I said, there are some dedicated e-ink specialized apps made by e-reader manufacturers. I can read EPUB perfectly on my rooted DPT-RP1 without any hassle, and those apps cannot be found on Play Store. Of course a general app like Moon+ is not made for e-reader.

I totally agree with @shankerzhiwu's opinion you quoted. If you are a type of person asking "Can I do XXX after this?" then better buy Taobao one. Is it too expensive? There is no way to save both your money and time.

I highly doubt Taobao guys hacked sony's apk though as you described. What I have seen in those videos is just using similar apps I mentioned above to open epub or comic books. (Something like internal apps from Onyx devices.) As far as I know, Sony's app is based on Foxit pdf reader and it is impossible to load epub on it in the first place. Let me know if I'm wrong.


----------



## jess91 (Dec 2, 2018)

Hello sartrism, I can't tell if it is intentional or you are even aware but your latest replies are unnecessarily confrontational. 



sartrism said:


> As I said, there are some dedicated e-ink specialized apps made by e-reader manufacturers. I can read EPUB perfectly on my rooted DPT-RP1 without any hassle, and those apps cannot be found on Play Store. Of course a general app like Moon+ is not made for e-reader..

Click to collapse



What exactly does this mean please? That you have simply sideloaded another app that is not impacted by the DPI issue? Otherwise, if root opens up the ability, whether custom or through built-in existing options, within Sony's DP software such as accepting epub please confirm your findings and share any procedure. If you have otherwise found a solution to the DPI issue described impacting sideloaded apps please share your procedure.



sartrism said:


> I totally agree with @shankerzhiwu's opinion you quoted. If you are a type of person asking "Can I do XXX after this?" then better buy Taobao one. Is it too expensive? There is no way to save both your money and time..
> 
> I highly doubt Taobao guys hacked sony's apk though as you described. What I have seen in those videos is just using similar apps I mentioned above to open epub or comic books. (Something like internal apps from Onyx devices.) As far as I know, Sony's app is based on Foxit pdf reader and it is impossible to load epub on it in the first place. Let me know if I'm wrong.

Click to collapse



Your opinion on the use cases for Google Play Store or certain apps on an e-reader, however valuable they may be, were not the main topic. Understanding the obstacles and complexities to reach desired functionality and ability I and others are asking about are important factors in the decision process to purchase a DPT. It is not about paying for the Taobao fw, security is a sacrifice this way, it is not just about cost. Anyone who can afford a DPT can afford the service premium from Taobao/Goodreader, that is not the point. The questions are to understand the gap between root and Taobao, not debate about personal opinions and situations. Getting back to the point, as you've followed the root process shared here on your device if you can positively confirm any of the questions, including very simple ones like on bluetooth limitations asked by hdwrp it would be appreciated.


----------



## shankerzhiwu (Dec 4, 2018)

hdwrp said:


> The only purpose for DPT-RP1 for me would be to read/display sheet music. The best app is not free on Google Play Store. I don't want to use modified app version because I want to pay/support the developer.
> I could have only this app and nothing else on DPT-RP1.
> 
> As mentioned before the original DPT-RP1 uses Bluetooth only for data transfer. It is not possible to connect Bluetooth page turner to turn pages wirelessly. It is disabled.
> Unfortunately nobody here confirmed yet that one can connect Bluetooth keyboard to type (or pager turner) to rooted DPT-RP1.

Click to collapse



I tried to pair the rooted DPT with a bluetooth keyboard, and the DPT cannot discover the keyboard for pair while my laptop can. 

I also tried to pair my DPT with a bluetooth headset, and this time, the DPT can pair with the headset but no sound was in the headset when I was playing some music in web browser.

However, the DPT is totally an Android device, I think there must be some method to enable a full functional bluetooth. Maybe someone on this forum can. I am not familiar with Android system, so I cannot give you more help.


----------



## sartrism (Dec 4, 2018)

shankerzhiwu said:


> I tried to pair the rooted DPT with a bluetooth keyboard, and the DPT cannot discover the keyboard for pair while my laptop can.
> 
> I also tried to pair my DPT with a bluetooth headset, and this time, the DPT can pair with the headset but no sound was in the headset when I was playing some music in web browser.
> 
> However, the DPT is totally an Android device, I think there must be some method to enable a full functional bluetooth. Maybe someone on this forum can. I am not familiar with Android system, so I cannot give you more help.

Click to collapse



Actually that is more difficult than you think. It has no HID profile (like the outdated Android phones 10 years ago) so you can only use the bluetooth to transfer files as is. Resolving this should involve with repacking bluetooth.default.so library as some mods provide, but it is a kernel-level modification which is too risky and too much in my opinion.

A workaround is using wifi instead, for there are some apps making your another device as a wifi remote.


----------



## hdwrp (Dec 4, 2018)

I have asked goodereader if their Taobao version can connect to Bluetooth keyboard/turner but got no reply.
I do not know anybody with Taobao RP1.


----------



## shankerzhiwu (Dec 4, 2018)

sartrism said:


> Actually that is more difficult than you think. It has no HID profile (like the outdated Android phones 10 years ago) so you can only use the bluetooth to transfer files as is. Resolving this should involve with repacking bluetooth.default.so library as some mods provide, but it is a kernel-level modification which is too risky and too much in my opinion.
> 
> A workaround is using wifi instead, for there are some apps making your another device as a wifi remote.

Click to collapse



I wonder if you have any idea about the DPI issue?


----------



## sartrism (Dec 4, 2018)

shankerzhiwu said:


> I wonder if you have any idea about the DPI issue?

Click to collapse



It's not an 'issue', in my opinion. For example, if you use other large readers like Onyx Boox Max 2 (which is fully open to use Android), it has also the same small-font problem with generic apps. This is exactly the same huh when you first use 4K monitor.

One trick is changing DPI of the device, using some apps or the comand *adb shell wm density XXX*, say. (XXX should be larger than 160 which is the default value.)
Note that, DPT-RP1 has 1650x2200 pixels with default density 160. Compared to this, Pixel XL has 1440x2560 pixels with default density 560.

But if an app is not developed for such low density devices, so is not flexible with respect to the change of DPI, then it might look awkward. The problem here is that Sony's dedicated apps are broken if you change DPI too much.

So my solution is changing DPI depending on which app you use. "App Settings" with Xposed framework provides this feature but it did not work, unfortunately. Instead I use another app "Tasker" so that some apps are open then change the DPI as I want, and change it back when they are closed.

Ideally, it would be better to use apps specifically designed to respond with DPT-like devices.


----------



## deedee4 (Dec 5, 2018)

Definitely needed a 'for dummies' walkthrough. Rundown of where I got stuck for anybody else:
Make sure to cd (change directory) to the 'dpt-tools-master' folder before attempting the "pip httpsig pyserial" (in bash/terminal/cmd) step.
The deviceid and key files after using the Sony Digital Paper application are simply located in AppData/Roaming/Sony Corporation/Digital Paper App/...
Spent a good few hours banging my head trying to install 'MINGW64' and failing to use a live Linux USB before realizing the backup step is technically optional and thus so is mingw. 
Fixing the unauthorized error just involves copying the included adbkey file to your .android folder (after renaming the original) and running the adb command 'adb kill-server'.

A question: Does anybody know where the button layout .kl file is for the DPT? Mine has a broken power button and I was hoping to add a 'Wake' command to the Home button so that I can exit sleep mode with it, instead of having to plug it in every time.


----------



## sartrism (Dec 5, 2018)

deedee4 said:


> A question: Does anybody know where the button layout .kl file is for the DPT? Mine has a broken power button and I was hoping to add a 'Wake' command to the Home button so that I can exit sleep mode with it, instead of having to plug it in every time.

Click to collapse



Try xposed framework + xposed additions to remap your physical keys.


----------



## ghostwheel (Dec 5, 2018)

OK, finally rooted. Was a bit complicated.
I have a question: after installation, various things are on the device. Browser, 10086.cn, Search, File Manager.
Were these things on the DPT, but couldn't be seen, or did the firmware/whatever I installed also install these?

I took the kindle apk from my phone, and installed it. Works well. Actually, I have some problems. Reading magazines, such as "New Scientist" works well. When reading books, the adjust font size dialog doesn't seem to go away, I have to exit and restart Kindle after setting font size. Not too bad. But reading newspapers, such as "New York Times" doesn't work. I can see table of content, and first page on each article, but when I try to go to the next page Kindle crashes.

I installed multi-action Home button. Its main advantage is that you can specify what app to launch when pressing the area at the bottom of the screen. So I can launch my launcher. I don't know how to go to pro version, so that back and menu button will also work.

The regular home button still launches the sony menu at the top. I haven't edited that yet.

Update: I installed "back button anywhere", which gives both home and back.
Before, I tried Button Savior (which can't launch arbitrary app) and multi-action home (which doens't have back button) Another interesting option is UDN lite (https://forum.xda-developers.com/showthread.php?t=2270198), but I can't get it to hide, and it covers other things on the screen.

As launcher I'm using e-ink launcher. Maybe later something like ReLaunch or ReLaunchX could work.

Squid (note taking) is too slow. 
PDF and DJVU reader works, is quite fast, but has a few hikups. Workable, though. (Converting to PDF and reading on the sony app is probably still better)

I have a "Rii ultra slim wireless keyboard", which I did manage to pair. When I click on the gear at the right of the bluetooth list item for the device, I see "Use for -> input device" with an empty tick box, but I can't enable it....


----------



## silvertriclops (Dec 6, 2018)

Is there anyone who can dump /system from their taobao RP1 and upload it somewhere?


----------



## silvertriclops (Dec 6, 2018)

Sorry for being really late on this, but I have finished with the instructions to restore system if you've corrupted it and/or are unable to get past the welcome screen. Of course you have to be able to boot into diagnostic to do it so don't mess that up.

https://github.com/jbschooley/DPTstuff (As of posting this, it's still uploading so be patient)

After flashing system, if you still can't boot it or stuff crashes, boot back into diag, run /usr/local/bin/factory_reset.sh, then reflash system.



hdwrp said:


> I have asked goodereader if their Taobao version can connect to Bluetooth keyboard/turner but got no reply.
> I do not know anybody with Taobao RP1.

Click to collapse



I remember calling one of the Goodereader guys a while ago. Think it was to ask if I could trade the DPT unlock service for a crap ton of pizza since I'm flat broke and had a hookup for cheap pizza :laugh: unfortunately he said heck no but that doesn't matter anymore. I'll dig around and see if I can find that number again.

edit: here's the number I called


----------



## p4s2wd (Dec 7, 2018)

silvertriclops said:


> Is there anyone who can dump /system from their taobao RP1 and upload it somewhere?

Click to collapse



You could download the pkg from http://kdroid.club/dpt1-user/, pls do unpack the pkg and dd system.img only.


----------



## sartrism (Aug 11, 2017)

Update (5/18/2019)

Since the first tool was released, HappyZ has improved many features so I think I can just refer to

* HappyZ's rooting guide: https://github.com/HappyZ/dpt-tools/wiki/The-Ultimate-Rooting-Guide
   - The only thing I want to add as Windows user is (because the guide is for Mac/Linux users) it gets much easier if you use Linux terminal like cygwin, and the port name should be something like COM# where # can be found in Device Manager by comparing before/after you attach the device.

* HappyZ's upgrade guide: https://github.com/HappyZ/dpt-tools/wiki/The-Upgrade-Guide (Recommend to read this before/after you update the new firmware.)

You may donate a cup of coffee to him there  Thanks to all others who contributed a lot.

--
Update (12/02/2018) -- These are outdated.
Finally we manage to root the device! Many thanks to all of your efforts.

Just refer to HappyZ's well written guide: https://github.com/HappyZ/dpt-tools

For whom have never used python like me (and probably using Windows):
(1) Install Python 3 and add it to PATH.
(2) Install MINGW64 and run scripts here instead of Powershell due to xxd issue if you are on Windows.
(2) *pip httpsig pyserial* on bash.
(3) Download HappyZ's dpt-tools and unzip.
(4* this issue is fixed by HappZ)
(5) Follow HappyZ's guide. You should execute dpt-tools.py in the folder you unzipped to use *get-su-bin* because of how the script is written.

Some suggestions after rooting (let me know if you have better ideas):

Here is my setup: install "E-ink Launcher" and "Multi action home button" using *adb install*.
Use *adb shell am start -a android.intent.action.MAIN* to change the main launcher to your launcher.
Then change the setting of Multi Action Home button (say, the height should be large to be visible in the bottom) and assign its function to be Home for click and Back for double-click.
Whenever you want to use Sony's apps (these are good for pdf markup), just push the home button to open the pop-up menu.
Otherwise, touch the Multi Action Home Button to access to other Android apps. So far I've never experience any crash.

Yet more tips:
Some complain fonts are too small after installing generic apps.
*adb shell wm density 320* changes your DPI by 2 times (160 is a default value.) EDIT: I found 200 is quite enough that does not distort Sony apps too much.
My application is using "Tasker" to execute the above code when specific apps are open and execute *wm density reset* when the apps are closed. 
The reason why we cannot change the global DPI is sadly because it makes the default apps by Sony so awkward.
Alternatively, I could successfully install Xposed to try App Settings but this app crashed.

You can also install Gboard (but it has no hide button, so prepare with virtual back button) if you need another keyboard.

Enjoy your DPT devices 

--
Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.

I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.

Is this information really helpful to root my device? If so, is there any way to apply the previous methods to easily jailbreak DPT-RP1? I think the problem here is that it does not look like Android at all, so has no setting menu or developer tools. And not sure how to enter to the recovery mode since it only has two buttons - power/menu.

I'd appreciate any help or advice. Thanks!


----------



## silvertriclops (Dec 7, 2018)

p4s2wd said:


> You could download the pkg from http://kdroid.club/dpt1-user/, pls do unpack the pkg and dd system.img only.

Click to collapse



Holy crap, where did you find that? I stuck it into Google and can't find any forum posts about it. Also it looks like the last update was just last week.

I'm definitely trying this as soon as I can ?


----------



## p4s2wd (Dec 7, 2018)

silvertriclops said:


> Holy crap, where did you find that? I stuck it into Google and can't find any forum posts about it. Also it looks like the last update was just last week.
> 
> I'm definitely trying this as soon as I can ?

Click to collapse



https://www.hi-pda.com/forum/viewth...a=page=1&amp;filter=type&amp;typeid=69&page=1, there are few people discussing the same topic and you may learn a bit with google translate


----------



## sekkit (Dec 7, 2018)

p4s2wd said:


> there are few people discussing the same topic and you may learn a bit with google translate

Click to collapse



I can read, but my account hasn't been approved. Can u make a screenshot so that we can share the info.


----------



## silvertriclops (Dec 7, 2018)

Bad news about the kdroid.club image. It works, but has something blocking anything from working unless it checks in with the taobao seller to prove that I purchased an activation code. But I have unpacked system.img and will try installing components of it into the default (rooted) image.


----------



## ghostwheel (Dec 7, 2018)

Did someone notice slowdowns after rooting?

On my machine, even small PDFs will get stuck for a few seconds, and pages won't turn, even the HOME button will not respond.
I think that when I turned off WiFi these slowdowns stopped. I somehow suspect that one of my installed programs is trying to access
google play services, or something like that, or download ads. I'll continue to check. I'll also try to uninstall  some of my apps and check if things improve.

UPDATE: so I uninstalled pretty much all apps, rebooted, and still had slowdowns that made it really hard to work.
I'm not sure what is causing this. Another possibility is that 2 computers that weren't mine might have been running the Digital Paper app on the same network....


----------



## sekkit (Dec 7, 2018)

silvertriclops said:


> Bad news about the kdroid.club image. It works, but has something blocking anything from working unless it checks in with the taobao seller to prove that I purchased an activation code. But I have unpacked system.img and will try installing components of it into the default (rooted) image.

Click to collapse



same here. do u use the boot.img shipped with dpt-tools or that hacked firmware? On my device the default boot stuck at Welcome.

---------- Post added at 08:12 PM ---------- Previous post was at 08:09 PM ----------




silvertriclops said:


> Bad news about the kdroid.club image. It works, but has something blocking anything from working unless it checks in with the taobao seller to prove that I purchased an activation code. But I have unpacked system.img and will try installing components of it into the default (rooted) image.

Click to collapse



remove that startup app(I guess the name is JSONClient.apk) that blocks system from entering desktop, and repack the img, I think that'll do.


----------



## silvertriclops (Dec 8, 2018)

hdwrp said:


> I have asked goodereader if their Taobao version can connect to Bluetooth keyboard/turner but got no reply.
> I do not know anybody with Taobao RP1.

Click to collapse





sekkit said:


> same here. do u use the boot.img shipped with dpt-tools or that hacked firmware? On my device the default boot stuck at Welcome.
> 
> ---------- Post added at 08:12 PM ---------- Previous post was at 08:09 PM ----------
> 
> ...

Click to collapse



anyone else able to mess with it? I use my DPT for taking notes and sheet music every day and it gets annoying having to reflash, root, and sync all my docs before I go to class every day


----------



## sekkit (Dec 8, 2018)

silvertriclops said:


> anyone else able to mess with it? I use my DPT for taking notes and sheet music every day and it gets annoying having to reflash, root, and sync all my docs before I go to class every day

Click to collapse



 If u can't afford the time, better go with Boox Max2


----------



## ghostwheel (Dec 8, 2018)

sekkit said:


> If u can't afford the time, better go with Boox Max2

Click to collapse



No amount of tinkering with the DPT will make the Book Max2 better!

---------- Post added at 23:09 ---------- Previous post was at 23:06 ----------




sekkit said:


> remove that startup app(I guess the name is JSONClient.apk) that blocks system from entering desktop, and repack the img, I think that'll do.

Click to collapse



Sorry, how do you pack/unpack the pkg files?

I guess another option is to install them, and then make the corrections/deletions in diagnosis mode.


----------



## sekkit (Dec 9, 2018)

ghostwheel said:


> No amount of tinkering with the DPT will make the Book Max2 better!
> 
> ---------- Post added at 23:09 ---------- Previous post was at 23:06 ----------
> 
> ...

Click to collapse



use dpt-tools' shell scripts to unpack them.
I tried that, but dpi messed up, and JSONClient.apk might be a preparation app that init the system, so bypassing it will cause neoreader not being installed.


----------



## silvertriclops (Dec 9, 2018)

sekkit said:


> use dpt-tools' shell scripts to unpack them.
> I tried that, but dpi messed up, and JSONClient.apk might be a preparation app that init the system, so bypassing it will cause neoreader not being installed.

Click to collapse



I wouldn't suggest modifying the system.img before installing it. Instead, flash it along with the provided boot.img, wait for it to boot, then boot up in diag mode and rename JSONClient.apk to something like JSONClient.apk.old so it won't run. See if that works. 

To be honest though I don't really trust running that firmware. I'd rather mod the original firmware myself instead of dealing with the Chinese stuff. Now that I sorta figured out how to add other stuff to the applauncher, all I want is a bottom nav bar that contains a back button and isn't some 3rd party app that still overlaps the DP app. I don't know why that nav bar, and the status bar, have been completely removed from the firmware. Will probably need some framework-res.apk and/or systemui.apk editing to restore those. Either way, this firmware doesn't help with that.


----------



## SylentStryke (Dec 9, 2018)

*HappyZ dpt-tools confusion*

I am currently trying to root my DPT-RP1 and am a bit confused about how to follow this HappyZ *dpt-tools* README. When running root I get the following error

```
>>> root
[info] Please make sure you have charged your battery before this action.
[info] Thank shankerzhiwu (and his/her anonymous friend) a lot on this hack!!!All credits go to him (and his/her anonymous friend)!
>>> Have you disabled the id check already? [yes/no]: yes
[info] Congrats! You are half-way through! You have disabled the OTG ID check
[info] fw updating in progress.. do NOT press anything..
[error] https://192.168.1.35:8443/system/controls/update_firmware/file
[error] request error 401:
[error] * error_code: 40100
[error] * message: Authentication is required.
[error] failed to upload file
[error] Failed to upload shankerzhiwu_changepwd pkg
```

Just curious should I be running "root" then following this wiki *boot.img-unpack-and-pac*k then running "diagnosis" mode to install su and setup adb or am I going about it all wrong? Was also unsure if I still needed to create a custom OTG usb or if that step is no required anymore and everything can be done through software?


----------



## shankerzhiwu (Dec 9, 2018)

SylentStryke said:


> I am currently trying to root my DPT-RP1 and am a bit confused about how to follow this HappyZ *dpt-tools* README. When running root I get the following error
> 
> ```
> >>> root
> ...

Click to collapse



Have you provide valid id and key file to the script? 

BTW, you should answer no for the first question if your dpt has never been rooted. 

Remember,  HappyZ's tool is not able to handle some corner cases, which may make your device stuck in a boot loop or so and unrepairable without disassembling (Don't ask me how I know that). Use this tool on your own risk.

---------- Post added 10th December 2018 at 12:00 AM ---------- Previous post was 9th December 2018 at 11:31 PM ----------

Alternatively, you can directly use dpt-rp1-py to flash the two firmwares. which is exactly the same as HappyZ's dpt-tools. The detailed steps are:

1. Download dpt-rp1-py. Follow the instructions given on the readme page.
2. Learn how to use dpt-rp1-py. At least, you can use the tool to upload/download pdf documents to/from your device.
3. Download the two .pkg files under https://github.com/HappyZ/dpt-tools/tree/master/python_api/assets .
4. Flash the two packages into your device with dpt-rp1-py.

Suppose your command for uploading pdf documents is: 

```
dptrp1 --client-id xxx --key xxx --addr xxx upload ./file.pdf Document/Articles/file.pdf
``` 

Then your command for flashing the packages should be: 

```
dptrp1 --client-id xxx --key xxx --addr xxx update /path/to/xxx.pkg
```

Flash the two packages one and another. When finishing firmware update for one package, your device will complain that the upgrade has failed. Just ignore it and continue to flash the other one.

---------- Post added at 12:09 AM ---------- Previous post was at 12:00 AM ----------

If you find this method is too complex for you, please wait until someone can contribute a more easy-to-use tool for rooting dpt-rp1.


----------



## yanzi (Dec 11, 2018)

shankerzhiwu said:


> Have you provide valid id and key file to the script?
> 
> BTW, you should answer no for the first question if your dpt has never been rooted.
> 
> ...

Click to collapse



Lol thanks for being the first person trying it, and sorry about all the issues created to you  
I should have now fixed most bugs.

It is possible to prepare a flashable pkg to prevent troubles, but since now we have taobao firmware, it looks like we can easily use theirs with just a few tweaks. They now support bluetooth HID also, which is a huge plus.

I will keep an eye on the system updates etc. later.


----------



## azureliar (Dec 13, 2018)

deleted. sent direct msg.


----------



## jess91 (Dec 14, 2018)

silvertriclops said:


> To be honest though I don't really trust running that firmware. I'd rather mod the original firmware myself instead of dealing with the Chinese stuff.

Click to collapse



Exactly. The Taobao fw is helpful in reverse engineering for solutions and for extracting certain components. Not more. Foolish to install it wholesale. But good to see it is being used as a source, last I checked and replied some pages ago the vocal users at the time were clueless about taobao fw and giving attitude over features not being necessary.


----------



## Marathon2112 (Dec 14, 2018)

Would anyone know if there is a way to mount the rooted device as an external drive to drag and drop PDFs on it? This would be much more convenient than having to use janten's dpt-rp1-py script (on Linux).


----------



## silvertriclops (Dec 15, 2018)

Marathon2112 said:


> Would anyone know if there is a way to mount the rooted device as an external drive to drag and drop PDFs on it? This would be much more convenient than having to use janten's dpt-rp1-py script (on Linux).

Click to collapse



Seconded looking for something like this. I haven't found a way because the Sony apps have their own weird organization for storing PDFs and use a database to keep track of them. Also the official DP app only works on Android 6+ while the device runs 5.1.1, what the heck?

I'm thinking the best way to do this would be for someone to write their own android app that wraps janten's script. I would if I had time for that.


----------



## serige (Dec 21, 2018)

Can anyone comment on the battery drain after rooting?


----------



## silvertriclops (Dec 21, 2018)

serige said:


> Can anyone comment on the battery drain after rooting?

Click to collapse



I still charge mine once every 2 weeks, haven't noticed a difference as long as I don't leave wifi on


----------



## sartrism (Aug 11, 2017)

Update (5/18/2019)

Since the first tool was released, HappyZ has improved many features so I think I can just refer to

* HappyZ's rooting guide: https://github.com/HappyZ/dpt-tools/wiki/The-Ultimate-Rooting-Guide
   - The only thing I want to add as Windows user is (because the guide is for Mac/Linux users) it gets much easier if you use Linux terminal like cygwin, and the port name should be something like COM# where # can be found in Device Manager by comparing before/after you attach the device.

* HappyZ's upgrade guide: https://github.com/HappyZ/dpt-tools/wiki/The-Upgrade-Guide (Recommend to read this before/after you update the new firmware.)

You may donate a cup of coffee to him there  Thanks to all others who contributed a lot.

--
Update (12/02/2018) -- These are outdated.
Finally we manage to root the device! Many thanks to all of your efforts.

Just refer to HappyZ's well written guide: https://github.com/HappyZ/dpt-tools

For whom have never used python like me (and probably using Windows):
(1) Install Python 3 and add it to PATH.
(2) Install MINGW64 and run scripts here instead of Powershell due to xxd issue if you are on Windows.
(2) *pip httpsig pyserial* on bash.
(3) Download HappyZ's dpt-tools and unzip.
(4* this issue is fixed by HappZ)
(5) Follow HappyZ's guide. You should execute dpt-tools.py in the folder you unzipped to use *get-su-bin* because of how the script is written.

Some suggestions after rooting (let me know if you have better ideas):

Here is my setup: install "E-ink Launcher" and "Multi action home button" using *adb install*.
Use *adb shell am start -a android.intent.action.MAIN* to change the main launcher to your launcher.
Then change the setting of Multi Action Home button (say, the height should be large to be visible in the bottom) and assign its function to be Home for click and Back for double-click.
Whenever you want to use Sony's apps (these are good for pdf markup), just push the home button to open the pop-up menu.
Otherwise, touch the Multi Action Home Button to access to other Android apps. So far I've never experience any crash.

Yet more tips:
Some complain fonts are too small after installing generic apps.
*adb shell wm density 320* changes your DPI by 2 times (160 is a default value.) EDIT: I found 200 is quite enough that does not distort Sony apps too much.
My application is using "Tasker" to execute the above code when specific apps are open and execute *wm density reset* when the apps are closed. 
The reason why we cannot change the global DPI is sadly because it makes the default apps by Sony so awkward.
Alternatively, I could successfully install Xposed to try App Settings but this app crashed.

You can also install Gboard (but it has no hide button, so prepare with virtual back button) if you need another keyboard.

Enjoy your DPT devices 

--
Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.

I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.

Is this information really helpful to root my device? If so, is there any way to apply the previous methods to easily jailbreak DPT-RP1? I think the problem here is that it does not look like Android at all, so has no setting menu or developer tools. And not sure how to enter to the recovery mode since it only has two buttons - power/menu.

I'd appreciate any help or advice. Thanks!


----------



## johntaylors (Dec 27, 2018)

*!error*

I cannot authenticate my dpt-rp1 using dpt-tools.py. The IP address is right as far as I know.  What should I do right now?


----------



## johntaylors (Dec 28, 2018)

*adb*



yanzi said:


> That's elegant. Well, I was just reinventing the wheel then. Good to know it works!
> 
> Good to hear, I wrote you a small recovery steps also.. I fixed the script (hopefully) so it wouldn't make the same mistake again.

Click to collapse



Sorry to bother you. My dpt-rp1 is not shown in adb devices. I followed every step and got to root the device. Without connecting as an adb device, the dpt-rp1 cannot download a launcher and apps.  What's the problem here? Thanks!


----------



## serige (Dec 28, 2018)

I am able to root the device. Many thanks for the hard work!

I am trying to use Moon+ to locate my pdf files, but I couldn't find the corresponding System Storage folder where I store my pdf's.


----------



## johntaylors (Dec 28, 2018)

*adb*



serige said:


> I am able to root the device. Many thanks for the hard work!
> 
> I am trying to use Moon+ to locate my pdf files, but I couldn't find the corresponding System Storage folder where I store my pdf's.

Click to collapse



Are you able to connect the device to adb shell? How do you do that? I flashed the modded boot image, but the device did not show up as an adb device.


----------



## serige (Jan 2, 2019)

johntaylors said:


> Are you able to connect the device to adb shell? How do you do that? I flashed the modded boot image, but the device did not show up as an adb device.

Click to collapse



Make sure you flash the correct image, the one boot-1.4.01.16100-mod-happyz-181214.img, it will confirm the MD5 sum once you flash an image, make sure that is the correct MD5. In my case, I had to rename the img file under /root directory before it will flash the the image I uploaded. Hope it helps.


----------



## digiflash (Jan 6, 2019)

Everthing worked. Can connect via diagnose and adb isn't working. Tried it on a Win 10 and Linux Mint 18.3. Sony Digital Paper App is still working via USB
The copied boot image has MD5 72c3f46f0459dadb64be4d9e6c075be2 
not 
1867e8378c68753224677f8e00f81aad
like in your MD5 file. Whats wrong?

Update 1: You have to rename or remove the boot.img.bak in the "/root" directory.

Now I'm getting "error: insufficient permissions for device". SD drive mount is working

Update 2: The following 2 commands worked to get "adb shell" running.
adb kill-server 
sudo adb start-server

Now I tried to add a Launcher icon without success. Nothing appears after the steps in the ADB tricks.
Another question. Is it possible to sync PDFs directly to the device for example with Dropbox and use it it the Sony Reader App?


----------



## jra1662 (Jan 6, 2019)

quick post with some info:

I have the GoodeReader hacked DPT-RP1 and thought maybe the versions of Google Play services and Google play store could be of useful information for those trying to get the play store working on this hack. 

Google Play Services 14.7.99 
Google Play Store 5.10.30

My brief thoughts on the hacked version from GoodeReader, shipped directly from China to me...  It's buggy and not as smooth an experience as I hoped.   Many apps from the play store, the less developed apps, fail to even load, while the more advanced apps are more often to work.  Few other quirks, more thorough thoughts are posted in the mobileread.com forums.  Good luck and continued success to all working on this!


----------



## smx06 (Jan 6, 2019)

Many thanks for the tutorial (1st page) - all works! Hint: use COMx instead of /dev/tty.xxx if you're using Windows.

Just one question so far: any hints how to change font in default web-browser? (or system-wide) Cause seems default fonts (orig.Chinese?) have enormous char intervals when displaying Cyrillic texts.
NB: replacing /system/fonts/Roboto*.ttf with local fonts doesn't help... Also seems replaced font disappeared from Browser--settings--accessebility--Font style list

p.s. maybe it is useful to make a short list of tested apps like the first page notes (to save our testing time)
For example Rotation_Control_Pro_v.1.1.9 is very useful for forced landscape mode


----------



## smx06 (Jan 7, 2019)

smx06 said:


> Just one question so far: any hints how to change font in default web-browser? (or system-wide) Cause seems default fonts (orig.Chinese?) have enormous char intervals

Click to collapse



fixed with editing fonts.xml system_fonts.xml  etc
(inwin kbd started to crash after this but it can be changed to other keyboard with adb shell am start -a android.settings.INPUT_METHOD_SETTINGS after this installed "hacker's keyboard" app works!)
p.s.
seems fonts replacing was not so good idea, native DigitalPaperApp also crashes (which is much worse than unneeded inwin-keyboard crashes)
the problem with DPapp crash is in fonts_split_1_common.xml when i replace 
<font weight="xxx" style="normal">SSTJpPro-Regular.otf</font>  
with        
 <font weight="xxx" style="normal">Roboto-Regular.ttf</font> 
(the 2nd font have no Jap symbols inside, maybe this is the source, curious how to solve it)


----------



## smx06 (Jan 13, 2019)

smx06 said:


> seems fonts replacing was not so good idea, native DigitalPaperApp also crashes (which is much worse than unneeded inwin-keyboard crashes)
> the problem with DPapp crash is in fonts_split_1_common.xml when i replace

Click to collapse



self-answering:
there is no need to touch fonts_split_1_common.xml then DPapp works OK and changing fonts.xml is enough to make browser using replaced Roboto-xx.ttf


----------



## sekkit (Jan 25, 2019)

shankerzhiwu said:


> I have kicked my DPT-RP1 into diagnose mode.
> 
> The method is plugging an OTG cable whose ID pin is soldered with 7.87 k resistor to GND. Press and hold home button while the device is booting up. Finally you will get a gray rectangle at the center of the screen. On the computer, a USB modem device will be detected and a login tty will be on that tty.
> 
> ...

Click to collapse



where is the resistor in your photo?
I need to solder a cable for myself to unlock a special hacked rp1. Because your JB1/2.pkg both not working.


----------



## shankerzhiwu (Jan 25, 2019)

sekkit said:


> where is the resistor in your photo?
> I need to solder a cable for myself to unlock a special hacked rp1. Because your JB1/2.pkg both not working.

Click to collapse



Please refer to https://forum.xda-developers.com/showpost.php?p=78150544&postcount=74 for detailed description of the cable. The resistor was not shown clearly on the photo because it is a SMD one.

BTW, what happened to your dpt? I don't think the cable is a skeleton key.


----------



## sekkit (Jan 25, 2019)

There is some post setup procedure happening of kdroid firmware even with it activation frontend bypassed.


----------



## sekkit (Jan 31, 2019)

Hi, thx 4 ur works


----------



## shankerzhiwu (Jan 31, 2019)

sekkit said:


> Hi, Im studying ur method.
> openssl enc -d -aes-256-cbc -K ZGFlbW9uOng6MToxOjovdXNyL3NiaW46L2Jpbi9mYWxzZQpub2JvZH -k
> 6eDo2NTUzNDo2NTUzNDo6L25vbmV4aXN0ZW50Oi9iaW4vZmFsc2UKcm9vdDo -k
> MSQxJEFlZ2VZbTFRYWFUeWQvMWZPaVhWZDA6MDowOjovcm9vdDovYmluL3NoCg== -none -in /tmp/aes256.key -out /etc/passwd -a  55460c2e3abf285af96fe660c0880bc
> ...

Click to collapse



I won't give any explanation for the exploit. 

P.S. As I've warned before, please do NOT use the unpack script against the two modified firmwares, or your computer may be seriously damaged.


----------



## hltdev (Feb 15, 2019)

i apologize if this was already asked, but is all the info in this thread applicable to the dpt-s1?


----------



## Droidriven (Feb 18, 2019)

hltdev said:


> i apologize if this was already asked, but is all the info in this thread applicable to the dpt-s1?

Click to collapse



Probably not, each model number is different, this usually means some kind of change or difference in methods and software used to modify the device.

Sent from my LGL84VL using Tapatalk


----------



## hdwrp (Feb 25, 2019)

Just a quick question if anybody had a luck to enable Bluetooth keyboard/page turner to turn pages wirelessly.


----------



## zambo91 (Mar 10, 2019)

hdwrp said:


> Just a quick question if anybody had a luck to enable Bluetooth keyboard/page turner to turn pages wirelessly.

Click to collapse



I'm very interested aswell 
Thank you


----------



## jra1662 (Apr 23, 2019)

I have a couple questions for you all.    

1) Is it difficult to open the DPT-RP1 as in removing the back cover?    What is the best way to do this and are there any issues with putting it back together after?

2) Can the Storage/Rooted system settings be moved to another DPT-RP1? (ie: swapping an SSD if the screen fails)

Thank you.


----------



## sartrism (Aug 11, 2017)

Update (5/18/2019)

Since the first tool was released, HappyZ has improved many features so I think I can just refer to

* HappyZ's rooting guide: https://github.com/HappyZ/dpt-tools/wiki/The-Ultimate-Rooting-Guide
   - The only thing I want to add as Windows user is (because the guide is for Mac/Linux users) it gets much easier if you use Linux terminal like cygwin, and the port name should be something like COM# where # can be found in Device Manager by comparing before/after you attach the device.

* HappyZ's upgrade guide: https://github.com/HappyZ/dpt-tools/wiki/The-Upgrade-Guide (Recommend to read this before/after you update the new firmware.)

You may donate a cup of coffee to him there  Thanks to all others who contributed a lot.

--
Update (12/02/2018) -- These are outdated.
Finally we manage to root the device! Many thanks to all of your efforts.

Just refer to HappyZ's well written guide: https://github.com/HappyZ/dpt-tools

For whom have never used python like me (and probably using Windows):
(1) Install Python 3 and add it to PATH.
(2) Install MINGW64 and run scripts here instead of Powershell due to xxd issue if you are on Windows.
(2) *pip httpsig pyserial* on bash.
(3) Download HappyZ's dpt-tools and unzip.
(4* this issue is fixed by HappZ)
(5) Follow HappyZ's guide. You should execute dpt-tools.py in the folder you unzipped to use *get-su-bin* because of how the script is written.

Some suggestions after rooting (let me know if you have better ideas):

Here is my setup: install "E-ink Launcher" and "Multi action home button" using *adb install*.
Use *adb shell am start -a android.intent.action.MAIN* to change the main launcher to your launcher.
Then change the setting of Multi Action Home button (say, the height should be large to be visible in the bottom) and assign its function to be Home for click and Back for double-click.
Whenever you want to use Sony's apps (these are good for pdf markup), just push the home button to open the pop-up menu.
Otherwise, touch the Multi Action Home Button to access to other Android apps. So far I've never experience any crash.

Yet more tips:
Some complain fonts are too small after installing generic apps.
*adb shell wm density 320* changes your DPI by 2 times (160 is a default value.) EDIT: I found 200 is quite enough that does not distort Sony apps too much.
My application is using "Tasker" to execute the above code when specific apps are open and execute *wm density reset* when the apps are closed. 
The reason why we cannot change the global DPI is sadly because it makes the default apps by Sony so awkward.
Alternatively, I could successfully install Xposed to try App Settings but this app crashed.

You can also install Gboard (but it has no hide button, so prepare with virtual back button) if you need another keyboard.

Enjoy your DPT devices 

--
Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.

I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.

Is this information really helpful to root my device? If so, is there any way to apply the previous methods to easily jailbreak DPT-RP1? I think the problem here is that it does not look like Android at all, so has no setting menu or developer tools. And not sure how to enter to the recovery mode since it only has two buttons - power/menu.

I'd appreciate any help or advice. Thanks!


----------



## buzic (May 16, 2019)

silvertriclops said:


> I'm not knowledgeable enough to do this but is there any way you could modify the package to provide a way to access the shell without the OTG cable? I personally don't have a soldering iron but would love to root mine. Could maybe include an SSH server (and assume that anyone who wants to root it knows how to secure it further), or ADB, or possibly enable the debug port in normal mode.
> 
> In fact, it probably has ADB already and is just disabled.

Click to collapse



Lord of the forum, good afternoon! I am in Moldova. I recently bought a sony dpt rp1. Looking for step by step instructions with screenshots. Please, who can help, I will be grateful. I don’t know English (((((. I really need to install an android. I tried to re-read all the messages from the forum thread, but I still can’t figure out how to do it. Thanks in advance to everyone, especially the team who could solve the Android installation problem on sony dpt rp1 .


----------



## sartrism (May 18, 2019)

hdwrp said:


> Just a quick question if anybody had a luck to enable Bluetooth keyboard/page turner to turn pages wirelessly.

Click to collapse





zambo91 said:


> I'm very interested aswell
> Thank you

Click to collapse



I assume it is possible (though I didn't try because it is told the bluetooth connection with DPA is disabled instead). Check this out.
https://github.com/HappyZ/dpt-tools..._unpacker/pkg_example/flashable_bluetooth_hid


----------



## Naz6uL (May 20, 2019)

*RP1 Rooted - Kindle App version??*

Hi guys, so after sucessfuly rooted my DPT-RP1, I'm trying the diffrents  Kindle app versions, so far the bets one had been the just 2.0 Mb Lite version, but is not quite good due some issues displaying the library content.

Has anybody found out a better version to use on it and if possible share it?


----------



## pacodepanam (May 21, 2019)

buzic said:


> Lord of the forum, good afternoon! I am in Moldova. I recently bought a sony dpt rp1. Looking for step by step instructions with screenshots. Please, who can help, I will be grateful. I don’t know English (((((. I really need to install an android. I tried to re-read all the messages from the forum thread, but I still can’t figure out how to do it. Thanks in advance to everyone, especially the team who could solve the Android installation problem on sony dpt rp1 .

Click to collapse




Hello guys,

Great work there. It looked like the retro engineering work was a hassle.
It's true that some rookie tutorial, ideally in video, would help to get our mind around where we are jumping into with the routing described in Github.

I'm sure many would love to see that.

Thanks again for the work! 

Cheers,

Paco


----------



## jra1662 (May 29, 2019)

I have had some success with solving the battery drain issue.   I am using an app called *Autostarts* and preventing some behind the scenes programs from running.    It is VERY difficult to navigate on e-paper.  I had to download it on another device to see the menu options and tap blindly on the DPT.

So far I have primarily disabled 'Google Play Services' and 'Cell Broadcasts' in multiple locations and this appears to have extended the battery life significantly when on wi-fi.   

I am sure I have not achieved optimal battery life yet, but I am thrilled with the results so far!  Perhaps others can contribute their findings as well.


----------



## yanzi (Jun 3, 2019)

buzic said:


> Lord of the forum, good afternoon! I am in Moldova. I recently bought a sony dpt rp1. Looking for step by step instructions with screenshots. Please, who can help, I will be grateful. I don’t know English (((((. I really need to install an android. I tried to re-read all the messages from the forum thread, but I still can’t figure out how to do it. Thanks in advance to everyone, especially the team who could solve the Android installation problem on sony dpt rp1 .

Click to collapse



I suppose you can use google translate to translate this wiki page.. https://github.com/HappyZ/dpt-tools/wiki/The-Ultimate-Rooting-Guide

I'm not planning to record videos as the steps are extremely simple now. And it shall hardly brick your device, unless you did something in diagnosis mode, which you never need to use during the process..

---------- Post added at 01:52 PM ---------- Previous post was at 01:49 PM ----------




sartrism said:


> Update (5/18/2019)
> 
> Since the first tool was released, HappyZ has improved many features so I think I can just refer to
> 
> ...

Click to collapse



Please make changes to the wiki at your wish. I think it's open to public and anyone can change it (with github account).


----------



## digiflash (Jun 7, 2019)

--


----------



## buzic (Jun 18, 2019)

*DPT rp1  - root successfully*

I used the instruction from HappyZ for which I am very grateful to him. True, I used the help of my friend programmer and the image of the MACOS Installed on the vm player.
After receiving the root, it is a pleasure to work with a book.
Only there are two questions:
1. How to install multilingual keyboard layout.?
2. How to connect a blutouth keyboard?
I want to make myself a typewriter.
Thanks for any hints.


----------



## digiflash (Jun 21, 2019)

I rooted my DPT-RP1 but now want to undo this root. I wasn't that successful. Currently I can't pair via USB. Getting Error code messages (code will be provided). I did a soft-reset which doesn't change boot settings.
Is there any working tutorial to unroot and hard-reset the device?


----------



## yanzi (Jul 4, 2019)

digiflash said:


> I rooted my DPT-RP1 but now want to undo this root. I wasn't that successful. Currently I can't pair via USB. Getting Error code messages (code will be provided). I did a soft-reset which doesn't change boot settings.
> Is there any working tutorial to unroot and hard-reset the device?

Click to collapse



to unroot the Android, just flash the modded official pkg @ https://github.com/HappyZ/dpt-tools/wiki/PKGs-I-Made#officials (since you don't have usb access to Android somehow, you can get into diagnosis mode, and follow my script instructions to do `install-pkg`)
and do a soft reset afterwards (using system setting -> "initialize DPT device")

if in any case it has crashes after you flash the modded official pkg, after getting into the Android system, do a hard reset by pressing the reset button for x seconds

and just fyi, it is easy to unroot for the Android system part, but not that easy to "unroot" the diagnosis mode.


----------



## stevenvo (Jul 5, 2019)

I was on root, and tried upgrading to new version from Sony. Now my device is stuck at a gray square box in the center when booted. Any advice  ?


----------



## chenzhongli (Jul 8, 2019)

send  drawer


----------



## Higgins_DE (Jul 13, 2019)

Gents, this is a little off topic, apologies. I have a DPT-RP1 in Europe. Play Store doesn't let me install Sony's Android app. Any chance anyone of you could post the apk? Many thanks.


----------



## stevenvo (Jul 16, 2019)

chenzhongli said:


> send  drawer

Click to collapse



Sorry, what does that mean?


----------



## yanzi (Jul 21, 2019)

stevenvo said:


> Sorry, what does that mean?

Click to collapse



the grey box at center means you are in diagnosis mode..

just press the reset key lightly once, and it should power off

then turn it back on



or you can choose to connect it via serial port (or simply use dpt-tools) and type reboot.


----------



## eribone (Jul 28, 2019)

is there a way to downgarade from 15110 to 09061


----------



## jra1662 (Aug 1, 2019)

Satrism and HappyZ, 

Thank you for the work you've done for the DPT-RP1.  I'm currently running the v1.6.00.15110 firmware WITH ADB and Launcher built in.   I haven't noticed any of the flaws/bugs, but will you be releasing the new 1.6.02 firmware with ADB and Launcher built into the firmware like before?  Thanks!


----------



## Hipolitodo (Aug 2, 2019)

Can be normally upgrade after unroot the Android without "unroot" the diagnosis mode?


----------



## shanenjax (Aug 20, 2019)

*OS X Mojave and rooting DPT-RP1*



silvertriclops said:


> Who's gonna be the guinea pig? I want to try it but can't afford another one if I screw mine up.

Click to collapse



Has anyone attempted this using OS X Mojave ?


----------



## 88% (Nov 3, 2019)

*Private server?*

I'd love to get a DPT-R1, but I'd need to keep it synced (2-way) with a private server.  It seems that I could do this through something like Syncthing now that these geniuses have managed to get root working on the device (respect!) 

Would anyone recommend against rooting for only this purpose? 

If the only 3rd party app I'm running is something like Syncthing, should I expect to have similar performance to the Stock reader when highlighting or making notes? 

Does encryption still work after rooting?

Has anyone got a similar set up? How do you like it?


----------



## sartrism (Aug 11, 2017)

Update (5/18/2019)

Since the first tool was released, HappyZ has improved many features so I think I can just refer to

* HappyZ's rooting guide: https://github.com/HappyZ/dpt-tools/wiki/The-Ultimate-Rooting-Guide
   - The only thing I want to add as Windows user is (because the guide is for Mac/Linux users) it gets much easier if you use Linux terminal like cygwin, and the port name should be something like COM# where # can be found in Device Manager by comparing before/after you attach the device.

* HappyZ's upgrade guide: https://github.com/HappyZ/dpt-tools/wiki/The-Upgrade-Guide (Recommend to read this before/after you update the new firmware.)

You may donate a cup of coffee to him there  Thanks to all others who contributed a lot.

--
Update (12/02/2018) -- These are outdated.
Finally we manage to root the device! Many thanks to all of your efforts.

Just refer to HappyZ's well written guide: https://github.com/HappyZ/dpt-tools

For whom have never used python like me (and probably using Windows):
(1) Install Python 3 and add it to PATH.
(2) Install MINGW64 and run scripts here instead of Powershell due to xxd issue if you are on Windows.
(2) *pip httpsig pyserial* on bash.
(3) Download HappyZ's dpt-tools and unzip.
(4* this issue is fixed by HappZ)
(5) Follow HappyZ's guide. You should execute dpt-tools.py in the folder you unzipped to use *get-su-bin* because of how the script is written.

Some suggestions after rooting (let me know if you have better ideas):

Here is my setup: install "E-ink Launcher" and "Multi action home button" using *adb install*.
Use *adb shell am start -a android.intent.action.MAIN* to change the main launcher to your launcher.
Then change the setting of Multi Action Home button (say, the height should be large to be visible in the bottom) and assign its function to be Home for click and Back for double-click.
Whenever you want to use Sony's apps (these are good for pdf markup), just push the home button to open the pop-up menu.
Otherwise, touch the Multi Action Home Button to access to other Android apps. So far I've never experience any crash.

Yet more tips:
Some complain fonts are too small after installing generic apps.
*adb shell wm density 320* changes your DPI by 2 times (160 is a default value.) EDIT: I found 200 is quite enough that does not distort Sony apps too much.
My application is using "Tasker" to execute the above code when specific apps are open and execute *wm density reset* when the apps are closed. 
The reason why we cannot change the global DPI is sadly because it makes the default apps by Sony so awkward.
Alternatively, I could successfully install Xposed to try App Settings but this app crashed.

You can also install Gboard (but it has no hide button, so prepare with virtual back button) if you need another keyboard.

Enjoy your DPT devices 

--
Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.

I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.

Is this information really helpful to root my device? If so, is there any way to apply the previous methods to easily jailbreak DPT-RP1? I think the problem here is that it does not look like Android at all, so has no setting menu or developer tools. And not sure how to enter to the recovery mode since it only has two buttons - power/menu.

I'd appreciate any help or advice. Thanks!


----------



## serige (Jan 3, 2020)

I got my DPT-CP1 rooted, but somehow my keyboard's layout totally messed up (see picture).
Basically the keyboard layout is shrunken while the actually button is not (so I would have to press the empty area on the top right corner of the input area for the backspace key). Does anyone know how to fix it?


----------



## milkmansson (Jan 10, 2020)

shanenjax said:


> Has anyone attempted this using OS X Mojave ?

Click to collapse



Dunno if you still need this - but I'm on Catalina and it worked for me!

---------- Post added at 04:52 AM ---------- Previous post was at 04:46 AM ----------

Hi Team; I successfully rooted, in an attempt to get my drawing tool of choice (OneNote) to work.  Sadly I got the same results as other posters here.

I have only one problem, which is that any pencil strokes written (in Sony's app) to a PDF or to a new blank document show up for a moment, but then blink away a few moments afterwards.  Opening a pre-existing hand-drawn document (one made before I rooted it) all the strokes showed briefly, then were removed completely (the file was left on the system, but effectively was blanked).

Anyone seen this or have any pointers?  TIA!!

FYI - thinking about this... I haven't tried resetting the device - is there a known safe way to do this that doesn't wipe my rooting of it? :/

Troubleshooting steps that haven't helped:
1. Press the Home button/Settings/System Setting/Initialize Digital Paper/Yes/Yes again did not delete my documents as it said it would, and problem still exists.
2. second method from Happy Z (holding reset button) also didn't work
3. logcat shows this:
E/document_foxit( 2647): report_error: 9, cannot set annotation creation time (-9) in add_element
E/document_foxit( 2647): report_error: 9, cannot set annotation modified time (-9) in add_element

Having a hunt about, perms on /sdcard are:
[email protected]:/ # ls /sdcard/ -al                                              
drwxrwx--- root     sdcard_r          2019-11-27 19:11 Alarms
drwxrwx--x root     sdcard_r          2019-11-28 18:18 Android
drwxrwx--- root     sdcard_r          2020-01-10 13:26 Books
drwxrwx--- root     sdcard_r          2019-11-27 19:11 DCIM
drwxrwx--- root     sdcard_r          2019-11-27 19:11 Download
drwxrwx--- root     sdcard_r          2019-11-27 19:11 Movies
drwxrwx--- root     sdcard_r          2019-11-27 19:11 Music
drwxrwx--- root     sdcard_r          2019-11-27 19:11 Notifications
drwxrwx--- root     sdcard_r          2019-11-27 19:11 Pictures
drwxrwx--- root     sdcard_r          2019-11-27 19:11 Podcasts
drwxrwx--- root     sdcard_r          2019-11-27 19:11 Ringtones
drwxrwx--- root     sdcard_r          2019-11-27 19:14 dp_app_data
drwxrwx--- root     sdcard_r          2019-11-28 13:22 dp_user_storage
drwxrwx--- root     sdcard_r          2020-01-10 13:26 kindle
drwxrwx--- root     sdcard_r          2019-11-28 18:22 koreader
-rw-rw---- root     sdcard_r    19800 2019-11-28 10:14 launcher_mod.tar.gz

...don't know if this looks good or not...


----------



## milkmansson (Jan 16, 2020)

*Further analysis*



milkmansson said:


> Dunno if you still need this - but I'm on Catalina and it worked for me!
> 
> ---------- Post added at 04:52 AM ---------- Previous post was at 04:46 AM ----------
> 
> ...

Click to collapse



Bugger - looks like i've hosed the application somehow.  Followed the unroot instructions ((Can't post links - its HappyZ's /dpt-tools/wiki/The-Unroot-Guide on github), including factory reset.  Factory reset didn't wipe the /sdcard files, and the problem remains.  Any ideas?  Thanks In Advance!


----------



## jra1662 (Jan 24, 2020)

Took a shot on ordering a DPT-CP1 at the discounted price of $399 in the hopes of getting a model manufactured before September 2019.  Should get here next week, but where do I find the manufacture date?


----------



## buzic (Mar 24, 2020)

*New firmware 2020*

Desktop application offers to install version 1.6.50.14130, is available. Will there be root access?
Tell me what improvements are in the new firmware and is it worth it to flash ??
sorry for my english(


----------



## kixster (Apr 26, 2020)

buzic said:


> Desktop application offers to install version 1.6.50.14130, is available. Will there be root access?
> Tell me what improvements are in the new firmware and is it worth it to flash ??
> sorry for my english(

Click to collapse



Yes. The new firmware (1.6.50.14130) has been rooted as well.
You can find the details here at HappyZ's Github wiki page (Sorry, I am a new user and cannot post any external links yet)


----------



## xpierro (May 3, 2020)

I've been able to root it, and make a sample app that can manage the Stylus a little bit. There's a few tricks that make this device not fully stylus-enabled by standard android apps. I explain it here a bit (but read the code if interested):
github / xpierrohk / DPT_template

It boils down to having secret and specific Sony knowledge to be able to make the stylus manageable. Oh and it handles pressure perfectly, I wonder if they'll push us a new upgrade in 2 years for it like they did for the Wifi.


----------



## cephasara (May 5, 2020)

xpierro said:


> I've been able to root it, and make a sample app that can manage the Stylus a little bit. There's a few tricks that make this device not fully stylus-enabled by standard android apps. I explain it here a bit (but read the code if interested):
> github / xpierrohk / DPT_template
> 
> It boils down to having secret and specific Sony knowledge to be able to make the stylus manageable. Oh and it handles pressure perfectly, I wonder if they'll push us a new upgrade in 2 years for it like they did for the Wifi.

Click to collapse



Thanks for sharing. I see your port of dpt-rp1-py (DigitalPaperApp) has a root command. Does this work on DPT-RP1s without diagnosis mode?

I have been trying to find a way to root since my DPT-RP1 appears to have patched out the method mentioned in HappyZ's rooting guide.


----------



## xpierro (May 5, 2020)

cephasara said:


> Thanks for sharing. I see your port of dpt-rp1-py (DigitalPaperApp) has a root command. Does this work on DPT-RP1s without diagnosis mode?
> 
> I have been trying to find a way to root since my DPT-RP1 appears to have patched out the method mentioned in HappyZ's rooting guide.

Click to collapse



Well the goal of that rooting is mostly to allow diag mode (patch functions to allow non OTG cable and change password). So you don't need diag mode to root.

I used the exact same scripts as HappyZ but I repack them inline in java to change and test fast if I want to try new things. (I m useless in python, I just can't read it fast lol). I retested and fixed it a bit, and it now works reliably on mac and linux. One way to test mine quickly is to edit src/main/resources/root/updates/standard/FwUpdater/eufwupdater.sh to remove


> ./startprocess.sh
> ./finished.sh

Click to collapse



It will just display a few lines.

If that works, and your problem is ONLY the diag mode not accesible later on, I can help you. We could integrate a boot.img with adb inside and then you'd use adb instead of the diag mode which is fine. In exchange I'll harass you to figure out what they changed hehe.

But we need to find out if Sony patched either the openssl injection OR the diag mode functions somehow. If they patched the injection (the thing that allows us to launch a root script) the only thing that might help is redo a emmc dump of the chip itself like the first guy did.


----------



## timpster (Oct 20, 2021)

Hello, I've been visiting these forums for about the same amount of time I've been into Linux.  Usually don't have anything to post but I would like to know:

Can I just run a android 5 compatible APK for VNC or some full desktop mirror over wi-fi?  I'd like to show people Linux on a touch-based interface and a bright, outdoor readable screen.  I don't want to be tethered to a mouse, keyboard etc.


----------



## xiaoyuz (Mar 1, 2022)

hi every one，who knows  ，I can use this root fujitsu quaderno a4 gen 2?????????????


----------



## n4n (Mar 15, 2022)

xiaoyuz said:


> hi every one，who knows  ，I can use this root fujitsu quaderno a4 gen 2?????????????

Click to collapse



You should try Fujitsu Quaderno forums, very unlikely someone with Sony's e-reader DPT-RP1 or DPT-CP1 would know about unrelated hardware.


----------



## tomek.sergey (Apr 18, 2022)

Hi
A Year ago I purchased a Sony DPT-RP1 ebook reader on ebay.
Actually I thought it had a stock firmware without any "hacks" etc.
But upon receiving it, I noticed it had an unblocked Play Store and had the ability to install new apps.
It has stock firmware 1.4.02.09061. 
Now I want to update it, but cannot (it gives me error: Unable to update. Error code: 900001).
I guess this is because it has special firmware by GoodeReader.
Is this possible to update at all?
How can I totally reset it to the stock firmware without any "hacks" and playStore?


----------



## n4n (Apr 18, 2022)

tomek.sergey said:


> Hi
> A Year ago I purchased a Sony DPT-RP1 ebook reader on ebay.
> Actually I thought it had a stock firmware without any "hacks" etc.
> But upon receiving it, I noticed it had an unblocked Play Store and had the ability to install new apps.
> ...

Click to collapse



The guide is posted here.
Do not attempt to flash over the hacked firmware without proper steps as it frequently bricks the device.


----------



## tomek.sergey (Apr 26, 2022)

n4n said:


> The guide is posted here.
> Do not attempt to flash over the hacked firmware without proper steps as it frequently bricks the device.

Click to collapse



I have tried to flash the stock (modded by HappyZ) firmware upon rooted device, but after reboot it still says update failed error 900001.
Performed soft reset after that, does not help either.
Can it be GoodEreader rolled some sophisticated update so it blocks any attempts to update?
Did not try the diagnosis mode though...

Has anybody here tried to unroot the device hacked by GoodEreader?


----------



## n4n (Apr 27, 2022)

tomek.sergey said:


> I have tried to flash the stock (modded by HappyZ) firmware
> Has anybody here tried to unroot the device hacked by GoodEreader?

Click to collapse



Sadly, I have no additional advice on what to do (I provided a link in my previous post from a quick Internet search).
Personally, I was able to restore the factory firmware from modded about 2 years ago, using information found on the Internet. Do not remember details.

Sorry, can not spend more time searching Internet for resolution. It's something you should be able to do yourself, information is posted somewhere...

Good luck.


----------



## Stronzo22 (May 8, 2022)

Hi,
I'm trying to root my DPT-RP1 with the HappyZ's   dpt-tools.py  on Windows, but without success.
I can get the device into diagnostic mode and connect via COM-port. Then I can start  "install-pkg"  from diagnosis  mode   (fw command doesn't exist), drop FwUpdater.pkg onto the divice and do a reboot as instructed by the script.
The divice reboots, shows HappyZ's update-screens and starts as usual. No error messages.
But there seems to be no change of the device at all. No Android settings, no launcher, no message. Nothing changed. There's also no ADB-connection ("adb devices" list is empty). 
I tried flashable_supersu.pkg and flashable_mod_boot_img_1.6.50.14130.pkg (matching fw-version).
Does anybody have any ideas how to continue?
Thanks!


----------



## n4n (May 8, 2022)

Did you read the guide?


----------



## Stronzo22 (May 9, 2022)

n4n said:


> Did you read the guide?

Click to collapse



Yes, after you posted the link, thanks.  I also read this.

Edit: Solved! Device is rooted and Ink-Launcher installed.


----------



## ferncc (May 24, 2022)

Stronzo22 said:


> Yes, after you posted the link, thanks.  I also read this.
> 
> Edit: Solved! Device is rooted and Ink-Launcher installed.

Click to collapse



Hi, what firmware version do you have? I want to buy a used one on eBay, but first I want to make sure I can root it. How is your experience with generic android applications?


----------



## sartrism (Aug 11, 2017)

Update (5/18/2019)

Since the first tool was released, HappyZ has improved many features so I think I can just refer to

* HappyZ's rooting guide: https://github.com/HappyZ/dpt-tools/wiki/The-Ultimate-Rooting-Guide
   - The only thing I want to add as Windows user is (because the guide is for Mac/Linux users) it gets much easier if you use Linux terminal like cygwin, and the port name should be something like COM# where # can be found in Device Manager by comparing before/after you attach the device.

* HappyZ's upgrade guide: https://github.com/HappyZ/dpt-tools/wiki/The-Upgrade-Guide (Recommend to read this before/after you update the new firmware.)

You may donate a cup of coffee to him there  Thanks to all others who contributed a lot.

--
Update (12/02/2018) -- These are outdated.
Finally we manage to root the device! Many thanks to all of your efforts.

Just refer to HappyZ's well written guide: https://github.com/HappyZ/dpt-tools

For whom have never used python like me (and probably using Windows):
(1) Install Python 3 and add it to PATH.
(2) Install MINGW64 and run scripts here instead of Powershell due to xxd issue if you are on Windows.
(2) *pip httpsig pyserial* on bash.
(3) Download HappyZ's dpt-tools and unzip.
(4* this issue is fixed by HappZ)
(5) Follow HappyZ's guide. You should execute dpt-tools.py in the folder you unzipped to use *get-su-bin* because of how the script is written.

Some suggestions after rooting (let me know if you have better ideas):

Here is my setup: install "E-ink Launcher" and "Multi action home button" using *adb install*.
Use *adb shell am start -a android.intent.action.MAIN* to change the main launcher to your launcher.
Then change the setting of Multi Action Home button (say, the height should be large to be visible in the bottom) and assign its function to be Home for click and Back for double-click.
Whenever you want to use Sony's apps (these are good for pdf markup), just push the home button to open the pop-up menu.
Otherwise, touch the Multi Action Home Button to access to other Android apps. So far I've never experience any crash.

Yet more tips:
Some complain fonts are too small after installing generic apps.
*adb shell wm density 320* changes your DPI by 2 times (160 is a default value.) EDIT: I found 200 is quite enough that does not distort Sony apps too much.
My application is using "Tasker" to execute the above code when specific apps are open and execute *wm density reset* when the apps are closed. 
The reason why we cannot change the global DPI is sadly because it makes the default apps by Sony so awkward.
Alternatively, I could successfully install Xposed to try App Settings but this app crashed.

You can also install Gboard (but it has no hide button, so prepare with virtual back button) if you need another keyboard.

Enjoy your DPT devices 

--
Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.

I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.

Is this information really helpful to root my device? If so, is there any way to apply the previous methods to easily jailbreak DPT-RP1? I think the problem here is that it does not look like Android at all, so has no setting menu or developer tools. And not sure how to enter to the recovery mode since it only has two buttons - power/menu.

I'd appreciate any help or advice. Thanks!


----------



## czarjosh (Jul 29, 2022)

xiaoyuz said:


> hi every one，who knows  ，I can use this root fujitsu quaderno a4 gen 2?????????????

Click to collapse



Did you ever figure this out?    I bought a Fujitsu Quaderno and trying to figure out how to get a bit more out of it.


----------



## n4n (Jul 30, 2022)

The short answer: NO


----------



## hdwrp (Aug 14, 2022)

Dasung rebranded Sony Digital Paper DPT-RP1, except it has Android 5.1. It is called Dasung A4.


----------



## Stronzo22 (Oct 15, 2022)

ferncc said:


> Hi, what firmware version do you have? I want to buy a used one on eBay, but first I want to make sure I can root it. How is your experience with generic android applications?

Click to collapse



Hi, sorry, a bit late:  Fw is 1.6.50.14130 (latest)
It's still an E-Reader, not a tablet.  So performance is low and not comparable.
Scrolling is not smooth. Apps benefit from b/w-optimization.


----------



## n4n (Oct 15, 2022)

Stronzo22 said:


> It's still an E-Reader, not a tablet.  So performance is low and not comparable.
> Scrolling is not smooth. Apps benefit from b/w-optimization.

Click to collapse



You have to know what you are buying, what's the purpose of the device and what's the intended use.
Sony e-reader although it does run android for its functions is not for use as an android device.
Also learn what the e-paper technology is and how it is working, so you will not have unreasonable expectations
Beyond originally intended usage as a PDF document reader, you can get extended features as an e-book device, maybe to read your emails as well. Nothing else.
No reason to spend a couple of hundred dollars if your intended use is not e-book functions with large screen and long battery life (these are the only advantages of this device).
Buy used Android tablet with color screen which will cost you less than $100 if you need anything else.


----------



## Stronzo22 (Oct 16, 2022)

Exactly!   I use it as a music sheet reader/annotator.


----------



## n4n (Oct 16, 2022)

Definitely a very good way to use it, for musicians it should be excellent
This might be good together with it https://flat.io not sure why it says you have to pay for it, my school has it for free.


----------

