I recently picked up the Onyx Boox Poke 3 and Leaf for myself and partner so that we could read on a device that wasn’t our phone (despite my efforts, it can still be a source of distraction and it’s uncomfortable to read on). I saw it as a better alternative to Amazon Kindle because it supports EPUB eBook formats, has a USB-C connector, slim form factor, doesn’t require an account to use, and doesn’t need an internet connection whatsoever (even on first boot). I wanted something simple that I could plug in and just load my books onto. I had also read that it had an unlocked bootloader and that it was possible to gain root access.
The Onyx Boox devices are essentially Android tablets with e-ink displays, making them quite versatile. Me being the person who I am, I of course wanted to tinker with it and connect to the internet. These e-readers, however, are notorious for phoning home to Chinese servers (Mozilla even did a short write-up on them). To add insult to injury, they’re also violating the Linux kernel license by not releasing their source code, so there’s really no telling exactly what data is being sent or what kind of backdoors have been set up. Running PCAPdroid will give you an idea of the insane amount of data that’s being shared, even while the device is sitting idle. The first week with these e-readers, I spent more time hacking away at them than actually using them for reading eBooks.
I wanted to document the steps I took to root and neuter the e-reader from sharing telemetry. Although this can be easily reconciled if I simply don’t connect it to the internet, but doing so I will lose out of syncing KOReader and Wallabag.
There’s a couple approaches for making Onyx Boox devices more privacy friendly and secure, but ultimately I was not able to completely disable it from sending pings without rooting the devices and running AFWall+. Granted, I’ve never owned an Amazon Kindle device so I don’t know the amount of data that they collect, but being US based they at least must comply with software licenses. Because of these issues I somewhat regret my purchasing decision and I cannot recommend these devices to anyone whatsoever unless you can take the time to follow the steps outlined below.
Replacements for Onyx Applications
First and foremost, install F-Droid by downloading the APK and dropping onto the e-reader. If you’re like me, having applications for things like email is completely unnecessary (and misses the point of an e-reader IMO), but some Onyx applications need to be replaced. To be safe, it’s important to install the replacement first before removing the Onyx version (especially the launcher).
- KOReader replaces much of the capabilities of the Onyx launcher, specifically the parts used for navigating books and reading files.
- OLauncher replaces the Onyx launcher as the homescreen launcher.
- Material Files for managing files. KOReader can handle some file manipulation, but Material Files is a fully fledged file manager that’s useful.
- Optional: Fennec (ie Firefox) replaces “NeoBrowser” (ie modified Chrome). There is EinkBro, as a replacement browser, but although it looks nice on an e-ink display, it wasn’t very good at blocking ads. Note that I currently have a browser installed as KOReader supports both dictionaries and the ability to look up and saving Wikipedia articles.
- Optional: Vinyl replaces the Music application. It’s not the prettiest on an e-ink display, but it works.
Disabling & Uninstalling Onyx System Apps via ADB
Without modifying the firmware itself, it’s possible to more or less neuter the Onyx Boox e-readers from phoning home to China by disabling and uninstalling the built-in Onyx applications and homescreen launcher. This does not completely stop the device from sharing telemetry, but I was able to cut down a substantial amount. This isn’t the easiest task since they disable the options for remove/disable these apps from the device so we have to use ADB.
- Go to Apps > Menu > App Management and USB debugging
- Make sure you have ADB installed on your computer
- Connect the e-reader to your computer and
adb devicesto confirm it’s detected
- There will be a prompt on the e-reader to allow USB debugging. Check “Always allow”, and then tap Allow
Although it’s running Android 10, the Boox OS does not display what applications (system or otherwise) are necessarily installed. You can find a workaround to access the Android settings or you can run the command
adb shell pm list packages -f to display a list of all the installed applications. This outputs a long list of nonsense, so it’s much easier to pipe it into a text file we can work with
adb shell pm list packages -f > booxapps.
To uninstall an application, run the following.
adb shell pm uninstall -k --user 0 <package_to_uninstall>
If it’s a system app and I’m not 100% sure what it does, I’ll disable it rather than uninstalling it, otherwise reinstalling the app will require being doing via ADB instead of being able to do it locally on the device.
adb shell pm disable-user --user 0 <package_to_disable>
Here’s a list of all the Onyx apps I uninstalled from the device, as well as others. As a reminder, if you’re going to remove
com.onyx, it’s important to have a replacement homescreen launcher installed first. Another important note is that it’s not a simple task setting lockscreen wallpapers without the Onyx launcher. After about a month without it, I ended up reinstalled the Onyx launcher just set the lockscreen wallpaper.
com.onyx com.onyx.calculator com.onyx.android.onyxotaservice com.onyx.appmarket com.onyx.pinyinime com.onyx.floatingbutton com.onyx.kreader com.onyx.android.ksync com.onyx.android.latinime com.onyx.latinime com.onyx.android.production.test com.onyx.android.onyxotaservice com.onyx.mail com.onyx.dict com.onyx.easytransfer
I’ve also disabled other applications, such as all of the Google and Qualcomm system apps. Obviously if you intend to use Google services, be careful which Google apps you remove. The Qualcomm and Google apps aren’t malicious (though an argument could be made), but I view them as unnecessary nonetheless. Below are a list of apps I’ve removed and haven’t had any issues.
I should note that I got a little trigger happy with disabling and uninstalling applications off the device. I haven’t run into any issues removing all the preinstalled Onyx applications, however there are some preinstalled Google packages that I removed, one time disabling the ability to connect the e-reader to a laptop or other device via MTP. I think it might have been related to com.android.documentsui. If you need to reenable an application, run
adb shell pm enable <package name>. If you uninstalled the application via ADB, you’ll need to reinstall the application for the user first with
adb shell cmd package install-existing <package name>.
Here’s a list of other applications I uninstalled from the device:
com.simplemobiletools.clock com.simplemobiletools.gallery com.simplemobiletools.musicplayer com.simplemobiletools.voicerecorder org.chromium.chrome com.google.android.gms com.google.android.gsf com.google.android.tts com.google.android.partnersetup com.google.android.gms.setup com.android.quicksearchbox com.android.providers.downloads com.android.email com.android.bips com.android.bookmarkprovider com.android.cellbroadcastreceiver com.android.dreams.phototable com.android.protips com.android.providers.calendar com.android.providers.contacts com.android.vending com.android.printservice.recommendation com.android.wallpaper.livepicker org.codeaurora.bluetooth.batestapp com.android.documentsui com.android.theme.color.purple com.android.theme.color.green com.android.theme.color.ocean com.android.theme.color.space com.android.theme.color.orchid com.android.theme.color.black com.android.theme.color.cinnamon com.android.theme.icon.teardrop com.android.egg com.android.providers.telephony com.android.providers.blockednumber com.android.printspooler com.android.settings.intelligence com.qualcomm.location
While uninstalling these apps, I realized that some of these “system apps” (that can’t be uninstalled from the device) are actually Simple Mobile apps, such as the Clock, Gallery, Music, and the Voice Recorder. These are free and open source applications rebranded as Onyx apps, but I wouldn’t trust them unless they were obtained from F-Droid or Simple Mobiles Github. Also, Onyx’s “NeoBrowser” is simply a repackaged Google Chrome and even shows up as such – who knows what alterations have been made. The list above is by no means exhaustive. For example, I uninstalled all applications with “Google” in the title with the exception of
com.google.android.webview (which is needed if the Wallabag app is installed).
Rooting the Onyx Boox Poke 3 and Leaf
Below is how I went about gaining root access to both the Onyx Poke 3 and Leaf. Much of this comes from this blog post (which is a very good resource and outlines a variety of methods to gain root access) as well as the how-to on DecryptBoox Github page and the Magisk install page. This section is really more of a summary of the steps I took.
- Make sure USB debugging and developer settings are enabled.
Note: Getting access to the Android settings also isn’t straight forward. I accessed the standard AOSP settings by installing OLauncher from F-Droid and accessing from the apps drawer. Go to Settings > About tablet and scroll to the bottom where it says Build number and tap on it 7 or so times until it says “You’re a developer”.
- You need to have
python-pipinstalled on your system.
- Go to the decryptBooxUpdateUPX project page on GitHub, download the zip and extract your project folder.
- Run the following command:
pip install pycryptodome
- Download the firmware for your Boox device from Onyx’s website. Drop the zip file into your project folder and extract the update.upx file.
- Then run
python DebooxUpx.py Poke3(or the name of your device). We now have a decrypted file called update.zip. Extract files.
- Install Magisk by downloading the apk from Github.
- Drop both the boot.img file and the magisk apk onto your Poke3 or Leaf.
- Install the Magisk apk and open. Click Install. Click Next, then tap “Select and Patch a File” Select boot image, then select “Let’s Go”.
- After a couple minutes, the process will complete and you should have magisk_patched-24100_T5qRP.img on the Downloads directory (your image filename may vary). Move that file to your computer in the project directory.
adb reboot fastbootwhich will boot the e-reader into fastboot mode. Note that this mode only displays only the Onyx logo.
- To make sure root has been achieved, we’ll boot the image before flashing:
fastboot boot magisk_patched-24100_avvzI.img. After several seconds, device should boot with temporary root access. You can confirm root has been acquired by opening Magisk. Under “App”, it will say “Installed: 24.1” (or whatever version you’re using).
- To flash the patched image permanently, again run
adb reboot fastboot. Once on the Onyx screen appears, run
adb reboot fastboot flash boot magisk_patched-24100_avvzl.img.
- We have root!
Installing and Setting up AFWall+
Even after uninstalling all of the Onyx system application, using PCAPdroid I still occasionally pick up pings to Onyx servers. Whether or not this was because I hadn’t disabled all of the Onyx software at the time, I’m not sure. However, you may want to keep some Onyx applications on your e-reader while also restricting their network access.
Since we have root, we can run AFWall+ and block everything system-wide except for the applications we want. In my case, I’ve set it to only allow access to apps I’ve checked. Specifically, I only want KOReader to have access to network access for syncing, dictionary, and Wikipedia searches, as well as F-Droid if KOReader needs to be updated or I’d like to install something else.
Note that because I’m blocking almost everything including system apps, it will say “No Internet” on the network I’m connected to. This may cause it to periodically drop the connection, so it must be set to say connected even if no internet connection is detected.
- Onyx Boox Poke-Leaf series firmware
- decrypt Boox Update Upx on Github by Junyu Guo
- Magisk installation instructions
- Thomas’ Random Hackery: Hacking the Onyx Boox Note Air E-Ink Tablet
Thanks for reading. Feel free to send comments, questions, or recommendations to firstname.lastname@example.org.