I recently picked up the Onyx Boox Poke 3 and Leaf for myself and partner so that we could read on a device that wasn't our phone (despite my efforts, it can still be a source of distraction and it's uncomfortable to read on). I saw it as a better alternative to Amazon Kindle because it supports EPUB eBook formats, has a USB-C connector, slim form factor, doesn't require an account to use, and doesn't need an internet connection whatsoever (even on first boot). I wanted something simple that I could plug in and just load my books onto. I had also read that it had an unlocked bootloader and that it was possible to gain root access.
The Onyx Boox devices are essentially Android tablets with e-ink displays, making them quite versatile. Me being the person who I am, I of course wanted to tinker with it and connect to the internet. These e-readers, however, are notorious for phoning home to Chinese servers (Mozilla even did a short write-up on them). To add insult to injury, they're also violating the Linux kernel license by not releasing their source code, so there's really no telling exactly what data is being sent or what kind of backdoors have been set up. Running PCAPdroid will give you an idea of the insane amount of data that's being shared, even while the device is sitting idle. The first week with these e-readers, I spent more time hacking away at them than actually using them for reading eBooks.
I wanted to document the steps I took to root and neuter the e-reader from sharing telemetry. Although this can be easily reconciled if I simply don't connect it to the internet, but doing so I will lose out of syncing KOReader and Wallabag.
There's a couple approaches for making Onyx Boox devices more privacy friendly and secure, but ultimately I was not able to completely disable it from sending pings without rooting the devices and running AFWall+. Granted, I've never owned an Amazon Kindle device so I don't know the amount of data that they collect, but being US based they at least must comply with software licenses. Because of these issues I somewhat regret my purchasing decision and I cannot recommend these devices to anyone whatsoever unless you can take the time to follow the steps outlined below.
First and foremost, install F-Droid by downloading the APK and dropping onto the e-reader. If you're like me, having applications for things like email is completely unnecessary (and misses the point of an e-reader IMO), but some Onyx applications need to be replaced. To be safe, it's important to install the replacement first before removing the Onyx version (especially the launcher).
Without modifying the firmware itself, it's possible to more or less neuter the Onyx Boox e-readers from phoning home to China by disabling and uninstalling the built-in Onyx applications and homescreen launcher. This does not completely stop the device from sharing telemetry, but I was able to cut down a substantial amount. This isn't the easiest task since they disable the options for remove/disable these apps from the device so we have to use ADB.
adb devicesto confirm it's detected
Although it's running Android 10, the Boox OS does not display what applications (system or otherwise) are necessarily installed. You can find a workaround to access the Android settings or you can run the command
adb shell pm list packages -f to display a list of all the installed applications. This outputs a long list of nonsense, so it's much easier to pipe it into a text file we can work with
adb shell pm list packages -f > booxapps.
To uninstall an application, run the following.
adb shell pm uninstall -k --user 0 <package_to_uninstall>
If it's a system app and I'm not 100% sure what it does, I'll disable it rather than uninstalling it, otherwise reinstalling the app will require being doing via ADB instead of being able to do it locally on the device.
adb shell pm disable-user --user 0 <package_to_disable>
Here's a list of all the Onyx apps I uninstalled from the device, as well as others. As a reminder, if you're going to remove
com.onyx, it's important to have a replacement homescreen launcher installed first. Another important note is that it's not a simple task setting lockscreen wallpapers without the Onyx launcher. After about a month without it, I ended up reinstalled the Onyx launcher just set the lockscreen wallpaper.
com.onyx com.onyx.calculator com.onyx.android.onyxotaservice com.onyx.appmarket com.onyx.pinyinime com.onyx.floatingbutton com.onyx.kreader com.onyx.android.ksync com.onyx.android.latinime com.onyx.latinime com.onyx.android.production.test com.onyx.android.onyxotaservice com.onyx.mail com.onyx.dict com.onyx.easytransfer
I've also disabled other applications, such as all of the Google and Qualcomm system apps. Obviously if you intend to use Google services, be careful which Google apps you remove. The Qualcomm and Google apps aren't malicious (though an argument could be made), but I view them as unnecessary nonetheless. Below are a list of apps I've removed and haven't had any issues.
I should note that I got a little trigger happy with disabling and uninstalling applications off the device. I haven't run into any issues removing all the preinstalled Onyx applications, however there are some preinstalled Google packages that I removed, one time disabling the ability to connect the e-reader to a laptop or other device via MTP. I think it might have been related to com.android.documentsui. If you need to reenable an application, run
adb shell pm enable <package name>. If you uninstalled the application via ADB, you'll need to reinstall the application for the user first with
adb shell cmd package install-existing <package name>.
Here's a list of other applications I uninstalled from the device:
com.simplemobiletools.clock com.simplemobiletools.gallery com.simplemobiletools.musicplayer com.simplemobiletools.voicerecorder org.chromium.chrome com.google.android.gms com.google.android.gsf com.google.android.tts com.google.android.partnersetup com.google.android.gms.setup com.android.quicksearchbox com.android.providers.downloads com.android.email com.android.bips com.android.bookmarkprovider com.android.cellbroadcastreceiver com.android.dreams.phototable com.android.protips com.android.providers.calendar com.android.providers.contacts com.android.vending com.android.printservice.recommendation com.android.wallpaper.livepicker org.codeaurora.bluetooth.batestapp com.android.documentsui com.android.theme.color.purple com.android.theme.color.green com.android.theme.color.ocean com.android.theme.color.space com.android.theme.color.orchid com.android.theme.color.black com.android.theme.color.cinnamon com.android.theme.icon.teardrop com.android.egg com.android.providers.telephony com.android.providers.blockednumber com.android.printspooler com.android.settings.intelligence com.qualcomm.location
While uninstalling these apps, I realized that some of these "system apps" (that can't be uninstalled from the device) are actually Simple Mobile apps, such as the Clock, Gallery, Music, and the Voice Recorder. These are free and open source applications rebranded as Onyx apps, but I wouldn't trust them unless they were obtained from F-Droid or Simple Mobiles Github. Also, Onyx's "NeoBrowser" is simply a repackaged Google Chrome and even shows up as such - who knows what alterations have been made. The list above is by no means exhaustive. For example, I uninstalled all applications with "Google" in the title with the exception of
com.google.android.webview (which is needed if the Wallabag app is installed).
Below is how I went about gaining root access to both the Onyx Poke 3 and Leaf. Much of this comes from this blog post (which is a very good resource and outlines a variety of methods to gain root access) as well as the how-to on DecryptBoox Github page and the Magisk install page. This section is really more of a summary of the steps I took.
python-pipinstalled on your system.
pip install pycryptodome
python DebooxUpx.py Poke3(or the name of your device). We now have a decrypted file called update.zip. Extract files.
adb reboot fastbootwhich will boot the e-reader into fastboot mode. Note that this mode only displays only the Onyx logo.
fastboot boot magisk_patched-24100_avvzI.img. After several seconds, device should boot with temporary root access. You can confirm root has been acquired by opening Magisk. Under "App", it will say "Installed: 24.1" (or whatever version you're using).
adb reboot fastboot. Once on the Onyx screen appears, run
adb reboot fastboot flash boot magisk_patched-24100_avvzl.img.
Even after uninstalling all of the Onyx system application, using PCAPdroid I still occasionally pick up pings to Onyx servers. Whether or not this was because I hadn't disabled all of the Onyx software at the time, I'm not sure. However, you may want to keep some Onyx applications on your e-reader while also restricting their network access.
Since we have root, we can run AFWall+ and block everything system-wide except for the applications we want. In my case, I've set it to only allow access to apps I've checked. Specifically, I only want KOReader to have access to network access for syncing, dictionary, and Wikipedia searches, as well as F-Droid if KOReader needs to be updated or I'd like to install something else.
Note that because I'm blocking almost everything including system apps, it will say "No Internet" on the network I'm connected to. This may cause it to periodically drop the connection, so it must be set to say connected even if no internet connection is detected.
Thanks for reading. Feel free to send comments, questions, or recommendations to email@example.com.