I recently picked up the Onyx Boox Poke 3 and Leaf for myself and partner so that we could read on a device that wasn't our phone (despite my efforts, it can still be a source of distraction and it's uncomfortable to read on). I saw it as a better alternative to Amazon Kindle because it supports EPUB eBook formats, has a USB-C connector, slim form factor, doesn't require an account to use, and doesn't need an internet connection whatsoever (even on first boot). I wanted something simple that I could plug in and just load my books onto. I had also read that it had an unlocked bootloader and that it was possible to gain root access.
The Onyx Boox devices are essentially Android tablets with e-ink displays, making them quite versatile. Me being the person who I am, I of course wanted to tinker with it and connect to the internet. These e-readers, however, are notorious for phoning home to Chinese servers (Mozilla even did a short write-up on them). To add insult to injury, they're also violating the Linux kernel license by not releasing their source code, so there's really no telling exactly what data is being sent or what kind of backdoors have been set up. Running PCAPdroid will give you an idea of the insane amount of data that's being shared, even while the device is sitting idle. The first week with these e-readers, I spent more time hacking away at them than actually using them for reading eBooks.
I wanted to document the steps I took to root and neuter the e-reader from sharing telemetry. Although this can be easily reconciled if I simply don't connect it to the internet, but doing so I will lose out of syncing KOReader and Wallabag.
There's a couple approaches for making Onyx Boox devices more privacy friendly and secure, but ultimately I was not able to completely disable it from sending pings without rooting the devices and running AFWall+. Granted, I've never owned an Amazon Kindle device so I don't know the amount of data that they collect, but being US based they at least must comply with software licenses. Because of these issues I somewhat regret my purchasing decision and I cannot recommend these devices to anyone whatsoever unless you can take the time to follow the steps outlined below.
Contents
First and foremost, install F-Droid by downloading the APK and dropping onto the e-reader. If you're like me, having applications for things like email is completely unnecessary (and misses the point of an e-reader IMO), but some Onyx applications need to be replaced. To be safe, it's important to install the replacement first before removing the Onyx version (especially the launcher).
Without modifying the firmware itself, it's possible to more or less neuter the Onyx Boox e-readers from phoning home to China by disabling and uninstalling the built-in Onyx applications and homescreen launcher. This does not completely stop the device from sharing telemetry, but I was able to cut down a substantial amount. This isn't the easiest task since they disable the options for remove/disable these apps from the device so we have to use ADB.
adb devices to confirm it's detectedAlthough it's running Android 10, the Boox OS does not display what applications (system or otherwise) are necessarily installed. You can find a workaround to access the Android settings or you can run the command adb shell pm list packages -f to display a list of all the installed applications. This outputs a long list of nonsense, so it's much easier to pipe it into a text file we can work with adb shell pm list packages -f > booxapps.
To uninstall an application, run the following.
adb shell pm uninstall -k --user 0 <package_to_uninstall>
If it's a system app and I'm not 100% sure what it does, I'll disable it rather than uninstalling it, otherwise reinstalling the app will require being doing via ADB instead of being able to do it locally on the device.
adb shell pm disable-user --user 0 <package_to_disable>
Here's a list of all the Onyx apps I uninstalled from the device, as well as others. As a reminder, if you're going to remove com.onyx, it's important to have a replacement homescreen launcher installed first. Another important note is that it's not a simple task setting lockscreen wallpapers without the Onyx launcher. The screen does not seem to lock without com.onyx and com.onyx.appmarket installed.
com.onyx
com.onyx.calculator
com.onyx.android.onyxotaservice
com.onyx.igetshop
com.onyx.floatingbutton
com.onyx.kreader
com.onyx.android.ksync
com.onyx.android.latinime
com.onyx.latinime
com.onyx.android.production.test
com.onyx.android.onyxotaservice
com.onyx.mail
com.onyx.dict
com.onyx.easytransfer
I've also disabled other applications, such as all of the Google and Qualcomm system apps. Obviously if you intend to use Google services, be careful which Google apps you remove. The Qualcomm and Google apps aren't malicious (though an argument could be made), but I view them as unnecessary nonetheless. Below are a list of apps I've removed and haven't had any issues.
I should note that I got a little trigger happy with disabling and uninstalling applications off the device. I haven't run into any issues removing all the preinstalled Onyx applications, however there are some preinstalled Google packages that I removed, one time disabling the ability to connect the e-reader to a laptop or other device via MTP. I think it might have been related to com.android.documentsui. If you need to reenable an application, run adb shell pm enable <package name>. If you uninstalled the application via ADB, you'll need to reinstall the application for the user first with adb shell cmd package install-existing <package name>.
Here's a list of other applications I uninstalled from the device:
com.simplemobiletools.clock
com.simplemobiletools.gallery
com.simplemobiletools.musicplayer
com.simplemobiletools.voicerecorder
org.chromium.chrome
com.google.android.gms
com.google.android.gsf
com.google.android.partnersetup
com.google.android.gms.setup
com.android.email
com.android.bips
com.android.protips
com.android.vending
org.codeaurora.bluetooth.batestapp
com.android.documentsui
com.android.egg
com.android.providers.blockednumber
com.android.printspooler
com.qualcomm.location
While uninstalling these apps, I realized that some of these "system apps" (that can't be uninstalled from the device) are actually Simple Mobile apps, such as the Clock, Gallery, Music, and the Voice Recorder. These are free and open source applications rebranded as Onyx apps, but I wouldn't trust them unless they were obtained from F-Droid or Simple Mobiles Github. Also, Onyx's "NeoBrowser" is simply a repackaged Google Chrome and even shows up as such - who knows what alterations have been made. The list above is by no means exhaustive. For example, I uninstalled all applications with "Google" in the title with the exception of com.google.android.webview (which is needed if the Wallabag app is installed).
Below is how I went about gaining root access to both the Onyx Poke 3 and Leaf. Much of this comes from this blog post (which is a very good resource and outlines a variety of methods to gain root access) as well as the how-to on DecryptBoox Github page and the Magisk install page. This section is really more of a summary of the steps I took.
python and python-pip installed on your system.pip install pycryptodome. If you're on arch, you can also run sudo pacman -S python-pycryptodome
http://data.onyx-international.cn/api/firmware/update?where={%22buildNumber%22:0,%22buildType%22:%22user%22,%22deviceMAC%22:%22%22,%22lang%22:%22en_US%22,%22model%22:%22Poke3%22,%22submodel%22:%22%22,%22fingerprint%22:%22%22}. python DeBooxUpx.py Poke3 (or the name of your device). We now have a decrypted file called update.zip. Extract files. (Thanks Nils for catching a typo).adb reboot fastboot which will boot the e-reader into fastboot mode. Note that this mode only displays only the Onyx logo.fastboot boot magisk_patched-24100_avvzI.img. After several seconds, device should boot with temporary root access. You can confirm root has been acquired by opening Magisk. Under "App", it will say "Installed: 24.1" (or whatever version you're using).adb reboot fastboot. Once on the Onyx screen appears, run fastboot flash boot magisk_patched-24100_avvzl.img.fastboot reboot to restart your device.Even after uninstalling all of the Onyx system application, using PCAPdroid I still occasionally pick up pings to Onyx servers. Whether or not this was because I hadn't disabled all of the Onyx software at the time, I'm not sure. However, you may want to keep some Onyx applications on your e-reader while also restricting their network access.
Since we have root, we can run AFWall+ and block everything system-wide except for the applications we want. In my case, I've set it to only allow access to apps I've checked. Specifically, I only want KOReader to have access to network access for syncing, dictionary, and Wikipedia searches, as well as F-Droid if KOReader needs to be updated or I'd like to install something else.
Note that because I'm blocking almost everything including system apps, it will say "No Internet" on the network I'm connected to. This may cause it to periodically drop the connection, so it must be set to say connected even if no internet connection is detected.
Thanks for reading. Feel free to send comments, questions, or recommendations to hey@chuck.is.