decryptBooxUpdateUpx
decryptBooxUpdateUpx copied to clipboard
Hagb
How to download firmware for Leaf 3C ?
http://data.onyx-international.cn/api/firmware/update?where={"buildNumber":0,"buildType":"user","deviceMAC":"","lang":"zh_CN","model":"Leaf3C","submodel":"","fingerprint":"ONYX/BOOX/BOOX:11/RKQ1.210614.002/200:userdebug/release-keys"}
i'll try this link but it give 404 not found.
Is that the correct fingerprint? Just run that with "fingerprint":""
And you have a comma on the end.
@RenateUSB i use the adb shell getprop ro.build.fingerprint, is it correct ?
@RenateUSB btw do you know any method to allow the chinese versions devices can switch the server of boox, currently it only allow me use the china one.
Yes, but that link will get you something when you don't include fingerprint.
Yes, but that link will get you something when you don't include fingerprint.
Ah, i try with
http://data.onyx-international.cn/api/firmware/update?where={"buildNumber":0,"buildType":"user","deviceMAC":"","lang":"zh_CN","model":"Leaf3C","submodel":"","fingerprint":"ONYX/BOOX/BOOX:11/RKQ1.210614.002/200:userdebug/release-keys"}
and it work... thanks god.
@RenateUSB btw do you know any method to allow the chinese versions devices can switch the server of boox, currently it only allow me use the china one.
@RenateUSB do you have any idea with this, is there any file-system that i must modifer ?
No, I don't know anything about changing the Chinese frimware piecemeal. If the hardware is identical to the global version you could probably flash that.
I think don't do it. Even if the hardware is identical (which it may not be 100%), you could run into trouble with unalterable things like the MAC address (isn't that how Boox has updates that roll out unevenly?)... There could also be an efuse or something that isn't software.
If the idea of bricking your Boox doesn't bother you, go for it. Probably just fetch the "Poke4Lite" firmware...
But I don't see any huge advantage to changing the software. The only plus side would be you get to see the changelog in English when updating. And you can get rid of WeChat-related bloat... but the English version will have some other crap too, wouldn't it?
That said, thank you for the method to get the fingerprint. I didn't realize it was so easy...
BTW, you can use Linux or Windows as such (helps to see what version you'll download before actually downloading it):
curl -s --get --data-urlencode 'where={"buildNumber":0,"buildType":"user","deviceMAC":"","lang":"zh_CN","model":"Poke4","submodel":"","fingerprint":"Onyx/Poke4/Poke4:11/2024-03-09_10-12_3.5.1_9e7e86ef1/7961:user/dev-keys"}' 'http://en-data.onyx-international.cn/api/firmware/update'
A bit of squinting at the resulting JSON will tell you what version the link will fetch (and some additional JSON fields). I've been fiddling with mine to try to get 3.5.3 but no luck yet... I actually have 3.5.3 on my Boox but despite editing the fingerprint, no joy yet.
And on a Linux box this can download the file (same as above but with a pipe to jq which processes the JSON to get a download link):
curl -s --get --data-urlencode 'where={"buildNumber":0,"buildType":"user","deviceMAC":"","lang":"zh_CN","model":"Poke4","submodel":"","fingerprint":"Onyx/Poke4/Poke4:11/2024-03-09_10-12_3.5.1_9e7e86ef1/7961:user/dev-keys"}' 'http://en-data.onyx-international.cn/api/firmware/update' | jq -r .downloadUrlList[0] | xargs curl --remote-name
Huh? We're talking Poke4? The 3.5.3 is an incremental update: http://firmware.boox.com/d44fac2a875d020773fc0d47fcc3c707/update.upx
aaand, it looks like I was being dumb too. The way to get the incremental update is exactly as I show above (using the pre-update fingerprint). So, it's probably good to make note of fingerprints before updating as that is what is actually used to fetch the update.
Just sharing my findings on how to get updates. @hotrungnhan could fetch the Leaf3 full version (blank fingerprint) to totally replace their firmware with an English version, if they choose to live dangerously. I'm just comparing a bit because I too have a Chinese-version Boox and I really advise against trying to switching the firmware completely. Doing it partially would break updates completely.
I had actually used boot.img from the Poke4 Lite on my Poke4 (Chinese version) without realizing my mistake. I couldn't update until I replaced the boot.img with a proper Chinese one. And the hardware on those models is supposed to be identical.
aaand, it looks like I was being dumb too. The way to get the incremental update is exactly as I show above (using the pre-update fingerprint). So, it's probably good to make note of fingerprints before updating as that is what is actually used to fetch the update.
Just sharing my findings on how to get updates. @hotrungnhan could fetch the Leaf3 full version (blank fingerprint) to totally replace their firmware with an English version, if they choose to live dangerously. I'm just comparing a bit because I too have a Chinese-version Boox and I really advise against trying to switching the firmware completely. Doing it partially would break updates completely.
I had actually used boot.img from the Poke4 Lite on my Poke4 (Chinese version) without realizing my mistake. I couldn't update until I replaced the boot.img with a proper Chinese one. And the hardware on those models is supposed to be identical.
no no no you not dump man, problem is the fingerprint, and key to extract the ota right ?
Why didn’t find a way to patch it in the system ? Not only the boot partition, there so many partition you can patch when using edl mode ?
I read any post in reddit, and curiouly on the onyx config partition, which can contain fastboot fingerprint, and key for extract ota, did you try ?
https://www.reddit.com/r/Onyx_Boox/s/uZ3B2XUa5x
One more things you also need to patch the vb meta/vbmetasystem because it contain the verify hash of system and boot,… partition ?
I'm giving up. 3.5.3 OTA file has an incremental boot.img file. I can't seem to figure out how to merge the 3.5.3 Incremental update with the 3.5.1 full OTA to get a 3.5.3 boot.img - which is needed to safely root AND unroot the reader when it's time to do updates again.
I have too many other projects to do right to figure out EDL mode. Also, my wife uses the Boox often so I can't afford to brick it just yet.
I'm giving up. 3.5.3 OTA file has an incremental boot.img file. I can't seem to figure out how to merge the 3.5.3 Incremental update with the 3.5.1 full OTA to get a 3.5.3 boot.img - which is needed to safely root AND unroot the reader when it's time to do updates again.
I have too many other projects to do right to figure out EDL mode. Also, my wife uses the Boox often so I can't afford to brick it just yet.
ah by right, how did you distingust between incremental boot.img vs full one ? by size ?
How did you distinguish between incremental boot.img vs full one ? by size ?
Size is an indication, but an update can be partially incremental and partially full. You have to look at the payload.bin I'm not even sure of what model or update we're talking about here. So what is it?
Boox Leaf 3C after extract. Download from link below, is it full update ?
A 5MB boot.img on 3.5.3 vs 100MB in the 3.5.1 payload. So, yeah... pretty obvious it's an incremental update. It would be better if it were missing entirely (unpacked with Payload Dumper Gui v2.3). If the unzipped payload tops 3GB, it's probably a full image.
Here's how you do it if you only want to download 1 MB instead of 1.7 GB
C:\>curl http://firmware.boox.com/aa38badc7f47f53dd08eab1bac4dad39/update.upx -r 0-1048575 -o update.upx
C:\>DeBooxUpx.py Leaf3C
Saved decrypted file to update.zip
C:\>copy update.zip p.bin
C:\>findtext p.bin CrAU
0000025a CrAU
C:\>modfile /s p.bin 25a
C:\>paydump p.bin /v
Partition New Operations
-------------- ------ ----------------------------------------
abl 148 k REPLACE_XZ[1]
boot 96.0 M REPLACE[4], REPLACE_XZ[16], REPLACE_BZ[28]
dtbo 8.00 M REPLACE_XZ[1], REPLACE_BZ[3]
modem 38.6 M REPLACE_XZ[20]
product 503 M REPLACE[6], REPLACE_XZ[245], REPLACE_BZ[1]
recovery 96.0 M REPLACE[4], REPLACE_XZ[20], REPLACE_BZ[24]
system 1.96 G REPLACE[65], REPLACE_XZ[927], REPLACE_BZ[12]
system_ext 273 M REPLACE[12], REPLACE_XZ[125]
vbmeta 8.00 k REPLACE_XZ[1]
vbmeta_system 4.00 k REPLACE_XZ[1]
vendor 490 M REPLACE[1], REPLACE_XZ[243], REPLACE_BZ[1]
xbl 3.03 M REPLACE_XZ[2]
So, yes, this is a full update (of some partitions).
Here's how you do it if you only want to download 1 MB instead of 1.7 GB
C:\>curl http://firmware.boox.com/aa38badc7f47f53dd08eab1bac4dad39/update.upx -r 0-1048575 -o update.upx C:\>DeBooxUpx.py Leaf3C Saved decrypted file to update.zip C:\>copy update.zip p.bin C:\>findtext p.bin CrAU 0000025a CrAU C:\>modfile /s p.bin 25a C:\>paydump p.bin /v Partition New Operations -------------- ------ ---------------------------------------- abl 148 k REPLACE_XZ[1] boot 96.0 M REPLACE[4], REPLACE_XZ[16], REPLACE_BZ[28] dtbo 8.00 M REPLACE_XZ[1], REPLACE_BZ[3] modem 38.6 M REPLACE_XZ[20] product 503 M REPLACE[6], REPLACE_XZ[245], REPLACE_BZ[1] recovery 96.0 M REPLACE[4], REPLACE_XZ[20], REPLACE_BZ[24] system 1.96 G REPLACE[65], REPLACE_XZ[927], REPLACE_BZ[12] system_ext 273 M REPLACE[12], REPLACE_XZ[125] vbmeta 8.00 k REPLACE_XZ[1] vbmeta_system 4.00 k REPLACE_XZ[1] vendor 490 M REPLACE[1], REPLACE_XZ[243], REPLACE_BZ[1] xbl 3.03 M REPLACE_XZ[2]So, yes, this is a full update (of some partitions).
Do you have any book or source that have firmware/partition/boot knowledge like this ? I’m not a low-level dev, however this got me interested.
https://android.googlesource.com/platform/system/update_engine/+/refs/heads/main/update_metadata.proto