Connoisseur
Posts: 61
Karma: 3656
Join Date: Feb 2009
Device: cybook
I have more:
# PocketBook Firmware Internals — Analysis Summary
## Device
- Model: PocketBook InkPad 3 Pro (PB740-2 / U740-2)
- Firmware analyzed: 6.5.2917 and 6.8.4521
## SWUPDATE.BIN Structure
### Container Format
- ZIP file containing `SWUPDATE.BIN` + `fwinfo.xml`
- SWUPDATE.BIN header (1024 bytes):
```
magic[0x10] = "PocketBookUpdate"
model[0x20] = e.g. "PB740-2"
unknown1[0x50]
padding1[0x40]
uint32
padding2[0x3C]
fwParts[0x30] = 48 partition entries (each 16 bytes)
```
- Partition entry: `{ type: u32, reserved: u32, offset: u32, size: u32 }`
- Actual file offset = partition.offset + 1024 (header size)
- Data at partition offset is gzip-compressed
### Partition Types
| Type | Name | Content |
|------|------|---------|
| 0x73 | swupdate.tar.gz | Update scripts + bitmaps |
| 0x65 | app.img / ebrmain | gzip-compressed cramfs containing /ebrmain/ |
| 0x72 | rootfs.img | Root filesystem |
| 0x40 | elf.img | ELF binary |
| 0x61 | a.img | Kernel/app image |
| 0x6b,0x63,0x75,0x76,0x54 | various | Other system partitions |
### Extraction
- Use `dump_pocketbook_update.py dump_no_hash SWUPDATE.BIN` (from Synacktiv/KOLANICH)
- Requires kaitai-struct-compiler and compiled `pocketbook_swupdate.py`
- Partitions are gzip-compressed; use `gzip -d` (handles trailing garbage with warning)
## Filesystem Layout
### Read-only (cramfs at /ebrmain/)
```
/ebrmain/config/
  device.cfg — Device identity (brand=default, model=Pocket740-2, etc.)
  settings/settings.json — Settings menu definition (JSON)
  settings/*.json — Sub-menus (epub_key.json, pdf_key.json, accounts.json)
  control_panel/shortcuts_db.json — Shortcut definitions
  control_panel/shortcuts/shortcuts_bt.json — BT-enabled shortcuts
  control_panel/shortcuts/shortcuts_nobt.json — BT-disabled shortcuts
/ebrmain/cramfs/bin/
  pocketbook — Main UI/display server
  explorer.app -> explorer-3 — Home screen / app launcher
  settings.app — Settings app (loads BT panel internally)
  bt_configurator.app — Bluetooth panel (InkView app)
/ebrmain/cramfs/lib/
  libhwconfig.so — Hardware capability functions (device_has_*)
  libbluetooth_manager.so — Bluetooth D-Bus manager
  libbluetooth_ui.so — Bluetooth UI widgets
  libbluetooth_.so — Other BT libraries
```
### Writable (/mnt/ext1/system/)
```
config/
settings/settings.json — User override of settings menu
settings/rootsettings.json — Pbjb custom settings submenu
rootsettings.cfg — Pbjb service flags (hash-protected)
global.cfg — User preferences (hash-protected)
control_panel/user_shortcuts.json — Active shortcuts
device.cfg — Runtime device config override
```
### Runtime (/var/run/)
```
settings.cfg — Generated feature flags (CRC32 hash-protected)
settings.cfg.back — Backup for hash validation
device.cfg — Runtime device identity
```
## Config File Hash Protection
### CRC32 Hash
- Format: `#XXXXXXXX` as last line of `.cfg` files
- Algorithm: Standard CRC32 (zlib/PKZip) of body content (all lines before hash, including trailing newline)
- Verified with `rootsettings.cfg` hash `#2355e950`
- When hash is broken → firmware restores from `.back` file
- `sed -i` editing breaks hash → changes are silently reverted
### Hash Computation
```python
import binascii

# Body = everything before the final '#XXXXXXXX' line, trailing newline included
with open('file.cfg', 'rb') as f:
    body = f.read().rsplit(b'#', 1)[0]
crc = binascii.crc32(body) & 0xFFFFFFFF
print(f'#{crc:08x}')  # new hash line to append after the body
```
## Bluetooth Implementation
### Hardware
- Realtek RTL8761ATV on UART `/dev/ttyS2`
- Firmware: `/lib/firmware/rtlbt/rtl8761a_fw` + `rtl8761a_config`
- Attach tool: `/sbin/rtk_hciattach -s 115200 ttyS2 rtk_h5`
- Power control: `/sys/devices/soc/bt.6/enable`
### Software Stack
- BlueZ 5.52 — `/usr/libexec/bluetooth/bluetoothd`
- bluealsa v4.1.1 — `/usr/libexec/bluetooth/bluealsa` (A2DP source)
- Agent: `/usr/bin/bluetooth_agent_app` (PocketBook GUI agent)
- AVRCP: `/usr/bin/avrcp_dbus_manager`
- Vendor script: `/lib/modules/bt_ctrl.sh` (on, off, start, stop)
### BT Panel Architecture
- `settings.app` loads BT panel internally via `class_id: "bluetooth"`
- `bt_configurator.app` — standalone BT settings app
- Uses `libbluetooth_ui.so` (UI) + `libbluetooth_manager.so` (D-Bus BlueZ interface)
- Key functions: `BluetoothManager::SetPowered(bool)`, `IsBluetoothEnabled`
- Reference: `bluetooth_module.cpp` compiled into settings.app
### Feature Gating
1. **`device_has_bluetooth()`** in `libhwconfig.so` at offset 0xF028
- 28-byte function: loads flag from struct offset 0x344, compares with 0
- Returns 0 for PB740-2 with brand=default/CIS
- All `device_has_*` functions follow identical pattern (different struct offsets)
2. **`IsBluetoothEnabled`** in `libbluetooth_manager.so` and `libbluetooth_ui.so`
- Secondary check, likely checks BlueZ adapter presence
3. **`custom_enabler`** in settings.json: `["have_bt:", "have_bt:1"]`
- Reads from `/var/run/settings.cfg`
- Two-condition format: key exists + value=1
### Patching device_has_bluetooth
- Function at file offset 0xF028 (in .text section)
- Patch: `MOV R0, #1; BX LR` = `01 00 A0 E3 1E FF 2F E1` (8 bytes)
- Pad remaining 20 bytes with NOPs (`00 00 A0 E1`)
- Deploy via bind-mount: `mount -o bind /mnt/secure/lib/libhwconfig.so /ebrmain/cramfs/lib/libhwconfig.so`
- **NOTE**: This patch alone does NOT fix the BT toggle — `IsBluetoothEnabled` is the actual toggle gate
## Localization/Region System
- Regions in dragon.tar: `demos_740-2_WW.d.tgz`, `demos_740-2_CIS.d.tgz`, `demos_740-2_RU.d.tgz`
- These contain ONLY setup wizard images (PNG slides) — NO device.cfg variants
- `brand=default` in device.cfg maps to locale based on `partner` field
- `partner=default` → CIS, `partner=bookland` → ?
- No EU variant exists in the firmware
- Localization packages do NOT affect Bluetooth feature availability
## Pbjb (Jailbreak/Services) Architecture
- Installs to `/mnt/secure/` (separate partition, survives updates)
- Init scripts in `/mnt/secure/etc/init.d/` (run by custom rcS)
- Settings injected via `/mnt/ext1/system/config/settings/settings.json`
- `services-installer.sh`: prepends "Rooted device settings" submenu to settings.json
- **Firmware 6.8 breaks pbjb**: settings.json override no longer takes effect
- SSH/USBNet/init scripts still work (low-level components)
- Settings UI integration is what's broken
## D-Bus Configuration
- `/etc/dbus-1/system.d/bluetooth.conf` — allows root, reader, sreader
- `bluealsa.conf` — separate bluealsa D-Bus policy
- `sudo` is restricted: only allows specific commands for user `reader`
- `bluetooth_agent_app` CAN launch as reader via `sudo -u reader`
## Key File Locations Summary
| File | Purpose | Writable? |
|------|---------|-----------|
| /ebrmain/config/device.cfg | Device identity (brand, model) | No (cramfs) |
| /ebrmain/config/settings/settings.json | Settings menu template | No (cramfs) |
| /mnt/ext1/system/config/settings/settings.json | User settings override | Yes |
| /var/run/settings.cfg | Runtime feature flags | Yes (tmpfs) |
| /var/run/device.cfg | Runtime device identity | Yes (tmpfs) |
| /mnt/secure/device.cfg | Pbjb device config override | Yes |
| /mnt/ext1/system/config/rootsettings.cfg | Pbjb service flags | Yes |
| /mnt/ext1/system/config/global.cfg | User preferences | Yes |
## CRC32 Hash Known Values
| File | Have BT | CRC32 Hash |
|------|---------|------------|
| settings.cfg | 0 | `#01fb3e1b` |
| settings.cfg | 1 | `#6776102f` |
| rootsettings.cfg (original) | N/A | `#2355e950` |
| rootsettings.cfg (+bt=1) | N/A | `#8c0c26d7` |
## Feature Struct Layout (libhwconfig.so)
All `device_has_*()` functions read from a shared feature struct at runtime.
Each function loads a pointer from GOT, dereferences it, then reads a byte
at a specific offset. The struct is populated at boot from device.cfg files.
| Offset | Feature | Expected | Function |
|--------|---------|----------|----------|
| 0x130 | touchpanel | 1 (TRUE) | device_has_touchpanel |
| 0x160 | slider | ? | device_has_slider |
| 0x16c | gyroscope | ? | device_has_gyroscope |
| 0x178 | extcard | ? | device_has_extcard |
| 0x2d0 | audio | 1 (TRUE) | device_has_audio |
| 0x2e0 | usb | ? | device_has_usb |
| 0x2e4 | usbhost | 0 (FALSE) | device_has_usbhost |
| 0x2e8 | frontlight | 1 (TRUE) | device_has_frontlight |
| 0x334 | lightsensor | ? | device_has_lightsensor |
| **0x344** | **bluetooth** | **0 (FALSE)** | **device_has_bluetooth** |
| 0x348 | wifi | 1 (TRUE) | device_has_wifi |
| 0x354 | gsm | 0 (FALSE) | device_has_gsm |
### Function Code Pattern
All functions are 28 bytes ARM: LDR from GOT; LDR deref; LDR byte; CMP; MOVNE; BX LR.
Patch: replace first 8 bytes with `01 00 A0 E3 1E FF 2F E1` (MOV R0,#1; BX LR).
Only fixes device_has_bluetooth — BT toggle gated by IsBluetoothEnabled.
## Firmware 6.8 Breaking Changes
### What broke
- User settings.json overrides no longer take effect
- Pbjb and Bluetooth settings entries filtered out despite correct file content
- Files ARE read (strace confirmed) but entries silently rejected
### What still works
- Init scripts, bind mounts, CRC32-correct settings.cfg writes
- BT hardware + BlueZ full stack via init scripts
### Hypothesis
Firmware 6.8 added JSON validation/signature check. Only firmware-template
entries accepted. User additions silently filtered.
## Boot Flow
Kernel -> /sbin/init -> /mnt/secure/rcS (runs init.d/*.sh) -> ./pocketbook
-> explorer.app -> settings.app
## Remaining Paths
1. Live memory patch: modify feature struct byte at +0x344 in running process
2. IsBluetoothEnabled LD_PRELOAD shim for libbluetooth_manager.so
3. Firmware downgrade to 6.5 (restores settings.json override)
4. Alternate config injection via /mnt/secure/device.cfg
## Firmware Version Comparison
| Feature | 5.20.1155 | 6.5.2917 | 6.8.4521 |
|---------|-----------|----------|----------|
| device_has_bluetooth() | NOT PRESENT | ? | Present (returns 0) |
| IsBluetoothEnabled() | NOT PRESENT | ? | Present |
| BT gating | have_bt only | ? | have_bt + device_has_bluetooth + IsBluetoothEnabled |
| SH_BLUETOOTH shortcut | NOT PRESENT | ? | Present |
| shortcuts_bt.json | NOT PRESENT | ? | Present |
| Pbjb settings override | ? | Working | BROKEN |
| BT libraries/tools | Full | Full | Full |
### Key Discovery
Firmware 5.20 has NO compiled C++ checks for Bluetooth beyond settings.cfg:have_bt.
The BT panel toggle was controlled SOLELY by the have_bt flag in settings.cfg.
This means on 5.20, setting have_bt=1 (with CRC32) would fully enable BT UI.
Firmware 6.8 added device_has_bluetooth() in libhwconfig.so AND IsBluetoothEnabled()
in libbluetooth_*.so as additional gates, AND broke pbjb settings.json override.
This triple-lock makes BT UI impossible to enable without binary patching.
## Strategy
1. Downgrade to 6.5 (already on device): likely restores pbjb + simpler BT gating
2. Downgrade to 5.20: simplest BT gating (have_bt only) but risk of driver issues
and
changelog.md
# InkPad 3 Pro (U740-2) Firmware Changelog
## 6.8.4521 — 2025-01-27 *(current)*
- FLAC audio support
- Ukrainian TTS voice
- BT headset disconnect fixes during music playback
- LCP DRM profile 2.x
## 6.8.3558 — 2024-05-14
- Dropbox new auth schema
- CBZ dark mode fixes, EPUB cover/position fixes
- Browser dark mode page inversion
## 6.8.2462 — 2023-11-02
- **DARKmode** added
- **Configurable Control Panel** — Bluetooth shortcut now available
- Notes filtering, morphological dictionaries, text suggestions
- **Auto-reconnect BT headphones after startup**
- BT LE uHID device pairing fixes
- BT headphones reconnect after sleep fix
- **Likely broke pbjb settings.json override**
## 6.7.1702 — (Jan 2023?)
- Improved BT audio codecs (MPEG, LDAC, AAC, SBC)
- Reading gestures, translation notes, Photo Frame app
## 6.5.2917 — 2022-07-26
- AZW/AZW3 support, more dictionaries, sleep logo
- Armenian/Georgian/Ukrainian etc UI languages
- Faster PDF engine (Pdfium), EPUB3 fixes
- **No `device_has_bluetooth()` function — BT gated by have_bt only**
## 6.5.1381 — 2021-12-22
- **"Stable Bluetooth connection with Bluetooth audio devices"**
- Faster boot, Dropbox sync fixes
## 6.5.768 — 2021-10-18
- Photo Frame app, LCP book renewal/return
- PDF Quick engine (Pdfium), scroll mode for fixed layout
- Pinch-to-zoom dictionary, FB2 footnote fixes
## 6.4.330 — 2021-06-30
- New keyboard UI with long-press characters
- OTF/TTC font support, Chinese pinyin input
- TTS voice download from reader UI
- No BT changes
## 6.3.691 — 2021-03-31
- LCP DRM support, PDF contrast/brightness/gamma
- EPUB processing speed/quality improvements
- Onleihe app, series support in shop
- No BT changes
## Key Technical Facts
- **`device_has_bluetooth()` function**: NOT in 6.5; ADDED in 6.8
- **`IsBluetoothEnabled()` function**: NOT in 6.5; ADDED in 6.8
- **Pbjb settings.json override**: Works in 6.5; BROKEN in 6.8
- **BT in 6.5**: Gated ONLY by `have_bt:1` in settings.cfg (CRC32-protected)
- **BT in 6.8**: Triple-gated by `have_bt` + `device_has_bluetooth()` + `IsBluetoothEnabled()`
- **Downgrade path**: 6.8 → 6.5 = restored pbjb + simple BT unlocking
## 5.20.1155 — 2019-07-30 *(earliest)*
- FB2 hyphenation, footnote UI, font hinting fixes
- DjVu/CBR/CBZ cover scanner
- Touchscreen disable during reading
- Browser autocomplete, M4B audiobook fixes
- **No BT changes** — BT hardware present, no compiled C++ BT checks
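As an added example (my own code, not from the post above and not the Synacktiv/KOLANICH dumper it cites), here is a minimal parser for the SWUPDATE.BIN header layout the post describes, plus a partition decompressor that stops at the end of the gzip stream instead of failing on the trailing garbage `gzip -d` warns about. It assumes little-endian integers and zero-filled unused partition slots; `build_sample_update` only fabricates a synthetic container for testing and is not a real firmware image.

```python
"""Parser for the PocketBook SWUPDATE.BIN header layout described in the post.
Added example; assumptions: little-endian integers, partition entries are
{type, reserved, offset, size} u32 each, unused entries are all-zero."""
import gzip
import struct
import zlib

HEADER_SIZE = 1024
PART_COUNT = 48
MAGIC = b"PocketBookUpdate"

# Names taken from the partition-type table in the post
PART_NAMES = {0x73: "swupdate.tar.gz", 0x65: "app.img", 0x72: "rootfs.img",
              0x40: "elf.img", 0x61: "a.img"}


def parse_header(blob):
    """Return (model, [ {type, offset, size, name}, ... ]) for a SWUPDATE.BIN blob."""
    if len(blob) < HEADER_SIZE or blob[:0x10] != MAGIC:
        raise ValueError("not a PocketBookUpdate container")
    model = blob[0x10:0x30].rstrip(b"\0").decode("ascii", "replace")
    # magic(0x10)+model(0x20)+unknown1(0x50)+padding1(0x40)+u32(4)+padding2(0x3C) = 0x100
    table = blob[0x100:0x100 + PART_COUNT * 16]
    parts = []
    for i in range(PART_COUNT):
        ptype, _reserved, off, size = struct.unpack_from("<4I", table, i * 16)
        if ptype == 0 and size == 0:
            continue  # empty slot
        parts.append({"type": ptype,
                      "offset": off + HEADER_SIZE,  # file offset = entry offset + header
                      "size": size,
                      "name": PART_NAMES.get(ptype, "unknown_%02x" % ptype)})
    return model, parts


def extract_partition(blob, part):
    """Gunzip one partition; returns (data, number_of_trailing_garbage_bytes).
    decompressobj stops at the gzip end-of-stream, so junk after it is harmless."""
    raw = blob[part["offset"]:part["offset"] + part["size"]]
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+MAX_WBITS = gzip wrapper only
    data = d.decompress(raw)
    return data, len(d.unused_data)


def build_sample_update(model, payloads):
    """Construct a synthetic SWUPDATE.BIN (constructed test data, not a real image).
    payloads: list of (type, content_bytes, trailing_garbage_bytes)."""
    header = bytearray(HEADER_SIZE)
    header[:0x10] = MAGIC
    header[0x10:0x10 + len(model)] = model.encode()
    body = bytearray()
    for i, (ptype, content, garbage) in enumerate(payloads):
        comp = gzip.compress(content) + garbage
        struct.pack_into("<4I", header, 0x100 + i * 16, ptype, 0, len(body), len(comp))
        body += comp
    return bytes(header) + bytes(body)


if __name__ == "__main__":
    sample = build_sample_update("PB740-2", [(0x73, b"update scripts", b""),
                                             (0x65, b"cramfs bits " * 10, b"\xff" * 7)])
    model, parts = parse_header(sample)
    for p in parts:
        data, junk = extract_partition(sample, p)
        print(model, p["name"], "type=0x%02x" % p["type"], len(data), "bytes,", junk, "junk")
```

On a real image the same loop can be pointed at `open("SWUPDATE.BIN", "rb").read()`; the `unused_data` count tells you how much padding followed each gzip member, which is the "trailing garbage" the post mentions.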
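Also added here (my own code, not from the post), a small verify/re-sign helper for the `#XXXXXXXX` CRC32 scheme described under "Config File Hash Protection". It makes the `sed -i` failure mode concrete: the body changes but the stored hash does not, so verification fails and the firmware falls back to the `.back` copy. The `key=value` line syntax that `set_key` edits is an assumption; the post does not show the body format of settings.cfg.

```python
"""Verify and re-sign PocketBook '.cfg' files ending in a '#XXXXXXXX' CRC32 line.
Added example. Assumes, as the post states, hash = zlib CRC32 of everything
before the final '#' (newline before it included); 'key=value' lines are assumed."""
import binascii
import re

# Final line of the file: '#' + 8 hex digits, optional trailing newline
HASH_RE = re.compile(rb"#([0-9a-fA-F]{8})\n?$")


def split_cfg(data):
    """Return (body, stored_hash) where stored_hash is None if no hash line exists.
    The body keeps its trailing newline, matching the post's rsplit('#', 1)[0]."""
    m = HASH_RE.search(data)
    if m is None:
        return data, None
    return data[:m.start()], int(m.group(1), 16)


def cfg_crc(body):
    """Standard (zlib/PKZip) CRC32 as an unsigned 32-bit value."""
    return binascii.crc32(body) & 0xFFFFFFFF


def verify_cfg(data):
    """True only if a hash line is present and matches the body."""
    body, stored = split_cfg(data)
    return stored is not None and stored == cfg_crc(body)


def sign_cfg(body):
    """Append a fresh hash line to a body (adds the newline the CRC must cover)."""
    if not body.endswith(b"\n"):
        body += b"\n"
    return body + b"#%08x\n" % cfg_crc(body)


def set_key(data, key, value, sep=b"="):
    """Set or add 'key<sep>value' in the body and re-sign, unlike a plain sed -i edit.
    (key=value syntax is an assumption, not confirmed by the post.)"""
    body, _ = split_cfg(data)
    out, found = [], False
    for line in body.splitlines():
        if line.startswith(key + sep):
            line, found = key + sep + value, True
        out.append(line)
    if not found:
        out.append(key + sep + value)
    return sign_cfg(b"\n".join(out) + b"\n")


if __name__ == "__main__":
    # Constructed sample, not a real settings.cfg
    signed = sign_cfg(b"brand=default\nhave_bt=0\n")
    sed_style = signed.replace(b"have_bt=0", b"have_bt=1")  # what sed -i would produce
    print("original verifies:", verify_cfg(signed))
    print("sed-style edit verifies:", verify_cfg(sed_style))
    print("re-signed edit verifies:", verify_cfg(set_key(signed, b"have_bt", b"1")))
```

To check a file from the device, `verify_cfg(open(path, "rb").read())` is enough; to change it, write back the result of `set_key` (or `sign_cfg` of a hand-edited body) in binary mode so the newline before the hash is preserved.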