#1

Connoisseur
Posts: 59
Karma: 3656
Join Date: Feb 2009
Device: cybook
inkpad 3 pro bluetooth hacked

I have the PB740-2 InkPad 3 Pro, a regional variant without Bluetooth, but it looks like you can activate it:

Device: embedded Linux / Allwinner sunxi, kernel 3.10.65+, shell at /mnt/secure.
Goal: bring up Bluetooth.

Kernel config:
- Bluetooth core enabled.
- UART HCI enabled:
  ```
  CONFIG_BT_HCIUART=y
  CONFIG_BT_HCIUART_H4=y
  CONFIG_BT_HCIUART_RTKH5=y
  CONFIG_RTL_BT_LPM=y
  ```
- USB Bluetooth disabled: `# CONFIG_BT_HCIBTUSB is not set`
- SDIO Bluetooth disabled: `# CONFIG_BT_HCIBTSDIO is not set`

Conclusion: Bluetooth is not USB or SDIO. It is UART-attached Realtek Bluetooth.

Serial ports:
- /dev/ttyS0 exists and is the active kernel console. /proc/consoles shows `ttyS0 -W-`. Do not use ttyS0 for Bluetooth.
- /dev/ttyS2 exists and is the Bluetooth UART.

Firmware:
- Firmware directory exists: /lib/firmware/rtlbt
- Present files: /lib/firmware/rtlbt/rtl8761a_config, /lib/firmware/rtlbt/rtl8761a_fw
- /sbin/rtk_hciattach expects /lib/firmware/rtlbt and recognizes rtl8761a firmware names.

Tools:
- /sbin/hciattach exists
- /usr/bin/hciconfig exists
- /sbin/rtk_hciattach exists
- bluetoothd is not in PATH, but the vendor script uses /usr/libexec/bluetooth/bluetoothd and /usr/libexec/bluetooth/bluealsa

Important vendor script: /lib/modules/bt_ctrl.sh

Contents/behavior:
- Requires argument: on/off/start/stop.
- on:
  ```
  echo 1 >/sys/devices/soc/bt.6/enable
  rtk_hciattach -s 115200 ttyS2 rtk_h5
  hciconfig hci0 noscan
  echo 1 >/proc/bluetooth/sleep/lpm
  ```
- off:
  ```
  echo 0 >/proc/bluetooth/sleep/lpm
  killall rtk_hciattach
  echo 0 >/sys/devices/soc/bt.6/enable
  ```
- start: starts bluetoothd, bluealsa, bluetooth_agent_app, avrcp_dbus_manager
- stop: kills those services.

Critical finding: direct rtk_hciattach attempts failed before enabling BT power/reset:
- rtk_h5 produced "3-wire sync pattern resend" and "H5 sync timed out".
- rtk_h4 produced "init timed out, read local ver fails".
- generic `any` created a dummy hci0, but with BD Address 00:00:00:00:00:00, zero MTU/features, RX bytes 0, and HCI command tx timeouts.

Reason: the BT power rail/reset was not enabled. After enabling power via the vendor path, dmesg showed success:
```
[AXP] enable axp22_aldo1
sunxi-bt bt.6: check bluetooth bt_power voltage: 3000000
Bluetooth: h5_open
Bluetooth: hci_uart_register_dev
rtk_btcoex: BTCOEX hci_rev 0x1e7b
rtk_btcoex: BTCOEX lmp_subver 0x7c2a
BT_LPM hostwake line change
```

Current working state observed (`hciconfig -a`):
- hci0 Type: Primary Bus: UART
- BD Address: 00:E0:4C:23:99:87
- ACL MTU: 1021:8
- SCO MTU: 255:16
- UP RUNNING
- RX/TX bytes nonzero
- Features nonzero
- rtk_hciattach process running: `rtk_hciattach -s 115200 ttyS2 rtk_h5`

Caveat: running `sh /lib/modules/bt_ctrl.sh on` again while rtk_hciattach is already running may print
```
Enable BT power ... OK
Load BT firmware ... fail
```
because the UART/HCI is already claimed. Check ps/hciconfig first.

Clean startup from off:
```
sh /lib/modules/bt_ctrl.sh off
sleep 2
sh /lib/modules/bt_ctrl.sh on
sh /lib/modules/bt_ctrl.sh start
```

Clean shutdown:
```
sh /lib/modules/bt_ctrl.sh stop
sh /lib/modules/bt_ctrl.sh off
```

Useful checks:
```
hciconfig -a
ps | grep -E 'rtk_hciattach|hciattach'
dmesg | tail -80
```

Potential remaining issue: `hciconfig -a` once showed
```
Can't read local name on hci0: Connection timed out
```
despite hci0 being UP RUNNING with a real BD_ADDR and nonzero RX/TX.

Suggested next commands:
```
echo 0 >/proc/bluetooth/sleep/lpm 2>/dev/null
hciconfig hci0 reset
sleep 1
hciconfig hci0 up
hciconfig hci0 name
hciconfig -a
```

Main conclusion: Bluetooth works as Realtek UART H5 on ttyS2, but only after enabling board-specific BT power via /sys/devices/soc/bt.6/enable, best done through /lib/modules/bt_ctrl.sh.
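The post above distinguishes a dummy hci0 (attach ran before the BT power rail was enabled: BD Address 00:00:00:00:00:00, zero MTU and features, RX bytes 0) from a working one (real BD address, ACL MTU 1021:8, UP RUNNING, nonzero RX/TX). The following script is an added example, not code from the post, that encodes that "check hciconfig first" step as a classifier over `hciconfig -a` output. The two sample dumps are constructed to match the values the post reports; the byte counters and the feature mask in them are made up.

```python
"""Classify a BlueZ adapter's state from `hciconfig -a` output.

Usage on the device:  hciconfig -a | python3 hci_state.py
"""
import re
import sys

# Constructed sample: hci0 after `rtk_hciattach ... any` with the BT power rail off.
DUMMY_HCI0 = """\
hci0:\tType: Primary  Bus: UART
\tBD Address: 00:00:00:00:00:00  ACL MTU: 0:0  SCO MTU: 0:0
\tUP RUNNING
\tRX bytes:0 acl:0 sco:0 events:0 errors:0
\tTX bytes:48 acl:0 sco:0 commands:12 errors:0
\tFeatures: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
"""

# Constructed sample: hci0 after `bt_ctrl.sh on` (address and MTUs as reported in the post,
# counters and feature mask invented).
WORKING_HCI0 = """\
hci0:\tType: Primary  Bus: UART
\tBD Address: 00:E0:4C:23:99:87  ACL MTU: 1021:8  SCO MTU: 255:16
\tUP RUNNING
\tRX bytes:1325 acl:0 sco:0 events:64 errors:0
\tTX bytes:1024 acl:0 sco:0 commands:64 errors:0
\tFeatures: 0xff 0xff 0xff 0xfe 0xdb 0xff 0x7b 0x87
"""


def parse_hciconfig(text):
    """Extract the fields the post uses to judge whether the controller is real."""
    def grab(pattern, default=None, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else default

    return {
        "present": bool(re.search(r"^hci\d+:", text, re.M)),
        "bus": grab(r"Bus:\s*(\w+)"),
        "bdaddr": grab(r"BD Address:\s*([0-9A-Fa-f:]{17})"),
        "acl_mtu": grab(r"ACL MTU:\s*(\d+):\d+", 0, int),
        "up_running": "UP RUNNING" in text,
        "rx_bytes": grab(r"RX bytes:(\d+)", 0, int),
        "tx_bytes": grab(r"TX bytes:(\d+)", 0, int),
        # An all-zero feature mask is one of the dummy-adapter symptoms.
        "features_zero": bool(re.search(r"Features:(?:\s+0x00)+\s*$", text, re.M)),
    }


def classify(text):
    """Return 'absent', 'dummy', 'down' or 'working' for one hciconfig -a dump."""
    st = parse_hciconfig(text)
    if not st["present"]:
        return "absent"        # nothing attached yet: sh /lib/modules/bt_ctrl.sh on
    dummy = (st["bdaddr"] == "00:00:00:00:00:00" or st["acl_mtu"] == 0
             or st["rx_bytes"] == 0 or st["features_zero"])
    if dummy:
        return "dummy"         # power rail off: bt_ctrl.sh off; sleep 2; bt_ctrl.sh on
    if st["up_running"]:
        return "working"
    return "down"              # real controller, interface down: hciconfig hci0 up


if __name__ == "__main__":
    print(classify(sys.stdin.read()))
```

The "dummy" verdict is the case the post hit with `rtk_hciattach ... any`: the kernel creates hci0, but every HCI command times out because the controller never powered up, so the interface flags alone (UP RUNNING) are not a useful health signal.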

#2

Connoisseur
Posts: 59
Karma: 3656
Join Date: Feb 2009
Device: cybook
I have more:

# PocketBook Firmware Internals — Analysis Summary

## Device
- Model: PocketBook InkPad 3 Pro (PB740-2 / U740-2)
- Firmware analyzed: 6.5.2917 and 6.8.4521

## SWUPDATE.BIN Structure

### Container Format
- ZIP file containing `SWUPDATE.BIN` + `fwinfo.xml`
- SWUPDATE.BIN header (1024 bytes):
  ```
  magic[0x10]    = "PocketBookUpdate"
  model[0x20]    = e.g. "PB740-2"
  unknown1[0x50]
  padding1[0x40]
  uint32
  padding2[0x3C]
  fwParts[0x30]  = 48 partition entries (each 16 bytes)
  ```
- Partition entry: `{ type: u32, reserved: u32, offset: u32, size: u32 }`
- Actual file offset = partition.offset + 1024 (header size)
- Data at partition offset is gzip-compressed

### Partition Types
| Type | Name | Content |
|------|------|---------|
| 0x73 | swupdate.tar.gz | Update scripts + bitmaps |
| 0x65 | app.img / ebrmain | gzip-compressed cramfs containing /ebrmain/ |
| 0x72 | rootfs.img | Root filesystem |
| 0x40 | elf.img | ELF binary |
| 0x61 | a.img | Kernel/app image |
| 0x6b, 0x63, 0x75, 0x76, 0x54 | various | Other system partitions |

### Extraction
- Use `dump_pocketbook_update.py dump_no_hash SWUPDATE.BIN` (from Synacktiv/KOLANICH)
- Requires kaitai-struct-compiler and compiled `pocketbook_swupdate.py`
- Partitions are gzip-compressed; use `gzip -d` (handles trailing garbage with a warning)

## Filesystem Layout

### Read-only (cramfs at /ebrmain/)
```
/ebrmain/config/
  device.cfg                                   — Device identity (brand=default, model=Pocket740-2, etc.)
  settings/settings.json                       — Settings menu definition (JSON)
  settings/*.json                              — Sub-menus (epub_key.json, pdf_key.json, accounts.json)
  control_panel/shortcuts_db.json              — Shortcut definitions
  control_panel/shortcuts/shortcuts_bt.json    — BT-enabled shortcuts
  control_panel/shortcuts/shortcuts_nobt.json  — BT-disabled shortcuts
/ebrmain/cramfs/bin/
  pocketbook                  — Main UI/display server
  explorer.app -> explorer-3  — Home screen / app launcher
  settings.app                — Settings app (loads BT panel internally)
  bt_configurator.app         — Bluetooth panel (InkView app)
/ebrmain/cramfs/lib/
  libhwconfig.so              — Hardware capability functions (device_has_*)
  libbluetooth_manager.so     — Bluetooth D-Bus manager
  libbluetooth_ui.so          — Bluetooth UI widgets
  libbluetooth_*.so           — Other BT libraries
```

### Writable (/mnt/ext1/system/)
```
config/
  settings/settings.json             — User override of settings menu
  settings/rootsettings.json         — Pbjb custom settings submenu
  rootsettings.cfg                   — Pbjb service flags (hash-protected)
  global.cfg                         — User preferences (hash-protected)
  control_panel/user_shortcuts.json  — Active shortcuts
  device.cfg                         — Runtime device config override
```

### Runtime (/var/run/)
```
settings.cfg       — Generated feature flags (CRC32 hash-protected)
settings.cfg.back  — Backup for hash validation
device.cfg         — Runtime device identity
```

## Config File Hash Protection

### CRC32 Hash
- Format: `#XXXXXXXX` as the last line of `.cfg` files
- Algorithm: standard CRC32 (zlib/PKZip) of the body content (all lines before the hash, including the trailing newline)
- Verified with `rootsettings.cfg` hash `#2355e950`
- When the hash is broken → firmware restores from the `.back` file
- `sed -i` editing breaks the hash → changes are silently reverted

### Hash Computation
```python
import binascii

# Body = everything before the final "#XXXXXXXX" line, trailing newline included.
body = open('file.cfg').read().rsplit('#', 1)[0]
crc = binascii.crc32(body.encode()) & 0xFFFFFFFF
print(f'#{crc:08x}')
```

## Bluetooth Implementation

### Hardware
- Realtek RTL8761ATV on UART `/dev/ttyS2`
- Firmware: `/lib/firmware/rtlbt/rtl8761a_fw` + `rtl8761a_config`
- Attach tool: `/sbin/rtk_hciattach -s 115200 ttyS2 rtk_h5`
- Power control: `/sys/devices/soc/bt.6/enable`

### Software Stack
- BlueZ 5.52 — `/usr/libexec/bluetooth/bluetoothd`
- bluealsa v4.1.1 — `/usr/libexec/bluetooth/bluealsa` (A2DP source)
- Agent: `/usr/bin/bluetooth_agent_app` (PocketBook GUI agent)
- AVRCP: `/usr/bin/avrcp_dbus_manager`
- Vendor script: `/lib/modules/bt_ctrl.sh` (on, off, start, stop)

### BT Panel Architecture
- `settings.app` loads the BT panel internally via `class_id: "bluetooth"`
- `bt_configurator.app` — standalone BT settings app
- Uses `libbluetooth_ui.so` (UI) + `libbluetooth_manager.so` (D-Bus BlueZ interface)
- Key functions: `BluetoothManager::SetPowered(bool)`, `IsBluetoothEnabled`
- Reference: `bluetooth_module.cpp` compiled into settings.app

### Feature Gating
1. **`device_has_bluetooth()`** in `libhwconfig.so` at offset 0xF028
   - 28-byte function: loads flag from struct offset 0x344, compares with 0
   - Returns 0 for PB740-2 with brand=default/CIS
   - All `device_has_*` functions follow the identical pattern (different struct offsets)
2. **`IsBluetoothEnabled`** in `libbluetooth_manager.so` and `libbluetooth_ui.so`
   - Secondary check, likely checks BlueZ adapter presence
3. **`custom_enabler`** in settings.json: `["have_bt:", "have_bt:1"]`
   - Reads from `/var/run/settings.cfg`
   - Two-condition format: key exists + value=1

### Patching device_has_bluetooth
- Function at file offset 0xF028 (in .text section)
- Patch: `MOV R0, #1; BX LR` = `01 00 A0 E3 1E FF 2F E1` (8 bytes)
- Pad the remaining 20 bytes with NOPs (`00 00 A0 E1`)
- Deploy via bind-mount: `mount -o bind /mnt/secure/lib/libhwconfig.so /ebrmain/cramfs/lib/libhwconfig.so`
- **NOTE**: This patch alone does NOT fix the BT toggle — `IsBluetoothEnabled` is the actual toggle gate

## Localization/Region System
- Regions in dragon.tar: `demos_740-2_WW.d.tgz`, `demos_740-2_CIS.d.tgz`, `demos_740-2_RU.d.tgz`
- These contain ONLY setup wizard images (PNG slides) — NO device.cfg variants
- `brand=default` in device.cfg maps to a locale based on the `partner` field
- `partner=default` → CIS, `partner=bookland` → ?
- No EU variant exists in the firmware
- Localization packages do NOT affect Bluetooth feature availability

## Pbjb (Jailbreak/Services) Architecture
- Installs to `/mnt/secure/` (separate partition, survives updates)
- Init scripts in `/mnt/secure/etc/init.d/` (run by custom rcS)
- Settings injected via `/mnt/ext1/system/config/settings/settings.json`
- `services-installer.sh`: prepends a "Rooted device settings" submenu to settings.json
- **Firmware 6.8 breaks pbjb**: the settings.json override no longer takes effect
- SSH/USBNet/init scripts still work (low-level components)
- Settings UI integration is what's broken

## D-Bus Configuration
- `/etc/dbus-1/system.d/bluetooth.conf` — allows root, reader, sreader
- `bluealsa.conf` — separate bluealsa D-Bus policy
- `sudo` is restricted: only allows specific commands for user `reader`
- `bluetooth_agent_app` CAN launch as reader via `sudo -u reader`

## Key File Locations Summary
| File | Purpose | Writable? |
|------|---------|-----------|
| /ebrmain/config/device.cfg | Device identity (brand, model) | No (cramfs) |
| /ebrmain/config/settings/settings.json | Settings menu template | No (cramfs) |
| /mnt/ext1/system/config/settings/settings.json | User settings override | Yes |
| /var/run/settings.cfg | Runtime feature flags | Yes (tmpfs) |
| /var/run/device.cfg | Runtime device identity | Yes (tmpfs) |
| /mnt/secure/device.cfg | Pbjb device config override | Yes |
| /mnt/ext1/system/config/rootsettings.cfg | Pbjb service flags | Yes |
| /mnt/ext1/system/config/global.cfg | User preferences | Yes |

## CRC32 Hash Known Values
| File | Have BT | CRC32 Hash |
|------|---------|------------|
| settings.cfg | 0 | `#01fb3e1b` |
| settings.cfg | 1 | `#6776102f` |
| rootsettings.cfg (original) | N/A | `#2355e950` |
| rootsettings.cfg (+bt=1) | N/A | `#8c0c26d7` |

## Feature Struct Layout (libhwconfig.so)
All `device_has_*()` functions read from a shared feature struct at runtime. Each function loads a pointer from the GOT, dereferences it, then reads a byte at a specific offset. The struct is populated at boot from the device.cfg files.

| Offset | Feature | Expected | Function |
|--------|---------|----------|----------|
| 0x130 | touchpanel | 1 (TRUE) | device_has_touchpanel |
| 0x160 | slider | ? | device_has_slider |
| 0x16c | gyroscope | ? | device_has_gyroscope |
| 0x178 | extcard | ? | device_has_extcard |
| 0x2d0 | audio | 1 (TRUE) | device_has_audio |
| 0x2e0 | usb | ? | device_has_usb |
| 0x2e4 | usbhost | 0 (FALSE) | device_has_usbhost |
| 0x2e8 | frontlight | 1 (TRUE) | device_has_frontlight |
| 0x334 | lightsensor | ? | device_has_lightsensor |
| **0x344** | **bluetooth** | **0 (FALSE)** | **device_has_bluetooth** |
| 0x348 | wifi | 1 (TRUE) | device_has_wifi |
| 0x354 | gsm | 0 (FALSE) | device_has_gsm |

### Function Code Pattern
All functions are 28 bytes of ARM: LDR from GOT; LDR deref; LDR byte; CMP; MOVNE; BX LR.
Patch: replace the first 8 bytes with `01 00 A0 E3 1E FF 2F E1` (MOV R0,#1; BX LR). This only fixes device_has_bluetooth — the BT toggle is gated by IsBluetoothEnabled.

## Firmware 6.8 Breaking Changes

### What broke
- User settings.json overrides no longer take effect
- Pbjb and Bluetooth settings entries are filtered out despite correct file content
- Files ARE read (strace confirmed) but entries are silently rejected

### What still works
- Init scripts, bind mounts, CRC32-correct settings.cfg writes
- BT hardware + full BlueZ stack via init scripts

### Hypothesis
Firmware 6.8 added a JSON validation/signature check. Only firmware-template entries are accepted; user additions are silently filtered.

## Boot Flow
Kernel -> /sbin/init -> /mnt/secure/rcS (runs init.d/*.sh) -> ./pocketbook -> explorer.app -> settings.app

## Remaining Paths
1. Live memory patch: modify the feature struct byte at +0x344 in the running process
2. IsBluetoothEnabled LD_PRELOAD shim for libbluetooth_manager.so
3. Firmware downgrade to 6.5 (restores the settings.json override)
4. Alternate config injection via /mnt/secure/device.cfg

## Firmware Version Comparison
| Feature | 5.20.1155 | 6.5.2917 | 6.8.4521 |
|---------|-----------|----------|----------|
| device_has_bluetooth() | NOT PRESENT | ? | Present (returns 0) |
| IsBluetoothEnabled() | NOT PRESENT | ? | Present |
| BT gating | have_bt only | ? | have_bt + device_has_bluetooth + IsBluetoothEnabled |
| SH_BLUETOOTH shortcut | NOT PRESENT | ? | Present |
| shortcuts_bt.json | NOT PRESENT | ? | Present |
| Pbjb settings override | ? | Working | BROKEN |
| BT libraries/tools | Full | Full | Full |

### Key Discovery
Firmware 5.20 has NO compiled C++ checks for Bluetooth beyond settings.cfg:have_bt. The BT panel toggle was controlled SOLELY by the have_bt flag in settings.cfg. This means that on 5.20, setting have_bt=1 (with CRC32) would fully enable the BT UI.

Firmware 6.8 added device_has_bluetooth() in libhwconfig.so AND IsBluetoothEnabled() in libbluetooth_*.so as additional gates, AND broke the pbjb settings.json override. This triple lock makes the BT UI impossible to enable without binary patching.

## Strategy
1. Downgrade to 6.5 (already on device): likely restores pbjb + simpler BT gating
2. Downgrade to 5.20: simplest BT gating (have_bt only) but risk of driver issues

and changelog.md:

# InkPad 3 Pro (U740-2) Firmware Changelog

## 6.8.4521 — 2025-01-27 *(current)*
- FLAC audio support
- Ukrainian TTS voice
- BT headset disconnect fixes during music playback
- LCP DRM profile 2.x

## 6.8.3558 — 2024-05-14
- Dropbox new auth schema
- CBZ dark mode fixes, EPUB cover/position fixes
- Browser dark mode page inversion

## 6.8.2462 — 2023-11-02
- **DARKmode** added
- **Configurable Control Panel** — Bluetooth shortcut now available
- Notes filtering, morphological dictionaries, text suggestions
- **Auto-reconnect BT headphones after startup**
- BT LE uHID device pairing fixes
- BT headphones reconnect after sleep fix
- **Likely broke the pbjb settings.json override**

## 6.7.1702 — (Jan 2023?)
- Improved BT audio codecs (MPEG, LDAC, AAC, SBC)
- Reading gestures, translation notes, Photo Frame app

## 6.5.2917 — 2022-07-26
- AZW/AZW3 support, more dictionaries, sleep logo
- Armenian/Georgian/Ukrainian etc. UI languages
- Faster PDF engine (Pdfium), EPUB3 fixes
- **No `device_has_bluetooth()` function — BT gated by have_bt only**

## 6.5.1381 — 2021-12-22
- **"Stable Bluetooth connection with Bluetooth audio devices"** (German changelog entry: "Stabile Bluetooth-Verbindung mit Bluetooth-Audiogeräten")
- Faster boot, Dropbox sync fixes

## 6.5.768 — 2021-10-18
- Photo Frame app, LCP book renewal/return
- PDF Quick engine (Pdfium), scroll mode for fixed layout
- Pinch-to-zoom dictionary, FB2 footnote fixes

## 6.4.330 — 2021-06-30
- New keyboard UI with long-press characters
- OTF/TTC font support, Chinese pinyin input
- TTS voice download from reader UI
- No BT changes

## 6.3.691 — 2021-03-31
- LCP DRM support, PDF contrast/brightness/gamma
- EPUB processing speed/quality improvements
- Onleihe app, series support in shop
- No BT changes

## Key Technical Facts
- **`device_has_bluetooth()` function**: NOT in 6.5; ADDED in 6.8
- **`IsBluetoothEnabled()` function**: NOT in 6.5; ADDED in 6.8
- **Pbjb settings.json override**: works in 6.5; BROKEN in 6.8
- **BT in 6.5**: gated ONLY by `have_bt:1` in settings.cfg (CRC32-protected)
- **BT in 6.8**: triple-gated by `have_bt` + `device_has_bluetooth()` + `IsBluetoothEnabled()`
- **Downgrade path**: 6.8 → 6.5 = restored pbjb + simple BT unlocking

## 5.20.1155 — 2019-07-30 *(earliest)*
- FB2 hyphenation, footnote UI, font hinting fixes
- DjVu/CBR/CBZ cover scanner
- Touchscreen disable during reading
- Browser autocomplete, M4B audiobook fixes
- **No BT changes** — BT hardware present, no compiled C++ BT checks
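Two pieces of the analysis above are mechanical enough to be worth having as working code: the `#XXXXXXXX` CRC32 trailer on `.cfg` files (the reason a plain `sed -i have_bt=1` is silently reverted from the `.back` copy), and the 28-byte `MOV R0,#1; BX LR` + NOP stub for `device_has_*` functions. The module below is an added example, not the post's or PocketBook's code. It follows the format stated in the post (body = all lines before the trailer, newline included, hashed with zlib/PKZip CRC32). The sample `settings.cfg` content is constructed, so its hash will not match the post's known values, and the `key=value` line syntax used by `set_key` is an assumption (the post only shows the `have_bt:1` condition in `custom_enabler`, not the actual file lines).

```python
"""Re-sign CRC32-protected PocketBook .cfg files and build the device_has_* stub.

Example usage on device (assumed paths from the post):
    python3 pbcfg.py  # or import and call set_key()/patch_function() from a script
"""
import re
import zlib

# Trailer line: '#' followed by exactly eight hex digits, nothing else.
HASH_LINE = re.compile(rb"^#[0-9a-fA-F]{8}$")


def split_cfg(data):
    """Return (body, trailer). trailer is None when the file carries no hash line."""
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":      # file ended with "\n": drop the empty tail element
        lines.pop()
    if lines and HASH_LINE.match(lines[-1]):
        return b"\n".join(lines[:-1]) + b"\n", lines[-1]
    return data, None


def compute_trailer(body):
    """CRC32 (zlib/PKZip polynomial) of the body bytes, formatted as the firmware expects."""
    return b"#%08x" % (zlib.crc32(body) & 0xFFFFFFFF)


def verify_cfg(data):
    """True only if the last line is a hash line that matches the body above it."""
    body, trailer = split_cfg(data)
    return trailer is not None and trailer.lower() == compute_trailer(body)


def sign_cfg(body):
    """Append (or replace) the trailer so the firmware accepts the file instead of restoring .back."""
    body, _ = split_cfg(body)
    if not body.endswith(b"\n"):
        body += b"\n"
    return body + compute_trailer(body) + b"\n"


def set_key(data, key, value, sep=b"="):
    """Make the edit `sed -i` would make (key<sep>value), then re-sign.
    The key<sep>value line format is an assumption, not confirmed by the post."""
    body, _ = split_cfg(data)
    lines = body.rstrip(b"\n").split(b"\n") if body.strip() else []
    prefix = key + sep
    for i, line in enumerate(lines):
        if line.startswith(prefix):
            lines[i] = prefix + value
            break
    else:
        lines.append(prefix + value)
    return sign_cfg(b"\n".join(lines) + b"\n")


# --- device_has_* return-true stub (byte values as given in the post) ----------
MOV_R0_1 = bytes.fromhex("0100A0E3")   # MOV R0, #1   (ARM, little-endian E3A00001)
BX_LR    = bytes.fromhex("1EFF2FE1")   # BX LR        (E12FFF1E)
NOP      = bytes.fromhex("0000A0E1")   # MOV R0, R0   (E1A00000), used as padding
FUNC_LEN = 28                          # every device_has_* function is 28 bytes


def build_return_true_stub(length=FUNC_LEN):
    """MOV R0,#1; BX LR followed by NOP padding up to the function length."""
    stub = MOV_R0_1 + BX_LR
    if length < len(stub) or (length - len(stub)) % 4:
        raise ValueError("length must be >= 8 and a multiple of 4")
    return stub + NOP * ((length - len(stub)) // 4)


def patch_function(image, offset, length=FUNC_LEN):
    """Overwrite the function at a file offset (e.g. 0xF028 for device_has_bluetooth).
    Refuses unless the region ends in BX LR, which the post says every device_has_* does."""
    region = image[offset:offset + length]
    if len(region) != length or region[-4:] != BX_LR:
        raise ValueError("region does not look like a device_has_* function")
    return image[:offset] + build_return_true_stub(length) + image[offset + length:]


# Constructed sample settings.cfg (not the real file; line format assumed).
SAMPLE_CFG = sign_cfg(b"have_wifi=1\nhave_bt=0\n")
```

`verify_cfg` answers the question the firmware asks at boot: if it returns False for a file you edited, expect the `.back` copy to win. `set_key` is the safe replacement for `sed -i`, and `patch_function` stops short of writing anything that does not end in the expected `BX LR`, which catches a wrong offset before a bad `libhwconfig.so` is bind-mounted over the real one.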

#3

Connoisseur
Posts: 59
Karma: 3656
Join Date: Feb 2009
Device: cybook
So I downgraded to 6.7 because Bluetooth isn't locked up so hard there; also, you can replace explorer with KOReader.

#4

Member
Posts: 10
Karma: 98538
Join Date: Mar 2026
Location: Berlin
Device: PocketBook InkPad 4
I hope you are using Ghidra MCP already? It really helps LLMs navigate firmware.
Try simply editing /etc/hwconfig (it's likely an 8-byte binary file, but it could also be a plain-text integer). This integer should go down by one according to my research, e.g. 0xBA03<zeroes> -> 0xAA03<zeroes> (0x3B=59, 0x3A=58; the A in the middle just indicates the format). PB-740-2 devices with BT enabled are 45, 58 and 73, whereas those with BT disabled are 46, 59 and 74. Ask Claude to figure out the init_hwconfig_ext mechanics (libhwconfig.so); there are built-in device capability tables inside that library.

#5

Member
Posts: 10
Karma: 98538
Join Date: Mar 2026
Location: Berlin
Device: PocketBook InkPad 4
Try reducing the first byte of /etc/hwconfig by 16, e.g. 0xBA -> 0xAA. (This file is traditionally 8 bytes, and these days the last 6 of those are zeroes; but it could also be a plain-text integer in newer devices. If so, even better: just reduce it by one.)
Ask Claude to explain the internals of init_hwconfig_ext in libhwconfig.so (I hope you are using Ghidra MCP already?); the device capability tables are located there.