inkpad hacked

[x3oo]

so i made a quick summary on whats possible, its probably 98% correct:
learnings are probably transferable on different devices

# InkPad 3 Pro — Complete Enhancement Guide

Device: PB740-2 (U740-2), firmware 6.7.1702 (recommended). Works on 6.3–6.7.
Chipset: Allwinner B288 (Cortex-A7, VFPv4). Panel: ED078KH4U2_TC (7.8" Carta, 1872×1404).

## Overview

Goal: unlock Bluetooth + audio player + direct KOReader boot + REAGL fast display.

Result: BT pairing (audio/keyboard), PB_AudioBooks app, KOReader at ~6s boot, 2.1× display speed, 740MB RAM saved.

## Prerequisites

1. Install [pbjb Services](https://github.com/ezdiy/pbjb) on device (gives root SSH)
2. Verify: `ssh pb` works
3. Download KOReader zip (pocketbook-a7-o3 build)

## Step 1 — SSH Key Auth (one-time)

```sh
ssh pb 'mkdir -p /mnt/secure/etc/dropbear'
scp ~/.ssh/id_rsa.pub pb:/mnt/secure/etc/dropbear/authorized_keys
```

## Step 2 — Grab libhwconfig.so

```sh
scp pb:/ebrmain/cramfs/lib/libhwconfig.so /tmp/libhwconfig.so
```

## Step 3 — Patch libhwconfig.so

Requires ARM binutils (`apt-get download binutils-arm-linux-gnueabi`). On your PC:

```sh
# Find offsets
arm-linux-gnueabi-objdump -T /tmp/libhwconfig.so | grep device_has_bluetooth
arm-linux-gnueabi-objdump -T /tmp/libhwconfig.so | grep device_bluetooth
arm-linux-gnueabi-objdump -T /tmp/libhwconfig.so | grep device_has_audio
arm-linux-gnueabi-objdump -T /tmp/libhwconfig.so | grep device_audio
```

Patch (offsets for fw 6.7; verify with objdump):

```python
import struct
with open('/tmp/libhwconfig_patched.so', 'wb') as out:
data = open('/tmp/libhwconfig.so', 'rb').read()
out.write(data)
with open('/tmp/libhwconfig_patched.so', 'r+b') as f:
# device_has_bluetooth @0x90c0: MOV R0,#1; BX LR
f.seek(0x90c0); f.write(struct.pack('<I', 0xe3a00001))
f.seek(0x90c4); f.write(struct.pack('<I', 0xe12fff1e))
# device_bluetooth @0x90ac: MOV R0,#6; BX LR (BLUETOOTH_RTL8761)
f.seek(0x90ac); f.write(struct.pack('<I', 0xe3a00006))
f.seek(0x90b0); f.write(struct.pack('<I', 0xe12fff1e))
# device_has_audio @0x8f68: MOV R0,#1; BX LR
f.seek(0x8f68); f.write(struct.pack('<I', 0xe3a00001))
f.seek(0x8f6c); f.write(struct.pack('<I', 0xe12fff1e))
# device_audio @0x8f54: MOV R0,#5; BX LR (AUDIO_ALOOP_WITH_SPEAKER)
f.seek(0x8f54); f.write(struct.pack('<I', 0xe3a00005))
f.seek(0x8f58); f.write(struct.pack('<I', 0xe12fff1e))
```

## Step 4 — Deploy Patched libhwconfig + Device Config

```sh
ssh pb 'mkdir -p /mnt/secure/lib /mnt/secure/config'
scp /tmp/libhwconfig_patched.so pb:/mnt/secure/lib/

# Create modified device.cfg (use_audio_player=1)
ssh pb '
cp /ebrmain/config/device.cfg.gen /mnt/secure/config/device.cfg
sed -i "s/use_audio_player=0/use_audio_player=1/" /mnt/secure/config/device.cfg
grep use_audio /mnt/secure/config/device.cfg # verify
'
```

## Step 5 — Init Scripts

Create `/mnt/secure/etc/init.d/02-hwconfig-patch.sh`:

```sh
#!/bin/sh
# Patch libhwconfig.so + device.cfg + apps.json
mount -o bind /mnt/secure/lib/libhwconfig_patched.so /ebrmain/cramfs/lib/libhwconfig.so 2>/dev/null
mount -o bind /mnt/secure/config/device.cfg /ebrmain/config/device.cfg.gen 2>/dev/null
mount -o bind /ebrmain/cramfs/config/desktop/apps/apps.json.has_audio /ebrmain/cramfs/config/desktop/apps/apps.json 2>/dev/null
```

Create `/mnt/secure/etc/init.d/85-bt.sh.bg`:

```sh
#!/bin/sh
# BT init — nohup survives rcS shell exit
nohup sh -c '
echo 1 > /sys/devices/soc/bt.6/enable
sleep 2
/sbin/rtk_hciattach -n -s 115200 /dev/ttyS2 rtk_h5 &
sleep 2
hciconfig hci0 up
/usr/libexec/bluetooth/bluetoothd -n &
sleep 1
/usr/libexec/bluetooth/bluealsa &
' >/dev/null 2>&1 &
```

```sh
chmod 755 /mnt/secure/etc/init.d/02-hwconfig-patch.sh
chmod 755 /mnt/secure/etc/init.d/85-bt.sh.bg
```

## Step 6 — REAGL Mode 8 (2.1× Display Speed)

Add to `/mnt/secure/etc/init.d/03-koreader.sh` (before bind-mounts):

```sh
# Activate REAGL waveform mode
if [ -x /mnt/ext1/applications/koreader/luajit ]; then
/mnt/ext1/applications/koreader/luajit -e '
ffi = require("ffi")
ffi.cdef[[int open(const char*,int); int close(int); int ioctl(int, unsigned long, ...);]]
require("ffi/mxcfb_pocketbook_h")
ffi.cdef[[struct mxcfb_waveform_modes { int mode_count; int modes[16]; };]]
wm = ffi.new("struct mxcfb_waveform_modes")
wm.mode_count = 11
for i = 0, 10 do wm.modes[i] = 8 end
wm.modes[14] = 8
fd = ffi.C.open("/dev/fb0", 2)
ffi.C.ioctl(fd, 0x4024462B, wm)
ffi.C.close(fd)
' 2>/dev/null
fi
```

Verify after boot: `cat /sys/devices/platform/sw-epdc.0/waveform_info | grep mode.8`

## Step 7 — KOReader Direct Boot

Install KOReader to `/mnt/ext1/applications/koreader/`. From the repo:

```sh
scp plugins/pocketbook-tools.koplugin/boot_enable.sh pb:/tmp/
ssh pb 'sh /tmp/boot_enable.sh'
```

This generates `03-koreader.sh` with REAGL included. Reboot to test.

## Step 8 — CPU Governor (Performance)

Create `/mnt/secure/etc/init.d/00-cpufreq.sh`:

```sh
#!/bin/sh
echo performance > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
echo performance > /sys/devices/system/cpu/cpu1/cpufreq/scaling_governor
```

## Step 9 — First Reboot & Verification

```sh
ssh pb '/sbin/reboot'
# Wait 30s
ssh pb '
echo "=== BT ===" && hciconfig -a | head -3
echo "=== BT services ===" && pidof bluetoothd bluealsa
echo "=== Settings ===" && grep "have_bt\|have_mplayer\|is_brand_fixed" /var/run/settings.cfg
echo "=== REAGL ===" && cat /sys/devices/platform/sw-epdc.0/waveform_info | grep -c "mode 8"
echo "=== KOReader ===" && pidof reader.lua
'
```

## Step 10 — Pair BT Devices

For audio devices (Redmi Buds, most earbuds with NoInputNoOutput):

```sh
ssh pb '
echo -e "agent NoInputNoOutput\ndefault-agent\npairable on\ndiscoverable on" | bluetoothctl
'
# Then pair from phone/device, or:
ssh pb 'echo -e "pair XX:XX:XX:XX:XX:XX\ntrust XX:XX:XX:XX:XX:XX" | bluetoothctl'
```

Keyboard pairing:
```sh
ssh pb '
echo -e "agent KeyboardDisplay\ndefault-agent\npairable on\ndiscoverable on" | bluetoothctl
'
```


## Step 11 — Audio Playback (MP3)

BT device must be connected. Uses D-Bus bluealsa PCM (bypasses broken ALSA plugin).

```sh
# On PC: cross-compile mp3dec (one-time)
docker run --rm -v /tmp/pbmp3:/work:rw pbdev bash -c "
apt-get update -qq && apt-get install -y -qq libasound2-dev
cd /work && arm-linux-gnueabi-gcc -static -O2 -o mp3dec mp3dec.c -lm
" && scp /tmp/pbmp3/mp3dec pb:/mnt/ext1/bench/pocketbook-a7-o3/

# On device: player script
ssh pb "cat > /mnt/secure/bin/pbplay << 'SH'
#!/bin/sh
DEV=\"\${2:-54:84:50:12:FA:9D}\"
FIFO=/tmp/ba_\$\$; rm -f \$FIFO; mkfifo \$FIFO
dbus-send --system --dest=org.bluealsa --print-reply \
\"/org/bluealsa/hci0/dev_\$DEV/a2dpsrc/sink\" \
org.bluealsa.PCM1.Open < \$FIFO > /dev/null 2>&1 &
sleep 2
for f in /proc/\$!/fd/*; do [ -p \"\$f\" ] && exec cat > \"\$f\"; done
SH
chmod +x /mnt/secure/bin/pbplay"

# Play:
ssh pb '/mnt/ext1/bench/pocketbook-a7-o3/mp3dec "file.mp3" | /mnt/secure/bin/pbplay'
```
## Safety Escape

To boot into normal PocketBook UI (e.g., for Settings):
- Hold any button during boot (>3 presses) → normal boot
- Or: `touch /mnt/ext1/NO_KOREADER_BOOT && reboot`

To restore KOReader boot: `rm /mnt/ext1/NO_KOREADER_BOOT && reboot`

## Recovery

If device won't boot: USB cable + `ssh pb '/mnt/secure/bin/recover.sh; reboot'`

## What You Get

| Feature | Before | After |
|---------|--------|-------|
| Bluetooth | Locked (CIS variant) | Working (pairing + audio/keyboard) |
| Audio player | Hidden | PB_AudioBooks in launcher |
| Boot time | 35s+ (explorer) | ~6s (KOReader) |
| Free RAM | ~250MB | ~740MB |
| Display speed | GC16 (576 frames) | REAGL (270 frames), 2.1× |
| CPU governor | interactive (laggy) | performance (instant ramp) |
| E-ink flashes | Every 6 pages | REAGL: no flash (just ghost-compensated partial) |

## Limitations

- BT UI locked on firmware 6.8+ (additional C++ checks). Stay on 6.7.
- No A2DP source — device sends audio to BT speaker, can't receive phone audio.
- Kernel lacks BNEP — no BT tethering.
- `monitor.app` suspend handling still required — don't kill PocketBook display server.