Update 2022-01-29: The methods described below also work for the most current firmware version at the time of this writing, i.e. v3.2 (20211130).

Update 2022-03-04: Most of this guide still holds true for the Boox Note Air 2, although the EDL mode requires a different loader and UFS storage mode. I’ve added this to the paragraphs below.

I recently bought an Onyx Boox Note Air E-Ink tablet, and I’m quite satisfied with it. However, the device notoriously phones home to servers in China, which I don’t like. I tried to find a way to disable this, and I ended up with a fully rooted device that doesn’t phone home anymore. Here are some methods to access various parts of the system. All of them have been tested with a Boox Note Air 1 running firmware versions v3.0 and v3.1.

Decrypt firmware updates

Onyx publishes encrypted firmware updates on their website. Luckily, the encryption scheme has already been reversed, and there is a tool available called decryptBooxUpdateUpx that can help you with decrypting it.

  • Install decryptBooxUpdateUpx
  • Download firmware update from boox.com, save it as update.upx
  • Decrypt update:
    python DeBooxUpx.py NoteAir update.upx
    
  • Unzip the resulting zip file: unzip update.zip

The zip file contains the following files:

  • abl.elf: Android bootloader
  • boot.img: Kernel image
  • compatibility.zip: Unknown
  • META-INF: Stuff for update mechanism
  • persist.img: persist partition
  • pmic.elf: Unknown
  • rpm.mbn: Unknown
  • system.*: Partial update for system partition
  • vendor.*: Partial update for vendor partition
  • xbl.elf: Extensible Bootloader

Note for Boox Note Air 2 users: As of now (2022-03-04), Onyx has not yet published a firmware file for the device to the page above. So if you want to retrieve one of the image files, you will need to dump it from your device using EDL mode (see below).

Boot into recovery

There are two methods to boot into recovery. The first one needs a working device, so it doesn’t work for bricked devices:

  • Turn on developer options in settings
  • Reboot into recovery:
    adb reboot recovery
    

The second option also works for (partially) bricked devices:

  • Power off the device, do not connect a USB or power cable
  • Hold down the power button, continue to hold it
  • Wait until the small blue power LED inside the button turns on, and continue to hold for about 7 seconds
  • Release the power button, and press it exactly 5 times
  • After some waiting, you should be greeted with the recovery menu

Within the recovery system, you can navigate to the next menu item by briefly closing the cover, and select an item by pressing the power button. But beware: Button reaction and screen refresh times are rather slow in the recovery, so wait 1-2 seconds after closing the cover until the screen refreshes. Unfortunately, the menu order makes it easy to accidentally wipe your device: “Boot to bootloader” is the second option, “Wipe data” the third, so if you don’t wait long enough for the screen to refresh, you may accidentally select the wrong option.

Boot into fastboot mode

Again, there are two options to boot into fastboot mode. The first one again needs a working device:

  • Turn on developer options in settings
  • Reboot into fastboot mode:
    adb reboot fastboot
    

The second option works via the recovery mode:

  • Boot into recovery mode (see above)
  • Select Reboot to bootloader by closing the cover once
  • Wait 1-2 seconds to be sure that you have selected the correct option (refresh times are slow)
  • Hit the power button to boot into fastboot

Since the bootloader should be unlocked by default, you can flash images without wiping your user data, get general device info etc.

Boot into Emergency Download (EDL) 9008 mode

This only works from a running device:

  • Turn on developer options
  • Reboot into EDL mode:
    adb reboot edl
    
  • Download and install the Qualcomm Sahara / Firehose Diag Tools
  • You’ll need a programmer for the device. Try to look for one called prog_emmc_ufs_firehose_Sdm636_ddr.elf
  • Control the device like this:
    python edl.py --loader=prog_emmc_ufs_firehose_Sdm636_ddr.elf <command>
    

    The help command displays all options.

With this, you can dump and flash images to the device, read the partition table, etc.:

  • Read partition table:
    python edl.py --loader=prog_emmc_ufs_firehose_Sdm636_ddr.elf printgpt
    
  • Dump single partition (e.g. boot):
    python edl.py --loader=prog_emmc_ufs_firehose_Sdm636_ddr.elf r boot boot.img
    

Note for Boox Note Air 2 users: According to this post on the MobileRead forums, you might need a different programmer called 0014d0e100000000_d40eee56f3194665_FHPRG.bin. Also, since the device has UFS storage, the full command for EDL looks like this:

python edl.py --loader 0014d0e100000000_d40eee56f3194665_FHPRG.bin --memory=ufs <command>

Boot into Emergency Download (EDL) 900E mode

This mode also works for bricked devices; however, there doesn’t seem to be a loader available to actually do something useful.

  • Power off the device
  • Hold down the power button, continue to hold it
  • The small blue power LED should light up. Continue to hold the power button.
  • At some point, the LED should go off for about 0.5 seconds, and immediately light up again.
  • Your device is now in EDL (900E) mode.

Rebooting from this mode seems to be weird. I had success with holding the power button for extended periods; at some point the device boots up again in normal mode.

Root

The device can be rooted with Magisk (tested with v22).

  • Prepare a patched boot.img:
    • Install the Magisk app as per their instructions
    • Grab the current kernel boot.img, either from their firmware update file, or by dumping it via EDL (9008) mode - see above.
    • Copy the file to your device.
    • Patch the boot image with Magisk. Note: Although the app says “Ramdisk: No”, I was still able to use it without the extra steps for Magisk in Recovery, as described below.
    • Copy the resulting file (e.g. magisk_patched_Jc7cB.img) off your device
  • Try without flashing first:
    • Reboot into fastboot (see above)
    • Boot into the patched image: fastboot boot magisk_patched_Jc7cB.img
    • The device should boot, and you should be root temporarily, until you turn off the device.
    • Open Magisk and see if it says “Magisk: Installed: 22.0”
  • If everything works, flash the image to the boot partition:
    • Reboot into fastboot (see above)
    • Flash: fastboot flash boot magisk_patched_Jc7cB.img
    • Reboot device: fastboot reboot
    • Open Magisk and see if it says “Magisk: Installed: 22.0”

Because this is a systemless root, you will still be able to update the firmware through their update mechanism. However, you will lose root and have to re-root afterwards.
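
The following shell functions are an added example, not part of the original post. They check that the stock and patched files are Android boot images, that an EDL dump of the boot partition begins with the boot.img from the firmware update, and they print SHA-256 hashes to keep with the backup. The function names are hypothetical, and head, tr, wc, cmp and sha256sum are assumed to be available on the host.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes head, tr, wc, cmp, sha256sum.

# True if FILE starts with the Android boot image magic "ANDROID!".
is_boot_image() {
    [ -f "$1" ] || return 1
    magic=$(head -c 8 "$1" | tr -d '\0')
    [ "$magic" = "ANDROID!" ]
}

# Print the SHA-256 of FILE as bare hex.
image_sha256() { sha256sum "$1" | cut -d' ' -f1; }

# dump_matches_firmware IMG DUMP
# True if the EDL dump DUMP begins with the bytes of firmware image IMG.
# A partition dump is as large as the partition, so only the prefix is compared.
dump_matches_firmware() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le "$(wc -c < "$2" | tr -d ' ')" ] || return 1
    head -c "$size" "$2" | cmp -s - "$1"
}

# check_patched STOCK PATCHED -> 0 ok, 1 not a boot image, 2 identical files
check_patched() {
    for f in "$1" "$2"; do
        is_boot_image "$f" || { echo "not a boot image: $f" >&2; return 1; }
    done
    if [ "$(image_sha256 "$1")" = "$(image_sha256 "$2")" ]; then
        echo "patched image is identical to stock: $2" >&2
        return 2
    fi
    # Keep these hashes: the stock one identifies the image to restore later.
    echo "stock   $(image_sha256 "$1")  $1"
    echo "patched $(image_sha256 "$2")  $2"
}

# Usage:
#   check_patched boot.img magisk_patched_Jc7cB.img && fastboot boot magisk_patched_Jc7cB.img
```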

Disable phoning home to China

The device contacts Boox servers for push updates etc. To disable this, you may install a firewall:

  • Root the device (see above)
  • Install AFWall+
  • Disable network access for all Onyx applications, especially the one with UID 1000. This UID is shared by most of the Onyx applications, so blocking this one is important.
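
To see what a rule for UID 1000 actually covers, the output of adb shell pm list packages -U can be grouped by UID; UID 1000 is also Android's own system UID, so the list usually includes platform packages as well. The functions below are an added example, not part of the original post; the function names, the com.onyx. prefix and the sample package list are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post.
# Input on stdin: output of `adb shell pm list packages -U`,
# one line per package in the form "package:<name> uid:<uid>".

# Constructed sample; the package names are made up for illustration.
sample_pm_output() {
    cat <<'EOF'
package:android uid:1000
package:com.onyx.example.launcher uid:1000
package:com.onyx.example.notes uid:1000
package:com.onyx.example.store uid:10071
package:org.example.reader uid:10102
EOF
}

# Print the names of all packages that run under UID $1.
packages_with_uid() {
    awk -v uid="$1" '{
        sub(/\r$/, "")                       # adb output may end in CR
        if ($1 ~ /^package:/ && $2 == ("uid:" uid)) {
            name = $1; sub(/^package:/, "", name); print name
        }
    }' | LC_ALL=C sort
}

# Print "<uid> <name>" for packages whose name starts with prefix $1 but
# that do NOT run under UID $2; these need their own firewall rule.
packages_outside_uid() {
    awk -v pre="$1" -v uid="$2" '{
        sub(/\r$/, "")
        name = $1; sub(/^package:/, "", name)
        u = $2; sub(/^uid:/, "", u)
        if (index(name, pre) == 1 && u != uid) print u, name
    }' | LC_ALL=C sort
}

# On a device:
#   adb shell pm list packages -U | packages_with_uid 1000
#   adb shell pm list packages -U | packages_outside_uid com.onyx. 1000
```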

Note that you lose things like note syncing, automatic firmware updates etc. However, you can still apply firmware updates manually:

  • Download update.upx from their website
  • Copy it to the device: adb push update.upx /sdcard/update.upx
  • Open settings, go to firmware update, and check for updates

Note that, as above, you will lose root access after the update and have to re-root the device.

Have fun!