• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

Rooting Sony's e-reader DPT-RP1 and DPT-CP1

Search This thread

sartrism

Member
Oct 24, 2010
20
12
Cambridge
Update (5/18/2019)

Since the first tool was released, HappyZ has improved many features so I think I can just refer to

* HappyZ's rooting guide: https://github.com/HappyZ/dpt-tools/wiki/The-Ultimate-Rooting-Guide
- The only thing I want to add as Windows user is (because the guide is for Mac/Linux users) it gets much easier if you use Linux terminal like cygwin, and the port name should be something like COM# where # can be found in Device Manager by comparing before/after you attach the device.

* HappyZ's upgrade guide: https://github.com/HappyZ/dpt-tools/wiki/The-Upgrade-Guide (Recommend to read this before/after you update the new firmware.)

You may donate a cup of coffee to him there :) Thanks to all others who contributed a lot.

--
Update (12/02/2018) -- These are outdated.
Finally we manage to root the device! Many thanks to all of your efforts.

Just refer to HappyZ's well written guide: https://github.com/HappyZ/dpt-tools

For whom have never used python like me (and probably using Windows):
(1) Install Python 3 and add it to PATH.
(2) Install MINGW64 and run scripts here instead of Powershell due to xxd issue if you are on Windows.
(2) pip httpsig pyserial on bash.
(3) Download HappyZ's dpt-tools and unzip.
(4* this issue is fixed by HappZ)
(5) Follow HappyZ's guide. You should execute dpt-tools.py in the folder you unzipped to use get-su-bin because of how the script is written.

Some suggestions after rooting (let me know if you have better ideas):

Here is my setup: install "E-ink Launcher" and "Multi action home button" using adb install.
Use adb shell am start -a android.intent.action.MAIN to change the main launcher to your launcher.
Then change the setting of Multi Action Home button (say, the height should be large to be visible in the bottom) and assign its function to be Home for click and Back for double-click.
Whenever you want to use Sony's apps (these are good for pdf markup), just push the home button to open the pop-up menu.
Otherwise, touch the Multi Action Home Button to access to other Android apps. So far I've never experience any crash.

Yet more tips:
Some complain fonts are too small after installing generic apps.
adb shell wm density 320 changes your DPI by 2 times (160 is a default value.) EDIT: I found 200 is quite enough that does not distort Sony apps too much.
My application is using "Tasker" to execute the above code when specific apps are open and execute wm density reset when the apps are closed.
The reason why we cannot change the global DPI is sadly because it makes the default apps by Sony so awkward.
Alternatively, I could successfully install Xposed to try App Settings but this app crashed.

You can also install Gboard (but it has no hide button, so prepare with virtual back button) if you need another keyboard.

Enjoy your DPT devices :)

--
Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.

I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.

Is this information really helpful to root my device? If so, is there any way to apply the previous methods to easily jailbreak DPT-RP1? I think the problem here is that it does not look like Android at all, so has no setting menu or developer tools. And not sure how to enter to the recovery mode since it only has two buttons - power/menu.

I'd appreciate any help or advice. Thanks!
 
Last edited:

Droidriven

Senior Member
Jan 27, 2014
14,918
1
5,183
NC
Verizon Samsung Galaxy S III
HTC Thunderbolt
Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.

I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.

Is this information really helpful to root my device? If so, is there any way to apply the previous methods to easily jailbreak DPT-RP1? I think the problem here is that it does not look like Android at all, so has no setting menu or developer tools. And not sure how to enter to the recovery mode since it only has two buttons - power/menu.

I'd appreciate any help or advice. Thanks!

You must be an iPhone user that isn't familiar with android. Jailbreak in is an Apple thing, not an android thing.

In android it's called "rooting" and it isn't quite the same thing as jailbreaking an Apple device.

This device does not at all seem to be worth the price, especially considering the limitations it has. What a waste of hardware.

I would assume that you could port something from one of those other devices to work on yours but it really depends on how your hardware is designed compared to those devices.

Does your device have a typical bootloader like other android devices?

Is the bootloader unlocked?

If it is locked, can it be unlocked?

Does the device use fastboot or does it have a flash mode that is used with a specific PC flashtool?

If it is unlocked or if you can unlock it and it has a flash mode that can actually be used, you might be able to port a custom recovery from one of the devices you named then use that recovery to somehow root the device. If the device can't install android apps then it would probably involve using adb to root the device.


I DO NOT PROVIDE HELP IN PM, KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE
 
Last edited:

sartrism

Member
Oct 24, 2010
20
12
Cambridge
You must be an iPhone user that isn't familiar with android. Jailbreak in is an Apple thing, not an android thing.

In android it's called "rooting" and it isn't quite the same thing as jailbreaking an Apple device.

This device does not at all seem to be worth the price, especially considering the limitations it has. What a waste of hardware.

I would assume that you could port something from one of those other devices to work on yours but it really depends on how your hardware is designed compared to those devices.

Does your device have a typical bootloader like other android devices?

Is the bootloader unlocked?

If it is locked, can it be unlocked?

Does the device use fastboot or does it have a flash mode that is used with a specific PC flashtool?

If it is unlocked or if you can unlock it and it has a flash mode that can actually be used, you might be able to port a custom recovery from one of the devices you named then use that recovery to somehow root the device. If the device can't install android apps then it would probably involve using adb to root the device.

Thanks for suggesting a general principle! I just use the word jailbreaking not because I'm an iPhone user. What I actually want to do as the first step is not rooting an android system, but revealing it from the current customized linux system. Rooting is the next step if necessary. If the word choice is still not accurate and bothers you, I apologize.

It has apparently no typical bootloader, and neither PC nor adb recognize it as an android device. In fact, direct USB file transfer is blocked so I need to use Sony's designated software. But an android system surely coexists according to the hacker who already rooted it.
 
Last edited:

Droidriven

Senior Member
Jan 27, 2014
14,918
1
5,183
NC
Verizon Samsung Galaxy S III
HTC Thunderbolt
Thanks for suggesting a general principle! I just use the word jailbreaking not because I'm an iPhone user. What I actually want to do as the first step is not rooting an android system, but revealing it from the current customized linux system. Rooting is the next step if necessary. If the word choice is still not accurate and bothers you, I apologize.

It has apparently no typical bootloader, and neither PC nor adb recognize it as an android device. In fact, direct USB file transfer is blocked so I need to use Sony's designated software. But an android system surely coexists according to the hacker who already rooted it.
Without some kind of way to flash or interface with the device there isn't much you can do.

I have a kindle fire HD that didn't come with a typical android system but does have a typical bootloader. The Amazon OS was removed and now it's full blown android but it required a "second" bootloader. You don't have a bootloader so I'm not sure what your options are with that device.



I DO NOT PROVIDE HELP IN PM, KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE
 

MarkBell

Senior Member
Nov 9, 2010
273
55
Murfreesboro, TN, USA
You must be an iPhone user that isn't familiar with android. Jailbreak in is an Apple thing, not an android thing.

In android it's called "rooting" and it isn't quite the same thing as jailbreaking an Apple device.

This device does not at all seem to be worth the price, especially considering the limitations it has. What a waste of hardware.

I would assume that you could port something from one of those other devices to work on yours but it really depends on how your hardware is designed compared to those devices.

Does your device have a typical bootloader like other android devices?

Is the bootloader unlocked?

If it is locked, can it be unlocked?

Does the device use fastboot or does it have a flash mode that is used with a specific PC flashtool?

If it is unlocked or if you can unlock it and it has a flash mode that can actually be used, you might be able to port a custom recovery from one of the devices you named then use that recovery to somehow root the device. If the device can't install android apps then it would probably involve using adb to root the device.


I DO NOT PROVIDE HELP IN PM, KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE
Jailbreaking is the process of modifying any electronic device in order to remove restrictions imposed by a manufacturer (Apple) or operator (to allow the installation of unauthorized software).

Rooting is the act of gaining access to the root account of a device (such as a smartphone or computer).

There is a huge difference between the two. You can't just say that rooting is Android's version of jailbreaking. Not accurate in the least.

https://www.androidpit.com/jailbreak-android

Sent from my SM-G928T using Tapatalk
 
  • Like
Reactions: Droidriven

Droidriven

Senior Member
Jan 27, 2014
14,918
1
5,183
NC
Verizon Samsung Galaxy S III
HTC Thunderbolt
Jailbreaking is the process of modifying any electronic device in order to remove restrictions imposed by a manufacturer (Apple) or operator (to allow the installation of unauthorized software).

Rooting is the act of gaining access to the root account of a device (such as a smartphone or computer).

There is a huge difference between the two. You can't just say that rooting is Android's version of jailbreaking. Not accurate in the least.

https://www.androidpit.com/jailbreak-android

Sent from my SM-G928T using Tapatalk
You're reading too much into what I said.

Basically, what I said was that jailbreaking isn't an android thing, it's an Apple thing(didn't say it was exclusively an Apple thing, just NOT an android thing). It applies to more than just Apple devices but on this website dedicated to mobile platforms, I'm only referring to its application in the mobile device world. For the mobile world it's pretty much only an Apple thing(still not exclusively but mostly so).

Then I said that in the android world it's called rooting(not exclusively an android thing, just NOT an Apple thing). And that jailbreaking and rooting aren't the same thing(this does not say that rooting is android's version of jailbreaking, that would imply that they are the same thing, I'm saying they aren't the same thing)

Basically, explaining what they "aren't", you explained what they "are".

I understand the difference, but thank you.


I DO NOT PROVIDE HELP IN PM, KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE
 
Last edited:
  • Like
Reactions: MarkBell

MarkBell

Senior Member
Nov 9, 2010
273
55
Murfreesboro, TN, USA
You're reading too much into what I said.

Basically, what I said was that jailbreaking isn't an android thing, it's an Apple thing(didn't say it was exclusively an Apple thing, just NOT an android thing). It applies to more than just Apple devices but on this website dedicated to mobile platforms, I'm only referring to its application in the mobile device world. For the mobile world it's pretty much only an Apple thing(still not exclusively but mostly so).

Then I said that in the android world it's called rooting(not exclusively an android thing, just NOT an Apple thing). And that jailbreaking and rooting aren't the same thing(this does not say that rooting is android's version of jailbreaking, that would imply that they are the same thing, I'm saying they aren't the same thing)

Basically, explaining what they "aren't", you explained what they "are".

I understand the difference, but thank you.


I DO NOT PROVIDE HELP IN PM, KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE
I tend to read too deeply into everything. It's the way I am. Lol.

Sent from my SM-G928T using Tapatalk
 
  • Like
Reactions: Droidriven

thisvip

New member
Apr 5, 2013
2
0
Could you please post some information about usb device? Just like PID & VID.
Do it like:
Connect DPT-RP1 to Linux, and then type this command 'lsusb'
P.S. Under Windows or MacOS system, you can find the information from system settings...
 

sartrism

Member
Oct 24, 2010
20
12
Cambridge
It is good to see some people have been interested in this thread.

So far, I realized that the hacker used a hardware hacking method. I actually obtained the hacked system apps from one of his customer. I guess he did sometihng like directly modifying eMMC to root and put "USBDeviceSwitcher.apk" to allow an usual USB connection. Since I don't want to take such risk, I decided to wait until the first firmware to see if there could be an indirect way to penetrate the system files. But if you want to analyze the hacked system, contact me.
 
  • Like
Reactions: Paderico

George Malas

Senior Member
Jan 13, 2016
52
9
It is good to see some people have been interested in this thread.

So far, I realized that the hacker used a hardware hacking method. I actually obtained the hacked system apps from one of his customer. I guess he did sometihng like directly modifying eMMC to root and put "USBDeviceSwitcher.apk" to allow an usual USB connection. Since I don't want to take such risk, I decided to wait until the first firmware to see if there could be an indirect way to penetrate the system files. But if you want to analyze the hacked system, contact me.
Does it have a web browser? Maybe you can utilize for example the Stagefright Exploit + DirtyC0W to get root.
 

mcplectrum

New member
Aug 25, 2017
1
1
I have found out some interesting stuff about the device with the help of the Digital Paper App.

The app is built using electron and there is a file: /Applications/Digital\ Paper\ App.app/Contents/Resources/app.asar
This file contains the electron javascript files, which handle all the communication with the device.
It can be extracted with: sudo asar extract app.asar output
(github_com/electron/asar)
This also requires node to be installed: with e.g. brew install node (changelog_com/posts/install-node-js-with-homebrew-on-os-x)

The app communicates with the device via Restlet-Framework/2.3.7 on port 8443 with tcp (no matter if it is the bluetooth, wifi or usb connection).
This is the only port that is open.

In the file: /Applications/Digital\ Paper\ App.app/Contents/Resources/output/node_modules/mw-error/lib/codeparams.js you can find all the relative paths, which are getting called during e.g. file transfer, firmware update and stuff.

Running the app and placing breakpoints reveals that before you can transfer files and stuff:
'/auth'
'/auth/nonce/'
are called in order to authenticate, which looks e.g. like url digitalpaper.local:8443/auth/nonce/1e9ee24d-6613-433a-9770-76b04333ac95
the last part of the call is the "client_id": "1e9ee24d-6613-433a-9770-76b04333ac95", which is retrieved via the url digitalpaper.local:8443/auth call.
digitalpaper.local:8443/auth/

Important:
In /Applications/Digital\ Paper\ App.app/Contents/Resources/output/lib/config.js
change the line
config.DEVBUILD = false;
to
config.DEVBUILD = true;


After you finished your modifications you have pack the output folder again:
sudo asar pack output app.asar

I did not have time to continue, but the following relative urls look promising (especially recovery_mode):

'/testmode/auth/nonce',
'/testmode/auth',
'/testmode/launch',
'/testmode/recovery_mode',
'/testmode/assets/{}',
 
  • Like
Reactions: jackie099

sartrism

Member
Oct 24, 2010
20
12
Cambridge
I have found out some interesting stuff about the device with the help of the Digital Paper App.

The app is built using electron and there is a file: /Applications/Digital\ Paper\ App.app/Contents/Resources/app.asar
This file contains the electron javascript files, which handle all the communication with the device.
It can be extracted with: sudo asar extract app.asar output
(github_com/electron/asar)
This also requires node to be installed: with e.g. brew install node (changelog_com/posts/install-node-js-with-homebrew-on-os-x)

The app communicates with the device via Restlet-Framework/2.3.7 on port 8443 with tcp (no matter if it is the bluetooth, wifi or usb connection).
This is the only port that is open.

In the file: /Applications/Digital\ Paper\ App.app/Contents/Resources/output/node_modules/mw-error/lib/codeparams.js you can find all the relative paths, which are getting called during e.g. file transfer, firmware update and stuff.

Running the app and placing breakpoints reveals that before you can transfer files and stuff:
'/auth'
'/auth/nonce/'
are called in order to authenticate, which looks e.g. like url digitalpaper.local:8443/auth/nonce/1e9ee24d-6613-433a-9770-76b04333ac95
the last part of the call is the "client_id": "1e9ee24d-6613-433a-9770-76b04333ac95", which is retrieved via the url digitalpaper.local:8443/auth call.
digitalpaper.local:8443/auth/

Important:
In /Applications/Digital\ Paper\ App.app/Contents/Resources/output/lib/config.js
change the line
config.DEVBUILD = false;
to
config.DEVBUILD = true;


After you finished your modifications you have pack the output folder again:
sudo asar pack output app.asar

I did not have time to continue, but the following relative urls look promising (especially recovery_mode):

'/testmode/auth/nonce',
'/testmode/auth',
'/testmode/launch',
'/testmode/recovery_mode',
'/testmode/assets/{}',

Hope you get some result from wifi side. I also realized they use the port 8443 but couldn't get further as you.

For whom trying to hack it, here is the link for the already 'hacked' system apps (including the original files) - that of the famous hacked RP1 video. Inside the subfolder S1, there are also the hacked system apps for DPT-S1 just in case.

https://www.dropbox.com/sh/dvtvokdzrgwjc83/AACXOJA-E56nUpUfiWUOzrM3a?dl=0
 

sartrism

Member
Oct 24, 2010
20
12
Cambridge
Does it have a web browser? Maybe you can utilize for example the Stagefright Exploit + DirtyC0W to get root.

The stock device has no web browser, no sd-card, no usb connection, and no typical system. I think SONY was haunted by some security issues maybe because they thought the major users are lawyers or very important people? lol
 
Last edited:

jess91

Senior Member
Nov 9, 2014
57
0
I am unable to help, but wanted to let you know I am definitely interested in and supportive of this. If this device can be unlocked as suggested in that one youtube video then I would buy it, despite the steep price.
 

Droidriven

Senior Member
Jan 27, 2014
14,918
1
5,183
NC
Verizon Samsung Galaxy S III
HTC Thunderbolt
I am unable to help, but wanted to let you know I am definitely interested in and supportive of this. If this device can be unlocked as suggested in that one youtube video then I would buy it, despite the steep price.
If you're interested and supportive of this then go buy one anyway and apply yourself to going forward figuring out how to get it done. Other than that, you're not supportive, you're just hopeful that someone figures it out and then you'll probably go get one.

DO NOT CONTACT ME VIA PM TO RECEIVE HELP, YOU WILL BE IGNORED. KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE
 

Paderico

Member
Sep 6, 2017
6
0
Hey guys,

I also recently got the RP1 and am also looking for ways to mod it. Big kudos and thanks to all of you for posting this! This alread is amazing. @sartrism: can you maybe give me a hint how to load the files on the rp1? Sorry if this might be a stupid question but I'm new to adroid and that stuff. :)
 

Paderico

Member
Sep 6, 2017
6
0
Hey guys,

I also recently got the RP1 and am also looking for ways to mod it. Big kudos and thanks to all of you for posting this! This alread is amazing. @sartrism: can you maybe give me a hint how to load the files on the rp1? Sorry if this might be a stupid question but I'm new to adroid and that stuff. :)

Just a little update from my side. I'm currently tryng to recreate the steps @mcplectrum was using. It seems that my RP1 also uses other ports. I tried to wireshark the USB and WiFi connection. By that I saw that often GET /registration/information is called for Host: localhost:58052. Moreover the first call is GET /register/serial_number also on port 5808. This was via USB.
Trying to trigger the /auth/ call via Telnet returns nothing unfortunately. But also the 8080 port is open. Trying to call digitalpaper.local:8443/auth/ returns nothing on firefox.

@mcplectrum: how did you get the client_id and what would one need that for?

I also tried to change the config.DEVBUILD to true but that seemed to change nothing at all.

So to sum up what we know:
The device is using some kind of android structure, the source code seems to use the uboot bootloader, all communication is done by a rest restlet framework. So actually there should be some kind of way to use the restlet framework to PUT or POST the modified files.
The other option would be directly flash the eMMC right? I would take the risk and just load it on my device and see what happens. Any hints on how to do that? :)
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 7
    Update (5/18/2019)

    Since the first tool was released, HappyZ has improved many features so I think I can just refer to

    * HappyZ's rooting guide: https://github.com/HappyZ/dpt-tools/wiki/The-Ultimate-Rooting-Guide
    - The only thing I want to add as Windows user is (because the guide is for Mac/Linux users) it gets much easier if you use Linux terminal like cygwin, and the port name should be something like COM# where # can be found in Device Manager by comparing before/after you attach the device.

    * HappyZ's upgrade guide: https://github.com/HappyZ/dpt-tools/wiki/The-Upgrade-Guide (Recommend to read this before/after you update the new firmware.)

    You may donate a cup of coffee to him there :) Thanks to all others who contributed a lot.

    --
    Update (12/02/2018) -- These are outdated.
    Finally we manage to root the device! Many thanks to all of your efforts.

    Just refer to HappyZ's well written guide: https://github.com/HappyZ/dpt-tools

    For whom have never used python like me (and probably using Windows):
    (1) Install Python 3 and add it to PATH.
    (2) Install MINGW64 and run scripts here instead of Powershell due to xxd issue if you are on Windows.
    (2) pip httpsig pyserial on bash.
    (3) Download HappyZ's dpt-tools and unzip.
    (4* this issue is fixed by HappZ)
    (5) Follow HappyZ's guide. You should execute dpt-tools.py in the folder you unzipped to use get-su-bin because of how the script is written.

    Some suggestions after rooting (let me know if you have better ideas):

    Here is my setup: install "E-ink Launcher" and "Multi action home button" using adb install.
    Use adb shell am start -a android.intent.action.MAIN to change the main launcher to your launcher.
    Then change the setting of Multi Action Home button (say, the height should be large to be visible in the bottom) and assign its function to be Home for click and Back for double-click.
    Whenever you want to use Sony's apps (these are good for pdf markup), just push the home button to open the pop-up menu.
    Otherwise, touch the Multi Action Home Button to access to other Android apps. So far I've never experience any crash.

    Yet more tips:
    Some complain fonts are too small after installing generic apps.
    adb shell wm density 320 changes your DPI by 2 times (160 is a default value.) EDIT: I found 200 is quite enough that does not distort Sony apps too much.
    My application is using "Tasker" to execute the above code when specific apps are open and execute wm density reset when the apps are closed.
    The reason why we cannot change the global DPI is sadly because it makes the default apps by Sony so awkward.
    Alternatively, I could successfully install Xposed to try App Settings but this app crashed.

    You can also install Gboard (but it has no hide button, so prepare with virtual back button) if you need another keyboard.

    Enjoy your DPT devices :)

    --
    Sony recently released a new digital paper device DPT-RP1, apparently using their own linux firmware but underlying on Android 5.1.1. Few weeks ago, some Chinese successfully hacked it to jailbreak for third-party apps (without changing the original firmware), but they don't share any information to sell those hacked devices. I'm willing to pay for it, but it is too risky to send my device to China so I'm trying to root it by myself.

    I don't know much about this world, but I found some information that might be helpful. It uses Marvell A140 IoT Processor a.k.a. PXA1908. There are two Android smartphones (as the same version 5.1.1) with this chip - Samsung Xcover 3 and Samsung Galaxy Grand Prime. Fortunately, they have been both rooted in the past here.

    Is this information really helpful to root my device? If so, is there any way to apply the previous methods to easily jailbreak DPT-RP1? I think the problem here is that it does not look like Android at all, so has no setting menu or developer tools. And not sure how to enter to the recovery mode since it only has two buttons - power/menu.

    I'd appreciate any help or advice. Thanks!
    5
    Hi everyone, and many thanks to the people who are putting lots of efforts into freeing the DPT-RP1 software.

    I am ready to hack my own device. However, I would like first to ask @shankerzhiwu if he/she could explain how the modified firmware was generated? Is there a source for it, that I could compile myself? Or is it just some manual edit of Sony's official firmware?

    Also, I would find it interesting if anyone has a particular tip on creating an OTG cable with the right configuration for this operation. I guess I could do it all by myself by following a tutorial, but I would find it reassuring if someone could share their experience about their own method of manufacturing the cable.

    Again, many thanks to everyone involved.

    About the OTG cable, I have no shortcut available. Pinout of micro usb plugs can be found on https://en.wikipedia.org/wiki/USB_(Physical)#Pinouts . The 7.87 k resistor should be soldered between ID(PIN 4) and GND(PIN 5). Alternately, you can also use a 7.5k resistor. Since such resistor value is beyond OTG standard, you have to do the solder work. For simplicity, a breakout board can be used like www.digikey.com/product-detail/en/sparkfun-electronics/BOB-10031/1568-1192-ND/5673778 . Moreover, you can also choose to only solder the resistor itself without a USB cable. If so, after the gray rect is shown on the screen, the OTG plug can be safely disconnected and a normal USB to micro USB cable can be used to connect the DPT to your computer.

    The detailed steps for entering diagnose mode are :

    1. Power off your DPT.
    2. Connect the OTG cable.
    2. Press and hold the Home button.
    3. With the Home button pressed, press and release the Power button.
    4. Continue holding the Home button. See if anything is shown on the screen.
    4.a. If "Welcome" screen shows, which means that the Home button is not detected pressed when booting, go back to step 1.
    4.b. If nothing is shown on the screen and the power LED is also not flashing, which means that you are too nervous to trigger the power button -- your DPT is not powered on at all, go back to step 3.
    4.c. if nothing is shown on the screen and the power LED keeps flashing, then the Home button can be released.
    5. Wait for about 12 seconds. See if anything is shown on the screen.
    5.a. If the screen flashes blank and the power LED stops flashing and turns off, which means that the id resistor is not soldered well (ill-connected or wrong value)., check your OTG cable and go back to step 2.
    5.b. if a gray rect is shown on the screen, the device is now in diagnose mode
    6. If a USB cable is not soldered with the micro USB plug, you can now unplug it and use a normal micro USB cable to connect the DPT with your computer.
    7. A USB modem device should now be detected on the computer. Use a serial terminal software to access the diagnose tty.
    5
    Rooted DPT-RP1

    I have kicked my DPT-RP1 into diagnose mode.

    The method is plugging an OTG cable whose ID pin is soldered with 7.87 k resistor to GND. Press and hold home button while the device is booting up. Finally you will get a gray rectangle at the center of the screen. On the computer, a USB modem device will be detected and a login tty will be on that tty.

    Now, the question arises that we need to crack the login password. The shadow hash is
    Code:
    $6$HtJrWqxU$gJtuFqZLU/tOwjrXY1dxLgh021mKpNlI4wOn8eEkiD3qj7Tb69.iKNh6KpzE6rotBaCGPH3PjYDKPbmHaaDCw1
    .

    Does anyone have any idea on that hash?

    h97Bo1b.jpg

    q6qSjnO.png

    Hi, all I have ROOTed my DPT-RP1 (in fact., my friend's). Here is a brief guide:

    Before rooting:

    1. Make a usb OTG cable described in the quoted post, aka. an OTG cable whose ID pin is soldered with 7.87 k resistor to GND.
    2. Make sure that you can reproduce the steps described in the quoted post and get a login tty.
    3. Press the reset button with a sim-ejector or so to put the device in normal mode. Don't worry, you won't lose your user data.
    4. Prepare dpt-rp1-py tool (https://github.com/janten/dpt-rp1-py), make sure you can communicate with your DPT with that tool.

    Rooting steps:

    1. Download the modified firmware. Sha256sum is 5b9a10201d1cf29fbb072ebbfed517d22ddc00f014aef3ee816e43c2932e3803.
    2. "Flash" the firmware into the device using `dptrp1 update`.
    3. After flashing, the device will complain that firmware upgrading has failed.
    4. Power off the device, and kick your device into diagnose mode. The password for root is set to `12345`
    5. Now you have FULL control over your own device. Do whatever you want.


    The download link for the modified firmware is https://gofile.io/?c=ezd8UX
    3
    Hi everyone, and many thanks to the people who are putting lots of efforts into freeing the DPT-RP1 software.

    I am ready to hack my own device. However, I would like first to ask @shankerzhiwu if he/she could explain how the modified firmware was generated? Is there a source for it, that I could compile myself? Or is it just some manual edit of Sony's official firmware?

    Also, I would find it interesting if anyone has a particular tip on creating an OTG cable with the right configuration for this operation. I guess I could do it all by myself by following a tutorial, but I would find it reassuring if someone could share their experience about their own method of manufacturing the cable.

    Again, many thanks to everyone involved.

    It is manually modified from official FactoryReset.pkg. You can find it at https://github.com/octavianx/Unpack-and-rebuild-the-DPT-RP1-upgrade-firmware

    By reading the `start_eufwupdater.sh`, you will know why my modified firmware works.

    WARNING: If anyone wants to run `start_eufwupdater.sh` or `start_eufwupdater2.sh` with my modified firmware on his/her own computer, please DO NOT run as root, or the system could be damaged.
    3
    Sorry, but I have no idea how to make such a package. What I can do is only write at most about 230 bytes to an arbitrary file. As a result, the best thing could be to override the file containing the password hash.

    BTW, There is no adbd available and it should be compiled and enabled by yourself.

    Hi, all
    Good news for guys who do not want to make the OTG cable! I made another firmware to remove the detection of the special id resistor. The download link is https://gofile.io/?c=NE6qV8 and the sha256sum is ce57b43fe59364724580908e967fa4d68eab608a457ad3a3a4a249cd009d3b1d.

    Use this firmware ONCE and ONLY ONCE, and the detection of the special id resistor will be removed. To enter diagnose mode, only pressing Home button is needed.

    WARNING: I recommend AGAINST the use of this firmware, because I did not test this firmware on a not-rooted device. If something unexpected happens, the firmware may do harm to your diagnose environment, which means including but not limited to:
    * your DPT may not be able do firmware upgrade anymore, or
    * your DPT may get stuck in diagnose mode and cannot boot normally.