“Derek” posted up a comment yesterday:

I have a EKEN M001, which will not unlock the screen by pressing MENU.

I have tried reseting the EKEN M001 by pressing the Reset button on the back ofthe MID, but te screen stays unlocked.

The top of the screen says: “Demo Version” when the GUI appears, does this need a Operating System update. If so, hpw can this be done.

Short Answer

I think your tablet has failed its internal licensing check. Try to return it to the retailer that you bought it from. If you now connect it to the internet, it will “phone home” to a company in Shenzhen, China.

EDIT: Before you give up try connecting to the internet for a while and leave it connected. It seems like sometimes “phoning home” will verify that it’s a legit install and then the message will go away.

Long Answer

This is a coincidence, because just yesterday I was looking at the decompiled Eken libraries posted to slatedroid by ‘bushing’. Hidden in there is licensing code that verifies the Eken is running on genuine hardware. I think it works like this:

  • The Eken has a serial number loaded into its CPU (a WMT system parameter in the SoC.)
  • The serial number maps to the hardware (MAC) address of the onboard wireless adapter.
  • At startup, the Eken loads the serial number and compares it with the serial number it calculates from the wireless adapter.
  • If they do not match, it locks and throws up “Demo Purpose Only” (possibly “Demo version has expired” on the latest firmware.) It will also continually try to “phone home” with some details about the device (see below.)

I think all of this is to prevent someone putting their firmware into another device, unlicensed. The code is obfuscated (intentionally hidden in the source) in the hope that a casual shanzhai observer will miss it.

From looking around the internet, it looks like quite a few devices are turning up brand new with “Demo Purpose Only”. The only easy thing to do is to return it to the retailer that you bought it from.

It is possible some retailers are selling fake or refurbished units (maybe they swapped the WiFi unit or the CPU daughterboard out.) In other cases like this, it looks like units may be shipping from Eken with invalid serial numbers (poor quality control?) Finally, in cases like this it seems that temporary problems with the WiFi may trigger this behaviour for a while, then it fixes itself.

Eken Phone Home

I found it quite surprising that the unit tries to phone home if it thinks its license is invalid. It phones home with 3 details:

  • A username & password which is decoded from the file /data/wmtpref/custkey (in the firmware itself.)
  • The MAC address of the wireless adapter

… the very odd thing is that the unit does not phone home to Eken. It phones home to a company called Aiteer, who are also based in Shenzhen but do not seem to have any published relationship with Eken. Aiteer’s web site doesn’t say anything about software development, but I can only guess that they did the firmware development for Eken and possibly related MID/tablet devices using the WM8505 chipset.

Other Thoughts

It’s odd that the firmware locks the user out and tries to phone home, because if the user is locked out then it’s unlikely that they’re going to be able to connect to the internet. Maybe I missed a detail in my reverse-engineering, and the lockout only kicks in every few minutes or something.

Although “phoning home” is pretty common, software phoning home without the knowledge or consent of the user is less common and is often regarded as unethical. I’m glad that in this case no personal information is being sent back, but clearly we’re at the mercy of the manufacturers in this regard. Unlike mainstream manufacturers, companies like Eken have no corporate presence outside of their factory in China – in other countries, the laws that protect consumers are effectively powerless. If you hypothetically did find out that an unscrupulous shanzhai was stealing your personal details, there is no real recourse you could take.

The license check code was obfuscated in the library (libui.so in this case) so that a casual observer would not see it. For example, nothing unusual showed up when I ran ‘strings’ the other day. However, a tiny bit more reverse-engineering shows up a helper method calling base64_decode to decode each of the string constants related to the license check.

The code used to decode the username & password from the customer key, as well as the code used to calculate the serial number, are both trivially simple and anyone with some C programming knowledge can decipher them from the decompiled dump in an hour or two. For this reason, I think that the manufacturers only put in this protection to avoid casual copying of their firmware into another product – anyone serious about ripping them off could spend a couple of hours and generate their own serial numbers, and disable the “phone home” feature, without needing to modify the binary code at all.

Because the serial number is tied to the MAC, I don’t think anyone will be able to replace the WiFi module at all – even though you own the product.

It bothers me a lot that Eken are going to lengths to protect the tiny amount of proprietary code in their product, while not doing anything to fulfill either the legal obligations or the spirit of the substantial open source parts of the product. It bothers me doubly so now that they’ve locked out the root serial console in the latest (1.7.4) firmware release. How do they think that this helps their product?

32 thoughts on “Eken M001 Protection, Phone Home & “Demo Purpose Only”

  1. Hi

    I installed it and work fine with youtube but the annoying message appeared in the middle of device with black background ” Demo Version has been expired ” . So when i open videos or youtube files i can see them well this message come in front of videos.

    plz help me to delete this message or at least return it to previous setting.
    previously the message ” Demo purpose only ” appeared in the top left corner but now in the middle with black background

    thanks in advanced

    Regatds

  2. Hey Angelus,

    Sorry mate – like it says in the blog post this is baked into Eken’s version of Android. Your device has failed its licensing check – either it’s a knockoff or their QA screwed up. Either way, if I were you I’d try to send it back to the place you bought it from.

    I think the difference between the message in the corner and in the centre may be one of two things though – either it’s the difference between 1.7.2 and 1.7.4, or it may be that’s what happens after it has successfully “phoned home” – so if you stop it connecting to the net then that might help. If it’s the second one then let me know, there might be a way to stop that happening.

    Good luck,

    Angus

  3. Hello Angus,

    The difference is certainly between 1.7.2 and 1.7.4. I haven’t experienced any kind of lock-out and the tablet is usable even with the big box saying “Demo version has expired”. I’m pretty sure I have a genuine Eken M001 so I’ll try to contact them and make them fix the problem, since it’s their fault. Any help regarding bypassing this serial number checking would be greatly appreciated, though, because I doubt the guys at Eken will help (they barely answer anything).

    Thanks

  4. By the way, the second case you mention about temporary problems with the wifi card relates to a different piece of hardware, a Moonse M70003, so maybe they’ve found a way to bypass the check or the check is crappy and works at random.

  5. Djiraan,

    Thanks for reporting back.

    It would certainly be possible to write a piece of software that generated the right serial number and poked it into the CPUs onboard list of properties, but it’s also a bit unethical – even though there are legitimate uses you are then obviously bypassing a copy protection mechanism.(*)

    I posted the link about the M70003 because I think it’s possible that Aiteer, or some other middleware company, have licensed this software to more manufacturers than just Eken. Legit or not, the licensing system still has a fundamental flaw – if the wireless adapter doesn’t appear for any reason (mechanical failure, electrical failure, temporary driver problem) then the licensing check will fail. I don’t know which models are legit or not, really.

    It is possible that a shanzai manufacturer could have slipped a little shim app into the firmware that writes back a “correct” serial number, though.

    Good luck getting it fixed. I’d expect the original reseller is your best bet.

    – Angus

  6. Hey guys, please help! I accidentally set the password pattern one night while I was drunk lol believe it or not. And I can not remember what I set it to s d now I can not unlock it for the life of me! How do I unlock it or erase thebossseord I set? Thanks!

  7. Solution for Demo version has expired.Change your date settings to past years.Demo version has expired pop up go away but still show demo purpose only top left corner.But when u turn on your wireless updated your date automatically so just turn off your wireless and change date before turn back on your M7003 or EKEN devices.

  8. hey agnus, I was wondering what you might be able to tell me about this code. It’s very greek to me. I found a site that shows how to spoof a mac address on an android phone, I’m wondering if you are able to decipher what it allows as a valid mac address so that I might try to spoof it. This “protection” that they put in is both illegal and annoying.
    Anyway, here is the site: http://androidforums.com/tips-tricks-incredible/78668-how-spoof-mac-address.html
    I’m determined to get this thing off my device.
    Thanks for taking time out of your day to help me!

  9. Spoofing the MAC address won’t work unless you have a serial number loaded that matches the MAC.

    I’m sorry but I’m not interested in helping you. Even though I sympathize with all the people wrongly affected, the correct course of action is getting a refund and spending your money on a tablet with better QA. A program to remove the message is tantamount to a crack, even though it’s a poorly executed copy protection system it is still a copy protection system, and they are well within their rights to have it. I don’t like it any better than you do, though.

    Sorry I can’t be of more assistance.

    – Angus

  10. I have a M7003 and had the “Demo Purpose Only” update to 1.7.4 and get this “Demo Version Expired” that is a lot worst:
    This is ridiculous!
    I tried the method changing the date but didnt work at all!
    Now I’ll be glad to go back to the first problem.
    Any idea ?
    Saler dont answer!

    Thank you very much

  11. They are not within their rights to do it. They are breaking the GPL.
    And the date thing only worked for me if I set the date back by one year and then kept the wireless off. The new solution i’

  12. eric – yes, it seems like they stepped up the copy protection in 1.7.4. Maybe just roll back to 1..2?

    goat – sorry but you’re wrong. Although Eken _are_ currently violating GPL, this copy protection mechanism is in the Android source and Android is not GPL licensed – they’re allowed to change it however they want.

    There is light on the horizon, though. I got told by a VIA representative this morning that there will be a proper GPL source release, which will eventually let the community put together a proper free Android distribution for the tablet. Without Eken’s modifications.

  13. I have few days trying to roll back to 1.7.2 but cannot as I dont have any script modified for the hard keys
    I try to modify myself the Eken M001 scriptcmd (the script folder is the same as M001 1.7.2) with some modifications for the M7003 :
    setenv hibernation_ui yes
    setenv touchirq gpio5
    setenv battvoltlist 6830,7086,7310,7503,7575,7636,7720,7861,7953,8018,8190
    setenv gpiostate 1
    setenv kpadid wms8088b_14
    setenv gpiostate 3
    setenv panelres.x 800
    setenv panelres.y 480
    setenv basevolt 3300

    but I am stuck as the tablet dont launch the script.
    I have 3 days working on it and nothing.
    It looks all is the same as M001 but something is wrong when I use mkimage for windows and create sriptcmd no result on using it
    It looks I have a problem with “notepad++” oe “e” that dont work for that!
    I really dont know anymore.

    Any Idea to help me

  14. I finally get my M001 working!
    It was trying to connect some crappy license server which was not working (!) and therefore didn’t get a license:
    http://152.104.165.12/customer_req_api.asp?user=EKEN&pwd=009EKEN&systemid=0000000000 [wlan-id] did response only with “Error:No enough android license now!”. Today I try to surf there with firefox browser and found that they had finally got that server up, and it responded “OK:dfjdshgfkadgfkjsdaf” [some license key data]. Even after that it required me to update firmware to Vestinious to device redo license check. After that it finally worked!

    So my advice is to fix this problem is to first check with any internet browser that license server is up and have licenses. Only after that you should flash a new firmware (and flash again and again and again) to make it work.

  15. I bought one last night from a guy on Cragslist , he had a WiFi client on him & showed me the MID got online after I woke up I turned the Android on and it said the Demo has Expired , I hit menu & now in Red it say’s “Demo Purpose Only” what can I do , the guy shut his phone off & i,m out $140.00 for the slate :( QC

    • Charlie, try updating to a more recent firmware for your model. Reports of “Demo Purpose Only” seem to have disappeared lately, I think maybe (if you’re lucky) it’s been turned off in the newer firmwares.

Leave a Reply

Your email address will not be published. Required fields are marked *