"Derek" posted up a comment yesterday:

I have a EKEN M001, which will not unlock the screen by pressing MENU.

I have tried reseting the EKEN M001 by pressing the Reset button on the back ofthe MID, but te screen stays unlocked.

The top of the screen says: “Demo Version� when the GUI appears, does this need a Operating System update. If so, hpw can this be done.

Short Answer

I think your tablet has failed its internal licensing check. Try to return it to the retailer that you bought it from. If you now connect it to the internet, it will "phone home" to a company in Shenzhen, China.

EDIT: Before you give up try connecting to the internet for a while and leave it connected. It seems like sometimes "phoning home" will verify that it's a legit install and then the message will go away.

Long Answer

This is a coincidence, because just yesterday I was looking at the decompiled Eken libraries posted to slatedroid by 'bushing'. Hidden in there is licensing code that verifies the Eken is running on genuine hardware. I think it works like this:

  • The Eken has a serial number loaded into its CPU (a WMT system parameter in the SoC.)
  • The serial number maps to the hardware (MAC) address of the onboard wireless adapter.
  • At startup, the Eken loads the serial number and compares it with the serial number it calculates from the wireless adapter.
  • If they do not match, it locks and throws up "Demo Purpose Only" (possibly "Demo version has expired" on the latest firmware.) It will also continually try to "phone home" with some details about the device (see below.)

I think all of this is to prevent someone putting their firmware into another device, unlicensed. The code is obfuscated (intentionally hidden in the source) in the hope that a casual shanzhai observer will miss it.

From looking around the internet, it looks like quite a few devices are turning up brand new with "Demo Purpose Only". The only easy thing to do is to return it to the retailer that you bought it from.

It is possible some retailers are selling fake or refurbished units (maybe they swapped the WiFi unit or the CPU daughterboard out.) In other cases like this, it looks like units may be shipping from Eken with invalid serial numbers (poor quality control?) Finally, in cases like this it seems that temporary problems with the WiFi may trigger this behaviour for a while, then it fixes itself.

Eken Phone Home

I found it quite surprising that the unit tries to phone home if it thinks its license is invalid. It phones home with 3 details:

  • A username & password which is decoded from the file /data/wmtpref/custkey (in the firmware itself.)
  • The MAC address of the wireless adapter
</p>

... the very odd thing is that the unit does not phone home to Eken. It phones home to a company called Aiteer, who are also based in Shenzhen but do not seem to have any published relationship with Eken. Aiteer's web site doesn't say anything about software development, but I can only guess that they did the firmware development for Eken and possibly related MID/tablet devices using the WM8505 chipset.

Other Thoughts

It's odd that the firmware locks the user out and tries to phone home, because if the user is locked out then it's unlikely that they're going to be able to connect to the internet. Maybe I missed a detail in my reverse-engineering, and the lockout only kicks in every few minutes or something.

Although "phoning home" is pretty common, software phoning home without the knowledge or consent of the user is less common and is often regarded as unethical. I'm glad that in this case no personal information is being sent back, but clearly we're at the mercy of the manufacturers in this regard. Unlike mainstream manufacturers, companies like Eken have no corporate presence outside of their factory in China - in other countries, the laws that protect consumers are effectively powerless. If you hypothetically did find out that an unscrupulous shanzhai was stealing your personal details, there is no real recourse you could take.

The license check code was obfuscated in the library (libui.so in this case) so that a casual observer would not see it. For example, nothing unusual showed up when I ran 'strings' the other day. However, a tiny bit more reverse-engineering shows up a helper method calling base64_decode to decode each of the string constants related to the license check.

The code used to decode the username & password from the customer key, as well as the code used to calculate the serial number, are both trivially simple and anyone with some C programming knowledge can decipher them from the decompiled dump in an hour or two. For this reason, I think that the manufacturers only put in this protection to avoid casual copying of their firmware into another product - anyone serious about ripping them off could spend a couple of hours and generate their own serial numbers, and disable the "phone home" feature, without needing to modify the binary code at all.

Because the serial number is tied to the MAC, I don't think anyone will be able to replace the WiFi module at all - even though you own the product.

It bothers me a lot that Eken are going to lengths to protect the tiny amount of proprietary code in their product, while not doing anything to fulfill either the legal obligations or the spirit of the substantial open source parts of the product. It bothers me doubly so now that they've locked out the root serial console in the latest (1.7.4) firmware release. How do they think that this helps their product?

Thoughts on “Eken M001 Protection, Phone Home & "Demo Purpose Only"