You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I just received my RM2 and am looking forward to get hacking!
The first excuse came up quicker than expected, however. I have a very long and complicated WiFi password which contains the backtick character which does not appear on the RM2 keyboard. I have other devices without regular input methods for which I usually just copy a known-good wpa_supplicant or NetworkManager config file, but it appears that the RM2 maintains it's own network list in /home/root/.config/remarkable/xochitl.conf in the section [wifinetworks].
The encoding scheme seems a bit odd. Some parts are obvious, including that the key is the SSID (with uri encoding, if necessary) and that @Variant() declares an array or hash. It also appears that the characters are largely encoded in 2 byte words, including two null bytes as some sort of delimiter. Given that most of the characters are ASCII, we can largely drop the leading null byte also. My first instinct was just to enter my password with the backtick substituted for a different chackter, then just edit this file using vim from the CLI and put the backtick back. This did not work however. I tried it escaped, unescaped, and as a hex character, but it was unable to connect regardless.
So I looked into the encoding a bit further. There are a few anomalies from the simple understanding above. First, it appears that most ASCII values are only printed as hex if they are themselves in the hex range (In the example above, the password is abcdefghijklmnopqrstuvwxyz0123456789 and you can see that a == \0\x61 while g == \0g). If I substitute a bunch of special characters in the password, it gets encoded with most being plain (like the g) with a handful just being an escaped version (eg \0\\ for \). So one of my variants seemingly should have worked.
With that all of the knowledge so far, I wanted to understand the data better, so I made a script to try to decode it for analysis. (This script is written in Perl and should require no dependencies on almost any Unix-like system, not including the RM2 itself):
#!/usr/bin/perl
my $old = shift || undef;
if ($old) {
my ($ssid, $vars) = $old =~ m/([^=]+)=\@Variant\(([^\)]*)\)/;
eval {
require URI::Escape;
$ssid = URI::Escape::uri_unescape($ssid);
};
my (@v) = $vars =~ m/(?:(?:\\0\\0)(.+?)(?:(?=\\0\\0)|$))/g;
print("SSID = $ssid\n");
my $i = 0;
#print("$_".( $i++%2 == 0 ? ' = ' : "\n" )) foreach (@v);
my $key;
foreach my $var (@v) {
my $tmp = '';
foreach (split(/\\/, $var)) {
next unless ($_);
$_ =~ s/^0//g;
if (my ($hex) = $_ =~ m/^x([0-9a-f]{1,2})/) {
$tmp .= chr(hex($hex));
} else {
$tmp .= $_;
}
}
# These two conditions are required in order to get sensible key value pairs
if ($tmp eq 'n') {
print STDERR "Skipping '\\n'\n";
next();
}
if ($tmp eq chr(1)) {
print STDERR "Skipping '\\x1'\n";
next();
}
if (!defined($key)) {
$key = "$tmp ($var)";
} else {
print("$key => '$tmp' ($var)\n");
$key = undef;
}
}
}
It takes an existing entry like the one above and tries to decode it to key-value pairs. I would then hope to create a script which can take the same string and produce the same encoded string in reverse. Here's what it produces so far:
There are still a few outstanding questions before I can reproduce an encoded string. First, there are a couple of patterns I need to ignore to get a sensible list of key-value pairs, as commented. Without those, the pairs get offset and the password value ends up dangling as a key with no value.
Other than that, there is a mysterious leading H in the password value. This is where I'm stuck at the moment. I wrote another script which converts the raw ASCII password into this odd encoding, but even if I restart xochitl, the connection does not work. The best I can think to do right now is to just brute force that check-bit. Since it still appears to be one byte, that means it's only going to be 255 options, but it will still take a while.
So, this post is largely to ask for help to see if anyone has encountered this encoding scheme, but also just a fun exploration of the device.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
Hello all,
I just received my RM2 and am looking forward to get hacking!
The first excuse came up quicker than expected, however. I have a very long and complicated WiFi password which contains the backtick character which does not appear on the RM2 keyboard. I have other devices without regular input methods for which I usually just copy a known-good wpa_supplicant or NetworkManager config file, but it appears that the RM2 maintains it's own network list in
/home/root/.config/remarkable/xochitl.conf
in the section[wifinetworks]
.The encoding scheme seems a bit odd. Some parts are obvious, including that the key is the SSID (with uri encoding, if necessary) and that
@Variant()
declares an array or hash. It also appears that the characters are largely encoded in 2 byte words, including two null bytes as some sort of delimiter. Given that most of the characters are ASCII, we can largely drop the leading null byte also. My first instinct was just to enter my password with the backtick substituted for a different chackter, then just edit this file usingvim
from the CLI and put the backtick back. This did not work however. I tried it escaped, unescaped, and as a hex character, but it was unable to connect regardless.So I looked into the encoding a bit further. There are a few anomalies from the simple understanding above. First, it appears that most ASCII values are only printed as hex if they are themselves in the hex range (In the example above, the password is
abcdefghijklmnopqrstuvwxyz0123456789
and you can see thata
==\0\x61
whileg
==\0g
). If I substitute a bunch of special characters in the password, it gets encoded with most being plain (like theg
) with a handful just being an escaped version (eg\0\\
for\
). So one of my variants seemingly should have worked.With that all of the knowledge so far, I wanted to understand the data better, so I made a script to try to decode it for analysis. (This script is written in Perl and should require no dependencies on almost any Unix-like system, not including the RM2 itself):
It takes an existing entry like the one above and tries to decode it to key-value pairs. I would then hope to create a script which can take the same string and produce the same encoded string in reverse. Here's what it produces so far:
There are still a few outstanding questions before I can reproduce an encoded string. First, there are a couple of patterns I need to ignore to get a sensible list of key-value pairs, as commented. Without those, the pairs get offset and the password value ends up dangling as a key with no value.
Other than that, there is a mysterious leading
H
in the password value. This is where I'm stuck at the moment. I wrote another script which converts the raw ASCII password into this odd encoding, but even if I restartxochitl
, the connection does not work. The best I can think to do right now is to just brute force that check-bit. Since it still appears to be one byte, that means it's only going to be 255 options, but it will still take a while.So, this post is largely to ask for help to see if anyone has encountered this encoding scheme, but also just a fun exploration of the device.
Beta Was this translation helpful? Give feedback.
All reactions