metaphor 3 days ago

The exploit struck me as exceptionally nasty given screen mirroring[1] is one of Supernote's attractive features.

Am I correct in understanding that the public debug key firmware signing faux pas was plugged in Chauvet 3.21.31 [2], while the unsolicited/unauthenticated P2P file transfer hole was plugged in the most recent Chauvet 3.23.32 [3]?

The changelog doesn't list any updates released circa December 2024 despite disclosure timeline noting that Supernote "...plan[ned] to address the issues in the December update."

[1] https://support.supernote.com/en_US/Tools-Features/1791924-s...

[2] https://support.supernote.com/en_US/change-log/changelog-for...

  [System] Enhanced security for system upgrade verification.

[3] https://support.supernote.com/en_US/change-log/changelog-for...

  [Supernote Linking] Enhanced the security of transferring files through the Supernote Linking feature.

dash2 3 days ago

I wondered at first if this would be CCP spyware, but it looks more like an honest mistake, given Ratta show all their code in cleartext.

I love my Supernote, it is a really well-designed alternative to the Remarkable.

VladVladikoff 3 days ago

Nice work! The race condition was clever.

sylens 2 days ago

This may be slightly off topic here, but can anyone attest to how easy (or difficult) it is to sync notes off a SuperNote to some other service? I like the idea of these E-Ink tablets, but was turned off from the Kindle Scribe as it seems there's no easy, consistent way to push those notes out of the Amazon Kindle ecosystem.

  • brickZA 2 days ago

    Very easy, Google Drive and other cloud providers supported natively. I sideloaded SyncThing instead. They also have their own cloud that is free to use AFAIK, but I don't use it.

wellthisisgreat 2 days ago

On a separate note - Supernote makes absolutely amazing devices. I have x5 and unfortunately can't justify getting Nomad (x5 v2) since my older device runs just wonderfully.

self_awareness 3 days ago

> Note that after a hotplug event, the user DOES get a prompt about an update. However, it is an opt-OUT prompt, meaning the update will install in 30 seconds unless "abort" is clicked.

I agree that calling it "0-click" is not a lie, but I also think it's a little bit dishonest.

  • metaphor 3 days ago

    High probability the target interprets prompt as routine automatic update notification and does nothing.

    It's not clear what would actually happen, but it also seems plausible that the hotplug event gets triggered by merely (un)plugging a USB-C charger while folio is closed.

    • prox 3 days ago

      I had this literally happen with a popular app from the Google Play Store. They sent an in-app notification and it looked 100% like a routine update.

goreil 3 days ago

Great Research!