Uncovering a 0-Click RCE in the SuperNote Nomad E-Ink Tablet(prizmlabs.io)
136 points by mbrown379 11 days ago | 10 comments
metaphor 8 days ago | parent | next [-]

The exploit struck me as exceptionally nasty given screen mirroring[1] is one of Supernote's attractive features.

Am I correct in understanding that the public debug key firmware signing faux pas was plugged in Chauvet 3.21.31 [2], while the unsolicited/unauthenticated P2P file transfer hole was plugged in the most recent Chauvet 3.23.32 [3]?

The changelog doesn't list any updates released circa December 2024, despite the disclosure timeline noting that Supernote "...plan[ned] to address the issues in the December update."

[1] https://support.supernote.com/en_US/Tools-Features/1791924-s...

[2] https://support.supernote.com/en_US/change-log/changelog-for...

  [System] Enhanced security for system upgrade verification.
[3] https://support.supernote.com/en_US/change-log/changelog-for...

  [Supernote Linking] Enhanced the security of transferring files through the Supernote Linking feature.
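As an added illustration of the principle behind the debug-key issue mentioned above (this is example code written for this thread, not Ratta's firmware code and not code from the linked write-up): an updater should accept an image only when its signature verifies under a pinned production key, so that a signature made with a separately published debug/test key is rejected even though it is internally valid. The image layout (payload followed by a 64-byte Ed25519 signature), both key pairs and the payload bytes are constructed here and are assumptions, not Supernote's real format or keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed image layout for this example: payload || 64-byte Ed25519 signature.
// Real update packages carry more metadata; this layout is an assumption.
const sigLen = ed25519.SignatureSize

// SignImage appends an Ed25519 signature over the payload (the build side).
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	out := append([]byte{}, payload...)
	return append(out, ed25519.Sign(priv, payload)...)
}

// VerifyFirmware accepts an image only if its signature verifies under one of
// the pinned production public keys. A signature that is valid under some
// other key (for instance a published debug/test key) is rejected, which is
// the check a device needs before it auto-installs an update.
func VerifyFirmware(image []byte, pinned []ed25519.PublicKey) ([]byte, error) {
	if len(image) < sigLen {
		return nil, errors.New("image shorter than a signature")
	}
	payload, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	for _, pub := range pinned {
		if ed25519.Verify(pub, payload, sig) {
			return payload, nil
		}
	}
	return nil, errors.New("signature not made by a pinned production key")
}

// Outcome records the four cases Demo exercises.
type Outcome struct {
	ProdAccepted      bool // image signed with the production key is accepted
	DebugRejected     bool // image signed with the (hypothetical) debug key is not
	TamperRejected    bool // production-signed image with a flipped byte is not
	TruncatedRejected bool // image too short to carry a signature is not
}

// Demo generates a production key pair and a separate debug key pair (both
// made here, not real Supernote keys), pins only the production key, and
// runs the four cases.
func Demo() Outcome {
	prodPub, prodPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, debugPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pinset := []ed25519.PublicKey{prodPub}

	payload := []byte("constructed firmware payload for the example")
	var o Outcome

	_, err = VerifyFirmware(SignImage(prodPriv, payload), pinset)
	o.ProdAccepted = err == nil

	// Valid signature, wrong (unpinned) key: must be rejected.
	_, err = VerifyFirmware(SignImage(debugPriv, payload), pinset)
	o.DebugRejected = err != nil

	// Production-signed image with one payload byte flipped: must be rejected.
	tampered := SignImage(prodPriv, payload)
	tampered[0] ^= 0x01
	_, err = VerifyFirmware(tampered, pinset)
	o.TamperRejected = err != nil

	// Too short to even contain a signature: must be rejected, not sliced past the end.
	_, err = VerifyFirmware(payload[:10], pinset)
	o.TruncatedRejected = err != nil
	return o
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The point of the pin set is that "the signature is cryptographically valid" is not the question; "is it valid under a key this device is allowed to trust" is. A debug key that ships in public firmware or tooling answers the first question for anyone who holds it.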
dash2 8 days ago | parent | prev | next [-]

I wondered at first if this would be CCP spyware, but it looks more like an honest mistake, given Ratta show all their code in cleartext.

I love my Supernote, it is a really well-designed alternative to the Remarkable.

VladVladikoff 9 days ago | parent | prev | next [-]

Nice work! The race condition was clever.

sylens 8 days ago | parent | prev | next [-]

This may be slightly off topic here, but can anyone attest to how easy (or difficult) it is to sync notes off a SuperNote to some other service? I like the idea of these E-Ink tablets, but was turned off from the Kindle Scribe as it seems there's no easy, consistent way to push those notes out of the Amazon Kindle ecosystem.

brickZA 8 days ago | parent [-]

Very easy, Google Drive and other cloud providers are supported natively. I sideloaded Syncthing instead. They also have their own cloud that is free to use AFAIK, but I don't use it.

wellthisisgreat 8 days ago | parent | prev | next [-]

On a separate note: Supernote makes absolutely amazing devices. I have an X5 and unfortunately can't justify getting the Nomad (X5 v2) since my older device runs just wonderfully.

self_awareness 8 days ago | parent | prev | next [-]

> Note that after a hotplug event, the user DOES get a prompt about an update. However, it is an opt-OUT prompt, meaning the update will install in 30 seconds unless "abort" is clicked.

I agree that calling it "0-click" is not a lie, but I also think it's a little bit dishonest.

metaphor 8 days ago | parent [-]

High probability the target interprets the prompt as a routine automatic update notification and does nothing.

It's not clear what would actually happen, but it also seems plausible that the hotplug event gets triggered by merely (un)plugging a USB-C charger while the folio is closed.

prox 8 days ago | parent [-]

I had this literally happen with a popular app from the Google Play Store. They sent an in-app notification that looked 100% like a routine update.

goreil 9 days ago | parent | prev [-]

Great Research!