Blackbox testing should not be concerned with any details of how the public API is implemented. It is only concerned with testing the behaviour inferrable from the publically visible information.
Whitebox testing is using your knowledge of implementation details to make calls to the public API that triggers certain behaviour of the implementation.
For example, if you have a sort method, you can test it using unsorted data (blackbox testing). If you know it is implemented using quicksort, you can add test cases that cover the different boundary cases for splitting the data into sortable partitions, explicitly testing that boundary checking logic (whitebox testing).
Likewise, if you have a public API that is returning an interface, blackbox testing will only assume that there is one implementation of that, as you don’t know if there are more than one implementation. With whitebox testing, you can see where other implementations are returned, and call the public API to ensure that you are covering those different implementations in your tests.
In your case: what calls do you need to make to the public API to have the package-protected members called? What effects does that have on information accessible to the public API?