Category: How To

Signal “desktop” on an Android Tablet

I’m all in on Android. I actually like Apple products just fine too, I’m composing this post on a M1 Macbook Pro. In the past I’ve toyed with lots of Apple hardware, like the 2nd generation iPod Touch. When Google released the G1 I was hooked, a phone with a keyboard? It’s like a tiny computer in your pocket that can also make phone calls.  Since then I’ve been through a lot of Android devices, both phones and tablets.

Privacy is also important to me, and Signal is a great match for my messaging needs. It has always bothered me that while you can get a very nice desktop experience linking your “primary device” (aka your phone) to your laptop, it wasn’t really possible to run Signal on an Android tablet as a linked device. The folks at Signal enabled the iPad as a linked device, but no love for Android tablets yet.

Recently I came across a solution. Molly.im. This allows my tablet to run a version of the Signal client (Molly) and be a linked device. While I almost never am far from my phone, sometimes I’m doing something on my tablet and switching devices is a pain. I also use the Note to Self to move data between devices (links, photos, files).

Molly is a fork of the Signal client code for Android. From a security point of view, it’s using the same Signal protocol – so your data is encrypted end to end. You do have to decide to ‘trust’ that the Molly code hasn’t been compromised in some way and will leak your data. This ‘trust’ is the same trust you are giving the folks that work on the Signal client code (or the desktop application). While it is a little uncomfortable to trust yet another group of people developing some code, we do this all the time with all of the apps we run on our devices. For me, this small risk is well worth the utility of having a linked Signal client on my tablet.

Avoid Device Linking

While it may be tempting to link your Signal account to your desktop device for convenience, keep in mind that this extends your trust to an additional and potentially less secure operating system.

If your threat model calls for it, avoid linking your Signal account to a desktop device to reduce your attack surface.

The good news for me, is my threat model doesn’t cause me to be concerned about having my devices linked and spreading my private communication across multiple devices that I own. Still, this is a decision everyone should think through.

Getting setup with Molly is very easy. You start by installing F-Droid, an alternative app store for Android. This is an apk download and install, you’ll likely need to approve/enable the installation of ‘side-loaded’ content on your device.

Once you have F-Droid installed, open the app. Let it do the first time setup where it will update the various repositories. This process will probably prompt you for some additional permissions, you’ll probably want to permit them as you do want this new ‘app store’ to install more apps, and alert you when there are updates. It’s always good to pause and think about the permissions being asked for, but F-Droid is a well known application.

Now we need to configure the Molly application repository. While F-Droid comes with a built in ‘store’ of content, it also supports adding additional content sources. Go to the Molly webpage, and click on the Molly F-Droid repository. This will configure F-Droid so that it can see the Molly application. There are two versions of Molly, the FOSS one removes some of the Google integration and may be less compatible with the original Signal app – let’s pick the non-FOSS version.

At this point, it should be just like installing any application – but instead of using the Google Play store, you’re going to use F-Droid to install Molly.

Molly can act as a primary Signal installation, or as a linked device. Assuming you were able to install Molly on your device, let’s walk through the simple steps to get you linked to your existing Signal account.

When you launch Molly for the first time you will be prompted to choose additional database encryption. This is a security trade off, being asked each time to unlock the database may be annoying, but it will give you better security if your device is compromised.

Next we see the normal Signal launch screen.

We can just hit “Continue” here to move to the next screen.

This is where you can choose how many Android capabilities you want to grant the Molly app. I’ll leave this up to personal choice, I didn’t give it permission to my Contacts, but granted the others. Both Signal and Molly are good about using very limited permissions.

Next is the registration screen. While we could set this device up as a primary Signal device and link a phone number, we don’t want to do that in this case. Do not enter a phone number here. The “Link to existing device” option in the lower left is what we want to do. This will make this device act just like the ‘desktop’ version of Signal.

Here we get to give this device a name. Pressing the “Link” button will display a QR-Code we can scan from our primary device and connect the two. The Signal documentation talks about linked devices, but with Molly we bypass the limitation of multiple mobile devices.

That’s it, now enjoy Signal on your tablet via Molly.

pOwn your IoT – OpenBeken

If you buy something, you expect to own it – this means being able to decide what it’s doing or not doing. If you can’t open it, you don’t own it. I think this is really important when we consider IoT devices that you add to your home. You should have 100% control over your light switches, not be reliant on some company to allow you to manage them.

In the past I’ve used Tasmota to replace the firmware in some commodity devices with good success. I wanted a new light switch and found the Martin Jerry S01 switch, so I ordered one. Unfortunately when it arrived, I opened it up and discovered the control module was no longer an ESP 8266 – but a Tyua CB3S device.

Some searching turned up the OpenBeken project. This is an open firmware that supports a number of Tuya devices. It appears to be possibly inspired by Tasmota which I found attractive, but the fact that there was a way to run open firmware on this device was the big draw.

Let me back up a little. Opening the MJ-S01 is quite easy. I used a putty spatula (thin metal blade) to pry the side clips. There are 4 clips, two per side.

Once you’ve got the clips released, you can easily remove the switch plate. There is a metal grounding plate you’ll have to un-hook from the switch plate. There is a cable with a 3 pin connector to separate the switch plate from the base, this is optional but makes it easier to work with the switch plate that has the controller.

I went further and removed the screws holding the circuit board to the switch plate in order to see the other side where the CB3S is attached. In the picture above you can see the blue circuit board in the middle. You don’t need to do this extra disassembly as the row of 6 pads exposes the right pins we want to work with.

In order to flash new firmware, I need to find and connect 4 pins: 3.3v, GND, TX, and RX. To identify these I referenced the Tuya documentation on this module which listed the pin outs on the module. Using my multi-meter to check connectivity, I was able to map the pin outs on the module to the pads on the circuit board.

Now it’s a simple matter of heating up the soldering iron and hooking up some wires to these pads.

A bit ugly, but it works. Now I can test that I’ve got things correct by hooking up just 3.3v and GND. Success! When I power on the device this way I get the expected blinking LED, and I can long-press the button to enter setup mode. Getting the stock firmware into AP (access point) mode – I see the expected “Smart_XXXX” access point become available to my laptop WiFi.

Next we get to experience the adventure of setting up the application on Windows. I’m going to gloss over this because it’s both a bit complicated and also my experience is likely to be different than yours. We are trying to get the GUI based flash tool installed. I needed to install some .net framework, and tell Windows it was ok to run this un-trusted application. I was lucky that my USB<->serial dongle was recognized by Windows and showed up as COM6.

Assuming you are able to run the app, get your serial connection sorted out, and provide 3.3v power to the device – we are very close to being able to get things going. One note: I connected the TX of my serial device to the RX of the CB3S board, and RX to TX. Crossing the connection seemed to work for me.

There is quite a bit to unpack from the image above. First you can see that my Serial UART was correctly detected and setup as COM6. I expect your configuration here will be different, and I hope it works easily for you but USB serial devices and windows can be frustrating.

The second key thing is to pick the right “chip type”. The CB3S contains a BK7231N, thus I selected that from the list of supported chips. I suggest you then “Download latest from Web” which in my case upgraded me from version 606 to version 670.

At this point everything seemed OK, but I wanted to proceed cautiously. The CB3S apparently enters programming state upon power on. I had this all hooked up, and tried “Do firmware backup (read) only”. This just worked for me, and I was greeted with the screen capture I took above showing “Reading success!” – so I knew now that I had at least all of the right connections made. The other thing that reading the firmware did was give the tool something to parse and discover the Tuya settings, this data appeared in a second dialog box and provided a JSON payload for me to save away.

Now we need to be brave and flash the latest version of the open firmware. This time it seemed to get stuck trying to enter programming mode and I needed to very (very) briefly disconnect/reconnect power to reset it. This worked great and I held my breath while it flashed.

I had not checked off the box “Automatically configure OBK on flash write” so once it was flashed, I then did a second operation of “Write only OBK config” to write the discovered values (that JSON payload). I didn’t need to configure anything, the tool had already initialized the values internally after the firmware backup step.

In theory, I have the original firmware downloaded to my machine in case I want to revert. If you care about this, maybe track down that file and save it. I personally don’t think I’d ever go back.

One more power cycle, and I’m very happy to see a WiFi access point appear named “OpenBK76231N_XXXXX”. Connecting my laptop to this I’m able to visit the IP address of the gateway (http://192.168.4.1) and am greeted by a very Tasmota looking web page to configure the device.

Now I can remove my patch wires from the solder pads, re-assemble the device and test that things still work end-to-end (they do). While there are similarities to Tasmota, things are quite different. There isn’t a built in timer facility which I was hoping for, but it turns out that via some simple scripting I can program in a timer schedule. You can even change the built in web UI via scripting which is pretty cool.

There is also very nice Home Assistant integration built in. The CB3S controller appears to be more snappy than the Tasmota ESP-8266 based devices I have, so while this device wasn’t what I expected when I ordered it – with a bit of work it seems I’m in a pretty good place.

Footnote: There is a forum which seems fairly active on the OpenBK firmware and various supported devices.

Generating SSH key pairs

Despite having had some excitement recently, SSH continues to be both the utility and a protocol that I use heavily every day. I will also have to shout out to mosh which is a must have overlay, if you aren’t using it – stop reading this now and go get mosh.

Not often, but every once in a while I find myself needing to generate a new key pair for use with SSH. GitHub has one of the best articles on doing this, but it’s not quite what I want. I find myself having to re-think the small differences I want to make each time, clearly time to write up what I do so I can just visit this post when I need to generate a key.

Yup, that’s it. In the directory you run this there will be two files generated. The private key is basename, and the public key is basename.pub. I’m also a fan of the .ssh/config file which you may want to adopt, this makes it easy to have different keys for different systems.

Breaking down the creation command. We are generating a key using the Ed25519 algorithm, most modern systems will support this. Next up we see that we are adding a comment, I find this useful to identify what the public key is for. Last is the filename(s) we want the output written to.

You’ll see that comments often have no whitespace in them, if you want to be risk adverse avoid using spaces and use dashes or something.