This is a short guide to spark some commotion. What makes it possible is built-in and not disabled support for USB HID.
I’m not going to go into specifics of how to format USB drive, and why installing APK from the internet on your phone is a bad idea if you don’t know what you doing. Everything described is for experiments only and you accept all responsibility for breaking things.
Thanks to the opensource nature of the Android for making this possible.
What is needed
Option 1
Bluetooth Keyboard
Any USB keyboard, can be wireless but with dongle. I’ve tried Logitech - works.
Any USB keyboard, can be wireless but with dongle. I’ve tried logitech - works.
Computer where you can download apk files.
USB Drive formatted in fat32 to transfer the apk files
Short list of useful keyboard shortcuts - these are standard Android shorcuts. You can look them up.
Shortcut
Action
META+N
Open Notifications
TAB
Cycle through UI elements
ENTER
Select UI Element
META+BACKSPACE
Go to Previous Screen (Go Back or Return)
META
Go to HOME screen (start default launcher)
How to
Option 1
Bluetooth keyboard and USB Stick
Connect the USB keyboard of your choice to the USB-A port (same where you plug in USB drive).
On the keyboard, press Meta (WIN, MENU) + N - notification bar will appear.
Use TAB to select GEAR icon (settings).
Hit Enter - you will open settings this way.
With your finger, you can now tap on the screen and select Bluetooth and make sure it is on (right top corner)
Your Bluetooth keyboard now can be paired with android. Turn on pairing mode on the keyboard and swipe down in bluetooth devices to select your keyboard to pair with. After completing the pairing - disconnect USB keyboard.
Connect the USB Drive with F-Droid Repository APK
Go to settings again and select storage.
If USB Drive is recognized, it will appear in the available storage list - select it.
Select your F-Droid.apk
System will complain about security and installing apk from unknown sources - allow the installation.
After F-Droid is installed - hit OPEN and don’t close it.
Following is the list of apps I recommend installing before you can close the F-Droid.
Pie Launcher is needed to access installed apps - you would have to make it a default launcher for this, so when you press META - you can access the app menu. From there you can start FAB app - this is you default UI for making the snapmaker make something wonderful.
File manager - just nice to have if you want to get files in and out, like screen recordings. I used ScreenCam for this (you have to manually give it permissions for it to function).
You can use APK Extractor to get apk files - I tried installing FAB on my phone but it crashed. You can digg into APK Source code…
(On your computer) Download the apk file for f-droid to the USB stick
(Now to the snapmaker) Plug in USB wired keyboard
Hit Winkey (or command on Mac keyboard)+N to show notifications
Click the gear to get into settings
Click about phone
Tap the build number 7 times to enable developer options
Go back into settings (winkey+backspace)
Go to developer options and enable “install apps from unknown sources” there.
Winkey+N for notifications again and drag it down to expand
Unplug the keyboard
Plug in the USB drive
A notification will show to explore the drive, click it
Find f-droid APK and install it
Click open after the app is installed
Unplug USB stick and plug in keyboard again
Let repositories update
Install pie launcher from f-droid
Press winkey+home and set pie launcher as the default
Launch f-droid and install VirtualSoftKeys (no spaces when searching)
Set up the permissions for VirtualSoftKeys, you’ll need to use winkey+backspace on the keyboard to go back to the soft keys app
Now you can unplug the keyboard
Go home with soft keys (drag up from the bottom of the screen)
Launch settings app
Go to languages and input
Go to physical keyboard
Enable “show virtual keyboard”
And now you’re set, clicking into text fields will bring up the keyboard like a normal android device, and you can swipe up from the bottom to access the navigation buttons.
List of 3rd party applications that work
F-Droid - Alternative to google play. Google play service are not availible yet for this device.
Pie Launcher - Launcher to access all the apps installed.
do you know what the single greatest thing about this is?
i installed a VNC server and i can control my printer remotely from my phone or pc. i no longer really need octoprint, but playing with it the last few days has been incredibly fun…
Question: I think @jbot suspected that they got malware on their touchscreen-Android. And of course the security level of the Android is desasterous - prone to being attacked. However - I wonder: How would such an attack happen, if your Snapmaker is behind a firewall? And every internet router nowadays has a firewall, unless you disable it. So, even if the Android exposes vulnerabilities to the network: How to exploit them? The touchscreen itself will only actively connect to the Snapmaker sites for updates. So how would malware get to the device behind a firewall?
Firewall only as good as the person who sets it up. There is still a number of attacks directed to a particular firmware bug, that doesn’t care what firewall is there. Like recent d-link story - if you own any d-link device - disconnect and replace it with a good brand.
But this is hard’er to do. Good old - I go check out sketchy websites type of thing is still a king. Especially when you work in the environment with admin rights not protected (like windows with default user used having the admin rights to the system) - in this case it just a matter of time. The only border between infected and not infected - is how careful you are. But this is a time variable. It will happen. In this case, the bad stuff is already behind the firewall. The worst case was I think when you didn’t even have to open anything, it was just a link to a file on your desktop in windows. You literally just needed to look at it and it would elevate the privilages in the system to admin and infect the PC. Big story, still searchable I belive. Bad actor didn’t have to do anything “illegal” to make that link. Using pirated software… Another popular thing to get infected by. Say you got yourself copy of a photoshop, from “high sea”, that thing brought a trojan horse that scans your internal network from behind firewall, finds an old unpatched android, thinking it’s a phone with bank apps - imagine the rest.
Plus all the traffic masquerading technics and going through ports 433 (HTTPS) or 80 (HTTP), sometimes 22 (SSH) if it’s for some reason open. These are usually open on firewalls, you just need something on the inside that is vulnerable to a particular request.
Getting into old Android devices - this is why I mentioned in the beginning - not to install random APK from the internet. And I only use F-Droid (or couple other sources) for my APKs. But you don’t have to. Snapmaker device responds to pings, I didn’t run full Wireshark on it, but I bet there is a ton of interesting stuff that goes through.
VLANs - divide and conquer - everyone should have a router with vlan capability and separate their network for safe/notsafe devices…
All you say is right to some extent, but IMHO does not apply to the Android screen of the Snapmaker. You just do not surf the web with your printer’s touchscreen, you do not read your email there, you do not install apps at random. That the device is open/answers to ping is true in your home network, but not with respect to the internet. The normal, stateful firewall will just not accept a ping from the internet to traverse into your home network, and even if, all higher level protocols will be blocked from the outside. So unless the device itself initiates a connection to the outside, there’s just no route to your device for attackers.
All this breaks down of course if you have an infected device in your home network that spreads its malware, or if you indeed install actively some stupid software to the touchscreen. Or, taking your D-Link example, your firewall is crap. But this might be a problem even for an up-to-date Android.
So don’t get me wrong - I’d love to have the touchscreen on a decent security level, but admittedly I do not freak out that it does not. I do let it connect to the internet to get software updates from Snapmaker.
I may indeed put it on a dedicated VLAN - that’s to protect it from my other devices and vice versa. But as of now, I could not find the energy for that
But in the end my question was: Is there a specific, targeted scenario which you think the Touchscreen is prone to and that is likely to happen, even if you do not do stupid things?
The device is free to access the internet whenever it wants. I can initiate a firmware update check myself but I’ve no idea if it accesses the internet at any other time.
I initially connected it on the isolated ‘Guest’ wifi side of my router, but, of course, it was unable to communicate with my PC and Luban. Now the SM machine is on the same network as my PC and all other trusted devices, so it has access to my PC and the outside world via that route too.
I hope the freak out part isn’t coming from me, I don’t Freaking out isn’t good for mental health.
But being chill about it and being prepared are two different things…
Gosh, now I sound like a member of a prep community. I’m not, I promise. I just did a ton of IT work.
To answer this question in a way that would make practical sense - we would have to go and comb through known vulnarablilities at cve.org and similar. Emphasis on known. Most of those indeed not aplicable here because they are targeting phone specific environment (but we do have sms app). And need a specifically crafted file.
But there are some that exploit built in functions.
That is actually a good idea - you can distribute a firmware compiled with malicious code - that could go through regular safety checks but would pull something in later on and do the bad thing.
I admit that I am still not fully convinced that we have a huge issue here - All the interactions that make the touchscreen prone to get malware are not happening, unless you actively do funny things on the device or have another compromised device in your network. I attach my touchscreen controller to my network not via WiFi, but via USB-to-Ethernet adapter (copper cable), and this adapter has a traffic LED. Whenever I stand beside my machine, I can see how very little traffic is happening.
Still to get away from gut feelings and get some hard data, I consider switching on firewall/traffic logging for the touchscreen and see where it calls home to… If I have success here, I’ll share results!
And again, do not get me wrong: I do think it makes sense to take precautions, but honestly I do not see a reason currently not to allow the touchscreen internet access. Perhaps, when my traffic analysis was good, I’ll narrow down the access to a few addresses on the internet for Updates. Problem usually is (at least with my firewall) that I cannot base the rule on a hostname, but only on IP, and IPs tend to change - especially in cloud times.
it took the age of bitcoin to think that computer crunching isn’t free. for a threat surface on a device the first thought is how bad does the world want or need control of a device and how much the world is willing to pay in time, energy and money to get it. i wouldn’t put a hole in my network to expose the SM webserver to the outside world, so it would take a lot of effort to find it. then do what? since this couldn’t pay for itself in anyway you would think the attack is for personal reasons of revenge more than a state actor.
the android device has the same issue as any other interactive computer. you should be mindful of what you click and download, but that’s about it. no email, no social, no sms, it would be the user that starts the malware.
now about exposing a web server. once you’ve exposed your web server to the world the world will notice. every time ive exposed a local web server to the net, i would have a few days of not much. then for months i would get a LOT of attention from bots from china and russia. since my systems were REST systems i just sent back an OK for everything i didn’t understand. but still the traffic was awful and cost me bandwidth. nobody ever DID anything to my systems but i still paid for their attempts.
OK, did switch on some logging on my firewall to see what the touchscreen does. Here’s what I figured out:
On boot:
It asks DNS for connectivitycheck.gstatic.com and establishes a port 80 TCP web connection → Standard Andoid check for internet connectivity
It asks DNS for www.google.com and establishes a port 443 TCP https connection → Not sure for what - may be second connectivity check or looking for updates
It asks DNS for asia.pool.ntp.org and establishes a UDP port 123 connection → NTP to get current time.
It asks DNS for xtrapath2.xtrageo.xtracloud.cn and establishes a port 80 TCP web connection → This is owned by Qualcomm (manufacturer of the SoC the touchscreen runs on and who provided the Android base system most likely) - so another check for system updates?
It asks DNS for izattime.qcomgeo2.com and does another NTP → Again time - why? Again owned by Quallcomm.
And that’s it. After this it sits quiet. Doing nothing. For now more than 15 minutes. I guess I’ve never seen a network participant so quiet
When I click on “Check for Updates” it gets DNS entry for api.snapmaker.com and establishes a TCP 443 https connection.
Nothing strikes me as problematic.
To @wilsonrobertt 's point on exposing a web server: I 100% agree, but even if the touchscreen exposes a server (and it does! That’s what we use to send files to etc.), it is a local thing. To have this visible from the internet, you’d need to actively configure a NAT rule. Even if you’d switch off your firewall, the local server would not be accessible from the internet, unless your home network uses public IPs (which only people will do that understand enough of IT and networking to know not to run without firewall ).
.