https://wiki.asteroidos.org/api.php?action=feedcontributions&feedformat=atom&user=Kevin+KoflerAsteroidOS - User contributions [en]2026-06-16T18:02:28ZUser contributionsMediaWiki 1.39.8https://wiki.asteroidos.org/index.php?title=IP_Connection&diff=688IP Connection2025-08-10T18:33:09Z<p>Kevin Kofler: /* Paranoid Kernels */ Fix a small grammar error / typo I made.</p>
<hr />
<div>Configuring an IP connection on your watch has to be done manually until a GUI settings option is available. On watches that support WLAN, you can enable Wi-Fi and configure the connection using <code>connmanctl</code> like described below. Forwarding IP requests to a connected PC via USB is another option, explained in the second paragraph.<br />
<br />
By default, there is no <code>root</code> or <code>ceres</code> password, and no firewall rules. (However, on some watches, the kernel has the <code>CONFIG_ANDROID_PARANOID_NETWORK</code> kernel option enabled, see below.) A password can be set using the passwd command.<br />
<br />
= IP over WLAN (WiFi) =<br />
Connect to your watch using <code>ssh root@192.168.2.15</code> or <code>adb shell</code>.<br />
<br />
<pre><br />
# connmanctl<br />
connmanctl> enable wifi<br />
connmanctl> scan wifi<br />
connmanctl> services<br />
connmanctl> agent on<br />
connmanctl> connect wifi_CODE-FOR-YOUR-SSID<br />
connmanctl> quit<br />
</pre><br />
<br />
Check whether an IP address has been assigned to the watch using <code>ip a show dev wlan0</code> or <code>ifconfig wlan0</code>.<br />
<br />
Note that activated WLAN consumes additional power. Currently, it is recommended to disable the function after use. <code>connmanctl disable wifi</code> is used to disable Wi-Fi and power off WLAN temporarily. <code>connmanctl enable wifi</code> activates WLAN again and connects to the last used Wi-Fi network.<br />
<br />
Some more documentation on connman can be found on [https://wiki.archlinux.org/index.php/ConnMan#Connecting_to_a_protected_access_point ArchWiki].<br />
<br />
= IP over USB =<br />
It is possible to allow your watch to be able to use your Linux computer's internet connection via a USB connection. You will need:<br />
<br />
# A Linux computer with RNDIS support loaded and enabled<br />
# The ability to change network configurations on that computer<br />
# A network connection<br />
<br />
This works by using the RNDIS driver to allow the USB device to appear to be a network interface. RNDIS stands for "Remote Network Driver Interface Specification" and was a proprietary protocol from Microsoft. It is supported in Linux by the <code>rndis_host</code> driver. This driver may either be compiled into the kernel, or more typically provided as an optional module. If you're not sure, you can try this <code>lsmod</code> to see if it's loaded on your computer.<br />
<br />
<pre><br />
lsmod | grep ndis<br />
rndis_host 24576 0<br />
cdc_ether 24576 1 rndis_host<br />
usbnet 61440 2 rndis_host,cdc_ether<br />
</pre><br />
<br />
If it isn't you might be able to use <code>modprobe rndis_host</code> (with root privileges) to install the module.<br />
<br />
Once the <code>rndis_host</code> is installed and running, you can enable Network Address Translation (NAT) to allow your Linux computer to share it's internet IP address with the watch. To configure a NAT '''on your computer''' (Note: Replace eth0 with the name of the interface that connects your computer to the Internet) with:<br />
<br />
<pre>echo 1 > /proc/sys/net/ipv4/ip_forward</pre><br />
<pre>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</pre><br />
<br />
Here again, you might need root privileges for those commands, depending on how your computer is configured.<br />
<br />
Configure a default gateway and DNS '''on the watch''' with the following commands ran via [[SSH]] as the root user:<br />
<br />
<pre>route add default gw 192.168.2.1</pre><br />
<pre>echo "nameserver 8.8.8.8" >> /etc/resolv.conf</pre><br />
<br />
Note that this assumes that your computer's IP address on RNDIS is 192.168.2.1, which is the default, but if you have multiple watches, or have plugged and unplugged the same watch a few times, it might be different. To make sure, on the watch, you can type <code>who</code> and it will reply with something like this:<br />
<br />
<code><br />
root pts/0 00:01 Jun 9 08:06:24 192.168.2.2<br />
</code><br />
<br />
In this particular case, the address shown is 192.168.2.2, so the first command listed above would be <code>route add default gw 192.168.2.2</code>.<br />
<br />
= Paranoid Kernels =<br />
On some watch models (e.g., <code>lenok</code>), the kernel shipped with AsteroidOS is compiled with the Android-specific <code>CONFIG_ANDROID_PARANOID_NETWORK</code> kernel option enabled. That option enforces non-standard restrictions on networking, based on hardcoded group IDs (GIDs):<br />
* GID 3003 is the <code>inet</code> group, allowing to create <code>AF_INET</code> and <code>AF_INET6</code> sockets,<br />
* GID 3004 is the <code>net_raw</code> group, allowing to create raw INET sockets.<br />
<br />
Only <code>root</code> and members of the groups with those magic GIDs are allowed to perform the described actions. In particular, by default, the <code>ceres</code> user is '''not'''.<br />
<br />
Therefore, in order to be able to access the network as <code>ceres</code> (e.g., for <code>asteroid-weatherfetch</code> to work), SSH into your watch as <code>root</code> (or use <code>adb shell</code>) and run the following 2 commands:<br />
<pre><br />
groupadd -g 3003 -U root,ceres inet<br />
groupadd -g 3004 -U root,ceres net_raw<br />
</pre><br />
These create the two magic groups with the same name and GID as on Android and add both <code>root</code> and <code>ceres</code> to them. Then reboot your watch, because only newly started sessions will pick up the new group memberships.</div>Kevin Koflerhttps://wiki.asteroidos.org/index.php?title=IP_Connection&diff=687IP Connection2025-08-10T00:53:23Z<p>Kevin Kofler: Document CONFIG_ANDROID_PARANOID_NETWORK restrictions.</p>
<hr />
<div>Configuring an IP connection on your watch has to be done manually until a GUI settings option is available. On watches that support WLAN, you can enable Wi-Fi and configure the connection using <code>connmanctl</code> like described below. Forwarding IP requests to a connected PC via USB is another option, explained in the second paragraph.<br />
<br />
By default, there is no <code>root</code> or <code>ceres</code> password, and no firewall rules. (However, on some watches, the kernel has the <code>CONFIG_ANDROID_PARANOID_NETWORK</code> kernel option enabled, see below.) A password can be set using the passwd command.<br />
<br />
= IP over WLAN (WiFi) =<br />
Connect to your watch using <code>ssh root@192.168.2.15</code> or <code>adb shell</code>.<br />
<br />
<pre><br />
# connmanctl<br />
connmanctl> enable wifi<br />
connmanctl> scan wifi<br />
connmanctl> services<br />
connmanctl> agent on<br />
connmanctl> connect wifi_CODE-FOR-YOUR-SSID<br />
connmanctl> quit<br />
</pre><br />
<br />
Check whether an IP address has been assigned to the watch using <code>ip a show dev wlan0</code> or <code>ifconfig wlan0</code>.<br />
<br />
Note that activated WLAN consumes additional power. Currently, it is recommended to disable the function after use. <code>connmanctl disable wifi</code> is used to disable Wi-Fi and power off WLAN temporarily. <code>connmanctl enable wifi</code> activates WLAN again and connects to the last used Wi-Fi network.<br />
<br />
Some more documentation on connman can be found on [https://wiki.archlinux.org/index.php/ConnMan#Connecting_to_a_protected_access_point ArchWiki].<br />
<br />
= IP over USB =<br />
It is possible to allow your watch to be able to use your Linux computer's internet connection via a USB connection. You will need:<br />
<br />
# A Linux computer with RNDIS support loaded and enabled<br />
# The ability to change network configurations on that computer<br />
# A network connection<br />
<br />
This works by using the RNDIS driver to allow the USB device to appear to be a network interface. RNDIS stands for "Remote Network Driver Interface Specification" and was a proprietary protocol from Microsoft. It is supported in Linux by the <code>rndis_host</code> driver. This driver may either be compiled into the kernel, or more typically provided as an optional module. If you're not sure, you can try this <code>lsmod</code> to see if it's loaded on your computer.<br />
<br />
<pre><br />
lsmod | grep ndis<br />
rndis_host 24576 0<br />
cdc_ether 24576 1 rndis_host<br />
usbnet 61440 2 rndis_host,cdc_ether<br />
</pre><br />
<br />
If it isn't you might be able to use <code>modprobe rndis_host</code> (with root privileges) to install the module.<br />
<br />
Once the <code>rndis_host</code> is installed and running, you can enable Network Address Translation (NAT) to allow your Linux computer to share it's internet IP address with the watch. To configure a NAT '''on your computer''' (Note: Replace eth0 with the name of the interface that connects your computer to the Internet) with:<br />
<br />
<pre>echo 1 > /proc/sys/net/ipv4/ip_forward</pre><br />
<pre>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</pre><br />
<br />
Here again, you might need root privileges for those commands, depending on how your computer is configured.<br />
<br />
Configure a default gateway and DNS '''on the watch''' with the following commands ran via [[SSH]] as the root user:<br />
<br />
<pre>route add default gw 192.168.2.1</pre><br />
<pre>echo "nameserver 8.8.8.8" >> /etc/resolv.conf</pre><br />
<br />
Note that this assumes that your computer's IP address on RNDIS is 192.168.2.1, which is the default, but if you have multiple watches, or have plugged and unplugged the same watch a few times, it might be different. To make sure, on the watch, you can type <code>who</code> and it will reply with something like this:<br />
<br />
<code><br />
root pts/0 00:01 Jun 9 08:06:24 192.168.2.2<br />
</code><br />
<br />
In this particular case, the address shown is 192.168.2.2, so the first command listed above would be <code>route add default gw 192.168.2.2</code>.<br />
<br />
= Paranoid Kernels =<br />
On some watch models (e.g., <code>lenok</code>), the kernel shipped with AsteroidOS is compiled with the Android-specific <code>CONFIG_ANDROID_PARANOID_NETWORK</code> kernel option enabled. That option enforces non-standard restrictions on networking, based on hardcoded group IDs (GIDs):<br />
* GID 3003 is the <code>inet</code> group, allowing to create <code>AF_INET</code> and <code>AF_INET6</code> sockets,<br />
* GID 3004 is the <code>net_raw</code> group, allowing to create raw INET sockets.<br />
<br />
Only <code>root</code> and members of the groups with those magic GIDs are allowed to perform the described actions. In particular, by default, the <code>ceres</code> user is '''not'''.<br />
<br />
Therefore, in order to be able to access the network as <code>ceres</code> (e.g., for <code>asteroid-weatherfetch</code> to work), SSH into your watch as <code>root</code> (or use <code>adb shell</code>) and run the following 2 commands:<br />
<pre><br />
groupadd -g 3003 -U root,ceres inet<br />
groupadd -g 3004 -U root,ceres net_raw<br />
</pre><br />
These create the two magic groups with the same name and GID as on Android and adds both <code>root</code> and <code>ceres</code> to them. Then reboot your watch, because only newly started sessions will pick up the new group memberships.</div>Kevin Kofler