Doc changes & security fixes

Ember
2026-02-20 19:43:52 -08:00
parent 25a0527fd6
commit 9aaad190e2
7 changed files with 60 additions and 3 deletions
+2
@@ -1,3 +1,4 @@
use std::net::IpAddr;
use std::path::Path;
use std::sync::Arc;
use std::time::Duration;
@@ -244,6 +245,7 @@ impl WifiClient {
let resolv = self
.dns_servers
.iter()
.filter(|s| s.parse::<IpAddr>().is_ok())
.map(|s| format!("nameserver {s}"))
.collect::<Vec<_>>()
.join("\n")
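Review bot: The new `.filter(|s| s.parse::<IpAddr>().is_ok())` drops unparseable entries with no log or error, so when every configured server is rejected `resolv` ends up as an empty string with no `nameserver` line at all. Log each rejected entry and fall back to the default servers when the filtered list is empty, or reject bad entries at the point the config is saved. An entry with surrounding whitespace also fails the parse as written; trimming before both the `parse` and the `format!` would accept it without letting the whitespace through.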
+22
@@ -21,4 +21,26 @@ Through web UI you can set:
- *Low Battery*, which will alert when the device's battery is low. Notifications may not be supported for all devices—you can check if your device is supported by looking at whether the battery level indicator is functioning on the System Information section of the Rayhunter UI.
- With **Analyzer Heuristic Settings** you can switch on or off built-in [Rayhunter heuristics](heuristics.md). Some heuristics are experimental or can trigger a lot of false positive warnings in some networks (our tests have shown that some heuristics have different behavior in US or European networks). In that case you can decide whether you would like to have the heuristics that trigger a lot of false positives on or off. Please note that we are constantly improving and adding new heuristics, so a new release may reduce false positives in existing heuristics as well.
## WiFi Client Mode
On the **Orbic** and **Moxee**, Rayhunter can connect the device to an existing WiFi network while keeping the hotspot running. This gives the device internet access for [notifications](https://docs.ntfy.sh/) and lets you reach the web UI from any device on that network.
- **Enable WiFi** turns WiFi client mode on or off. Disabling it does not erase saved credentials.
- **Scan** searches for nearby networks. Select one from the dropdown, or type an SSID manually.
- **Password** is required for WPA/WPA2 networks. The password is stored separately from `config.toml` (in `wpa_sta.conf` on the device) and is never exposed through the API.
- **DNS Servers** lets you override the DNS servers used when connected. Defaults to `8.8.8.8` and `1.1.1.1` if not set.
After saving, the connection status will show **connecting**, **connected** (with the assigned IP address), or **failed** (with an error message). If the connection fails, check that the SSID and password are correct and that the network is in range.
You can also configure WiFi during installation:
```sh
./installer orbic --admin-password 'mypassword' --wifi-ssid 'MyNetwork' --wifi-password 'networkpass'
```
## Device Security
- **Restrict outbound traffic** limits what the device can send over the network. When enabled, only DNS, DHCP, and HTTPS traffic is allowed; everything else is blocked. This is enabled by default and prevents the device from phoning home to the carrier over cellular. If you need to allow additional ports (for example, port 80 for HTTP or port 22 for SSH), add them to the **Additional allowed ports** list.
- **Block OTA update daemons** prevents Verizon's `dmclient` and `upgrade` services from running and checking for updates. This is a runtime-only change that reverts on reboot. If you disable this option after it was enabled, a reboot is required for the daemons to start again.
If you prefer editing `config.toml` file, you need to obtain a shell on your [Orbic](./orbic.md#obtaining-a-shell) or [TP-Link](./tplink-m7350.md#obtaining-a-shell) device and edit the file manually. You can view the [default configuration file on GitHub](https://github.com/EFForg/rayhunter/blob/main/dist/config.toml.in).
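Review bot: The **DNS Servers** bullet does not say that entries must be IP addresses, while the `WifiClient` change in this same commit discards anything that does not parse as `IpAddr`. Add a sentence such as "Entries must be IPv4 or IPv6 addresses; other values are ignored" so that a hostname typed into this field does not fail without explanation.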
+8
@@ -50,6 +50,14 @@ reboot
See `/data/usb/boot_hsusb_composition` for a list of USB modes and Android USB gadget settings.
### How do I connect my Orbic to an existing WiFi network?
The Orbic (and Moxee) can connect to a nearby WiFi network while still running its own hotspot. This gives the device internet access for ntfy notifications and lets you reach the web UI from your home network. See [WiFi Client Mode](./configuration.md#wifi-client-mode) in the configuration guide for setup instructions. You can also pass `--wifi-ssid` and `--wifi-password` to the installer.
### WiFi client mode is connected but I can't reach the internet
Check that the **DNS Servers** field in the config has valid entries (the default is `8.8.8.8` and `1.1.1.1`). If your home network and the device hotspot use the same subnet (for example, both are on `192.168.1.x`), try restarting the daemon by saving the config again from the web UI.
### How do I disable the WiFi hotspot on the Orbic RC400L?
To disable both WiFi bands, [first obtain a shell](./orbic.md#shell), then:
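Review bot: In the "connected but I can't reach the internet" answer, the same-subnet case is given a fix (saving the config again to restart the daemon) without saying why a restart resolves an address overlap between the hotspot and the home network. State what the restart changes, or tell the reader what to do if the overlap persists afterwards, for example moving one of the two networks to a different subnet.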
+3
@@ -44,6 +44,9 @@ Make sure you've got one of Rayhunter's [supported devices](./supported-devices.
# Note: the arguments --admin-username 'myusername' and --admin-ip 'mydeviceip'
# may be required if different from the default.
# Optionally configure WiFi client mode during install (Orbic and Moxee only):
./installer orbic --admin-password 'mypassword' --wifi-ssid 'MyNetwork' --wifi-password 'networkpass'
# Or install over USB if you want ADB and a root shell (not recommended for most users)
./installer orbic-usb
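Review bot: The added example passes `--wifi-password 'networkpass'` as a command-line argument, which leaves the WiFi passphrase in shell history and visible in the process list while the installer runs. Add a comment line saying so, and point readers who want to avoid it to the web UI's WiFi settings, where the password can be entered after install.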
+4
@@ -22,6 +22,10 @@ pay more than 30 USD for such a device (without shipping).
| Wifi 5Ghz | a/ac/ax |
| Wifi 6 | 🮱 |
## WiFi client mode
The Orbic's QCA6174 radio supports running the hotspot and connecting to an external WiFi network at the same time. See [WiFi Client Mode](./configuration.md#wifi-client-mode) for setup.
## Two kinds of installers
The orbic's installation routine underwent many different changes:
+2
@@ -19,6 +19,8 @@ You can access this UI in one of two ways:
On the **Orbic**, you can find the WiFi network password by going to the Orbic's menu > 2.4 GHz WIFI Info > Enter > find the 8-character password next to the lock 🔒 icon.
On the **TP-Link**, you can find the WiFi network password by going to the TP-Link's menu > Advanced > Wireless > Basic Settings.
If [WiFi client mode](./configuration.md#wifi-client-mode) is enabled (Orbic and Moxee only), you can also reach the web UI from any device on that network at `http://<device-ip>:8080`.
* **Connect over USB (Orbic):** Connect your device to your laptop via USB. Run `adb forward tcp:8080 tcp:8080`, then visit <http://localhost:8080>.
* For this you will need to install the Android Debug Bridge (ADB) on your computer, you can copy the version that was downloaded inside the `releases/platform-tools/` folder to somewhere else in your path or you can install it manually.
* You can find instructions for doing so on your platform [here](https://www.xda-developers.com/install-adb-windows-macos-linux/#how-to-set-up-adb-on-your-computer), (don't worry about instructions for installing it on a phone/device yet).
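Review bot: The new sentence gives `http://<device-ip>:8080` as reachable from any device on the joined network but does not say that this is plain HTTP offered to every host on that network. Add a line telling readers to enable WiFi client mode only on networks they trust, and state whether the UI asks for credentials when reached this way.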
+19 -3
@@ -43,11 +43,17 @@ pub enum Device {
Moxee,
}
fn escape_wpa_value(s: &str) -> String {
s.replace('\\', "\\\\")
.replace('"', "\\\"")
.replace(['\n', '\r'], "")
}
/// Generate a wpa_supplicant configuration file from an SSID and password.
/// Escapes backslashes and double quotes in both fields.
/// Escapes backslashes and double quotes, strips newlines from both fields.
pub fn format_wpa_conf(ssid: &str, password: &str) -> String {
let ssid = ssid.replace('\\', "\\\\").replace('"', "\\\"");
let password = password.replace('\\', "\\\\").replace('"', "\\\"");
let ssid = escape_wpa_value(ssid);
let password = escape_wpa_value(password);
format!(
"ctrl_interface=/var/run/wpa_supplicant\nnetwork={{\n ssid=\"{ssid}\"\n psk=\"{password}\"\n key_mgmt=WPA-PSK\n}}\n"
)
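Review bot: `escape_wpa_value` removes `\n` and `\r` silently, so an SSID or passphrase containing either is written as a different value and the user only sees a failed connection with no hint that the input was altered. Have `format_wpa_conf` return an error for input containing these characters instead of rewriting it, and extend the check to other control characters, which currently pass through unchanged. The doc comment would then say "rejects" rather than "strips".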
@@ -93,6 +99,16 @@ mod tests {
assert!(conf.contains("psk=\"pass\\\\word\""));
}
#[test]
fn test_format_wpa_conf_strips_newlines() {
let conf = format_wpa_conf("legit", "pass\n}\nnetwork={\n ssid=\"evil\"");
assert_eq!(
conf.lines().count(),
format_wpa_conf("legit", "clean").lines().count(),
"newlines in password must not inject extra config lines"
);
}
#[test]
fn test_read_ssid_from_wpa_conf() {
let dir = tempfile::tempdir().unwrap();
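Review bot: `test_format_wpa_conf_strips_newlines` only compares line counts and only exercises `\n` in the password, so it does not cover the `\r` branch of `escape_wpa_value` or a newline in the SSID, and it would not notice a change in what the `psk=` line actually contains. Add a case with `\r`, a case with the newline in the SSID argument, and an assertion on the exact `psk=` line so the test pins the output rather than its length.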