
@fardjad
Last active May 29, 2024 13:51
taming-an-onyx-tablet.md

# Taming an Onyx Tablet

Onyx tablets reportedly phone home and send "data" to some servers in China. The manufacturer apparently refuses to publish its source-code modifications to the OS and to the open-source apps it ships, and even goes as far as violating the GPL.

Of course, I learned all of that after buying this tablet. To ease my mind, I spent some time debloating it and then blocked outgoing traffic to the manufacturer's servers. I'll document the process below.

## Rooting the device

The bootloader is unlocked (nice!) and rooting the device is relatively straightforward. I followed the instructions in this blog post.

I had to download the firmware UPX file from the following URL (see the instructions by the author of the decryption tool):

http://en-data.onyx-international.cn/api/firmware/update?where={"buildNumber":0,"buildType":"user","deviceMAC":"","lang":"en_US","model":"NoteAir3C","submodel":"","fingerprint":""}

Even though this is (seemingly) a test image, we can still extract the boot image, patch it with Magisk, and boot the device with it (without flashing the image to the device). After booting the device with the patched image, Magisk will dump the (more up-to-date) boot image, patch it, and write it back to the boot partition.

## Firewall

After rooting the device, I installed AFWall+, an alternative keyboard, and some other basic packages.

Then I configured AFWall+ as follows:

1. Only allowed access to my local network:
   - Any app (-10)
2. Allowed everything:

## Debloating

Then I downloaded UAD (it can be installed with brew) and uninstalled the following packages:

Suggested by UAD:

- com.android.bluetoothmidiservice
- com.android.dreams.phototable
- com.android.quicksearchbox
- com.google.android.apps.restore
- com.google.android.gms.location.history
- com.qualcomm.embms
- com.qualcomm.qti.uim

The ones I decided to uninstall:

- com.onyx.android.onyxotaservice
- com.onyx.android.production.test
- com.onyx.appmarket
- com.onyx.calculator
- com.onyx.easytransfer
- com.onyx.igetshop
- com.onyx.kime
- com.onyx.latinime
- com.onyx.mail
- com.simplemobiletools.clock
- com.simplemobiletools.gallery
- com.simplemobiletools.musicplayer
- com.simplemobiletools.voicerecorder
- org.chromium.chrome

It's not possible to install or upgrade the com.simplemobiletools.* packages from F-Droid or Google Play. That's probably because they have modified the source code of those apps and packaged them themselves. I don't trust them, so I decided to uninstall those packages and find alternatives later.

And of course, org.chromium.chrome is their own fork of Chromium, which is very strange given how quickly it might get out of date and become a security risk.

## Blocking access to the domains

> [!NOTE]
> This serves as an additional layer of defense, supplementing the firewall rules.

After that, I connected the tablet to my Tailnet and only allowed it to access certain IPs and ports on my network:

1. Port 8006 of my Synology NAS to access a WebDAV share (I use it for synchronizing notes)
  2. My AdGuard container (port 53)
  3. Anything outside of my network (autogroup:internet:*)

Then I enabled USB Debugging, got shell access and ran the following:

```shell
# List settings with `settings list NAMESPACE`, where NAMESPACE is one of global, system, or secure.

# Turn off Private DNS; this makes it easier to override the DNS server on my router.
# (`settings put` takes the key and the value as separate arguments.)
settings put global private_dns_mode off
```

For some reason, after connecting to Tailscale, my router couldn't override the DNS settings anymore. So I had to assign a static IP address to my device and set the DNS server address there. I used the following command to verify the settings:

```shell
dumpsys connectivity | grep DnsAddresses # verify
```

> [!NOTE]
> It was still cumbersome to set the IP address manually every time I wanted to connect to a new network. I ended up configuring a global nameserver in the Tailscale admin panel and enabling the "Override local DNS" option.
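Since every network link on Android carries its own resolver list, checking only one `DnsAddresses` line is not enough: a VPN link can keep a different resolver while the Wi-Fi link shows the override. The following script is an added example, not code from the gist: it parses the per-link `DnsAddresses` field that `dumpsys connectivity` prints and flags every interface whose resolvers are anything other than the AdGuard server (10.10.10.10 from the router rules). The `dumpsys` lines embedded below are constructed, not a capture from the author's tablet, and the `tun0` link with the extra resolver is a made-up illustration of the failure mode.

```python
"""Check which resolver each Android network link is using.

Added example (not part of the gist): flags interfaces whose resolvers
differ from the AdGuard server the DNAT rule is supposed to enforce.
"""
import re
import subprocess
import sys

ADGUARD_IP = "10.10.10.10"  # the AdGuard container from the router rules

# Constructed sample of `dumpsys connectivity` output (not a real capture).
# The Wi-Fi link got the override; the VPN link still lists another resolver.
SAMPLE_DUMPSYS = """\
Current network: 100 WIFI
  lp{InterfaceName: wlan0 LinkAddresses: [ 192.168.1.50/24 ] DnsAddresses: [ /10.10.10.10 ] Domains: null MTU: 1500}
  lp{InterfaceName: tun0 LinkAddresses: [ 100.64.0.5/32 ] DnsAddresses: [ /100.100.100.100,/10.10.10.10 ] Domains: null MTU: 1280}
"""

# One LinkProperties dump per line: interface name first, resolver list later.
LINK_RE = re.compile(
    r"InterfaceName: (?P<iface>\S+).*?DnsAddresses: \[(?P<dns>[^\]]*)\]"
)


def dns_by_interface(dumpsys_text):
    """Map interface name -> list of resolver IPs, one entry per link line."""
    links = {}
    for match in LINK_RE.finditer(dumpsys_text):
        raw = match.group("dns")
        # Entries look like "/10.10.10.10"; strip the leading slash Java prints.
        addrs = [a.strip().lstrip("/") for a in raw.split(",") if a.strip()]
        links[match.group("iface")] = addrs
    return links


def unexpected_resolvers(dumpsys_text, expected=ADGUARD_IP):
    """Interfaces whose resolver set is anything other than exactly {expected}."""
    return {
        iface: addrs
        for iface, addrs in dns_by_interface(dumpsys_text).items()
        if set(addrs) != {expected}
    }


if __name__ == "__main__":
    # On the tablet itself (Termux), read the live output; elsewhere, use the sample.
    try:
        text = subprocess.run(
            ["dumpsys", "connectivity"], capture_output=True, text=True, check=True
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_DUMPSYS
    bad = unexpected_resolvers(text)
    for iface, addrs in dns_by_interface(text).items():
        flag = "WARN" if iface in bad else "ok"
        print(f"{flag:4} {iface}: {', '.join(addrs) or '(none)'}")
    sys.exit(1 if bad else 0)
```

Run it from Termux on the rooted tablet and it exits non-zero whenever any link could still resolve names past AdGuard; the DNAT rule on the router catches plain port-53 traffic, but a resolver reached through the VPN tunnel never passes that rule, which is why the per-interface view matters.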

And these are the rules I defined in AdGuard:

```
||*.cn^$important
||onyx-international.cn^$important
||boox.com^$important
||codekk.com^$important
||effect.snssdk.com^$important
```

On my router, I defined the following rules to override the DNS:

```
# DNAT
rule 1 {
  description "AdGuard Override (Boox)"
  type destination
  protocol tcp_udp
  log disable
  inbound-interface switch0.xx # the interface the tablet is connected to

  source {
    address 1.2.3.4 # the ip address of the tablet
  }
  destination {
    address !10.10.10.10 # anything but the ip address of the AdGuard server
    port 53
  }
  inside-address {
    address 10.10.10.10 # the ip address of the AdGuard server
  }
}

# NAT
rule 2 {
  description "AdGuard Masquerade (Boox)"
  type masquerade
  protocol tcp_udp
  log disable
  outbound-interface switch0.xx # the interface the tablet is connected to

  destination {
    address 10.10.10.10 # the ip address of the AdGuard server
    port 53
  }

  source {
    address 1.2.3.4 # the ip address of the tablet
  }
}
```

## Tailscale start-up issue

Then I ran into another issue: Tailscale did not start automatically on boot. So I enabled auto start for Tailscale and the other apps I needed in App Manager (Apps > App Management), then installed Termux:Boot from F-Droid and created a file at ~/.termux/boot/start-tailscale with the following contents:

```shell
#!/data/data/com.termux/files/usr/bin/sh

# Ask the Tailscale app to bring the VPN up (run by Termux:Boot at boot)
am broadcast -n com.tailscale.ipn/.IPNReceiver -a com.tailscale.ipn.CONNECT_VPN
```

## NTP Server

And to change the NTP server, I created another file named set-settings with the following contents:

```shell
#!/data/data/com.termux/files/usr/bin/sh

# Run `pkg install tsu` first (it provides sudo in Termux; the device must be rooted)
sudo settings put global ntp_server 0.pool.ntp.org
sudo settings put global ntp_server_2 1.pool.ntp.org
```

## Intercepting the Traffic

I was still curious to see what exactly was being sent. So I installed Proxyman, installed its certificate into the user store, and used this module to add it to the system certificate store. After that, I was able to decrypt the HTTPS traffic in Proxyman. Well... I looked at the traffic for a few minutes and didn't spot anything like the contents of the notes, but it certainly sends some metadata to the servers and checks for updates and some kind of config. It's certainly better to keep the firewall rules in place.
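A proxy capture is also the quickest way to check that the AdGuard rules in the "Blocking access to the domains" section actually cover what the tablet talks to. The script below is an added example, not code from the gist or from Proxyman: it reads a HAR file (the session export format Proxyman offers), lists every hostname contacted, and replays the gist's `||domain^` rules against each one, so any host the rules do not cover stands out. The HAR fragment embedded in it is constructed from the hostnames named in the gist plus two stand-ins (`f-droid.org`, `updates.example.org`), not captured traffic; the rule matcher handles only the `||domain^` syntax used in the gist, with `*.` as a leading label wildcard, and ignores the `$important` modifier because it only affects precedence inside AdGuard.

```python
"""Audit the hosts in a proxy capture against the AdGuard blocklist.

Added example (not part of the gist): reports, for every host in a HAR
export, which of the gist's ||domain^ rules would block it.
"""
import json
import sys
from urllib.parse import urlsplit

# The rules from the gist, verbatim.
RULES = [
    "||*.cn^$important",
    "||onyx-international.cn^$important",
    "||boox.com^$important",
    "||codekk.com^$important",
    "||effect.snssdk.com^$important",
]

# Constructed HAR fragment standing in for a Proxyman export (not real traffic).
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
  {"request": {"url": "https://en-data.onyx-international.cn/api/firmware/update?where={}"}},
  {"request": {"url": "https://www.boox.com/"}},
  {"request": {"url": "https://effect.snssdk.com/"}},
  {"request": {"url": "https://effect.snssdk.com/another"}},
  {"request": {"url": "https://f-droid.org/repo/index-v1.jar"}},
  {"request": {"url": "https://updates.example.org/config"}}
]}}
""")


def parse_rule(rule):
    """Reduce `||domain^[$modifiers]` to its domain pattern; reject other syntax."""
    body = rule.split("$", 1)[0]          # drop $important and friends
    if not (body.startswith("||") and body.endswith("^")):
        raise ValueError("only ||domain^ rules are handled: " + rule)
    return body[2:-1].lower()


def host_matches(host, pattern):
    """`||example.com^` matches example.com and every subdomain of it.
    A leading `*.` matches any host with at least one label before the suffix."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith("." + pattern[2:])
    return host == pattern or host.endswith("." + pattern)


def matching_rules(host, rules=RULES):
    """All rules (in list order) that would block this host."""
    return [r for r in rules if host_matches(host, parse_rule(r))]


def hosts_from_har(har):
    """Unique hostnames from the HAR entries, in first-seen order."""
    seen = []
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def audit(har, rules=RULES):
    """Map every contacted host to the rules that cover it."""
    return {host: matching_rules(host, rules) for host in hosts_from_har(har)}


def uncovered_hosts(har, rules=RULES):
    """Hosts the tablet reached that none of the rules would block."""
    return [host for host, hits in audit(har, rules).items() if not hits]


if __name__ == "__main__":
    # Usage: python audit_har.py session.har   (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            har = json.load(fh)
    else:
        har = SAMPLE_HAR
    for host, hits in audit(har).items():
        status = "blocked by " + ", ".join(hits) if hits else "NOT COVERED"
        print(f"{host:35} {status}")
```

Hosts reported as NOT COVERED are the ones to look at more closely in the Proxyman session; whether they belong on the blocklist is a judgement call (in the sample, `f-droid.org` is the app store the gist itself installs from), which is why the script reports rather than decides.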
