Resurrect a Nokia N900

Some Chapters have been split off to their own pages:
Applications and Tweaking.

The legendary N900. I was surprised that a sufficient number is still being sold on various auctioning platforms, and they can be had cheaply - definitely under 100€, though mine was quite a bit cheaper, and in really good condition: no scratches, the sliding mechanism and keyboard work perfectly, the battery is still OK.

N900_xterm

I was impressed at how small the device is:
11cm X 6cm X 1.85cm
Thick as a brick though.
Compare this to my current Oneplus 3 - not the largest Android device out there with a 5.5" screen:
15.3cm X 7.5cm X 0.74cm

I guess because of the keyboard I imagined it larger. In fact the keys are tiny, but their shape and responsiveness is very well designed: I can type fairly fast with two large thumbs and almost no mistakes at all.

I will not deal with describing the user interface or step-by-step instructions - most Linux users will be familiar with four virtual desktops, maximised/minimised windows, an application switcher, an application menu etc.

The Goal

Leste and Maemo 5

The development of Maemo Leste seems to be gaining momentum and until it becomes fully usable I will dual-boot it with the original Maemo 5: Maemo Leste can be booted from the Micro SD card, Maemo 5 remains installed internally.

This article will deal with the original Maemo 5. I have another article about Maemo Leste on this device which is only a stub at this moment. But I urge you to take a good look at the Memo Leste subforum - development is active, people are interested.

Make it Usable and Reasonably Safe

Even though this is a real GNU/Linux phone there's an obvious and strong counterargument to using it: a 10 year old operating system might not be safe on the 'net. Although I would say it's still much safer than running a 10 year old Android system. Let's just say I'm taking some risks, but have also taken some countermeasures.

There's a lot of community software, updates and tweaks available on maemo.org. These will have to be installed to make the operating system reasonably safe and usable.

It might not be possible to browse the WWW safely.

But in addition to phone capabilities I want to be able, and reasonably safe, to:

  • Use email
  • Get & update feeds for Podcasts
  • Sync Contacts/Calendars
  • Listen to internet radio, audiobooks, podcasts

I will be working on the assumption that the biggest security and privacy threat comes from the outside (and not from inside the phone, i.e. installed apps and even the OS itself, like on Android). To be reasonably safe from threats there should be

  • no way to inject code and execute it. In my opinion the vast majority of this type of threat comes through a modern web browser via javascript. There is no way of running an absolutely up-to-date modern web browser on this device, so I will work on the assumption that the outdated modern browsers won't be running at all - this means no javascript on this device, and very little web browsing with "dumb" browsers like lynx or Netsurf.
  • secure and encrypted internet connections everywhere. With some effort this is possible for my requirements.
  • a firewall. No ports should be open to connection attempts.

I also think that mobile telephony and messaging haven't changed much in the last decade-and-a-half and that it is not less secure to use an older phone for that.

Updating the Firmware

That's the name of the wiki article I am starting with. It's better to start with a clean slate, although my phone's OS is on the very latest version already (21.2011.38-1). Possibly a factory reset would have been enough.

I took the lazy approach to flash both eMMC content and rootfs. It works, downloads the appropriate images, tells you what to do, and flashes them correctly. I flashed both "Vanilla" (eMMC) and "Combined" (rootfs).

In case that shouldn't work anymore at some point, there's some alternate sources for images here, here and here.

Software Updates

It is understood that my N900 is now on the latest official OS version - from 2011 - and will never ever receive an official software update anymore. I can ignore the SSU article. However, the community of Maemo users have been taking good care of themselves and a few community-driven projects exist.

At the very end of the firmware flashing article are two recommendations:

  • go to this page and click on this link from within the phone's browser, to update the software catalogs (apt repositories, really). They replace the now defunct Nokia mirrors, which can be disabled now.

  • enable Community SSU (Seamless Software Update). See next chapter:

CSSU Thumb

After trawling the forums for some time I realised that during the past 5 (!) years, most people who are still active, provide updates to software or even new software, are using systems that default to CSSU testing or even CSSU Thumb (which is based on Testing).
And apparently nobody seems to be in the situation of jumping from the latest vanilla firmware (1.3) straight into a "fully updated" CSSU testing/thumb scenario?
At least I think those are the reasons why many things didn't work so well for me at first.

This is how I succesfully got into CSSU thumb after failing thrice following these instructions:

  • Make sure Nokia and Extras repos are enabled
  • Install the rootsh package
  • As root, run apt-get update; apt-get upgrade
  • Reboot
  • Click on this - this will most likely result in a notification "could not install community-ssu-enabler"
  • In a terminal, as root: apt-get install community-ssu-enabler. Ignore the invalid certificates.
  • In your Application Menu, Click on "Community SSU". This will do some things in a terminal first, then in HAM. You get new updates. Install them all. That will take a long time, and you have to click "I agree" every now and then. In the end the device will reboot.
  • Run another apt-get update; apt-get upgrade. That will take a while.
  • Reboot

Keep in mind: HAM does not perform a full apt-get upgrade when updating all packages!

Anyhow, the kernel version should be this now:

$ uname -rvm
2.6.28.10-cssu3 #1 PREEMPT Sat Jul 28 18:05:05 EDT 2012 armv7l
$ apt-cache showpkg kernel-cssu
Package: kernel-cssu
Versions: 
1:2.6.28-10cssu3 (/var/lib/apt/lists/maemo.merlin1991.at_cssu_community-thumb_dists_fremantle_free_binary-armel_Packages) (/var/lib/dpkg/status)
 Description Language: 
                 File: /var/lib/apt/lists/maemo.merlin1991.at_cssu_community-thumb_dists_fremantle_free_binary-armel_Packages
<snip>

Other than that it is not clearly visible that you are using CSSU Thumb now, but there's a clearly perceptible difference; many apps are snappier (or less laggy anyhow).

Essentially, the whole system is now upgraded to CSSU-testing, with CSSU-thumb.

Extras-testing

It seems that there's interesting - and sufficiently stable - software that never made it out of the extras-testing repository. To enable it, first read this, then do this. After HAM did its thing, run another apt-get update; apt-get upgrade.
I do not disable this anymore.

There's a nice list of applications in Extras-testing.

Gain root Privileges

Simply install the rootsh package which allows you to execute sudo gainroot in a terminal.

I was asked to enter a root password when I installed the OpenSSH server - not sure what would have happened here if I hadn't done that earlier. Probably a similar dialog would have popped up.

Secure Encrypted Connections

openssl is outdated on the N900 and many sites reject connections because the TLS version is too old (must be at least 1.2 usually). It is possible to fix this, but this will not work for all applications, most notably the MicroB browser. Some certificates, libraries and utilities should also be upgraded, while some (newer) programs exist that have newer openssl versions compiled in.

Here's what I found out can be done:

  • Enable CSSU-devel by clicking on this link. Make sure the .install file opens in HAM, the repository is added and enabled, and the software catalogue updated afterwards. Or add the repositories manually, the apt-get way.
  • Upgrade the packages in this post.
  • Perform the actions described here.
  • Install the wget version from here.

Disable CSSU-devel again now, and reboot.

Nothing much to notice, but some SSL errors should be gone now. Test: try to wget something from an HTTPS site. Wikipedia.org is sufficiently picky.

Enable SSH Connections

This will enable me to run command line stuff from the comfort of my desktop computer's larger screen and full size keyboard. A very important step (and the only reason I waited until now is because I had such difficulties upgrading to CSSU thumb).

Install openssh-server (from extras). Alternatively you can also install dropbear. It's in the previously-mentioned extras-devel, or you can follow these instructions.

Via WLAN

Usage.

What this means is that when your N900 is connected to your router via WLAN, it should also have an IP address. I ask my router for a Wireless Client List, and get Nokia-N900 - 192.168.0.12:

$ ssh user@192.168.0.12

If you haven't set up a user password yet this won't work; you can ssh in as root, but that's not recommended. So, one last time from the N900's terminal:

$ root
# passwd user

Enter a user password. Now you can ssh as user.

Password login is still pretty unsafe; SSH can be hardened in the usual ways, esp. with key login, but really it just shouldn't be running permanently.

Important!!! Caveat & Solution

The SSH server is running all the time now (autostart at boot), it even respawns itself when killed. This is way too insecure. Fortunately, there's a nice little utility called openssh-status-widget that disables the autostarting/respawning and adds a nice button to your status menu that starts and stops the SSH daemon with a single click.

Via USB Cable only

https://talk.maemo.org/showthread.php?t=48992

This is not very convenient but sufficiently secure, because connections are only made over a USB cable (although sshd is still autostarted at boot; this should be disabled - see the first half of this post for a solution).

A little convenience can be added with two miniscripts:

sh
#!/bin/sh ifup usb0 /etc/init.d/ssh start

and

sh
#!/bin/sh ifdown usb0 /etc/init.d/ssh stop

Store them as e.g. /usr/bin/startssh and /usr/bin/stopssh on your phone. On your desktop computer, an alias is enough:

sh
alias n900='sudo ifconfig usb0 192.168.2.14 netmask 255.255.255.0 up; ssh root@192.168.2.15'

You still have to execute the following on your phone before starting the ssh session:

$ root
# sshstart

And stop it when finished:

# sshstop

Caveat

apt cannot reach the network anymore while usb0 is up. Maybe this is fixable.

Firewall

Mostly following this arch wiki article. It seems that more than a decade later and on a different operating system, iptables works as advertised!

# apt-get install iptables
(...)
# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
# iptables -N TCP
# iptables -N UDP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -P INPUT DROP

At this point you should have locked yourself out if you did this over SSH. Good, that means it's working. Continue from your N900's terminal.

Etc., until we come to this point of the tutorial. The command iptables-save -f /etc/iptables/iptables.rules gives an error (unknown option '-f'), so we just do it manually:

# mkdir /etc/iptables
# iptables-save > /etc/iptables/iptables.rules
# nano /etc/iptables/iptables.rules

The last command just to take a look that everything is as it should be. The commands look slightly different than our manual input; compare to the Archwiki example file and this.

The Archwiki article then goes on adding more rules. Since we do have IPv6 on this device, some of them could be important, so please read on. But for now, reboot and see if everything works:

  • you can still use the internet
  • you still cannot SSH into the device.

...Nope. Those rules are not automatically applied. Check with iptables -nvL --line-numbers. This is what we need to do:

# iptables-restore < /etc/iptables/iptables.rules

Now, no new (!) SSH connections are possible anymore. The WWW should still work normally.

Let's add this rule:

# iptables -A TCP -p tcp --dport 22 -j ACCEPT

Now it should be possible to SSH into the machine again.

Apply iptable rules at bootup

Upstart, an almost forgotten init system...
But it's simple enough.
Create the file /etc/event.d/rc-local with the following content:

start on MOUNTS_OK
console output
exec /etc/rc.local

Your /etc/rc.local could look like this:

sh
#!/bin/sh echo "[/etc/rc.local]" /usr/sbin/iptables-restore < /etc/iptables/iptables.rules

Make sure /etc/rc.local is executable! And you can add more things you want executed at boot. Also see here.

### Open port 22 only when SSH is required, and close it again afterwards

Warning: hackish!

Replace the case-esac block in /etc/init.d/ssh with this:

sh
case "$1" in start) check_for_no_start check_privsep_dir echo -n "Starting OpenBSD Secure Shell server: sshd" start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS #### iptables line added here: iptables -A TCP -p tcp --dport 22 -j ACCEPT echo "." ;; stop) echo -n "Stopping OpenBSD Secure Shell server: sshd" start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid #### iptables line added here: iptables -D TCP -p tcp --dport 22 -j ACCEPT echo "." ;; reload|force-reload) check_for_no_start check_config echo -n "Reloading OpenBSD Secure Shell server's configuration" start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd echo "." ;; restart) check_privsep_dir check_config echo -n "Restarting OpenBSD Secure Shell server: sshd" start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/sshd.pid check_for_no_start start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS #### iptables line added here: iptables -A TCP -p tcp --dport 22 -j ACCEPT echo "." ;; *) echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}" exit 1 esac

openssh-status-widget

A nifty little button in your status area that starts and stops the SSH daemon on demand. It will also automatically stop it after a timeout and disable autostarting/respawning. Since the widget uses /etc/init.d/ssh to start/stop the SSH daemon, the above modifications tie in nicely with its functionality.

Install from extras-testing or extras-devel. Also see this forum thread.

Necessary settings, Uninstalling stuff

Here's a command line to uninstall tons of useless stuff; including the boot animation:

apt-get purge ap-installer amazon-installer foreca-installer dtg-installer tutorial-home-applet osso-systemui-splashscreen sharing-service-flickr sharing-service-ovi chinese-font google-search-widget tutorial-home-applet ovi-promotion-widget osso-tutorial* cherry adobe-flashplayer camel-as-provider-0 as-config-applet* as-daemon-0 as-utils camelisync facebook* hildon-startup-progress hildon-welcome-default-logo microb-geolocation rtcom-accounts-plugin-gtalk rtcom-accounts-plugin-nokiachat osso-accounts-plugin-skype rtcom-abook-skype-plugin 

It might be best to start with that, and then clean up afterwards:

I removed all shortcuts to dead Nokia sites, Youtube, Google, everything. Both on the desktops and inside the browser (there's an option to select multiple bookmarks & delete them). This is an extremely outdated Mozilla-based browser - I should just uninstall it, but I have the bad feeling that I won't be able to avoid using it sometimes. I uninstalled the Flash plugin, disabled javascript completely, disallowed cookies and storing of passwords.

Next, open HAM (Hildon Application Manager) and uninstall cruft & bloatware. I always enjoy this.
And install some themes ;-)

Notes (please read)

Some Chapters have been split off to their own pages:
Applications and Tweaking.

Abbreviations, terms

  • HAM - the graphical Hildon Application Manager
  • Update vs. Upgrade - in Debianspeak, "update" just updates the software catalogues, and "upgrade" actually upgrades all software packages. However, HAM uses the terms "refresh" and "update" instead.

In this article, I (try to) use the proper terms depending on context, i.e. if I use HAM, I speak of updates, if I use apt-get on the command line, I speak of upgrades.

When I write

Install package package

This actually means apt-get install package in a root terminal.