This program will make the ReMarkable Tablet's USB Web Interface available on wifi.

Password authentication and SSL supported, along with the ability to only run when connected to certain wifi networks.

Without additional programs, the USB Web Interface will only be available over wifi while the device is plugged in and the USB Web Interface is enabled/reachable at 10.11.99.1. To ensure the USB Web Interface is always available, use webinterface-onboot.

Drag and drop does not work well on mobile, though it is simple to add an upload button.

It is recommended to install via the toltec package manager.

$ opkg update
$ opkg install webinterface-wifi
$ opkg remove webinterface-wifi

$ wget https://github.com/rM-self-serve/webinterface-wifi/releases/latest/download/install-webint-wf.sh && bash install-webint-wf.sh

$ wget https://github.com/rM-self-serve/webinterface-wifi/releases/latest/download/install-webint-wf.sh && bash install-webint-wf.sh remove

$ systemctl enable --now webinterface-wifi

To view the USB Web Interface, type the remarkable's wifi ip address in the browser. It can be found in the copyrights and licenses tab in the settings. Ex : http://10.0.0.10/

By default, the USB Web Interface runs without authentication or encryption. This means anyone on the same wifi network can access your files. The only way to secure your device on public wifi is by enabling both authentication and encryption.

Obtain an SSL certificate and the corresponding private key, a self signed cert is sufficient. These can be placed at the following paths:

# Certificate default path
/home/root/.local/share/webinterface-wifi/ssl/ssl_cert.pem
# If installed with Toltec
/opt/etc/webinterface-wifi/ssl/ssl_cert.pem

# Private Key default path
/home/root/.local/share/webinterface-wifi/ssl/ssl_priv.rsa 
# If installed with Toltec
/opt/etc/webinterface-wifi/ssl/ssl_priv.rsa 

Or the paths can be specified in config.toml:

[conf]
ssl_cert_path="/etc/ssl/ssl_cert.pem"
ssl_priv_path="/etc/ssl/ssl_priv.rsa"
# ...

Then enable ssl in each network:

[networks.arbitrary_name]
ssl=true
# ...

[undefined_networks]
ssl=true
# ...

An SSL keypair will be included in this repository for testing purposes. This should not be considered secure as someone determined could use the provided private key to decrypt your network traffic. These will need to be downloaded separately.

A login consists of a username and password. The username will not be saved so ensure to remember it along with the password. Since the device is not encrypted, it is important to use a unique password not used elsewhere. Even with login enabled, anyone on the same wifi network can read whatever files are uploaded/downloaded, use SSL to mitigate this vulnerability.

To create a login, run the following command and enter a username and password:

$ webinterface-wifi create-login
User: myuser
Password: 
Retype Password: 

# Login file default path
/home/root/.local/share/webinterface-wifi/auth/login.pass 
# If installed with Toltec
/opt/etc/webinterface-wifi/auth/login.pass 

This will create a login file at the default path so that it does not need to be specified in config.toml.

To specify in config.toml:

[conf]
login_path="/etc/auth/login.pass"
# ...

The password is not stored in plaintext.

Each wifi network can have settings defined in the config:

[networks.home]
router_ssid="Home's Wifi Name"
ssl=false
login_enforced=false
listen_ip="auto"
listen_port=80

[networks.coffeshop]
router_ssid="Coffeshop's Wifi Name"
ssl=true
login_enforced=true
listen_ip="auto"
listen_port=443
http_redirect_port=80

When the wifi network with the matching SSID connects, these settings will be applied.

If the connected network is not defined (and is not filtered), it will run with the settings of the [undefined_networks] field:

[undefined_networks]
ssl=false
login_enforced=false
listen_ip="auto"
listen_port=80

If you would like your webinterface to be available on your home wifi network but not the airport, you can configure network filtering.

The more secure option, this feature ensures the webinterface will only be available on defined networks.

[conf]
network_filter="allowlist"

[networks.home]
router_ssid="Home Wifi Name"
# ...

[allowlist]
networks=[ "home" ]

This option lets you define which networks the webinterface should NOT run on, while running on any network that is not in the list.

[conf]
network_filter="blocklist"

[networks.airport]
router_ssid="Airport Wifi Name"

[blocklist]
networks=[ "airport" ]

[undefined_networks]
# ...

Webinterface-Wifi needs to be explicitly reloaded when the config is edited.

⚠️ An invalid config will stop the daemon from running. Restart it with:

$ systemctl daemon-reload
$ systemctl restart webinterface-wifi

Open in the default config in your editor of choice, defined by the environment variable $EDITOR, or nano if not defined:

$ webinterface-wifi edit

After saving the file, validation will be performed on the config where potential errors will be raised.

# Default Config Path
/home/root/.config/webinterface-wifi/config.toml

You may wish to edit the config and reload the program without restarting the daemon.

$ webinterface-wifi reload       
Config Valid
Config Reloaded

To ensure your modified config is valid and do a mock run to see which network may be currently active.

$ webinterface-wifi validate

$ webinterface-wifi net-info
wifi interface: wlan0 ip: 192.168.1.93
webint ip exists: 10.11.99.1
router ssid: Home Wifi Name

In the definition of a network, the 'listen_ip' field is set to "auto" by default. This will find the ip address of the wifi interface and start the server on it. It can also be configured to run on a static ipv4 ip address. The webinterface will be available on this ip address when the device has wifi.

[networks.home]
listen_ip="0.0.0.0"

[networks.coffeshop]
listen_ip="auto"

[undefined_networks]
listen_ip="169.254.229.31"

If the defined network has enabled SSL, it can enable the redirection of an unencrypted network connection to an encrypted one. Omitting this field will disable redirection.

[networks.home]
http_redirect_port=80

For more information on the config see the spec and examples in the config folder.

• Password authentication on Safari

You will need docker/podman, cargo, and the cargo crate named cross. There are other ways to cross compile for 32 bit arm as well.

cross build --target armv7-unknown-linux-gnueabihf --release

Then copy the binary 'target/armv7-unknown-linux-gnueabihf/release/webinterface-wifi' to the device and enable/start it as a systemd service.

This program will start a reverse proxy on the wifi interface on the port specified. The proxy will start/stop based on if webinterface has the configured ip address and the wifi interface has an ip address. It will automatically be available whenever you connect to a new wifi network.