Native Android app that turns a phone into a standalone field gateway and full Reticulum Transport Node. Bridges Meshtastic mesh (BLE), Iridium satellite (9603N SBD + 9704 IMT), APRS, cellular SMS, and MQTT -- with end-to-end encryption, semantic compression, and intelligent routing. The phone IS the gateway. No companion app, no server dependency, no internet required. Setup Guide Step 1: Grant Permissions On first launch, MeshSat requests permissions for Bluetooth, Location, SMS, and Notifications. All are required for full functionality: Bluetooth -- connects to Meshtastic radios (BLE) and satellite modems (HC-05 SPP) Location -- required for BLE scanning on Android 12+, GPS position for map and beaconing SMS -- enables the cellular SMS gateway transport Notifications -- foreground service notification (Android 13+ requirement) Foreground service types (Android 14+): connectedDevice and location are declared in the manifest Step 2: Pair Your Radio Open Settings and pair your Meshtastic radio via Bluetooth. The app scans for BLE devices advertising the Meshtastic service UUID. Tap your device to connect. Full radio configuration is available in the Radio Config tab (7 sub-tabs: Identity, LoRa, Channels, Position, Bluetooth, Network, Admin). For satellite modems (RockBLOCK 9603N/9704), pair the HC-05 Bluetooth SPP adapter first via Android Bluetooth settings, then select it in MeshSat Settings. Step 3: Connect to Hub (Optional) If you use MeshSat Hub for fleet management: On the Hub web UI, generate a QR provisioning code for your device In MeshSat, go to Settings > Hub and scan the QR code The app auto-configures Hub URL, credentials, and mTLS certificates Alternatively, paste the Hub URL and mTLS client certificate PEM manually in Settings > Hub Step 4: Configure Access Rules Go to Rules to set up message routing between transports. Rules use Cisco ASA-style implicit deny with per-rule source/destination interface filtering, keyword/sender/node matching, object groups, failover groups, and rate limiting. Step 5: Send a Test Message Open the Comms tab and send a test message to a Meshtastic node. If access rules route to a satellite interface, verify delivery in the Delivery Ledger (Rules > DLQ tab). Check the Dashboard sparklines for real-time activity. Transports Transport Connection Protocol MTU Meshtastic Bluetooth LE Official protobuf (15 portnums) 237B Iridium 9603N HC-05 Bluetooth SPP AT/SBD (19200 baud) 340B Iridium 9704 HC-05 Bluetooth SPP JSPR (230400 baud, 100KB msgs) 100KB APRS KISS TNC + APRS-IS AX.25 / APRS-IS TCP 256B SMS Native Android AES-GCM encrypted, MSVQ-SC compressed 160B MQTT WiFi/cellular Eclipse Paho (mTLS) -- Architecture Phone (MeshSat Android) | +-- BLE ----------------> Meshtastic radio (15 portnums, full radio config) | +-- Bluetooth SPP ------> HC-05 --> RockBLOCK 9603N (Iridium SBD) | +-> HC-05 --> RockBLOCK 9704 (Iridium IMT/JSPR) | +-- KISS TNC -----------> APRS radio (smart beaconing, directed messaging) +-- APRS-IS TCP --------> APRS internet gateway | +-- Native SMS ---------> Cellular (AES-GCM + MSVQ-SC compression) | +-- MQTT (mTLS) --------> MeshSat Hub (telemetry, commands, credentials) | +-- Reticulum TCP (TLS)-> reticulum.meshsat.net (Transport Node mesh) | +-- Dispatcher ---------> Per-interface workers, fan-out, dedup, TTL +-- AccessEvaluator ----> Cisco ASA-style ACL rules, keyword/sender filters +-- FailoverResolver ---> Priority-based transport failover groups +-- InterfaceManager ---> 5-state machine, exponential backoff reconnect +-- TransformPipeline --> compress -> encrypt -> base64 (per-interface) +-- BurstQueue ---------> TLV-pack multiple messages into one SBD (max 340B) +-- PassScheduler ------> 4-mode satellite scheduling (Idle/PreWake/Active/PostPass) +-- CreditTracker ------> Per-message Iridium cost tracking ($0.05/MO) +-- HealthScorer -------> Composite 0-100 per interface (signal/success/latency/cost) Android vs Bridge Parity Capability Bridge (Pi/Linux) Android Meshtastic Serial/USB BLE Iridium 9603N SBD UART/USB HC-05 Bluetooth SPP Iridium 9704 IMT FTDI USB HC-05 Bluetooth SPP Cellular SMS USB AT modem Native Android SMS ZigBee USB dongle (Z-Stack ZNP) -- APRS Direwolf KISS TNC KISS TNC + APRS-IS TAK gateway (CoT XML server) Full server + client Receive-only (Hub broadcast) Webhooks Outbound HTTP -- HeMB bonding (RLNC) Production (multi-bearer) -- Dead Man Switch Yes Yes Geofence Monitor Yes Yes Hub client (mTLS + 8 commands) Yes Yes Reticulum Transport Node 10 interfaces 10+ interfaces Multi-instance transports Yes Yes (TransportRegistry) Delivery ledger + DLQ Yes Yes (10 status states) Access rules + object groups Yes Yes QR key bundles Yes Yes (meshsat://key/ URI) Master key envelope encryption Yes Yes (EncryptedSharedPreferences) Ed25519 audit log chain Yes Yes Config export/import (YAML) Yes Yes (Bridge-compatible) Satellite pass predictor (SGP4) Yes Yes (Canvas bezier arcs) Iridium credit tracking Yes Yes Web dashboard Vue.js SPA (13 views) Jetpack Compose (14 screens) REST API 280+ endpoints 14 endpoints (localhost:6051) Runs without infrastructure Needs Pi + power Phone only Reticulum Transport Node MeshSat Android is a full Reticulum Transport Node -- not just a client. It relays packets between all interfaces, maintains a forwarding table with cost-aware routing, and announces itself to the mesh. Ed25519 signing + X25519 encryption identity 10+ Reticulum interfaces: Meshtastic BLE, Iridium 9603, Iridium 9704, SMS, MQTT, TCP (HDLC), BLE peripheral (GATT server), Tor (SOCKS5), WireGuard Cross-interface relay with announce propagation and hop counting 3-packet ECDH link handshake with AES-256-GCM encrypted links Path table with cost-aware forwarding and path request/response TLS + mTLS for authenticated TCP tunnel to Hub Meshtastic Integration Full radio configuration via BLE (not just messaging): 15 portnums: text, position, telemetry, routing ACK/NAK, waypoint, neighborinfo, traceroute, store-forward, range test, detection sensor, paxcounter, reply, nodeinfo, admin, private 7 config tabs: Identity, LoRa (region/preset/TX power/hop limit), Channels (8 with PSK), Position (GPS/broadcast interval), Bluetooth, Network (WiFi), Admin (reboot/shutdown/factory reset) Official protobuf bindings from meshtastic/protobufs via protobuf-javalite Single-parse dispatch via MeshtasticProtocol.parseFromRadioFull() — one protobuf parse per frame, then adapter maps to internal types Security & Encryption Crypto AES-256-GCM per-conversation encryption for SMS MSVQ-SC lossy semantic compression (~92% savings) -- ONNX Runtime INT8 encoder (TX), pure Kotlin codebook decoder (RX) Ed25519 hash-chain audit log -- append-only, tamper-evident, viewable in the Audit screen with chain verification ECDSA-P256 signed birth messages for Hub device verification Master Key Envelope Device-level at-rest encryption using Android's EncryptedSharedPreferences (AndroidX Security). All sensitive keys and credentials are wrapped with HKDF + AES-256-GCM key wrapping backed by the Android Keystore hardware. QR Key Bundles with TOFU Pinning Cross-platform channel key exchange via meshsat://key/ URI scheme. Scan a QR code from the Bridge or another Android device to import AES-256-GCM conversation keys for each channel (mesh, iridium, sms, etc.) in a single operation. Starting in v2.8.5, KeyBundleImporter supports TOFU (Trust On First Use) pinning against the bridge's Ed25519 signing key: Bundle v2 format embeds the 32-byte Ed25519 signing pubkey inside the signed payload. Signature covers everything except the signature bytes themselves, so the pubkey cannot be swapped without invalidating the signature. First import from a new bridge hash → pubkey is pinned in the bridge_trust Room table, status NEW_TRUSTED. Subsequent imports → signature verified against the stored pubkey, status EXISTING_TRUSTED. A mismatch (key rotation or impersonation) is rejected and the user sees a KeyMismatch warning with an explicit re-pin option. Bundle v1 (legacy) still imports for backward compat with older bridges, flagged as UNVERIFIED_V1 with a user-visible warning. See MESHSAT-495 for the full design.