Download OTA workaround

Author: theelims

docs/buildprocess.md

@@ -168,6 +168,10 @@ The script will download a public certificate store from Mozilla (`board_ssl_cer
 
      To enable SSL the feature `FT_NTP=1` must be enabled as well.
 
+!!! bug
+
+    At the moment there is a bug with the certificate bundle when using the firmware download e.g. from Github. By using the build flag `-D DOWNLOAD_OTA_SKIP_CERT_VERIFY` you may skip certificate validation to keep OTA working. Only OTA seems affected, not MQTT. Keep in mind, that this voids the main security feature of SSL and allows man-in-the-middle attacks.
+
 ## Vite and LittleFS 32 Character Limit
 
 The static files for the website are build using vite. By default vite adds a unique hash value to all filenames for improved caching performance. However, LittleFS on the ESP32 is limited to filenames with 32 characters. This restricts the number of characters available for the user to name svelte files. To give a little bit more headroom a vite-plugin removes all hash values, as they offer no benefit on an ESP32. However, have the 32 character limit in mind when naming files. Excessively long names may still cause some issues when building the LittleFS binary.

interface/src/lib/components/GithubUpdateDialog.svelte

@@ -39,11 +39,11 @@
 		} else if ($telemetry.download_ota.status == 'finished') {
 			message = 'Restarting ...';
 			progress = 0;
-			// Reload page after 5 sec
+			// Reload page after 20 sec
 			timerId = setTimeout(() => {
 				modals.closeAll();
 				location.reload();
-			}, 5000);
+			}, 20000);
 		}
 	});
 
@@ -52,9 +52,6 @@
 			// prevents modal from closing
 			return false;
 		} else {
-			$telemetry.download_ota.status = 'idle';
-			$telemetry.download_ota.error = '';
-			$telemetry.download_ota.progress = 0;
 			return true;
 		}
 	});
@@ -90,7 +87,6 @@
 					disabled={updating}
 					onclick={() => {
 						modals.closeAll();
-						location.reload();
 					}}
 				>
 					<Cancel class="mr-2 h-5 w-5" /><span>Close</span></button

interface/src/routes/system/update/GithubFirmwareManager.svelte

@@ -2,6 +2,7 @@
 	import { user } from '$lib/stores/user';
 	import { page } from '$app/state';
 	import { modals } from 'svelte-modals';
+	import type { ModalComponent } from 'svelte-modals';
 	import { slide } from 'svelte/transition';
 	import { cubicOut } from 'svelte/easing';
 	import ConfirmDialog from '$lib/components/ConfirmDialog.svelte';
@@ -66,8 +67,7 @@
 			}
 		}
 		if (url === '') {
-			// if no asset was found, use the first one
-			modals.open(InfoDialog, {
+			modals.open(InfoDialog as unknown as ModalComponent<any>, {
 				title: 'No matching firmware found',
 				message:
 					'No matching firmware was found for the current device. Upload the firmware manually or build from sources.',
@@ -76,8 +76,7 @@
 			});
 			return;
 		}
-
-		modals.open(ConfirmDialog, {
+		modals.open(ConfirmDialog as unknown as ModalComponent<any>, {
 			title: 'Confirm flashing new firmware to the device',
 			message: 'Are you sure you want to overwrite the existing firmware with a new one?',
 			labels: {
@@ -86,8 +85,8 @@
 			},
 			onConfirm: () => {
 				postGithubDownload(url);
-				modals.open(GithubUpdateDialog, {
-					onConfirm: () => modals.closeAlls()
+				modals.open(GithubUpdateDialog as unknown as ModalComponent<any>, {
+					onConfirm: () => modals.closeAll()
 				});
 			}
 		});
@@ -96,22 +95,28 @@
 
 <SettingsCard collapsible={false}>
 	{#snippet icon()}
-		<Github  class="lex-shrink-0 mr-2 h-6 w-6 self-end rounded-full" />
+		<Github class="lex-shrink-0 mr-2 h-6 w-6 self-end rounded-full" />
 	{/snippet}
 	{#snippet title()}
-		<span >Github Firmware Manager</span>
+		<span>Github Firmware Manager</span>
 	{/snippet}
 	{#await getGithubAPI()}
 		<Spinner />
 	{:then githubReleases}
+		<div class="alert alert-info">
+			<div>
+				<span class="font-bold">Current Firmware Version:</span>
+				v{page.data.features.firmware_version}
+			</div>
+		</div>
 		<div class="relative w-full overflow-visible">
 			<div class="overflow-x-auto" transition:slide|local={{ duration: 300, easing: cubicOut }}>
 				<table class="table w-full table-auto">
 					<thead>
 						<tr class="font-bold">
 							<th align="left">Release</th>
 							<th align="center" class="hidden sm:block">Release Date</th>
-							<th align="center">Experimental</th>
+							<th align="center">Exp.</th>
 							<th align="center">Install</th>
 						</tr>
 					</thead>

interface/vite.config.ts

@@ -18,12 +18,12 @@ const config: UserConfig = {
 		proxy: {
 			// Proxying REST: http://localhost:5173/rest/bar -> http://192.168.1.83/rest/bar
 			'/rest': {
-				target: 'http://192.168.1.110',
+				target: 'http://192.168.1.111',
 				changeOrigin: true
 			},
 			// Proxying websockets ws://localhost:5173/ws -> ws://192.168.1.83/ws
 			'/ws': {
-				target: 'ws://192.168.1.110',
+				target: 'ws://192.168.1.111',
 				changeOrigin: true,
 				ws: true
 			}

lib/framework/DownloadFirmwareService.cpp

@@ -16,6 +16,45 @@
 extern const uint8_t rootca_crt_bundle_start[] asm("_binary_src_certs_x509_crt_bundle_bin_start");
 extern const uint8_t rootca_crt_bundle_end[] asm("_binary_src_certs_x509_crt_bundle_bin_end");
 
+/**
+ * This is github-io.pem
+ */
+const char *githubCACertificate = "-----BEGIN CERTIFICATE-----\n"
+                                  "MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB\n"
+                                  "iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl\n"
+                                  "cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV\n"
+                                  "BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx\n"
+                                  "MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCR0IxGzAZBgNV\n"
+                                  "BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE\n"
+                                  "ChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFJTQSBEb21haW4g\n"
+                                  "VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC\n"
+                                  "AQ8AMIIBCgKCAQEA1nMz1tc8INAA0hdFuNY+B6I/x0HuMjDJsGz99J/LEpgPLT+N\n"
+                                  "TQEMgg8Xf2Iu6bhIefsWg06t1zIlk7cHv7lQP6lMw0Aq6Tn/2YHKHxYyQdqAJrkj\n"
+                                  "eocgHuP/IJo8lURvh3UGkEC0MpMWCRAIIz7S3YcPb11RFGoKacVPAXJpz9OTTG0E\n"
+                                  "oKMbgn6xmrntxZ7FN3ifmgg0+1YuWMQJDgZkW7w33PGfKGioVrCSo1yfu4iYCBsk\n"
+                                  "Haswha6vsC6eep3BwEIc4gLw6uBK0u+QDrTBQBbwb4VCSmT3pDCg/r8uoydajotY\n"
+                                  "uK3DGReEY+1vVv2Dy2A0xHS+5p3b4eTlygxfFQIDAQABo4IBbjCCAWowHwYDVR0j\n"
+                                  "BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFI2MXsRUrYrhd+mb\n"
+                                  "+ZsF4bgBjWHhMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G\n"
+                                  "A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYGBFUdIAAw\n"
+                                  "CAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0\n"
+                                  "LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2Bggr\n"
+                                  "BgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNv\n"
+                                  "bS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDov\n"
+                                  "L29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMr9hvQ5Iw0/H\n"
+                                  "ukdN+Jx4GQHcEx2Ab/zDcLRSmjEzmldS+zGea6TvVKqJjUAXaPgREHzSyrHxVYbH\n"
+                                  "7rM2kYb2OVG/Rr8PoLq0935JxCo2F57kaDl6r5ROVm+yezu/Coa9zcV3HAO4OLGi\n"
+                                  "H19+24rcRki2aArPsrW04jTkZ6k4Zgle0rj8nSg6F0AnwnJOKf0hPHzPE/uWLMUx\n"
+                                  "RP0T7dWbqWlod3zu4f+k+TY4CFM5ooQ0nBnzvg6s1SQ36yOoeNDT5++SR2RiOSLv\n"
+                                  "xvcRviKFxmZEJCaOEDKNyJOuB56DPi/Z+fVGjmO+wea03KbNIaiGCpXZLoUmGv38\n"
+                                  "sbZXQm2V0TP2ORQGgkE49Y9Y3IBbpNV9lXj9p5v//cWoaasm56ekBYdbqbe4oyAL\n"
+                                  "l6lFhd2zi+WJN44pDfwGF/Y4QA5C5BIG+3vzxhFoYt/jmPQT2BVPi7Fp2RBgvGQq\n"
+                                  "6jG35LWjOhSbJuMLe/0CjraZwTiXWTb2qHSihrZe68Zk6s+go/lunrotEbaGmAhY\n"
+                                  "LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5\n"
+                                  "yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K\n"
+                                  "00u/I5sUKUErmgQfky3xxzlIPK1aEn8=\n"
+                                  "-----END CERTIFICATE-----\n";
+
 static EventSocket *_socket = nullptr;
 static int previousProgress = 0;
 static String *otaURL = nullptr;
@@ -27,7 +66,7 @@ void update_started()
     doc["status"] = "preparing";
     JsonObject jsonObject = doc.as<JsonObject>();
     _socket->emitEvent(EVENT_DOWNLOAD_OTA, jsonObject);
-    ESP_LOGD(SVK_TAG, "HTTP onUpdate started");
+    ESP_LOGD(SVK_TAG, "HTTP Update started");
 }
 
 void update_progress(int currentBytes, int totalBytes)
@@ -44,20 +83,40 @@ void update_progress(int currentBytes, int totalBytes)
     previousProgress = progress;
 }
 
+void update_finished()
+{
+    String output;
+    doc["status"] = "finished";
+    doc["progress"] = 100;
+    JsonObject jsonObject = doc.as<JsonObject>();
+    _socket->emitEvent(EVENT_DOWNLOAD_OTA, jsonObject);
+    ESP_LOGI(SVK_TAG, "HTTP Update successful - Restarting");
+#ifdef SERIAL_INFO
+    Serial.println("HTTP Update successful - Restarting");
+#endif
+
+    vTaskDelay(250 / portTICK_PERIOD_MS);
+}
+
 void updateTask(void *param)
 {
     String url = *((String *)param);
     delete (String *)param; // Clean up the allocated memory
 
     WiFiClientSecure client;
 
+#ifndef DOWNLOAD_OTA_SKIP_CERT_VERIFY
+
 #if ESP_ARDUINO_VERSION_MAJOR == 3
     client.setCACertBundle(rootca_crt_bundle_start, rootca_crt_bundle_end - rootca_crt_bundle_start);
 #else
     client.setCACertBundle(rootca_crt_bundle_start);
 #endif
 
-    // client.setInsecure(); // For testing purposes only, remove this line for production code
+#else
+    ESP_LOGW(SVK_TAG, "Skipping SSL certificate verification for OTA update!");
+    client.setInsecure();
+#endif
 
     client.setTimeout(12000);
 
@@ -67,6 +126,7 @@ void updateTask(void *param)
     String output;
     httpUpdate.onStart(update_started);
     httpUpdate.onProgress(update_progress);
+    httpUpdate.onEnd(update_finished);
 
     t_httpUpdate_return ret = httpUpdate.update(client, url.c_str());
     JsonObject jsonObject;
@@ -98,16 +158,6 @@ void updateTask(void *param)
         ESP_LOGE(SVK_TAG, "HTTP Update failed, has same firmware version");
 #ifdef SERIAL_INFO
         Serial.println("HTTP Update failed, has same firmware version");
-#endif
-        break;
-    case HTTP_UPDATE_OK:
-
-        doc["status"] = "finished";
-        _emitEvent = true;
-
-        ESP_LOGI(SVK_TAG, "HTTP Update successful - Restarting");
-#ifdef SERIAL_INFO
-        Serial.println("HTTP Update successful - Restarting");
 #endif
         break;
     }

lib/framework/DownloadFirmwareService.h

@@ -24,7 +24,6 @@
 
 #include <WiFiClientSecure.h>
 #include <HTTPUpdate.h>
-// #include <SSLCertBundle.h>
 
 #define GITHUB_FIRMWARE_PATH "/rest/downloadUpdate"
 #define EVENT_DOWNLOAD_OTA "otastatus"