Implement OTA release compatibility checking system

Implement a comprehensive solution for validating a firmware before an
OTA updated is committed.  WLED metadata such as version and release
is moved to a data structure located at near the start of the firmware
binary, where it can be identified and validated.

Co-authored-by: netmindz <[email protected]>

Author: 2 people

tools/cdata.js

@@ -388,12 +388,6 @@ const char PAGE_dmxmap[] PROGMEM = R"=====()=====";
       name: "PAGE_update",
       method: "gzip",
       filter: "html-minify",
-      mangle: (str) =>
-        str
-          .replace(
-            /function GetV().*\<\/script\>/gms,
-            "</script><script src=\"/settings/s.js?p=9\"></script>"
-          )
     },
     {
       file: "welcome.htm",

wled00/data/update.htm

@@ -17,7 +17,26 @@
 			}
 			window.open(getURL("/update?revert"),"_self");
 		}
-		function GetV() {/*injected values here*/}
+		function GetV() {
+			// Fetch device info via JSON API instead of compiling it in
+			fetch('/json/info')
+				.then(response => response.json())
+				.then(data => {
+					document.querySelector('.installed-version').textContent = `${data.brand} ${data.ver} (${data.vid})`;
+					document.querySelector('.release-name').textContent = data.release;
+					// TODO - assemble update URL
+					// TODO - can this be done at build time?
+					if (data.arch == "esp8266") {
+						toggle('rev');
+					}
+				})
+				.catch(error => {
+					console.log('Could not fetch device info:', error);
+					// Fallback to compiled-in value if API call fails
+					document.querySelector('.installed-version').textContent = 'Unknown';
+					document.querySelector('.release-name').textContent = 'Unknown';
+				});
+		}
 	</script>
 	<style>
 		@import url("style.css");
@@ -27,11 +46,15 @@
 <body onload="GetV()">
 	<h2>WLED Software Update</h2>
 	<form method='POST' action='./update' id='upd' enctype='multipart/form-data' onsubmit="toggle('upd')">
-		Installed version: <span class="sip">WLED ##VERSION##</span><br>
+		Installed version: <span class="sip installed-version">Loading...</span><br>
+		Release: <span class="sip release-name">Loading...</span><br>
 		Download the latest binary: <a href="https://github.com/wled-dev/WLED/releases" target="_blank" 
 		style="vertical-align: text-bottom; display: inline-flex;">
 		<img src="https://img.shields.io/github/release/wled-dev/WLED.svg?style=flat-square"></a><br>
+		<input type="hidden" name="skipValidation" value="" id="sV">
 		<input type='file' name='update' required><br> <!--should have accept='.bin', but it prevents file upload from android app-->
+		<input type='checkbox' onchange="sV.value=checked?1:''" id="skipValidation">
+		<label for='skipValidation'>Ignore firmware validation</label><br>
 		<button type="submit">Update!</button><br>
 		<hr class="sml">
 		<button id="rev" type="button" onclick="cR()">Revert update</button><br>

wled00/dmx_input.cpp

@@ -55,8 +55,8 @@ static dmx_config_t createConfig()
   config.software_version_id = VERSION;
   strcpy(config.device_label, "WLED_MM");
 
-  const std::string versionString = "WLED_V" + std::to_string(VERSION);
-  strncpy(config.software_version_label, versionString.c_str(), 32);
+  const std::string dmxWledVersionString = "WLED_V" + std::to_string(VERSION);
+  strncpy(config.software_version_label, dmxWledVersionString.c_str(), 32);
   config.software_version_label[32] = '\0'; // zero termination in case versionString string was longer than 32 chars
 
   config.personalities[0].description = "SINGLE_RGB";

wled00/e131.cpp

@@ -414,7 +414,7 @@ void prepareArtnetPollReply(ArtPollReply *reply) {
 
   reply->reply_port = ARTNET_DEFAULT_PORT;
 
-  char * numberEnd = versionString;
+  char * numberEnd = (char*) versionString; // strtol promises not to try to edit this.
   reply->reply_version_h = (uint8_t)strtol(numberEnd, &numberEnd, 10);
   numberEnd++;
   reply->reply_version_l = (uint8_t)strtol(numberEnd, &numberEnd, 10);

wled00/ota_update.cpp

@@ -0,0 +1,257 @@
+#include "ota_update.h"
+#include "wled.h"
+
+#ifdef ESP32
+#include <esp_app_format.h>
+#include <esp_ota_ops.h>
+#endif
+
+// Platform-specific metadata locations
+#ifdef ESP32
+constexpr size_t METADATA_OFFSET = 256;          // ESP32: metadata appears after Espressif metadata
+#define UPDATE_ERROR errorString
+#elif defined(ESP8266)
+constexpr size_t METADATA_OFFSET = 0x1000;     // ESP8266: metadata appears at 4KB offset
+#define UPDATE_ERROR getErrorString
+#endif
+constexpr size_t METADATA_SEARCH_RANGE = 512;  // bytes
+
+
+/**
+ * Check if OTA should be allowed based on release compatibility using custom description
+ * @param binaryData Pointer to binary file data (not modified)
+ * @param dataSize Size of binary data in bytes
+ * @param errorMessage Buffer to store error message if validation fails 
+ * @param errorMessageLen Maximum length of error message buffer
+ * @return true if OTA should proceed, false if it should be blocked
+ */
+
+static bool validateOTA(const uint8_t* binaryData, size_t dataSize, char* errorMessage, size_t errorMessageLen) {
+  // Clear error message
+  if (errorMessage && errorMessageLen > 0) {
+    errorMessage[0] = '\0';
+  }
+
+  // Try to extract WLED structure directly from binary data
+  wled_custom_desc_t extractedDesc;
+  bool hasDesc = findWledMetadata(binaryData, dataSize, &extractedDesc);
+
+  if (hasDesc) {
+    return shouldAllowOTA(extractedDesc, errorMessage, errorMessageLen);
+  } else {
+    // No custom description - this could be a legacy binary
+    if (errorMessage && errorMessageLen > 0) {
+      strncpy_P(errorMessage, PSTR("This firmware file is missing compatibility metadata."), errorMessageLen - 1);
+      errorMessage[errorMessageLen - 1] = '\0';
+    }
+    return false;
+  }
+}
+
+struct UpdateContext {
+  // State flags
+  // FUTURE: the flags could be replaced by a state machine
+  bool replySent = false;
+  bool needsRestart = false;
+  bool updateStarted = false;
+  bool uploadComplete = false;
+  bool releaseCheckPassed = false;
+  String errorMessage;
+
+  // Buffer to hold block data across posts, if needed
+  std::vector<uint8_t> releaseMetadataBuffer;  
+};
+
+
+static void endOTA(AsyncWebServerRequest *request) {
+  UpdateContext* context = reinterpret_cast<UpdateContext*>(request->_tempObject);
+  request->_tempObject = nullptr;
+
+  DEBUG_PRINTF_P(PSTR("EndOTA %x --> %x (%d)\n"), (uintptr_t)request,(uintptr_t) context, context ? context->uploadComplete : 0);
+  if (context) {
+    if (context->updateStarted) {  // We initialized the update
+      // We use Update.end() because not all forms of Update() support an abort.
+      // If the upload is incomplete, Update.end(false) should error out.
+      if (Update.end(context->uploadComplete)) {
+        // Update successful!
+        #ifndef ESP8266
+        bootloopCheckOTA(); // let the bootloop-checker know there was an OTA update
+        #endif
+        doReboot = true;
+        context->needsRestart = false;
+      }
+    }
+
+    if (context->needsRestart) {
+      strip.resume();
+      UsermodManager::onUpdateBegin(false);
+      #if WLED_WATCHDOG_TIMEOUT > 0
+      WLED::instance().enableWatchdog();
+      #endif
+    }
+    delete context;
+  }
+};
+
+static bool beginOTA(AsyncWebServerRequest *request, UpdateContext* context)
+{
+  #ifdef ESP8266
+  Update.runAsync(true);
+  #endif  
+
+  if (Update.isRunning()) {
+      request->send(503);
+      setOTAReplied(request);
+      return false;
+  }
+
+  #if WLED_WATCHDOG_TIMEOUT > 0
+  WLED::instance().disableWatchdog();
+  #endif
+  UsermodManager::onUpdateBegin(true); // notify usermods that update is about to begin (some may require task de-init)
+  
+  strip.suspend();
+  backupConfig(); // backup current config in case the update ends badly
+  strip.resetSegments();  // free as much memory as you can
+  context->needsRestart = true;
+
+  DEBUG_PRINTF_P(PSTR("OTA Update Start, %x --> %x\n"), (uintptr_t)request,(uintptr_t) context);
+
+  auto skipValidationParam = request->getParam("skipValidation", true);
+  if (skipValidationParam && (skipValidationParam->value() == "1")) {
+    context->releaseCheckPassed = true;
+    DEBUG_PRINTLN(F("OTA validation skipped by user"));
+  }
+  
+  // Begin update with the firmware size from content length
+  size_t updateSize = request->contentLength() > 0 ? request->contentLength() : ((ESP.getFreeSketchSpace() - 0x1000) & 0xFFFFF000);
+  if (!Update.begin(updateSize)) {    
+    context->errorMessage = Update.UPDATE_ERROR();
+    DEBUG_PRINTF_P(PSTR("OTA Failed to begin: %s\n"), context->errorMessage.c_str());
+    return false;
+  }
+  
+  context->updateStarted = true;
+  return true;
+}
+
+// Create an OTA context object on an AsyncWebServerRequest
+// Returns true if successful, false on failure.
+bool initOTA(AsyncWebServerRequest *request) {
+  // Allocate update context
+  UpdateContext* context = new (std::nothrow) UpdateContext {};  
+  if (context) {
+    request->_tempObject = context;
+    request->onDisconnect([=]() { endOTA(request); });  // ensures we restart on failure
+  };
+
+  DEBUG_PRINTF_P(PSTR("OTA Update init, %x --> %x\n"), (uintptr_t)request,(uintptr_t) context);
+  return (context != nullptr);
+}
+
+void setOTAReplied(AsyncWebServerRequest *request) {
+  UpdateContext* context = reinterpret_cast<UpdateContext*>(request->_tempObject);
+  if (!context) return;
+  context->replySent = true;
+};
+
+// Returns pointer to error message, or nullptr if OTA was successful.
+std::pair<bool, String> getOTAResult(AsyncWebServerRequest* request) {
+  UpdateContext* context = reinterpret_cast<UpdateContext*>(request->_tempObject);
+  if (!context) return { true, F("OTA context unexpectedly missing") };
+  if (context->replySent) return { false, {} };
+  if (context->errorMessage.length()) return { true, context->errorMessage };
+
+  if (context->updateStarted) {
+    // Release the OTA context now.
+    endOTA(request);
+    if (Update.hasError()) {
+      return { true, Update.UPDATE_ERROR() };
+    } else {
+      return { true, {} };
+    }
+  }
+
+  // Should never happen
+  return { true, F("Internal software failure") };
+}
+
+
+
+void handleOTAData(AsyncWebServerRequest *request, size_t index, uint8_t *data, size_t len, bool isFinal)
+{
+  UpdateContext* context = reinterpret_cast<UpdateContext*>(request->_tempObject);
+  if (!context) return;
+
+  //DEBUG_PRINTF_P(PSTR("HandleOTAData: %d %d %d\n"), index, len, isFinal);
+
+  if (context->replySent || (context->errorMessage.length())) return;
+
+  if (index == 0) {
+    if (!beginOTA(request, context)) return;
+  }
+
+  // Perform validation if we haven't done it yet and we have reached the metadata offset
+  if (!context->releaseCheckPassed && (index+len) > METADATA_OFFSET) {
+    // Current chunk contains the metadata offset
+    size_t availableDataAfterOffset = (index + len) - METADATA_OFFSET;
+
+    DEBUG_PRINTF_P(PSTR("OTA metadata check: %d in buffer, %d received, %d available\n"), context->releaseMetadataBuffer.size(), len, availableDataAfterOffset);
+
+    if (availableDataAfterOffset >= METADATA_SEARCH_RANGE) {
+      // We have enough data to validate, one way or another
+      const uint8_t* search_data = data;
+      size_t search_len = len;
+      
+      // If we have saved data, use that instead
+      if (context->releaseMetadataBuffer.size()) {
+        // Add this data
+        context->releaseMetadataBuffer.insert(context->releaseMetadataBuffer.end(), data, data+len);
+        search_data = context->releaseMetadataBuffer.data();
+        search_len = context->releaseMetadataBuffer.size();
+      }
+
+      // Do the checking
+      char errorMessage[128];
+      bool OTA_ok = validateOTA(search_data, search_len, errorMessage, sizeof(errorMessage));
+      
+      // Release buffer if there was one
+      context->releaseMetadataBuffer = decltype(context->releaseMetadataBuffer){};
+      
+      if (!OTA_ok) {
+        DEBUG_PRINTF_P(PSTR("OTA declined: %s\n"), errorMessage);
+        context->errorMessage = errorMessage;
+        context->errorMessage += F(" Enable 'Ignore firmware validation' to proceed anyway.");
+        return;
+      } else {
+        DEBUG_PRINTLN(F("OTA allowed: Release compatibility check passed"));
+        context->releaseCheckPassed = true;
+      }        
+    } else {
+      // Store the data we just got for next pass
+      context->releaseMetadataBuffer.insert(context->releaseMetadataBuffer.end(), data, data+len);
+    }
+  }
+
+  // Check if validation was still pending (shouldn't happen normally)
+  // This is done before writing the last chunk, so endOTA can abort 
+  if (isFinal && !context->releaseCheckPassed) {
+    DEBUG_PRINTLN(F("OTA failed: Validation never completed"));
+    // Don't write the last chunk to the updater: this will trip an error later
+    context->errorMessage = F("Release check data never arrived?");
+    return;
+  }
+
+  // Write chunk data to OTA update (only if release check passed or still pending)
+  if (!Update.hasError()) {
+    if (Update.write(data, len) != len) {
+      DEBUG_PRINTF_P(PSTR("OTA write failed on chunk %zu: %s\n"), index, Update.UPDATE_ERROR());
+    }
+  }
+
+  if(isFinal) {
+    DEBUG_PRINTLN(F("OTA Update End"));
+    // Upload complete
+    context->uploadComplete = true;
+  }
+}

wled00/ota_update.h

@@ -0,0 +1,52 @@
+//  WLED OTA update interface
+
+#include <Arduino.h>
+#ifdef ESP8266
+  #include <Updater.h>
+#else
+   #include <Update.h>
+#endif
+
+#pragma once
+
+// Platform-specific metadata locations
+#ifdef ESP32
+#define BUILD_METADATA_SECTION ".rodata_custom_desc"
+#elif defined(ESP8266)
+#define BUILD_METADATA_SECTION ".ver_number"
+#endif
+
+
+class AsyncWebServerRequest;
+
+/**
+ *  Create an OTA context object on an AsyncWebServerRequest
+ * @param request Pointer to web request object
+ * @return true if allocation was successful, false if not
+ */
+bool initOTA(AsyncWebServerRequest *request);
+
+/**
+ *  Indicate to the OTA subsystem that a reply has already been generated
+ * @param request Pointer to web request object
+ */
+void setOTAReplied(AsyncWebServerRequest *request);
+
+/**
+ *  Retrieve the OTA result.
+ * @param request Pointer to web request object
+ * @return bool indicating if a reply is necessary; string with error message if the update failed.
+ */
+std::pair<bool, String> getOTAResult(AsyncWebServerRequest *request);
+
+/**
+ *  Process a block of OTA data.  This is a passthrough of an ArUploadHandlerFunction.
+ * Requires that initOTA be called on the handler object before any work will be done.
+ * @param request Pointer to web request object
+ * @param index Offset in to uploaded file
+ * @param data New data bytes
+ * @param len Length of new data bytes
+ * @param isFinal Indicates that this is the last block
+ * @return bool indicating if a reply is necessary; string with error message if the update failed.
+ */
+void handleOTAData(AsyncWebServerRequest *request, size_t index, uint8_t *data, size_t len, bool isFinal);