Repository contents:

- data/
- .gitignore
- README.md
- esp-ota-firmware-template.ino
- le_x3_11_2018.pem

README.md

This firmware is intended to run on a NodeMCU with a relatively recent version of the Arduino IDE and the corresponding ESP8266 core with BearSSL support (introduced in core 2.4.2).

It can be used against any server implementing the ESPhttpUpdate “protocol” from the Arduino ESP8266 project. This template is developed against esp-ota-update-server, written in Python, which sits behind an nginx web server that terminates TLS 1.2. The firmware therefore only trusts an update server whose certificate chains to a CA in its own certificate store, which is why that store is built explicitly below.

It also uses tzapu's WiFiManager so that Wi-Fi credentials do not have to be compiled into publicly hosted firmware binaries.

The CA certificate store needs to be fetched and generated at initial setup. You can either use the ESP8266 core's script to fetch the whole Mozilla CA bundle (not tested) or create your own store that trusts only specific CAs. I rely on certificates issued by https://letsencrypt.org. To extract their CA, run openssl s_client against the domain that will later host the firmware; letsencrypt.org is used here as an example since it is served with a Let's Encrypt certificate as well:

openssl s_client -showcerts -servername letsencrypt.org -connect letsencrypt.org:443 </dev/null

`-showcerts` prints the whole chain, leaf first; the issuing CA is the second certificate (the `s:`/`i:` lines above each block tell you which is which). Copy that block, including the BEGIN/END lines, into a text file. I used le_x3_11_2018.pem. Keep in mind that a store trusting a single intermediate has to be refreshed whenever the CA starts signing with a new issuer; if the device cannot fetch an update before that happens, it loses its update channel, so consider adding the root as well.

openssl x509 -in le_x3_11_2018.pem -inform PEM -outform DER -out data/ca_le.der
ar q data/certs.ar data/ca_le.der
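The two steps above (pick the issuing CA out of the `s_client` transcript, convert it to DER, pack it into `certs.ar`) can be done in one go without `ar`, which also shows what the CertStore actually reads. The script below is an added example and not part of this repository or the ESP8266 core. It assumes the store is a plain GNU `ar` archive of DER certificates, which is exactly what `ar q data/certs.ar data/ca_le.der` produces on Linux, and it writes that format directly; the embedded transcript and the two "certificates" in it are constructed placeholders, not real certificates.

```python
"""Build a BearSSL CertStore archive (certs.ar) from a saved
`openssl s_client -showcerts` transcript, without ar or openssl x509.

Added example, not part of esp-ota-firmware-template. Assumption: the
ESP8266 CertStore reads a GNU ar archive of DER certificates, the layout
that `ar q` writes on Linux.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_chain_to_der(text):
    """Return one DER blob per certificate in the transcript, leaf first
    (s_client prints the chain in that order: index 0 is the server cert,
    index 1 its issuer, and so on)."""
    ders = []
    for b64 in PEM_RE.findall(text):
        der = base64.b64decode(re.sub(r"\s+", "", b64))
        if not der.startswith(b"\x30"):        # every X.509 cert is a DER SEQUENCE
            raise ValueError("PEM block does not decode to a DER certificate")
        ders.append(der)
    return ders


def select_ca(chain, depth=1):
    """Pick the certificate to trust: depth 1 is the issuing CA (what the
    README pins); pass depth=2 on a three-cert chain to pin the root."""
    if depth >= len(chain):
        raise ValueError("chain has only %d certificate(s)" % len(chain))
    return chain[depth]


def ar_member(name, data, mtime=0):
    """One GNU ar header (60 bytes) plus body. GNU names carry a trailing
    '/', and bodies are padded to an even length with '\\n'."""
    if len(name) > 15:
        raise ValueError("GNU ar short names are at most 15 characters")
    header = ("%-16s%-12d%-6d%-6d%-8s%-10d`\n"
              % (name + "/", mtime, 0, 0, "100644", len(data))).encode("ascii")
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")


def build_certs_ar(ders):
    """Pack DER certs into an ar archive; members are named ca_<n>.der."""
    archive = b"!<arch>\n"
    for i, der in enumerate(ders):
        archive += ar_member("ca_%d.der" % i, der)
    return archive


def read_certs_ar(blob):
    """Walk the archive the way a CertStore loader does; returns [(name, der)]."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, members = 8, []
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58])
        members.append((name, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size % 2)
    return members


# Constructed placeholders (valid DER framing, NOT real certificates).
LEAF_DER = b"\x30\x06\x13\x04leaf"      # 8 bytes
ISSUER_DER = b"\x30\x05\x13\x03ca!"     # 7 bytes, odd, to exercise ar padding


def _pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % "\n".join(lines)


# Constructed s_client -showcerts transcript in the shape openssl prints.
SAMPLE_TRANSCRIPT = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = firmware.example
   i:CN = Example Intermediate CA
%s
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
%s
---
""" % (_pem(LEAF_DER), _pem(ISSUER_DER))


if __name__ == "__main__":
    import sys
    # usage: python make_certstore.py [saved_s_client_output] [out.ar]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRANSCRIPT
    out = sys.argv[2] if len(sys.argv) > 2 else "certs.ar"
    ca = select_ca(pem_chain_to_der(text))
    with open(out, "wb") as f:
        f.write(build_certs_ar([ca]))
    print("wrote %s with %d certificate(s)" % (out, len(read_certs_ar(open(out, "rb").read()))))
```

Save the `openssl s_client -showcerts ... </dev/null` output to a file and pass it as the first argument; the resulting archive is byte-for-byte what `ar q` would have produced (with a zero timestamp) and can be dropped into `data/` in place of the one built above. Pass several DER blobs to `build_certs_ar` if you want the intermediate and the root in the same store.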

On boot the firmware checks that at least one CA is present in the store and reports the count over serial. WiFiManager only starts if a password for its configuration WLAN is supplied; again, to avoid leaking it through publicly hosted binaries, this password is kept out of the firmware image in the ESP's SPIFFS flash storage and has to be uploaded over USB once.

Make sure the file contains no trailing newline or other extra characters, since the firmware reads it byte by byte and compares it as-is (note that a non-ASCII character such as § is two bytes in UTF-8, so the password must match byte for byte, not character for character):

echo -n "ChangeMe!2§" > data/config_password.txt

If your shell's echo does not understand -n, `printf '%s' 'ChangeMe!2§' > data/config_password.txt` is the portable equivalent; check the result with `xxd data/config_password.txt` before uploading.