This firmware is intended to run on a NodeMCU with a relatively recent version of Arduino and the corresponding ESP8266 core with BearSSL support (introduced in 2.4.2).

It can be used against any server implementing the ESPhttpUpdate "protocol" from the Arduino ESP8266 project. This template is developed against the esp-ota-update-server written in Python, which sits behind an nginx web server that provides TLS 1.2 encryption.

It also uses tzapu's WiFiManager to avoid exposing WiFi access credentials in publicly hosted firmware binaries.

The CA certificate store needs to be fetched and generated at the initial setup. You can either use the ESP8266 core's script to fetch the whole Mozilla database (not tested) or create your own store which only trusts certain CAs. For my use, I rely on certificates issued by https://letsencrypt.org. To extract their CA certificate you can run openssl against the domain which will host the firmware later on. I use letsencrypt.org here as an example since it works too:

```sh
openssl s_client -showcerts -servername letsencrypt.org -connect letsencrypt.org:443 </dev/null
```

Grab the corresponding CA certificate from the printed chain and paste it into a text file. I used le_x3_11_2018.pem.

```sh
openssl x509 -in le_x3_11_2018.pem -inform PEM -outform DER -out data/ca_le.der
ar q data/certs.ar data/ca_le.der
```

The firmware will check on boot-up whether at least one CA is uploaded and will report the number over serial. The WiFiManager will only start up if a password for its configuration WLAN is supplied. Again, to avoid leakage through publicly hosted binaries, this password is stored out-of-band in the ESP's SPIFFS flash storage and needs to be uploaded over USB once.

Make sure not to include extra trailing characters (such as a newline), since the firmware reads this file byte by byte:

```sh
echo -n "ChangeMe!2§" > data/config_password.txt
```
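Before uploading the two files to SPIFFS it is worth checking them on the host. The following is an added example, not code from this repository: it walks the `ar` archive layout that `ar q data/certs.ar ...` produces (the format the BearSSL CertStore loads) and counts the CA members, and it rejects a config_password.txt that ends in a stray newline or whitespace byte. The `ar_member` and `sample_cert_store` helpers are hypothetical and only build constructed sample input in memory.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>

// One member of a common "ar" archive, the layout `ar q data/certs.ar ...` writes; hypothetical helper.
std::vector<uint8_t> ar_member(const std::string& name, const std::vector<uint8_t>& data) {
    char hdr[61];  // 16 name, 12 mtime, 6 uid, 6 gid, 8 mode, 10 size, then "`\n"
    std::snprintf(hdr, sizeof hdr, "%-16s%-12s%-6s%-6s%-8s%-10zu`\n",
                  (name + "/").c_str(), "0", "0", "0", "100644", data.size());
    std::vector<uint8_t> out(hdr, hdr + 60);
    out.insert(out.end(), data.begin(), data.end());
    if (data.size() & 1) out.push_back('\n');  // members are 2-byte aligned
    return out;
}

// Constructed sample store with two stand-in blobs; these are not real DER certificates.
std::vector<uint8_t> sample_cert_store() {
    std::vector<uint8_t> ar = {'!', '<', 'a', 'r', 'c', 'h', '>', '\n'};  // archive magic
    for (const auto& m : {ar_member("ca_le.der", {0x30, 0x82, 0x01, 0x02, 0x00}),
                          ar_member("ca_other.der", {0x30, 0x82, 0x02, 0x00})})
        ar.insert(ar.end(), m.begin(), m.end());
    return ar;
}

// Walk certs.ar header by header and count the certificate members; -1 if malformed.
int count_cert_store_members(const std::vector<uint8_t>& ar) {
    if (ar.size() < 8 || std::memcmp(ar.data(), "!<arch>\n", 8) != 0) return -1;
    size_t pos = 8;
    int members = 0;
    while (pos < ar.size()) {
        if (ar.size() - pos < 60) return -1;                // truncated header
        const char* hdr = reinterpret_cast<const char*>(ar.data() + pos);
        if (hdr[58] != '`' || hdr[59] != '\n') return -1;  // bad header terminator
        unsigned long size = std::strtoul(std::string(hdr + 48, 10).c_str(), nullptr, 10);  // decimal size field
        pos += 60;
        if (size > ar.size() - pos) return -1;              // member runs past end of file
        if (!(hdr[0] == '/' && (hdr[1] == '/' || hdr[1] == ' '))) ++members;  // skip GNU name/symbol tables
        pos += size + (size & 1);                           // data is padded to even length
    }
    return members;
}

// config_password.txt is read byte by byte, so a trailing newline or space would join the password.
int check_password_file(const std::vector<uint8_t>& contents) {
    if (contents.empty() || std::strchr("\n\r \t", contents.back())) return -1;
    return static_cast<int>(contents.size());  // byte count; a UTF-8 character such as § counts as 2
}
```

To check the real files, read data/certs.ar and data/config_password.txt into a `std::vector<uint8_t>` and pass them to the two functions; the CA count should match what the firmware reports over serial.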