Garage Door Opener – Signing Over-the-Air updates
The garage door opener has been running pretty well for the past couple of months, but I still have some work to do. I haven’t built out the configuration interface yet, and it turns out that if Home Assistant restarts, it forgets the last open state, so without opening and closing the door again, I don’t know the state of the door.
This means I need to update the firmware.
The ESP8266 has facilities to do Over-the-Air (OTA) updates; however, it doesn’t verify that the uploaded binary was compiled by the person the device expects. The easiest way to do this is to create a digest hash of the file and sign it. Then the device can verify the hash and check that the signature matches.
There is an issue to implement this on the ESP8266 GitHub page, so I thought I would have a look at implementing something.
The first step is to be able to compare a hash. I decided to use the AxTLS library, as it has already been used for the SSL encryption on the device. After a Google search, I found this page that outlines how to verify a SHA1 + RSA signature.
I simply pulled the sha1.c file (renamed it sha1.cpp), and created a sha1.h file that defines the functions in the cpp file. Next I created a test file, and hashed it using openssl:
openssl dgst -sha1 -binary -out hash data.txt
I then uploaded the files to the ESP8266 SPIFFS filesystem, and wrote some quick POC code.
The computed hash matches the supplied hash. Step 1 complete!
The next step will be to generate a signed digest, and decrypt that.