add release cert support
parent
08d12a7380
commit
16547a133a
|
@ -55,10 +55,18 @@ int main() {
|
|||
SHA_hash(&_app_start[1], len-4, digest);
|
||||
|
||||
// verify RSA signature
|
||||
if (!RSA_verify(&rsa_key, ((void*)&_app_start[0]) + len, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {
|
||||
fail();
|
||||
if (RSA_verify(&release_rsa_key, ((void*)&_app_start[0]) + len, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {
|
||||
goto good;
|
||||
}
|
||||
|
||||
// allow debug cert for now
|
||||
if (RSA_verify(&debug_rsa_key, ((void*)&_app_start[0]) + len, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {
|
||||
goto good;
|
||||
}
|
||||
|
||||
// here is a failure
|
||||
fail();
|
||||
good:
|
||||
// jump to flash
|
||||
((void(*)()) _app_start[1])();
|
||||
return 0;
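Review bot: The debug key is still accepted unconditionally in the block under `// allow debug cert for now`, so an image signed with the debug key boots on every unit and the release key adds no restriction yet. If the debug private key is shared for development, that fallback should be compiled out of production builds, for example by wrapping the `if` in `#ifdef ALLOW_DEBUG` / `#endif` (the macro name is only a suggestion) and defining it for development builds alone. Separately, `fail();` sits directly above the `good:` label, so if `fail()` ever returns, the unverified image is still jumped to; `fail()` is not visible here, so confirm it never returns or add `while (1) {}` after the call. `main` starts before this hunk and closes after it.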
|
||||
|
|
|
@ -38,7 +38,7 @@ obj/gitversion.h:
|
|||
endif
|
||||
|
||||
obj/cert.h: ../crypto/getcertheader.py
|
||||
../crypto/getcertheader.py $(CERT).pub > $@
|
||||
../crypto/getcertheader.py ../certs/debug.pub ../certs/release.pub > $@
|
||||
|
||||
obj/bootstub.$(PROJ_NAME).o: bootstub.c early.h obj/cert.h
|
||||
$(CC) $(CFLAGS) -o $@ -c $<
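Review bot: The `obj/cert.h` rule lists only `../crypto/getcertheader.py` as a prerequisite, so replacing `../certs/debug.pub` or `../certs/release.pub` does not regenerate the header and the boot stub can be built with a stale key. Name the key files in the rule: `obj/cert.h: ../crypto/getcertheader.py ../certs/debug.pub ../certs/release.pub`. The `cert.h:` rule in the ESP Makefile further down has no prerequisites at all and needs the same treatment with `../certs/debugesp.pub ../certs/releaseesp.pub`. Dropping `$(CERT)` also removes the only way to select a different key set at build time, which deserves a comment next to the rule.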
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
#!/usr/bin/env python
|
||||
import sys
|
||||
import usb1
|
||||
import struct
|
||||
from hexdump import hexdump
|
||||
|
@ -31,9 +32,11 @@ elif stat[4] == "\x09":
|
|||
dostat()
|
||||
hexdump(dev.controlRead(0x21, DFU_GETSTATUS, 0, 0, 6))
|
||||
|
||||
# Read Unprotect
|
||||
#dev.controlWrite(0x21, DFU_DNLOAD, 0, 0, "\x92")
|
||||
#hexdump(dev.controlRead(0x21, DFU_GETSTATUS, 0, 0, 6))
|
||||
if len(sys.argv) > 1 and sys.argv[1] == "--unprotect":
|
||||
# Read Unprotect
|
||||
dev.controlWrite(0x21, DFU_DNLOAD, 0, 0, "\x92")
|
||||
dostat()
|
||||
exit(0)
|
||||
|
||||
# Set Address Pointer
|
||||
dev.controlWrite(0x21, DFU_DNLOAD, 0, 0, "\x21" + struct.pack("I", 0x1fffc000))
|
||||
|
@ -45,6 +48,7 @@ dostat()
|
|||
|
||||
# Dump
|
||||
val = dev.controlRead(0xA1, DFU_UPLOAD, 2, 0, 0x10)
|
||||
print "OLD:",
|
||||
hexdump(val)
|
||||
|
||||
# Abort
|
||||
|
@ -55,10 +59,17 @@ dostat()
|
|||
dev.controlWrite(0x21, DFU_DNLOAD, 0, 0, "\x21" + struct.pack("I", 0x1fffc000))
|
||||
dostat()
|
||||
|
||||
#val = val[0:8] + "\xfe\x7f\x01\x80"*2
|
||||
val = val[0:8] + "\xff\x7f\x00\x80"*2
|
||||
if len(sys.argv) > 1 and sys.argv[1] == "--lock":
|
||||
val = "\xef\xaa\x10\x55"*2 + "\xfe\x7f\x01\x80"*2
|
||||
else:
|
||||
val = "\xef\xaa\x10\x55"*2 + "\xff\x7f\x00\x80"*2
|
||||
print "NEW:",
|
||||
hexdump(val)
|
||||
|
||||
# Program
|
||||
dev.controlWrite(0x21, DFU_DNLOAD, 2, 0, val)
|
||||
dostat()
|
||||
|
||||
# triggers reboot
|
||||
dat = dev.controlRead(0x21, DFU_GETSTATUS, 0, 0, 6)
|
||||
hexdump(dat)
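Review bot: Any first argument other than the exact string `--lock` falls into the `else:` branch and programs the `"\xff\x7f\x00\x80"*2` value, so a mistyped flag silently writes the non-locked option bytes. Reject unknown arguments before touching the device, e.g. `if len(sys.argv) > 1 and sys.argv[1] not in ("--unprotect", "--lock"): sys.exit("unknown option")`. The new value also replaces `val[0:8]` with the constant `"\xef\xaa\x10\x55"*2`, so whatever the device reported in those eight bytes is overwritten instead of preserved. A comment stating what that constant encodes, and why it is safe to force, would help anyone running this against a board in a different state.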
|
||||
|
||||
|
|
|
@ -22,7 +22,7 @@ proxy: proxy.o tcp_ota.o
|
|||
proxy.o: proxy.c
|
||||
|
||||
cert.h:
|
||||
../crypto/getcertheader.py $(CERT).pub > cert.h
|
||||
../crypto/getcertheader.py ../certs/debugesp.pub ../certs/releaseesp.pub > cert.h
|
||||
|
||||
tcp_ota.o: tcp_ota.c cert.h
|
||||
|
||||
|
|
|
@ -322,7 +322,7 @@ LOCAL void ICACHE_FLASH_ATTR ota_rx_cb(void *arg, char *data, uint16_t len) {
|
|||
os_sprintf(buf, "%d: %02x %02x %02x %02x", ota_firmware_size-RSANUMBYTES, digest[0], digest[1], digest[2], digest[3]);
|
||||
espconn_send(conn, buf, strlen(buf));*/
|
||||
|
||||
if (!RSA_verify(&rsa_key, rsa, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {
|
||||
if (!RSA_verify(&debugesp_rsa_key, rsa, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {
|
||||
espconn_send(conn, "Signature check FAILED. OTA fail.......\r\n", 41);
|
||||
} else {
|
||||
// We've flashed all of the firmware now, reboot into the new firmware.
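Review bot: The OTA check now trusts only `debugesp_rsa_key`; `releaseesp_rsa_key` (the name getcertheader.py derives from `releaseesp.pub`, which this commit adds to `cert.h`) is never consulted. Release-signed images are therefore rejected and the debug key is the sole trust anchor for over-the-air updates. If that is not intended, verify against the release key first: `if (!RSA_verify(&releaseesp_rsa_key, rsa, RSANUMBYTES, digest, SHA_DIGEST_SIZE) && !RSA_verify(&debugesp_rsa_key, rsa, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {`. As in the boot stub, acceptance of the debug key should be something a production build can leave out. `ota_rx_cb` begins and ends outside this hunk.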
|
||||
|
|
|
@ -29,15 +29,18 @@ def to_c_uint32(x):
|
|||
x /= (2**32)
|
||||
return "{"+'U,'.join(map(str, nums))+"U}"
|
||||
|
||||
rsa = RSA.importKey(open(sys.argv[1]).read())
|
||||
rr = pow(2**1024, 2, rsa.n)
|
||||
n0inv = 2**32 - modinv(rsa.n, 2**32)
|
||||
for fn in sys.argv[1:]:
|
||||
rsa = RSA.importKey(open(fn).read())
|
||||
rr = pow(2**1024, 2, rsa.n)
|
||||
n0inv = 2**32 - modinv(rsa.n, 2**32)
|
||||
|
||||
print 'RSAPublicKey rsa_key = {.len = 0x20,'
|
||||
print ' .n0inv = %dU,' % n0inv
|
||||
print ' .n = %s,' % to_c_uint32(rsa.n)
|
||||
print ' .rr = %s,' % to_c_uint32(rr)
|
||||
print ' .exponent = %d,' % rsa.e
|
||||
print '};'
|
||||
cname = fn.split("/")[-1].split(".")[0] + "_rsa_key"
|
||||
|
||||
print 'RSAPublicKey '+cname+' = {.len = 0x20,'
|
||||
print ' .n0inv = %dU,' % n0inv
|
||||
print ' .n = %s,' % to_c_uint32(rsa.n)
|
||||
print ' .rr = %s,' % to_c_uint32(rr)
|
||||
print ' .exponent = %d,' % rsa.e
|
||||
print '};'
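Review bot: `cname` is derived from the file name with no validation, so the C symbol the firmware uses as a trust anchor depends on how a `.pub` file is named, and a name containing `-` or starting with a digit produces a header that fails to compile with no hint of the cause. Check it before printing, e.g. `assert re.match(r'^[A-Za-z_]\w*$', cname), fn` (needs `import re`). The loop also keeps the hard-coded `.len = 0x20` and `2**1024`, so a key of another size would presumably emit inconsistent constants; `assert rsa.n.bit_length() == 1024, fn` would make that assumption explicit.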
|
||||
|
||||
|
||||
|
|