@lucasssvaz
Member

@lucasssvaz lucasssvaz commented Sep 18, 2025

Description of Change

This pull request updates the espota.py tool to add support for authenticating with devices that use an older, insecure MD5-based challenge/response protocol, improving compatibility with legacy firmware. The main changes include introducing a new --md5-target option, updating the authentication flow to handle both MD5 and SHA256 mechanisms, and adjusting the argument parsing and function signatures accordingly.

It will first try with SHA authentication and if it fails it will try again with MD5 for backwards compatibility.

Authentication protocol updates:

  • Added a new --md5-target (-m) command-line flag to indicate that the target device uses MD5-based authentication, for compatibility with old firmware.
  • Modified the serve function and its call sites to accept an additional md5_target argument, controlling which authentication protocol is used.
  • Updated the authentication logic in serve to:
    • Receive the correct nonce length depending on protocol (37 bytes for MD5, 69 for SHA256).
    • Generate the client nonce and challenge/response using MD5 or SHA256 as appropriate.
    • Expect the correct response length from the device (32 bytes for MD5, 64 for SHA256).

Test Scenarios

Tested with ESP32-C6

Related links

Closes #11855
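
An added example, not code from espota.py or from this PR: a simplified model of the SHA256-first, MD5-fallback exchange described above, with both the client and a stand-in device. Only the 37/69-byte challenge lengths come from the description; the `AUTH ` prefix, the proof formula H(H(password):nonce:cnonce), `ToyDevice` and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Lengths from the PR description: challenge is 37 bytes (MD5) or 69 (SHA256).
# Assumption: that is a 5-byte b"AUTH " prefix plus the hex nonce.
HASHES = {"sha256": hashlib.sha256, "md5": hashlib.md5}
CHALLENGE_LEN = {"sha256": 69, "md5": 37}


def h(proto, text):
    return HASHES[proto](text.encode()).hexdigest()


def parse_challenge(proto, frame):
    """Return the device nonce, rejecting frames that do not fit the protocol."""
    if len(frame) != CHALLENGE_LEN[proto] or not frame.startswith(b"AUTH "):
        raise ValueError("challenge does not match %s framing" % proto)
    nonce = frame[5:].decode("ascii")
    int(nonce, 16)  # ValueError if the nonce is not hex
    return nonce


def prove(proto, password, nonce, cnonce):
    """Assumed proof formula: H(H(password):nonce:cnonce) over hex strings."""
    return h(proto, "%s:%s:%s" % (h(proto, password), nonce, cnonce))


class ToyDevice:
    """Constructed stand-in for firmware that speaks exactly one protocol."""

    def __init__(self, proto, password):
        self.proto, self.password = proto, password
        self.nonce = h(proto, os.urandom(16).hex())

    def challenge(self):
        return b"AUTH " + self.nonce.encode()

    def verify(self, cnonce, proof):
        expected = prove(self.proto, self.password, self.nonce, cnonce)
        return hmac.compare_digest(expected, proof)


def authenticate(device, password, order=("sha256", "md5")):
    """Try each protocol in order; return the one that succeeded, else None."""
    for proto in order:
        try:
            nonce = parse_challenge(proto, device.challenge())
        except ValueError:
            continue  # wrong framing for this protocol, fall back to the next
        cnonce = h(proto, os.urandom(16).hex())
        if device.verify(cnonce, prove(proto, password, nonce, cnonce)):
            return proto
    return None
```

Passing `order=("sha256",)` models a client that refuses the MD5 fallback, which is the setting to use once no legacy firmware remains on the network.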

@lucasssvaz lucasssvaz self-assigned this Sep 18, 2025
@lucasssvaz lucasssvaz added Area: Libraries Issue is related to Library support. Area: Tools & Build System Issue is related to tools and/or the build system labels Sep 18, 2025
@github-actions
Contributor

github-actions bot commented Sep 18, 2025

Messages
📖 🎉 Good Job! All checks are passing!

👋 Hello lucasssvaz, we appreciate your contribution to this project!


📘 Please review the project's Contributions Guide for key guidelines on code, documentation, testing, and more.

🖊️ Please also make sure you have read and signed the Contributor License Agreement for this project.

Click to see more instructions ...


This automated output is generated by the PR linter DangerJS, which checks if your Pull Request meets the project's requirements and helps you fix potential issues.

DangerJS is triggered with each push event to a Pull Request and modifies the contents of this comment.

Please consider the following:
- Danger mainly focuses on the PR structure and formatting and can't understand the meaning behind your code or changes.
- Danger is not a substitute for human code reviews; it's still important to request a code review from your colleagues.
- To manually retry these Danger checks, please navigate to the Actions tab and re-run last Danger workflow.

Review and merge process you can expect ...


We do welcome contributions in the form of bug reports, feature requests and pull requests.

1. An internal issue has been created for the PR, we assign it to the relevant engineer.
2. They review the PR and either approve it or ask you for changes or clarifications.
3. Once the GitHub PR is approved we do the final review, collect approvals from core owners and make sure all the automated tests are passing.
- At this point we may do some adjustments to the proposed change, or extend it by adding tests or documentation.
4. If the change is approved and passes the tests it is merged into the default branch.

Generated by 🚫 dangerJS against 70c2825

@lucasssvaz lucasssvaz marked this pull request as draft September 19, 2025 02:56
@lucasssvaz lucasssvaz marked this pull request as ready for review September 19, 2025 12:30
@lucasssvaz lucasssvaz added the Status: Review needed Issue or PR is awaiting review label Sep 19, 2025
@me-no-dev
Member

Did you test this with ArduinoOTA example? Given that there are no changes to platform.txt and that you have changed the argument name, it will not work.

@lucasssvaz
Member Author

> Did you test this with ArduinoOTA example? Given that there are no changes to platform.txt and that you have changed the argument name, it will not work.

Yeah, it works fine. As described in the PR, it will first try to use the new authentication and, if it fails, fall back to the old one.

@P-R-O-C-H-Y P-R-O-C-H-Y added Status: Pending Merge Pull Request is ready to be merged and removed Status: Review needed Issue or PR is awaiting review labels Sep 23, 2025
@me-no-dev me-no-dev merged commit b9e597c into master Sep 24, 2025
13 checks passed
@me-no-dev me-no-dev deleted the fix/ota_legacy branch September 24, 2025 10:18

Development

Successfully merging this pull request may close these issues.

OTA upload failes after updated board from 3.3.0 to 3.3.1
