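#!/usr/bin/env python3
#
# SonOTA - Flashing Sonoff devices with custom firmware via orig OTA mechanism
# Copyright (C) 2017 Mirko Vogt <sonota@nanl.de>
#
# This file is part of SonOTA.
#
# SonOTA is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# SonOTA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with SonOTA. If not, see <http://www.gnu.org/licenses/>.

import argparse
import json
import logging
import os
import sys
import threading
import _thread
import ssl
from datetime import datetime
from hashlib import sha256
from httplib2 import Http
from socket import error as socket_error
from time import sleep, time
from uuid import uuid4

import netifaces
# using tornado as it provides support for websockets
import tornado.httpserver
import tornado.ioloop
import tornado.web
import tornado.websocket
from tornado import gen

# the original bootloader expects so called v2 images which start with the
# magic byte 0xEA instead of the Arduino ones (v1) starting with 0xE9
# we can convert the ELF binaries into v2 images with an undocumented
# '--version' switch to elf2image using esptool.py, e.g.:
# esptool.py elf2image --version 2 /tmp/arduino_build_XXXXXX/sonoff.ino.elf

DEFAULT_PORT_HTTPS = 8443
DEFAULT_PORT_HTTP = 8080

upgrade_file_user1 = "image_user1-0x01000.bin"
upgrade_file_user2 = "image_user2-0x81000.bin"
arduino_file = "image_arduino.bin"

# Everything is logged at DEBUG level twice: plainly to the console and, with
# timestamps, to a debug_<epoch>.log file in the current working directory.
# Only a top-level "password" key is masked (see logjson); everything else
# the device sends ends up in that file verbatim.
rootlog = logging.getLogger()
rootlog.setLevel(logging.DEBUG)

ch = logging.StreamHandler()
ch.setLevel(logging.DEBUG)
ch.setFormatter(logging.Formatter('%(message)s'))
rootlog.addHandler(ch)

ch = logging.FileHandler('debug_%d.log' % (time(),))
ch.setLevel(logging.DEBUG)
ch.setFormatter(logging.Formatter('%(asctime)s: %(levelname)s: %(message)s'))
rootlog.addHandler(ch)

log = logging.getLogger(__name__)


def logmulti(msg):
    """Log every non-blank line of *msg* at DEBUG level.

    No redaction happens here; the WiFi password is masked by logjson()
    before the text reaches this function.
    """
    for line in msg.split('\n'):
        if line.strip():
            log.debug(line)


def logjson(data, outbound=True):
    """Pretty-print *data* as JSON to the debug log, masking the password.

    Args:
        data: JSON-serialisable object, normally a dict.
        outbound: True for data we send ('>>'), False for data received
            ('<<').
    """
    direction = '>>' if outbound else '<<'
    # Only dicts carry a "password" key; a JSON list or string sent by the
    # device must not be fed to dict().
    if isinstance(data, dict) and 'password' in data:
        # Don't update original dict
        data = dict(data)
        data['password'] = '*' * len(data['password'])
    logmulti("{} {}".format(direction, json.dumps(data, indent=4)))


# -----

# A horrible hack to track what has been downloaded in tornado so we don't
# exit early
seenfiles = []

parser = argparse.ArgumentParser()
parser.add_argument(
    "--serving-host",
    help="The host's ip address which will handle the HTTP(S)/WebSocket "
         "requests initiated by the device. "
         "Normally the ip address of the WiFi interface of the machine this "
         "script is running on.")
parser.add_argument(
    "--no-prov",
    help="Do not provision the device with WiFi credentials. "
         "Only use if your device is already configured (Not recommended, "
         "but useful if doing DNS spoofing).",
    action="store_true")
parser.add_argument(
    "--wifi-ssid",
    help="The ESSID of the WiFi network the device should eventually "
         "connect to.")
parser.add_argument(
    "--wifi-password",
    help="The password of the WiFi (WPA/WPA2) "
         "network the device should eventually connect to.")
parser.add_argument(
    "--no-check-ip",
    help="Do not check for correct network settings "
         "applied on your interface(s).",
    action="store_true")
parser.add_argument(
    "--legacy", action="store_true",
    help="Enable legacy mode for devices with older firmware "
         "(requires root permission)")
parser.add_argument(
    "-s", "--slowstream", action="store_true",
    help="Serve files slowly, use if getting 404 errors")
args = parser.parse_args()

if args.legacy:
    # requires root permission
    DEFAULT_PORT_HTTPS = 443

if args.no_prov and (args.wifi_ssid or args.wifi_password):
    parser.error(
        "arguments --no-prov and --wifi-ssid | --wifi-password are mutually exclusive")
if (args.wifi_ssid or args.wifi_password) and not (args.wifi_ssid and args.wifi_password):
    parser.error(
        "arguments --wifi-ssid and --wifi-password must always occur together")


class OTAUpdate(tornado.web.StaticFileHandler):
    """Static file handler for /ota/ that records every file it serves."""

    def should_return_304(self):
        """Used as a hook to get the retrieved URLs, never allow caching.

        Returns:
            Always False, so the file body is sent in full every time.
        """
        log.debug("Sending file: %s" % self.request.path)
        seenfiles.append(os.path.basename(str(self.request.path)))
        return False


class SlowOTAUpdate(tornado.web.RequestHandler):
    """Handler for /slowota/ that trickles a firmware image to the device."""

    @gen.coroutine
    def get(self, path):
        """Stream static/<path> in small, delayed chunks.

        Args:
            path: part of the URL after /slowota/, taken from the request.

        Raises:
            tornado.web.HTTPError: 404 when *path* does not name a regular
                file inside the static directory.
        """
        log.debug("Slow Sending file: %s (This may take several minutes)" % self.request.path)

        # *path* comes straight from the request line, so resolve it and make
        # sure it stays inside the static directory ("../" or an absolute path
        # would otherwise be opened as-is). resource_path() is the same base
        # that checkargs(), the /ota/ handler and the digest computation use.
        static_root = os.path.abspath(resource_path("static"))
        requested = os.path.abspath(os.path.join(static_root, path))
        if not requested.startswith(static_root + os.sep) or not os.path.isfile(requested):
            raise tornado.web.HTTPError(404)

        # Only files that are actually served count as "seen" for stage3().
        seenfiles.append(os.path.basename(str(self.request.path)))

        with open(requested, 'rb') as f:
            length = os.fstat(f.fileno()).st_size
            self.set_header('Content-Length', str(length))
            self.set_header('X-Powered-By', 'Express')
            self.set_header('Transfer-Encoding', '')
            self.set_header('Content-Disposition', 'attachment; filename="{}"'.format(path))
            self.set_header('Accept-Ranges', 'bytes')
            self.set_header('Cache-Control', 'public, max-age=0')
            self.set_header('Content-Type', 'application/octet-stream')

            # A tiny first chunk followed by a longer pause, then steady
            # 1400-byte chunks every 0.3 s.
            self.write(f.read(10))
            yield self.flush()
            yield gen.sleep(0.9)

            while True:
                chunk = f.read(1400)
                if not chunk:
                    break
                self.write(chunk)
                yield self.flush()
                print(" {}% ".format(int(f.tell()*100/length)), end="\r", flush=True)
                yield gen.sleep(0.3)


class DispatchDevice(tornado.web.RequestHandler):
    """Answers the device's initial dispatch POST."""

    def post(self):
        """Tell the device which host and port to open its WebSocket to.

        Raises:
            ValueError: if no serving host has been configured.
        """
        # telling device where to connect to in order to establish a WebSocket
        # channel
        # as the initial request goes to port 443 anyway, we will just continue
        # on this port
        log.debug("<< HTTP POST %s" % self.request.path)
        if not args.serving_host:
            raise ValueError('args.serving_host is required')
        data = {
            "error": 0,
            "reason": "ok",
            "IP": args.serving_host,
            "port": DEFAULT_PORT_HTTPS
        }
        log.debug(">> %s" % self.request.path)
        logjson(data)
        self.write(data)
        self.finish()


class WebSocketHandler(tornado.websocket.WebSocketHandler):
    """Drives one device through register, relay test and upgrade request."""

    def open(self, *args):
        """Initialise the per-connection state."""
        log.debug("<< WEBSOCKET OPEN")
        # the device expects the server to generate and consistently provide
        # an API key which equals the UUID format
        # it *must not* be the same apikey which the device uses in its
        # requests
        self.uuid = str(uuid4())
        self.setup_completed = False
        self.test = False
        self.upgrade = False
        self.stream.set_nodelay(True)
        self.device_model = "ITA-GZ1-GL"

    def _reply(self, data):
        """Log *data* and send it to the device."""
        logjson(data)
        self.write_message(data)

    def _ack(self, dct, **extra):
        """Build the acknowledgement for device request *dct*.

        The key order (error, deviceid, apikey, extras) is the order the
        replies are serialised in.
        """
        data = {
            "error": 0,
            "deviceid": dct['deviceid'],
            "apikey": self.uuid
        }
        data.update(extra)
        return data

    def _switch_request(self, dct, state):
        """Build an "update" request setting the relay to *state*."""
        return {
            "action": "update",
            "deviceid": dct['deviceid'],
            "apikey": self.uuid,
            "userAgent": "app",
            "sequence": str(int(time() * 1000)),
            "ts": 0,
            "params": {
                "switch": state
            },
            "from": "hackepeter"
        }

    def on_message(self, message):
        """Handle one JSON message from the device.

        Action requests are acknowledged; once the device has sent "update"
        the relay is toggled a few times and the upgrade request carrying the
        two image URLs and their sha256 digests is sent.

        Args:
            message: JSON text received on the WebSocket.

        Raises:
            ValueError: if no serving host has been configured.
        """
        log.debug("<< WEBSOCKET INPUT")
        dct = json.loads(message)
        logjson(dct, False)

        if "action" in dct:
            log.debug("~~~ device sent action request, acknowledging / answering...")
            action = dct['action']
            if action == "register":
                # ITA-GZ1-GL, PSC-B01-GL, etc.
                if "model" in dct and dct["model"]:
                    self.device_model = dct["model"]
                    log.info("We are dealing with a {} model.".format(self.device_model))
                log.debug("~~~~ register")
                self._reply(self._ack(dct, config={"hb": 1, "hbInterval": 145}))
            if action == "date":
                log.debug("~~~~ date")
                # NOTE(review): this is local time with a 'Z' suffix, as
                # before. timespec keeps the millisecond field even when the
                # microsecond part is 0 (slicing the string then cut into the
                # seconds).
                stamp = datetime.today().isoformat(timespec='milliseconds') + 'Z'
                self._reply(self._ack(dct, date=stamp))
            if action == "query":
                log.debug("~~~~ query")
                self._reply(self._ack(dct, params=0))
            if action == "update":
                log.debug("~~~~ update")
                self._reply(self._ack(dct))
                self.setup_completed = True
        elif "sequence" in dct and "error" in dct:
            log.debug(
                "~~~ device acknowledged our action request (seq {}) "
                "with error code {}".format(
                    dct['sequence'],
                    dct['error']  # 404 here
                )
            )
            if dct['error'] == 404:
                log.error("*************************************************")
                log.error("Received a 404 error, try running with "
                          "'--slowstream' option.")
                log.error("*************************************************")
                log.info("Setting slowstream for following call...")
                args.slowstream = True
                # No second upgrade request on this connection; presumably the
                # slow path takes effect when the device connects again.
                self.upgrade = True
        else:
            # log.warn() is a deprecated alias of log.warning()
            log.warning("## MOEP! Unknown request/answer from device!")

        if self.setup_completed and not self.test:
            # switching relais on and off - for fun and profit!
            for state in ("off", "on", "off", "on", "off"):
                self._reply(self._switch_request(dct, state))
            self.test = True

        if self.setup_completed and self.test and not self.upgrade:
            hash_user1 = self.getFirmwareHash(
                resource_path(os.path.join("static", upgrade_file_user1)))
            hash_user2 = self.getFirmwareHash(
                resource_path(os.path.join("static", upgrade_file_user2)))

            if not args.serving_host:
                raise ValueError('args.serving_host is required')

            if hash_user1 and hash_user2:
                udir = 'slowota' if args.slowstream else 'ota'
                data = {
                    "action": "upgrade",
                    "deviceid": dct['deviceid'],
                    "apikey": self.uuid,
                    "userAgent": "app",
                    "sequence": str(int(time() * 1000)),
                    "ts": 0,
                    "params": {
                        # the device expects two available images, as the original
                        # firmware splits the flash into two halfs and flashes
                        # the inactive partition (ping-pong).
                        # as we don't know which partition is (in)active, we
                        # provide our custom image as user1 as well as user2.
                        # unfortunately this also means that our firmware image
                        # must not exceed FLASH_SIZE / 2 - (bootloader - spiffs)
                        "binList": [
                            {
                                "downloadUrl": "http://%s:%s/%s/%s" %
                                (args.serving_host, DEFAULT_PORT_HTTP,
                                 udir, upgrade_file_user1),
                                # the device expects and checks the sha256 hash of
                                # the transmitted file
                                "digest": hash_user1,
                                "name": "user1.bin"
                            },
                            {
                                "downloadUrl": "http://%s:%s/%s/%s" %
                                (args.serving_host, DEFAULT_PORT_HTTP,
                                 udir, upgrade_file_user2),
                                # the device expects and checks the sha256 hash of
                                # the transmitted file
                                "digest": hash_user2,
                                "name": "user2.bin"
                            }
                        ],
                        # if `model` is set to sth. else (I tried) the websocket
                        # gets closed in the middle of the JSON transmission
                        "model": self.device_model,
                        # the `version` field doesn't seem to have any effect;
                        # nevertheless set it to a ridiculously high number
                        # to always be newer than the existing firmware
                        "version": "23.42.5"
                    }
                }
                self._reply(data)
                self.upgrade = True

    def on_close(self):
        """Log that the device closed the WebSocket."""
        log.debug("~~ websocket close")

    def getFirmwareHash(self, filePath):
        """Return the hex sha256 digest of *filePath*, or None if unreadable."""
        hash_user = None
        try:
            with open(filePath, "rb") as firmware:
                hash_user = sha256(firmware.read()).hexdigest()
        except IOError as e:
            log.warning(e)
        return hash_user


def make_app():
    """Build the tornado application with the dispatch, WebSocket and OTA routes."""
    apps = [
        # handling initial dispatch HTTPS POST call to eu-disp.coolkit.cc
        (r'/dispatch/device', DispatchDevice),
        # handling actual payload communication on WebSockets
        (r'/api/ws', WebSocketHandler),
        (r'/slowota/(.*)', SlowOTAUpdate),
        (r'/ota/(.*)', OTAUpdate, {'path': resource_path("static/")}),
    ]
    return tornado.web.Application(apps)


def defaultinterface():
    """The interface the default gateway is on, if there is one."""
    try:
        return netifaces.gateways()['default'][netifaces.AF_INET][1]
    except Exception:
        # Best effort: no default IPv4 gateway (or netifaces failed). Not a
        # bare except, so Ctrl-C is not swallowed here.
        return None


lastip4ips = []


def ip4ips():
    """A list of IP4 addresses on this host.

    This will try and return the default gateway first in the list, and will
    strip out localhost addresses automatically.
    """
    global lastip4ips
    ret = []
    defiface = defaultinterface()
    for iface in netifaces.interfaces():
        try:
            addresses = netifaces.ifaddresses(iface)
        except ValueError:
            # You must specify a valid interface name.
            continue
        if netifaces.AF_INET not in addresses:  # python3
            continue
        for afinet in addresses[netifaces.AF_INET]:
            addr = afinet['addr']
            if addr.startswith('127.'):
                continue
            if iface == defiface:
                ret.insert(0, addr)
            else:
                ret.append(addr)
    # Only log when the address set changed, the callers poll this in a loop.
    if ret != lastip4ips:
        log.debug('Current IPs: %s', ret)
    lastip4ips = ret
    return ret


def hassonoffip():
    """True if one of the current system IP's is from the Sonoff"""
    return any(addr.startswith("10.10.7.") for addr in ip4ips())


def hasfinalstageip():
    """True if one of the current system IP's is from the final stage image"""
    return '192.168.4.2' in ip4ips()


def promptforval(msg):
    """Prompt with *msg* until a non-empty value is entered and return it."""
    while True:
        val = input('{}: '.format(msg)).strip()
        if val:
            return val


def resource_path(relative_path):
    """ Get absolute path to resource, works for dev and for PyInstaller """
    try:
        # PyInstaller creates a temp folder and stores path in _MEIPASS
        base_path = sys._MEIPASS
    except Exception:
        base_path = os.path.dirname(sys.argv[0])

    return os.path.join(base_path, relative_path)


def checkargs():
    """Validate the firmware images and complete the runtime configuration.

    Exits with status 1 when an image is missing or too small, when the
    serving host is not one of this machine's addresses, or when the machine
    already sits on a Sonoff/FinalStage network. Missing values are asked for
    interactively.
    """
    # Make sure all of the binary files that are needed are there
    for fn in [arduino_file, upgrade_file_user1, upgrade_file_user2]:
        fn = resource_path(os.path.join('static', fn))
        if not os.path.isfile(fn):
            # %s added: an argument without a placeholder makes logging fail
            # to format the record and the file name is lost.
            log.critical("Required file missing! %s", fn)
            sys.exit(1)
        # The size is all that is needed, no need to read the image.
        if os.path.getsize(fn) < 100000:
            log.critical("Binary file appears too small! %s", fn)
            sys.exit(1)

    if args.no_prov:
        # No further config is needed as things are already configured
        args.no_check_ip = True
        return

    # Get the serving IP
    while not args.serving_host:
        ips = ip4ips()
        print("Select IP address of the WiFi interface:")
        for i, ip in enumerate(ips):
            print(" {}: {}".format(i, ip))
        selection = input('Select IP address [0]: ').strip()
        try:
            args.serving_host = ips[int(selection) if selection else 0]
        except (ValueError, IndexError):
            # Not a number, out of range, or no address available yet:
            # ask again.
            pass

    # Ensure the given IP is actually what is associated with the host
    # and not already on a Sonoff WiFi network.
    if args.serving_host not in ip4ips():
        log.info(
            "** The IP address of <serve_host> ({}) is not assigned to any interface "
            "on this machine.".format(args.serving_host))
        log.info(
            "** Please change WiFi network to {} and make sure {} is "
            "being assigned to your WiFi interface before connecting to the "
            "Sonoff device.".format(args.wifi_ssid, args.serving_host))
        sys.exit(1)

    if hasfinalstageip() or hassonoffip():
        log.critical('It looks like you are already on a Sonoff/Final stage WiFi '
                     'network, please change to your normal WiFi network. If this '
                     'has already been done, you may need to modify the IP range of '
                     'your LAN to use this tool safely. If this is what you intended '
                     'run again with --no-prov to skip this step.')
        sys.exit(1)

    # Check there is a WiFi config
    if not args.wifi_ssid:
        args.wifi_ssid = promptforval("WiFi SSID")
    if not args.wifi_password:
        args.wifi_password = promptforval("WiFi Password")

    print()
    log.info('Using the following configuration:')
    log.info('\tServer IP Address: ' + args.serving_host)
    log.info('\tWiFi SSID: ' + args.wifi_ssid)
    log.info('\tWiFi Password: ' + '*' * len(args.wifi_password))


def stage1():
    """Accept the Sonoff WebSocket connection, and configure it."""
    if not args.no_check_ip:
        conn_attempt = 0
        # fuzzy-check if machine is connected to ITEAD AP
        while True:
            conn_attempt += 1
            if hasfinalstageip():
                log.info("Appear to have connected to the final stage IP, "
                         "moving to next stage.")
                return
            if hassonoffip():
                break
            if conn_attempt == 1:
                log.info("** Now connect via WiFi to your Sonoff device.")
                log.info("** Please change into the ITEAD WiFi "
                         "network (ITEAD-100001XXXX). The default password "
                         "is 12345678.")
                log.info("To reset the Sonoff to defaults, press "
                         "the button for 7 seconds and the light will "
                         "start flashing rapidly.")
                log.info("** This application should be kept running "
                         "and will wait until connected to the Sonoff...")
            sleep(2)
            print(".", end="", flush=True)

    http = Http(timeout=2)

    log.debug("~~ Connection attempt")
    # Retry until the device's setup web server answers.
    while True:
        log.debug(">> HTTP GET /10.10.7.1/device")
        try:
            resp, cont = http.request("http://10.10.7.1/device", "GET")
            break
        except socket_error as e:
            log.debug(e)
            continue

    dct = json.loads(cont.decode('utf-8'))
    logjson(dct, False)

    if not args.serving_host:
        raise ValueError('args.serving_host is required')

    # The WiFi credentials go to the device over plain HTTP on its own setup
    # network; logjson() masks the password in the log.
    data = {
        "version": 4,
        "ssid": args.wifi_ssid,
        "password": args.wifi_password,
        "serverName": args.serving_host,
        "port": DEFAULT_PORT_HTTPS
    }

    log.debug(">> HTTP POST /10.10.7.1/ap")
    logjson(data)
    resp, cont = http.request(
        "http://10.10.7.1/ap", "POST", json.dumps(data))
    dct = json.loads(cont.decode('utf-8'))
    logjson(dct, False)

    log.info("~~ Provisioning completed")


def stage2():
    """Start the HTTP/HTTPS servers and run the tornado loop until interrupted."""
    log.info("Starting stage2...")

    app = make_app()

    if not args.no_check_ip:
        conn_attempt = 0
        # check if machine has <args.serving_host> being assigned on any iface
        while True:
            conn_attempt += 1
            if args.serving_host in ip4ips():
                break
            if conn_attempt == 1:
                log.info("** The IP address of <serve_host> ({}) is not assigned "
                         "to any interface on this machine.".format(args.serving_host))
                log.info(
                    "** Please change WiFi network to {} and make sure {} is "
                    "being assigned to your WiFi interface.".format(
                        args.wifi_ssid, args.serving_host))
                log.info("** This application should be kept running "
                         "and will wait until connected to the WiFi...")
            sleep(2)
            print(".", end="", flush=True)

    log.info("~~ Starting web server (HTTP port: %s, HTTPS port %s)" % (
        DEFAULT_PORT_HTTP, DEFAULT_PORT_HTTPS))

    # Ensure ProactorEventLoop not used on windows (not yet release in latest tornado)
    # https://github.com/python/pyperformance/pull/65/files
    if sys.platform == 'win32' and sys.version_info[:2] == (3, 8):
        import asyncio
        asyncio.set_event_loop_policy(asyncio.WindowsSelectorEventLoopPolicy())

    if args.legacy:
        old = make_app()
        # listening on port 8081 for serving upgrade files for older devices
        old.listen(8081)

    # listening on port 8080 for serving upgrade files
    app.listen(DEFAULT_PORT_HTTP)

    # NOTE(review): TLS 1.1 is deprecated and recent OpenSSL builds may refuse
    # it at their default security level. It is pinned here presumably because
    # the stock firmware cannot negotiate anything newer - confirm before
    # changing. The certificate and key are read from the tool's own ssl/
    # directory.
    app_ssl = tornado.httpserver.HTTPServer(app, ssl_options={
        "certfile": resource_path("ssl/server.crt"),
        "keyfile": resource_path("ssl/server.key"),
        "ssl_version": ssl.PROTOCOL_TLSv1_1,
    })
    # listening on HTTPS port to catch initial POST request to eu-disp.coolkit.cc
    app_ssl.listen(DEFAULT_PORT_HTTPS)

    log.info("~~ Waiting for device to connect")

    stage3thread = threading.Thread(target=stage3, daemon=True)
    stage3thread.start()

    tornado.ioloop.IOLoop.instance().start()


def stage3():
    """This is just a thread to provide feedback to the user."""
    count = 0
    while not hasfinalstageip():
        if count % 30 == 0:
            print()
            log.info("*** IMPORTANT! ***")
            log.info("** AFTER the first download is COMPLETE, with in a minute or so "
                     'you should connect to the new SSID "FinalStage" to finish the process.')
            log.info('** ONLY disconnect when the new "FinalStage" SSID is visible '
                     'as an available WiFi network.')
            log.info('This server should automatically be allocated the IP address: '
                     '192.168.4.2.')
            log.info('If you have successfully connected to "FinalStage" and this is '
                     'not the IP Address you were allocated, please ensure no other '
                     'device has connected, and reboot your Sonoff.')
        count += 1
        sleep(2)
        print(".", end="", flush=True)

    count = 0
    while True:
        if not hasfinalstageip():
            if 'image_arduino.bin' in seenfiles:
                # The arduino image has been downloaded, exit
                break
            print()
            print()
            log.info('It appears we have been disconnected from the '
                     '"FinalStage" SSID, however the final image has not been '
                     'downloaded. Reconnect to "FinalStage" when it returns to '
                     'continue the process (this may require a power cycle of '
                     'your Sonoff device)...')
            print()
            while not hasfinalstageip():
                print(".", end="", flush=True)
                sleep(2)
        if count % 30 == 0:
            print()
            print()
            log.info('The "FinalStage" SSID will disappear when the device has been '
                     'fully flashed and image_arduino.bin has been installed.')
            log.info('If there is no "Sending file: /ota/image_arduino.bin" '
                     'log entry, ensure all firewalls have been COMPLETELY disabled '
                     'on your system.')
        count += 1
        sleep(2)
        print(".", end="", flush=True)

    log.info('No longer on "FinalStage" SSID, all done! Now connect to the '
             'sonoff-#### SSID and configure for your WiFi (it will not be '
             'configured).')
    # Raises KeyboardInterrupt in the main thread, which ends the tornado loop.
    _thread.interrupt_main()


def main():
    """Check the configuration, provision the device and serve the images."""
    checkargs()

    log.info("Platform: %s" % (sys.platform))

    if not args.no_prov:
        stage1()
    stage2()


if __name__ == '__main__':
    try:
        main()
    except (KeyboardInterrupt, SystemExit):
        log.info("Quitting.")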