How to verify esp32 OTA downloaded image using it's own elf hash 256?

Asanga
Posts: 7
Joined: Mon Apr 29, 2024 12:58 am

How to verify esp32 OTA downloaded image using it's own elf hash 256?

Postby Asanga » Mon Apr 29, 2024 1:57 am

Hi,

I am using OTA to update ESP32. I can verify the image before downloading by checking it's image header information such as version number, app name, etc. Once finishing the ota download, I got image hash256 using following function.

esp_app_desc_t app_info;
esp_ota_get_partition_description(partition, &app_info)
esp_partition_get_sha256(partition, sha_256);

Then I compared it with image header app_info.app_elf_sha256 and got no matching.

Does any body know verify downloaded image using it's app header has256 information?

Thanks.

eriksl
Posts: 116
Joined: Thu Dec 14, 2023 3:23 pm
Location: Netherlands

Re: How to verify esp32 OTA downloaded image using it's own elf hash 256?

Postby eriksl » Mon May 20, 2024 10:02 am

This is not very well documented but it seems to be that the image has a SHA256 checksum appended (32 bytes), which is not part of the data when the checksum is calculated (which, if you think about it, is not that strange).

So if you want to compare the checksum of the file that was uploaded with the result of this function, you need to chop off the last 32 bytes of the file and calculate the SHA256 checksum from the remaining data. The result should be the same as the 32 bytes you chopped off.

Asanga
Posts: 7
Joined: Mon Apr 29, 2024 12:58 am

Re: How to verify esp32 OTA downloaded image using it's own elf hash 256?

Postby Asanga » Wed May 22, 2024 11:15 pm

Thanks eriksl.

I found the function which extract SHA-256 from app image and does the job. It is
  1. esp_err_t bootloader_common_get_sha256_of_partition (uint32_t address, uint32_t size, int type, uint8_t *out_sha_256)
and located in "..\components\bootloader_support\src\bootloader_common.c" file.

eriksl
Posts: 116
Joined: Thu Dec 14, 2023 3:23 pm
Location: Netherlands

Re: How to verify esp32 OTA downloaded image using it's own elf hash 256?

Postby eriksl » Thu May 23, 2024 8:12 am

What's different to the other version?

Asanga
Posts: 7
Joined: Mon Apr 29, 2024 12:58 am

Re: How to verify esp32 OTA downloaded image using it's own elf hash 256?

Postby Asanga » Thu May 23, 2024 10:46 pm

I am not getting the question? What versions? Are asking about idf versions?

eriksl
Posts: 116
Joined: Thu Dec 14, 2023 3:23 pm
Location: Netherlands

Re: How to verify esp32 OTA downloaded image using it's own elf hash 256?

Postby eriksl » Fri May 24, 2024 7:15 am

The difference between the functions, the "normal" one as documented, and the one you're suggesting here. I can't see it immediately.

Asanga
Posts: 7
Joined: Mon Apr 29, 2024 12:58 am

Re: How to verify esp32 OTA downloaded image using it's own elf hash 256?

Postby Asanga » Mon May 27, 2024 10:48 pm

My bad, I didn't read the document yet :? I think this is explained in there. I should start reading documents.

The idf version I am using is 5.1.2. Thank you for the help.

eriksl
Posts: 116
Joined: Thu Dec 14, 2023 3:23 pm
Location: Netherlands

Re: How to verify esp32 OTA downloaded image using it's own elf hash 256?

Postby eriksl » Tue May 28, 2024 7:05 am

I mean, what is the difference between esp_partition_get_sha256 (which didn't work for you, because it assumes you do not include the SHA-256 checksum bytes (32) themselves into the checksum) and the one you're suggesting: bootloader_common_get_sha256_of_partition. I think the last one is for internal use by IDF code?

Asanga
Posts: 7
Joined: Mon Apr 29, 2024 12:58 am

Re: How to verify esp32 OTA downloaded image using it's own elf hash 256?

Postby Asanga » Tue May 28, 2024 11:10 pm

I forgot to remove last 32bytes of the app during HASH256 manual calculation. Later I realized idf esp_partition_get_sha256() does my job when getting hash of the app with considering return codes.

eriksl
Posts: 116
Joined: Thu Dec 14, 2023 3:23 pm
Location: Netherlands

Re: How to verify esp32 OTA downloaded image using it's own elf hash 256?

Postby eriksl » Wed May 29, 2024 7:03 am

Yes, so the other function (bootloader_common_get_sha256_of_partition) doesn't really add something interesting? Because if it does, I'd like to know ;)

Who is online

Users browsing this forum: No registered users and 123 guests