Constant updates, skip option

Protoncek · January 26, 2024, 12:20pm

Yes., i know, there’s been done quite a lot regarding BT proxy lately. I do have three proxy nodes around my house (for my 13 xiaomi thermo(hygro sensors), but, no, this one is only esp8266 in a power outlet. So, one switch and one binary sensor (and a few sensors i always have, like wifi signal, IP, uptime…)

orange-assistant · January 26, 2024, 12:42pm

You are aware that they are the same? The esphome dashboard updates is the base for the esphome nodes version and they have the exact same release schedule because of that. That will be one major release per month plus bug fix releases.

So you should still get each and every update notification for the esphome add-on when turning off the esphome dashboard integration which is in charge to check your esphome nodes against the add-on version (and creating the notifications for each of your out of date node).

The esphome dashboard integration

Lucky you it’s not 2021.9 or prior…

still technically not a security bug you might be safer with a more recent version (like 2023.12.0 or later

github.com/esphome/esphome

Security improvement: Support wifi ap_timeout=0s (disable)

esphome:dev ← fornellas:enable_disable_ap_timeout

opened 01:02AM - 04 Dec 23 UTC

fornellas

+1 -1

# What does this implement/fix? In the scenario wher one does: ``` wi…fi: ap: {} captive_portal: ota: ``` There's a security risk: - First boot Captive portals starts up. - User connects to Captive Portal and sets credentials. - Reboot, ESPHome connects to Wifi, all secure. - ESPHome can't connect to Wifi (poor signal quality, credentials changed etc) at any "random" time in the future. - Captive portal starts up. - Any attacker can get 100% control of the device, including uploading a rogue firmware to attack the next network the device connects to. This is possible, because there's no password set for either `ap` or `ota`, and setting these passwords would be a good mitigation. There's an alternative to setting passwords however: require physical access to the device to enable the captive portal. There are multiple possibilities here: - Pressing a button. - Power off / on X number of times (eg: similar to [what Athom does](https://github.com/athom-tech/athom-configs/blob/main/athom-rgbct-light.yaml)). - Pressing the reset button (and `on_boot` checks reset cause). In order for any of these to be possible, it is required to disable `ap_timeout`, but it is not possible ATM. Trying to set it to 2^32 = 4294966296s yields: ``` src/main.cpp: In function 'void setup()': src/main.cpp:226:34: warning: conversion from 'long long unsigned int' to 'uint32_t' {aka 'long unsigned int'} changes value from '4294966296000' to '4293967296' [-Woverflow] wifi_component->set_ap_timeout(4294966296000ULL); ``` This PR pushes a tiny change, to make the semantics of `ap_timeout: 0s` to mean "never automatically start the AP". After this PR, this config: ``` wifi: ap: ap_timeout: 0s captive_portal: ota: ``` will be possible, enabling no password to be set, and physical access to the device in order to gain access to it. ## Types of changes - [ ] Bugfix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] Other **Related issue or feature (if applicable):** fixes <link to issue> **Pull request in [esphome-docs](https://github.com/esphome/esphome-docs) with documentation (if applicable):** esphome/esphome-docs#<esphome-docs PR number goes here> https://github.com/esphome/esphome-docs/pull/3431 ## Test Environment - [x] ESP32 - [ ] ESP32 IDF - [ ] ESP8266 - [ ] RP2040 - [ ] BK72xx - [ ] RTL87xx ## Example entry for `config.yaml`:  ```yaml # Example config.yaml esphome: name: "esphome_ld2410" on_boot: priority: 600.0 then: - script.execute: fast_boot_factory_reset_script esp32: board: esp32-c3-devkitm-1 globals: - id: fast_boot type: int restore_value: yes initial_value: '0' - id: factory_reset_boot_count_trigger type: int initial_value: '3' logger: script: - id: fast_boot_factory_reset_script then: - if: condition: lambda: return ( id(fast_boot) >= id(factory_reset_boot_count_trigger) ); then: - lambda: |- ESP_LOGD("Fast Boot Factory Reset", "Performing factotry reset"); id(fast_boot) = 0; fast_boot->loop(); global_preferences->sync(); - switch.turn_on: factory_reset_switch - lambda: |- if(id(fast_boot) > 0) ESP_LOGD("Fast Boot Factory Reset", "Quick reboot %d/%d, do it %d more times to factory reset", id(fast_boot), id(factory_reset_boot_count_trigger), id(factory_reset_boot_count_trigger) - id(fast_boot)); id(fast_boot) += 1; fast_boot->loop(); global_preferences->sync(); - delay: 10s - lambda: |- id(fast_boot) = 0; fast_boot->loop(); global_preferences->sync(); wifi: id: wifi_component ap: ap_timeout: 0s reboot_timeout: 0s captive_portal: switch: - platform: factory_reset id: factory_reset_switch name: "ESPHome: Factory reset" ``` ## Checklist: - [x] The code change is tested and works locally. - [ ] Tests have been added to verify that the new code works (under `tests/` folder). If user exposed functionality or configuration variables are added/changed: - [x] Documentation added/updated in [esphome-docs](https://github.com/esphome/esphome-docs).

Still as mentioned before you might also just loose API improvements on the way which would later could lead to weird things requiring debugging from your side.

Some people (including users in this forum) run stone old buggy Tasmota versions like 5 or 6 and are happy with it (because it switches the light ) - still it contains security vulnerabilities which could be exploited remotely.

The fine difference between a dumb and a smart switch is that the later is connected and while feature upgrades are not necessary you should at least install necessary security fixes.

Protoncek · January 26, 2024, 1:26pm

Yeah, well… i’m usually more “wanna the latest and greatest” kinda guy, but esp nodes are an exception. HA, addons, hacs stuff… those i update regularly.
To be honest, most of my esp nodes do have pretty “decent” version, mostly because i’m constantly hacking, messing, improving… with HA and modules… always wanting something more, better…

Regarding “unauthorized OTA update”: hm… all my nodes are local. So, a hacker will have to break into my local network first in order to reach them. And if he/she does, then nodes will be last on the list to worry about…

j1234 · February 3, 2024, 7:07pm

Note that you should always take precautions with networking, even for devices within your network. If your wifi is using WEP2, which almost everyone is, your password can be obtained in about 12hrs using a RPI or laptop from outside your house. Useful if you’d like to share your neighbour’s wifi…

Protoncek · February 3, 2024, 7:30pm

“WEP2”… do you mean WPA2? I don’t use wep2, i use wpa2. My router does support wpa3, but sadly many of wifi devices doesn’t.
But, ket’s say that someone would camp in front of my house with pi. It makes me wonder…why on earth would he/she wanna do that? I don’t have anything worthed to be stolen, hacked…

FelixKa · February 3, 2024, 7:42pm

Is that a new method you are referring to?
I tried the common methods to test my network security (eg. hashcat against some packet captures) and threw some GPU at it as well but most nontrivial passwords (i.e. non-dictionary complex passwords) couldn’t be cracked within a reasonable time, I found.
I’m inclined to not believe the 12h on a Raspberry Pi figure. But if you happen to have any sources backing that up, that would be interesting to know.

odwide · February 3, 2024, 8:24pm

Same here. That would be possible only if using an extremely weak password. Even with significant processing power, a WPA2 password of at least 12 characters and good entropy is not crackable in any feasible time.

The typical way to attack WPA2 is:

Spoof the MAC address of an authenticated device.
Send a deathentication frame to the AP as coming from that MAC. That’ll force the real device to re-authenticate.
Capture the handshale data.
Rinse and repeat to capture a bunch more handshakes.
Go home and brute force the key at your leisure.

Good luck if the target network has a good password.

WPA3 has management frame protection to prevent deathentication attacks and many other shenanigans, but it’s not as widely used yet.

j1234 · February 3, 2024, 9:05pm

Yes, sorry, it relies on people using guessable passwords that appear on one of the many online password lists and brute forced on a much more powerful computer at a later date.

orange-assistant · February 7, 2024, 10:21am

WEP is luckily long gone and a WEP2 was never released for good reason

After it became clear that the overall WEP algorithm was deficient (and not just the IV and key sizes) and would require even more fixes, both the WEP2 name and original algorithm were dropped.

No, no one is WEP2 - really! It never was released!

Absolute oversized. A esp32 (typically with battery pack thrown into the bushes ) is enough to capture some handshakes (after some forced de-authing) which are then send later to the clouds to crack it

The 12hrs figure given is just imagination without any base or just totally made up. Depending on the pre shared key it can be somewhere from seconds (8 digit weak password from 4.8k most used WPA password list) to somewhere technically not crackable (within an acceptable time frame) complex passphrase

darrendavid · May 16, 2024, 7:53pm

Picking up this thread assuming I understand the original intention - is there a way to flag an ESPhome device to “always skip updates”?

arrows · May 16, 2024, 8:27pm

Yes, you can have a device skip updates by setting its update sensor to “disabled”.

darrendavid · May 16, 2024, 9:05pm

Bingo, thank you! Would you mind sharing the YAML snippet for that? I’m having difficulty tracking it down in the docs.

petro · May 16, 2024, 9:11pm

there’s no yaml… go to the update sensor in the UI and disable it.

arrows · May 16, 2024, 9:18pm

petro is correct. Use the UI and toggle the “Enabled” selector off.

darrendavid · May 16, 2024, 9:42pm

Beautiful. Thank you!

bryanw · May 27, 2024, 3:40pm

Thank you @petro and @arrows.

A recent ESPHome update to 5.2 broke OTA updates for my Athom presence sensors as the new update is too large. Error returned is:

ERROR Error binary size: Error: ESP does not have enough space
to store OTA file. Please try flashing a minimal firmware (remove everything
except ota)

Two folks mentioned this already at ESPHome’s Github page… links are at the bottom of my post.

Apparently the Athom Presense sensor may have 2MB flash but is only being detected as 1MB. Not sure if that’s true, but if so then changing the board type in the yaml config to a board supporting 2MB or 4MB may work. Or, could try installing a minimal firmware then the update would fit. But I decided not to bother with tweaking it.

I really don’t think these sensors need to update 2-3 times each month (so many ESPHome updates…) so I followed the steps above to disable the update notification. Thank you for the suggestion!

github.com/esphome/issues

Error binary size: at Athom presense sensors

opened 03:32PM - 23 May 24 UTC

MarkuBu

### The problem I have several Athom presense sensors. Since the update to ESPH…ome 2024.5.1 or .2 I can't update the firmware. Latest installed version is 2024.5.0 Maybe I missed .1, so I'm not sure if .1 or .2 caused the issue at first ### Which version of ESPHome has the issue? 2024.5.2 ### What type of installation are you using? Home Assistant Add-on ### Which version of Home Assistant has the issue? 2024.5.4 ### What platform are you using? ESP8266 ### Board Athom presense sensor PS01 ### Component causing the issue _No response_ ### Example YAML snippet _No response_ ### Anything in the logs that might be useful for us? ```txt INFO ESPHome 2024.5.2 INFO Reading configuration /config/esphome/athom-presence-sensor-f9a20d.yaml... INFO Detected timezone 'Europe/Oslo' INFO Generating C++ source... INFO Compiling app... Processing athom-presence-sensor-f9a20d (board: esp8285; framework: arduino; platform: platformio/[email protected]) -------------------------------------------------------------------------------- HARDWARE: ESP8266 80MHz, 80KB RAM, 1MB Flash Dependency Graph |-- ESPAsyncTCP-esphome @ 2.0.0 |-- ESPAsyncWebServer-esphome @ 3.2.0 |-- DNSServer @ 1.1.1 |-- ESP8266WiFi @ 1.0 |-- ESP8266mDNS @ 1.2 |-- noise-c @ 0.1.4 |-- Wire @ 1.0 |-- ArduinoJson @ 6.18.5 RAM: [===== ] 49.1% (used 40240 bytes from 81920 bytes) Flash: [====== ] 59.4% (used 608089 bytes from 1023984 bytes) ========================= [SUCCESS] Took 5.94 seconds ========================= INFO Successfully compiled program. INFO Connecting to 192.168.178.68 INFO Uploading /data/build/athom-presence-sensor-f9a20d/.pioenvs/athom-presence-sensor-f9a20d/firmware.bin (612240 bytes) INFO Compressed to 414758 bytes ERROR Error binary size: Error: ESP does not have enough space to store OTA file. Please try flashing a minimal firmware (remove everything except ota) ``` ### Additional information _No response_

github.com/esphome/issues

OTA stops working after upgrade to 2024.5.0

opened 02:55PM - 16 May 24 UTC

andreas-bulling

### The problem Since the upgrade to the latest ESPHome I suddenly cannot flash… one of my Shelly devices OTA anymore. It has a 8266 chip with 1MB of flash. I see ``` INFO ESPHome 2024.5.0 INFO Reading configuration /config/esphome/entrance.yaml... INFO Generating C++ source... INFO Compiling app... Processing entrance (board: esp01_1m; framework: arduino; platform: platformio/[email protected]) -------------------------------------------------------------------------------- HARDWARE: ESP8266 80MHz, 80KB RAM, 1MB Flash Dependency Graph |-- ESPAsyncTCP-esphome @ 2.0.0 |-- ESPAsyncWebServer-esphome @ 3.2.0 |-- DNSServer @ 1.1.1 |-- ESP8266WiFi @ 1.0 |-- ESP8266mDNS @ 1.2 |-- noise-c @ 0.1.4 RAM: [===== ] 51.1% (used 41900 bytes from 81920 bytes) Flash: [====== ] 59.7% (used 611149 bytes from 1023984 bytes) ========================= [SUCCESS] Took 1.09 seconds ========================= INFO Successfully compiled program. INFO Connecting to 192.168.1.106 INFO Uploading /data/build/entrance/.pioenvs/entrance/firmware.bin (615296 bytes) INFO Compressed to 418344 bytes ERROR Error binary size: Error: ESP does not have enough space to store OTA file. Please try flashing a minimal firmware (remove everything except ota) ``` ### Which version of ESPHome has the issue? 2024.5.0 ### What type of installation are you using? Home Assistant Add-on ### Which version of Home Assistant has the issue? latest ### What platform are you using? ESP8266 ### Board shelly ### Component causing the issue _No response_ ### Example YAML snippet _No response_ ### Anything in the logs that might be useful for us? _No response_ ### Additional information _No response_

bkbartk · May 27, 2024, 6:17pm

I use this one a lot,
to disable update. disable “Enabled” and click… “Update”

or am I the only one who thinks this is funny and confusing at the same time?

gianlucaf81 · June 25, 2024, 8:10am

While I have the utmost respect for the ESPHome maintainers and their hard work, I believe there might be room for improvement in the current notification system. The current approach of sending numerous notifications to Home Assistant may not be the most effective or user-friendly solution.
The script/automation shared above does address this issue, but it also removes the update status from the ESPHome component interface, which could be valuable information to retain.
If I may humbly suggest, perhaps a more balanced approach would be to have a single notification in Home Assistant indicating that one or more devices require updates. This could be complemented by maintaining the detailed update status within the ESPHome component interface, allowing users to have a comprehensive overview when needed.

orange-assistant · June 30, 2024, 10:19am

This is actually not the current approach. This was the old default. Starting with ESPHome 2024.6.0 update entities are disabled by default as (judging by this thread) many users have troubles disabling a entity themselves

juicejuice · November 12, 2024, 6:05am

The solution to disable update entities is good, the better solution would be to allow a multi-select skip or skip-all option for the updates. It’s nice to see the update notifications but also nice to dismiss them all at once.