HTTP Bootloader for ATmega328

Go To Last Post
16 posts / 0 new
Author
Message
#1
  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Hello everyone,

I have developed HTTP bootloader for ATmega328. I have developed this bootloader for my master thesis. This bootloader uploads to microcontroller via web browser. It needs Wiznet 5100 Ethernet controller. It uploads raw format firmware program.

I have tested on Arduino Uno and Wiznet 5100 Ethernet shield for Arduino.

 

Download

 

Thanks for replies,
Ercan

Last Edited: Thu. Aug 8, 2019 - 04:11 PM
  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Good luck with your masters degree.

What security is included with your bootloader, as an online upload would be a hackers delight!

 

Jim

 

 

FF = PI > S.E.T

 

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

ki0bk wrote:

What security is included with your bootloader, as an online upload would be a hackers delight!

 

That will be their PhD project.  ;-)

--Mike

 

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Security is always seems to be last instead of the first requirement!

 

 

FF = PI > S.E.T

 

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Thanks for replies.

 

Security may be provided by a firewall. ATmega328p has 4 KiB for bootloader and no more space for extra options.

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

    Leaving security aside, (one would use it on a local network where security is not an issue) how it enters the bootloader? It relies on the application firmware? Otherwise you would need to have it close by and press the reset button, which makes its usability questionable versus a USB connection. Don't understand me wrong, it is still a nice project.

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

As they say the S in the acronym IoT stands for security.

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

@ #7: Still missing a "d" in there :)

 

@OP:

There are a gazillion projects on github / gitlab, and the "README" is really uninformative.

In your post here you say:

ercanersoy wrote:
I have developed HTTP bootloader for ATmega328.
which is more information than in the README on github / gitlab:

 

https://github.com/ercanersoy/Mi... wrote:

Micro Boot 0.1

Engilish (US): English documentation of this software is in
"documentation/en-US" directory.

 

Assuming prior knowledge in the first readme is a very bad habit I see in lots of projects on github.

And even if you click through and go to

https://gitlab.com/ercanersoy/micro-boot/blob/master/documentation/en-US/README

then it does not even say it is a http bootloader for atmega328.

 

Also: quoting that it has only been tested in Firefox does not give me much confidence, nor does it makes me curious about the rest of the project.

If it had been tested in the majority of mainstream browsers I would already have had more confidence in the project.

 

Apart from that, I have absolutely 0.0 interest in http bootloaders.

As generic development platforms I bought some "arduno nano's" and "arduino micro's" (Pico's?) and one of those boards have omitted the default 6 pin programmer connector.

It seems they want you to use the "bootloader" instead, and to be able to use the bootloader you have to connect a pcb with USB <-> RS232 translation logic. What advantage does that have above connecting my trusty USBasp?

 

ercanersoy wrote:
Security may be provided by a firewall. ATmega328p has 4 KiB for bootloader and no more space for extra options.

ATmega328 only has 32kB total flash. Using 4kB of that for a bootloader seems redicilous.

Devices like the ESP8266 where you have a few MB of flash to work with are much more suited for this kind of thing.

On those you can do MicroPython with REPL in a web browser.

 

Curious though: Is the WizzNet 5100 driver shared between the bootloader code and the main application, or does the application have a separate copy of that code?

The whole "documentation" folder is empty except for a meaningless "README".

 

Is this still a work in progress, or is it already finished?

If you add full documention of this project to github / gitlab it would be a nice addition on your CV to link to those projects.

Companies like good documentation, and from what I can see this project lacks severely in documentation.

It should at least have an overview of the whole project and a quickly accesible block diagram of which parts are where and how they fit together.

Why http instead of UDP or raw TCP/IP sockets? Those might make the bootlaoder code simpler / smaller, and leave room for some AES or SSH.

I also dislke the idea of dragging in a whole web browser jutst to upload some code. I much prefer a command line utility I can integrate in a makefile, but that is a personal observation.

 

I really like the way Cornell University approaches things.

Their students are required to make a project, and make a web page with documentation of their project.

Over the years they have accumulated hundreds of projects all nicely documented.

https://people.ece.cornell.edu/land/courses/ece4760//FinalProjects/

 

That is far more usefull than dumping some code on github. On github it just drowns in the flood of other unremarkable projects.

Good documentation is key to interesting others in your project.

No sensible person is going to spend a day browsing through source code without having prior knowledge whether that code even has some overlap to what they are interested in.

Doing magic with a USD 7 Logic Analyser: https://www.avrfreaks.net/comment/2421756#comment-2421756

Bunch of old projects with AVR's: http://www.hoevendesign.com

Last Edited: Tue. Jan 22, 2019 - 03:05 AM
  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

ercanersoy wrote:
I have developed HTTP bootloader for ATmega328

Thanks for your interesting project. Very instructive. Security-topic discussed here is practically insignificant for hobby use.

Last Edited: Tue. Jan 22, 2019 - 04:11 AM
  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Thanks for replies.

 

Micro Boot is completed project.

 

I will add more documention on READMEs.

 

Micro Boot security can be provided by a firewall or access point.

 

Micro Boot have designed for end users.

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

ercanersoy wrote:
Micro Boot security can be provided by a firewall or access point.
How do you figure?  Does your bootloader provide 1) encryption?  2) authentication?  3) fallback in case of failure or bug in app code?

 

The only way I would ever possibly consider using your code for anything except a blinky test is if the target were behind a firewall which I controlled, on a network which I controlled, containing only machines which I controlled, and then via an SSH tunnel to a trusted machine within.  Even then your bootloader still seems to fail to provide 2) and 3).

 

At the absolute best, I would consider using pieces of your bootloader to provide connectivity for a bootloader which does provide at least authentication and preferably encryption, perhaps based on AVR231.

 

Nevertheless, neat project.  Hope you did well on your thesis project.

"Experience is what enables you to recognise a mistake the second time you make it."

"Good judgement comes from experience.  Experience comes from bad judgement."

"Wisdom is always wont to arrive late, and to be a little approximate on first possession."

"When you hear hoofbeats, think horses, not unicorns."

"Fast.  Cheap.  Good.  Pick two."

"We see a lot of arses on handlebars around here." - [J Ekdahl]

 

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

I must be missing something but isn't the intention of this to be used in some kind of "home network" so why would security be a big issue? As OP says, the big old nasty outside world is hopefully stopped from intrusion at the firewall (and routing) in your own router. Within your home the network things should be secure. Or are people envisioning a usage where the uploader is in New Zealand and the device is installed in Iceland or something?

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Home security never gets compromised. And WiFi is perfectly secure.  Right? ;-)

"Experience is what enables you to recognise a mistake the second time you make it."

"Good judgement comes from experience.  Experience comes from bad judgement."

"Wisdom is always wont to arrive late, and to be a little approximate on first possession."

"When you hear hoofbeats, think horses, not unicorns."

"Fast.  Cheap.  Good.  Pick two."

"We see a lot of arses on handlebars around here." - [J Ekdahl]

 

Last Edited: Tue. Jan 22, 2019 - 01:50 PM
  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

clawson wrote:
As OP says, the big old nasty outside world is hopefully stopped from intrusion at the firewall (and routing) in your own router. Within your home the network things should be secure.

 

Besides that our unknown Mr.Hacker don't know from afar when where what which user will update small microcontrollers. Hacking time and effort should stand in reasonable proportion to the hacker benefit. In this case this is excluded from afar. But OK, if you have a vicious neighbor he knows everything about you and AVR controllers and your projects and and and ... then lack of bootloader security could be a risk. Then maybe he could change the data of your weather sensor. Terribly!  wink

 

So, the security objection is completely ridiculous here.  Bootloader encryption and authentication is important for industrial products but these industrial controls usually do not use a Mega328...  

 

Keep things as simple as possible! Do not make the world unnecessarily complicated! Ask first about the application and the location. Ask yourself what could happen in the worst case. Only then ask what you need.

 

 

angelu wrote:
how it enters the bootloader? It relies on the application firmware? 

 

Maybe OP can answer this much more useful question?

Last Edited: Wed. Jan 23, 2019 - 08:02 PM
  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

I have updated and expanded documentation.

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

I have changed name and the bootloader's page.