Manual firmware update?

Hi folks,

Just about to pull the trigger on one of these, just having a sparky work out how it’ll be installed in my wall (the junction box is inside my apartment, but in a corridor, so working out how to avoid anything sticking out of the wall).

The IoTaWatt will be connected to a wifi network broadcast from a Raspberry Pi, which will host a InfluxDB instance for the data to feed through to, however it will not bridge an internet connection through to anything connected wirelessly to the Pi.
Is it possible to download firmware updates from the website on the Pi, and then upload them to the IoTaWatt via the web interface, or via ssh? Or when I wish to update the IoTaWatt, will I need to temporarily connect it to my primary wifi network?

Thanks in advance!

It is possible to upload and install a firmware release from a browser.

Other considerations are that IoTaWatt should have access to a time server as the clock can drift up to several seconds per day otherwise. Also, you will not be able to use graph+ to look at the data in the IoTaWatt data because it will not be able to access the CDN with various JavaScript modules.

While IoTaWatt can run fine for a few days if the internet is not available, I don’t recommend running it perpetually that way.

I do have a time server running on the Pi just for these sorts of things. I found the same sort of slip with some ESP32s I have running on this network a little while ago.

Other than the time slip and Graph+, are there other issues likely to arise without an internet connection?

This network is twofold in purpose:

  • hides away IOT devices that aren’t secure and/or are prone to becoming parts of botnets (such as my air conditioner that transmits passwords in plaintext http headers, or the TV that will accept binaries for anywhere without questioning it)
  • gives a central point of communication for IOT devices what would be staying when I move out, like the air conditioner, light switches, smart outlets, and soon, the IoTaWatt. Just making it so any new owners don’t need to spend a pile of time getting access to the data and convenience I installed these devices to provide, so they don’t go to waste

Home Assistant OS, which I’ve set up on the Pi as the dashboard and control hub, doesn’t give me any way to VLAN it up as far as I’ve found yet, though if I find a way to do it then this all becomes moot as I’d just let the IoTaWatt through

Just the firmware updates, which you can do manually.

IoTaWatt uses time(n) for NTP. So you would need to direct that to your time server. There is no mechanism to change the server name.

I can’t guarantee absolute security, but with respect to becoming part of a botnet, the firmware update is signed with a private key that is air-gapped from the internet. I keep the signing device locked away and use it only to sign release blobs. The public key of course is in the open-source firmware. I think it’s pretty secure and the firmware does not have any other OTA update capability. There is always the underlying ESP8266/arduino core, but it also is open source and compiled with the firmware release.

Access to the device, while not TLS uses digest authentication when passwords are enabled. The password is never sent to IoTaWatt, instead a one-way digest is stored. It’s not perfect, and is based on md5 so not the best, but pretty good.

I don’t know how your influx or HA fits into the topology, but seems like you need to cross that boundary somehow. I would suggest just running an nginx reverse proxy to make the IoTaWatt use TLS to the internet if possible.

I’m not actually too worried about the security side with IoTaWatt. Large scale appliance makers that just are tacking in shiny features that involve the internet tend to not think about security, and rarely will spend any time, money or effort supporting the products that are already out there when they could be investing in new products for people to buy instead, but open source projects like IoTaWatt:

  • have reviewable code so security flaws are often quickly found and disclosed by the open source community, and are also auditable for the same reason
  • tend to be on a scale that word of mouth matters, so inherent shortcomings have a bigger reputation impact
  • often have more tech savvy users who engage with the project to help improve it for long periods of time, avoiding stagnation (at least once they get a bit of following)
    So I have a lot more trust in the quality of your code than most of my other internet connected gadgets :stuck_out_tongue:

Your frequent, positive presence supporting users in this forum only increases that.

The only reason I’m putting the IoTaWatt on that network is so that if I sell up in the next few years, which is getting more likely, it will not need complete (or partial) configuration by the next owners to continue delivering on its purpose, and I’d rather it not go to waste just because it isn’t of particular interest to them. This really is one of those things that a lot of people wouldn’t see much value in as a theoretical, but if it’s already generating the data then it quickly becomes apparent how valuable it is, so I feel leaving a low barrier for entry just makes it more likely it will be used if that eventuates.

The nginx idea does sound like something I could rig in through, I’ll look a bit at that and see what I can do. If I can make it zero maintenance, so it won’t stop working if I’m gone, then it’s totally in :slight_smile:

Speaking of your positive support :smirk:
And I’m not even an actual customer yet!

Thanks a tonne for your time!