
A Shelly device firmware updater based on zeroconf (or bonjour) discovery for local networks using their built-in Over-The-Air update interface. It is suited for network setups where IoT devices do not have internet connectivity.

🛵 Mass Over-The-Air updater for Shelly devices

🛵 mota is a mass Shelly device firmware updater based on zeroconf (or bonjour) discovery for local networks using the built-in Over-The-Air (OTA) update interface. It is particularly suited for network setups using VLANs where IoT devices do not have internet connectivity.

Background

Shelly devices periodically ping the Shelly Cloud to check for firmware updates. However, their chipsets (typically ESP8266 or ESP32) are affected by a multitude of security vulnerabilities [1] [2]. MongooseOS, the IoT framework that powers Shelly devices, is also not free of vulnerabilities [3], although at this time they are not as severe as the chipset ones.

Although Allterco Robotics, the maker of Shelly devices, frequently releases updates for its devices (unlike many other vendors), it is still considered best practice to keep your IoT devices away from the internet.

If you're planning on isolating your IoT network from the internet, then mota brings you managed updates at the local network level either interactively or in bulk.

Installation

Download a binary release or, alternatively, install via go:

❯ go get -u github.com/ruimarinho/mota
❯ go install github.com/ruimarinho/mota

You can also use Docker (Linux only, as Host mode networking is not available on Windows or macOS):

docker run --rm --net=host ruimarinho/mota

macOS

Using Homebrew:

brew tap ruimarinho/tap
brew install mota

Usage

❯ mota

If local devices are found and new firmware versions are available for your devices, you will be prompted to interactively choose which devices to update.

Sometimes Shellies appear to ignore OTA requests and may require multiple attempts to finally update to the requested version. At this time, it is my belief this is an issue with the OTA routines on the OS that powers Shellies.

CLI

❯ mota -help

Usage of mota:
      --beta            Use beta firmwares if available
      --domain string   Set the search domain for the local network. (default "local")
  -f, --force           Force upgrades without asking for confirmation
      --host strings    Use host/IP address(es) instead of device discovery (can be specified multiple times or be comma-separated)
  -p, --http-port int   HTTP port to listen for OTA requests. If not specified, a random port is chosen.
      --verbose         Enable verbose mode.
  -v, --version         Show version information
  -w, --wait int        Duration in [s] to run discovery. (default 60)

Authentication

If you have set up web access authentication (you should!), mota can automatically read and parse the standard ~/.netrc (macOS/Linux) and %HOME%/_netrc (Windows) files. Create this file in your home folder and add your Shelly information in the following format:

machine <shelly_IP_1>
login <username_1>
password <password_1>

machine <shelly_IP_2>
login <username_2>
password <password_2>
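
This file stores device passwords in plaintext, so restrict it to your own user (chmod 600 ~/.netrc). The Go sketch below is an added example, not mota's own code: it parses the format above into per-device credentials and refuses a file that group or other users can access. The function names and the strict keyword handling are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// ParseNetrc maps each machine (Shelly IP or hostname) to its login/password tokens.
func ParseNetrc(text string) (map[string]map[string]string, error) {
	tok := strings.Fields(text)
	if len(tok)%2 != 0 {
		return nil, fmt.Errorf("netrc: odd token count, a keyword is missing its value")
	}
	creds, host := map[string]map[string]string{}, ""
	for i := 0; i < len(tok); i += 2 {
		key, val := tok[i], tok[i+1]
		switch {
		case key == "machine":
			host, creds[val] = val, map[string]string{}
		case host != "" && (key == "login" || key == "password"):
			creds[host][key] = val
		default: // keyword before any machine entry, or one not shown in the format above
			return nil, fmt.Errorf("netrc: unexpected keyword %q", key)
		}
	}
	return creds, nil
}

// LoadNetrc rejects a file with any group/other permission bit set (macOS/Linux only).
func LoadNetrc(path string) (map[string]map[string]string, error) {
	info, err := os.Stat(path)
	if err == nil && info.Mode().Perm()&0o077 != 0 {
		err = fmt.Errorf("%s: mode %v is too open, run chmod 600", path, info.Mode().Perm())
	}
	if err != nil {
		return nil, err
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return ParseNetrc(string(data))
}

func main() {
	creds, err := LoadNetrc(os.Getenv("HOME") + "/.netrc") // macOS/Linux location
	fmt.Println(len(creds), "entries loaded, error:", err)  // never print the passwords
}
```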

Updating Specific Hosts

If you'd like to skip bonjour discovery, you may specify one or more devices to check individually:

mota --host=192.168.100.10 --host=192.168.100.30

Beta Firmwares

You may enable support for beta firmwares (if available):

mota --beta

License

MIT

References

[1] Proof of Concept of ESP32/8266 Wi-Fi vulnerabilities (CVE-2019-12586, CVE-2019-12587, CVE-2019-12588)

[2] Pwn the ESP32 Forever: Flash Encryption and Sec. Boot Keys Extraction

[3] Cesanta Mongoose OS Security Vulnerabilities