• You all may be used to this, but it took me completely by surprise.

    As I was progressing on my Thermostat project (currently updating the e-paper display from essentially hard-coded data), I began to explore how my home server would send commands and data updates to my device. In this, I found the node.js BLE examples and then suddenly realized that I didn't need to create an 'API' - the fact that the Espruino code essentially runs as an open console interface means that if I want to update any data, I can simply send a JavaScript command to assign a value to it!

    Need to update the forecast? Just send this over the 0x0002 characteristic:

    "\x03\x10forecast = ['Mostly cloudy, with','a high near 70.    ','S wind around 7 mph','Chance of rain 20% '];\n";
    

    Now I do have to admit this is a HUGE security exposure, but it sure is easy!

  • :) yep - that's intentional, it makes it really easy to get stuff going.

    There's a bit of info about improving BLE security here: http://www.espruino.com/BLE+Security

    Just adding a PIN code would go a long way towards stopping someone messing with it.

    But if you want better security while still using the BLE UART, you could move the REPL out the way, use Bluetooth.on('data', ...) and then parse the JSON with JSON.parse - so then you know nobody can send random code to you.
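
A sketch of the JSON-only approach suggested in the reply above, as an added example that is not part of the original thread or Espruino's own code. The names `state`, `validators`, `MAX_LINE`, the newline framing, the four-line by 20-character forecast limit and the use of `LoopbackA.setConsole(true)` to move the REPL are assumptions made for illustration.

```javascript
// State the device is willing to update, with one validator per key (assumed schema).
var state = { forecast: [] };
var validators = {
  forecast: function (v) {
    return Array.isArray(v) && v.length <= 4 &&
      v.every(function (s) { return typeof s === "string" && s.length <= 20; });
  }
};
var MAX_LINE = 256; // assumed cap: longer input is dropped, not buffered
var buf = "";

// Apply one newline-terminated message; returns "ok" or a rejection reason.
function handleLine(line) {
  var msg;
  try { msg = JSON.parse(line); } catch (e) { return "bad-json"; }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return "bad-shape";
  var keys = Object.keys(msg);
  for (var i = 0; i < keys.length; i++) {
    // Own-property check so keys like "constructor" cannot match inherited members.
    if (!validators.hasOwnProperty(keys[i])) return "unknown-key";
    if (!validators[keys[i]](msg[keys[i]])) return "bad-value";
  }
  keys.forEach(function (k) { state[k] = msg[k]; }); // commit only after all keys pass
  return "ok";
}

// BLE delivers data in small chunks, so buffer until a newline arrives.
function onData(chunk) {
  var results = [];
  buf += chunk;
  var idx;
  while ((idx = buf.indexOf("\n")) >= 0) {
    var line = buf.substring(0, idx);
    buf = buf.substring(idx + 1);
    results.push(line.length > MAX_LINE ? "too-long" : handleLine(line));
  }
  if (buf.length > MAX_LINE) { buf = ""; results.push("too-long"); }
  return results;
}

// On the device only: take the REPL off the BLE UART, then receive raw data.
if (typeof Bluetooth !== "undefined") {
  LoopbackA.setConsole(true); // assumption: moves the console to a loopback device
  Bluetooth.on("data", onData);
}
```

With this in place the server sends `{"forecast":[...]}` followed by a newline instead of a JavaScript assignment, and the console-style string from the first post is rejected as `bad-json`.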

  • Thanks for the tips. I'll check them out. As you say

    it makes it really easy to get stuff going.

  • I tried to use passkey in a simple case:

    NRF.setSecurity({passkey:"123456", mitm:1, display:1});
    
    var  on = false;
    setInterval(function() {
      on = !on;
      LED1.write(on);
    }, 500);
    

    I expected to get a prompt from the IDE when I tried to reconnect, but it reconnected without issue. I did notice this comment:

    As of Espruino 2v02 (or 'cutting edge' builds), you can set a static Passkey for Espruino:

    I'm currently using 2v01.56 and I don't see any builds that are greater than 2v01. What am I missing?

  • I'm currently using 2v01.56

    Current cutting edge builds are the right ones. A release will be 2v01 for instance, and then cutting edge builds before 2v02 will be 2v01.xyz.

    It might be that you still need a newer cutting edge build though - on older builds it'll just be ignored.

  • Ok, thanks.
    Am I using the setSecurity correctly, though?
    ie, should I expect the IDE to require a prompt after I load that code and try to reconnect?
    Since I have my own build of the Espruino code, I don't want to be arbitrary when I update it...

  • Yes, that code looks spot on.

    I forgot to add that perhaps if your PC has already paired with the device, that pairing could be stored in memory and so it may not ask you for a passcode. You could try connecting with another device?

  • Thanks. Looks like I'll update my build later today.

    I forgot to add that perhaps if your PC has already paired with the device, that pairing could be stored in memory and so it may not ask you for a passcode. You could try connecting with another device?

    Good point, I'll keep that in mind.

  • FYI, using 2v01.102 and the code in #4 I was able to connect with 4 different devices without a passcode and I'm pretty sure that one of the devices (old Samsung Note 3) had never connected to this Espruino board before. I'm going to let this pass for a while as I have other things to pursue at the moment. This was just a heads-up.

  • Thanks - that's a strange one. I'll have to have a play.


Interesting discovery controlling my Thermostat project.

Posted by TomWS (@TomWS)
