JAndrassy/ESP_ATModPublic

forked fromJiriBilek/ESP_ATMod

NotificationsYou must be signed in to change notification settings
Fork0
Star0

ESP8266 AT Firmware (Command Processor) With TLS 1.2 Capability

License

LGPL-3.0 license

0 stars 11 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 54 Commits
ESP_ATMod		ESP_ATMod
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
platformio.ini		platformio.ini

Repository files navigation

ESP 8266 AT Firmware - modified for TLS 1.2

This firmware comes as anArduino esp8266 sketch.

This file refers to version 0.5.0 of the firmware.

Purpose

The AT firmware provided by Espressif comes with basic TLS ciphersuites only. Especially, the lack of GCM-based ciphersuites makes the SSL part of the Espressif's firmware unusable on more and more web sites. This firmware addresses this issue.

The goal was to enable all modern ciphersuites implemented in BearSSL library included in esp8266/Arduino project including with some server authentication (server certificate checking).

The firmware fits into 1024 KB flash and can be run even on ESP-01 module with 8 Mbit flash.

Description

The firmware does not (and likely will not) implement the whole set of AT commands defined in Espressif's documentation.

The major differences are:

Only TCP mode (with or without TLS) is supported, no UDP.
In multiplex mode (AT+CIPMUX=1), 5 simultaneous connections are available. Due to memory constraints, there can be only one TLS (SSL) connection at a time with standard buffer size, more concurrent TLS connections can be made with a reduced buffer size (AT+CIPSSLSIZE). When the buffer size is 512 bytes, all 5 concurrent connections can be TLS.

New features:

Implemented TLS security with state-of-the-art ciphersuites: certificate fingerprint checking or certificate chain verification.
Implemented TLS MFLN check (RFC 3546), setting TLS receive buffer size, checking MFLN status of a connection.

Status

The firmware is still in work-in-progress state. It has been tested and is running on my devices but there might be deviations from the expected behaviour.

My testing environment uses theWifiEsp library and also the newerWiFiEspAT library.

The Future

Next development will be focused on

More complete AT command implementation.

Installation

There are two options for compiling and flashing this library.

Arduino IDE

First you have to installArduino IDE and thecore for the ESP8266 chip. Next get all source files from this repository, place them in a folder namedESP_ATMod and compile and upload to your ESP module.

After flashing, the module will open serial connection on RX and TX pins with 115200 Bd, 8 bits, no parity. You can talk with the module using a serial terminal of your choice.

IMPORTANT NOTE: From the firmware version 0.4.0 on, you need to use the Arduino Core for 8266 version 3.0+.

PlatformIO

An alternative to using the Arduino IDE is to use PlatformIO.

InstallPlatformIO
Make sure that your device is in flashing mode
In your favourite terminal and from the root of this repository, runthe following command to build and upload the sketch to the device:
```
platformio run --target upload
```

This has been configured and tested for the ESP-01 Black.

Add certificates

Certificates are stored in the ESP's filesystem with LittleFS. To add a certificate follow the following steps.

IMPORTANT: the certifcate must be in .pem format.

Copy the certificate you want to the data directory in ESP_ATMod
Install theLittleFS Filesystem Uploader
Select Tools > ESP8266 LittleFS Data Upload menu item. This should start uploading the files into ESP8266 flash file system. When done, IDE status bar will display LittleFS Image Uploaded message. Might take a few minutes for large file system sizes.
Now upload the ESP_ATMod sketch to the ESP.
The certificate(s) you uploaded are now loaded and ready to use (you can check them withAT+CIPSSLCERT).
(Optional) You may delete the .gitkeep file in the data directory. It is only there to push and pull the data directory in git. Not deleting the .gitkeep file won't do any harm.

AT Command List

In the following table, the list of supported AT commands is given. In the comment, only a difference between this implementation and the original Espressif's AT command firmware is given. The commands are implemented according to the Espressif's documentation, including the command order. Please refer to theEspressif's documentation for further information.

AT commands with _DEF and _CUR have (as in the standard AT firmware) an undocumented version without _DEF/CUR for backward compatibility (and forward too since AT 2 doesn't use _DEF/CUR). The command without _DEF/CUR behaves as _CUR for query and as _DEF for set (stores the parameters to the flash).

Command	Description
Basic AT Commands
AT	Test AT startup.
AT+RST	Restart a module.
AT+GMR	Check version information.
ATE	Configure AT commands echoing.
AT+RESTORE	Restore factory default settings of the module.
AT+UART_CUR	Current UART configuration, not saved in flash.
AT+UART_DEF	Default UART configuration, saved in flash.
AT+SYSRAM	Query current remaining heap size and minimum heap size.
Wi-Fi AT Commands
AT+CWMODE	Set the Wi-Fi mode (Station/SoftAP/Station+SoftAP).
AT+CWJAP_CUR	Connect to an AP, parameter <pci_en> not implemented
AT+CWJAP_DEF	Connect to AP, saved to flash. Parameter <pci_en> not implemented
AT+CWLAPOPT	Set the configuration for the command AT+CWLAP.
AT+CWLAP	List available APs.
AT+CWQAP	Disconnect from an AP.
AT+CWSAP_CUR	Start SoftAP, parameter <ecn> is not used. WPA_WPA2_PSK is used, if <pwd> is not empty.
AT+CWSAP_DEF	Connect to AP, saved to flash. Parameter <ecn> is not used. WPA_WPA2_PSK is used, if <pwd> is not empty.
AT+CWDHCP_CUR	Enable/disable DHCP - SoftAP DHCP server enabling is not immplemented.
AT+CWDHCP_DEF	Enable/disable DHCP saved to flash - SoftAP DHCP server enabling is not immplemented.
AT+CWAUTOCONN	Connect to an AP automatically when powered on.
AT+CIPSTAMAC_CUR	Sets or prints the MAC Address of the ESP8266 Station. Only query is implemented.
AT+CIPSTAMAC_DEF	Sets or prints the MAC Address of the ESP8266 Station stored in flash. Only query is implemented.
AT+CIPAPMAC_CUR	Sets or prints the MAC Address of the ESP8266 SoftAP. Only query is implemented.
AT+CIPAPMAC_DEF	Sets or prints the MAC Address of the ESP8266 SoftAP stored in flash. Only query is implemented.
AT+CIPSTA_CUR	Query/Set the IP address of an ESP station.
AT+CIPSTA_DEF	Set and/or print current IP address, gateway and network mask, stored in flash.
AT+CIPAP_CUR	Query/Set the current IP address of the SoftAP.
AT+CIPAP_DEF	Set and/or print SoftAP IP address, gateway and network mask, stored in flash.
AT+CWHOSTNAME	Query/Set the host name of an ESP Station.
TCP/IP AT Commands
AT+CIPSTATUS	Obtain the TCP/UDP/SSL connection status and information.
AT+CIPDOMAIN	Resolve a Domain Name.
AT+CIPSTART	Establish TCP connection, or SSL connection. Only one TLS connection at a time.
AT+CIPSSLSIZE	Change the size of the receiver buffer (512, 1024, 2048 or 4096 bytes)
AT+CIPSEND	Send data in the normal transmission mode or Wi-Fi passthrough mode.
AT+CIPCLOSEMODE	Set the Close Mode of TCP Connection.
AT+CIPCLOSE	Close TCP/SSL connection.
AT+CIFSR	Obtain the local IP address and MAC address.
AT+CIPMUX	Enable/disable the multiple connections mode. Max. 5 conections, only one of them can be TLS
AT+CIPSNTPCFG	Query/Set the time zone and SNTP server.
AT+CIPSNTPTIME	Query the SNTP time.
AT+CIPDINFO	Set +IPD message mode.
AT+CIPRECVMODE	Query/Set socket receiving mode.
AT+CIPRECVDATA	Obtain socket data in passive receiving mode.
AT+CIPRECVLEN	Obtain socket data length in passive receiving mode.
AT+CIPDNS_CUR	Query/Set DNS server information.
AT+CIPDNS_DEF	Default DNS setting, stored in flash
AT+CIPSERVER	Deletes/Creates TCP Server
AT+CIPSERVERMAXCONN	Set the maximum connections allowed by server
AT+CIPSTO	Sets the TCP Server Timeout
New commands
AT+SYSCPUFREQ	Set or query the current CPU frequency.
AT+RFMODE	Set the physical wifi mode.
AT+CIPSSLAUTH	Set and query the TLS authentication mode.
AT+CIPSSLFP	Load or print the TLS server certificate fingerprint.
AT+CIPSSLCERTMAX	Query or set the maximum amount of certificates that can be loaded.
AT+CIPSSLCERT	Load, query or delete TLS CA certificate.
AT+CIPSSLMFLN	Check if the site supports Maximum Fragment Length Negotiation (MFLN).
AT+CIPSSLSTA	Prints the MFLN status of a connection.
AT+SNTPTIME	Get SNTP time.
New Ethernet AT Commands
AT+CIPETHMAC_CUR	Sets or prints the MAC Address of the Ethernet interface.
AT+CIPETHMAC_DEF	Sets or prints the MAC Address of the Ethernet interface stored in flash. Save to flash is not implemented.
AT+CIPETH_CUR	Query/Set the IP address of the Ethernet interface.
AT+CIPETH_DEF	Set and/or print current IP address, gateway and network mask, stored in flash.
AT+CEHOSTNAME	Query/Set the host name of the Ethernet interface.

Changed Commands

AT+CIPSSLSIZE - Set the TLS Receiver Buffer Size

Sets the TLS receiver buffer size. The size can be 512, 1024, 2048, 4096 or 16384 (default) bytes according toRFC3546. The value is used for all subsequent TLS connections, the opened connections are not affected.

Command:

AT+CIPSSLSIZE=512

Answer:

OK

AT+CIPRECVMODE, AT+CIPRECVDATA, AT+CIPRECVLEN in SSL mode

Commands

AT+CIPRECVMODE (Set TCP or SSL Receive Mode)
AT+CIPRECVDATA (Get TCP or SSL Data in Passive Receive Mode)
AT+CIPRECVLEN (Get TCP or SSL Data Length in Passive Receive Mode)

Works in SSL mode in the same way as in TCP mode.

AT+CIPSERVER, AT+CIPSERVERMAXCONN and AT+CIPSTO

The standard AT firmware supports only one server. This firmware support up to 5 server with same AT+CIPCIPSERVER command.

In standard AT firmware 1.7 executingAT+CIPSERVER=1,<port> again even if the port is different prints no change and OK. Here it starts a new server. "no change" is returned only if maximum count of servers is reached.

In standard AT firmware 1.7 executing AT+CIPSERVER=0 stops the one server. Here it stops the first one. ExecutingAT+CIPSERVER=0,<port> stops the server listening on<port>.

CIPSERVERMAXCONN and CIPSTO are global settings, They apply to all servers.

AT+CWDHCP

In standard AT firmware AT_CWDHCP enables/disables the DHCP client for STA (mode 0) and starts or stops the DHCP server for SoftAP (mode 1). In ESP_ATMod the SoftAP DHCP server is always enabled. The AT+CWDHCP command is not implemented for SoftAP.

For Ethernet support, the AT+CWDHCP command is enhanced. The Ethernet DHCP client is enabled/disabled with mode 3. For AT+CWDHCP?, state of the Ethernet DHCP client is returned in third bit.

New Commands

AT+SYSCPUFREQ - Set or query the Current CPU Frequency

Sets and queries the CPU freqency. The only valid values are 80 and 160 Mhz.

Query:

Command:

AT+SYSCPUFREQ?

Answer:

+SYSCPUFREQ=80OK

Set:

Command:

AT+SYSCPUFREQ=<freq>

Answer:

OK

The value freq may be 80 or 160.

AT+RFMODE - Get and Change the Physical Wifi Mode

Sets and queries the physical wifi mode.

Query:

Command:

AT+RFMODE?

Answer:

+RFMODE=1OK

Set:

Command:

AT+RFMODE=<mode>

Answer:

OK

The allowed values of <mode> are:

Mode	Description
1	IEEE 802.11b
2	IEEE 802.11g
3	IEEE 802.11n

AT+CIPSSLAUTH - Set and Query the TLS Authentication Mode

Set or queries the selected TLS authentication mode. The default is no authentication. Try to avoid this because it is insecure and prone to MITM attack.

Query:

Command:

AT+CIPSSLAUTH?

Answer:

+CIPSSLAUTH=0OK

Set:

Command:

AT+CIPSSLAUTH=<mode>

Answer:

OK

The allowed values of <mode> are:

Mode	Description
0	No authentication. Default. Insecure
1	Server certificate fingerprint checking
2	Certificate chain checking

Switching to mode 1 succeeds only when the certificate SHA-1 fingerprint is preloaded (see AT+CIPSSLFP).

Switching to mode 2 succeeds only when the CA certificate preloaded (see AT+CIPSSLCERT).

AT+CIPSSLFP - Load or Print TLS Server Certificate SHA-1 Fingerprint

Load or print the saved server certificate fingerprint. The fingerprint is based on SHA-1 hash and is exactly 20 bytes long. When connecting, the TLS engine checks the fingerprint of the received certificate against the saved value. It ensures the device is connecting to the expected server. After a successful connection, the fingerprint is checked and is no longer needed for this connection.

The SHA-1 certificate fingerprint for a site can be obtained e.g. in browser while examining the server certificate.

Query:

Command:

AT+CIPSSLFP?

Answer:

+CIPSSLFP:"4F:D5:B1:C9:B2:8C:CF:D2:D5:9C:84:5D:76:F6:F7:A1:D0:A2:FA:3D"OK

Set:

Command:

AT+CIPSSLFP="4F:D5:B1:C9:B2:8C:CF:D2:D5:9C:84:5D:76:F6:F7:A1:D0:A2:FA:3D"

AT+CIPSSLFP="4FD5B1C9B28CCFD2D59C845D76F6F7A1D0A2FA3D"

Answer:

OK

The fingerprint consists of exactly 20 bytes. They are set as hex values and may be divided with ':'.

AT+CIPSSLCERTMAX - Query or set maximum certificates to load

Currently maximum 5 certificates at a time can be loaded. With this command the amount of certificates to load with LittleFS can be adjusted.

Query amount to load:

Command:

AT+CIPSSLCERTMAX?

Answer:

+CIPSSLCERTMAX:5OK

Set amount to load:

Command:

AT+CIPSSLCERTMAX=6

Answer:

+CIPSSLCERTMAX:6OK

AT+CIPSSLCERT - Load, Query or Delete TLS CA Certificate

Load, query or delete CA certificate for TLS certificate chain verification. Currently maximum 5 certificates at a time can be loaded. The certificates must be in PEM structure. After a successful connection, the certificate is checked and is no longer needed for this connection.

Query the first certificate:

Command:

AT+CIPSSLCERT?

Answer:

+CIPSSLCERT:no certERROR

+CIPSSLCERT,1:DST Root CA X3+CIPSSLCERT,2:DST Root CA X3OK

Query specific certificate:

Command:

AT+CIPSSLCERT?2

Answer:

+CIPSSLCERT,2:DST Root CA X3OK

Set:

Command:

AT+CIPSSLCERT

Answer:

OK>

You can now send the certificate (PEM encoding), no echo is given. After the last line (-----END CERTIFICATE-----), the certificate is parsed and loaded. The certificate should be sent with \n notation. For exampleisrg-root-x1-cross-signed.pem:

Should be:

The application responds with

Read 1952 bytesOK

or with an error message. In case of a successful loading, the certificate is ready to use and you can turn the certificate checking on (AT+CIPSSLAUTH=2).

The limit for the PEM certificate is 4096 characters total.

Delete a certificate:

Command:

AT+CIPSSLCERT=DELETE,1

Answer:

+CIPSSLCERT,1:deletedOK

The certificate is deleted from the memory.

AT+CIPSSLMFLN - Checks if the given site supports the MFLN TLS Extension

The Maximum Fragment Length Negotiation extension is useful for lowering the RAM usage by reducing receiver buffer size on TLS connections. Newer TLS implementations support this extension but it would be wise to check the capability before changing a TLS buffer size and making a connection. As the server won't change this feature on the fly, you should test the MFLN capability only once.

Command:

AT+CIPSSLMFLN="site",port,size

The valid sizes are 512, 1024, 2048 and 4096.

AT+CIPSSLMFLN="www.github.com",443,512

Answer:

+CIPSSLMFLN:TRUEOK

AT+CIPSSLSTA - Checks the status of the MFLN negotiation

This command checks the MFLN status on an opened TLS connection.

Command:

AT+CIPSSLSTA[=linkID]

ThelinkID value is mandatory when the multiplexing is on (AT+CIPMUX=1). It should be not entered when the multiplexing is turned off.

AT+CIPSSLSTA=0

Answer:

+CIPSSLSTA:1OK

The returned value of 1 means there was a MFLN negotiation. It holds even with the default receiver buffer size set.

AT+SYSTIME - Returns the current time UTC

This command returns the current time as unix time (number of seconds since January 1st, 1970). The time zone is fixed to GMT (UTC). The time is obtained by querying NTP servers automatically, after connecting to the internet. Before connecting to the internet or in case of an error in communication with NTP servers, the time is unknown. This situation should be temporary.

Command:

AT+SYSTIME?

Answer:

+SYSTIME:1607438042OK

If the current time is unknown, an error message is returned.

AT+CIPETH, AT+CIPETHMAC, AT+CEHOSTNAME

These commands support use of the Ethernet interface as in standard AT firmware version 2 and newer.

These commands for the Ethernet interface are analogous to AT+CIPSTA, AT+CIPSTAMAC and AT+CWHOSTNAME commands.

About

ESP8266 AT Firmware (Command Processor) With TLS 1.2 Capability

Releases

No releases published

Packages

No packages published

Languages

C++92.6%
C7.4%

Movatterモバイル変換

License

JAndrassy/ESP_ATMod

Folders and files

Latest commit

History

Repository files navigation

ESP 8266 AT Firmware - modified for TLS 1.2

Purpose

Description

Status

The Future

Installation

Arduino IDE

PlatformIO

Add certificates

AT Command List

Changed Commands

AT+CIPSSLSIZE - Set the TLS Receiver Buffer Size

AT+CIPRECVMODE, AT+CIPRECVDATA, AT+CIPRECVLEN in SSL mode

AT+CIPSERVER, AT+CIPSERVERMAXCONN and AT+CIPSTO

AT+CWDHCP

New Commands

AT+SYSCPUFREQ - Set or query the Current CPU Frequency

AT+RFMODE - Get and Change the Physical Wifi Mode

AT+CIPSSLAUTH - Set and Query the TLS Authentication Mode

AT+CIPSSLFP - Load or Print TLS Server Certificate SHA-1 Fingerprint

AT+CIPSSLCERTMAX - Query or set maximum certificates to load

AT+CIPSSLCERT - Load, Query or Delete TLS CA Certificate

AT+CIPSSLMFLN - Checks if the given site supports the MFLN TLS Extension

AT+CIPSSLSTA - Checks the status of the MFLN negotiation

AT+SYSTIME - Returns the current time UTC

AT+CIPETH, AT+CIPETHMAC, AT+CEHOSTNAME

About

Resources

License

Stars

Watchers

Forks

Releases

Packages0

Languages

Packages