add some script to manage default passwords

These script can set and restore the password from the BlueTooth pincode as will be done in production. ve-is-password-set-by-default reports if there was a password set in the factory or none at all as before this change. This check is based on the release date of the installer firmware.
victronenergy · Apr 7, 2024 · 7a10483 · 7a10483
1 parent d415d56
commit 7a10483
Show file tree

Hide file tree

Showing 4 changed files with 102 additions and 1 deletion.
diff --git a/meta-bsp/recipes-bsp/machine-runtime-conf/files/ve-is-password-set-by-default b/meta-bsp/recipes-bsp/machine-runtime-conf/files/ve-is-password-set-by-default
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+if [ "$1" = "-h" ]; then
+	echo "usage: $0"
+	echo
+	echo "After April 2024 all product are shipped with the BlueTooth PIN as"
+	echo "default password, this wasn't the case before that."
+	echo
+	echo "Returns if the product left the factory with the PIN as password,"
+	echo "which can e.g. be used to restore a product to its default factory state."
+	echo
+	echo "example:"
+	echo
+	echo "  if ve-is-password-set-by-default; then"
+	echo "     There was a unique password set by default and it should be restored for factory default"
+	echo "  else:"
+	echo "     The product left the factory without a default unique password, and the user is"
+	echo "     expected to set one first if a password is required or disable the password check."
+fi
+
+installer_version="$(sed -n '3p' /data/venus/installer-version 2>/dev/null)"
+
+if [ ${installer_version:-0} -ge 20240405000000 ]; then
+    exit 0
+else
+    exit 1
+fi
+
diff --git a/meta-bsp/recipes-bsp/machine-runtime-conf/files/ve-password-as-in-factory b/meta-bsp/recipes-bsp/machine-runtime-conf/files/ve-password-as-in-factory
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+if [ "$1" = "-h" ]; then
+	echo "usage: $0"
+	echo
+	echo "Simple helper to set a password back to how it was after it left the factory"
+	echo "if there is currently none set. If it left the factory without a default password,"
+	echo "this script does nothing, since there is no default password already. If it left"
+	echo "the factory with the BlueTooth PIN code as password that will be restored"
+	echo
+	echo "The intended usage is that after running a factory default script, i.o.w removing"
+	echo "most of /data, this script will be called to restore the default password to"
+	echo "factory default. Which migh be the PIN code or none at all."
+fi
+
+if [ ! -f /data/conf/vncpassword.txt ]; then
+    installer_version="$(sed -n '3p' /data/venus/installer-version 2>/dev/null)"
+
+    if ./ve-is-password-set-by-default; then
+        ./ve-set-passwd-to-pincode
+    fi
+fi
+
diff --git a/meta-bsp/recipes-bsp/machine-runtime-conf/files/ve-set-passwd-to-pincode b/meta-bsp/recipes-bsp/machine-runtime-conf/files/ve-set-passwd-to-pincode
@@ -0,0 +1,44 @@
+#!/usr/bin/python3
+
+import argparse
+import bcrypt
+import glob
+import os
+import subprocess
+
+from datetime import datetime
+
+parser = argparse.ArgumentParser(
+		description='Set the default password to the BlueTooth pincode as read from the EEPROM.',
+		epilog='Victron Energy B.V.'
+	)
+parser.add_argument('--allow-default', action='store_true', help='Assume a default 000000 pincode if reading from the EEPROM failed');
+
+args = parser.parse_args()
+
+pin = "000000"
+try:
+	pin = subprocess.check_output(['/opt/victronenergy/venus-eeprom/eeprom', '--show', 'bluetooth-pin'], encoding="utf-8").strip()
+except:
+	if not args.allow_default:
+		print("Reading the pincode from the EEPROM failed, giving up!", file=sys.stderr)
+		os.exit(1)
+	pass
+
+# Check randomness, since this might run during boot.
+hash = bcrypt.hashpw(pin.encode('utf-8'), bcrypt.gensalt(prefix=b"2a", rounds=8))
+
+# syncs -> make sure it is actually on the storage medium, so it is still there if power is cut.
+passwd_file = "/data/conf/vncpassword.txt"
+with open(passwd_file + ".tmp", "w") as f:
+	f.write(hash.decode('utf-8'))
+	f.flush()
+	os.fsync(f.fileno())
+
+os.rename(passwd_file + ".tmp", passwd_file);
+
+dst_dir = os.path.dirname(passwd_file)
+fd = os.open(dst_dir, 0)
+os.fsync(fd)
+os.close(fd)
+
diff --git a/meta-bsp/recipes-bsp/machine-runtime-conf/machine-runtime-conf_0.3.bb b/meta-bsp/recipes-bsp/machine-runtime-conf/machine-runtime-conf_0.3.bb
@@ -16,6 +16,9 @@ SRC_URI += " \
     file://product-id \
     file://product-name \
     file://machine-conf.sh \
+    file://ve-is-password-set-by-default \
+    file://ve-password-as-in-factory \
+    file://ve-set-passwd-to-pincode \
 "
 SRC_URI:append:ccgx = " file://get-unique-id.c"
 SRC_URI:append:sunxi = "\
@@ -26,7 +29,7 @@ SRC_URI:append:sunxi = "\
 
 inherit update-rc.d
 
-RDEPENDS:${PN} += "bash"
+RDEPENDS:${PN} += "bash python3-core"
 
 INITSCRIPT_NAME = "machine-conf.sh"
 INITSCRIPT_PARAMS = "start 90 S ."
@@ -79,6 +82,9 @@ do_install:append() {
 
     install -d ${D}/${base_sbindir}
     install -m 755 ${WORKDIR}/get-unique-id ${D}/${base_sbindir}
+    install -m 755 ${WORKDIR}/ve-is-password-set-by-default ${D}/${base_sbindir}
+    install -m 755 ${WORKDIR}/ve-password-as-in-factory ${D}/${base_sbindir}
+    install -m 755 ${WORKDIR}/ve-set-passwd-to-pincode ${D}/${base_sbindir}
 
     install -d ${D}/${bindir}
     install -m 755 ${WORKDIR}/bad-unique-id ${D}/${bindir}