OpenSprinkler Forums OpenSprinkler Unified Firmware Is the API working on firmware 2.1.3?

  • #36482

    Claudio
    Participant

    If I try the URL http://ospi:8080/jo?pw=mypassword I get a {"fwv":213} response, not the JSON with all the variables. Other commands such as /jc?pw=mypassword return {"result":2} (unauthorized). I am sure the password is correct. What am I doing wrong?

    #36495

    Jared
    Participant

    I’m also seeing a problem. It seems like it isn’t able to authenticate the password. I’m trying to update the script url: http://{ipaddress}/cu?pw={password}&jsp={newscripturl}, and I get the same {"result":2} response. If I go into Options->Advanced and select “Ignore Password”, then it works.

    I’m using OpenSprinkler hardware rev 2.3.

    #36498

    Brian
    Participant

    Have you tried with the password MD5 hashed?

    #36499

    Claudio
    Participant

    With the password MD5 hashed it works as expected. Thanks. It makes sense, you don’t want to send your password in clear.

    #36500

    Brian
    Participant

    The MD5 password hashing feature was added in 2.1.3, and appears to be required now (cleartext passwords will no longer work). Ray has a brief writeup on the change in the 2.1.3 firmware release announcement.

    #36559

    Jared
    Participant

    That makes sense, thanks! I guess I missed the post, is the user manual going to be updated as well?

    #36562

    Samer
    Keymaster

    Yes, the user manual will be updated; however, schedules have been very busy and keeping up is difficult.

    With that said, I apologize for the documentation falling out of sync with the software but we will remedy this ASAP.

    Thank you!

    #36565

    John
    Participant

    Note that the MD5 hash must be in LOWER CASE.

    That is:
    3EC21257E0DF5194E94A1F0FEF3F654F
    is not:
    3ec21257e0df5194e94a1f0fef3f654f

    for the purposes of successful API pw= authentication.

    #36979

    CrackerStealth
    Participant

    Can I get clarification on the MD5 password hashing with the API? Is it ONLY added and supported in 2.1.3 and up, or was it possible to send MD5 password hashes in 2.1.0, 2.1.1 and 2.1.2 with the API, but not required?

    #36983

    Samer
    Keymaster

    So, firmware prior to 2.1.3 did not correctly store 32 character strings (the length of an MD5 hash) and therefore was not really supported.

    #36985

    CrackerStealth
    Participant

    I should be more specific, let’s say I have firmware 2.1.0, 2.1.1 or 2.1.2 on my OpenSprinkler and I try to access an api endpoint like so: http://<op>/jc?pw=a6d82bced638de3def1e9bbb4983225c (where the password for the device is “opendoor” and “a6d82bced638de3def1e9bbb4983225c” is the password MD5 hash for opendoor); is the data for the endpoint returned, or is an error returned?

    I’m too lazy to downgrade my firmware and find out for myself.

    #36987

    Samer
    Keymaster

    Oh, okay, I understand now. Yes, it gives a password invalid error on prior firmwares.

    #36989

    Ray
    Keymaster

    It depends on the specific command. For the /jc command, if the password is correct, it returns JSON data of controller variables. If the password is incorrect, it will return an error code. For other commands (such as /cc) which are GET commands to change controller variables, it always returns an error code (with 1 indicating it has succeeded and any number other than 1 indicating an error). The list of error codes is in the source code:
    https://github.com/OpenSprinkler/OpenSprinklerGen2/blob/master/server.cpp#L74

    #41554

    lucadealfaro
    Participant

    Btw, to be precise, it doesn’t make sense to say “md5 hashed”. How is the hash encoded?
    It would be more precise to specify: the hexadecimal representation of the md5 hash.
    A hash is a binary number and it can be represented in many formats (base64, octal, etc).

    #41591

    Ray
    Keymaster

    Well, typically when we refer to MD5 we mean hex coded. This is pretty common and I’ve never seen MD5 presented in binary or octal. I think to say ‘the API requires md5 hash of the plain text password’ is pretty accurate.
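
Editor's added example (not part of any post above, and not OpenSprinkler project code): a small Python helper that builds the pw= value the thread describes for firmware 2.1.3 (lowercase hex MD5 of the plain-text password) and interprets the replies reported here. The function names, the host value and the sample response bodies are assumptions constructed for illustration; only result codes 1 and 2 and the fwv-only reply are taken from the thread.

```python
import hashlib
import json
import re
from urllib.parse import urlencode


def pw_param(password: str) -> str:
    """Lowercase hex MD5 of the plain-text password (hexdigest() is lowercase)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def normalize_digest(digest: str) -> str:
    """Validate a digest computed elsewhere and lower-case it."""
    if not re.fullmatch(r"[0-9a-fA-F]{32}", digest):
        raise ValueError("expected 32 hex characters (an MD5 digest)")
    return digest.lower()


def build_url(host: str, command: str, password: str, **params: str) -> str:
    # The digest is what the device accepts as pw=, so the finished URL is
    # itself a credential: keep it out of logs and shared scripts.
    query = {"pw": pw_param(password), **params}
    return f"http://{host}/{command}?{urlencode(query)}"


def classify(command: str, body: str) -> str:
    """Map a response body to an outcome using only what the thread reports."""
    data = json.loads(body)
    result = data.get("result")
    if result == 1:
        return "ok"
    if result == 2:
        return "unauthorized"
    if result is not None:
        return f"error {result}"  # other codes: see the server.cpp link above
    if command == "jo" and set(data) == {"fwv"}:
        # Reported in the first post: only the firmware version comes back.
        return "unauthorized (firmware version only)"
    return "data"


if __name__ == "__main__":
    # Constructed sample responses, mirroring those quoted in the thread.
    print(build_url("ospi:8080", "jc", "opendoor"))
    for cmd, body in [("jo", '{"fwv":213}'), ("jc", '{"result":2}'), ("cc", '{"result":1}')]:
        print(cmd, "->", classify(cmd, body))
```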
