Remove authentication requirement on api/firmware/latest
Posted: August 19th, 2023, 8:11 pm
Right now it's difficult for Linux users to update the firmware because there's no update utility for Linux.
Per this thread, it's not hard to manually fetch the firmware, upload it to your USB stick, and do an update, but the process of getting the list of latest firmware files from the API requires either registering for a developer key or running the update utility on some other machine (or VM) and doing a MITM attack against yourself. This makes it obnoxious to get the files, and makes it difficult to help less technical users get the files.
If the route didn't require authentication it would be trivial for the community to come up with simple instructions or a script to do firmware updates, and I can't imagine there's much need for that route to be authenticated.
Alternatively, if making just one API route unauthenticated is problematic, just some page on the C2 website that provides a machine readable list of the lastest firmware files would achieve the same purpose.
Per this thread, it's not hard to manually fetch the firmware, upload it to your USB stick, and do an update, but the process of getting the list of latest firmware files from the API requires either registering for a developer key or running the update utility on some other machine (or VM) and doing a MITM attack against yourself. This makes it obnoxious to get the files, and makes it difficult to help less technical users get the files.
If the
Code: Select all
api/firmware/latestAlternatively, if making just one API route unauthenticated is problematic, just some page on the C2 website that provides a machine readable list of the lastest firmware files would achieve the same purpose.