Merge pull request #596 from Foundation-Devices/SFT-5260

mjg-foundation · web-flow · commit 0253300f3a04 · 2025-12-01T19:46:42.000-06:00
SFT-5620: Check magic bytes correctly.
diff --git a/extmod/foundation-rust/include/foundation.h b/extmod/foundation-rust/include/foundation.h
@@ -20,6 +20,10 @@
 
 #define VERSION_LEN 8
 
+#define FIRMWARE_MAGIC_MONO 1346458451
+
+#define FIRMWARE_MAGIC_COLOR 1397965136
+
 /**
  * Maximum size of an encoded Uniform Resource.
  *
@@ -183,6 +187,7 @@ typedef enum {
 
 typedef struct {
   char version[VERSION_LEN];
+  uint32_t magic;
   bool signed_by_user;
 } FirmwareResult_HeaderOk_Body;
 
diff --git a/extmod/foundation-rust/src/firmware.rs b/extmod/foundation-rust/src/firmware.rs
@@ -9,6 +9,15 @@ use secp256k1::PublicKey;
 
 pub const VERSION_LEN: usize = 8;
 
+// These are defined here as cbindgen does not support generating C
+// definitions for items outside of this crate.
+//
+// Note: keep in sync. with:
+//
+//  - ports/stm32/boards/Passport/include/fwheader.h
+pub const FIRMWARE_MAGIC_MONO: u32 = 0x50415353;
+pub const FIRMWARE_MAGIC_COLOR: u32 = 0x53534150;
+
 /// The result of the firmware update verification.
 /// cbindgen:rename-all=ScreamingSnakeCase
 /// cbindgen:prefix-with-name
@@ -18,6 +27,7 @@ pub enum FirmwareResult {
     /// The firmware validation succeed.
     HeaderOk {
         version: [c_char; VERSION_LEN],
+        magic: u32,
         signed_by_user: bool,
     },
     /// The header format is not valid.
@@ -143,6 +153,7 @@ pub extern "C" fn verify_update_header(
 
             *result = FirmwareResult::HeaderOk {
                 version,
+                magic: header.information.magic,
                 signed_by_user: header.is_signed_by_user(),
             };
         }
@@ -208,5 +219,13 @@ mod tests {
     #[test]
     fn sanity_test() {
         assert_eq!(VERSION_LEN, foundation_firmware::VERSION_LEN);
+        assert_eq!(
+            FIRMWARE_MAGIC_MONO,
+            foundation_firmware::Information::MAGIC_MONO
+        );
+        assert_eq!(
+            FIRMWARE_MAGIC_COLOR,
+            foundation_firmware::Information::MAGIC_COLOR
+        );
     }
 }
diff --git a/ports/stm32/boards/Passport/modpassport.c b/ports/stm32/boards/Passport/modpassport.c
@@ -19,6 +19,12 @@
 #include "se-config.h"
 #include "se.h"
 
+#if defined(SCREEN_MODE_MONO)
+#define FIRMWARE_MAGIC FIRMWARE_MAGIC_MONO
+#elif defined(SCREEN_MODE_COLOR)
+#define FIRMWARE_MAGIC FIRMWARE_MAGIC_COLOR
+#endif
+
 /// package: passport
 
 STATIC MP_DEFINE_EXCEPTION(InvalidFirmwareUpdate, Exception);
@@ -86,24 +92,29 @@ STATIC mp_obj_t mod_passport_verify_update_header(mp_obj_t header) {
                                              header_info.len,
                                              firmware_timestamp,
                                              &result);
-
     switch (result.tag) {
         case FIRMWARE_RESULT_HEADER_OK:
+            if (result.HEADER_OK.magic != FIRMWARE_MAGIC) {
+                mp_raise_msg(&mp_type_InvalidFirmwareUpdate,
+                             MP_ERROR_TEXT("The firmware is not for this device model."));
+            }
+
             tuple[0] = mp_obj_new_str_copy(&mp_type_str,
                                            (const uint8_t*)result.HEADER_OK.version,
                                            strlen((const char*)result.HEADER_OK.version));
             tuple[1] = result.HEADER_OK.signed_by_user ? mp_const_true : mp_const_false;
             return mp_obj_new_tuple(2, tuple);
         case FIRMWARE_RESULT_INVALID_HEADER:
             mp_raise_msg(&mp_type_InvalidFirmwareUpdate,
-                         MP_ERROR_TEXT("Invalid firmware header"));
+                         MP_ERROR_TEXT("Invalid firmware header."));
+            break;
         case FIRMWARE_RESULT_UNKNOWN_MAGIC:
             mp_raise_msg(&mp_type_InvalidFirmwareUpdate,
-                         MP_ERROR_TEXT("Unknown firmware magic bytes"));
+                         MP_ERROR_TEXT("Unknown firmware magic bytes."));
             break;
         case FIRMWARE_RESULT_INVALID_TIMESTAMP:
             mp_raise_msg(&mp_type_InvalidFirmwareUpdate,
-                         MP_ERROR_TEXT("Invalid firmware timestamp"));
+                         MP_ERROR_TEXT("Invalid firmware timestamp."));
             break;
         case FIRMWARE_RESULT_TOO_SMALL:
             mp_raise_msg_varg(&mp_type_InvalidFirmwareUpdate,
