Validate XOR checksum on all incoming BLE commands #39
skialpine wants to merge 1 commit into decentespresso:main from
Conversation
Previously only the tare command (0x0F) called validateChecksum(), and even then it only logged the result without rejecting bad packets. All other commands (power off, calibration, system reset, timer, LED, etc.) were processed without any checksum verification. Move the checksum validation to the top of the command dispatcher so all incoming commands are rejected if the XOR checksum doesn't match. This prevents corrupted BLE packets from triggering unintended actions like powering off the scale or starting calibration mid-shot. BLE has its own link-layer CRC so corruption is rare, but this is a low-cost defense-in-depth measure using the existing validateChecksum() function.
Thanks for the PR @skialpine ! Looks neat.

This is untested as I had issues building the firmware, but as I said above rather than just post an issue I thought I would propose a solution.

@Sofronio please take a look. I'm worried this would potentially break other client apps that do not care about the checksum byte, not including it in the payload. @skialpine thanks again - but I have my reservations as written above. From what I remember, the checksum byte is not really used and should be ignored on both sides - a discrepancy between the documentation and reality. But I could be wrong.

You are correct, this would break clients that do not send checksums. I will look at how important it is and get back to you.
This is untested, but rather than just report a bug I thought I would propose a fix.
Summary
Move the validateChecksum() call to the top of the BLE command dispatcher in onWrite().
Problem
The existing code has validateChecksum() and calculateChecksum() methods, but they were only used for the tare command (0x0F) — and even then, the result was only logged, not enforced. The tare executed regardless of checksum validity. All other commands — including power off (0x0A/0x02), system reset (0x1F), and calibration (0x1A) — were processed without any checksum verification.
Fix
A single validateChecksum() check at the top of the data[0] == 0x03 block, with early return on failure. This protects all commands with one check.
Risk
Low. BLE already has link-layer CRC, so corrupted packets reaching the application are rare. This is defense-in-depth using the existing validation function. The only behavioral change is that corrupted packets are now silently dropped instead of executed.
Testing
Found while writing unit tests for Decenza scale protocol parsing. Cross-referenced the openscale firmware to verify checksum behavior.
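The dispatcher shape the PR describes (one checksum check before any command runs), as an added example that is not the openscale firmware's code. The frame layout (0x03 header, command byte, optional payload, XOR of all preceding bytes as the trailing checksum byte) and every function and enum name here are assumptions, not the project's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed frame layout (not taken from the project):
 *   data[0]       = 0x03 command header
 *   data[1]       = command id
 *   data[2..n-2]  = payload (may be empty)
 *   data[n-1]     = XOR of every preceding byte                       */
enum { HDR_COMMAND = 0x03, CMD_POWER_OFF = 0x0A, CMD_TARE = 0x0F,
       CMD_CALIBRATE = 0x1A, CMD_SYSTEM_RESET = 0x1F };

typedef enum { ACT_NONE, ACT_POWER_OFF, ACT_TARE, ACT_CALIBRATE,
               ACT_RESET, ACT_UNKNOWN } action_t;

/* XOR of data[0 .. len-2]: the value the last byte must carry. */
uint8_t calculate_checksum(const uint8_t *data, size_t len) {
    uint8_t x = 0;
    for (size_t i = 0; i + 1 < len; i++) x ^= data[i];
    return x;
}

/* Too-short frames (no room for header, command and checksum) fail too,
 * which is what happens to a client that omits the checksum byte.      */
bool validate_checksum(const uint8_t *data, size_t len) {
    if (len < 3) return false;
    return calculate_checksum(data, len) == data[len - 1];
}

/* Dispatcher as the PR proposes: validate once, before any command. */
action_t on_write(const uint8_t *data, size_t len) {
    if (len == 0 || data[0] != HDR_COMMAND) return ACT_NONE;
    if (!validate_checksum(data, len)) return ACT_NONE; /* drop corrupted frame */
    switch (data[1]) {
        case CMD_POWER_OFF:    return ACT_POWER_OFF;
        case CMD_TARE:         return ACT_TARE;
        case CMD_CALIBRATE:    return ACT_CALIBRATE;
        case CMD_SYSTEM_RESET: return ACT_RESET;
        default:               return ACT_UNKNOWN;
    }
}

/* Builds a well-formed frame into out; returns its length. */
size_t build_frame(uint8_t cmd, const uint8_t *payload, size_t plen, uint8_t *out) {
    out[0] = HDR_COMMAND;
    out[1] = cmd;
    if (plen) memcpy(&out[2], payload, plen);
    out[2 + plen] = calculate_checksum(out, 3 + plen);
    return 3 + plen;
}
```

A frame sent without the trailing checksum byte fails validate_checksum (too short, or its last payload byte is compared as a checksum), which is exactly the compatibility break the reviewers raise above.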