Where can I find the latest firmware download link? I have a Bond Smart Bridge (BD-1000) currently running v2.22.6 out of the box. I am not using the mobile app (nor do I want to install it on my phone) and I do not have my bridge connected to the internet. The API says there is a command to update (PUT /v2/sys/upgrade) but I cannot find any place to manually download the package so I can host it on my own server.
The Bond team has had to provide the parameters for any command line upgrades in the past.
If you don’t have the app installed and are not willing to do so, you can try to set up by connecting to the WebGUI of the setup access point and seeing how far you can get in the process - but without an account code (which is available in the app when logged in), I am not sure you’ll be able to finish setup and the automatic upgrade to latest public firmware.
Also note, you may be able to get some assistance via firstname.lastname@example.org (since you don’t have the app installed and therefore cannot use their in-app Chat support).
Also, all that being said, it would still be a firmware download over the Internet.
Not sure the Bond team publishes the firmware packages anywhere for public download.
I know it goes against your express desire, but it is probably easiest if you connect the Bridge to the internet and the app to get firmware downloads (and ability to opt into Beta firmwares etc. if you so choose).
Thanks. I have my own integration of the device so I can easily do the update and point it to my own server. I would download the image from a different system and transfer it to my isolated network so there is no issue with that.
Doesn’t make a lot of sense to publish an open API for pushing an update if the firmware is only available through a closed app.
It is available over the Internet, but as far as I’ve ever seen, only a direct to-device firmware load (and the URLs currently have to be provided by the Bond team).
Upgrades can also be performed via the bond-cli command line tool (GitHub - bondhome/bond-cli: Bond Command Line Interface), but the way that works is, it determines the download URL and then sends it over to the Bond Bridge via a REST request, and the Bridge downloads from the internet.
We do respect your air-gapped use-case @MoneyPenny, though we don’t have a tool that provides for sideloading out-of-the-box. Here’s a quick rundown of how you might do this:
- download the bond-cli tool to your PC
- modify the python code at this line to print out the URL here: bond-cli/upgrade.py at 83fe4b6822b17472bb9884c18a750df7a90a2c89 · bondhome/bond-cli · GitHub
- run bond upgrade master (or bond upgrade beta) to get the URL. The actual upgrade will presumably fail because your Bond unit is blocked from internet access.
- now you know the URL of the firmware BIN file that you want to load.
- download that BIN file to an HTTP server on your local network
- again modify the python code around the same line to override the
- run the upgrade again. This time the Bridge will look to your local server instead of the public internet.
We do support sideloading of backup/restore, which you may appreciate once you upgrade the FW on your unit. I’ll keep in mind this desire of sideloading firmware and maybe we’ll add it to the cli at some point.
I would appreciate a few words from you about why you air-gap. Purely for security reasons? Mostly concerned about Bond cloud getting hacked? Or is it more about attacks from elsewhere on the public internet? Or attacks from other devices on your LAN or via browser holes? — Your input can help us understand what users want in terms of security flexibility.
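The local-hosting step from the rundown above, as an added example (not Bond's or bond-cli's code): a Python server that serves only the one firmware image, plus a SHA-256 helper for comparing the copy on each side of the air gap. It assumes the Bridge fetches the image with a plain HTTP GET; the function names and the file name firmware.bin are hypothetical.

```python
import hashlib
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path


def sha256_file(path):
    """Hash the image so the copy carried onto the isolated LAN can be
    compared with the copy taken on the internet-connected machine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_server(image_path, bind_addr, port=0):
    """Serve exactly one file at /<filename>; every other path is a 404."""
    image = Path(image_path)
    data = image.read_bytes()
    route = "/" + image.name
    requested_by = []  # client IPs that asked for the image

    class OneFile(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != route:
                self.send_error(404)
                return
            requested_by.append(self.client_address[0])
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

    # Bind to the isolated-LAN address only, not 0.0.0.0.
    server = ThreadingHTTPServer((bind_addr, port), OneFile)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, route, requested_by


if __name__ == "__main__":
    import tempfile, urllib.request
    with tempfile.TemporaryDirectory() as tmp:
        img = Path(tmp) / "firmware.bin"  # constructed stand-in, not real firmware
        img.write_bytes(b"constructed sample image")
        srv, route, seen = make_server(img, "127.0.0.1")
        url = f"http://127.0.0.1:{srv.server_address[1]}{route}"
        body = urllib.request.urlopen(url).read()
        print(url, hashlib.sha256(body).hexdigest() == sha256_file(img), seen)
        srv.shutdown()
```

After the upgrade attempt, requested_by (and the default access log on stderr) shows whether the Bridge's address actually fetched the image from the local server.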
Awesome. Thanks for pointing me to the bond-cli code. From that I found the S3 bucket information and could get the JSON manifest (https://s3.amazonaws.com/bond-updates/v2/zermatt/master-zermatt/versions_internal.json) which then let me download the firmware image.
As for my air-gapped network, it’s primarily privacy related. I don’t like things phoning home. Cloud security is a secondary concern. It’s not just Bond specific either. It’s all of the IOT devices on my network. I recognize it’s a trade-off in functionality but the ability to turn a device on or off when I’m not home isn’t all that compelling to me.
The other reason, and not really related to the security, is the hassle of dealing with too many apps. I only buy devices that have an open API which I can integrate into my own solution so I only have a single point to control and monitor everything.