Add bootloader SHA256 hash to JSON info (cherry-pick from main)

Co-authored-by: netmindz <442066+netmindz@users.noreply.github.com>

wled00/json.cpp

@@ -1,4 +1,5 @@
 #include "wled.h"
+#include "ota_update.h"
 
 #include "palettes.h"
 
@@ -755,6 +756,9 @@ void serializeInfo(JsonObject root)
   root[F("resetReason1")] = (int)rtc_get_reset_reason(1);
   #endif
   root[F("lwip")] = 0; //deprecated
+  #ifndef WLED_DISABLE_OTA
+  root[F("bootloaderSHA256")] = getBootloaderSHA256Hex();
+  #endif
 #else
   root[F("arch")] = "esp8266";
   root[F("core")] = ESP.getCoreVersion();

wled00/ota_update.cpp

@@ -3,12 +3,15 @@
 
 #ifdef ESP32
 #include <esp_ota_ops.h>
+#include <esp_spi_flash.h>
+#include <mbedtls/sha256.h>
 #endif
 
 // Platform-specific metadata locations
 #ifdef ESP32
 constexpr size_t METADATA_OFFSET = 256;          // ESP32: metadata appears after Espressif metadata
 #define UPDATE_ERROR errorString
+const size_t BOOTLOADER_OFFSET = 0x1000;
 #elif defined(ESP8266)
 constexpr size_t METADATA_OFFSET = 0x1000;     // ESP8266: metadata appears at 4KB offset
 #define UPDATE_ERROR getErrorString
@@ -253,4 +256,54 @@ void handleOTAData(AsyncWebServerRequest *request, size_t index, uint8_t *data,
     // Upload complete
     context->uploadComplete = true;
   }
-}
+}
+
+#if defined(ARDUINO_ARCH_ESP32) && !defined(WLED_DISABLE_OTA)
+static String bootloaderSHA256HexCache = "";
+
+// Calculate and cache the bootloader SHA256 digest as hex string
+void calculateBootloaderSHA256() {
+  if (!bootloaderSHA256HexCache.isEmpty()) return;
+
+  // Bootloader is at fixed offset 0x1000 (4KB) and is typically 32KB
+  const uint32_t bootloaderSize = 0x8000; // 32KB, typical bootloader size
+
+  // Calculate SHA256
+  uint8_t sha256[32];
+  mbedtls_sha256_context ctx;
+  mbedtls_sha256_init(&ctx);
+  mbedtls_sha256_starts(&ctx, 0); // 0 = SHA256 (not SHA224)
+
+  const size_t chunkSize = 256;
+  uint8_t buffer[chunkSize];
+
+  for (uint32_t offset = 0; offset < bootloaderSize; offset += chunkSize) {
+    size_t readSize = min((size_t)(bootloaderSize - offset), chunkSize);
+    if (spi_flash_read(BOOTLOADER_OFFSET + offset, buffer, readSize) == ESP_OK) {
+      mbedtls_sha256_update(&ctx, buffer, readSize);
+    }
+  }
+
+  mbedtls_sha256_finish(&ctx, sha256);
+  mbedtls_sha256_free(&ctx);
+
+  // Convert to hex string and cache it
+  char hex[65];
+  for (int i = 0; i < 32; i++) {
+    sprintf(hex + (i * 2), "%02x", sha256[i]);
+  }
+  hex[64] = '\0';
+  bootloaderSHA256HexCache = hex;
+}
+
+// Get bootloader SHA256 as hex string
+String getBootloaderSHA256Hex() {
+  calculateBootloaderSHA256();
+  return bootloaderSHA256HexCache;
+}
+
+// Invalidate cached bootloader SHA256 (call after bootloader update)
+void invalidateBootloaderSHA256Cache() {
+  bootloaderSHA256HexCache = "";
+}
+#endif

wled00/ota_update.h

@@ -50,3 +50,23 @@ std::pair<bool, String> getOTAResult(AsyncWebServerRequest *request);
  * @return bool indicating if a reply is necessary; string with error message if the update failed.
  */
 void handleOTAData(AsyncWebServerRequest *request, size_t index, uint8_t *data, size_t len, bool isFinal);
+
+#if defined(ARDUINO_ARCH_ESP32) && !defined(WLED_DISABLE_OTA)
+/**
+ * Calculate and cache the bootloader SHA256 digest
+ * Reads the bootloader from flash at offset 0x1000 and computes SHA256 hash
+ */
+void calculateBootloaderSHA256();
+
+/**
+ * Get bootloader SHA256 as hex string
+ * @return String containing 64-character hex representation of SHA256 hash
+ */
+String getBootloaderSHA256Hex();
+
+/**
+ * Invalidate cached bootloader SHA256 (call after bootloader update)
+ * Forces recalculation on next call to calculateBootloaderSHA256 or getBootloaderSHA256Hex
+ */
+void invalidateBootloaderSHA256Cache();
+#endif