We have had two reports of people in the field having their Eggtimer WiFi-enabled altimeter fire a charge on the pad. In both of those instances, the user had "swiped" the page from a deployment test that they had just conducted (instead of the recommended procedure of closing the page), powered off their altimeter, put the rocket on the pad, restored the "swiped" page, then connected to the altimeter again. Essentially, this is a browser "replay"... the browser is re-sending the last request to the server (your altimeter), and if the conditions are right then the server will repeat the last response (in this case, performing the deployment test). This is essentially the same as being on a shopping site and clicking on "Pay" twice... since the server is busy handling the first request when you click on the second one, it caches the request and resends it when the server becomes available again. And your credit card gets billed twice.
The technical reason that this happened (besides not closing the page...) was that the 4-digit validation code that was entered into the deployment test page and embedded in the browser's request was still valid in the altimeter, because the request was the first one that occurred after power-on. Previously, the validation codes were generated with a pseudo-random number generator; the codes changed "randomly" but they were always in the same sequence after power-on. Since the user performed these tasks right after power-on, they got the same code, so the "swiped" page request was still valid, and the altimeter honored the request.
Although this is technically not the fault of the code (it did what it was told to do), we have made a change in the firmware to prevent such a browser replay from occurring. We have changed the validation code generation routine so that it is based on the number of milliseconds that the altimeter has been powered on, rather than a pseudo-random number generation. The validation codes no longer repeat on successive power-ups, no longer repeat in the same sequence, and it is extremely unlikely that a cached/swiped page will have the active validation code embedded in it. We have also highlighted several times in the documentation that the recommended procedure after you have submitted a deployment test or arming page is to CLOSE the page, NOT "swipe" it "closed" (since swiping it does NOT close the page). Firmware updates with this updated code are now on the EggtimerRocketry.com web site under the Support tab, for the Quantum, Proton, and Quasar altimeters.
Although this "bug" is a consequence of going against the recommended operational procedure, we recommend that all users update their firmware regardless.
As usual, thanks for your continued support!
Cris Erving, Eggtimer Rocketry
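The replay described in the post above and the effect of the firmware change, modelled as an added example; this is not Eggtimer's firmware or code from the post. The generator, its fixed seed, the timings, and the "uptime modulo 10000" mapping are assumptions, and the third case shows that two power-ups whose page is served at the same uptime modulo 10000 still yield the same code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not Eggtimer firmware: the LCG, its seed and the
   "uptime mod 10000" mapping are assumptions made for illustration. */
typedef struct {
    bool     use_uptime;  /* false = old PRNG scheme, true = uptime scheme */
    uint32_t prng;        /* PRNG state, reset to the same seed at power-on */
    uint32_t uptime_ms;   /* milliseconds since power-on */
    uint16_t active;      /* 4-digit code embedded in the page being served */
} altimeter_t;

/* Rotate the active validation code using the selected scheme. */
static void next_code(altimeter_t *a) {
    a->prng = a->prng * 1103515245u + 12345u;
    uint32_t v = a->use_uptime ? a->uptime_ms : (a->prng >> 16);
    a->active = (uint16_t)(v % 10000u);
}

/* Power-on; the first page is served ms_to_page milliseconds later. */
void power_on(altimeter_t *a, bool use_uptime, uint32_t ms_to_page) {
    a->use_uptime = use_uptime;
    a->prng = 1u;                 /* fixed seed: same sequence every boot */
    a->uptime_ms = ms_to_page;
    next_code(a);
}

/* True means the deployment test would run. The code rotates either way. */
bool handle_request(altimeter_t *a, uint16_t code) {
    bool ok = (code == a->active);
    a->uptime_ms += 137u;         /* constructed processing delay */
    next_code(a);
    return ok;
}

/* Bench test, power cycle, then the restored page re-sends its old request. */
bool replay_fires(bool use_uptime, uint32_t ms_bench, uint32_t ms_pad) {
    altimeter_t a;
    power_on(&a, use_uptime, ms_bench);
    uint16_t cached = a.active;   /* code embedded in the "swiped" page */
    handle_request(&a, cached);   /* legitimate deployment test */
    power_on(&a, use_uptime, ms_pad);
    return handle_request(&a, cached);
}

int main(void) {
    printf("old=%d uptime=%d uptime_same_ms=%d\n", replay_fires(false, 4210, 5875),
           replay_fires(true, 4210, 5875), replay_fires(true, 4210, 14210));
}
```

A code that is additionally tied to a per-boot value from a hardware entropy source would not repeat even when the timing does.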