LAUNCHXL-CC3235SF: Secure OTA on CC3235SF

Part Number: LAUNCHXL-CC3235SF
Other Parts Discussed in Thread: UNIFLASH, CC3235SF

Hi,

I am using the LAUNCHXL-CC3235SF with SDK simplelink_cc32xx_sdk_5_20_00_06. I have implemented custom code for OTA and have some queries on the OTA part.

1) Is it possible to update only the mcuflashimg.bin?

2) To achieve secure OTA, does the root certificate have to be updated along with mcuflashimg.bin?

Thanks,

Nagaraj

  • Our OTA library is based on a tar file (created by UniFlash or CCS) as the container for the updated files.

    The content can be one file, but for a secure file such as the MCU image (as you requested in 1) you will need to add at least the root CA certificate that verifies it (even if the certificate is already on the file system). Of course you can also use the tar file with multiple files (e.g. SP + MCU image + user files).

    At least in CCS you can select for each file whether it will be included in the OTA image (i.e. in the TAR file).

    With UniFlash, if you just want the MCU image, create an empty UniFlash project and only add the MCU image (with the root CA that verifies it) for generating the OTA image.

    Regarding question 2: the root CA that verifies the secure OTA image (by default named "dummy_ota_vendor_cert.der") needs to be installed on the file system before the OTA update.

  • Hi Kobi,

    Thanks for the reply. Is it possible to do OTA of single user files on the device from a server, and is it required to add a cert file/key for user files?

    I am trying to build the cloud_ota demo but I am getting the build error "Fatal Error[Ms007]: could not open file "ti/net/ota/iar/Release/ota.a" C:\ti\simplelink_cc32xx_sdk_5_20_00_06\examples\rtos\CC3235SF_LAUNCHXL\demos\cloud_ota\freertos\iar\ti_utils_build_linker.cmd.genlibs 35"

    Thanks,

    Nagaraj

  • You can do OTA for a user file, and it will require the certificate only if the file is defined as secure.

    You will need to compile the OTA library for IAR with your "cloud vendor" settings in "otauser.h".

    See the OTA documentation: www.ti.com/.../swra510

  • Hi Kobi,

    I have downloaded the latest simplelink_cc32xx_sdk_6_10_00_05. In this SDK the ota.a lib was available in "C:\ti\simplelink_cc32xx_sdk_6_10_00_05\source\ti\net\ota\iar\Release". For testing the OTA demo I tried to build the mqtt_client demo. The code was hanging at configASSERT( ( pxTimer->xTimerPeriodInTicks > 0 ) ); in the prvProcessReceivedCommands function.

    Where can I modify the code so that I can predefine a custom URL in code and download the OTA image from the custom URL on a button press?

    Thanks,

    Nagaraj

  • Hi Kobi,

    I wanted to download the OTA file from a server other than GitHub and Dropbox. I have set #define OTA_SERVER_TYPE OTA_FILE_DOWNLOAD in otauser.h and set the custom URL for downloading the .tar file in the g_OtaTarFileURL variable. I was able to connect to the custom server without certificates, but was not able to download the .tar files. Please find below the log from running the cloud OTA app.

    ********************************************************************************
    OTA APP Application - Version 0.10.00.03
    ********************************************************************************

    SimpleLinkInitCallback: started in role 0
    Host Driver Version: 3.0.1.71
    Build Version 4.13.0.2.31.3.7.0.1.3.1.0.26
    STA connected to AP IMPLANTAIRE1, BSSID is 40:3f:8c:f4:85:16
    IPv4 acquired: IP = 192.168.11.156
    Gateway = 192.168.11.1
    Pinging GW...!
    Ping done. Success rate: 66%

    HandlePingComplete: PingCounter=1
    Pinging GW...!
    Ping done. Success rate: 100%

    HandlePingComplete: PingCounter=2
    Pinging GW...!
    Ping done. Success rate: 100%

    HandlePingComplete: OTA Command arrived
    OtaInit: statistics = 0, 0, 0
    OtaInit: call Ota_init
    OtaRunStep: WARNING Ota_run, Status=20008, continue fornext OTA retry

    OtaRunStep: WARNING Ota_run, Status=20008, continue fornext OTA retry

    OtaRunStep: WARNING Ota_run, Status=20008, continue fornext OTA retry

    OtaRunStep: WARNING Ota_run, Status=20008, continue fornext OTA retry


    OtaRunStep: FATAL ERROR from Ota_run -21003 !!!!!!!!!!!!!!!!!!!!!!!!!!!

    Test failed: State = 6, Event = 17
    Event handler failed..!!

    Thanks,

    Nagaraj

  • Please enable the OTA lib logs (uncomment "#define SL_ENABLE_OTA_DEBUG_TRACES" in otauser.h) to see more details on the error.

    Note that starting with SDK 6.10, we offer a new method of OTA shown within the MQTT client example.

    Check the readme of the application: the integration of a specific OTA server is done within the application code. Check the reference code for Dropbox and GitHub (under the ifmod/ folder) and update it according to your server (the OTA lib is still needed, but just for the OTA TAR parsing).

  • Hi Kobi,

    Thanks for the reply. It is working fine after downloading the latest SDK 6.10 example code. I have one doubt: how can I secure the "dummy-root-ca-cert", "dummy-trusted-cert", "dummy_ota_vendor_cert.der" and our certificate files created during provisioning of the device?

    Thanks,

    Nagaraj

  • What do you mean by securing the certificate files?

    Don't use our dummy certificates in a real product - they are not secure since the keys are open. 

    Also, the public certificate typically can be non-secure.

    But you create these files with the security flags, as for other secure files (see chapter 7 in the programmer's guide).
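
Added example (not part of any post in this thread and not TI code): a host-side Python check to run on an OTA tar before release, covering two points from the replies above: a secure MCU image needs a certificate packaged with it, and the SDK dummy certificates must not ship in a product. The member paths in the sample, the dummy_digests parameter and the certificate heuristic are assumptions made for this example.

```python
import hashlib
import io
import tarfile

# Development certificate names quoted in this thread.
DUMMY_NAMES = {"dummy-root-ca-cert", "dummy-trusted-cert", "dummy_ota_vendor_cert.der"}
MCU_IMAGE = "mcuflashimg.bin"

def looks_like_cert(data):
    # Heuristic (assumption): PEM header, or a DER SEQUENCE with a 2-byte length.
    return data.startswith(b"-----BEGIN CERTIFICATE-----") or data[:2] == b"\x30\x82"

def audit_ota_tar(tar_bytes, dummy_digests=frozenset()):
    """Return (member, reason) findings. dummy_digests holds SHA-256 hex digests
    of the SDK's dummy certificates, computed by the caller from their own SDK."""
    findings, has_image, has_cert = [], False, False
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            base = member.name.rsplit("/", 1)[-1]
            data = tar.extractfile(member).read()
            has_image |= base == MCU_IMAGE
            has_cert |= looks_like_cert(data)
            if base in DUMMY_NAMES:
                findings.append((member.name, "dummy certificate name"))
            elif hashlib.sha256(data).hexdigest() in dummy_digests:
                # Catches a dummy certificate that was only renamed.
                findings.append((member.name, "dummy certificate content"))
    if has_image and not has_cert:
        findings.append((MCU_IMAGE, "no certificate packaged with the MCU image"))
    return findings

def build_sample_tar(files):
    """Build an in-memory tar from {path: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: a renamed copy of a dummy certificate next to the image.
    dummy = b"\x30\x82" + b"constructed-dummy-cert"
    sample = build_sample_tar({"0/sys/mcuflashimg.bin": b"\x00" * 16, "0/vendor_ca.der": dummy})
    print(audit_ota_tar(sample, {hashlib.sha256(dummy).hexdigest()}))
```

An empty result means none of these checks fired; it does not show that the certificate in the tar is the one that actually verifies the image.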

  • Hi kobi,

    We have a requirement to connect the device to AWS IoT. Certificates are provisioned from the server and written to "/cert/ca.pem", "/cert/cert.pem" and "/cert/key.pem". Are these secured by default, or should we open these files with secure flags?

    Client certificates which are downloaded from the server have to be secured in the file system.

    Thanks,

    Nagaraj

  • You should create the files as secured. Certificate (and key) files are considered just user files, so there is no default security involved other than what the user configures.