
CC3220SF: OTA bundle private key error: wrong key file

Part Number: CC3220SF
Other Parts Discussed in Thread: UNIFLASH

Hello,

I am trying to implement an OTA update. mcuflashimg.bin is signed and flashed together with the OTP and the vendor catalog over UART successfully. That works well without any security/certificate problems.
When I try to flash via OTA, the procedure fails with OtaArchive status=-20199. I think it is because the OTA archive is created without security/private key. When I try to create the OTA archive with the vendor private key, it fails with "Error: Create Basic OTA Error: Wrong key file".

I'm using:

  • SimpleLink SDK 6.10
  • UniFlash 8.6
  • mcu image key/certificate
  • Creating the OTA

Which key should I use? 

Thanks!

Sebastian

  • Please read the OTA documentation (specifically see chapter 3.2 in <SDK_ROOT_FOLDER>/docs/simplelink_mcu_sdk/Over_The_Air_Update_Guide.html).

    The secure image certificate can only use an ECC key (secp256r1 elliptic curve private key), as the authenticity of the full image is verified using the CC32xx Crypto Utils, where RSA is not supported - see more details in chapter 17 of the programmer's guide (the code can be found in <SDK>/source/ti/net/ota/source/ota_archive.c).

    To enable this you will also need to program the certificate to the CC32xx file system (name it "dummy_ota_vendor_cert.der" or change the definition in ota_archive.c) before you try to load the image.

    For development you can use the example key-pair in "<SDK>/tools/cc32xx_tools/ota-example-cert/". For production, you will need to create your own key-pair based on the supported elliptic curve.

  • Thanks Kobi,

    I will check the Holiday tomorrow.

  • Hi Kobi, for testing purposes I used the dummy OTA key and cert and added the cert to the vendor cert catalog. The dummy OTA cert is included in the user files, and OTA_CERTIFICATE_NAME in otaArchive.c is adapted to the OTA cert. The device is flashed via UniFlash to update the cert catalog.
    The OTA image is created successfully. The OTA update itself still fails with -20199.
    Is it necessary to sign the OTA certificate with the vendor key?

  • No, the OTA certificate must be self-signed (root).

    If you've changed OTA_CERTIFICATE_NAME, you will need to rebuild the OTA library (before building the app).

    Please also uncomment "#define SL_ENABLE_OTA_DEBUG_TRACES" in "otauser.h" before building the OTA library, which will add some logs.

  • I did both. However, I noticed that the debug information is only displayed in the console when the image is flashed, not during JTAG debugging. I've made progress now and was able to trace it back to outdated and invalid server data and an error in the code that didn't stop the process despite the absence of a .tar file. With the dummy OTA key/cert it works now! However, I'm struggling with my own key/cert. OTA fails with -12291. Here's how I generated the key:

    openssl ecparam -name secp256k1 -genkey -noout -out ota_key.pem

    And I generated the certificate with CN = ota_cert:

    openssl req -extensions v3_ca -key ota_key.pem -new -x509 -days 3650 -out ota_cert -outform DER -nodes

    Do you have any hints?

    Thanks a lot for your help!

  • Try to use secp256r1 instead of secp256k1.

    # OpenSSL knows secp256r1 by the name prime256v1 (NIST P-256)
    openssl ecparam -name prime256v1 -genkey -noout -outform DER -out key.der
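The following script is an added example and not code from this thread or from the TI SDK. It puts the two requirements stated above into a repeatable form: the OTA signing key must be on secp256r1 (which OpenSSL names prime256v1) and the OTA certificate must be self-signed, emitted as DER. The check functions read the curve OID and the subject/issuer back out of the generated files, so a key on the wrong curve (such as the secp256k1 key from the earlier post) is caught before it ever reaches the vendor catalog or the device. Directory and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the TI SDK): generate a secp256r1 OTA
# signing key-pair, write a self-signed DER certificate, and check both before
# using them with UniFlash. File and directory names are assumptions.
set -eu

# Print the curve name recorded in an EC private key ("PEM" or "DER" input).
ec_key_curve() {
    openssl ec -inform "$1" -in "$2" -noout -text 2>/dev/null \
        | sed -n 's/^ASN1 OID: //p'
}

# Succeed only for secp256r1, which OpenSSL reports as prime256v1.
check_ota_key_curve() {
    [ "$(ec_key_curve "$1" "$2")" = "prime256v1" ]
}

# Succeed only if the DER certificate is self-signed (issuer equals subject)
# and carries an ECDSA-with-SHA256 signature.
check_ota_cert_self_signed() {
    subj=$(openssl x509 -inform DER -in "$1" -noout -subject)
    iss=$(openssl x509 -inform DER -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] &&
        openssl x509 -inform DER -in "$1" -noout -text | grep -q 'ecdsa-with-SHA256'
}

# Write ota_key.pem, ota_key.der and a self-signed ota_cert.der (CN given as $2)
# into directory $1. prime256v1 is OpenSSL's name for secp256r1.
gen_ota_keypair() {
    mkdir -p "$1"
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ota_key.pem"
    openssl ec -in "$1/ota_key.pem" -outform DER -out "$1/ota_key.der" 2>/dev/null
    openssl req -new -x509 -key "$1/ota_key.pem" -days 3650 \
        -subj "/CN=$2" -outform DER -out "$1/ota_cert.der"
}

# Demo: a freshly generated key passes; a secp256k1 key (the curve used in the
# earlier post) is rejected by the same check.
demo() {
    d=$(mktemp -d)
    gen_ota_keypair "$d/good" ota_cert
    openssl ecparam -name secp256k1 -genkey -noout -out "$d/bad_key.pem"
    check_ota_key_curve DER "$d/good/ota_key.der" && echo "good key: curve ok"
    check_ota_key_curve PEM "$d/bad_key.pem" ||
        echo "bad key: $(ec_key_curve PEM "$d/bad_key.pem"), rejected"
    check_ota_cert_self_signed "$d/good/ota_cert.der" && echo "cert: self-signed ECDSA"
    rm -rf "$d"
}
demo
```

Run it once to see the good/bad contrast, then call gen_ota_keypair with your own directory and CN; the resulting ota_cert.der is what goes into the vendor certificate catalog and onto the device file system, and ota_key.der is what the OTA archive is signed with.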

  • Ahh, such crap! That's it! Now it works! Thank you for your time and patience!

    regards
    Sebastian