CC3230SF: Wi-Fi forum

Part Number: CC3230SF
Other Parts Discussed in Thread: CC3220SF, UNIFLASH, CC3235SF

Tool/software:

Hi Ti,

I am posting in the forums regarding errors I am facing while building a custom catalog, as my current requirements require the use of ISRG Root X1 to connect to HiveMQ TLS, but the current TI playground is too outdated, and as such with the old Playground catalog we hit -468 (SL_ERROR_BSD_ESEC_UNKNOWN_ROOT_CA) to our MQTT broker.

Based on some previous forums and having a spare LaunchPad with the CC3220SF MCU, I as such decided to use that with UniFlash 6.0.

Setup

  • Device: CC3220SF LaunchPad (Secure), HW rev 49, MAC e4:15:f6:66:e1:8c.

  • OS/Tools: Windows 10, UniFlash v6.x (Advanced View)

  • SDK: SimpleLink CC32xx SDK 7.10.00.13

  • Service Pack loaded in UniFlash project: sp_3.22.0.1_2.7.0.0_2.2.0.7.bin

  • Goal: Update the Vendor Certificate Catalog to trust ISRG Root X1 (for MQTT/TLS to HiveMQ Cloud), and bind device(s) to our root.

What I followed (docs & forum references)

Exact steps (commands used)

1) ISRG Root X1 in DER

openssl x509 -in isrgrootx1.pem -outform der -out isrgrootx1.der

2) Create Vendor Root CA (public cert + private key)

cd C:\Certs\W8\root
openssl req -x509 -sha256 -days 3650 -newkey rsa:2048 -nodes ^
-keyout vendor_rootCA.key ^
-out vendor_rootCA.crt ^
-subj "/CN=innowave-root-ca"

REM Export formats you used later
openssl x509 -in vendor_rootCA.crt -outform der -out vendor_rootCA.der
openssl x509 -in vendor_rootCA.crt -outform pem -out vendor_rootCA_cert.pem
REM (private key in PEM)
openssl rsa -in vendor_rootCA.key -out vendor_rootCA_key.pem

3) Create App-Signing cert

cd C:\Certs\W8\app_signing
openssl req -newkey rsa:2048 -sha256 -nodes ^
-keyout app_signing.key ^
-out app_signing.csr ^
-subj "/CN=innowave-app-signing"

openssl x509 -req -CA ..\root\vendor_rootCA.crt -CAkey ..\root\vendor_rootCA.key ^
-in app_signing.csr -out app_signing.crt -days 3650 -CAcreateserial

REM Export formats you need
openssl x509 -in app_signing.crt -outform der -out app_signing.der
openssl x509 -in app_signing.crt -outform pem -out app_signing.pem

4) Build + sign the Vendor Catalog (ISRG Root X1)

cd C:\ti\uniflash_6.0.0\simplelink\imagecreator\bin

SLImageCreator.exe tools make_cert_catalog ^
--cert_folder "C:\Certs\W8\catalog\KnownCAs" ^
--out_file "C:\Certs\W8\catalog\vendor_catalog.lst"

SLImageCreator.exe tools sign ^
--file "C:\Certs\W8\catalog\vendor_catalog.lst" ^
--priv "C:\Certs\W8\root\vendor_rootCA_key.pem" ^
--out_file "C:\Certs\W8\catalog\vendor_catalog.lst.signed.bin" ^
--fmt BINARY_SHA1

5) Create OTP artifacts

SLImageCreator.exe tools meta ^
--cert "C:\Certs\W8\root\vendor_rootCA_cert.pem" ^
--out_file "C:\Certs\W8\otp\vendor_otp.meta" ^
--mac "000000000000"

SLImageCreator.exe tools sign ^
--file "C:\Certs\W8\otp\vendor_otp.meta" ^
--priv "C:\Certs\W8\root\vendor_rootCA_key.pem" ^
--out_file "C:\Certs\W8\otp\vendor_otp.meta.sig" ^
--fmt BINARY_SHA1

SLImageCreator.exe tools inf ^
--algo 1 ^
--sign1 "C:\Certs\W8\otp\vendor_otp.meta.sig" ^
--sign2 "C:\Certs\W8\otp\vendor_otp.meta.sig" ^
--meta "C:\Certs\W8\otp\vendor_otp.meta" ^
--out_file "C:\Certs\W8\otp\vendor_otp.inf"

NOTE: Tool printed "Warning: second file is not supported in meta section, ignored"
Config file (cfg.json) doesn't exist, using defaults

6)
This error kept happening
Iteration as I faced errors
C:\ti\uniflash_6.0.0\simplelink\imagecreator\bin>openssl dgst -sha1 ^
  -sign "C:\Certs\W8\root\vendor_rootCA_key.pem" ^
  -out "C:\Certs\W8\image\mcuflashimg.sig" ^
  "C:\Users\Innowave\Downloads\skymirr_V22\mqtt_client_CC3220SF_LAUNCHXL_freertos_ticlang\Debug\mqtt_client_CC3220SF_LAUNCHXL_freertos_ticlang.bin"

openssl dgst -sha1 ^
  -sign "C:\Certs\W8\app_signing\app_signing.key" ^
  -out "C:\Certs\W8\image\mcuflashimg.sig" ^
  "C:\Users\Innowave\Downloads\skymirr_V22\mqtt_client_CC3220SF_LAUNCHXL_freertos_ticlang\Debug\mqtt_client_CC3220SF_LAUNCHXL_freertos_ticlang.bin"

MCU image used; it was renamed in UniFlash.

Screenshots
 

Using vendor key and root

Observation on change gen sig bin
Setup info of cert files 
Please let me know if you need files, as I will just regenerate anything needed when the error is resolved.
The next step after this would be to do a test connection before proceeding to burn in our main MCU. In addition, if there is an update on the latest playground, please do let me know, as this will resolve all my issues if ISRG Root X1 is in it.
Thank you,
Ammar
  •  I believe you're an expert in this topic, and your help would be really appreciated in regards to the catalog and the error being faced. Any and all help is appreciated.

  • I've assigned this thread to an expert and they will answer shortly.

  • Hi Ammar,

    I'll take a closer look. Will send you something by Thursday. 

  • Hi Ammar, 

    I think I busted my CC3220SF but I got it working on my CC3235SF. The swru547a document that you followed applies to CC32xxSF, which includes both CC3220SF and CC3235SF. The one thing to note would be the different algorithms and SHA's used in the SLImageCreator which I think you generally followed properly. I will explain my process and hopefully it helps you in some way, and at the end of the summary, I will note things that we have done differently so that you can dig a little more into those details. 

    Private Key and Certificate Generation: 

    * openssl genrsa -out txn_key.key 2048

    * openssl req -new -sha256 -key txn_key.key -out txn.csr (be sure to fill out the details being asked for, especially the org name which I made match with my certificate names - txn in this case)

    * openssl x509 -req -sha256 -days 365 -in txn.csr -signkey txn_key.key -out txn.crt

    * openssl x509 -in txn.crt -outform der -out txn.der (make sure the .der extension is what you are storing in your catalog)

    * openssl rsa -in txn_key.key -outform pem -out txn_key.pem

    * openssl x509 -in txn.crt -outform pem -out txn.pem

    By now, I have something like this:

    Recall that the certificates in my catalog folder are in .der format. 

    Generating Catalog and OTP Files:

    C:\ti\uniflash_8.2.0\simplelink\imagecreator\bin>SLImageCreator.exe tools make_cert_catalog --cert_folder "C:\my_path\temp_folder_for_scratchwork\test_vendor_catalog" --out_file "C:\my_path\temp_folder_for_scratchwork\certificate_Catalog.lst"

    C:\ti\uniflash_8.2.0\simplelink\imagecreator\bin>SLImageCreator.exe tools sign --file "C:\my_path\temp_folder_for_scratchwork\certificate_Catalog.lst" --priv "C:\my_path\temp_folder_for_scratchwork\txn_key.pem" --out_file "C:\my_path\temp_folder_for_scratchwork\certificate_Catalog.lst.signed.bin" --fmt "BINARY_SHA2"

    C:\ti\uniflash_8.2.0\simplelink\imagecreator\bin>SLImageCreator.exe tools meta --cert "C:\my_path\temp_folder_for_scratchwork\txn.pem" --out_file "C:\my_path\temp_folder_for_scratchwork\vendor_otp.meta" --mac "000000000000"

    C:\ti\uniflash_8.2.0\simplelink\imagecreator\bin>SLImageCreator.exe tools sign --file "C:\my_path\temp_folder_for_scratchwork\vendor_otp.meta" --priv "C:\my_path\temp_folder_for_scratchwork\txn_key.pem" --out_file "C:\my_path\temp_folder_for_scratchwork\vendor_otp.meta.sig" --fmt "BINARY_SHA2"

    C:\ti\uniflash_8.2.0\simplelink\imagecreator\bin>SLImageCreator.exe tools inf --algo 2 --sign1 "C:\my_path\temp_folder_for_scratchwork\vendor_otp.meta.sig" --meta "C:\my_path\temp_folder_for_scratchwork\vendor_otp.meta" --out_file "C:\my_path\temp_folder_for_scratchwork\vendor_otp.inf"

    Notice how I am using SHA2 and algo 2 because I did this on a CC3235SF device; you should be using SHA1 and algo 1 (which looks like you are doing correctly). The file extensions matter in this case so make sure you are aware of that in terms of what to use for signage and certificates. 

    I now have generated the following files and am ready to move on:

    I never ended up using txn.pub at all, you can ignore that.

    I am then using the portable_CC3235SF_LAUNCHXL_tirtos7_ticlang example and ensuring that I am including the isrgrootx1.der and txn.der in the userFiles there and going to the image.syscfg and ensuring the following:

    I must note that I am not explicitly using either of the above mentioned .der files in my project code, they are just there in my userFiles folder.

    I then built the project and this will be the SLI found in MCU+Image/syscfg of the project folder.

    I am including the following image anyway even though you did this step properly:

    I then chose the service pack associated with the SDK I used for my project.

    This is what my userFiles looks like:

    I must say that when I added mcuflashimg.bin, I also checked public write (which you did not), and instead of the .pem extension for the certificate file, I used the .der extension. 

    With all of that done, I finally connected to my device in Uniflash, and clicked Burn and Program Image.

    Notable differences between our processes:

    * Potentially key and certificate generation

    * File extension formats used

    * Tinkering with image.syscfg in the project folder

    I hope this helps. 

  • Hi David,

    Thanks for your explanation earlier. I wanted to give you a complete walkthrough of everything I did, since I followed your flow but still ran into failures. This reply includes my logs, the build iterations, and the final errors I faced.

    1. Device & Environment

    • Device: CC3220SF LaunchPad (Secure, HW rev 49, MAC e4:15:f6:66:e1:8c)

    • SDK: SimpleLink CC32xx SDK 7.10.00.13

    • Service Pack: sp_3.22.0.1_2.7.0.0_2.2.0.7.bin

    • OS: Windows 10

    • Tools tried: UniFlash 6.0.0 and UniFlash 8.2.0

    2. Vendor Key and Certificate
      I generated the vendor key + self-signed cert with CA:TRUE (without this, CSR-based attempts flagged index errors):

    C:\Certs\t14>openssl genrsa -out "%ROOT%\inno_key.key" 2048
    C:\Certs\t14>openssl req -x509 -sha256 -days 3650 ^
    -key "%ROOT%\inno_key.key" ^
    -subj "/O=Innowave/CN=inno" ^
    -addext "basicConstraints=critical,CA:TRUE" ^
    -addext "keyUsage=critical, keyCertSign, cRLSign" ^
    -out "%ROOT%\inno.crt"

    C:\Certs\t14>openssl x509 -in "%ROOT%\inno.crt" -noout -text | findstr /c:"CA:TRUE"
    CA:TRUE
    CA:TRUE

    Then converted into all formats needed:
    openssl x509 -in "%ROOT%\inno.crt" -outform pem -out "%ROOT%\inno.pem"
    openssl rsa -in "%ROOT%\inno_key.key" -outform pem -out "%ROOT%\inno_key.pem"
    openssl x509 -in "%ROOT%\inno.crt" -outform der -out "%ROOT%\inno.der"

    3. Catalog + OTP Files

    "%IC%" tools make_cert_catalog --cert_folder "%ROOT%\test_vendor_catalog" --out_file "%ROOT%\certificate_Catalog.lst"

    "%IC%" tools sign --file "%ROOT%\certificate_Catalog.lst" --priv "%ROOT%\inno_key.pem" --out_file "%ROOT%\certificate_Catalog.lst.signed.bin" --fmt BINARY_SHA1

    "%IC%" tools meta --cert "%ROOT%\inno.pem" --out_file "%ROOT%\vendor_otp.meta" --mac 000000000000

    "%IC%" tools sign --file "%ROOT%\vendor_otp.meta" --priv "%ROOT%\inno_key.pem" --out_file "%ROOT%\vendor_otp.meta.sig" --fmt BINARY_SHA1

    "%IC%" tools inf --algo 1 --sign1 "%ROOT%\vendor_otp.meta.sig" --meta "%ROOT%\vendor_otp.meta" --out_file "%ROOT%\vendor_otp.inf"

    4. Build Iterations

    • UniFlash 6.0.0 (MCU+Image build): build stopped at 49%.
      At this point I switched to the Debug binary (mqtt_client_CC3220SF_LAUNCHXL_freertos_ticlang.bin).

    • UniFlash 8.2.0 (MCU+Image build): build stopped at 64%.
      Even though it failed mid-way, I was able to get the .bin file from the MCU+Image output.

    Error logs:

    [UniFlash 6.0.0]
    ...
    49% complete

    [UniFlash 8.2.0]
    ...
    64% complete

    5. Signing the Image
      I signed both the Debug bin (from the UniFlash 6 iteration) and the MCU+Image bin (from the UniFlash 8 iteration) manually with my vendor key.

    Example:
    set "APP=C:\Users\Innowave\Downloads\skymirr_V22\mqtt_client_CC3220SF\MCU+Image\mqtt_client_CC3220SF.bin"
    openssl dgst -sha1 -sign "%ROOT%\inno_key.pem" -out "%ROOT%\mcuflashimg.sig" "%APP%"

    In UniFlash Advanced view, I attached the .bin together with its .sig.
    For the “certificate file name,” where your example used txn.der, I added my inno.der.

    6. Final Outcome
      Despite trying both Debug and MCU+Image bins (signed with SHA1), and carefully following your flow, I still ended up being thrown the same error during image programming.

    7. Key Differences

    • I had to enforce CA:TRUE when creating the vendor cert, otherwise UniFlash flagged index errors.

    • Builds consistently stopped at 49% (UniFlash 6) and 64% (UniFlash 8).

    • I worked around this by signing either the Debug or MCU+Image bin manually, but both ultimately failed at the programming stage with the same error.

    • I tried to adhere to your method and only diverged where the tool forced me (CA:TRUE) and where the builds stopped (49% / 64%), which is why I used Debug vs MCU+Image .bin accordingly.

    Below are some screenshots for you to understand the process better.

    I am getting more confused. If possible, is it possible to get a more detailed guide, as I am not sure what is going wrong?

    Thanks,
    Ammar
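
One local check that can be run before flashing, added here as an example and not part of the original posts: confirm that a `.sig` produced by `openssl dgst -sha1 -sign` verifies against the public key inside the `.der` certificate that is named next to the image. It is written for a POSIX shell (Git Bash or WSL on Windows); the names `vendor`, `other` and `app.bin` are hypothetical and all keys are throwaway ones generated by the script.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. "vendor" and "other" are hypothetical
# names; every key here is a throwaway generated in a temp folder.

# make_signer DIR NAME -> NAME_key.pem, NAME.pem, NAME.der (self-signed) in DIR
make_signer() {
    openssl req -x509 -sha256 -days 30 -newkey rsa:2048 -nodes \
        -keyout "$1/${2}_key.pem" -out "$1/$2.pem" \
        -subj "/O=Example/CN=$2" 2>/dev/null &&
    openssl x509 -in "$1/$2.pem" -outform der -out "$1/$2.der"
}

# sign_image KEY FILE SIG: the command the thread uses for mcuflashimg.sig
sign_image() {
    openssl dgst -sha1 -sign "$1" -out "$3" "$2"
}

# sig_matches_cert CERT_DER FILE SIG
# 0 = SIG verifies over FILE with the certificate's public key,
# 1 = it does not, 2 = CERT_DER could not be parsed as a DER certificate.
sig_matches_cert() {
    _pub=$(mktemp) || return 2
    if ! openssl x509 -inform der -in "$1" -pubkey -noout > "$_pub" 2>/dev/null; then
        rm -f "$_pub"; return 2
    fi
    _rc=0
    openssl dgst -sha1 -verify "$_pub" -signature "$3" "$2" >/dev/null 2>&1 || _rc=1
    rm -f "$_pub"
    return "$_rc"
}

# Constructed demo: sign a stand-in image with the vendor key, then check it
# against the matching cert, an unrelated cert, and a file that is not a cert.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed stand-in for the MCU image\n' > "$d/app.bin"
    make_signer "$d" vendor && make_signer "$d" other || return 1
    sign_image "$d/vendor_key.pem" "$d/app.bin" "$d/app.sig" || return 1
    r_match=0; sig_matches_cert "$d/vendor.der" "$d/app.bin" "$d/app.sig" || r_match=$?
    r_other=0; sig_matches_cert "$d/other.der" "$d/app.bin" "$d/app.sig" || r_other=$?
    r_bad=0; sig_matches_cert "$d/app.bin" "$d/app.bin" "$d/app.sig" || r_bad=$?
    rm -rf "$d"
    echo "$r_match $r_other $r_bad"
}

demo    # prints: 0 1 2
```

On real files the call has the form `sig_matches_cert inno.der <image>.bin mcuflashimg.sig`; a result of 1 means the signature was made with a key other than the one in that certificate, or over a different file.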

  • Hi Ammar,

    I'm sorry to hear that it's still not working for you. I'll get another CC3220SF to work with tomorrow and update you by Thursday. I'll also generate certificates and keys using your method to see if I am also running into errors. This is probably an obvious question but you put your "inno.der" in the test_vendor_catalog folder? I'm also curious to know what happens if you use the private key file name instead of the signature file name when adding MCU Image to userfiles on Uniflash.

    Thanks,

    Brandon Liu