CC3220SF: OTA PROCESS FAILING DUE TO SIGNATURE VERIFICATION.

Part Number: CC3220SF
Other Parts Discussed in Thread: UNIFLASH

OtaArchive_RunParseTar: FileType=0, FileName=ota.sign, FileSize=72<\r><\n>
[_BundleCmdSignatureFile_Parse] signature verification failed!<\r><\n>
OtaArchive_RunParseTar: ERROR in _BundleCmdSignatureFile_Parse, Status=-14<\r><\n>
OTA_run: SECURITY ALERT OtaArchive_RunParse, Status=-20199<\r><\n>

  • Hi Saikat,

    This means the OTA image signature verification is failing.

    Please verify that when you are creating the image you use the right "OTA Private Key File", i.e. the key that corresponds to the certificate file that exists on your file system and is pointed to by OTA_CERTIFICATE_NAME (defined in OtaArchive, by default this points to "dummy_ota_vendor_cert.der").

    Note that if this is your first time using the mechanism, you can use the example key pair in "tools\cc32xx_tools\ota-example-cert\".

    Once this passes you will need to create and use your own ECC key-pair using the specific curve as defined in chapter 4 of http://www.ti.com/lit/ug/swpu332a/swpu332a.pdf.

    Br,

    Kobi

  • Hi,

    I tried with the dummy_ota_vendor_cert.der certificate as vendor certificate and dummy_ota_vendor_key to sign the OTA image, which is included in ota-example-cert, and they both belong to the same SDK version, i.e. 2.10.00.04, but still the signature verification is failing.

    Do we need to include a .txt file in the ota.tar file for the signature verification purpose?

    Can you please provide me some kind of document to create the tar file, with the procedure to attach a vendor certificate and signature, that will help me to understand where I am failing or where I have to make changes to make the signature verification work properly?

    The Uniflash/ImageCreator will build the signed image for you. It basically calculates the SHA256 digest for each of the files in the TAR, then stores the values in the metadata file (ota.cmd). It then uses the private key to sign the "ota.cmd" and create the "ota.sign" file within the TAR file.

    When the TAR is received, the public key is used to verify the "ota.cmd" signature and then we calc the digest for each of the written files and verify them against the "ota.cmd" content.

    This is a very simple process which was verified on many platforms. Have you made any manual changes to ota.tar content or the library?

    Seems like the ota.cmd verification fails in your case and it is usually related to some wrong configuration of the public or private file.

    Have you copied the "dummy_ota_vendor_cert.der" to the root folder of the device?

    Can you print the received "OTA.cmd" when you get it and compare it to the original content (in the TAR) as was created by Uniflash?

    Br,

    Kobi  
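Added example, not part of the original thread or TI's tooling: a host-side Python check for the comparison suggested in the reply above, diffing the archive Uniflash produced against the one actually served to the device. The member paths and file contents are constructed, and flagging any member with "key" in its name as a private key is an assumption of this example.

```python
import hashlib, io, tarfile

def make_tar(files):
    """Build an in-memory tar from {path: bytes} (used for the constructed samples)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def digests(tar_bytes):
    """Map each regular member's path to the SHA-256 of its content."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return {m.name: hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                for m in tar.getmembers() if m.isfile()}

def compare(original, served):
    """List every difference between the Uniflash output and the served archive."""
    a, b = digests(original), digests(served)
    findings = []
    for name in sorted(set(a) | set(b)):
        base = name.rsplit("/", 1)[-1]
        if name not in b:
            findings.append(f"missing: {name}")
        elif name not in a:
            findings.append(f"added: {name}")
        elif a[name] != b[name]:
            # ota.cmd is the signed metadata; ota.sign is the signature over it
            signed = base in ("ota.cmd", "ota.sign")
            kind = "manifest or signature changed" if signed else "content changed"
            findings.append(f"{kind}: {name}")
        if name in b and "key" in base.lower():  # assumed naming heuristic
            findings.append(f"private key in archive: {name}")
    return findings

# Constructed sample data: paths and contents are illustrative only.
ORIGINAL = make_tar({"bundle/ota.cmd": b"constructed manifest A",
                     "bundle/ota.sign": b"\x30" * 72,
                     "bundle/mcuflashimg.bin": b"constructed firmware"})
SERVED = make_tar({"bundle/ota.cmd": b"constructed manifest B",
                   "bundle/ota.sign": b"\x30" * 72,
                   "sys/mcuflashimg.bin": b"constructed firmware",
                   "bundle/dummy-ota-vendor.key": b"constructed key bytes"})

if __name__ == "__main__":
    for line in compare(ORIGINAL, SERVED):
        print(line)
```

An empty result means the served archive is byte-for-byte what Uniflash signed, which points the investigation at the key and certificate pairing instead.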

  • Hi,

    Yes, I made changes to the OTA.tar directory as the tar file which I created using Uniflash was not following the directory hierarchy as mentioned in the document for creating an OTA update.

    Yes, I copied dummy_ota_vendor_cert.der in the root while flashing the image into the device.

    In the OTA.tar file do we need to include:

    1. ota_vendor_cert.der 

    2. field.txt

    3. vendor key that is used to sign the file.

    After signing the image do we need to activate the image or something?

    Is there some document which will provide me a step-by-step guide for creating the ota.tar file? After the signature verification failed I am not getting the steps that I am missing or getting wrong while creating the tar file.

    Uniflash is supposed to create the image according to the document.

    Please specify what was wrong and what you have changed.

    You should change anything in a signed OTA image (and you don't need to activate anything). If you signed the OTA image using "dummy_ota_vendor_key.der", then you'll need "dummy_ota_vendor_cert.der" to verify it.

    What are you using for the MCU image (mcuflashimg.bin) signing? If you are using the Playground certificates, you should use a playground (dummy) key (not the dummy_ota ones).

    Br,

    Kobi

  • I don't know what is field.txt.

    The "dummy_ota_vendor_cert.der" should already be flashed to the device so you can remove it from the OTA image.

    The "vendor key that is used to sign the file" should be part of the OTA image (which file are you referring to here?)

    As you said, "vendor key" should be a part of the OTA image; does that mean it will only be used for signing the OTA image?

    In my case I am signing mcuflashimg.bin with key dummy-trusted-ca-cert.key, certificate is dummy-trusted-ca-cert, and the OTA.tar file with dummy-ota-vendor.key.

    I got the correct hierarchy of OTA.tar file when I generated the OTA.tar file using the latest uniflash version 5.3.

  • That was a typo!

    "vendor key" should NOT be part of the OTA image.