CC3220SF: Need help troubleshooting OTA failure

Part Number: CC3220SF
Other Parts Discussed in Thread: UNIFLASH

Hello,

I am having new issues with OTA and I need help understanding the cause. We've had OTA working for a while, but haven't tested it recently, and likely we've caused a regression. I have the following errors:

OTA_init: sizeof CdnClient=576, sizeof OtaArchive=4956
OTA_init: sizeof OtaLib_t=7736, sizeof OTA_memBlock=7800
OTA_init: OTA lib version = OTA_LIB_2.0.0.7
OtaArchive_Init: OTA archive version = OTA_ARCHIVE_2.0.0.4
OtaPingGateway initiated
OTA_run: call CdnClient_ConnectServer OTA server=api.dropboxapi.com
CdnClient_ConnectServer: HttpClient_Connect api.dropboxapi.com
HttpClient_Connect: IP_ADDR=162.125.1.19
HttpClient_Connect: ERROR Socket Connect, status=-456
CdnClient_ConnectServer: ERROR HttpClient_Connect, Status=-20304
OTA_run: ERROR CdnClient_ConnectServer, Status=-20304

_OtaCheckConsecutiveErrors: ConsecutiveOtaErrors=1/5, return only WARNNING
OtaRun: WARNING Status=20006,
OTA_run: call CdnClient_ConnectServer OTA server=api.dropboxapi.com
CdnClient_ConnectServer: HttpClient_Connect api.dropboxapi.com
HttpClient_Connect: IP_ADDR=162.125.1.19
HttpClient_Connect: ERROR Socket Connect, status=-456
CdnClient_ConnectServer: ERROR HttpClient_Connect, Status=-20304
OTA_run: ERROR CdnClient_ConnectServer, Status=-20304

_OtaCheckConsecutiveErrors: ConsecutiveOtaErrors=2/5, return only WARNNING
OtaRun: WARNING Status=20006,
OTA_run: call CdnClient_ConnectServer OTA server=api.dropboxapi.com
CdnClient_ConnectServer: HttpClient_Connect api.dropboxapi.com
HttpClient_Connect: IP_ADDR=162.125.1.19
HttpClient_Connect: ERROR Socket Connect, status=-456
CdnClient_ConnectServer: ERROR HttpClient_Connect, Status=-20304
OTA_run: ERROR CdnClient_ConnectServer, Status=-20304

_OtaCheckConsecutiveErrors: ConsecutiveOtaErrors=3/5, return only WARNNING
OtaRun: WARNING Status=20006,
OTA_run: call CdnClient_ConnectServer OTA server=api.dropboxapi.com
CdnClient_ConnectServer: HttpClient_Connect api.dropboxapi.com
HttpClient_Connect: IP_ADDR=162.125.1.19
HttpClient_Connect: ERROR Socket Connect, status=-456
CdnClient_ConnectServer: ERROR HttpClient_Connect, Status=-20304
OTA_run: ERROR CdnClient_ConnectServer, Status=-20304

_OtaCheckConsecutiveErrors: ConsecutiveOtaErrors=4/5, return only WARNNING
OtaRun: WARNING Status=20006,
OTA_run: call CdnClient_ConnectServer OTA server=api.dropboxapi.com
CdnClient_ConnectServer: HttpClient_Connect api.dropboxapi.com
HttpClient_Connect: IP_ADDR=162.125.1.19
HttpClient_Connect: ERROR Socket Connect, status=-456
CdnClient_ConnectServer: ERROR HttpClient_Connect, Status=-20304
OTA_run: ERROR CdnClient_ConnectServer, Status=-20304

_OtaCheckConsecutiveErrors: ConsecutiveOtaErrors=5/5, MAX_CONSECUTIVE_OTA_ERRORS!!!
OtaRun: FATAL ERROR -21003 !!!!!

CdnClient_ConnectServer, Status=-20304 -> OTA_HTTP_CLIENT_ERROR_CONNECT_SL_CONNECT seems to indicate an issue with the connection

However HttpClient_Connect: ERROR Socket Connect, status=-456 -> SL_ERROR_BSD_ESECBADCAFILE seems to indicate an issue with the certificates. 

Do you have any insight into what exactly is wrong with the CA file? The OTA image is essentially the same as the flashed image, so it seems like the CA file should match, but it's possible I've got something wrong in creating the files after recently having lost my Uniflash configuration settings.

Right now we're just using the TI dummy certificates 

Thanks,

Katie

  • -456 means that either the certificate format is wrong (less likely) or the file wasn't found (i.e. wrong path or file name).

    Make sure the Dropbox server's root CA (DigiCert High Assurance CA) is programmed in flash and that otauser.h points to the right path + file name.

    Br,

    Kobi

  • Ok that makes sense, and it IS missing. Unfortunately, we can't seem to find our original copy of the file to be able to add it. However, I do have a separate project in Uniflash that has those included in the file system (but that project seems to be broken for other reasons.) It appears Uniflash is grabbing that file from somewhere on my system given that I don't have to reload it every time. Do you know where Uniflash saves a local copy of the User Files we've added? 

    Thanks,

    Katie

  • Ok, I was able to get our files (and save them somewhere safe) by hovering over the files and doing Get. 

    But I am still not successful. Here are my new errors:

    OTA_init: sizeof CdnClient=576, sizeof OtaArchive=4956
    OTA_init: sizeof OtaLib_t=7736, sizeof OTA_memBlock=7800
    OTA_init: OTA lib version = OTA_LIB_2.0.0.7
    OtaArchive_Init: OTA archive version = OTA_ARCHIVE_2.0.0.4
    OtaPingGateway initiated
    Exit AOWifiMgr::ConnectingToOtaServer
    Enter AOWifiMgr::OtaRunning
    Exit AOWifiMgr::OtaRunning
    Enter AOWifiMgr::OtaRunning
    OTA_run: call CdnClient_ConnectServer OTA server=api.dropboxapi.com
    CdnClient_ConnectServer: HttpClient_Connect api.dropboxapi.com
    HttpClient_Connect: IP_ADDR=162.125.1.19
    HttpClient_Connect: WARNING Socket Connect, status=-468, Ignored...
    Exit AOWifiMgr::OtaRunning
    Enter AOWifiMgr::OtaRunning
    OTA_run: CdnClient_ReqOtaDir, VendorDir=OTA_CC3220SF
    CdnDropbox_SendReqDir: uri=/2/files/list_folder
    HttpClient_RecvSkipHdr: http error code HTTP/1.1 409
    CdnDropbox_ParseRespDir: ERROR HttpClient_RecvSkipHdr, status=-20310
    OTA_run: ERROR CdnClient_ReqOtaDir, Status=-20310

    _OtaCheckConsecutiveErrors: ConsecutiveOtaErrors=1/5, return only WARNNING
    OtaRun: WARNING Status=20004,
    Exit AOWifiMgr::OtaRunning
    Enter AOWifiMgr::OtaRunning
    Exit AOWifiMgr::OtaRunning
    Enter AOWifiMgr::OtaRunning
    OTA_run: call CdnClient_ConnectServer OTA server=api.dropboxapi.com
    CdnClient_ConnectServer: HttpClient_Connect api.dropboxapi.com
    HttpClient_Connect: IP_ADDR=162.125.1.19
    HttpClient_Connect: WARNING Socket Connect, status=-468, Ignored...
    Exit AOWifiMgr::OtaRunning
    Enter AOWifiMgr::OtaRunning
    OTA_run: CdnClient_ReqOtaDir, VendorDir=OTA_CC3220SF
    CdnDropbox_SendReqDir: uri=/2/files/list_folder
    HttpClient_RecvSkipHdr: http error code HTTP/1.1 409
    CdnDropbox_ParseRespDir: ERROR HttpClient_RecvSkipHdr, status=-20310
    OTA_run: ERROR CdnClient_ReqOtaDir, Status=-20310

    _OtaCheckConsecutiveErrors: ConsecutiveOtaErrors=2/5, return only WARNNING
    OtaRun: WARNING Status=20004,
    Exit AOWifiMgr::OtaRunning
    Enter AOWifiMgr::OtaRunning
    Exit AOWifiMgr::OtaRunning
    Enter AOWifiMgr::OtaRunning
    OTA_run: call CdnClient_ConnectServer OTA server=api.dropboxapi.com
    CdnClient_ConnectServer: HttpClient_Connect api.dropboxapi.com
    HttpClient_Connect: IP_ADDR=162.125.1.19
    HttpClient_Connect: WARNING Socket Connect, status=-468, Ignored...
    Exit AOWifiMgr::OtaRunning
    Enter AOWifiMgr::OtaRunning
    OTA_run: CdnClient_ReqOtaDir, VendorDir=OTA_CC3220SF
    CdnDropbox_SendReqDir: uri=/2/files/list_folder
    HttpClient_RecvSkipHdr: http error code HTTP/1.1 409
    CdnDropbox_ParseRespDir: ERROR HttpClient_RecvSkipHdr, status=-20310
    OTA_run: ERROR CdnClient_ReqOtaDir, Status=-20310

    _OtaCheckConsecutiveErrors: ConsecutiveOtaErrors=3/5, return only WARNNING
    OtaRun: WARNING Status=20004,
    Exit AOWifiMgr::OtaRunning
    Enter AOWifiMgr::OtaRunning
    Exit AOWifiMgr::OtaRunning
    Enter AOWifiMgr::OtaRunning
    OTA_run: call CdnClient_ConnectServer OTA server=api.dropboxapi.com
    CdnClient_ConnectServer: HttpClient_Connect api.dropboxapi.com
    HttpClient_Connect: IP_ADDR=162.125.1.19
    HttpClient_Connect: WARNING Socket Connect, status=-468, Ignored...
    Exit AOWifiMgr::OtaRunning
    Enter AOWifiMgr::OtaRunning
    OTA_run: CdnClient_ReqOtaDir, VendorDir=OTA_CC3220SF
    CdnDropbox_SendReqDir: uri=/2/files/list_folder
    HttpClient_RecvSkipHdr: http error code HTTP/1.1 409
    CdnDropbox_ParseRespDir: ERROR HttpClient_RecvSkipHdr, status=-20310
    OTA_run: ERROR CdnClient_ReqOtaDir, Status=-20310

    _OtaCheckConsecutiveErrors: ConsecutiveOtaErrors=4/5, return only WARNNING
    OtaRun: WARNING Status=20004,
    Exit AOWifiMgr::OtaRunning
    Enter AOWifiMgr::OtaRunning
    Exit AOWifiMgr::OtaRunning
    Enter AOWifiMgr::OtaRunning
    OTA_run: call CdnClient_ConnectServer OTA server=api.dropboxapi.com
    CdnClient_ConnectServer: HttpClient_Connect api.dropboxapi.com
    HttpClient_Connect: IP_ADDR=162.125.1.19
    HttpClient_Connect: WARNING Socket Connect, status=-468, Ignored...
    Exit AOWifiMgr::OtaRunning
    Enter AOWifiMgr::OtaRunning
    OTA_run: CdnClient_ReqOtaDir, VendorDir=OTA_CC3220SF
    CdnDropbox_SendReqDir: uri=/2/files/list_folder
    HttpClient_RecvSkipHdr: http error code HTTP/1.1 409
    CdnDropbox_ParseRespDir: ERROR HttpClient_RecvSkipHdr, status=-20310
    OTA_run: ERROR CdnClient_ReqOtaDir, Status=-20310

    HttpClient_Connect: WARNING Socket Connect, status=-468 -> SL_ERROR_BSD_ESECUNKNOWNROOTCA

    OTA_run: ERROR CdnClient_ReqOtaDir, Status=-20310 -> OTA_HTTP_CLIENT_ERROR_RESP_STATUS_NOT_OK

    Thanks,

    Katie

  • The -468 is a warning that means the root CA can't be verified by the certificate catalog (I guess you are using the dummy playground catalog so the DigiCert certificate is not recognized). Anyway, this is a warning only and the connection is still open.

    The problem is that you got HTTP Error 409 when trying to read the folder list.

    Did you open a new Dropbox App? If so, make sure your token is set with "no expiration" and that the read permissions are enabled.

    Try to generate a new token and use it in your otauser.h (changing otauser.h requires that you rebuild your lib and app).

    Br,

    Kobi

  • You're correct that we're still using the dummy playground catalog for now.

    We tried with a new Dropbox token and get the same errors. We can't think of anything that has changed on the Dropbox side.

    Besides the token, what type of changes on the Dropbox side could cause these errors? We don't think we changed anything (besides the token), but SOMETHING must have changed.

    Thanks,

    Katie

  • Dropbox enhanced their security protocols.

    They are using short-term tokens and disable all the access permissions by default (when you create a new Dropbox app) - so if you created a new app to access your content, you need to make sure that the token is generated with "no expiration" and that the permissions (2nd tab) for reading content and metadata are enabled.

    Br,

    Kobi

  • Ok, a subfolder was deleted. (No one claims responsibility.) So now we're back to our original issue, and have the following new errors:

    OTA_run: Call CdnClient_ConnectFileServer, url = [xxx]
    HttpClient_Connect: IP_ADDR=162.125.1.14
    HttpClient_Connect: ERROR Socket Connect, status=-688
    CdnClient_ConnectFileServer: ERROR on HttpClient_Connect, Status=-20304
    OTA_run: ERROR CdnClient_ConnectFileServer, Status=-20304

    _OtaCheckConsecutiveErrors: ConsecutiveOtaErrors=4/5, return only WARNNING
    OtaRun: WARNING Status=20006,
    OTA_run: call CdnClient_ConnectServer OTA server=api.dropboxapi.com
    CdnClient_ConnectServer: HttpClient_Connect api.dropboxapi.com
    HttpClient_Connect: IP_ADDR=162.125.1.19
    HttpClient_Connect: WARNING Socket Connect, status=-468, Ignored...
    OTA_run: CdnClient_ReqOtaDir, VendorDir=OTA_CC3220SF
    CdnDropbox_SendReqDir: uri=/2/files/list_folder
    RespLen is 784, ProcessedSize is: 779
    the entire JSON pRespBuf is: (null)
    OtaDir FileName=/OTA_CC3220SF/20210114142048_CC3220SF_ota.tar, FileSize=368640
    OTA_run: CdnClient_ReqOtaDir, NumDirFiles=1
    OTA_run: CdnClient_GetNextDirFile
    OTA_run: CdnClient_GetNextDirFile: file=/OTA_CC3220SF/20210114142048_CC3220SF_ota.tar, size=368640
    OtaArchive_Init: OTA archive version = OTA_ARCHIVE_2.0.0.4
    _ReadOtaVersionFile: file ota.dat, status=SL_ERROR_FS_FILE_NOT_EXISTS
    OtaArchive_CheckVersion: can't open version file, sign it as old version
    OtaArchive_CheckVersion: accept the new version = 20210114142048_CC3220SF_ota.tar
    OtaRun: status from Ota_run: OTA_RUN_STATUS_CHECK_NEWER_VERSION, accept and continue
    _ReadOtaVersionFile: file ota.dat, status=SL_ERROR_FS_FILE_NOT_EXISTS
    OtaRun: CurrentVersion=00000000000000, NewVersion=20210114142048
    OTA_run: Call CdnClient_ReqFileUrl, filename = /OTA_CC3220SF/20210114142048_CC3220SF_ota.tar
    CdnDropbox_SendReqFileUrl: uri=/2/files/get_temporary_link
    HTTP request is:
    POST /2/files/get_temporary_link HTTP/1.1
    host: api.dropboxapi.com
    Authorization: Bearer O33Upy6Y3FwAAAAAAAAAAXOzDDehc7Bv3a-8BTDE2y87fmigAlTqoRCuPgynxCMx
    Content-Type: Application/Json
    Content-Length: 68

    {"path": "/OTA_CC3220SF/20210114142048_CC3220SF_ota.tar"}


    OTA_run: Call CdnClient_ConnectFileServer, url = [xxx]
    HttpClient_Connect: IP_ADDR=162.125.1.14
    HttpClient_Connect: ERROR Socket Connect, status=-688
    CdnClient_ConnectFileServer: ERROR on HttpClient_Connect, Status=-20304
    OTA_run: ERROR CdnClient_ConnectFileServer, Status=-20304

    _OtaCheckConsecutiveErrors: ConsecutiveOtaErrors=5/5, MAX_CONSECUTIVE_OTA_ERRORS!!!
    OtaRun: FATAL ERROR -21003 !!!!!

    I see that -688 SL_ERROR_BSD_ESEC_ASN_NO_SIGNER_E still seems to indicate a bad cert, but we're struggling to understand which one and what's wrong with them. 

    Thanks,

    Katie

  • -688 means the root CA you are using doesn't comply with the server's CA.

    You can add the following code to the socket event handler:

    void SimpleLinkSockEventHandler(SlSockEvent_t *pSock)
    {
        if (pSock->Event == SL_SOCKET_ASYNC_EVENT)
        {
            switch (pSock->SocketAsyncEvent.SockAsyncData.Type)
            {
            case SL_SSL_NOTIFICATION_WRONG_ROOT_CA:
                /* TLS verification failed against the configured root CA;
                   pExtraInfo carries the name of the root CA the server needs */
                LOG_MESSAGE("SL_SOCKET_ASYNC_EVENT: ERROR - WRONG ROOT CA\n\r");
                LOG_MESSAGE("Please install the following Root Certificate:\n\r");
                LOG_MESSAGE(" %s\n\r",
                            pSock->SocketAsyncEvent.SockAsyncData.pExtraInfo);
                break;
            default:
                /* any other async socket event: just log it */
                LOG_MESSAGE("SL_SOCKET_ASYNC_EVENT socket event %d \n\r",
                            pSock->Event);
                break;
            }
        }
    }

    It will print the root CA certificate that the server requires (for verification).

    Br,

    Kobi 

  • Strange, we are not even getting into the SimpleLinkSockEventHandler.  Is that an indication of something being wrong? 

    We do suspect an issue on the Dropbox side because we have some devices running old code that worked previously, but upgrades fail on those devices now. We have no expiration on the token and read access enabled. 

    Thanks,

    Katie

  • Are you still getting the -688 error code? This would come together with the SimpleLinkSockEventHandler.

    If you have another error, the event handler would not be invoked (the root CA cert gets reported only when it is missing).

  • You're right, we'd lost our Dropbox token again, and I didn't know about it. (Dropbox makes it easy to click on something to see what it does which causes real changes without warning). 

    We now get into the SimpleLinkSockEventHandler, which tells us we're missing the following:

    OTA_run: Call CdnClient_ConnectFileServer, url = content.dropboxapi.com/<etc>
    HttpClient_Connect: IP_ADDR=<etc>
    SL_SOCKET_ASYNC_EVENT: ERROR - WRONG ROOT CA
    Please install the following Root Certificate:
    DigiCert Global Root CA
    HttpClient_Connect: ERROR Socket Connect, status=-688
    CdnClient_ConnectFileServer: ERROR on HttpClient_Connect, Status=-20304
    OTA_run: ERROR CdnClient_ConnectFileServer, Status=-20304

    Does that mean we have the wrong files in the Trusted Root-Certificate Catalog when we build our image? We are using:

    • <sdk install dir>\tools\cc32xx_tools\certificate-playground\certcatalogPlayGround20160911.lst
    • <sdk install dir>\tools\cc32xx_tools\certificate-playground\certcatalogPlayGround20160911.lst.signed_3220.bin

    This is based on SWRA510b Figure 3-3, though the paths in the SDK are not exactly as listed.

    Thanks,

    Katie

  • No, the catalog is not the problem.

    Due to resource limitations, our catalog doesn't include the entire root CA certificates but only their digests. You will need to store the actual root CA (i.e. "DigiCert Global Root CA") in the file system and set a socket option with it (so during the connection this root CA will be used to verify the server certificate. In order to verify the server's certificate the root CA must be the right one). When using our OTA library you only need to set the OTA_SERVER_ROOT_CA_CERT definition in otauser.h (the library will set the socket option accordingly) and rebuild the lib and the app.

    Since you are using the "playground" catalog you will get a warning (since the dummy catalog doesn't include digests of valid root CA certificates) during the connection setup, but it will be ignored (by the library) and the connection will be established.

    Br,

    Kobi

  • Ok, we originally had 

    #define OTA_SERVER_ROOT_CA_CERT         "digicerthighassuranceevrootca.crt"

    which had worked fine for the past year and is included in the file system. When we change that to 

    #define OTA_SERVER_ROOT_CA_CERT         "DigiCertGlobalRootCA.crt"

    and include it in the file system, it seems to want our original cert: 

    _OtaCheckConsecutiveErrors: ConsecutiveOtaErrors=4/5, return only WARNNING
    OtaRun: WARNING Status=20006,
    Exit AOWifiMgr::OtaRunning
    Enter AOWifiMgr::OtaRunning
    Exit AOWifiMgr::OtaRunning
    Enter AOWifiMgr::OtaRunning
    OTA_run: call CdnClient_ConnectServer OTA server=api.dropboxapi.com
    CdnClient_ConnectServer: HttpClient_Connect api.dropboxapi.com
    HttpClient_Connect: IP_ADDR=162.125.1.19
    SL_SOCKET_ASYNC_EVENT: ERROR - WRONG ROOT CA
    Please install the following Root Certificate:
    DigiCert High Assurance EV Root CA
    HttpClient_Connect: ERROR Socket Connect, status=-688
    CdnClient_ConnectServer: ERROR HttpClient_Connect, Status=-20304
    OTA_run: ERROR CdnClient_ConnectServer, Status=-20304

    Thanks,

    Katie

  • It seems that you found a new issue.

    In the OTA process, the library actually connects to 2 servers. It first connects to the Dropbox CDN server, where it uses the token to get access to your app folders and find the (TAR) file to download. Once the tar file is found, the library requests its URL (within Dropbox's file server).

    The library then opens a second (HTTPS) connection to the file system to load the file.

    Until now both servers (the CDN and File) always used the same certificate (DigiCertGlobalRootCA.crt).

    It seems that now the file server uses a different one.    

    We will add a fix in one of the next SDKs, but in the meanwhile you can try the following fix (for the "ota" library):

    1. store the 2 root CA certificates in the file system: "DigiCertGlobalRootCA.crt" and "digicerthighassuranceevrootca.crt"

    2. in "otauser.h" - add a second definition as follows:

    #define OTA_SERVER_ROOT_CA_CERT              "digicerthighassuranceevrootca.crt"
    #define OTA_FILE_SERVER_ROOT_CA_CERT   "DigiCertGlobalRootCA.crt"

    3. in "OtaHttpClient.c" - update the definition of HttpClient_Connect() so it will get the certificate as a parameter (currently it always uses the OTA_SERVER_ROOT_CA_CERT ). The header file should be updated accordingly:  

    int16_t HttpClient_Connect(uint8_t *ServerName, int32_t IpAddr, int32_t Port, int32_t Secured, char *rootCaCert, int32_t NonBlocking)

    {

    ...

    update (line 110):

    Status = sl_SetSockOpt(SockId, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CA_FILE_NAME, rootCaCert, strlen(rootCaCert));

    ...

    }

    4. in "CdnClient.c": update the CdnClient_ConnectServer() and CdnClient_ConnectFileServer()

    int16_t CdnClient_ConnectServer(CdnClient_t *pCdnClient, Ota_optServerInfo *pOtaServerInfo)

    {

    ...

    update (line 57) :

    pCdnClient->ServerSockId = HttpClient_Connect(pOtaServerInfo->ServerName, pOtaServerInfo->IpAddress, SOCKET_PORT_DEFAULT, pOtaServerInfo->SecuredConnection, OTA_SERVER_ROOT_CA_CERT, SOCKET_BLOCKING);

    ...

    }

    int16_t CdnClient_ConnectFileServer(CdnClient_t *pCdnClient, uint8_t *pFileUrl, int32_t SecuredConnection)
    {

    ...

    update (line 150):

    pCdnClient->FileSockId = HttpClient_Connect(ServerNameBuf, 0, pCdnClient->PortNum, SecuredConnection, OTA_FILE_SERVER_ROOT_CA_CERT, SOCKET_BLOCKING);

    ...

    }

    Br,

    Kobi
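
A host-side triage script for logs like the ones in this thread, added here as an example (it is not part of the original posts and not TI's code). It groups the socket status codes and the root CA named by the event handler by connection (CDN server vs. file server), so a per-server root CA mismatch shows up directly. The function names are illustrative, and it assumes the firmware logs the handler strings shown earlier in the thread.

```python
import re

# Status meanings as explained in this thread.
SOCK_STATUS = {
    -456: "SL_ERROR_BSD_ESECBADCAFILE: root CA file not found in flash (or wrong format)",
    -468: "SL_ERROR_BSD_ESECUNKNOWNROOTCA: root CA not verified by the catalog (warning)",
    -688: "SL_ERROR_BSD_ESEC_ASN_NO_SIGNER_E: configured root CA does not match the server's",
}
ROLE_RE = re.compile(r"OTA_run: [Cc]all CdnClient_Connect(File)?Server\b")
STATUS_RE = re.compile(r"HttpClient_Connect: (ERROR|WARNING) Socket Connect, status=(-?\d+)")
WANTED_MARK = "Please install the following Root Certificate:"

def triage(log_text):
    """Group TLS connect results by OTA connection role: 'cdn' or 'file'."""
    report, role, expect_ca = {}, None, False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if expect_ca and line:  # the line after the marker names the required root CA
            if role:
                report[role]["wanted_ca"].add(line)
            expect_ca = False
            continue
        m = ROLE_RE.search(line)
        if m:
            role = "file" if m.group(1) else "cdn"
            report.setdefault(role, {"errors": set(), "warnings": set(), "wanted_ca": set()})
        elif line == WANTED_MARK:
            expect_ca = True
        elif role and (m := STATUS_RE.search(line)):
            key = "errors" if m.group(1) == "ERROR" else "warnings"
            report[role][key].add(int(m.group(2)))
    return report

def findings(report):
    """Turn the per-role report into human-readable findings (errors only)."""
    out = []
    for role, r in sorted(report.items()):
        for code in sorted(r["errors"]):
            out.append(f"{role}: {code} {SOCK_STATUS.get(code, 'unknown status')}")
        for ca in sorted(r["wanted_ca"]):
            out.append(f"{role}: server chain needs root CA '{ca}'")
    wanted = {role: r["wanted_ca"] for role, r in report.items() if r["wanted_ca"]}
    if len(wanted) == 2 and wanted["cdn"] != wanted["file"]:
        out.append("cdn and file server need different root CAs: configure one CA file per connection")
    return out

# Sample input assembled from log lines posted in this thread (two separate runs, concatenated).
SAMPLE_LOG = """\
OTA_run: Call CdnClient_ConnectFileServer, url = content.dropboxapi.com/<etc>
HttpClient_Connect: IP_ADDR=<etc>
SL_SOCKET_ASYNC_EVENT: ERROR - WRONG ROOT CA
Please install the following Root Certificate:
DigiCert Global Root CA
HttpClient_Connect: ERROR Socket Connect, status=-688
OTA_run: call CdnClient_ConnectServer OTA server=api.dropboxapi.com
CdnClient_ConnectServer: HttpClient_Connect api.dropboxapi.com
HttpClient_Connect: IP_ADDR=162.125.1.19
SL_SOCKET_ASYNC_EVENT: ERROR - WRONG ROOT CA
Please install the following Root Certificate:
DigiCert High Assurance EV Root CA
HttpClient_Connect: ERROR Socket Connect, status=-688
"""

if __name__ == "__main__":
    print("\n".join(findings(triage(SAMPLE_LOG))))
```

The -468 warning is recorded but not reported as a finding, matching the explanation above that the library ignores it when the playground catalog is in use.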

  • That worked! 

    Thanks for working through so many questions with us and responding quickly. 

    -Katie