nRF52840DK Amazon FreeRTOS OTA update fail...

TimLai wrote on October 01, 2019:

I have a question about the OTA update on the nRF52840 DK.
I enabled CONFIG_OTA_UPDATE_DEMO_ENABLED to run the OTA example
and executed the iOS SDK for Amazon FreeRTOS Bluetooth Devices on an iPhone,
but when the nRF52840DK received the final expected block of the file,
I got this error log:
[OTA Task] [prvStopRequestTimer] Stopping file request timer.
[OTA Task] [prvPAL_CloseFile] Erasing the flash memory was successful
[OTA Task] [prvPAL_CheckFileSignature] Signature check failed
[OTA Task] [prvIngestDataBlock] Error (1:0x000000) closing OTA file.
[OTA Task] [prvOTAUpdateTask] Aborting due to IngestResult_t error -2
[OTA Task] [prvUpdateJobStatus] Msg: {"status":"FAILED","statusDetails":{"reason":"0x01000000: 0xfffffffe"}}
According to the OTA Agent error codes, error 0x01000000 indicates that the signature check failed,
but I'm not sure what I was missing.

I followed [https://docs.aws.amazon.com/freertos/latest/userguide/ota-code-sign-cert-nordic.html] to generate an ECDSA code-signing private key and an ECDSA code-signing certificate, then pasted them into the aws_clientcredential_keys.h file:

posted signingcredentialSIGNING_CERTIFICATE_PEM into aws_ota_codesigner_certificate.h:

Here is my whole OTA log:
https://drive.google.com/open?id=1JA9ceYD2MQBguhqblnNSjrQIlghElyWP

Thanks,
Tim

Edited by: TimLai on Oct 1, 2019 3:37 AM

PrasadV-AWS wrote on October 01, 2019:

Hi Tim,

Thank you for providing details and logs for the issue. Can you also share which release you are using?

The update to aws_clientcredential_keys.h is not required with code signing certificates. The file that should be updated to add the code signing certificate is aws_ota_codesigner_certificate.h, which you have updated, and I assume these are test certificates.

From the logs it is clear that the signature verification step failed after receiving the complete image. Can you please verify that the code signing profile is created correctly with the generated certificates? Another thing that we can check is if the certificate is correctly formatted when pasting it in aws_ota_codesigner_certificate.h. If you are not already using the PEMfileToCString.html tool provided in tools\certificate_configuration\, please use that to format and paste the certificate in aws_ota_codesigner_certificate.h.

Also, please make sure to erase the complete flash before flashing the first image.

Please let me know after verifying these steps if this is still an issue.

Edited by: PrasadV-AWS on Oct 1, 2019 2:35 PM

Edited by: PrasadV-AWS on Oct 2, 2019 10:36 AM
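
The formatting check suggested in the reply above can be scripted on the host. The following is an added example, not part of the thread or of the FreeRTOS tools: it converts a PEM file into the C string form used in aws_ota_codesigner_certificate.h and checks a pasted header for missing \n escapes and dropped lines. The function names are hypothetical and the sample PEM is constructed (it is not a real certificate).

```python
import base64
import re

LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one C string literal

def pem_to_c_string(pem, name):
    """Emit a C array with one literal per PEM line, each ending in \\n."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    body = "\n".join(f'    "{ln}\\n"' for ln in lines)
    return f"static const char {name}[] =\n{body};\n"

def c_string_to_pem(header_text):
    """Join adjacent C literals as the compiler would and expand \\n."""
    return "".join(LITERAL.findall(header_text)).replace("\\n", "\n")

def der_length_ok(der):
    """True if the outer DER SEQUENCE length covers exactly the whole body."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    k = der[1] & 0x7F                       # long form: k length bytes follow
    return k > 0 and len(der) == 2 + k + int.from_bytes(der[2:2 + k], "big")

def check_pem(pem, label="CERTIFICATE"):
    """Return a list of formatting problems; an empty list means well-formed."""
    begin, end = f"-----BEGIN {label}-----\n", f"-----END {label}-----"
    if not pem.startswith(begin):
        return ["BEGIN line missing or not followed by a newline"]
    if end not in pem:
        return ["END line missing"]
    body = pem[len(begin):pem.index(end)]
    problems = [] if body.endswith("\n") else ["no newline before END line"]
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return problems + ["base64 body does not decode"]
    if not der_length_ok(der):
        problems.append("DER length mismatch (truncated or altered paste?)")
    return problems

# Constructed sample: a DER SEQUENCE wrapping 100 zero bytes, not a real certificate.
B64 = base64.b64encode(bytes([0x30, 0x66, 0x04, 0x64]) + bytes(100)).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "".join(B64[i:i + 64] + "\n" for i in range(0, len(B64), 64))
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    header = pem_to_c_string(SAMPLE_PEM, "signingcredentialSIGNING_CERTIFICATE_PEM")
    print(header)
    print(check_pem(c_string_to_pem(header)) or "well-formed")
```

A structurally clean result only rules out paste errors; whether the certificate matches the code signing profile still has to be verified separately.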

TimLai wrote on October 03, 2019:

Thanks for your reply.

Now it looks like the OTA update on my nRF52840DK succeeded.
I got a log (OTA demo version 4.4.4) after the nRF52840DK rebooted.
The version is that of my OTA bin file in the S3 bucket, and the bin file still runs vStartOTAUpdateDemoTask().

The nRF52840 DK can't broadcast over BLE and pair with the mobile app when the nRF52840DK runs the OTA firmware (4.4.4).

I tried pressing the reset key on the DK board, but the DK board does not respond (no log at all, but LED2 flashes).

Whole log:
https://drive.google.com/open?id=1PPv7yXy9__FJ6CRCK4OJs4Wp3eMaZrET

Edited by: TimLai on Oct 3, 2019 9:37 PM

Edited by: TimLai on Oct 3, 2019 10:00 PM

ravishankar-AWS wrote on October 07, 2019:

Hi Tim,

The error means the iOS SDK was able to reconnect to BLE but unable to access the BLE GATT service after the new image was activated. I ran the sample OTA for nRF52840DK, with the latest commit for the FreeRTOS master branch and the latest commit for the iOS SDK, but couldn't reproduce the same issue.
Attached (ota_nordic.txt), the logs from my run.

Could you confirm if you have made changes to any BLE GATT services in the new image after the OTA update? iOS keeps a cache of the GATT services it discovered previously, and fails to access them correctly if the GATT services changed on the device.
You can recreate the bond and restart the device to clear the cache on the iOS BLE stack.

Edited by: ravishankar-AWS on Oct 7, 2019 11:58 AM

Hi TimLai,
Did you get this app from Apple Store? I couldn’t find this app, so I tried to compile from source. Tried with Xcode 11.3.1 and 11.6 (latest) and both failed with
Undefined symbols for architecture x86_64:
"_OBJC_CLASS_$_AWSServiceConfiguration", referenced from:
objc-class-ref in AmazonFreeRTOSDevice.o
"_OBJC_CLASS_$_AWSEndpoint", referenced from:
objc-class-ref in AmazonFreeRTOSDevice.o
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)