Secure DFU OTA via BLE
How do you update your firmware without physically touching the device? Maybe you cannot reach your sensor or beacon. But is there a secure way to do it without opening your hardware to the public?
Secure Device Firmware Update Over the Air via Bluetooth Low Energy
Building the app and the secure bootloader
To set up your secure DFU OTA via BLE you first have to generate the private/public key pair. You can use nrfutil from Nordic. To use the tool you need Python and pip (pip installs Python packages).
On Ubuntu you can use this to install and upgrade:
sudo apt-get install python-pip
pip install --upgrade pip
Then install nrfutil (for me only the sudo install works, and I ignored all warnings):
sudo pip install nrfutil
Generate Private Key with nrfutil
Next step: generate the private and public keys with nrfutil:
nrfutil keys generate my_secret_private_key.pem
Then output the public key code for the bootloader:
nrfutil keys display --key pk --format code my_secret_private_key.pem
/** @brief Public key used to verify DFU images */
__ALIGN(4) const uint8_t pk[64] =
{
....
};
Copy the output to dfu_public_key.c in your secure bootloader directory.
Before you can build your bootloader firmware you have to check the RAM usage. Unfortunately the bootloader needs at least 32kB (i.e. more than 16kB), so not all nRF51822 chip variants can be used. And with the SDK 12.0.0.0 the secure bootloader only works with the S130 SoftDevice (i.e. S132 for nRF52832).
The bootloader needs at least 32kB RAM
Besides the Nordic SDK 12.0.0 you need the micro-ecc library:
git clone https://github.com/kmackay/micro-ecc micro-ecc
In the linker file the memory settings could look like this:
MEMORY
{
FLASH (rx) : ORIGIN = 0x35C00, LENGTH = 0xA000
RAM (rwx) : ORIGIN = 0x200025E0, LENGTH = 0x5A20
NOINIT (rwx) : ORIGIN = 0x20007F80, LENGTH = 0x80
BOOTLOADER_SETTINGS (rw) : ORIGIN = 0x0003FC00, LENGTH = 0x0400
UICR_BOOTLOADER (r) : ORIGIN = 0x10001014, LENGTH = 0x04
}
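A quick consistency check for a MEMORY block like the one above, as an added example that is not part of the original post or the Nordic SDK: it parses the regions and reports any that overlap or run past the chip. The chip limits (256 kB flash, 32 kB RAM starting at 0x20000000) and the function names are assumptions of this example.

```python
import re

# MEMORY block as printed on this page (bootloader for an nRF51822).
LINKER_MEMORY = """
MEMORY
{
  FLASH (rx) : ORIGIN = 0x35C00, LENGTH = 0xA000
  RAM (rwx) : ORIGIN = 0x200025E0, LENGTH = 0x5A20
  NOINIT (rwx) : ORIGIN = 0x20007F80, LENGTH = 0x80
  BOOTLOADER_SETTINGS (rw) : ORIGIN = 0x0003FC00, LENGTH = 0x0400
  UICR_BOOTLOADER (r) : ORIGIN = 0x10001014, LENGTH = 0x04
}
"""

# Assumed chip limits (not stated in the linker file): 256 kB flash, 32 kB RAM.
FLASH_END = 0x00040000
RAM_BASE, RAM_END = 0x20000000, 0x20008000

REGION = re.compile(
    r"^\s*(\w+)\s*\([rwx]+\)\s*:\s*ORIGIN\s*=\s*(0x[0-9A-Fa-f]+)\s*,"
    r"\s*LENGTH\s*=\s*(0x[0-9A-Fa-f]+)", re.M)

def parse_regions(text):
    """Return [(name, start, end)] for each region, with end exclusive."""
    out = []
    for name, origin, length in REGION.findall(text):
        start = int(origin, 16)
        out.append((name, start, start + int(length, 16)))
    return out

def audit(text):
    """List overlapping regions and regions that run past flash or RAM."""
    regions = sorted(parse_regions(text), key=lambda r: r[1])
    findings = []
    for i, (name, start, end) in enumerate(regions):
        if start < FLASH_END and end > FLASH_END:
            findings.append(f"{name} runs past end of flash by {end - FLASH_END:#x}")
        if RAM_BASE <= start < RAM_END and end > RAM_END:
            findings.append(f"{name} runs past end of RAM by {end - RAM_END:#x}")
        for other, o_start, o_end in regions[i + 1:]:
            if o_start < end:  # list is sorted by start, so this is an overlap
                shared = min(end, o_end) - o_start
                findings.append(f"{name} overlaps {other} by {shared:#x} bytes")
    return findings

if __name__ == "__main__":
    for line in audit(LINKER_MEMORY) or ["no overlaps, all regions within the chip"]:
        print(line)
```

On the values printed above it reports `RAM overlaps NOINIT by 0x80 bytes`: RAM ends at 0x20008000 while NOINIT starts at 0x20007F80. A RAM LENGTH of 0x59A0 ends exactly at the NOINIT origin and gives a clean report.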
Once you have built your secure bootloader hex file (i.e. dfu_secure.hex), flash it onto your nRF51822 together with the S130 SoftDevice hex file (i.e. s130_nrf51_2.0.1_softdevice.hex).
Flash the secure bootloader with the S130 SoftDevice
The next step is to prepare your firmware for secure DFU OTA via BLE. Again we use nrfutil with the firmware hex file (if you are not using debug mode you have to set the firmware version):
nrfutil pkg generate --debug-mode --application dfu_app.hex --key-file ../my_secret_private_key.pem app_package.zip
|===============================================================|
|## ## ### ######## ## ## #### ## ## ###### |
|## ## ## ## ## ## ## ### ## ## ### ## ## ## |
|## ## ## ## ## ## ## #### ## ## #### ## ## |
|## ## ## ## ## ######## ## ## ## ## ## ## ## ## ####|
|## ## ## ######### ## ## ## #### ## ## #### ## ## |
|## ## ## ## ## ## ## ## ### ## ## ### ## ## |
| ### ### ## ## ## ## ## ## #### ## ## ###### |
|===============================================================|
|You are generating a package with the debug bit enabled in the |
|init packet. This is only compatible with a debug bootloader |
|and is not suitable for production. |
|===============================================================|
Zip created at app_package.zip
Update your firmware securely over the air with Bluetooth Low Energy
Now let's update our firmware securely over the air. Copy the ZIP file to your mobile phone (I use Android) and start the nRF Connect app. After scanning for Bluetooth devices the app should find your device with the running bootloader and the DfuTarg Bluetooth service (BLE only).
Discover the DfuTarg service on your nRF51822 with running bootloader
Next connect to the DFUTARG service. The DFU icon appears.
Select the distribution packet (ZIP) with encrypted firmware
Choose your prepared ZIP file
Start the DFU
Watch the transfer
Transfer reaches 100%
Firmware is transferred and started, DFUTARG service will be disconnected
After the transfer your new firmware will be started automatically. In this case that means the bootloader will be stopped and the Bluetooth service (DfuTarg) will no longer be available.
Another way is to use the DFU tool inside the nRF Toolbox app:
Using the DFU from nRF Toolbox
Select your ZIP file and your secure DfuTarg bootloader device.
Start secure DFU OTA via BLE
Watch the transfer
Transfer has ended, and the DFU service will be disconnected
Successfully and securely updated your firmware
You can also update the bootloader, the SoftDevice and/or the firmware
For a practical demonstration you can watch the video:
https://youtu.be/T80kzxu7M04