Working with ble_peripheral_server_fota

Before starting to create a secure Bluetooth Low Energy FOTA application, you must have a provisioned RSL15 Evaluation and Development Board and the BLE Explorer utility.

This section is divided into four steps: generating the application's firmware image, signing the image, creating the FOTA image, and testing.

Step 1: Generate the application’s firmware image

To generate the firmware image, perform these steps:

  1. Import the secure_bootloader and build with the bl_D_Secure configuration option. After building successfully, secure_bootloader.hex is generated under the bl_D_Secure folder.
  2. Import the FOTA project. Navigate to File > Import > General > Existing Projects into Workspace, set the Select root directory: option with the path to the source code <cmsis_pack_root>/ONSemiconductor/<device>/<version>/firmware/source/lib/fota, mark the checkbox Copy projects into workspace, and click Finish. The project appears in the left side of the Project Explorer view. Build the project with the Release_Secure configuration option. After building successfully, libfota.a, fota.bin and fota.hex are generated under the Release_Secure folder and replace the libfota.a and the fota.bin files in your CMSIS-Pack installation at <cmsis_pack_root>/ONSemiconductor/<device>/<version>/lib/Release_Secure.
  3. Import the ble_peripheral_server_fota, update the configurations, and build, using these steps:
    1. Add --defsym and __cert_size=900 to the Linker flags under Miscellaneous in Cross ARM C Linker.

      NOTE: The __cert_size of 900 is calculated from the content certificate size, which is 868, + 32 bytes of padding. This is the minimum size required.
      If you want to use key certificates, you must add an additional 840 to __cert_size for each key certificate being used. For example, if you want to use one key certificate, then __cert_size = 868 (content certificate) + 32 (byte padding) + 840 (key1 certificate size) = 1740.

    2. Change the path of libfota.a to use the Secure FOTA library ${cmsis_pack_root}/ONSemiconductor/<device>/<version>/lib/Release_Secure/libfota.a (see the "Updating Secure Configuration" figure).

      Figure: Updating Secure Configuration

    3. Delete the fota.bin and libfota.a files under RTE > Device > RSL15, and copy the fota.bin and libfota.a files from <cmsis_pack_root>/ONSemiconductor/<device>/<version>/lib/Release_Secure.
    4. Delete the command in Post-build steps (see the "Deleting Command in Post-Build Steps" figure).

      Figure: Deleting Command in Post-Build Steps

    5. Build the ble_peripheral_server_fota. After building successfully, ble_peripheral_server_fota.hex is generated under the Release folder.
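
The __cert_size rule from the NOTE in Step 1 (868-byte content certificate, 32 bytes of padding, 840 bytes per key certificate), written as a pre-build check. This is an added example, not part of the original page or the vendor's tooling. The function names and the linker command lines passed to them are assumptions; the parser accepts the GNU gcc/ld spellings of --defsym (-Xlinker, -Wl, and plain).

```python
# Sizes in bytes, from the NOTE on __cert_size in Step 1.
CONTENT_CERT = 868
KEY_CERT = 840
PADDING = 32


def required_cert_size(key_certs):
    """Minimum __cert_size for a chain with the given number of key certificates."""
    if key_certs not in (0, 1, 2):  # this page's chain has at most key1 and key2
        raise ValueError("expected 0, 1 or 2 key certificates")
    return CONTENT_CERT + PADDING + KEY_CERT * key_certs


def configured_cert_sizes(linker_cmdline):
    """Return every __cert_size value defined with --defsym on a gcc/ld command line."""
    tokens = []
    for tok in linker_cmdline.split():
        if tok == "-Xlinker":            # gcc pass-through: the next token is the ld option
            continue
        if tok.startswith("-Wl,"):       # gcc pass-through: comma-separated ld options
            tokens.extend(tok[4:].split(","))
        else:
            tokens.append(tok)
    sizes = []
    for i, tok in enumerate(tokens):
        if tok == "--defsym" and i + 1 < len(tokens):
            assignment = tokens[i + 1]
        elif tok.startswith("--defsym="):
            assignment = tok[len("--defsym="):]
        else:
            continue
        name, _, expr = assignment.partition("=")
        if name == "__cert_size":
            sizes.append(int(expr, 0))   # accepts decimal (900) or hex (0x384)
    return sizes


def check_cert_size(linker_cmdline, key_certs):
    """Compare the configured __cert_size with what the certificate chain needs."""
    need = required_cert_size(key_certs)
    sizes = configured_cert_sizes(linker_cmdline)
    if not sizes:
        return "missing: __cert_size is not defined"
    if len(set(sizes)) > 1:
        return f"conflict: __cert_size defined as {sorted(set(sizes))}"
    if sizes[0] < need:
        return f"too small: __cert_size={sizes[0]}, need at least {need}"
    return "ok"
```

Running check_cert_size against the project's linker flags before signing catches the case where an image is packed with key certificates but was linked with the content-only value of 900.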

Step 2: Sign the Application's Firmware Image

This step assumes your RSL15 workspace has a directory containing RSLSec, with the sub-directories assets/keys/hbk0 and assets/keys/hbk1. You should have your own hbk0 and hbk1 keys. To sign the firmware image, open a command prompt and go to the directory where RSLSec is located. Then do the following:

  1. Generate RSA keys and certificate.
    1. Create RSA keys to be used when creating the three-certificate RoT chain:

      rslsec trust make hbk1 ./assets/keys/hbk1_key_1
      rslsec trust make hbk1 ./assets/keys/hbk1_key_2

    2. Create the key certificate:

      mkdir .\assets\cert\hbk1
      rslsec trust cert key --out ./assets/cert/hbk1/key_1.crt --hbk hbk1 --keypair ./assets/keys/hbk1/hbk1.prv.pem --pwd ./assets/keys/hbk1/hbk1.pwd --pubkey ./assets/keys/hbk1_key_1/hbk1_key_1.pub.pem

      rslsec trust cert key --out ./assets/cert/hbk1/key_2.crt --hbk hbk1 --keypair ./assets/keys/hbk1_key_1/hbk1_key_1.prv.pem --pwd ./assets/keys/hbk1_key_1/hbk1_key_1.pwd --pubkey ./assets/keys/hbk1_key_2/hbk1_key_2.pub.pem

  2. Create the content certificate for the secure_bootloader application.
    1. Create the content certificate:

      rslsec trust cert content --out ./assets/cert/hbk1/content.crt --keypair ./assets/keys/hbk1_key_2/hbk1_key_2.prv.pem --pwd ./assets/keys/hbk1_key_2/hbk1_key_2.pwd --image ../secure_bootloader/bl_D_Secure/secure_bootloader.hex --key1 --key2 --target RSL15

    2. Pack the signed secure bootloader image with the certificates:

      mkdir .\assets\apps\RSL15\hbk1
      rslsec trust pack --out ./assets/apps/RSL15/hbk1/signed_secure_bootloader.hex --key1 ./assets/cert/hbk1/key_1.crt --key2 ./assets/cert/hbk1/key_2.crt --content ./assets/cert/hbk1/content.crt --image ../secure_bootloader/bl_D_Secure/secure_bootloader.hex --target RSL15 --firstKeyAddress 0 --secondKeyAddress 0 --contentAddress 0

      The signed_secure_bootloader.hex file is created in the directory.

  3. Create the content certificate for the FOTA.
    1. Create the content certificate:

      rslsec trust cert content --out ./assets/cert/hbk1/content.crt --keypair ./assets/keys/hbk1_key_2/hbk1_key_2.prv.pem --pwd ./assets/keys/hbk1_key_2/hbk1_key_2.pwd --image ../fota/Release_Secure/fota.hex --target RSL15

    2. Pack the signed secure FOTA image with the certificates:

      rslsec trust pack --out ./assets/apps/RSL15/hbk1/signed_fota.hex --bin ./assets/apps/RSL15/hbk1/signed_fota.bin --content ./assets/cert/hbk1/content.crt --image ../fota/Release_Secure/fota.hex --target RSL15 --contentAddress 0 --config 0

      The signed_fota.hex and signed_fota.bin files are created in the directory.

  4. Create the content certificate for the ble_peripheral_server_fota application.
    1. Create the content certificate:

      rslsec trust cert content --out ./assets/cert/hbk1/content.crt --keypair ./assets/keys/hbk1_key_2/hbk1_key_2.prv.pem --pwd ./assets/keys/hbk1_key_2/hbk1_key_2.pwd --image ../ble_peripheral_server_fota/Release/ble_peripheral_server_fota.hex --target RSL15

    2. Pack the signed ble_peripheral_server_fota image with the certificates:

      rslsec trust pack --out ./assets/apps/RSL15/hbk1/signed_ble_peripheral_server_fota.hex --bin ./assets/apps/RSL15/hbk1/signed_ble_peripheral_server_fota.bin --content ./assets/cert/hbk1/content.crt --image ../ble_peripheral_server_fota/Release/ble_peripheral_server_fota.hex --target RSL15 --contentAddress 0 --config 0

      The signed_ble_peripheral_server_fota.hex and signed_ble_peripheral_server_fota.bin files are created in the directory.

Step 3: Create a FOTA Image

To create the FOTA image, run mkfotaimg.exe (located in ${<cmsis_pack_root>}/ONSemiconductor/<device>/<version>/firmware/source/lib/fota/tools/mkfotaimg.exe), with signed_fota.bin and signed_ble_peripheral_server_fota.bin, to create the FOTA image file:

mkfotaimg.exe -o ./assets/apps/RSL15/hbk1/signed_fota_signed_ble_peripheral_server_fota.fota ./assets/apps/RSL15/hbk1/signed_fota.bin ./assets/apps/RSL15/hbk1/signed_ble_peripheral_server_fota.bin -s 0xD800

The signed_fota_signed_ble_peripheral_server_fota.fota file is created in the directory.

Figure: Secure Keys and Certificate and Signed Firmware Images

Step 4: Test the Secure ble_peripheral_server_fota Application

To test the application, perform these steps:

  1. Open J-Link Commander and connect to the RSL15. Load the signed_secure_bootloader.hex file into the provisioned device:

    J-Link>loadfile <path_to_hexfile>\signed_secure_bootloader.hex

  2. After copying signed_fota_signed_ble_peripheral_server_fota.fota and renaming the image to .bin, load the signed_fota_signed_ble_peripheral_server_fota.bin file into the provisioned device:

    J-Link>loadbin <path_to_binary>\signed_fota_signed_ble_peripheral_server_fota.bin 0x10D800

    You can see the LED blinking on your EVB. Your device is now ready to perform a FOTA update.

  3. Updating the application
    1. Run the BLE Explorer utility.
    2. BLE Explorer scans for ble_peripheral_server_fota.
    3. Connect FOTA_GPIO to ground on your EVB to start FOTA DFU mode.
    4. You can see the name RSL FOTA in the BLE Explorer window.
    5. Connect to the name RSL FOTA.
  4. Click on the Update Firmware option in the BLE Explorer window, and select the signed_fota_signed_ble_peripheral_server_fota.fota image file.