# Matter OTA

## Generate CHIP OTA image

To generate the Matter OTA image, enable the `CONFIG_CHIP_OTA_IMAGE_BUILD`
config option. The OTA image is generated in the `build` directory with the name
`<project name>-ota.bin`. This image can then be used with the OTA Provider
Application.

Make sure the version number is set to the correct value. Use the
`CONFIG_DEVICE_SOFTWARE_VERSION` and `CONFIG_DEVICE_SOFTWARE_VERSION_NUMBER`
config options to set the software version.

The Matter OTA image can also be generated using the
[ota_image_tool.py](https://github.com/project-chip/connectedhomeip/blob/master/src/app/ota_image_tool.py)
script.

## Enabling OTA Requestor

- Make sure the `CONFIG_ENABLE_OTA_REQUESTOR` config option is enabled to turn
  on the OTA requestor feature.
- Currently all-clusters-app, lighting-app, and ota-requestor-app support OTA
  requestor functionality.
- Build and flash any supported app, and commission it.

## Setup OTA Provider app

Set up any one of the OTA Provider apps, commission it, and install the
appropriate access control list.

- [Linux OTA Provider](../../../examples/ota-provider-app/linux)
- [ESP32 OTA Provider](../../../examples/ota-provider-app/esp32)

## Query for an OTA Image

### Using Console

After commissioning is successful, read the default-otaproviders list of the
requestor using the command below.

```
./out/debug/chip-tool otasoftwareupdaterequestor read default-otaproviders <REQUESTOR NODE ID> 0
```

If the list does not contain your provider, write it into the
default-otaproviders list of the requestor using the command below.

```
./out/debug/chip-tool otasoftwareupdaterequestor write default-otaproviders '[{"fabricIndex": 1, "providerNodeID": <PROVIDER_NODE_ID_1>, "endpoint": 0}, {"fabricIndex": 1, "providerNodeID": <PROVIDER_NODE_ID_2>, "endpoint": 0}]' <REQUESTOR_NODE_ID> 0
```

Press Enter in the requestor device console and type the query below.

```
>matter ota query
```

Once the transfer is complete, the OTA requestor sends an ApplyUpdateRequest
command to the OTA provider to apply the image. The device restarts once the OTA
image has been applied successfully.

### Using chip-tool

After commissioning is successful, announce the OTA provider's presence using
chip-tool. On receiving this command, the OTA requestor queries for an OTA
image.

```
./out/debug/chip-tool otasoftwareupdaterequestor announce-otaprovider <PROVIDER NODE ID> 0 0 0 <REQUESTOR NODE ID> 0
```

## Encrypted OTA

ESP32 supports transferring encrypted OTA images. Currently, an application
image can be encrypted/decrypted using an RSA-3072 key pair.

### Firmware Changes

- Enable configuration options for OTA requestor and Encrypted OTA:

    ```
    CONFIG_ENABLE_OTA_REQUESTOR=y
    CONFIG_ENABLE_ENCRYPTED_OTA=y
    ```

- Applications need to provide the key pair to the OTA image processor using
  the `InitEncryptedOTA()` API to decrypt the received OTA image.

- For testing purposes, `examples/lighting-app/esp32` contains logic that
  embeds the private key in the firmware. For a quick test, generate the key
  pair, rename it to `esp_image_encryption_public_key.pem`, and copy it to the
  `examples/lighting-app/esp32` directory.

Follow the steps below to generate an application image for OTA upgrades:

1. Generate a new RSA-3072 key pair or use an existing one.

    - To generate a key pair, use the following command:

        ```
        openssl genrsa -out esp_image_encryption_key.pem 3072
        ```

    - Extract the public key from the key pair:

        ```
        openssl rsa -in esp_image_encryption_key.pem -pubout -out esp_image_encryption_public_key.pem
        ```

2. Encrypt the application binary using the
   [esp_enc_img_gen.py](https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img/tools/esp_enc_img_gen.py)
   script.

    - Use the following command to encrypt the OTA image with the public key:

        ```
        python3 esp_enc_img_gen.py encrypt lighting-app.bin esp_image_encryption_public_key.pem lighting-app-encrypted.bin
        ```

    - Append the Matter OTA header:

        ```
        src/app/ota_image_tool.py create --vendor-id 0xFFF1 --product-id 0x8000 --version 2 --version-str "v2.0" -da sha256 lighting-app-encrypted.bin lighting-app-encrypted-ota.bin
        ```

3. Use the `lighting-app-encrypted-ota.bin` file with the OTA Provider app.
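
Before handing `lighting-app-encrypted-ota.bin` to the OTA Provider, it is worth checking that the Matter OTA header carries the intended vendor ID, product ID and software version, and that its sha256 digest matches the (encrypted) payload it was appended to. The following is an added example, not code from the Matter or Espressif projects: the file identifier, the `<IQI` fixed header, the TLV tag numbers and digest type 1 for sha256 are assumptions about the Matter OTA file format that this page does not state, and `parse_ota_header`, `check_image` and `build_sample` are hypothetical names.

```python
import hashlib
import struct

FILE_ID = 0x1BEEF11E  # Matter OTA file identifier (assumption, not stated on the page)
TAGS = {0: "vendor_id", 1: "product_id", 2: "version", 3: "version_str",
        4: "payload_size", 8: "digest_type", 9: "digest"}

def parse_ota_header(image):
    """Return (fields, payload); raise ValueError on a malformed image."""
    try:
        file_id, total, hlen = struct.unpack_from("<IQI", image)
        tlv, pos, fields = image[16:16 + hlen], 1, {}
        if file_id != FILE_ID or total != len(image) or 16 + hlen > total or tlv[0] != 0x15:
            raise ValueError("bad fixed header or TLV structure start")
        while tlv[pos] != 0x18:  # 0x18 closes the header structure
            ctrl, tag, pos = tlv[pos], tlv[pos + 1], pos + 2
            if ctrl not in (0x24, 0x25, 0x26, 0x27, 0x2C, 0x30):  # context tag + uint/string
                raise ValueError(f"unsupported TLV element {ctrl:#x}")
            if ctrl >= 0x2C:  # UTF-8 (0x2C) or byte string (0x30) with a 1-byte length
                n, pos = tlv[pos], pos + 1
            else:  # unsigned integer of 1, 2, 4 or 8 bytes
                n = 1 << (ctrl - 0x24)
            raw, pos = tlv[pos:pos + n], pos + n
            if len(raw) != n:
                raise ValueError("truncated TLV element")
            fields[TAGS.get(tag, tag)] = raw if ctrl >= 0x2C else int.from_bytes(raw, "little")
    except (IndexError, struct.error):
        raise ValueError("truncated image") from None
    return fields, image[16 + hlen:]

def check_image(image, vendor_id, product_id, running_version):
    """Return a list of problems; an empty list means the image matches."""
    f, payload = parse_ota_header(image)
    checks = {
        "vendor/product id mismatch": (f.get("vendor_id"), f.get("product_id")) == (vendor_id, product_id),
        "version not newer than running firmware": f.get("version", 0) > running_version,
        "payload size mismatch": f.get("payload_size") == len(payload),
        "sha256 digest mismatch": f.get("digest_type") == 1
        and f.get("digest") == hashlib.sha256(payload).digest(),
    }
    return [problem for problem, ok in checks.items() if not ok]

def build_sample(payload, version=2):
    """Constructed sample image with the values of the create command above."""
    u = lambda ctrl, tag, v, n: bytes([ctrl, tag]) + v.to_bytes(n, "little")
    s = lambda ctrl, tag, v: bytes([ctrl, tag, len(v)]) + v
    tlv = (b"\x15" + u(0x25, 0, 0xFFF1, 2) + u(0x25, 1, 0x8000, 2) + u(0x26, 2, version, 4)
           + s(0x2C, 3, b"v2.0") + u(0x27, 4, len(payload), 8) + u(0x24, 8, 1, 1)
           + s(0x30, 9, hashlib.sha256(payload).digest()) + b"\x18")
    return struct.pack("<IQI", FILE_ID, 16 + len(tlv) + len(payload), len(tlv)) + tlv + payload
```

For a real image, read the file as bytes and call `check_image(data, 0xFFF1, 0x8000, running_version)` with the version currently on the device; the digest check covers only the payload after the header, so it detects corruption of the encrypted binary but does not replace the decryption and validation done on the device.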