How to Verify OTA Image

LPWAN Modules / EVBs RAK11720
1

Hi,

I’m trying to figure out how to verify the image we upload via (BLE). Is there a way to generate signed images and is there a mechanism to allow only us to update the device?

I was reading about ambiq secure ota, looks like there are some keys that can be used to verify the authenticity of the OTA image? How would I generate new keys and include the new key during compilation?

1 Like
2

came across a keys_info0.py file that contains the following:

from am_defines import *

minAesKeyIdx = 8
maxAesKeyIdx = 15
minHmacKeyIdx = 8
maxHmacKeyIdx = 15

###### Following are just dummy keys - Should be substituted with real keys #######
keyTblAes = [
        # Info0 Keys - Starting at index 8
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
        0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
        0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55,
        0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
        0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5,
        0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
        0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE,
    ]

keyTblHmac = [
        # Info0 Keys - Starting at index 8
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
        0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55,
        0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE,
    ]

custKey = [
        0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE,
    ]

# These are dummy values. Contact AMBIQ to get the real Recovery Key
recoveryKey = [
        0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE,
    ]

###################################################################################

wrapKey                     = custKey
minWrapMode                 = AM_SECBOOT_KEYWRAP_NONE

INFO_KEY                    = 0xd894e09e
FLASH_KEY                   = 0x12344321```

is this relevant?
3

Hi @sabith-atlaslabs

I will check your case.

Best regards,
Sercan.

4

Hi @sabith-atlaslabs,

Unfortunately, I want to inform you that I am also not able to prepare a secure OTA sample. However, I want to give information you about steps how I am preparing OTA images. Maybe, this can help you to find a way. By the way, while changing/programming info0 file, there can be chance to brick module. This is your own risk.

Before starting, I want to simply describe RAK11720 flash placement.

Ambiq Internal/Secure Bootloader: It covers flash area from 0x00 to 0xC000. It is managing dual bank swap operations according to info0 file.
RAK Internal Bootloader: It is from 0xC000 to 0x14000 address. It is managing over the UART update for Arduino IDE. If you send AT+BOOT command, you can jump to this bootloader.

For OTA operations, you must use dual bank placement. So, your application code size must be smaller than 448kB. To use secure OTA, you must create your own info0.bin file with following python script. I used pycryptodome python package to create it. Please do not use pycrypto or Crypto python packages. You can find key files inside keys_info.py. I used following command to create info.bin file:

Screenshot 2025-03-10 at 21.32.12
Screenshot 2025-03-10 at 21.32.121712×616 72.9 KB

After that, you must program your own info0.bin by using jlink-prog-info0.txt file over J-Link.

Now, you are ready to create OTA package.

Screenshot 2025-03-10 at 21.33.14
Screenshot 2025-03-10 at 21.33.141504×754 82.3 KB

You can test to update MCU via this OTA package by using J-Link with jlink-ota.txt file. Unfortunately, if I enabled security options, I am not able to update Rak11720. When I close these, I am able to update MCU over BLE.

If you want to update it over BLE with Android application, you must use following python script.

Screenshot 2025-03-10 at 22.02.59
Screenshot 2025-03-10 at 22.02.591524×420 57.9 KB

I am sorry about the current condition. My recommendation to you is to get direct support from Ambiq Micro. If I can get any solution, I will inform you.

Best regards,
Sercan.