NEED HELP WITH FOTA VIA DEVICE PROVISIONING ON MY NRF7002DK - AZURE FOTA - IOT HUB

Hello, I'm trying to do the FOTA via Azure IoT Hub, except I can't. I don't know if I'm doing it wrong, because I followed the doc Azure FOTA https://shorturl.at/fsAJ1 as well as Azure IoT Hub https://shorturl.at/eoT57; maybe I missed something.

sdk 2.5.99-dev1

I would like to add this, when I try to download the zephyr.bin on my Azure

<err> download_client: Unable to connect, errno 113
[00:00:44.678,955] <err> fota_download: Download client error
[00:00:44.689,544] <err> azure_fota: FOTA download failed

If you need more information, I'm open, thank you, I hope to find a solution :)

  • Hi,

    When you repeatedly edit the ticket, it makes it hard for us to follow the history and development of the issue.

    In one of your previous images, it looked like you were able to download the new image. Has that changed, or do I remember the old image incorrectly?

    113 is ECONNABORTED, with the explanation "Software caused connection abort". My first guess is that something is wrong with the credentials you have written to the device.

    Best regards,

    Didrik

  • Hi Didrik,

    I hope this message finds you well. I'm reaching out to discuss the Azure IoT Hub + DPS + FOTA sample that your team provided. We appreciate your efforts in sharing this resource. However, we're encountering some challenges in implementing it effectively.

    Our team has been diligently working to follow the sample, particularly regarding the use of DPS as the provisioning point and the FOTA for firmware updates. Unfortunately, the current documentation doesn't seem to provide the level of detail necessary for us to replicate the process successfully.

    To enhance our understanding and expedite the deployment, it would be immensely helpful if you could confirm that someone from your team has successfully tested this sample. Could you try it yourself? Moreover, could you provide a step-by-step guide detailing the Azure configurations and processes your team followed? Specific areas where we require further clarity include:

    1. The Kconfig settings necessary for integrating with DPS and FOTA.
    2. The exact Azure certificates used in the setup, what certificate and rootCA were used where.
    3. The configurations related to CONFIG_FOTA_SEC_TAG, CONFIG_MQTT_HELPER_SEC_TAG, and CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG.

    Given the current state of the documentation, I'm concerned that others attempting to use your sample might face similar roadblocks. Comprehensive guidance would not only benefit our team but also enhance the overall utility of the sample for everyone involved.

    If providing such detailed information is not feasible, we might consider developing a custom wrapper around the Azure library to meet our needs. However, I'm optimistic that with your team's expertise and support, we can effectively utilize the existing resources.

    Thank you in advance for your attention to this matter. I look forward to your response and any additional insights your team can offer to facilitate a smoother implementation process on our end.

    Best regards,
    Actif

  • Hi,

    I think this should have been posted as a separate ticket, but I'll try to answer it here anyway, and hopefully  can find some guidance in the answer too.

    Firstly, the Azure IoT Hub sample is tested for every NCS release. If it doesn't work as expected and documented, it is reported in the "Known issues" section of the NCS docs: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/releases_and_maturity/known_issues.html

    To your questions:

    1.
    The Azure IoT Hub sample contains the required Kconfig options. For nRF7002 DK, you can see the FOTA options here: https://github.com/nrfconnect/sdk-nrf/blob/v2.5.1/samples/net/azure_iot_hub/boards/nrf7002dk_nrf5340_cpuapp.conf#L86.
    For DPS, the basic set of options is here: https://github.com/nrfconnect/sdk-nrf/blob/v2.5.1/samples/net/azure_iot_hub/overlay-dps.conf

    Note that you will have to take root CAs for the TLS connection into account for both, which may affect your Kconfig options, answered in more detail below.

    2. and 3.
    For FOTA, CONFIG_AZURE_FOTA_SEC_TAG has to be configured to a sec tag where you plan to put the root CA for the FOTA server. If you use Azure blob storage, this may be set to the sec tag where you have Baltimore root cert installed.

    For DPS, you can use the CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG to set the sec tag for the root certificate if it differs from the IoT Hub root CA. As of today, DPS still uses Baltimore CyberTrust certificate, but this will change as that certificate expires in May 2025 and that has to be planned for.

    This means that if you use Azure blob storage and DPS, you can configure the sec tags to be the same and install Baltimore root cert to that sec tag. You can do that by enabling MQTT_HELPER_PROVISION_CERTIFICATES (default enabled for nRF7002 DK) and putting the certificate in an included header file called ca-cert-2.h.


    I hope this clears up things a bit. If not, please don't hesitate to ask again.

    Kind regards,

    Jan Tore

  • Hello Jan Tore,

    Thank you for providing such a detailed answer to my query. As it turns out, it ended up being a separate ticket, and I have included the link to it in case you want to check it out.


    Azure IoT Hub sample, integration of DPS and FOTA not working 

    I wanted to bring to your attention the issue we often face while using the Nordic sample. There is a significant gap in explaining the steps involved, which can sometimes hinder our understanding of the product. While I understand that your team cannot support all external platforms and solutions, I believe that comprehensive documentation of your product's workings is essential for customers to keep up with your product and team.

    A complete and thorough walkthrough of your sample would be highly beneficial for both Nordic and its customers. Your product would gain faster traction, and we, as customers, could experience the benefits of the Nordic platform without facing constant development delays and other problems.

    For instance, your Azure IoT hub sample doesn't touch on the Azure platform usage, but your team did have to interact with it to validate your solution. How can we expect to replicate your solution architecture if it is not explicitly described and explained? Joining a solution diagram could also be beneficial.

    Thank you for taking the time to read my message.

    Regards,
    Vincent

  • Thanks for your feedback, Vincent! It's valuable for us to understand how to make the documentation better.

    In the Azure IoT Hub sample docs, there's a link to the Azure IoT Hub library documentation where IoT Hub setup is presented: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/libraries/networking/azure_iot_hub.html#prereq-connect-to-azure-iot-hub

    There, we link to Azure's own documentation on how to set up an account and IoT Hub, which is how we do it ourselves when testing: https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-create-through-portal

    In addition, our own docs have some additional details on the credentials part and how to use Azure's portal and tools to add those. The challenge with this is that it can get outdated and out of sync with Azure's side of things. We've tried to hit a good compromise here, between pointing to external sources that are always up to date and adding some guidance to Azure's docs, but we might have missed the target.

    I tested the Azure IoT Hub sample today for nRF7002 DK on NCS v2.5.1, with DPS and FOTA. It worked according to the explanations in the sample docs. I did note some improvements that we will make to the docs for the next NCS release (v2.6.0), related to credentials and where we place the links mentioned above.

    If you still have issues with Azure IoT Hub + DPS + FOTA, please raise a new ticket and I will follow up. If you do that, please enable the following Kconfig options to get some more logging and share the logs:

    CONFIG_AZURE_IOT_HUB_LOG_LEVEL_DBG=y
    CONFIG_AZURE_FOTA_LOG_LEVEL_DBG=y

    Best regards,

    Jan Tore

  • Hello, thank you for your nice explanation, it is appreciated.

    I use the same certificates for DPS and FOTA. It works with DPS, so I get the telemetry, and for FOTA I get the error mentioned above.

    I'm using blob storage to host my binary file that I need to flash later via FOTA. Do I need to specify a certificate from the blob storage server, or is the DPS certificate used directly by blob storage?

  • I hope to get an answer as soon as possible :)

  • I can't guarantee that blob storage and DPS use the same certificates in all instances, but in the common case and today that is the case. Keep in mind, though, that this will not last for long. DPS will soon be transitioning to DigiCert Global Root G2, same as IoT Hub: https://techcommunity.microsoft.com/t5/internet-of-things-blog/azure-iot-tls-critical-changes-are-almost-here-and-why-you/ba-p/2393169

    That should not be a problem, as you already have that certificate in place in order to be able to connect to the IoT Hub at all.

    When it comes to the error that you see, I think this is because CONFIG_AZURE_FOTA_SEC_TAG is pointing to the wrong sec tag. In this case, and provided that your blob storage instance indeed uses Baltimore CyberTrust root CA, it should be set to the sec tag where you have provisioned that certificate:

    • If you have placed the Baltimore certificate in "ca-cert.pem", then you should set CONFIG_AZURE_FOTA_SEC_TAG to the same value as CONFIG_MQTT_HELPER_SEC_TAG.
    • If the certificate is in "ca-cert-2.pem", CONFIG_AZURE_FOTA_SEC_TAG should be set to the value of CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG.
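
The sec tag rule from the reply above, checked against merged Kconfig fragments, as an added example that is not part of the thread or of the nRF Connect SDK. It assumes the caller states which PEM file holds the root CA of the FOTA host; the fragment names and contents are constructed, and Kconfig defaults are not consulted.

```python
import re

# Rule from the reply above: the PEM file a root CA is placed in decides
# which Kconfig option names the sec tag it is provisioned to.
PEM_TO_TAG_OPTION = {
    "ca-cert.pem": "CONFIG_MQTT_HELPER_SEC_TAG",
    "ca-cert-2.pem": "CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG",
}
FOTA_OPTION = "CONFIG_AZURE_FOTA_SEC_TAG"
ASSIGN = re.compile(r"^\s*(CONFIG_[A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def merge_fragments(fragments):
    """Collect assignments from (name, text) fragments in the order applied.

    Returns {option: [(fragment_name, value), ...]}; the last entry wins.
    """
    history = {}
    for name, text in fragments:
        for line in text.splitlines():
            m = ASSIGN.match(line)  # comment and blank lines do not match
            if m:
                history.setdefault(m.group(1), []).append((name, m.group(2).strip('"')))
    return history


def check_fota_sec_tag(fragments, fota_root_ca_pem):
    """Return findings for the FOTA sec tag; an empty list means consistent."""
    history = merge_fragments(fragments)
    wanted_option = PEM_TO_TAG_OPTION[fota_root_ca_pem]
    findings = [f"{opt} is not assigned in any fragment (default not checked)"
                for opt in (FOTA_OPTION, wanted_option) if opt not in history]
    if findings:
        return findings
    fota_src, fota_tag = history[FOTA_OPTION][-1]
    wanted_tag = history[wanted_option][-1][1]
    if fota_tag != wanted_tag:
        findings.append(f"{FOTA_OPTION}={fota_tag} (from {fota_src}) but "
                        f"{fota_root_ca_pem} goes to {wanted_option}={wanted_tag}")
    earlier = {value for _, value in history[FOTA_OPTION][:-1]} - {fota_tag}
    if earlier:  # a later fragment silently replaced the intended tag
        findings.append(f"{FOTA_OPTION} overridden by {fota_src}; earlier: {sorted(earlier)}")
    return findings


# Constructed fragments (file names are hypothetical), applied in this order.
BASE = ("CONFIG_MQTT_HELPER_SEC_TAG=10\nCONFIG_MQTT_HELPER_SECONDARY_SEC_TAG=11\n"
        "CONFIG_AZURE_FOTA_SEC_TAG=11\n")
OVERLAY = "# FOTA tag\nCONFIG_AZURE_FOTA_SEC_TAG=10\n"
SAMPLE = [("base.conf", BASE), ("overlay-local.conf", OVERLAY)]

if __name__ == "__main__":
    for finding in check_fota_sec_tag(SAMPLE, "ca-cert-2.pem"):
        print(finding)
```
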
  • Here's my configuration for FOTA and DPS

    CONFIG_AZURE_IOT_HUB_DPS=y


    # ID scope can be omitted and supplied at runtime
    CONFIG_AZURE_IOT_HUB_DPS_ID_SCOPE=""
    CONFIG_AZURE_IOT_HUB_HOSTNAME=""

    #We use the device ID in our case
    CONFIG_AZURE_IOT_HUB_SAMPLE_DEVICE_ID_USE_HW_ID=n
    CONFIG_AZURE_IOT_HUB_DPS_REG_ID="device-0000002"


    CONFIG_MQTT_HELPER_PROVISION_CERTIFICATES=y
    CONFIG_MQTT_HELPER_SEC_TAG=10
    CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG=11
    CONFIG_MQTT_HELPER_STACK_SIZE=16384
    CONFIG_TLS_MAX_CREDENTIALS_NUMBER=6

    # FOTA
    CONFIG_AZURE_FOTA=y
    CONFIG_AZURE_FOTA_TLS=y
    CONFIG_AZURE_FOTA_APP_VERSION_AUTO=n
    CONFIG_AZURE_FOTA_APP_VERSION="v0.0.0"

    #FOTA TAG
    CONFIG_AZURE_FOTA_SEC_TAG=10

    # Change the security tag for the tag where certificates are provisioned
    # for the server where the FOTA image is hosted
    #
    CONFIG_BOOTLOADER_MCUBOOT=y
    CONFIG_FOTA_DOWNLOAD=y
    CONFIG_DFU_TARGET=y
    CONFIG_MCUBOOT_IMG_MANAGER=y
    CONFIG_IMG_MANAGER=y
    CONFIG_STREAM_FLASH=y
    CONFIG_FLASH_MAP=y
    CONFIG_FLASH=y
    CONFIG_IMG_ERASE_PROGRESSIVELY=y
    CONFIG_DOWNLOAD_CLIENT=y
    CONFIG_DOWNLOAD_CLIENT_STACK_SIZE=4096

    This is how my certificate files are reported
    ca-cert-2.pem
    private-key.pem
    ca-cert.pem
    client-cert.pem

    You can see the tags
    CONFIG_MQTT_HELPER_SEC_TAG=10
    CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG=11

    and my FOTA TAG
    CONFIG_AZURE_FOTA_SEC_TAG=10
    at 10 or 11, it doesn't work any more.

    I feel like I'm missing something, I'm not sure what.

  • Do I need to do any configuration on Azure DPS and blob storage, like a link or something? If so, which ones, as I don't know because I've just created a blob storage as a resource and put its link and the path of my .bin in my twin device.

  • I think we'll need some more information about your blob storage and device twin. You can create a new private ticket and share the content of the firmware object in the device twin, and then we can take it from there.
