Downgrade protection works only for the app_core image and not for the net-core image

Hello,

we are using the nrf5340 and the ncs Version 2.6.1.

I activated the software downgrade protection as described here Downgrade protection (nordicsemi.com)

Then I made some simultaneous FOTA updates (App-image + Net-image) by using the nRF Connect app with different versions.

What I see is that the downgrade protection works for the App-image. It is not possible to update an App-image V2.0.0 with an App-image V1.0.0.

But it is possible to downgrade the Net-image V2.0.0 with the Net-image V1.0.0.

How can I activate the downgrade protection also for the net-core?

 

Best regards,

Georg

  • Hi, 

    Do you test the MCUBoot version by adjusting CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE?

    How do you check the version number? You can check the version by 

    imgtool verify build/zephyr/net_core_app_update.bin

    Regards,
    Amanda H.

  • Hi,

    I checked the version information by looking into the header of the net_core_app update.bin file.  

    Here are the configuration switches which I have added to activate the downgrade prevention:

    CONFIG_BOOT_VERSION_CMP_USE_BUILD_NUMBER=y
    CONFIG_MCUBOOT_DOWNGRADE_PREVENTION=y

    In the build configuration I added:

    -DSB_CONFIG_MCUBOOT_MODE_OVERWRITE_ONLY=y

    And there is also a VERSION file which looks like this:

    Some additional information:

    We are using a serial external flash to store the secondary images of the app-core and the net-core.

    After making a simultaneous update by using dfu_application.zip, it seems that the header information of the net_core_app_update.bin is corrupt when looking into the memory of the nrf5340-net-core. So there is no version information any more.

    When looking into the memory of the app-core the header information seems to be ok.

    Best regards,

    Georg
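
Added example, not part of the original posts and not Nordic's or MCUboot's own code: a short Python reader for the MCUboot image header that extracts the version of an image such as net_core_app_update.bin and classifies a candidate update, reporting separately the case where no valid header is found. The helper names, the constructed sample images, and the rule that only a strictly lower version counts as a downgrade are assumptions of this example.

```python
import struct
from typing import NamedTuple, Optional

IMAGE_MAGIC = 0x96F3B83D  # magic word at offset 0 of an MCUboot image header
# Little-endian header fields: magic, load_addr, hdr_size, protect_tlv_size,
# img_size, flags, then version as major(u8) minor(u8) revision(u16) build(u32).
HEADER = struct.Struct("<IIHHIIBBHI")


class ImageVersion(NamedTuple):
    major: int
    minor: int
    revision: int
    build_num: int


def read_version(blob: bytes) -> Optional[ImageVersion]:
    """Return the header version, or None when no valid header is present."""
    if len(blob) < HEADER.size:
        return None
    magic, _load, hdr_size, _tlv, _size, _flags, *ver = HEADER.unpack_from(blob)
    if magic != IMAGE_MAGIC or hdr_size < HEADER.size:
        return None
    return ImageVersion(*ver)


def classify_update(running: bytes, candidate: bytes,
                    use_build_number: bool = True) -> str:
    """Compare two images the way a version-based downgrade check would."""
    cur, new = read_version(running), read_version(candidate)
    if cur is None or new is None:
        return "no-valid-header"  # no version available to compare against
    # Assumption: the build number takes part only when
    # CONFIG_BOOT_VERSION_CMP_USE_BUILD_NUMBER=y, and equal versions pass.
    n = 4 if use_build_number else 3
    return "downgrade" if new[:n] < cur[:n] else "allowed"


def make_image(major: int, minor: int, revision: int, build: int) -> bytes:
    """Constructed sample: 32-byte header (28 bytes + pad) and dummy payload."""
    hdr = HEADER.pack(IMAGE_MAGIC, 0, 32, 0, 16, 0, major, minor, revision, build)
    return hdr + b"\x00" * 4 + b"\xAA" * 16


if __name__ == "__main__":
    net_v1, net_v2 = make_image(1, 0, 0, 0), make_image(2, 0, 0, 0)
    erased = b"\xff" * 48  # constructed: header area reads back as erased flash
    print(classify_update(net_v2, net_v1))  # V2 running, V1 offered
    print(classify_update(erased, net_v1))  # no readable version in the slot
```
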

  • Please use CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE for the MCUBoot version control, and then check by 

    imgtool verify build/zephyr/net_core_app_update.bin

  • Hi,

    I added the "CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE =20" in the mcu_boot.conf. But this does not solve the problem.

    I read out the version of the net_core_update bin and I see the correct version.

    Is there a tool to read out the version of the current programmed app-/net-image in the nrf5340?

    Now I want to describe what I am doing in detail.

    I have 4 bin files:

    app_update.bin Version V1.0 let's call it appV1

    net_core_app_update.bin Version V1.0 let's call it netV1

    app_update.bin Version V2.0 let's call it appV2

    net_core_app_update.bin Version V2.0 let's call it netV2

    and there are 2 zip files

    dfu_application.zip Version V1.0 let’s call it zipV1 containing appV1 and netV1

    dfu_application.zip Version V2.0 let’s call it zipV2 containing appV2 and netV2

    1. When starting the nrf 5340 is programmed with the appV1 and the netV1 images.
    2. Then I transferred the zipV2 to my mobile and made a firmware update over bluetooth with the
      nrf connect app. Now the nrf 5340 is programmed with the appV2 and the netV2 images. Everything is ok.
    3. I do step 2 with zipV1
    4. Now the nrf 5340 is programmed with the appV2 and netV1 images. This is the problem, the downgrade prevention works for the app-core but not for the net-core. The net-core was downgraded.
    5. step 2 with zipV2
    6. Now the nrf 5340 is programmed with the appV2 and the netV2 images. Everything is ok.
    7. step 2 with netV1
    8. Now the nrf 5340 is programmed with the appV2 and netV2 images. The downgrade prevention works for the net-core when transferring a single bin-file instead of a zip file.

    What to do to get the downgrade prevention working for net-core in combination with a zip-file firmware update?

    Best regards,

    Georg

  • Hi, 

    Georg said:
    Is there a tool to read out the version of the current programmed app-/net-image in the nrf5340 ?

    You can read the image version with the nRF Device app or get the version number in the code.  

    Georg said:
    Now the nrf 5340 is programmed with the appV2 and netV1 images. This is the problem, the downgrade prevention works for the app-core but not for the net-core. The net-core was downgraded.

    How do you check the version on the netcore?

    -Amanda H.
