• State Verified Answer
  • Replies 6 replies
  • Subscribers 71 subscribers
  • Views 479 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 332734
Options

Thingy91: Serial Timeout when running Claiming and Provisioning python script

nobuddy

Hi Dev Team,

I am trying reprovision my Thingy91 so that I may generate a JWT signed with a device key to use A-GNSS and REST FOTA.

I have been following the guide for nRF Cloud Device Provisioning. All steps were successful up until I tried to run the claim_and_provision_device.py. I would get a serial timeout at AT%ATTESTTOKEN. The error reads:

C:\Users\x\Nordic\cell-fund\utils-master\python\modem-firmware-1.3+>python ./claim_and_provision_device.py --api_key *redacted* --ca ./*redacted*_ca.pem --ca_key ./*redacted*_prv.pem

Loading CA and key...
Opening serial port...
Available ports:
 1: COM8                 Thingy:91
Selected serial port: COM8

Disabling modem...
-> at AT+CFUN=4

Serial timeout
-> at AT%ATTESTTOKEN
String b'%ATTESTTOKEN: ' not detected in line b'ERROR\r\r\n'
ATTESTTOKEN command failed

The Thingy91 firmware is up to date (mfw_nrf9160_1.3.5) and I'm building the projects on nRF SDK v2.6.1

I thought the issues might be:

  1. Wrong/invalid API key and certificates
    • I triple checked my API key (copy/pasted and hand-typed), autocompleted any certificate paths, and tried cert arguments with the equal signs similar to the example code in the github repo
    • python3 ./claim_and_provision_device.py --apikey $API_KEY --ca=./ca.pem --ca_key=ca_prv_key.pem
  2. Interference caused by build
    • I ran both the nRF Device Provisioning sample built with prj.conf settings specified in the repo and the cellfund_less2_exer2 solution because it was minimal and barebones.

None of the above resolved the ATTESTTOKEN issue.

It might be worth noting that in nRF Cloud, I have my device listed twice - the first for the initial thingy91 setup, and the second for the reprovisioning.

Hoping you can provide some guidance.

Parents
  • 0

    Hello  .  I saw a nearly identical issue raised in the github repository for this script, and I answered it there:
    https://github.com/nRFCloud/utils/issues/42#issuecomment-2338809075


    The issues 1 and 2 you mention are unrelated. You have a serial communications issue so none of those options matter.

    Regarding having the device listed twice, I recommend removing both devices listed before running the script again, once you resolve the serial communications issue. The certificates needed for the old device ID will be overwritten in the device, so that old ID will no longer work.

    Make sure you consider what kind of device ID you want the device to use with nRF Cloud. By default, the claim_and_provision_device.py script assumes it will use a UUID-style device ID. In order to use an nrf-IMEI style ID, the the options: --id_imei --id_str nrf-

Reply
  • 0

    Hello  .  I saw a nearly identical issue raised in the github repository for this script, and I answered it there:
    https://github.com/nRFCloud/utils/issues/42#issuecomment-2338809075


    The issues 1 and 2 you mention are unrelated. You have a serial communications issue so none of those options matter.

    Regarding having the device listed twice, I recommend removing both devices listed before running the script again, once you resolve the serial communications issue. The certificates needed for the old device ID will be overwritten in the device, so that old ID will no longer work.

    Make sure you consider what kind of device ID you want the device to use with nRF Cloud. By default, the claim_and_provision_device.py script assumes it will use a UUID-style device ID. In order to use an nrf-IMEI style ID, the the options: --id_imei --id_str nrf-

Children
  • 0 in reply to Pete Skeggs

    Addendum:
    A colleague pointed out the most obvious problem, however. The nRF Cloud device provisioning service does not support the nRF9160, but only the nRF9151 and nRF9161. See: docs.nordicsemi.com/.../README.html

    But, the device_credentials_installer.py script does support all nRF91 families running modem firmware >= 1.3.0, and will use a securely generated device private key which is locked inside the modem and is not vulnerable to extraction. The JWT will then be signed by the private key.

  • 0 in reply to Pete Skeggs

    That was me -- I also posted on the github repo in case it was an issue. The Decision flow for nRF Cloud Provisioning JWT mentions "nRF9160 DK and Thingy:91 shipped with RSA256 must be reprovisioned to get ES256 certificate" so I thought the script supported it.

    I confirmed I have no issues communicating with the Thingy:91 on COM8 and updated the firmware on the nRF52840, see images below.

    I then:

    1. removed both devices listed in my nRF cloud,
    2. reran the device_credentials_installer.py and nrf_cloud_onboard.py,
    3. rebuilt the Thingy91 with the nRF provisioning sample,
    4. ensured I still could communicate through serial via nRF Serial Terminal,
    5. disconnected the device, and
    6. ran the nrf_claim_and_provision_device.py with the same error, see image below

    This seems to confirm nRF9160 isn't supported.

    If it isn't supported but the script can generate a JWT for private keys, what is the next step to get JWT authentication working? Can I continue following the flow chart and try one of the JWT samples for authorization? Or should I continue with the JWT authentication for nRF Cloud? Or are there other steps I need to take specific for the nRF9160?

  • +1 in reply to nobuddy

    Hello. I did not realize you were following that Miro diagram and "JWT authentication" document. These are unnecessary to follow to accomplish your goal. They are only provided to give a curious user a deep explanation into all the options for provisioning and how JWTs work in a general sense with nRF Cloud. In fact, the note on the "JWT authentication" document states:

    Note:

    This guide is not a tutorial, and does not model real-world use cases with specific hardware.
    Instead, this guide provides a conceptual understanding of JWT authentication on nRF Cloud using tokens that you generate using an online tool.

    The device provisioning service is definitely not required to use JWTs. You do not need to run the nRF provisioning sample. You do not need to use a script to generate a JWT to use with your Thingy:91. You only need to have ES256 certificates and  modem firmware >= 1.3.0 installed in the device. The device_credentials_installer.py script will install ES256 certificates for you.

    Note that in your new screenshot of the terminal output, it is still having serial communication issue -- it says "Serial timeout". What application was installed on your Thingy:91 when you ran this script?

    After you used the device_credentials_installer.py and ran nrf_cloud_onboard.py, you should see your device listed again in your nRF Cloud account. Do you? I suspect they failed, because you likely had the nRF provisioning sample present. The interactive shell is not supported by device_credentials_installer.py -- it sends raw modem AT commands, not shell commands, to the device. 

    If your device is not listed in your account, please first install the AT client sample which the device_credentials_installer.py script needs for it to run properly. A precompiled copy of the AT client sample is available in the Thingy:91 downloads .zip file here: https://www.nordicsemi.com/Products/Development-hardware/Nordic-Thingy-91/Download#infotabs.

    Please rerun those two scripts and share the full output of each. Also tell me if you now see your device listed again in your account.
     
    Once your device is listed, your device is fully ready to use JWTs. The nrf_cloud_jwt library does this for you. This library is automatically used in our sample applications for REST: nrf_cloud_rest_fota, nrf_cloud_rest_device_message, and nrf_cloud_rest_cell_location, and location samples. You only need to compile and flash one of these samples to try it out.

    Please see this more-relevant documentation:
    https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/external_comp/nrf_cloud.html
    https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/libraries/networking/nrf_cloud_rest.html
    https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/samples/cellular/nrf_cloud_rest_fota/README.html

  • 0 in reply to Pete Skeggs
    Pete Skeggs said:
    What application was installed on your Thingy:91 when you ran this script?

    The nRF Provision sample, as mentioned in step 3 of my previous comment. 

    Pete Skeggs said:
    you should see your device listed again in your nRF Cloud account. Do you? I suspect they failed,

    I do see it, but many fields are clear or unknown, not sure if this is considered failed or not. At the time of my previous message when the device_credential_installer.py script was ran, the script outputted Credential verification: PASS. The Onboarding python script showed onboard API call request: 202 - Accepted, and Status SUCCEEDED, Error Count 0, and nrf-"", OK. 

    Nonetheless, I will start again, remove the device from my nrf Cloud, install the at_client sample, and rerun the device_credential_installer.py. Below is the output of the script with redactions:

    Loading CA and key...
Creating device certificate...
Writing CA cert(s) to device...
<- OK

Writing dev cert to device...
<- OK

Verifying credentials...
<- OK

Verifying Client Cert
<- OK

Verifying Private Key
<- OK

Private Key exists, SHA not verified
Credential verification: PASS
Saving nRF Cloud device onboarding CSV file onboard.csv...
--- File onboard.csv exists; overwrite, append, or quit (y,a,n)? y
Onboarding CSV file saved, row count: 1

    I then reran the onboarding script, outputs with redaction:

    Devices to be onboarded: 1
Onboarding API call result: 202 - Accepted
Response: {"bulkOpsRequestId":""}
Fetching results for bulkOpsRequestId: 
Waiting 5s...
Onboarding status: SUCCEEDED

CSV-formatted results:
bulkOpsRequestId,
status,SUCCEEDED
endpoint,ONBOARD_DEVICES
requestedAt,2024-09-11T02:11:55.686Z
completedAt,2024-09-11T02:11:57.551Z
uploadedDataUrl,https://bulk-ops-requests.nrfcloud.com/
Error count,0

Device ID,Result
nrf-"",OK

    The device is listed on my account, similar to yesterday.

    If this is expected, then I'm good to go and can review the attached links you provided.

    I really appreciate the help and guidance,  !

Related