Secure FW updates via BLE or USB

DX_HK 3 months ago

I am currently developing a HID device that supports BLE and USB.
I have tested the firmware update function via both BLE and USB (USB CDC ACM).
However, I am experiencing the following issues:

BLE connection
The firmware update service is available to anyone.
When using smpmgr, it seems the only way to update is by specifying the advertised name when not connected to a PC.
The firmware should only be updated from a PC with a secure connection. Are there any tools or methods that can achieve this?

USB connection
It is defined as a USB composite device. The problem is that the virtual COM port is visible to users even when the firmware update is not being used.
Is there a way to hide this?

If possible, I would like to use existing tools,

but if I have to develop something myself (or if I can get better results that way), I will do so.

Any advice would be appreciated.

0 Turbo J 3 months ago

The lib requires a COM port to work over USB. And while you could move that USB support into MCUBOOT itself, it increases the bootloader size in flash by a lot. Not really recommended on the NRF52840.

BLE needs to be in disconnected (advertising) state for bleak python BTLE lib to be able to connect. This limitation might be windows only - BTLE APIs in Windows are dog ***. The smpmgr stuff uses bleak internally.

It should establish BTLE secure connection as long as there is bonding information in windows OS available.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel