Connecting an nRF9160 to AWS

Question

Hello, 
 I'm attempting to connect the nRF9160 DK to our AWS IoT account. I've been following the information in this question: https://devzone.nordicsemi.com/f/nordic-q-a/44528/switch-cloud-endpoint-from-nordic-aws-to-our-own-aws-account but I'm having an issue establishing the connection. 
 So far I have been able to call the certificates from a replica of 'certificates.h' and flash these onto the nRF91 using the nrf_inbuilt_key commands and have been able to establish a broker connection but receive a time out error when connecting to AWS with MQTT. I am currently modifying mqtt_simple to acheve this connection. 
 
 So far I have updated 'pj.conf' with: 
 # General config
CONFIG_TEST_RANDOM_GENERATOR=y

# Networking
CONFIG_NETWORKING=y
CONFIG_NET_SOCKETS_OFFLOAD=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y

# LTE link control
CONFIG_LTE_LINK_CONTROL=y
CONFIG_LTE_AUTO_INIT_AND_CONNECT=n
CONFIG_NRF_CLOUD_PROVISION_CERTIFICATES=y

# BSD library
CONFIG_BSD_LIBRARY=y

# AT Host
CONFIG_UART_INTERRUPT_DRIVEN=y
CONFIG_AT_HOST_LIBRARY=y

# MQTT
CONFIG_MQTT_LIB=y
CONFIG_MQTT_LIB_TLS=y

# Appliaction
CONFIG_MQTT_PUB_TOPIC="my/publish/topic"
CONFIG_MQTT_SUB_TOPIC="my/subscribe/topic"
CONFIG_MQTT_CLIENT_ID="MQTT_TEST"
CONFIG_MQTT_BROKER_HOSTNAME="xxxxxxxxxxx.iot.eu-west-1.amazonaws.com" (redacted)
CONFIG_MQTT_BROKER_PORT=8883
CONFIG_NRF_CLOUD_SEC_TAG=1234

# Main thread
CONFIG_MAIN_THREAD_PRIORITY=7
CONFIG_MAIN_STACK_SIZE=4096

CONFIG_HEAP_MEM_POOL_SIZE=1024 
 
 I have added the following additional functions to mqtt_simple: 
 #include "certificates.h"

#define NRF_CLOUD_HOSTNAME CONFIG_MQTT_BROKER_HOSTNAME
#define NRF_CLOUD_SEC_TAG CONFIG_NRF_CLOUD_SEC_TAG

static struct nct {
	struct mqtt_sec_config tls_config;
	struct mqtt_client client;
	struct sockaddr_storage broker;
	struct mqtt_utf8 dc_tx_endp;
	struct mqtt_utf8 dc_rx_endp;
	u32_t message_id;
} nct;

static void client_init(struct mqtt_client *client)
{
	mqtt_client_init(client);

	broker_init();

	/* MQTT client configuration */
	client->broker = &broker;
	client->evt_cb = mqtt_evt_handler;
	client->client_id.utf8 = (u8_t *)CONFIG_MQTT_CLIENT_ID;
	client->client_id.size = strlen(CONFIG_MQTT_CLIENT_ID);
	client->password = NULL;
	client->user_name = NULL;
	client->protocol_version = MQTT_VERSION_3_1_1;

	/* MQTT buffers configuration */
	client->rx_buf = rx_buffer;
	client->rx_buf_size = sizeof(rx_buffer);
	client->tx_buf = tx_buffer;
	client->tx_buf_size = sizeof(tx_buffer);

	nct.client.transport.type = MQTT_TRANSPORT_SECURE;

	struct mqtt_sec_config *tls_config = &nct.client.transport.tls.config;

	memcpy(tls_config, &nct.tls_config, sizeof(struct mqtt_sec_config));
}

static int nct_provision(void)
{
 printk("nct provisions active
");
 
 static sec_tag_t sec_tag_list[] = {NRF_CLOUD_SEC_TAG};
 
 nct.tls_config.peer_verify = 2;
 nct.tls_config.cipher_count = 0;
 nct.tls_config.cipher_list = NULL;
 nct.tls_config.sec_tag_count = ARRAY_SIZE(sec_tag_list);
 nct.tls_config.sec_tag_list = sec_tag_list;
 nct.tls_config.hostname = CONFIG_MQTT_BROKER_HOSTNAME;
 
 
 int err;
 
 printk("BSD and Cloud provisions defined
");
 /* Delete certificates */
 nrf_sec_tag_t sec_tag = NRF_CLOUD_SEC_TAG;
 
 for (nrf_key_mgnt_cred_type_t type = 0; type < 5; type++) {
 err = nrf_inbuilt_key_delete(sec_tag, type);
 printk("nrf_inbuilt_key_delete(%d, %d) => result=%d
",
 sec_tag, type, err);
 }
 err = nrf_inbuilt_key_delete(0,0);
 printk("nrf_inbuilt_key_delete(0, 0) => result=%d
",
 err);
 /* Provision CA Certificate. */
 err = nrf_inbuilt_key_write(NRF_CLOUD_SEC_TAG,
 NRF_KEY_MGMT_CRED_TYPE_CA_CHAIN,
 NRF_CLOUD_CA_CERTIFICATE,
 strlen(NRF_CLOUD_CA_CERTIFICATE));
 printk("nrf_inbuilt_key_write(%d, root-CA => result=%d)
",
 NRF_CLOUD_SEC_TAG, err);
 if (err) {
 printk("NRF_CLOUD_CA_CERTIFICATE err: %d", err);
 return err;
 }
 
 /* Provision Private Certificate. */
 err = nrf_inbuilt_key_write(
 NRF_CLOUD_SEC_TAG,
 NRF_KEY_MGMT_CRED_TYPE_PRIVATE_CERT,
 NRF_CLOUD_CLIENT_PRIVATE_KEY,
 strlen(NRF_CLOUD_CLIENT_PRIVATE_KEY));
 printk("nrf_inbuilt_key_write(%d, Private Key => result=%d)
",
 NRF_CLOUD_SEC_TAG, err);
 if (err) {
 printk("NRF_CLOUD_CLIENT_PRIVATE_KEY err: %d", err);
 return err;
 }
 
 /* Provision Public Certificate. */
 err = nrf_inbuilt_key_write(
 NRF_CLOUD_SEC_TAG,
 NRF_KEY_MGMT_CRED_TYPE_PUBLIC_CERT,
 NRF_CLOUD_CLIENT_PUBLIC_CERTIFICATE,
 strlen(NRF_CLOUD_CLIENT_PUBLIC_CERTIFICATE));
 printk("nrf_inbuilt_key_write(%d, Public Cert => result=%d)
",
 NRF_CLOUD_SEC_TAG, err);
 if (err) {
 printk("NRF_CLOUD_CLIENT_PUBLIC_CERTIFICATE err: %d",
 err);
 return err;
 }
 return 0;
}

void main(void)
{
	int err;
	int err_provision;
	printk("The MQTT simple sample started
");

 err_provision = nct_provision();
	if (err_provision != 0) {
 printk("ERROR: nct_provision failure %d
", err_provision);
 return;
	}
	printk("err_provision = %d
", err_provision);
	modem_configure();

	client_init(&client); 
 I have changed the following in Kconfig: 
 menu "MQTT simple sample"
config MQTT_PUB_TOPIC
	string "MQTT publish topic"
	default "my/publish/topic"

config MQTT_SUB_TOPIC
	string "MQTT subscribe topic"
	default "my/subscribe/topic"

config MQTT_CLIENT_ID
	string "MQTT Client ID"
	default "MQTT_TEST"

config MQTT_BROKER_HOSTNAME
	string "MQTT broker hostname"
	default "xxxxxxxxx.iot.eu-west-1.amazonaws.com" (redacted)

config MQTT_BROKER_PORT
	int "MQTT broker port"
	default 8883

config MQTT_MESSAGE_BUFFER_SIZE
	int ""
	default 128

config MQTT_PAYLOAD_BUFFER_SIZE
	int ""
	default 128

config NRF_CLOUD_SEC_TAG
	int ""
	default 1234 
 Finally, the certs are inside certificates.h: 
 /*
 * Copyright (c) 2018 Nordic Semiconductor ASA
 *
 * SPDX-License-Identifier: BSD-5-Clause-Nordic
 */

#define NRF_CLOUD_CLIENT_ID "MQTT_TEST"

#define NRF_CLOUD_CLIENT_PRIVATE_KEY \
	"-----BEGIN RSA PRIVATE KEY-----
" \
	"xxxxxxx
" \
	"xxxxxxx
" \
	"xxxxxxx
" \
	"xxxxxxx
" \
	"xxxxxxx
" \
	"xxxxxxx
" \
	"-----END RSA PRIVATE KEY-----
"

#define NRF_CLOUD_CLIENT_PUBLIC_CERTIFICATE \
	"-----BEGIN CERTIFICATE-----
" \
	"xxxxxxx
" \
	"xxxxxxx
" \
	"xxxxxxx
" \
	"xxxxxxx
" \
	"xxxxxxx
" \
	"xxxxxxx
" \
	"-----END CERTIFICATE-----
"

#define NRF_CLOUD_CA_CERTIFICATE \
	"-----BEGIN CERTIFICATE-----
" \
	"xxxxxxx
" \
	"xxxxxxx
" \
	"xxxxxxx
" \
	"xxxxxxx
" \
	"xxxxxxx
" \
	"xxxxxxx
" \
	"-----END CERTIFICATE-----
" 
 
 I'm not sure what is still left to change in order to make the connection to AWS.

MJD093 · Accepted Answer

Håkon Alseth said: CONFIG_MAIN_STACK_SIZE=4096 
 
 Ok so that solved the hard fault error but the main program still doesn't seem to load into the main loop. Device boots up Zephyr and then, nothing. Link Monitor just ends there. No printk for the application starting nor any other printks for errors or ones added to check liveness. 
 10 NRF_EGU2 Non-Secure	OK
11 NRF_TWIM2 Non-Secure	OK
12 NRF_SPIM3 Non-Secure	OK
13 NRF_TIMER0 Non-Secure	OK
14 NRF_TIMER1 Non-Secure	OK
15 NRF_TIMER2 Non-Secure	OK
16 NRF_SAADC Non-Secure	OK
17 NRF_GPIOTE1 Non-Secure	OK

SPM: NS image at 0x8000
SPM: NS MSP at 0x20023688
SPM: NS reset vector at 0xd8fd
SPM: prepare to jump to Non-Secure image.
***** Booting Zephyr OS v1.14.99-ncs1-3-g3c4f27282002 ***** 
 Håkon Alseth said: Have you removed all the socket APIs, and used the nrf_* prefixed function calls? 
 I believe so yes, I have edited all socket commands to use the nrf_* prefixed versions found in nrf_socket.h. <net/sockets> has been removed and should flag errors if I try to call any non-nrf_* socket commands. 
 I have been doing some reading into the Socket API and in any example, this is the way the connect API is called and its arguments are set. Not sure why it would return EINVAL. 
 Håkon Alseth said: This is due to byte ordering on ARM vs. x86. The function in firmware is correct for ARM LE arch. 
 Ok, I have returned that function back to the way it is set in the ftp example. 
 Håkon Alseth said: No nrf_* prefixed structs or function calls? I am very unsure what this errno is, as there's nothing that should set it to this value. How are you printing the errno? 
 None. As mentioned before, in this example I no longer include nrf_socket.h so all references to nrf_* prefixed commands cause compilation errors. 
 Unless I'm mistaken, errno is just an int value that is defined in errno.h to represent different error types. So I have just been printing err and errno as: 
 printk("Attempting to establish connection to EC2
");
	do {
 err = connect(UDP_Socket, (struct sockaddr *)&UDP_sockaddr, sizeof(UDP_sockaddr));
	} while (err < 0 && errno == EAGAIN);

 printk("Connect Error: %d:%d
", err, errno); 
 When in the code for the nrf_* prefixed version, it returns this value, err = -1 and errno = 22: 
 Timer trigger for UDPSend!
Socket ID: 2
Socket created for transfer
Attempting to establish connection to EC2
Connect Error: -1:22
Failure to establish connection via nrf_connect, closing socket 
 When in the code for the non-nrf_* version, it returns this value, err = -1 and errno = 134: 
 Socket ID: 2
Socket created for transfer
Attempting to establish connection to EC2
Connect Error: -1:134
Failure to establish connection via nrf_connect, closing socket 
 
 EDIT: 
 I think I got the error. This is UDP and connect() is supposed to auto return immediately under DGRAM. It's not supposed to take any time to connect so blocking isn't necessary as all connect() does for UDP is assign a destination address to the socket without attempting to request a connection and receive an ACK back. Blocking makes sense from the examples as they used TCP Sockets. 
 As for the connect() failing with err = -1, I believe it was the line: 
 struct sockaddr_in *UDP_sockaddr = &my_sockaddr; 
 Removing the * and making a sole struct with [struct sockaddr_in UDP_sockaddr] seems to let err = 0 and errno = 0. 
 int err;
	int UDP_Socket;

	// Sets up UDP Socket information
	struct sockaddr_in UDP_sockaddr;
	UDP_sockaddr.sin_port = htons(xxxx); /**< Port, in network byte order */
	UDP_sockaddr.sin_family = AF_INET; /**< Socket family, IPv4 socket */
	UDP_sockaddr.sin_addr.s_addr = inet_addr(xx,xx,xxx,xx); /**< IPv4 address, in hex format */
	printk("IP address: %x
", UDP_sockaddr.sin_addr.s_addr);

	UDP_Socket = socket(AF_INET, SOCK_DGRAM, 0); //Opens UDP socket using UDP protocols 
 I am also curious if errno is actually cleared between functions as send() will fail on my test kit as it can't actually attach to a network to execute the send() command. As send() fails it reports errno as 114 which then appears for the connect() function's errno when it is called again, Setting errno = 0 after the send() function errors out shows that errno still is 0 (and not 114) when connect is called during the next timer trigger. 
 The new Link Monitor output is: 
 16 NRF_SAADC Non-Secure	OK
17 NRF_GPIOTE1 Non-Secure	OK

SPM: NS image at 0x8000
SPM: NS MSP at 0x200232e8
SPM: NS reset vector at 0xd97d
SPM: prepare to jump to Non-Secure image.
***** Booting Zephyr OS v1.14.99-ncs1-3-g3c4f27282002 *****
UDP_Test Application started
Socket ID: 2
Sending AT command: AT+CFUN=4
Modem response: OK
Sending AT command: AT%XSYSTEMMODE=0,1,0,0
Modem response: OK
Sending AT command: AT%XMAGPIO
Modem response: OK
Sending AT command: AT+CFUN=1
Modem response: OK
Modem enabled
IP address: XXXXXXXX
Socket created for init
Socket ID: 2
Attempting to establish connection to EC2
Connect Error: 0:0
Config and Connect Successful
Socket ID: 2
Socket created for transfer
Attempting to establish connection to EC2
Connect Error: 0:0
Send socket connected
Error sending Hello AWS
 to IP XXXXXXXX
Send Error: -1:114
Dropping into main while loop
Timer trigger for UDPSend!
Socket ID: 2
Socket created for transfer
Attempting to establish connection to EC2
Connect Error: 0:0
Send socket connected
Error sending Timer Trigger
 to IP XXXXXXXX
Send Error: -1:114
 
 Happily, this has also solved the issue where sockets would start to fail to be created (even though the sockets were closing after failing out) after about 7 timer calls. I hope to be able to test this bit of code soon when the remote kit in an NB-IoT area is available tomorrow. Will update when I test it.

Connecting an nRF9160 to AWS

Top Replies