How to recover lost mesh keys/configuration?

Dear Mesh Experts,  
 
what's the recommended approach to recover lost mesh keys?  
 
Imagine, for example, an industrial mesh installation with hundreds of nodes, all provisioned and operated by a single smartphone. Now, what if the smartphone gets lost without a backup of the mesh configuration/keys? How can we recover without resetting and re-provisioning the whole mesh? What's the recommended approach?
 
My current idea is to implement it as follows:

  1. Push a button on one of the nodes to temporarily enable a key/mesh-recovery GATT service/characteristic.
  2. Connect with a new smartphone to the GATT service/characteristic to recover the keys/mesh configuration.

In theory quite simple. And because the user needs physical access to the mesh, it's also sufficiently secure for our use case.
Questions are:

  • Is there a better way to do it?
  • How would you approach this requirement?

Your advice is very much appreciated,  
Thank you.

  • It is indeed possible to get the NetKey, AppKey, Unicast address, Device Key from the provisioned device, if the keys are not placed in a secure enclave. It would be a laborious process as you will have to do this node by node and do the "magic" action that will put the node in this recovery mode.
    This will allow you to build the JSON file after you have queried all the nodes for their configurations; you will have to be careful not to miss nodes, as that can be catastrophic for address management.
    This is very atypical, so you will need to check if the queries for all the configuration settings are all present and can be read back to build the complete JSON. This is not recommended but indeed doable.

    It may be simpler to email the provisioning information for every installation from the smartphone, as shown in the nRF Mesh app and maybe even create a printed version of the JSON file as a backup.

  • Hello David, hello Hung Bui,

    Thank you very much for the detailed explanations.

    My original idea was to create a JSON export of the complete mesh configuration and store it in flash on the device. This was meant as a worst case emergency backup. However, with only 40k of flash left, it's already foreseeable that we're running out of storage space... So for now email export will be the only option.

    Btw. email export: Imagine the exported configuration is imported into various other devices: How do you avoid that multiple devices assign the same address? And how can you recover if it would happen?

    Again, thanks for your help,
    And all the best for 2021,
    Michael.

  • Hi Michael, 

    AFAIK the Bluetooth Mesh spec doesn't describe how multiple provisioners can communicate and co-operate; it's "implementation specific".

    Here are some quotes I found from the spec that relate to your question:

    A Provisioner is typically a smart phone or other mobile computing device. Although only a single Provisioner is required on a network to do provisioning, multiple Provisioners may be used. The method to share cached data and coordinate across multiple Provisioners is implementation specific.

    The Provisioner’s device key is only used when one Provisioner is communicating directly with another Provisioner and this device key has been communicated OOB. Device keys of Provisioners should be coordinated across multiple Provisioners.

    You would need to define different address domains for different provisioners, so that they won't provision the same address to multiple devices. 

  • Hi Michael,

    Wishes to you for a super productive 2021 as well. The exported JSON contains the snapshot of the network, so it contains the unused addresses.
    Your follow-up question asks: after exporting the JSON to multiple devices, if those provisioner devices are used for provisioning new devices on the network, how do we ensure that the address ranges are managed?

    This would mean that you want a versioned solution for the JSON over the email JSON file and also split the address ranges over different provisioner devices.

    You can store the JSON file on Microsoft OneDrive, Dropbox or an equivalent cloud file storage as the master copy, and the phones that are provisioning are only slaves, i.e. they provision using the address range allocated to them. The phones should place their updated JSON on the file storage for remerging to form the new master copy. The phones can also be expected to save the JSON for every node commissioned or configured so a journal trail is created.

    This would mean a PC app or webapp running over the JSON master and providing the JSON with the split address ranges to the phones and also remerging to create a new master.

    You can also implement such a solution over email instead of a file store.

    Hope this helps. Please vote up my answer if it is helpful.

    Thanks
    David
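
The master-copy scheme described in the two answers above (disjoint address ranges per provisioner, then a merge that catches duplicates), sketched as an added example that is not part of the thread or of any Nordic tool. The field names `nodes`, `UUID`, `unicastAddress` and `elements` are assumptions about the exported JSON, and the phone names and sample nodes are constructed.

```python
# Added example (not from the thread); JSON field names are assumptions about the export.
UNICAST_MIN, UNICAST_MAX = 0x0001, 0x7FFF  # Bluetooth Mesh unicast address space

def node_span(node):
    """Addresses a node occupies: one per element, starting at unicastAddress."""
    start = int(node["unicastAddress"], 16)
    return range(start, start + max(1, len(node.get("elements", []))))

def split_ranges(master, provisioners, block_size):
    """Hand each provisioner a disjoint block above the highest used address."""
    used = [a for n in master["nodes"] for a in node_span(n)]
    cursor = max(used, default=UNICAST_MIN - 1) + 1
    ranges = {}
    for name in provisioners:
        high = cursor + block_size - 1
        if high > UNICAST_MAX:
            raise ValueError("unicast address space exhausted")
        ranges[name] = (cursor, high)
        cursor = high + 1
    return ranges

def merge(master, exports, ranges):
    """Fold phone exports into the master; return (nodes, rejected entries)."""
    owner = {a: n["UUID"] for n in master["nodes"] for a in node_span(n)}
    nodes, rejected = list(master["nodes"]), []
    for name, export in exports.items():
        low, high = ranges[name]
        for node in export["nodes"]:
            span = node_span(node)
            if node["UUID"] in owner.values():
                continue  # already known from the snapshot the phone started with
            if span[0] < low or span[-1] > high:
                rejected.append((name, node["UUID"], "outside allocated range"))
            elif any(a in owner for a in span):
                rejected.append((name, node["UUID"], "address already in use"))
            else:
                owner.update((a, node["UUID"]) for a in span)
                nodes.append(node)
    return nodes, rejected

def _node(uuid, addr, elements=1):  # builds constructed sample nodes
    return {"UUID": uuid, "unicastAddress": f"{addr:04X}", "elements": [{}] * elements}
MASTER = {"nodes": [_node("n1", 0x0001, 2), _node("n2", 0x0003)]}
RANGES = split_ranges(MASTER, ["phone-a", "phone-b"], 16)
EXPORTS = {
    "phone-a": {"nodes": MASTER["nodes"] + [_node("n3", 0x0004, 2)]},
    "phone-b": {"nodes": [_node("n4", 0x0005), _node("n5", 0x0014), _node("n6", 0x0014)]},
}
NODES, REJECTED = merge(MASTER, EXPORTS, RANGES)
```

Rejected entries are the nodes that would have to be reset and re-provisioned from the correct range before the new master copy is handed back to the phones.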
