
Possible to enter DFU only when bonded?

Unless I am not understanding the code correctly (highly possible...), once the bootloader has restarted into DFU mode, no bond is required to upload new firmware. This works great if you have to physically press a button to enter DFU mode.

Not so safe when doing it buttonless, since anyone with "nRF Toolbox" could potentially upload an image. Yes, I know there are DEVICE_TYPE and DEVICE_REVISION as a safety check.

Is it possible to require being bonded to the application before allowing the restart into DFU? Maybe by changing the security setting of one of the dfu characteristics? I know the DFU bootloader changes the gap address, so the bond wouldn't be valid anymore, but that's OK if you can prevent getting into DFU without a bond in the first place.

Thanks.

  • @Chris: It's a good point that there should be a security check before we allow a master to tell the device to enter bootloader mode in the example. Recently we provided a signing solution as an experimental project in SDK 9.0. However, this only blocks an attacker from flashing non-genuine firmware; it does not block him from flashing the device with older or wrong firmware that comes from the vendor.

    But it's not too difficult to implement a security check before you allow the application to start the bootloader. As you mentioned, you can set the write permission on the DFU characteristic to require encryption, so that bonding is needed if the central wants to write 0x01 there to start DFU. If that's the case, you should also block unwanted centrals from connecting to your device by using a whitelist.

    If your application should have an open connection and allow any central to bond, then you may want to implement a proprietary password and/or public+private key authentication procedure before you allow the application to enter bootloader mode.
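The two controls in the reply above, the write permission on the DFU control point and a connection whitelist, as an added, self-contained C model that is not Nordic's code and does not call the SoftDevice API. It models the permission check the stack applies before a write reaches the application (the security-mode-1 levels that BLE_GAP_CONN_SEC_MODE_SET_OPEN / _ENC_NO_MITM / _ENC_WITH_MITM configure) and the application's handling of the 0x01 "start DFU" op code. The link_t and whitelist_t structs, make_link, and the addresses are hypothetical, constructed for the example; the ATT error code is from the Bluetooth Core spec.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ATT error codes from the Bluetooth Core spec (Vol 3, Part F, 3.4.1.1). */
#define ATT_SUCCESS                         0x00
#define ATT_ERR_INSUFFICIENT_AUTHENTICATION 0x05

/* DFU control point op code that starts DFU: the 0x01 the reply refers to. */
#define DFU_OP_START_DFU 0x01

/* Security mode 1 levels, i.e. what BLE_GAP_CONN_SEC_MODE_SET_OPEN,
 * _ENC_NO_MITM and _ENC_WITH_MITM put into a characteristic's write_perm. */
typedef enum { SEC_OPEN = 1, SEC_ENC_NO_MITM = 2, SEC_ENC_WITH_MITM = 3 } sec_level_t;

/* Hypothetical view of one connection (constructed for this model). */
typedef struct {
    uint8_t peer_addr[6];
    bool    encrypted;      /* link is encrypted with a pairing/bond key */
    bool    authenticated;  /* that key came from MITM-protected pairing */
} link_t;

/* Hypothetical whitelist of bonded peer addresses. */
#define WL_MAX 8
typedef struct { uint8_t addr[WL_MAX][6]; size_t count; } whitelist_t;

link_t make_link(const uint8_t addr[6], bool encrypted, bool authenticated)
{
    link_t l;
    memcpy(l.peer_addr, addr, 6);
    l.encrypted = encrypted;
    l.authenticated = authenticated;
    return l;
}

static sec_level_t link_sec_level(const link_t *l)
{
    if (!l->encrypted)     return SEC_OPEN;
    if (!l->authenticated) return SEC_ENC_NO_MITM;
    return SEC_ENC_WITH_MITM;
}

/* Connection-time filter: a peer whose address is not whitelisted never gets
 * a connection, so it never gets the chance to write anything at all. */
bool whitelist_allows(const whitelist_t *wl, const uint8_t addr[6])
{
    for (size_t i = 0; i < wl->count; i++)
        if (memcmp(wl->addr[i], addr, 6) == 0) return true;
    return false;
}

/* The stack's attribute permission check, then the application's control
 * point handler. write_perm is the level configured on the characteristic.
 * Returns the ATT status the central sees and reports whether the
 * application would now reset into the bootloader. */
uint8_t dfu_ctrl_pt_write(sec_level_t write_perm, const link_t *link,
                          uint8_t opcode, bool *enter_bootloader)
{
    *enter_bootloader = false;
    if (link_sec_level(link) < write_perm)
        return ATT_ERR_INSUFFICIENT_AUTHENTICATION;  /* write never reaches the app */
    if (opcode == DFU_OP_START_DFU)
        *enter_bootloader = true;
    return ATT_SUCCESS;
}

/* Would a central whose link is in the given state get the device into DFU? */
bool can_enter_dfu(sec_level_t write_perm, bool encrypted, bool authenticated)
{
    static const uint8_t any_addr[6] = {0};
    link_t l = make_link(any_addr, encrypted, authenticated);
    bool enter;
    dfu_ctrl_pt_write(write_perm, &l, DFU_OP_START_DFU, &enter);
    return enter;
}

int main(void)
{
    /* An unbonded phone running nRF Toolbox versus the bonded central. */
    printf("write_perm OPEN        : stranger enters DFU = %d, bonded = %d\n",
           can_enter_dfu(SEC_OPEN, false, false),
           can_enter_dfu(SEC_OPEN, true, false));
    printf("write_perm ENC_NO_MITM : stranger enters DFU = %d, bonded = %d\n",
           can_enter_dfu(SEC_ENC_NO_MITM, false, false),
           can_enter_dfu(SEC_ENC_NO_MITM, true, false));

    /* Whitelist holding one bonded address (constructed sample data). */
    whitelist_t wl = { .count = 1 };
    const uint8_t bonded[6]   = {0xC0, 0xFF, 0xEE, 0x00, 0x00, 0x01};
    const uint8_t stranger[6] = {0xC0, 0xFF, 0xEE, 0x00, 0x00, 0x02};
    memcpy(wl.addr[0], bonded, 6);
    printf("whitelist: bonded peer allowed = %d, stranger allowed = %d\n",
           whitelist_allows(&wl, bonded), whitelist_allows(&wl, stranger));
    return 0;
}
```

One caveat the model makes visible: ENC_NO_MITM only requires an encrypted link. If the application accepts Just Works pairing from anyone, any central can pair, encrypt and then write 0x01, so either the whitelist or an ENC_WITH_MITM permission (passkey or OOB pairing) is what actually restricts who can get there.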

  • But it works perfectly when set to OPEN, so the service changed indication must be working correctly, no?

    Making that one change to NO_MITM breaks it.

    Btw, I am using SDK8.0.0.

    I assume you are talking about:

    ble_enable_params.gatts_enable_params.service_changed = IS_SRVC_CHANGED_CHARACT_PRESENT; //=1
    

    It's in there and my bootloader is based on the ble_app_hrs example.

