Sven Reissmann
8 years ago
8 changed files with 110 additions and 77 deletions
-
91-introduction.tex
-
153-environment.tex
-
224-requirements.tex
-
355-1-update_mechanism.tex
-
195-2-multidevice_build_structure.tex
-
85-3-automatic-deployment.tex
-
1esper-ota.tex
-
78foo.tex
@ -1,32 +1,30 @@ |
|||
\section{Requirements} |
|||
|
|||
The following requirements are defined as global project goals and have been refined during the work on the project multiple times. |
|||
For the implementation of an OTA update mechanism, the following requirements were defined. |
|||
|
|||
\begin{itemize} |
|||
\item The systems should be able to perform updates on the release of new software without administrative interaction. |
|||
If a new version of the firmware is published, it should be prepared automatically for installation to the target devices. |
|||
All these devices should then download and install the new software version and start using it subsequently, if no errors have occurred during the process. |
|||
\item The systems should be able to perform updates on the release of new software without manual interaction. |
|||
If a new firmware version is published, it should be prepared automatically for installation on the target devices. |
|||
All these devices should then fetch and install the new software version and start using it subsequently, if no errors have occurred during the update. |
|||
|
|||
\item To ensure minimal maintenance effort, the update process should be insusceptible to errors as most as possible. |
|||
Even if the installation of an update fails in the middle of reprogramming the controller, the system should continue to work fully functional immediately and after a reboot. |
|||
\item To ensure minimal maintenance effort, the update process should be insusceptible to errors as much as possible. |
|||
Even if the installation of an update fails in the middle of reprogramming the device, the system should continue to work fully functional immediately and after reboot. |
|||
|
|||
\item Downloading the updated firmware should be done over the WiFi interface using the same network connection as used during normal operation. |
|||
\item Firmware downloads should be performed over the same WiFi connection as used during normal operation. |
|||
Fetching the firmware should be done side-by-side with operational traffic. |
|||
|
|||
\item The update process can happen over any untrusted wireless network or Internet connection without being vulnerable to attackers. |
|||
To prevent possible attackers from injecting malicious software into the embedded devices, a cryptographic signature mechanism must be implemented. |
|||
New firmware only gets accepted by the device, if the cryptographic signature of the downloaded firmware image can be verified. |
|||
|
|||
\item Reducing network load and aiming for the maximum possible device uptime is critical. |
|||
Therefore, the update process should only be done if a new version is available. |
|||
In contrast, the release of a new update should be rolled out to all devices as fast as possible. |
|||
While checking for available updates and downloading such an update, the device should continue to work as usual. |
|||
\item To reduce network load and aim for the maximum possible uptime of the device, the update process should only be done if a new firmware version is available. |
|||
In contrast, on the release of new firmware, the roll-out to all devices should be performed as fast as possible. |
|||
%While checking for available updates and downloading such an update, the device should continue to work as usual. |
|||
|
|||
\item For easy maintenance and monitoring, each device should provide detailed information about the currently installed firmware version and other details relevant for the update process. |
|||
|
|||
\item Devices are categorized by types. |
|||
Each type runs the same software and therefore provides the same functionality. |
|||
As the device type is hardly coupled to the hardware and the software interacts with it on a specific way, the update process must ensure that the correct firmware is used while reprogramming. |
|||
The according device type is provided as a string through a global constant at compile time and it must never be changed during operation. |
|||
|
|||
\end{itemize} |
@ -0,0 +1,78 @@ |
|||
\section{Concept for implementing OTA updates} |
|||
|
|||
Implementing \textit{OTA} updates under the given requirements involves three different components, which interact closely. |
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
\subsection{flash layout and concept} |
|||
Microcontroller boards based on the \textit{ESP8266} MCU are mostly following the same layout: the MCU is attached to a flash chip which contains the bootloader, firmware and other application data. |
|||
The memory mapping mechanism of the MCU allows only a single page of 1 MB of flash to be mapped at the same time \cite{ESP8266_Memory_Map} and the selected range must be aligned to 1 MB blocks. |
|||
|
|||
\begin{figure}[htbp] |
|||
\centering\includegraphics[scale=0.6]{flash_layout.pdf} |
|||
\caption{The flash layout used for two ROMs.} |
|||
\label{fig:memory_layout} |
|||
\end{figure} |
|||
|
|||
As the binary to download and flash possibly exceeds the size of free memory heap space, the received data must be written to the flash directly. |
|||
In contrasts, executing the code from the memory mapped flash while writing the same area with the downloaded update leads to errors, as the executed code changes immediately to the updated one. |
|||
To avoid this, we chose the memory layout shown in Figure~\ref{fig:memory_layout}. |
|||
The flash is split into half to contain two firmware ROMs with different versions, one being executed and one which is being downloaded. |
|||
This standby firmware also acts as a safety mechanism if the download fails or is interrupted as the previous version stays intact and can still be used. |
|||
In case of an error the old firmware is kept unchanged and will be used until the successful download of a newer firmware succeeds. |
|||
|
|||
In addition to the two firmware ROMs, the flash must provide room for the bootloader and its configuration. |
|||
|
|||
|
|||
\subsection{Common framework and Multidevice support} |
|||
The firmware for all \textit{ESP8266} based devices in the hackerspace are all based on the same framework. |
|||
\textit{Sming} provides the base library for this framework. |
|||
In addition, components and functionality shared by all devices has been identified and are providing a framework for the existing and possible further devices. |
|||
This framework provides a functional base for all devices and allows to reuse code providing functionality which is common in multiple devices. |
|||
The framework also includes a build system, which allows to configure some basic parameters for all devices. |
|||
Including, but not limited to, the Wi-Fi access parameters, the \textit{MQTT} connection settings and the updater URLs. |
|||
By sharing the same code, all devices ensure to have a common behavior when it comes to reporting the device status or interacting with the home-automation controller. |
|||
This eases configuration and allows to collect information about all devices at a central location. |
|||
|
|||
Each device firmware exists as a separate project and includes a link to the framework. |
|||
As development on these devices happens in cycles, older projects are missing updates of the framework and therefor do not benefit from newly added features or fixed problems. |
|||
Updating the framework version and rebuilding the firmware would often result in an easy gain of these benefits, but requires manual interaction. |
|||
More problems will arise if the application programming interface (API) of the framework changes. |
|||
In this situation, the device firmware must be updated to use the changed API, which can be an unpleasant and complex task and leads to higher latency for firmware updates. |
|||
|
|||
To prevent these problems the device firmware of all devices in the hackerspace is now integrated with the framework into a larger project. |
|||
By doing so, each device specific code is always linked to the latest version of the framework. |
|||
Device specific code is now organized as a folder for each device type. |
|||
The build system has been modified to scan for all device specific folders and call the original build process for each of them. |
|||
|
|||
To build the software, a \textit{Makefile} \cite{make} is used, which provides a simple way for reproducible builds. |
|||
|
|||
The according device type is provided as a string through a global constant at compile time and it must never be changed during operation. |
|||
|
|||
|
|||
\subsection{Automatic deployment process} |
|||
The source code of the \textit{ESPer} project is published into a \textit{GIT} source code repository which is provided by the hackerspace. |
|||
To avoid interferences between different build environments on developers computers and roll out new versions as early as possible, the code has been integrated into a continuous integration (CI) system. |
|||
The CI, which is based on \textit{drone}\cite{drone} and provided as part of the hackerspace infrastructure, allows to execute commands on each version published into the \textit{GIT} repository. |
|||
Therefore a \textit{drone} configuration file as shown in Listing~\ref{lst:drone} has been added to the source code as \texttt{.drone.yml}. |
|||
|
|||
|
|||
The base topology used is shown in Figure \ref{fig:topology}. |
|||
\begin{figure}[htbp] |
|||
\centering\fbox{\includegraphics[width=.98\linewidth]{topology.pdf}} |
|||
\caption{The base network topology.} |
|||
\label{fig:topology} |
|||
\end{figure} |
|||
|
|||
|
|||
|
|||
\subsection{Publish device information} |
|||
For monitoring and maintenance purposes, each device publishes a set of information to a well-known \textit{MQTT} topic after connecting to the network. |
|||
Beside already existing dates like device type, chip and flash ID, the information block has been extended with details about the bootloader, SDK and firmware version as well as relevant details from the bootloader configuration, like the currently booted ROM slot and the default ROM slot to boot from. |
|||
This allows administrators to find devices with outdated bootloaders and helps to find missing and failed updates. |
|||
|
|||
|
Write
Preview
Loading…
Cancel
Save
Reference in new issue