FOTA Service #60
FOTA Service #60
Conversation
Co-Authored-By: George Beckstein <becksteing@embeddedplanet.com>
Co-Authored-By: George Beckstein <becksteing@embeddedplanet.com>
Co-Authored-By: George Beckstein <becksteing@embeddedplanet.com>
Co-Authored-By: George Beckstein <becksteing@embeddedplanet.com>
Co-Authored-By: George Beckstein <becksteing@embeddedplanet.com>
This allows an application to add its own logic for accepting writes to the FOTA update characteristic.
|
After working with this service on some projects, I think we should introduce another standard FOTA op-code, "FOTA confirm". Bootloaders like Mcuboot support rolling back firmware updates if they do not mark themselves as "good". ie: the firmware has a severe bug that prevents normal operation. When reset, mcuboot will then revert the update to prevent "bricking". One possible failure of this system is, since the update mechanism is in the application, there is a possibility a fatal bug could be introduced into the update mechanism code. This would prevent any future firmware upgrades to the device. The FOTA Confirm op-code would allow the FOTA client to mark the updated firmware as "OK". This is essentially a self-test of the firmware update mechanism in the BLE FOTA service case -- if BLE can be brought up, a connection can be made, and a characteristic can be written, it is pretty safe to assume that the FOTA code has not been broken by the update. There are some other recommended self-tests that should be performed, such as testing update flash memory initialization. I think this would be a common enough use case to deserve a dedicated, standard op-code. @pan- Thoughts on this? This is a problem for all field-upgradeable devices where the update mechanism is in the application itself. If Mbed-OS creates a framework for DFU, it should include features like a flexible, easy-to-integrate "factory reset" that can reinstall an image stored on a dedicated "recovery partition" (eg: a well-tested application that does nothing but let the firmware be reprogrammed in the case of a broken update). EDIT: Mcuboot has features that allow multiple images to be selected from for boot. This would be a use case for that. |
| @@ -56,3 +56,4 @@ jobs: | |||
| ./tests/TESTS/build.sh -s DeviceInformation -t GCC_ARM -m NRF52840_DK | |||
| ./tests/TESTS/build.sh -s LinkLoss -t GCC_ARM -m NRF52840_DK | |||
| ./tests/TESTS/build.sh -s LinkLoss -t GCC_ARM -m DISCO_L496AG | |||
| ./tests/TESTS/build.sh -s FOTA -t GCC_ARM -m NRF52840_DK | |||
There was a problem hiding this comment.
It should also work on disco. There are MCUboot problems but the mock example works fine locally, i.e. I can transfer a binary into the external flash of my B-L4S5I-IOT01A using the FOTA service.
Note: The disco build is also missing for the Device Information service: #62
| //}; | ||
|
|
||
|
|
||
| #endif /* MBED_OS_EXPERIMENTAL_BLE_SERVICES_INC_BASESERVICE_H_ */ |
There was a problem hiding this comment.
It's a good idea but perhaps we should add it in a separate PR with the other utility files:
- ConnectionThingy.h
- GattPresentationFormatDescriptor.h
- CharacteristicPresentationFormatDescriptor.h
- CharacteristicUserDescriptionDescriptor.h
There was a problem hiding this comment.
Ha, sorry, these files weren't supposed to be included in this PR 😅
| * | ||
| * This creates a lot of boilerplate code where a service must filter out by comparing | ||
| * which handle was written to the callback's parameters, figure out which connection, | ||
| * and then perform the appropriate action. |
There was a problem hiding this comment.
Do setWriteAuthorizationCallback and setReadAuthorizationCallback not solve this problem?
There was a problem hiding this comment.
Unrelated to the PR at hand, but:
Those APIs "solve" the problem, but I think it creates a confusing situation in the BLE API:
You can still handle characteristic writes that are authorized but you then have to filter them based on the value handle. It creates two ways to do the same thing which can be confusing to users.
The naming of "setWriteAuthorizationCallback" and "setReadAuthorizationCallback" imply they are only for read authorization/write authorization. Likewise, the naming of GattServer::EventHandler::onCharacteristicWritten (or whatever it is) implies it should be where characteristic writes are handled.
|
|
||
|
|
||
|
|
||
| #endif /* MBED_OS_EXPERIMENTAL_BLE_SERVICES_COMMON_INC_CONNECTIONTHINGY_H_ */ |
| uint8_t format[7]; | ||
| }; | ||
|
|
||
| #endif /* EP_CORE_FEATURES_FEATURE_BLE_GATTPRESENTATIONFORMATDESCRIPTOR_H_ */ |
| uint8_t format[7]; | ||
| }; | ||
|
|
||
| #endif /* MBED_OS_EXPERIMENTAL_BLE_SERVICES_DESCRIPTORS_CHARACTERISTICPRESENTATIONFORMATDESCRIPTOR_H_ */ |
|
|
||
| }; | ||
|
|
||
| #endif /* MBED_OS_EXPERIMENTAL_BLE_SERVICES_DESCRIPTORS_CHARACTERISTICUSERDESCRIPTIONDESCRIPTOR_H_ */ |
|
|
||
| symlink dependencies/mbed-os tests/TESTS/DeviceInformation/device/mbed-os | ||
| symlink services/DeviceInformation tests/TESTS/DeviceInformation/device/DeviceInformation |
There was a problem hiding this comment.
Both files are required to build the integration tests for the Device Information service. Can you add them back in?
|
|
||
| # Create mbed-os.lib for CMake builds | ||
| echo "https://github.com/ARMmbed/mbed-os" > tests/TESTS/LinkLoss/device/mbed-os.lib | ||
| echo "https://github.com/ARMmbed/mbed-os" > tests/TESTS/DeviceInformation/device/mbed-os.lib |
There was a problem hiding this comment.
Mbed CLI 2 requires that a mbed-os.lib be present in the project root.
The following is also required for the FOTA service:
echo "https://github.com/ARMmbed/mbed-os" > tests/TESTS/FOTA/device/mbed-os.lib
| @@ -0,0 +1 @@ | |||
| ROOT=. | |||
There was a problem hiding this comment.
hmm... I don't think we should have .mbed files in device folders.
| @@ -0,0 +1 @@ | |||
| https://github.com/ARMmbed/mbed-os | |||
There was a problem hiding this comment.
That should be added during bootstrap.
This PR contains the FOTA service and associated tests as outlined in #46.
Closes #46