enabling firmware updates over lpwan - tech symposia 2017 taiwan

EnablingfirmwareupdatesoverLPWAN

JanJongboom|DeveloperEvangelist|Arm

TechSymposia2017

©2017ArmLimited3

Wait,what...LPWAN?Po

wer

con

sum

ptio

n /

Band

wid

th

Range

IoTsweetspot

©2017ArmLimited4

Picktwo

High bandwidth Low power

Long range

©2017ArmLimited5

Manychoices...

10yearsbatterylife,10kmrange

©2017ArmLimited7

Highlinkbudget

TX

P (dBm)

RX

DerivedfromworkbyThomasTelkamp

TXPow

er

Conn

ectorloss

Antenn

again

Conn

ectorloss

Antenn

again

RXPow

er

Pathlossandfading

14

0

-100

Receiversensitivity

©2017ArmLimited7

Highlinkbudget

RX

DerivedfromworkbyThomasTelkamp

TXPow

er

Conn

ectorloss

Antenn

again

Conn

ectorloss

Antenn

again

RXPow

er

Pathlossandfading

Receiversensitivity-137dBm

14dBm151dB

mlinkbud

get

©2017ArmLimited8

Linkbudget

Wi-Fi

Unlicensed LPWAN

Licensed LPWAN

TXPower RXSensitivity Linkbudget

20.5 dBm -75 dBm 95.5dBm

14 dBm -137 dBm 151dBm

23 dBm -129 dBm 152dBm

©2017ArmLimited9

Theoreticalmaximuminfreespace

2.4GHz,with95.5dBmlinkbudget:550meters

915MHz,with151dBmlinkbudget:850,000meters

©2017ArmLimited11

Unfortunately...wedon'tliveinfreespace

Attenuation Reflection and diffraction Fresnel zone

©2017ArmLimited

BasedonTokyo-modelforcalculatingrealisticpathloss

Picture by Moyan Brenn: https://commons.wikimedia.org/wiki/File:Tokyo_(16043023330).jpg©2017ArmLimited

Hatamodel

Large city (250 bps)

Large city (1,760 bps)

Suburb (250 bps)

TXheight RXheight Range

0.1 m 40 m 4km

0.1 m 40 m 2.5km

0.1 m 40 m 9km

Suburb (250 bps) 1 m 100 m 13km

©2017ArmLimited©2017ArmLimited https://www.flickr.com/photos/aaronjacobs/64368770

Aggressivesleeping

©2017ArmLimited14

Transmitaslittleaspossible

Nogatewaypinning

Nokeep-alive

NB-IoT:200mW

Sigfox:25mW

https://www.flickr.com/photos/pheezy/5875298232

©2017ArmLimited15

ListenaslittleaspossibleRXconsumption:9mA

500mAh/9mA/24h=2.31days

2.31days!==10years

©2017ArmLimited16

Relayingdatabacktodevice

TX RX TX RX TX RX

LoRaWAN Class A, LTE-M Power Save Mode, Sigfox

RX TXRX

LoRaWAN Class B, LTE-M EdRX

RX RX

©2017ArmLimited17

Tinypackets

NoIProutinginpackets

Securityinmessage,notintransportlayer

NoTLShandshakes(6messages,6.5Kdata)

Small13-14byteheader

Everybytecounts!

©2017ArmLimited18

IoTdeploymentstarget10yearslifetimeBut 10 years is a really long time!

©2017ArmLimited©2017ArmLimited

Howto

©2017ArmLimited21

Naiveapproach

TX RX TX RX TX RX

Firmwarefragment

Veryinefficient!

Device 1

TX RX TX RX TX RX

Device 2

©2017ArmLimited22

Betterapproach

RX

Manyfirmwarefragments

Device 1

Device 2

RX

Device N

RX

©2017ArmLimited23

But...howdowedothis?

1. Instructdevicestouseanewsetofkeys(sameforeveryone).

2. Instructdevicestowakeupatthesametime.

3. Gatewaycantransmittoalldeviceswithonemessage.

Problem:lowQoSanduni-directional

©2017ArmLimited24

Settingupthedevice

DeviceAddress:0xCF32AB09MulticastKey:9310E28FA291...

©2017ArmLimited25

Settingupthedevice

Packetsize:204bytesPacketcount:491Padding:16bytes

©2017ArmLimited26

Startingmulticastsession

Frequency:924.525MHzDatarate:220bytes/sec

Timetostart:812secafterULevent13

ULCounter|RTC----------------15|78114|70413|62312|491...

©2017ArmLimited27

DealingwithlowQoS

CRChashoffirmware(sentwithdevice'sowncredentials)

OK!

©2017ArmLimited28

DealingwithlowQoS

CRChashoffirmware(sentwithdevice'sowncredentials)

OK!

Forwarderrorcorrection

http://www.inference.phy.cam.ac.uk/mackay/gallager/papers/ldpc.pdf

©2017ArmLimited29

Speed

220bytespersecondinrealworldscenario(2.5KMrangeincities)

180KBFirmwaresize,30KBwithDeltaupdates

Transmissioncosts3m30s@15mAcurrent

https://www.reddit.com/r/Eyebleach/comments/68r4rt/tortoise_taxi/


SecurityPicturebyYuriSamoilovhttps://www.flickr.com/photos/yusamoilov/13334048894

©2017ArmLimited31

Linklayersecurityisnotenough

Firmware manifest Containsfirmwarehash

ContainsmanufactureranddeviceclassID

Signedwithprivatekey

©2017ArmLimited33

Bootloadersupport

NewinMbedOS5.5

Bootloaderverifiesintegrity,preferablyinnon-writableflash

Tamper-proofsecureelementtoprotectkeys

https://os.mbed.com/blog/entry/firmware-updates-mbed-5-flashiap/


Caveatshttp://www.totalprosports.com/wp-content/uploads/2013/04/first-pitch-fail-baseball-fail-gifs.gif


Networkcongestion

Sendingalotofdatahasnegativeeffectonnetwork

Higherdatarateisbetter

RXsensitivityisuselesswhensomeonescreamsnexttoyou

Spreadspectrumhelpsagainstnarrowbandinterference

©2017ArmLimited36

SpectrumregulationsinEU

Unlicenseddoesnotmeanunregulated

1%dutycyclein868MHzband,exceptat869.525MHz

Downside:it'stheRX2channel

Round-robinbetweengateways

Driveovertositeanddeploytemporarygateway

©2017ArmLimited37

USisbothbetterandworse

Better

Worse

Nodutycycle

Widerchannels(500KHzvs.125KHz)

Faster

400ms.dwelltime

915MHzbandisusedforalotofotherstuff,lowerQoS

©2017ArmLimited39

Referenceimplementation

Multi-TechxDot(Cortex-M3,32KRAM)

LoRaWAN1.02

mbedOS5.5

NetworkserverbyTheThingsNetwork

©2017ArmLimited40

Client+bootloader

Opensource

Apache2.0

AvailableonGitHub

Verylittlesecurity!

SecurebootloaderandcryptographicallysecureupdateserviceavailableaslicensableIPfromArm.


Reference implementation:

https://github.com/ArmMbed/fota-lora-radio

Demo:http://bit.ly/lora-update-demo

©2017ArmLimited

Recap

1. LPWANsareawesome!

2. Securefirmwareupdatesarenecessity

3. FirmwareupdatesoverLPWANdeemedimpossible...Buttheyarenot!

©2017ArmLimited

TheArmtrademarksfeaturedinthispresentationareregisteredtrademarksortrademarksofArmLimited(oritssubsidiaries)intheUSand/orelsewhere.Allrightsreserved.Allothermarksfeaturedmaybetrademarksoftheirrespectiveowners.www.arm.com/company/policies/trademarks

enabling firmware updates over lpwan - tech symposia 2017 taiwan

Internet