enabling firmware updates over lwpan - arm techcon 2017
TRANSCRIPT
Enablingfirmware
updatesoverLPWAN
JanJongboom|DeveloperEvangelist|Arm
ArmTechCon2017
©2017ArmLimited2
©2017ArmLimited3
©2017ArmLimited4
ThecaseforLPWANsPo
wer
con
sum
ptio
n /
Band
wid
th
Range
IoTsweetspot
©2017ArmLimited5
Picktwo
High bandwidth Low power
Long range
©2017ArmLimited6
Manychoices,samecharacteristics
LoRaWANcanachievea15
kmrangeatpower
consumptionlevelslow
enoughtoenable10-year
batterylife.
[...]worksoveralong
distance(between5and
40kminopenfield)andis
ultralow-power,witha
batterylifeof10to20
years.
FirstcellularNB-IoTmodule
combineseasy,affordable,
globalconnectivitywith
over10years’batterylife
forlowdatarateIoT
applications.
[...]freeM2M/IoT
communicationusinglow
power(10yearsbatterylife)
andcost-efficienthardware
($2hardware)offeringa
rangeof5to10km.
LoRaWAN
Sigfox
NB-IoT
Weightless-P
©2017ArmLimited
LPWANPhysicscrash-course©2017ArmLimited
©2017ArmLimited8
Highlinkbudget
TX
P (dBm)
RX
DerivedfromworkbyThomasTelkamp
TXPower
Connectorloss
Antennagain
Connectorloss
Antennagain
RXPower
Pathlossandfading
14
0
-100
©2017ArmLimited8
Highlinkbudget
TX
P (dBm)
RX
DerivedfromworkbyThomasTelkamp
TXPower
Connectorloss
Antennagain
Connectorloss
Antennagain
RXPower
Pathlossandfading
14
0
-100
Receiversensitivity
©2017ArmLimited8
Highlinkbudget
RX
DerivedfromworkbyThomasTelkamp
TXPower
Connectorloss
Antennagain
Connectorloss
Antennagain
RXPower
Pathlossandfading
Receiversensitivity-137dBm
14dBm151dBmlinkbudget
©2017ArmLimited9
Linkbudget
Wi-Fi
Unlicensed LPWAN
Licensed LPWAN
TXPower RXSensitivity Linkbudget
20.5 dBm -75 dBm 95.5dBm
14 dBm -137 dBm 151dBm
23 dBm -129 dBm 152dBm
©2017ArmLimited10
Theoreticalmaximuminfreespace
2.4GHz,with95.5dBmlinkbudget:550meters
915MHz,with151dBmlinkbudget:850,000meters
©2017ArmLimited11
©2017ArmLimited12
Unfortunately...wedon'tliveinfreespace
Attenuation Reflection and diffraction Fresnel zone
©2017ArmLimited
BasedonTokyo-modelforcalculatingrealisticpathloss
Picture by Moyan Brenn: https://commons.wikimedia.org/wiki/File:Tokyo_(16043023330).jpg©2017ArmLimited
Hatamodel
Large city (250 bps)
Large city (1,760 bps)
Suburb (250 bps)
TXheight RXheight Range
0.1 m 40 m 4km
0.1 m 40 m 2.5km
0.1 m 40 m 9km
Suburb (250 bps) 1 m 100 m 13km
©2017ArmLimited©2017ArmLimited https://www.flickr.com/photos/aaronjacobs/64368770
Aggressivesleeping
©2017ArmLimited15
Transmitaslittleaspossible
Nogatewaypinning
Nokeep-alive
NB-IoT:200mW
Sigfox:25mW
https://www.flickr.com/photos/pheezy/5875298232
©2017ArmLimited16
ListenaslittleaspossibleRXconsumption:9mA
500mAh/9mA/24h=2.31days
2.31days!==10years
©2017ArmLimited17
Relayingdatabacktodevice
TX RX TX RX TX RX
LoRaWAN Class A, LTE-M Power Save Mode, Sigfox
©2017ArmLimited17
Relayingdatabacktodevice
TX RX TX RX TX RX
LoRaWAN Class A, LTE-M Power Save Mode, Sigfox
RX TXRX
LoRaWAN Class B, LTE-M EdRX
RX RX
©2017ArmLimited18
Tinypackets
NoIProutinginpackets
Securityinmessage,notintransportlayer
NoTLShandshakes(6messages,6.5Kdata)
Small13-14byteheader
Everybytecounts!
©2017ArmLimited©2017ArmLimited
Howto
©2017ArmLimited20
Naiveapproach
TX RX TX RX TX RX
Firmwarefragment
Veryinefficient!
Device 1
TX RX TX RX TX RX
Device 2
©2017ArmLimited21
Betterapproach
RX
Manyfirmwarefragments
Device 1
Device 2
RX
Device N
RX
©2017ArmLimited22
But...howdowedothis?
1. Instructdevicestouseanewsetofkeys(sameforeveryone).
2. Instructdevicestowakeupatthesametime.
3. Gatewaycantransmittoalldeviceswithonemessage.
Problem:lowQoSanduni-directional
©2017ArmLimited23
Settingupthedevice
DeviceAddress:0xCF32AB09MulticastKey:9310E28FA291...
©2017ArmLimited24
Settingupthedevice
Packetsize:204bytesPacketcount:491Padding:16bytes
©2017ArmLimited25
Startingmulticastsession
Frequency:924.525MHzDatarate:220bytes/sec
Timetostart:812secafterULevent13
ULCounter|RTC----------------15|78114|70413|62312|491...
©2017ArmLimited26
DealingwithlowQoS
CRChashoffirmware(sentwithdevice'sowncredentials)
OK!
©2017ArmLimited27
DealingwithlowQoS
CRChashoffirmware(sentwithdevice'sowncredentials)
OK!
Forwarderrorcorrection
http://www.inference.phy.cam.ac.uk/mackay/gallager/papers/ldpc.pdf
©2017ArmLimited28
Speed
220bytespersecondinrealworldscenario(2.5KMrangeincities)
180KBFirmwaresize,30KBwithdeltaupdates
Transmissioncosts3m30s@10mAcurrent
https://www.reddit.com/r/Eyebleach/comments/68r4rt/tortoise_taxi/
©2017ArmLimited29
Networkcapacityrequired
EU868DR3(SF9,125KHz)
US915DR11(SF9,500KHz)
Totaltime
3m36s
2m09s
Incrementalupdate:36KB,noroundrobin,10%packetloss
Packets Correction
336
170 25
51
Timep/p
262ms.
559ms.
500mAhbattery,15mARXcurrent=0.18%ofbatteryperupdate
©2017ArmLimited©2017ArmLimited
Security
PicturebyYuriSamoilovhttps://www.flickr.com/photos/yusamoilov/13334048894
©2017ArmLimited31
Linklayersecurityisnotenough
Firmware manifest Containsfirmwarehash
ContainsmanufactureranddeviceclassID
Signedwithprivatekey
©2017ArmLimited32
Separatetrustedandnon-trustedcode
(Notyetimplemented)
©2017ArmLimited33
Bootloadersupport
NewinMbedOS5.5
Bootloaderverifiesintegrity,
preferablyinnon-writableflash
Tamper-proofsecureelementto
protectkeys
https://os.mbed.com/blog/entry/firmware-updates-mbed-5-flashiap/
©2017ArmLimited©2017ArmLimited
Caveatshttp://www.totalprosports.com/wp-content/uploads/2013/04/first-pitch-fail-baseball-fail-gifs.gif
©2017ArmLimited©2017ArmLimited
Networkcongestion
Sendingalotofdatahasnegativeeffectonnetwork
Higherdatarateisbetter
RXsensitivityisuselesswhensomeonescreamsnexttoyou
Spreadspectrumhelpsagainstnarrowbandinterference
©2017ArmLimited36
SpectrumregulationsinEU
Unlicenseddoesnotmeanunregulated
1%dutycyclein868MHzband,exceptat869.525MHz
Downside:it'stheRX2channel
Round-robinbetweengateways
Driveovertositeanddeploytemporarygateway
©2017ArmLimited37
USisbothbetterandworse
Better
Worse
Nodutycycle
Widerchannels(500KHzvs.125KHz)
Faster
400ms.dwelltime
915MHzbandisusedforalotofotherstuff,lowerQoS
©2017ArmLimited
Applicability
fornon-LoRanetworkshttps://en.wikipedia.org/wiki/Computer_network#/media/File:Internet_map_1024.jpg
©2017ArmLimited39
Multicast
RXischeaperthanTX
ManyLPWANsusesameprincipleasLoRaWAN
Mightnotbeneededinlicensedspectrum
TX RX TX RX TX RX
©2017ArmLimited40
TheSigfoxissue
DesignedasTXonly,modulationneedsSDR
RXaddedatlaterpoint,simplemodulationscheme
Linkbudgettodeviceiswaylower(20dBm)
©2017ArmLimited41
Forwarderrorcorrection
ApplicabletoeveryLPWAN
Removesdeliveryguaranteeinlinklayer
Alsousableinnon-LPWAN,f.e.overUDP
©2017ArmLimited42
Firmwareupdateservice
Re-usableforanyprotocol
Must-haveforanyIoTdevice
ForIPdevices:MbedCloud
©2017ArmLimited
Currentstate
©2017ArmLimited44
Referenceimplementation
Multi-TechxDot(Cortex-M3,32KRAM)
LoRaWAN1.02
mbedOS5.5
NetworkserverbyTheThingsNetwork
©2017ArmLimited45
Client+bootloader
Opensource
Apache2.0
AvailableonGitHub
Verylittlesecurity!
SecurebootloaderandcryptographicallysecureupdateserviceavailableaslicensableIP
fromArm.
©2017ArmLimited46
Forwarderrorcorrection
C++libraryavailableonGitHub
Useslessthan2KofRAM,flashasstoragelayer
https://github.com/janjongboom/mbed-lorawan-frag-lib/
©2017ArmLimited©2017ArmLimited
Standardizationwork
LoRaAlliancemeetinglastweek
Twospecs:'multicast'and'datablock'specs
AimingtostandardizeinnextLoRaWANstandard
SpecificationsareavailableforLoRaAlliancemembers
©2017ArmLimited
Reference implementation:
https://github.com/ArmMbed/fota-lora-radio
©2017ArmLimited
Demo:http://bit.ly/lora-update-demo
ThankYou!
Danke!
Merci!
!
�����!Gracias!
Kiitos!감사합니다धन्यवाद
©2017ArmLimited
http://bit.ly/lora-update-demo
©2017ArmLimited
TheArmtrademarksfeaturedinthispresentationareregisteredtrademarksor
trademarksofArmLimited(oritssubsidiaries)intheUSand/orelsewhere.Allrights
reserved.Allothermarksfeaturedmaybetrademarksoftheirrespectiveowners.
www.arm.com/company/policies/trademarks