Post on 28-Jan-2018
EnablingfirmwareupdatesoverLPWAN
JanJongboom|DeveloperEvangelist|Arm
TechSymposia2017
©2017ArmLimited2
©2017ArmLimited3
Wait,what...LPWAN?Po
wer
con
sum
ptio
n /
Band
wid
th
Range
IoTsweetspot
©2017ArmLimited4
Picktwo
High bandwidth Low power
Long range
©2017ArmLimited5
Manychoices...
10yearsbatterylife,10kmrange
©2017ArmLimited
LPWANPhysicscrash-course©2017ArmLimited
©2017ArmLimited7
Highlinkbudget
TX
P (dBm)
RX
DerivedfromworkbyThomasTelkamp
TXPow
er
Conn
ectorloss
Antenn
again
Conn
ectorloss
Antenn
again
RXPow
er
Pathlossandfading
14
0
-100
Receiversensitivity
©2017ArmLimited7
Highlinkbudget
RX
DerivedfromworkbyThomasTelkamp
TXPow
er
Conn
ectorloss
Antenn
again
Conn
ectorloss
Antenn
again
RXPow
er
Pathlossandfading
Receiversensitivity-137dBm
14dBm151dB
mlinkbud
get
©2017ArmLimited8
Linkbudget
Wi-Fi
Unlicensed LPWAN
Licensed LPWAN
TXPower RXSensitivity Linkbudget
20.5 dBm -75 dBm 95.5dBm
14 dBm -137 dBm 151dBm
23 dBm -129 dBm 152dBm
©2017ArmLimited9
Theoreticalmaximuminfreespace
2.4GHz,with95.5dBmlinkbudget:550meters
915MHz,with151dBmlinkbudget:850,000meters
©2017ArmLimited10
©2017ArmLimited11
Unfortunately...wedon'tliveinfreespace
Attenuation Reflection and diffraction Fresnel zone
©2017ArmLimited
BasedonTokyo-modelforcalculatingrealisticpathloss
Picture by Moyan Brenn: https://commons.wikimedia.org/wiki/File:Tokyo_(16043023330).jpg©2017ArmLimited
Hatamodel
Large city (250 bps)
Large city (1,760 bps)
Suburb (250 bps)
TXheight RXheight Range
0.1 m 40 m 4km
0.1 m 40 m 2.5km
0.1 m 40 m 9km
Suburb (250 bps) 1 m 100 m 13km
©2017ArmLimited©2017ArmLimited https://www.flickr.com/photos/aaronjacobs/64368770
Aggressivesleeping
©2017ArmLimited14
Transmitaslittleaspossible
Nogatewaypinning
Nokeep-alive
NB-IoT:200mW
Sigfox:25mW
https://www.flickr.com/photos/pheezy/5875298232
©2017ArmLimited15
ListenaslittleaspossibleRXconsumption:9mA
500mAh/9mA/24h=2.31days
2.31days!==10years
©2017ArmLimited16
Relayingdatabacktodevice
TX RX TX RX TX RX
LoRaWAN Class A, LTE-M Power Save Mode, Sigfox
RX TXRX
LoRaWAN Class B, LTE-M EdRX
RX RX
©2017ArmLimited17
Tinypackets
NoIProutinginpackets
Securityinmessage,notintransportlayer
NoTLShandshakes(6messages,6.5Kdata)
Small13-14byteheader
Everybytecounts!
©2017ArmLimited18
IoTdeploymentstarget10yearslifetimeBut 10 years is a really long time!
©2017ArmLimited19 ©2017ArmLimited
©2017ArmLimited©2017ArmLimited
Howto
©2017ArmLimited21
Naiveapproach
TX RX TX RX TX RX
Firmwarefragment
Veryinefficient!
Device 1
TX RX TX RX TX RX
Device 2
©2017ArmLimited22
Betterapproach
RX
Manyfirmwarefragments
Device 1
Device 2
RX
Device N
RX
©2017ArmLimited23
But...howdowedothis?
1. Instructdevicestouseanewsetofkeys(sameforeveryone).
2. Instructdevicestowakeupatthesametime.
3. Gatewaycantransmittoalldeviceswithonemessage.
Problem:lowQoSanduni-directional
©2017ArmLimited24
Settingupthedevice
DeviceAddress:0xCF32AB09MulticastKey:9310E28FA291...
©2017ArmLimited25
Settingupthedevice
Packetsize:204bytesPacketcount:491Padding:16bytes
©2017ArmLimited26
Startingmulticastsession
Frequency:924.525MHzDatarate:220bytes/sec
Timetostart:812secafterULevent13
ULCounter|RTC----------------15|78114|70413|62312|491...
©2017ArmLimited27
DealingwithlowQoS
CRChashoffirmware(sentwithdevice'sowncredentials)
OK!
©2017ArmLimited28
DealingwithlowQoS
CRChashoffirmware(sentwithdevice'sowncredentials)
OK!
Forwarderrorcorrection
http://www.inference.phy.cam.ac.uk/mackay/gallager/papers/ldpc.pdf
©2017ArmLimited29
Speed
220bytespersecondinrealworldscenario(2.5KMrangeincities)
180KBFirmwaresize,30KBwithDeltaupdates
Transmissioncosts3m30s@15mAcurrent
https://www.reddit.com/r/Eyebleach/comments/68r4rt/tortoise_taxi/
©2017ArmLimited©2017ArmLimited
SecurityPicturebyYuriSamoilovhttps://www.flickr.com/photos/yusamoilov/13334048894
©2017ArmLimited31
Linklayersecurityisnotenough
Firmware manifest Containsfirmwarehash
ContainsmanufactureranddeviceclassID
Signedwithprivatekey
©2017ArmLimited32
Separatetrustedandnon-trustedcode
(Notyetimplemented)
©2017ArmLimited33
Bootloadersupport
NewinMbedOS5.5
Bootloaderverifiesintegrity,preferablyinnon-writableflash
Tamper-proofsecureelementtoprotectkeys
https://os.mbed.com/blog/entry/firmware-updates-mbed-5-flashiap/
©2017ArmLimited©2017ArmLimited
Caveatshttp://www.totalprosports.com/wp-content/uploads/2013/04/first-pitch-fail-baseball-fail-gifs.gif
©2017ArmLimited©2017ArmLimited
Networkcongestion
Sendingalotofdatahasnegativeeffectonnetwork
Higherdatarateisbetter
RXsensitivityisuselesswhensomeonescreamsnexttoyou
Spreadspectrumhelpsagainstnarrowbandinterference
©2017ArmLimited36
SpectrumregulationsinEU
Unlicenseddoesnotmeanunregulated
1%dutycyclein868MHzband,exceptat869.525MHz
Downside:it'stheRX2channel
Round-robinbetweengateways
Driveovertositeanddeploytemporarygateway
©2017ArmLimited37
USisbothbetterandworse
Better
Worse
Nodutycycle
Widerchannels(500KHzvs.125KHz)
Faster
400ms.dwelltime
915MHzbandisusedforalotofotherstuff,lowerQoS
©2017ArmLimited
Currentstate
©2017ArmLimited39
Referenceimplementation
Multi-TechxDot(Cortex-M3,32KRAM)
LoRaWAN1.02
mbedOS5.5
NetworkserverbyTheThingsNetwork
©2017ArmLimited40
Client+bootloader
Opensource
Apache2.0
AvailableonGitHub
Verylittlesecurity!
SecurebootloaderandcryptographicallysecureupdateserviceavailableaslicensableIPfromArm.
©2017ArmLimited©2017ArmLimited
Reference implementation:
https://github.com/ArmMbed/fota-lora-radio
Demo:http://bit.ly/lora-update-demo
©2017ArmLimited
Recap
1. LPWANsareawesome!
2. Securefirmwareupdatesarenecessity
3. FirmwareupdatesoverLPWANdeemedimpossible...Buttheyarenot!
ThankYou!Danke!Merci!
!�����!Gracias!Kiitos!감사합니다धन्यवाद
©2017ArmLimited
http://bit.ly/lora-update-demojan.jongboom@arm.com
©2017ArmLimited
TheArmtrademarksfeaturedinthispresentationareregisteredtrademarksortrademarksofArmLimited(oritssubsidiaries)intheUSand/orelsewhere.Allrightsreserved.Allothermarksfeaturedmaybetrademarksoftheirrespectiveowners.www.arm.com/company/policies/trademarks