Secure DFU Bootloader over Serial Link (UART/USB)

The Serial Secure DFU Bootloader example uses the Bootloader and DFU modules to implement a bootloader with secure Device Firmware Update (DFU) functionality. The SDK provides transport code for UART and for USB CDC ACM (nRF52840 only).

The example bootloader accepts images that contain a new bootloader, SoftDevice, application, or any combination of these. To protect the target device against malicious attackers trying to impersonate the rightful sender of the firmware update, the init packet of the firmware package must be signed.

Setup

Depending on the target board and SoftDevice, you can find the source code and the project file of the example in one of the following folders:

• <InstallFolder>\examples\dfu\secure_bootloader\pca10040_uart
• <InstallFolder>\examples\dfu\secure_bootloader\pca10040e_uart
• <InstallFolder>\examples\dfu\secure_bootloader\pca10056_uart
• <InstallFolder>\examples\dfu\secure_bootloader\pca10056_usb
• <InstallFolder>\examples\dfu\secure_bootloader\pca10056e_uart

Button assignments:

• Button 4: Holding this button during startup makes the device enter DFU mode.

USB Setup

The USB Secure DFU Bootloader example uses the CDC ACM USB class, commonly known as Virtual COM port. After connecting the USB cable, the development kit enumerates as a COMx port on Windows hosts or as a /dev/ttyACMx device on Linux/Unix hosts. The port can be opened and closed just like a traditional serial port.

On Mac, Linux, and Windows 8 and later, the correct driver should be installed automatically.

Testing

You can either create your own firmware package for testing or use one of the provided packages that are located in subfolders of <InstallFolder>\examples\dfu\secure_dfu_test_images. The provided packages have been generated using a private key that corresponds to the default public key in the project. This public key must not be used in production.

The following is the naming convention for the hex and zip files that you can use in this example:

• Application update:
  • uart\nrf528xx\hrs_application_s1xx.hex
  • uart\nrf528xx\hrs_application_s1xx.zip
  • uart\nrf528xx\blinky_mbr.hex
  • uart\nrf528xx\blinky_mbr.zip
• SoftDevice:
  • uart\nrf528xx\softdevice_s1xx.hex
  • uart\nrf528xx\softdevice_s1xx.zip
• MBR:
  • uart\nrf528xx\mbr.hex
• Bootloader:
  • uart\nrf528xx\bootloader_secure_uart_debug_without_bonds_mbr.hex
  • uart\nrf528xx\bootloader_secure_uart_debug_without_bonds_mbr.zip

Test the Serial Secure DFU Bootloader application by performing the following steps:

1. If you want to create your own firmware package for testing:
   1. Create a private key for the example. See Working with keys for instructions, and Signature verification for more information about signatures.

      Note

      The private key should be kept with very limited distribution, because it can be used to create valid firmware images to update your device. It must never be lost, because without the key, there is no way to create new DFU images.

   2. Create a public key in code format and store it in a file named dfu_public_key.c. See Working with keys for instructions.
   3. Copy the dfu_public_key.c file to the project folder, replacing the existing file.
   4. Prepare a firmware package (in zip format) that you want to use. See Creating a firmware package with nrfutil for instructions.
   5. Generate a HEX file that contains the Bootloader Settings page. See the nrfutil documentation for instructions.
2. Install micro-ecc. This library is required for the Cryptography library - nrf_crypto, which is used in the Serial Secure DFU Bootloader example.
3. Compile the bootloader.
4. If you generated a bootloader settings HEX file, flash it using the following command.

   nrfjprog --program --sectorerase settings.hex

5. Program the HEX file. See Programming the bootloader.
6. Make sure that the device enters DFU mode. DFU mode is indicated by LED 3 being lit. If a valid application is installed on the device, hold Button 4 during startup to prevent the bootloader from starting the application and force it to enter DFU mode instead.
7. If you are running the USB bootloader, and using Windows 7 (or XP), install the driver. To install the driver on Windows 7, follow these steps:
   • Open Device Manager
   • Right-click the development kit (look for the name "nRF52 ..." depending on the example)
   • Click "Update Driver Software..."
   • Click "Browse my computer for driver software"
   • Click "Browse..." and choose the folder sdk/nrf5/examples/usb_drivers
   • Click "Ok"
   • Click "Next"
   • Click "Install"
   • Click "Close"
8. Check which COM port the device is connected to.
9. Enter the following command to start the DFU process over the serial link, where package.zip is the name of the firmware package that you want to upload and COM_PORT is the COM port to which the device is connected:
   nrfutil dfu serial -pkg package.zip -p COM_PORT for UART transport
   nrfutil dfu usb_serial -pkg package.zip -p COM_PORT for USB transport
10. Observe that the device resets and runs the new application, bootloader, or SoftDevice.