Best way to pull new firmware OTA into remote devices

nerves

#1

Hi there :slight_smile:
I was wondering, what Nerves experts would suggest as a solution for OTA firmware updates to a fleet of remote devices. Of course there is nerves_firmware_ssh (and nerves_firmware_http), but it assumes one can SSH (or HTTP PUT) to the device, which means the device needs to have a known address. That’s easy on local networks, but harder when the device is deployed remotely on other networks.

What I think the best way would be, is deploying a release server and letting all the devices check periodically for updates, securely downloading them, and then updating themselves. This seems the most reasonable option to me, but I didn’t find a package for pulling a new firmware (only pushing it via SSH or HTTP). I can write something like that, but I wanted to ask before I re-invent the wheel.

What’s your opinion?


#2

Definitely hop over to the #Nerves Slack channel, https://elixir-lang.slack.com. We are currently working on a server platform for deploying firmware updates. Currently most people have a Phoenix Channel or MQTT channel open to their server, and push update notifications. That push notification will usually have a secure URL in which to download the updated firmware.

The platform that is currently being built will work similar to this as well, but will be open source and built by the Nerves community.


#3

That’s amazing news @entone, thanks! Joining the Slack channel now


#4

Is there a repo for this project?


#5

So, I ended up creating a simple update manager GenServer that subscribes on an MQTT topic and downloads/validate/apply firmware updates when notified. It works very well, even though it’s quite specific to my use case. I’d be happy to switch to the open-source solution mentioned here when possible, and possibly contribute to it.


#6

Any update on this project?


#7

I have my check with server portion written, to the point where I’m ready to download and apply the update. How do you actually go about doing this?


#8

Any update on a firmware update server platform?


#9

Replying myself : I stumbled upon a blog post about NervesHub. It’s not ready for production, but it seems that there is serious work under progress :slight_smile:


#10

Thanks for pinging us on NervesHub. It’s technically private beta right now and we have a couple companies regularly using it in production. At the moment, our focus is on improving device authentication and first-time device registration. That has turned out to be more work than expected so we have been quieter on announcing progress. I expect that we’ll have something working fairly well by end-of-year, but with very rough docs.

If you’re building custom hardware right now and anticipate using NervesHub, I’d add an ATECC508A (~60-70 cent adder) to your board. That chip securely stores the private key used for authentication and locks down a couple other important pieces of device information in one-time-programmable memory. The chip can also be used with Amazon IoT, etc., so you’re not locked into NervesHub.