HL7810, MQTT Certs and ERROR code 907

Hi,

I have an HL7810 modem and am trying to set up an AWS IoT connection. I think I need help writing the certs. This is what I did:
As you know, when you create a thing on AWS IoT, it gives you 2 root certs (CA1 and CA2) and 3 different certs (public, private and device PEM certs). How many of them should I use?

What I did, in sequence:

AT+KCERTSTORE=0,1188,0
rootCA1
AT+KCERTSTORE=1,1224,0
pem.crt(device)
AT+KPRIVKSTORE=0,1675
and private key

and then this is my mqtt config:

AT+KMQTTCFG=1,1,"XXXXXXx.eu-west-1.amazonaws.com",8883,4,"zfr_hl7810",120,1,1,"test_topic","hello zafer",0,1,"","",6,""

and when I send this: AT+KMQTTCNX=5

I have an error with

+CME ERROR: 907

+KMQTT_IND: 5,0

So what does 907 mean, which certs do I need to write, and what is the correct way to write certs into the modem? Is there any Python script or any tool?

Moreover, I am quite confused.

What is the +KSSLCRYPTO config I need to use for this?

Amazon Root CA 1 is RSA 2048 bit key:
Amazon Root CA 3 is ECC 256 bit key:

So I really couldn’t understand what the corresponding KSSLCRYPTO config is for AWS.

Thanks

Can you test with a simple TCP socket with SSL first?

Thanks for the quick reply @jyijyi. I tried with these commands:

AT+KTCPCFG=1,3,"xxxxxxxx.iot.eu-west-1.amazonaws.com",8883,0,6,1

OK

+KTCPCFG: 2

OK

OK

+KTCP_NOTIF: 2,13

TCP notify 2,13 means “SSL connection error”.

Here is what the certs that I used look like when I run the AT+KCERTSTORE? command:

AT+KSSLCRYPTO?
OK

+KSSLCRYPTO: 0,8,3,25392,12,4,1,0

+KSSLCRYPTO: 1,8,1,8192,4,4,1,0

+KSSLCRYPTO: 2,8,2,16,0,4,1,0

+KSSLCRYPTO: 3,8,2,32,0,4,1,0

+KSSLCRYPTO: 4,8,2,256,0,4,1,0

+KSSLCRYPTO: 5,8,2,512,0,4,1,0

+KSSLCRYPTO: 6,8,2,8192,4,4,1,0

+KSSLCRYPTO: 7,8,2,16384,8,4,1,0

OK

Did you try another server like Google first, with another CA cert?
It seems your cert has a problem.

I tried these certs on the python app, I can say they are working.

here are certs profiles:

AT+KPRIVKSTORE?
private_key,0,1680

private_key,1,0

private_key,2,0

OK

CONNECT
root_cert,0,1188
root_cert,1,0
root_cert,2,0
root_cert,3,0
local_cert,0,1225

local_cert,1,0
local_cert,2,0

OK

I suspect KSSLCRYPTO. Which profile should I use?

Here are my current profiles.

+KSSLCRYPTO: 0,8,1,8192,4,4,3,0

+KSSLCRYPTO: 1,8,1,8192,4,4,1,0

+KSSLCRYPTO: 2,8,2,16,0,4,1,0

+KSSLCRYPTO: 3,8,2,32,0,4,1,0

+KSSLCRYPTO: 4,8,2,256,0,4,1,0

+KSSLCRYPTO: 5,8,2,512,0,4,1,0

+KSSLCRYPTO: 6,8,2,8192,4,4,1,0

+KSSLCRYPTO: 7,8,2,16384,8,4,1,0

OK

and I tried all these :

AT+KTCPCFG=1,3,"54.246.168.82",8883,0,0,0
AT+KTCPCFG=1,3,"54.246.168.82",8883,0,1,0
AT+KTCPCFG=1,3,"54.246.168.82",8883,0,6,0

and here is the weird thing:

If I set the mode as a client instead of a secure client, I can see it is connected, but when I try to send data an error comes out.

+KTCPCFG: 4,1,1,0,"54.246.168.82",8883,65119,0,0,0,0,0

+KTCPCFG: 5,1,1,0,"54.246.168.82",8883,7467,0,0,0,0,0

+KTCPCFG: 6,1,1,0,"54.246.168.82",8883,36820,0,0,0,0,0

Did you send the file like this?

Connecting to a Google server can make sure the way you transfer the cert is correct and show if it really relates to +KSSLCRYPTO.

@jyijyi, I just wanted to go through your instructions there again,

You can just use AT+KCERTSTORE=0

Are you sure this works now? Because when I send that command, after “connect” is printed the terminal gets stuck there.
I sent AmazonRootCA1.pem but still got nothing else; I can only see the “connect” print output.

AT command says below:

Now it is OK, ending with +++.

I am trying to send now and getting this error:

CONNECT

+CME ERROR: 930

But if I specify the number of bytes, AT+KCERTSTORE=0,1188,0, then there is no error: I get an OK response.

a219aa9ffd3cc7fcfddfd49ab6e7e3ee9e9c88b8ff097c3b9a9aebe6cc2274e1-private.pem.zip (3.7 KB)

here are my certs.

I:
ran AT&k3
Tera Term settings:

How about testing this cert first?

There is no problem, this cert file loaded successfully.

OK, what I noticed:

I added a new line at the end of the cert and then it worked. I got the OK response, but I’m not sure if this is the correct way or not.
rootca1.pem
before:


after:

after works for me.

This is your file: cert.crt

What is the equivalent Cipher Suite Configuration for AWS certs?
This is my TCP config: AT+KTCPCFG?

+KTCPCFG: 1,0,1,3,"54.246.168.82",8883,63562,0,0,0,6,0

This is what I generated on AWS: Root CA 1, RSA 2048 bit key

this is my crypto ciphers: AT+KSSLCRYPTO?

+KSSLCRYPTO: 0,8,3,25392,12,4,1,0

+KSSLCRYPTO: 1,8,1,8192,4,4,1,0

+KSSLCRYPTO: 2,8,2,16,0,4,1,0

+KSSLCRYPTO: 3,8,2,32,0,4,1,0

+KSSLCRYPTO: 4,8,2,256,0,4,1,0

+KSSLCRYPTO: 5,8,2,512,0,4,1,0

+KSSLCRYPTO: 6,8,2,8192,4,4,1,0

+KSSLCRYPTO: 7,8,2,16384,8,4,1,0

ATI9

HL7810.5.5.4.0-23.08.0.FreeRTOS.w31
HL78xx.5.5.4.0.RK_03_02_00_00_32661_001.20230804
2023/08/04 01:23:15
IMEI-SV: 3547205103248815
Legato RTOS: 23.08.0.FreeRTOS.w31 2023/07/25 07:29:47
atSwi: 23.08.0.FreeRTOS.w31
UBOOT: 01.03
Apps: RKAPP_03_02_00_00_32641_001__1fde1ce17d7e3fbbfdf42e040fbd895c9c9e532d
MAC: ALT1250_03_02_00_00_32661_NB
PHY: 0.0.320106
PMP: 320716
AISE: ISE2APP_00_00_00_09

SBUB: 1
SBFW: 1
FPuK1: 1B993663
FPuK2: 25DF28C5
RBUB: 0
RBFW: 0
MCU-Disable: 1

OK

Do you mean it can connect to a Google server but not to your AWS server?

No, I haven’t tested it with a Google server. Do you have any instructions on how to set up Google?

I tried like this:

AT+KTCPCFG=1,0,"www.google.com",80

+KTCPCFG: 3

OK
AT+KTCPCNX=3

OK

+KTCP_NOTIF: 3,3

This is not an SSL connection…
You might need to set up some server to test both simple TCP or SSL TCP.

I know, but you asked me about Google, and I just wanted to test Google with port 80.

you might need to set up some server to test both simple TCP or SSL TCP

Sir, this should not be this difficult. Sierra should have some tools; moreover, there is no documentation that clearly covers all these points.

Anyway, how about this point?

I think you need to first figure out if it is a cert problem or some other problem.

Test here shows that custom server works with the custom cert
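
An added example, not written by any poster in this thread and not Sierra Wireless code: a Python helper for the byte-count and trailing-newline issue discussed above. It normalises a PEM file, builds the store command with the exact byte count, and compares local sizes with the `root_cert,0,1188`-style listing. The parameter order is inferred from the commands posted in the thread; the LF normalisation, the function names and the sample data are assumptions of this example.

```python
import base64
import re

# Store commands in the form used in this thread (parameter meaning inferred from it):
#   AT+KCERTSTORE=<0 root | 1 local>,<bytes>,<index>   and   AT+KPRIVKSTORE=<index>,<bytes>
KINDS = {"root_cert": "AT+KCERTSTORE=0,{size},{index}",
         "local_cert": "AT+KCERTSTORE=1,{size},{index}",
         "private_key": "AT+KPRIVKSTORE={index},{size}"}

LISTING_RE = re.compile(r"^(root_cert|local_cert|private_key),(\d+),(\d+)\s*$", re.M)


def normalize_pem(raw: bytes) -> bytes:
    """LF line endings, no stray leading/trailing whitespace, exactly one final newline."""
    body = raw.replace(b"\r\n", b"\n").replace(b"\r", b"\n").strip()
    if not (body.startswith(b"-----BEGIN ") and body.endswith(b"-----")):
        raise ValueError("input does not look like a single PEM object")
    return body + b"\n"


def store_command(kind: str, pem: bytes, index: int = 0) -> str:
    """AT command whose byte count matches exactly what will be sent after CONNECT."""
    return KINDS[kind].format(size=len(pem), index=index)


def stored_sizes(listing: str) -> dict:
    """Parse 'root_cert,0,1188'-style lines from AT+KCERTSTORE? / AT+KPRIVKSTORE? output."""
    return {(m[1], int(m[2])): int(m[3]) for m in LISTING_RE.finditer(listing)}


def size_mismatches(files: dict, listing: str) -> list:
    """Return (kind, index, local_size, stored_size) for every slot that differs."""
    stored = stored_sizes(listing)
    return [(k, i, len(pem), stored.get((k, i), 0))
            for (k, i), pem in files.items() if stored.get((k, i), 0) != len(pem)]


# Constructed sample: dummy base64 body, CRLF line endings, no final newline.
_b64 = base64.encodebytes(bytes(range(96))).replace(b"\n", b"\r\n")
SAMPLE = b"-----BEGIN CERTIFICATE-----\r\n" + _b64 + b"-----END CERTIFICATE-----"

if __name__ == "__main__":
    pem = normalize_pem(SAMPLE)
    print(len(SAMPLE), "->", len(pem), store_command("root_cert", pem))
    # Constructed modem listing: the slot 0 size differs from the local file.
    print(size_mismatches({("root_cert", 0): pem}, "root_cert,0,186\nroot_cert,1,0\n"))
```

Send the normalised bytes, not the original file, after the modem prints CONNECT, so the declared count and the payload agree.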