"Productionising" the FX30s


#1

Hi, we want to sell the FX30s to customers and it needs to go through a production process to set it up with our legato app etc.

  1. What is the recommended way of loading the legato app, updating the FW and otherwise configuring the device in a production environment? i.e. it ideally needs to be automated out the box (including setting up passwords, keys etc)
  2. Does it need to happen over the USB cable (which will be enumerated every time) or can it happen over the serial cable?
  3. What is the recommended way to secure the device from tampering/uploading different applications etc.

One of the methods I can imagine is installing a basic app that connects to AirVantage which tells it what to install. However this would consume a lot of data. Could this be achieved via the IP connection of the USB cable?

Thanks,

Karl


#2

@karlkuhn,

There are a number of ways you can achieve this.

  • Build the entire system (apps, configuration, etc) into a single file and upgrade the unit with swiflash.
  • Take the generic unit, load the application and then run a script to configure it i.e. change the root password, turn all of the interfaces off you want to, etc.
  • Re what is the recommended way to secure a device, you can make it as secure or insecure as you want. The bare minimum would be to change the root password as mentioned above, after this you can secure it any number of ways from using secure file storage areas to completely disabling the ability to upload new applications.

Essentially everything will really need to be done over the USB Ethernet initially, yes. Would not recommend doing it OTA in a production environment, too slow and unreliable.

Regards

Matt


#3

Thanks @mlw, that is some useful information. I will look into it.

So presumably (if I remember correctly) all FX30s enumerate as 192.168.2.2 or was it 192.168.2.1. So I can use that as the starting point for the process, i.e. SSH to it using the known default password… cp in the required files and execute a script which does all the necessary config.

Sounds about right? Presumably this would be the process for updating the FW as well.


#4

The unit gives itself the IP address 192.168.2.2, the host PC is given 192.168.2.1.

Updating firmware etc is covered in the legato documentation.

https://docs.legato.io/latest/toolsTarget.html

Regards

Matt


#5

Hi @mlw is there a way to automate/script the initial connection to the device, i.e. resolving the key / password prompts without user intervention?

Thanks,
Karl


#6

@karlkuhn,

Not sure what you are asking, the units we supply are standard production units that don’t automatically do anything, if you want it to do something then you will need to load something onto the unit yourself to get it to do this. Product supplied ‘as is’ will not.

Regards

Matt


#7

Hi @mlw, thanks for the reply. Yes, the units are standard. I need to put this through a production process that a production person can run, i.e. ideally they click a button that then does everything it needs to and results in a passed or failed.

To achieve this, I am creating a script to run using scp and plink (or ssh) to copy, install and configure everything I need. However, the first time I connect with scp and plink or ssh, I need to a) accept a key and b) set a new password.

This is something that I have not found an automated (without user interaction) way to achieve. I was hoping someone here might have suggestions, as I am sure others have needed to solve this?

Thanks,


#8

@karlkuhn,

Ok, see the issue/objective. You cannot get around the SSH asking you to set the password. This is being forced because in the past on the AirLink products customers left all of the defaults on and then got upset with us that there was a security breach, so we force it now.

Back to your issue, the only way around this I would say is to create a Legato app (.cwe file) and load it with the SWIFlash/FDT tool, this can be done outside of an SSH session, hopefully you will be able to set it to auto run as well.

Regards

Matt


#9

Hi Karl,
If you’re building from source, you can create your own set of ssh keys and install the public key to /home/root/.ssh.
BR,
Chris
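
Added example, not part of the original thread and not Sierra Wireless or Legato code: host-side helpers for a production station that connects with a key pair as suggested in #9, and handles the host-key prompt from #7 without turning host-key checking off. Assumptions: an OpenSSH client (7.6 or later) on the host, an image built with the station's public key in /home/root/.ssh/authorized_keys, an RSA key type the unit's SSH server accepts, and hypothetical names for the station directory, key file, serial input and /tmp/configure.sh.

```shell
#!/bin/sh
# Added example: host-side helpers for a production station (OpenSSH client).
TARGET=root@192.168.2.2               # unit's USB Ethernet address, per the thread
STATION_DIR=${STATION_DIR:-./station} # hypothetical working directory (no spaces)
KEY=$STATION_DIR/id_rsa               # hypothetical key file name

# Create the station key pair once. The public half (id_rsa.pub) is what gets
# built into the image as /home/root/.ssh/authorized_keys.
make_station_key() {
    mkdir -p "$STATION_DIR" && chmod 700 "$STATION_DIR" || return 1
    [ -f "$KEY" ] || ssh-keygen -q -t rsa -b 3072 -N "" -f "$KEY"
}

# Serials become part of a file name, so allow only letters and digits.
valid_serial() {
    case $1 in
        ''|*[!A-Za-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Every unit answers on the same IP with its own host key, which makes a shared
# known_hosts file prompt or fail on the second unit. One file per serial keeps
# verification on: the key is pinned on first contact and checked afterwards.
ssh_opts() {
    valid_serial "$1" || return 1
    printf '%s\n' "-i $KEY -o BatchMode=yes -o IdentitiesOnly=yes" \
        "-o UserKnownHostsFile=$STATION_DIR/known_hosts.$1" \
        "-o StrictHostKeyChecking=accept-new"
}

# Copy a configuration script to the unit and run it; prints PASS or FAIL.
# BatchMode makes ssh fail instead of waiting on a prompt.
provision_unit() {
    serial=$1 script=$2
    opts=$(ssh_opts "$serial") || { echo "FAIL $serial bad serial"; return 1; }
    # Word splitting of $opts is intended here.
    if scp -q $opts "$script" "$TARGET:/tmp/configure.sh" &&
       ssh $opts "$TARGET" 'sh /tmp/configure.sh'; then
        echo "PASS $serial"
    else
        echo "FAIL $serial"; return 1
    fi
}
```

Keeping the per-serial known_hosts files gives a record of each unit's host key that later service connections can verify against.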