AWS Partner Network (APN) Blog

AWS IoT on Mongoose OS, Part 1

For ESP8266 and ESP32 microcontrollers

By Tim Mattison. Tim is a Partner Solutions Architect with AWS who is focused on IoT.

Welcome to the first in a series of blog posts about AWS IoT connectivity on microcontrollers. The purpose of this series is to show how our firmware and hardware partners are working together to make it possible to iterate on and develop IoT projects rapidly without sacrificing security.

Background

AWS IoT sets a high bar for security. Today it requires Transport Layer Security (TLS) version 1.2 with mutual authentication. In the past, the computational requirements meant that certain devices might not have had enough RAM or CPU to connect directly. These devices would normally connect to AWS IoT through a gateway device or proxy that would handle the security and authentication on their behalf. One very popular device, Espressif ESP8266, had this limitation for a long time. Until now.

The first step in our IoT journey is to move from the “security by proxy” model and shift the mutual authentication and encryption into our microcontroller. In this post, we’re going to show you how to take your own ESP8266 (or ESP32) and connect it directly to AWS IoT using Mongoose OS. Mongoose OS is an open source operating system for microcontrollers that emphasizes cloud connectivity. It was developed by Cesanta, a Dublin-based embedded software company and Advanced APN Technology Partner.

Goals

When you complete the steps in this blog post, you’ll have:

  • Certificates for your ESP8266 that will be registered with AWS IoT and stored on your local computer
  • A firmware image for the ESP8266 that can connect to AWS IoT directly and can be configured with your AWS IoT endpoint, Wi-Fi SSID, and Wi-Fi password without reflashing it
  • A build environment that you can use to develop new firmware

Prerequisites

For this tutorial, you’ll need:

Some notes before you start

You must run all the commands in these instructions in the same command-line shell.

We assume that the mos application is in your path.  If it isn’t, you’ll need to reference it directly or add it to your path.

The mos application will create an AWS IoT policy in your account called mos-default. This is an open policy for development purposes only.  Do not use this policy in a production deployment or in an account that handles production data.  If you’d prefer to create your own policy, see Example Policies in the AWS IoT documentation to learn more.
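As an added example (not part of the original post and not Cesanta's or AWS's code), this Python sketch builds a policy scoped to one device and flags wildcard statements in an existing policy. It assumes the /request and /response topics that appear in the MQTT configuration in Step 1. The account ID and client ID are placeholders, and `OPEN_SAMPLE` is a constructed illustration of an open policy, not the actual contents of mos-default.

```python
import json

def iot_arn(region, account_id, kind, name):
    # kind is "client", "topic" or "topicfilter". A topic named "/request"
    # yields "...:topic//request" because the name itself starts with "/".
    return f"arn:aws:iot:{region}:{account_id}:{kind}/{name}"

def build_device_policy(region, account_id, client_id,
                        pub_topic="/response", sub_topic="/request"):
    """Least-privilege policy for one device using this tutorial's topics."""
    def stmt(actions, kind, name):
        return {"Effect": "Allow", "Action": actions,
                "Resource": [iot_arn(region, account_id, kind, name)]}
    return {
        "Version": "2012-10-17",
        "Statement": [
            stmt(["iot:Connect"], "client", client_id),      # only this client ID
            stmt(["iot:Publish"], "topic", pub_topic),       # device -> cloud
            stmt(["iot:Subscribe"], "topicfilter", sub_topic),
            stmt(["iot:Receive"], "topic", sub_topic),       # cloud -> device
        ],
    }

def as_list(value):
    return value if isinstance(value, list) else [value]

def open_statements(policy):
    """Return (statement index, reason) for each Allow that uses a wildcard."""
    findings = []
    for i, s in enumerate(as_list(policy.get("Statement", []))):
        if s.get("Effect") != "Allow":
            continue
        for action in as_list(s.get("Action", [])):
            if "*" in action:
                findings.append((i, f"wildcard action {action}"))
        for res in as_list(s.get("Resource", [])):
            if "*" in res:
                findings.append((i, f"wildcard resource {res}"))
    return findings

# Constructed sample of an open development policy (assumption, see lead-in).
OPEN_SAMPLE = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]}

if __name__ == "__main__":
    # Placeholder region, account ID and client ID: substitute your own.
    policy = build_device_policy("us-east-1", "123456789012", "my-device-id")
    print(json.dumps(policy, indent=2))
    print(open_statements(OPEN_SAMPLE))
```

The client ID in the policy must match the MQTT client ID your device presents, which this post does not show. The printed JSON can be created in your account with `aws iot create-policy`.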

If the mos application doesn’t detect your serial port, read the “Troubleshooting – Installing Serial Drivers” section after the tutorial.

Step 1 – Build and flash Mongoose OS

1. Navigate to the git repository in your shell.

2. Navigate to the c_mqtt firmware example directory:

$ cd fw/examples/c_mqtt

3. Build the firmware:

$ mos build --arch esp8266
Connecting to http://mongoose.cloud, user test
Uploading sources (3007 bytes)
Success, built c_mqtt/esp8266 version 1.0 (20170315-154447/???).
Firmware saved to build/fw.zip

4. Flash the firmware:

$ mos flash
Loaded temp/esp8266 version 1.0 (20170313-194120/???)
Using port /dev/cu.SLAB_USBtoUART
Opening /dev/cu.SLAB_USBtoUART...
Connecting to ESP8266 ROM, attempt 1 of 10...
  Connected
Running flasher @ 460800...
  Flasher is running
Flash size: 4194304, params: 0x0240
Deduping...
    2544 @ 0x0 -> 0
  553248 @ 0x11000 -> 483616
  131072 @ 0xdb000 -> 20480
     128 @ 0x3fc000 -> 0
Writing...
    4096 @ 0x1000
   77824 @ 0x11000
   12288 @ 0x25000
   98304 @ 0x29000
    4096 @ 0x44000
   12288 @ 0x4a000
   61440 @ 0x4e000
   20480 @ 0x5f000
    4096 @ 0x65000
   12288 @ 0x67000
   24576 @ 0x6b000
  159744 @ 0x72000
   20480 @ 0xdb000
    4096 @ 0xfb000
Wrote 516096 bytes in 12.76 seconds (316.02 KBit/sec)
Verifying...
    2544 @ 0x0

5. Configure Wi-Fi by replacing YOUR_WIFI_SSID and YOUR_WIFI_PASSWORD with the appropriate values for your environment:

$ mos wifi YOUR_WIFI_SSID YOUR_WIFI_PASSWORD
Using port /dev/cu.SLAB_USBtoUART
Getting configuration...
Setting new configuration...
Saving and rebooting...

6. Generate certificates, upload them to the NodeMCU board, and set up the MQTT parameters by replacing REGION with the name of the region that you want to use with AWS IoT:

$ mos aws-iot-setup --aws-region REGION --aws-iot-policy mos-default
Using port /dev/cu.SLAB_USBtoUART
AWS region: us-east-1
Connecting to the device...
Current MQTT confit: {
  "clean_session": true,
  "keep_alive": 60,
  "pass": "",
  "pub": "/response",
  "reconnect_timeout_max": 60,
  "reconnect_timeout_min": 10,
  "server": "axxxxxxxxxxxxz.iot.us-east-1.amazonaws.com:8883",
  "ssl_ca_cert": "ca-verisign-ecc-g2.crt.pem",
  "ssl_cert": "aws-iot-exxxxxxxxf.crt.pem",
  "ssl_cipher_suites": "",
  "ssl_key": "aws-iot-exxxxxxxxf.key.pem",
  "ssl_psk_identity": "",
  "ssl_psk_key": "",
  "sub": "/request",
  "user": "",
  "will_message": "",
  "will_topic": ""
}
Generating certificate request, CN: mos-M3SRGEJDINMOPB12
Generating private key locally
Asking AWS for a certificate...
Certificate ID: bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8
Certificate ARN: arn:aws:iot:us-east-1:0xxxxxxxxxx8:cert/ bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8
Wrote private key to aws-iot-bxxxxxxxc.key.pem
Wrote certificate to aws-iot-bxxxxxxxc.crt.pem
Attaching policy "Mongoose" to the certificate...
Uploading certificate...
Uploading key...
Uploading CA certificate...
New config: {
  "clean_session": true,
  "keep_alive": 60,
  "pass": "",
  "pub": "/response",
  "reconnect_timeout_max": 60,
  "reconnect_timeout_min": 10,
  "server": "axxxxxxxxxxxxz.iot.us-east-1.amazonaws.com:8883",
  "ssl_ca_cert": "ca-verisign-ecc-g2.crt.pem",
  "ssl_cert": "aws-iot-bxxxxxxxc.crt.pem",
  "ssl_cipher_suites": "",
  "ssl_key": "aws-iot-bxxxxxxxc.key.pem",
  "ssl_psk_identity": "",
  "ssl_psk_key": "",
  "sub": "/request",
  "user": "",
  "will_message": "",
  "will_topic": ""
}
Setting new configuration...
Saving and rebooting...

7. Open a serial console to monitor the device:

$ mos console

Step 2 – Interact with the device

1. Log in to the AWS IoT console, and then choose Test to get to the MQTT client.

2. In the Publish section, set the topic to /request.

3. In the text area below the topic, type:

{
    gpio: {
        pin: 2,
        state: 0
    }
}

4. Choose the Publish to Topic button.

At this point, the built-in blue LED on the NodeMCU board will turn on.

The blue LED is on GPIO2, which is inverted, so setting it to state 0 turns the blue LED on.

5. In the text area below the topic, type:

{
    gpio: {
        pin: 2,
        state: 1
    }
}

6. Choose Publish to topic again. The LED will turn off.

ESP32 Support

Mongoose OS supports several architectures. Everything we’ve described so far will work on Espressif ESP32 boards as well. The only things that you’ll need to change are the --arch flag and the name of the serial device.

For ESP32, build the firmware with this command:

mos build --arch esp32

Troubleshooting – installing serial drivers

If your serial port wasn’t detected automatically, you might need to install a serial port driver.  Look at your NodeMCU board and identify its serial chip.  The two most common chips are the CP2102 and the CH340.  The CP2102 looks like this:

If you have the CP2102, you need to download the Silicon Labs serial drivers.

If you have the CH340, download the driver appropriate for your operating system. Windows drivers and MacOS drivers are currently provided for this component.

Coming up

In the next article in this series, we’ll show you how to protect your TLS credentials with Microchip’s ATECC508A chip.  This combination of an ESP8266 and ATECC508A is inexpensive and can help provide a framework for a secure IoT solution.