Open droidblastnz opened 1 year ago
Whether I use B03 or B04 is the same problem, both return not authorized
I'm facing the same problems. I have a SIMCOM A7670E. AT+SIMCOMATI gives me this:
AT+SIMCOMATI
Manufacturer: INCORPORATED
Model: A7670E-FASE
Revision: A011B03A7670M7_F
A7670M7_B03V02_211123
QCN:
IMEI: 862205056091731
MEID:
+GCAP: +CGSM,+FCLASS,+DS
DeviceInfo:
OK
I read somewhere that you need to enable SNI (server name indication) on hivemq
AT+CSSLCFG="enableSNI",0,1
OK
I can't see you're using this setting, maybe it helps! I get a handshake failure.
AT+CMQTTCONNECT=0,"tcp://myinstance.s2.eu.hivemq.cloud:8883",60,1,my_username,my_password
+CMQTTCONNECT: 0,32
ERROR
I don't know where to look for a firmware update. Can I use the firmware you suggested?
Appears no firmware for my board. I would try https://cloud-intl.emqx.com as it has a different cert than HiveMQ.
Full commands used to test
AT+CPIN?
AT+CSQ
AT+CGREG?
AT+COPS?
AT+NETOPEN
AT+NETOPEN?
AT+IPADDR
AT+CSSLCFG="sslversion",0,4
AT+CSSLCFG="authmode",0,1
AT+CSSLCFG="ignorelocaltime",0,1
AT+CSSLCFG="cacert",0,"isrgrootx1.pem"
AT+CSSLCFG="enableSNI",0,1
AT+CMQTTSTART
AT+CMQTTACCQ=0,"client",1,4
AT+CMQTTSSLCFG=0,0
AT+CMQTTCONNECT=0,"tcp://xxx.s1.eu.hivemq.cloud:8883",60,1,"xxx","xxx"
AT+CMQTTDISC=0,120
AT+CMQTTREL=0
AT+CMQTTSTOP
I can't do anything at the moment, I'm waiting for simcom's reply, I will test it as soon as I have news
Any update please?
I'm using the SIM7600E-H, and I was facing the same issue as @droidblastnz. At that time, here is the firmware version that I was using: LE11B14SIM7600M22
With this version, I was able to connect successfully to:
But not to:
I was getting this error: +CMQTTCONNECT: 0,31
Then, I updated the modem with this firmware version: LE20B04V03SIM7600M22
Right now, after having activated SNI Flag, I'm able to connect to:
PS: I'm using STM32 HAL
Here is the AT command, that I used:
AT+CSSLCFG="sslversion",0,4
OK
AT+CSSLCFG="enableSNI",0,1
OK
AT+CSSLCFG="ciphersuites",0,0xFFFF
OK
AT+CSSLCFG="ignorelocaltime",0,1
OK
AT+CSSLCFG="cacert",0,"hivemq_ca.pem"
OK
AT+CMQTTDISC=0,60
+CMQTTDISC: 0,0
OK
AT+CMQTTREL=0
OK
AT+CMQTTSTOP
+CMQTTSTOP: 0
OK
AT+CMQTTSTART
OK
+CMQTTSTART: 0
AT+CMQTTACCQ=0,"your_device_id",1,4
OK
AT+CMQTTSSLCFG=0,0
OK
AT+CMQTTWILLTOPIC=0,5
>death
OK
AT+CMQTTWILLMSG=0,37,1
>your_lwt_message
OK
AT+CMQTTCONNECT=0,"tcp://xxx.s2.eu.hivemq.cloud:8883",5,1,"xxx","xxx"
OK
+CMQTTCONNECT: 0,0
AT+CMQTTSUB=0,3,1
>your_subscribe_topic
OK
+CMQTTSUB: 0,0
AT+CMQTTTOPIC=0,8
>your_publish_topic
OK
AT+CMQTTPAYLOAD=0,63
>your_message
OK
AT+CMQTTPUB=0,1,60
OK
+CMQTTPUB: 0,0
By the way, does someone know the difference between LE11 vs B20 firmware versions? Which one is the most recent?
Hi everyone, I have not heard back from SIMCOM yet, I will follow up.
I will consult SIMCOM about the difference between LE11 and B20, thank you for @MisterRoy response
@lewisxhe @MisterRoy can you please confirm how you are getting the cert to the module what steps/command you are using? Trying with emqx.com and they have a crt not pem.
Downloaded emqxsl-ca.crt and converted
openssl x509 -in emqxsl-ca.crt -out emqxsl-ca.pem
Uploaded to FTP server emqxsl-ca.pem
connect modem and downloaded emqxsl-ca.pem
with this command
AT+CFTPSGETFILE="emqxsl-ca.pem",4
T-SIM7600 documentation states this below.
The directory to save the downloaded file. Numeric type, range is 1-4, default is 1 (/cache)
1 – F:/ (/cache)
2 – D:/ (sd card)
3 – E:/ (/data/media/)
4 – /mssl_cert/ (this is for CA file downloading)
AT+FSCD=mssl_cert/
16:11:32.400 -> +FSCD: E:/mssl_cert/
16:11:32.400 ->
16:11:32.400 -> OK
16:12:11.140 ->
16:12:20.141 -> +FSLS: (0-2)
16:12:28.717 -> OK
16:13:24.655 -> +FSLS: SUBDIRECTORIES:0,FILES:0
16:13:24.702 -> OK
16:18:08.438 ->
16:18:08.438 -> +FSCD: E:/mssl_cert/
16:18:08.485 ->
16:18:08.485 -> OK
So why does command AT+CCERTLIST
show my certs?
16:08:48.513 -> +CCERTLIST: "emqxsl-ca.crt"
16:08:48.558 -> +CCERTLIST: "emqxsl-ca.pem"
End result for me is still
16:01:14.669 -> +CSSLCFG: 0,4,1,1,300,"emqxsl-ca.pem","","",1,"",0xFFFF
16:01:14.715 -> +CSSLCFG: 1,4,0,1,300,"","","",0,"",0x0
16:01:14.762 -> +CSSLCFG: 2,4,0,1,300,"","","",0,"",0x0
16:01:14.810 -> +CSSLCFG: 3,4,0,1,300,"","","",0,"",0x0
16:01:14.857 -> +CSSLCFG: 4,4,0,1,300,"","","",0,"",0x0
16:01:14.903 -> +CSSLCFG: 5,4,0,1,300,"","","",0,"",0x0
16:01:14.903 -> +CSSLCFG: 6,4,0,1,30"","",0,""
16:01:19.130 -> OK
16:01:19.833 ->
16:01:19.833 -> +CMQTTCONNECT: 0,34
34 open SSL session failed - to me it's not finding the cert that I uploaded with AT+CFTPSGETFILE="emqxsl-ca.pem",4
Hello, I'm also trying to update SIM7600G-H to LE20B04V03SIM7600M22. Actual:
AT+SIMCOMATI
Manufacturer: SIMCOM INCORPORATED
Model: SIMCOM_SIM7600G-H
Revision: LE20B03SIM7600M22
SIM7600M22_B03V02_200828
QCN:
IMEI: 868822040986638
MEID:
+GCAP: +CGSM
DeviceInfo: 173,170
When I'm starting the upgrade tool, I get the following error: 1# Failed read imei failed. Please repower DUT.
Can anybody help me?
Thanks
Best regards
Daniel
There is no way to upgrade, and SIMCOM didn't reply to me on how to deal with it. I have no choice. I tried using B03 to connect to MQTTS port 8883, and it is normal.
AT+CMQTTSTART
+CGREG: 0,1
OK
SMS DONE
OK
+CMQTTSTART: 0
AT+CCERTDOWN="ca_cert.pem",1338
>-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
OK
AT+CSSLCFG="sslversion",0,4
OK
AT+CSSLCFG="authmode",0,1
OK
AT+CSSLCFG="cacert",0,"ca_cert.pem"
OK
AT+CSSLCFG="clientcert",0,"cert.pem"
ERROR
AT+CSSLCFG="clientkey",0,"key_cert.pem"
ERROR
AT+CMQTTSSLCFG=0,0
OK
AT+CMQTTREL=0
OK
AT+CMQTTACCQ=0,"Sim7600_fa7d2288",1
OK
AT+CMQTTCONNECT=0,"tcp://broker.emqx.io:8883",60,1
OK
+CMQTTCONNECT: 0,0
PB DONE
Manufacturer: SIMCOM INCORPORATED
Model: SIMCOM_SIM7600G-H
Revision: LE20B03SIM7600M22
SIM7600M22_B03V03_210525
QCN:
SVN: 01
IMEI: 86882204249xxxxx
MEID:
+GCAP: +CGSM
DeviceInfo: 173,170
OK
Bit lost to how you are downloading the cert to the module. Can you confirm what tool you are using, what the process is to get the file to module and actually where the pem is located?
I have tried Ardinuo IDE, Teraterm and SSCOM V5.13.1 tool. Please detailed the steps and tool you are using as this is where my issue lies.
I've got it. First I have disconnected the Port from Arduino. Then I got the following error: Connect Sahara Server failed.
The error is described here: https://www.edaboard.com/threads/sim7600-lte-firmware-update.404060/
After Updating Firmware: SIM_DATA:
AT+SIMCOMATI
Manufacturer: SIMCOM INCORPORATED
Model: SIMCOM_SIM7600G-H
Revision: LE20B04SIM7600M22
SIM7600M22_B04V03_210527
QCN:
IMEI: 868822040986638
MEID:
+GCAP: +CGSM
DeviceInfo: 173,170
Now I can also connect to Azure IOT HUB.
Thanks to all
I did it without a certificate.
AT+CMQTTCONNECT=0,"tcp://xxx.azure-devices.net:8883",90,1,"username","password"
Where password is a SharedAccessSignature from Azure.
But as the next step I will try with a certificate.
@lewisxhe
22:05:08.282 -> +CSSLCFG: 0,4,0,1,300,"emqxsl-ca.pem","","",1,"",0xFFFF
22:05:08.329 -> +CSSLCFG: 1,4,0,1,300,"","","",0,"",0x0
22:05:08.375 -> +CSSLCFG: 2,4,0,1,300,"","","",0,"",0x0
22:05:08.423 -> +CSSLCFG: 3,4,0,1,300,"","","",0,"",0x0
22:05:08.423 -> +CSSLCFG: 4,4,0,1,300,"","","",0,"",0x0
22:05:08.470 -> +CSSLCFG: 5,4,0,1,300,"","","",0,"",0x0
22:05:08.518 -> +CSSLCFG: 6,4,0,1,3,0,1,300,"K
22:05:17.036 -> OK
22:05:20.637 ->
22:05:20.637 -> +CSSLCFG: 0,4,0,1,300,"emqxsl-ca.der","","",1,"",0xFFFF
22:05:20.683 -> +CSSLCFG: 1,4,0,1,300,"","","",0,"",0x0
22:05:20.731 -> +CSSLCFG: 2,4,0,1,300,"","","",0,"",0x0
22:05:20.778 -> +CSSLCFG: 3,4,0,1,300,"","","",0,"",0x0
22:05:20.778 -> +CSSLCFG: 4,4,0,1,300,"","","",0,"",0x0
22:05:20.825 -> +CSSLCFG: 5,4,0,1,300,"","","",0,"",0x0
22:05:20.872 -> +CSSLCFG: 6,4,0,1,3,0,1,300,"K
22:05:26.380 -> +CMQTTSTART: 0
22:05:26.380 ->
22:05:26.428 -> OK
22:05:31.462 ->
22:05:31.462 -> OK
22:05:35.576 ->
22:05:35.576 -> OK
22:05:42.940 ->
22:05:42.940 -> OK
22:05:43.599 ->
22:05:43.599 -> +CMQTTCONNECT: 0,32
No matter what I try I cannot connect whether HiveMQ or EMQX.
Downloaded .pem or .der which are valid
AT+CSSLCFG="sslversion",0,4
AT+CSSLCFG="authmode",0,1
AT+CSSLCFG="ignorelocaltime",0,1
AT+CSSLCFG="cacert",0,"emqxsl-ca.pem"
AT+CSSLCFG="enableSNI",0,1
AT+CSSLCFG="ciphersuites",0,0xFFFF
AT+CSSLCFG="ignorelocaltime",0,1
AT+CSSLCFG="cacert",0,"emqxsl-ca.pem" //or
AT+CSSLCFG="cacert",0,"emqxsl-ca.der"
Same result 32
Viewed with QPST to see the .pem and .der were located in the /mssl_cert/ directory.
Whether I use the command AT+CFTPSGETFILE
or AT+CCERTDOWN
it doesn't work (i.e. connect). This is a bug in the T-SIM7600 firmware.
What firmware are you using? We have the same board ...
What do you mean with start another issue?
I have uploaded LE20B04SIM7600M22 to my SIM7600 which i got from the link above
Where do you get a clientID from HiveMQ?
Sign up for the free version https://www.hivemq.com/pricing/
@lewisxhe can you please confirm if https://drive.google.com/file/d/19wsgsu86b5nOKYwRir4Ae2xF-eBuU8ch/view?usp=sharing will work with the T-SIM7600G-H / ESP WROVERB board? Checking the file sizes, they are different to the version LE20B03SIM7600M22 you supplied that didn't work for this board from LilyGO.
Below is the following commands in order and then the logs
Works and connect 8883 to the free broker.emqx.io
AT+CSSLCFG="sslversion",0,4
AT+CSSLCFG="authmode",0,1
AT+CSSLCFG="ignorelocaltime",0,1
AT+CSSLCFG="cacert",0,"broker.emqx.io-ca.pem"
AT+CSSLCFG="ciphersuites",0,0xFFFF
AT+CMQTTREL=0
AT+CMQTTSTOP (returns 9 has its not connected to disconnect)
AT+CMQTTSTART
AT+CMQTTACCQ=0,"client1",1
AT+CMQTTSSLCFG=0,0
AT+CMQTTCONNECT=0,"tcp://broker.emqx.io:8883",60,1,"admin","public"
AT+CMQTTDISC=0,120
AT+CMQTTREL=0
AT+CMQTTSTOP
AT+CSSLCFG? output below
12:17:27.974 -> +CSSLCFG: 0,4,0,1,300,"","","",0,"",0x0 (note the SNI 0)
12:17:28.021 -> +CSSLCFG: 1,4,0,1,300,"","","",0,"",0x0
12:17:28.067 -> +CSSLCFG: 2,4,0,1,300,"","","",0,"",0x0
12:17:28.116 -> +CSSLCFG: 3,4,0,1,300,"","","",0,"",0x0
12:17:28.170 -> +CSSLCFG: 4,4,0,1,300,"","","",0,"",0x0
12:17:28.211 -> +CSSLCFG: 5,4,0,1,300,"","","",0,"",0x0
12:17:28.265 -> +CSSLCFG: 6,4,0,1,300,"","","",0,",1,300,"",
AT+CSSLCFG?
AT+CSSLCFG="sslversion",0,4
AT+CSSLCFG="authmode",0,1
AT+CSSLCFG="ignorelocaltime",0,1
AT+CSSLCFG="cacert",0,"emqx-com-chain.pem"
AT+CSSLCFG="ciphersuites",0,0xFFFF
AT+CMQTTREL=0
AT+CMQTTSTOP 9
AT+CMQTTSTART
AT+CMQTTACCQ=0,"client1",1
AT+CMQTTSSLCFG=0,0
AT+CSSLCFG="enableSNI",0,1 (here lies the issue and difference)
AT+CMQTTCONNECT=0,"tcp://xxxx.ala.us-east-1.emqxsl.com:8883",60,1,"xxx","xxx"
AT+CMQTTDISC=0,120
AT+CMQTTREL=0
AT+CMQTTSTOP
12:27:40.021 -> +CSSLCFG: 0,4,1,1,300,"emqxsl-ca.pem","","",1,"",0xFFFF (note the SNI 1)
12:27:40.069 -> +CSSLCFG: 1,4,0,1,300,"","","",0,"",0x0
12:27:40.115 -> +CSSLCFG: 2,4,0,1,300,"","","",0,"",0x0
12:27:40.162 -> +CSSLCFG: 3,4,0,1,300,"","","",0,"",0x0
12:27:40.209 -> +CSSLCFG: 4,4,0,1,300,"","","",0,"",0x0
12:27:40.209 -> +CSSLCFG: 5,4,0,1,300,"","","",0,"",0x0
12:27:40.256 -> +CSSLCFG: 6,4,0,1,300,"","",0x
First logs section: Error 32 with SNI enabled (both EMQX and HiveMQ require SNI).
Second logs section: +CMQTTCONNECT: 0,0 with SNI not enabled (free does not need SNI).
13:01:19.266 -> +CMQTTCONNECT: 0,32
13:01:38.682 ->
13:01:38.682 -> +CSSLCFG: 0,4,1,1,300,"broker.emqx.io-ca.pem","","",1,"",0xFFFF
13:01:38.776 -> +CSSLCFG: 1,4,0,1,300,"","","",0,"",0x0
13:01:38.776 -> +CSSLCFG: 2,4,0,1,300,"","","",0,"",0x0
13:01:38.824 -> +CSSLCFG: 3,4,0,1,300,"","","",0,"",0x0
13:01:38.872 -> +CSSLCFG: 4,4,0,1,300,"","","",0,"",0x0
13:01:38.919 -> +CSSLCFG: 5,4,0,1,300,"","","",0,"",0x0
13:01:38.966 -> +CSSLCFG: 6,4,0CSSLCFG:
13:01:57.382 -> OK
13:01:59.914 ->
13:01:59.914 -> +CSSLCFG: 0,4,1,1,300,"broker.emqx.io-ca.pem","","",0,"",0xFFFF
13:01:59.961 -> +CSSLCFG: 1,4,0,1,300,"","","",0,"",0x0
13:02:00.009 -> +CSSLCFG: 2,4,0,1,300,"","","",0,"",0x0
13:02:00.056 -> +CSSLCFG: 3,4,0,1,300,"","","",0,"",0x0
13:02:00.104 -> +CSSLCFG: 4,4,0,1,300,"","","",0,"",0x0
13:02:00.150 -> +CSSLCFG: 5,4,0,1,300,"","","",0,"",0x0
13:02:00.197 -> +CSSLCFG: 6,4,0,4,0,1,3
13:02:09.365 -> OK
13:02:11.296 ->
13:02:11.296 -> +CMQTTCONNECT: 0,0
13:02:21.498 ->
13:02:21.498 -> +CMQTTDISC: 0,0
13:02:21.547 ->
13:02:21.547 -> OK
13:02:25.890 ->
13:02:25.890 -> OK
13:02:29.699 ->
13:02:29.699 -> +CMQTTSTOP: 0
13:02:29.699 ->
13:02:29.699 -> OK
13:02:29.699 ->
13:02:29.699 -> +CMQTTNONET
"SNI" (Server Name Indication) extension used in the Transport Layer Security (TLS) protocol. SNI (Server Name Indication) is an important extension in the TLS protocol that enables clients to specify the desired server hostname during the handshake, facilitating proper SSL certificate selection for multi-domain hosting scenarios.
Error 32 is handshake fail
@droidblastnz, yes, EMQ's CA certificate is given with .crt extension.
Here are the steps I followed to upload the certificate to the modem:
I opened the file (emqxsl-ca.crt) with a text editor and changed it from CRLF (windows) to LF (linux). I personally used notepad++ to achieve this task
Pay attention to the file content length, and keep it in mind
Use a terminal emulator (PuTTY, TeraTerm, MobaXterm, ...) to talk with the modem, by connecting it directly to your computer, then use the following command
AT+CCERTDOWN="emqx_ca_cert.pem",
After the modem responds with >, copy the file content (see image below) and paste it in the terminal emulator.
The modem should answer OK After that, the certificate should have been successfully uploaded to the internal memory of the modem.
Now you should normally be able to connect to EMQX Cloud using the command I listed in my previous answer. Don't forget to enable SNI !
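Added example, not part of the thread or any participant's code: the upload steps above (convert CRLF to LF, note the length, send AT+CCERTDOWN, paste the content after `>`) as a host-side script, so the length argument is always the byte count of exactly what is sent. The function names, the file-name check, the sample PEM and the `FakeModem` stand-in (which assumes the modem waits for the announced number of bytes) are constructed for illustration; `port` is any object with `write()` and `read_until()`, which pyserial's `Serial` provides.

```python
import base64
import re

_BLOCK = rb"-----BEGIN CERTIFICATE-----\n([A-Za-z0-9+/=\n]+)-----END CERTIFICATE-----\n"

# Constructed sample with Windows line endings; the body is a 5-byte DER
# SEQUENCE, not a real certificate.
SAMPLE_CRLF = (b"-----BEGIN CERTIFICATE-----\r\n"
               + base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x01]))
               + b"\r\n-----END CERTIFICATE-----\r\n")


def normalize_pem(raw: bytes) -> bytes:
    """Strip a UTF-8 BOM, convert CRLF/CR to LF and sanity-check the PEM."""
    if raw.startswith(b"\xef\xbb\xbf"):
        raw = raw[3:]
    pem = raw.replace(b"\r\n", b"\n").replace(b"\r", b"\n").strip() + b"\n"
    if not re.fullmatch(b"(?:" + _BLOCK + b")+", pem):
        raise ValueError("expected one or more PEM CERTIFICATE blocks")
    for body in re.findall(_BLOCK, pem):
        der = base64.b64decode(body.replace(b"\n", b""), validate=True)
        if not der.startswith(b"\x30"):  # DER certificates start with SEQUENCE
            raise ValueError("PEM body does not decode to DER")
    return pem


def ccertdown_command(filename: str, pem: bytes) -> bytes:
    """Build the command line; <len> is the exact number of bytes to follow."""
    # Assumption: restrict the name so it cannot break out of the quoted argument.
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", filename):
        raise ValueError("unexpected characters in certificate file name")
    return f'AT+CCERTDOWN="{filename}",{len(pem)}\r'.encode("ascii")


def upload_cert(port, filename: str, raw: bytes) -> int:
    """Send the certificate; return the number of payload bytes written."""
    pem = normalize_pem(raw)
    port.write(ccertdown_command(filename, pem))
    if not port.read_until(b">").endswith(b">"):
        raise RuntimeError("no '>' prompt; the modem rejected the command")
    port.write(pem)
    if not port.read_until(b"OK\r\n").endswith(b"OK\r\n"):
        raise RuntimeError("no OK after the payload; check the length argument")
    return len(pem)


class FakeModem:
    """Constructed stand-in for the serial port: answers OK only when it has
    received exactly the number of bytes announced in AT+CCERTDOWN."""

    def __init__(self):
        self.expect, self.got, self.reply = None, b"", b""

    def write(self, data: bytes) -> None:
        if self.expect is None:
            self.expect = int(data.rstrip(b"\r").rsplit(b",", 1)[1])
            self.reply = b"\r\n>"
        else:
            self.got += data
            self.reply = b"\r\nOK\r\n" if len(self.got) == self.expect else b""

    def read_until(self, expected: bytes) -> bytes:
        out, self.reply = self.reply, b""
        return out


def demo():
    """Return (bytes uploaded, whether a mismatched length leaves no OK)."""
    uploaded = upload_cert(FakeModem(), "ca.pem", SAMPLE_CRLF)
    # Length taken from the CRLF file, but the LF-converted content is sent.
    modem = FakeModem()
    modem.write(b'AT+CCERTDOWN="ca.pem",%d\r' % len(SAMPLE_CRLF))
    modem.read_until(b">")
    modem.write(normalize_pem(SAMPLE_CRLF))
    return uploaded, modem.read_until(b"OK\r\n") == b""


if __name__ == "__main__":
    print(ccertdown_command("ca.pem", normalize_pem(SAMPLE_CRLF)))
    print(demo())
```
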
@MisterRoy thanks my modem is not returning OK
Opened emqxsl-ca.crt in Notepad++ changed LF (linux) Assume when you say copy Ctrl+C and Ctrl+V which picks up LF?
In Teraterm select CR or CR/LF?
ran AT+CCERTDOWN="emqxsl-ca.pem",1338
Here you see no OK from the modem hence why I have been using this command to put the file to the modem
AT+CFTPSGETFILE="emqxsl-ca.pem",4
@droidblastnz,
After changing CRLF to LF, save the file and drag and drop it to Tera Term, just after the command AT+CCERTDOWN="emqxsl-ca.pem",1338 and let me know how it behaves
Regarding the config on Tera Term, I don't know since I'm not using it, sorry
@MisterRoy getting strange behavior with teraterm, which way are you using PuTTY, TeraTerm, MobaXterm?
I use MobaXterm. I copy the file content, then paste it on MobaXterm as it doesn't support drag & drop.
Same as teraterm
Close MobaXterm or Teraterm down Arduino IDE
and Putty
Okay, try to programmatically write the certificate to the modem
Here a C-array representing the certificate.
char emqx_certificate[]="-----BEGIN CERTIFICATE-----\n\
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\n\
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n\
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\n\
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT\n\
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n\
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG\n\
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB\n\
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97\n\
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt\n\
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P\n\
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4\n\
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO\n\
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR\n\
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw\n\
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr\n\
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg\n\
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF\n\
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls\n\
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\n\
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n\
-----END CERTIFICATE-----";
@MisterRoy Ok have teraterm and MobaXterm working. In MobaXterm how do you send a command please?
I can type AT and get OK back now.
Copy the certificate, then right-click on mobaxterm terminal, and click on Paste.
@MisterRoy
AT+CSSLCFG="sslversion",0,4
AT+CSSLCFG="authmode",0,1
AT+CSSLCFG="ignorelocaltime",0,1
AT+CSSLCFG="cacert",0,"isrgrootx1.pem" //needs SNI enabled error 32
AT+CSSLCFG="enableSNI",0,1
AT+CSSLCFG="ciphersuites",0,0xFFFF
AT+CSSLCFG="cacert",0,"broker.emqx.io-ca.pem" //does not need SNI enabled works
AT+CSSLCFG="cacert",0,"emqxsl-ca.pem" //needs SNI enabled error 32
+CCERTLIST: "broker.emqx.io-ca.pem"
+CCERTLIST: "emqxsl-ca.pem"
+CCERTLIST: "isrgrootx1.pem"
So I think I have my certs loaded to the module but again cannot do via AT+CCERTDOWN="emqxsl-ca.pem",1338
If I use AT+CFTPSGETFILE="emqxsl-ca.pem",4
it puts it to the module (/mssl_cert/), the command CERTLIST confirms they are present.
PDF documentation says CCERTDOWN or CFTPSGETFILE or Web so technically I feel I have the certs on the module to test with.
Using MQTT Explorer with each Cert above to check connectivity passes for HiveMQ Free and Private and EMQX Free and Private.
So with this in mind the Cert appears to be valid per each test.
The only issue comes on when SNI is needed and enabled.
So the T-SIM7600G-H has no firmware update available, so with the above tests and confirmation of the cert via MQTT Explorer, to me, what is the issue with SNI being enabled?
Is this a bug with the firmware?
@lewisxhe does the T-SIM7600G-H on the B03 firmware support TLS1.3 and ciphersuites with the 0XFFFF Support all?
Numeric type, SSL ciphersuites
0X002F TLS_RSA_WITH_AES_128_CBC_SHA
0XFFFF Support all
Server certificate
subject=CN = *.ala.us-east-1.emqxsl.com
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3314 bytes and written 405 bytes
Verification: OK
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
With MQTT explorer and the emqxsl-ca.pem you can connect without validating the cert. Checking SIM7500_SIM7600_SIM7800 Series_MQTT(S)_Application Note_V3.00.pdf 5.2.1 Connect to SSL/TLS MQTT server (not verify server) still comes back with a MQTTConnect 32 error.
AWS IOT has connected ok, SNI is not enabled
18:06:38.664 ->
18:06:38.664 -> +CSSLCFG: 0,4,2,1,300,"cacert.pem","clientcert.pem","clientkey.pem",0,"",0xFFFF
18:06:38.757 -> +CSSLCFG: 1,4,0,1,300,"","","",0,"",0x0
18:06:38.804 -> +CSSLCFG: 2,4,0,1,300,"","","",0,"",0x0
18:06:38.851 -> +CSSLCFG: 3,4,0,1,300,"","","",0,"",0x0
18:06:38.898 -> +CSSLCFG: 4,4,0,1,300,"","","",0,"",0x0
18:06:38.898 -> +CSSLCFG: 5,4,0,1,300,"","","",0,"",0x0
18:06:38.944 -> + 8,4,0,
18:06:45.897 -> +CMQTTSTART: 0
18:06:45.897 ->
18:06:45.897 -> OK
18:06:50.679 ->
18:06:50.679 -> OK
18:06:54.627 ->
18:06:54.627 -> OK
18:07:04.374 ->
18:07:04.374 -> OK
18:07:06.620 ->
18:07:06.620 -> +CMQTTCONNECT: 0,0
TLS 1.2 128
SSL handshake has read 5495 bytes and written 476 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
@droidblastnz which firmware do your modem run on ? Have you tried upgrading your modem with the firmware I sent above ?
+CGMR: LE20B03SIM7600M22
I have tried the firmware, @MisterRoy, but can't seem to get past the sierra issue. Note all drivers are in place when it goes to download mode, where you need to add the other two drivers.
My board, a T-SIM7600G-H B03, just doesn't want to upgrade to B04.
2023-06-07 14:13:55: Waiting switch To Download Mode...
2023-06-07 14:13:59: Connecting Sahara Server COM15 1 times....
2023-06-07 14:14:04: saharaHandle=0x07c4, Version:0
2023-06-07 14:14:07: Connecting Sahara Server COM15 2 times....
2023-06-07 14:14:12: saharaHandle=0x07f8, Version:0
2023-06-07 14:14:14: Connecting Sahara Server COM15 3 times....
2023-06-07 14:14:19: saharaHandle=0x07f8, Version:0
2023-06-07 14:14:22: Connecting Sahara Server COM15 4 times....
2023-06-07 14:14:27: saharaHandle=0x07d4, Version:0
2023-06-07 14:14:29: Connecting Sahara Server COM15 5 times...
LE20B04V03SIM7600M22 (https://drive.google.com/file/d/19wsgsu86b5nOKYwRir4Ae2xF-eBuU8ch/view?usp=sharing) Mine has the ESP32 and SIM7600 on the one board.
Did some further testing....
Cipher Block Chaining: TLS_RSA_WITH_AES_128_CBC_SHA
In 2013, researchers demonstrated a timing attack against several TLS implementations using the CBC encryption algorithm (see isg.rhul.ac.uk). Additionally, the CBC mode is vulnerable to plain-text attacks in TLS 1.0, SSL 3.0 and lower. A fix has been introduced with TLS 1.2 in form of the GCM mode which is not vulnerable to the BEAST attack. GCM should be preferred over CBC.
Lilygo T-SIM7600G-H supports the following ciphersuites, so as per the detail above you will not use the 0X002F option.
<ciphersuites> Numeric type, SSL ciphersuites
0X002F TLS_RSA_WITH_AES_128_CBC_SHA
0XFFFF Support all
@lewisxhe what ciphersuites does support all 0XFFFF support please?
AWS appears to work because you can choose your ciphersuites and TLS version see https://docs.aws.amazon.com/iot/latest/developerguide/transport-security.html#tls-policy-table, here you see what certs are allowed
AWS does not use SNI or user/password.
Steps for AWS
AT+CSSLCFG="sslversion",0,4
AT+CSSLCFG="authmode",0,2
AT+CSSLCFG="ignorelocaltime",0,1
AT+CSSLCFG="cacert",0,"cacert.pem"
AT+CSSLCFG="clientcert",0,"clientcert.pem"
AT+CSSLCFG="clientkey",0,"clientkey.pem"
Downloading a cert to Lilygo T-SIM7600G-H via AT+CCERTDOWN doesn't work for me so I used the following commands to get the certs to the module
AT+CFTPSGETFILE="cacert.pem",4
AT+CFTPSGETFILE="clientcert.pem",4
AT+CFTPSGETFILE="clientkey.pem",4
Downloaded Docker Desktop and ran up emqx, added the Let's Encrypt cert and have the same MQTT connect error of 0, 32.
docker pull emqx/emqx:5.1.0
So in summary it appears that the Lilygo T-SIM7600G-H B03 M22 firmware doesn't support the later ciphersuites required to connect to most if not all MQTT brokers (excluding AWS IOT), e.g. HiveMQ or EMQX, unless on the insecure port of 1883.
EMQX https://cloud-intl.emqx.com support TLS 1.2/1.3 HiveMQ https://console.hivemq.cloud support TLS 1.2/1.3
SNI also plays a part in the TLS handshake not creating a connection.
@MisterRoy for some reason I cannot update the firmware on the Lilygo T-SIM7600G-H board, so this doesn't look to be an option.
@lewisxhe really need Lilygo to address this issue please.
For anyone who is stuck on MQTT 1883 and wants 8883, see this fork. It would be better if the T-Sim7600 had firmware that accommodated later certs and ciphersuites.
Copy TinyGsmClientSIM7600.h and TinyGsmClient.h
Call TinyGsmClientSecure client(modem); remark out TinyGsmClient client(modem);
//TinyGsmClient client(modem);
TinyGsmClientSecure client(modem);
PubSubClient mqtt(client);
Change port 1883 to 8883
Revise TinyGsmClientSIM7600.h line 627 as its SSL wrapper
if (_ssl) {
sendAT(GF("+CSSLCFG=\"sslversion\",0,4"));
waitResponse();
sendAT(GF("+CSSLCFG=\"authmode\",0,0"));
waitResponse();
sendAT(GF("+CSSLCFG=\"ignorelocaltime\",0,1"));
waitResponse();
sendAT(GF("+CSSLCFG=\"negotiatetime\",0,25"));
waitResponse();
sendAT(GF("+CSSLCFG="), "\"cacert\",0,\"", certificates[mux].c_str(), "\"");
//sendAT(GF("+CSSLCFG=\"cacert\",0,\"isrgrootx1.pem\""));
waitResponse();
// sendAT(GF("+CSSLCFG=\"clientcert\",0,\"cert.pem\""));
// waitResponse();
// sendAT(GF("+CSSLCFG=\"clientkey\",0,\"key_cert.pem\""));
// waitResponse();
sendAT(GF("+CCHSET=1,1"));
waitResponse();
sendAT(GF("+CCHSTART"));
waitResponse();
sendAT(GF("+CCHSSLCFG=0,0"));
waitResponse();
}
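Added example, not part of the thread or the fork: a checker for the `AT+CSSLCFG?` dumps posted throughout this issue, which reports when the SSL context used for MQTT does not verify the broker, as with the `authmode",0,0` setting in the wrapper above. The field order is inferred from the dumps in this thread; the meaning of authmode (0 and 3 skip server authentication) and of ignorelocaltime follows my reading of SIMCom's AT manual and is an assumption here, and the sample log is constructed from lines of the same shape.

```python
import csv
import re

# Field order inferred from the +CSSLCFG dumps in this thread (assumption);
# the tenth field's purpose is not shown on the page.
FIELDS = ("ctx", "sslversion", "authmode", "ignorelocaltime", "negotiatetime",
          "cacert", "clientcert", "clientkey", "enableSNI", "unknown",
          "ciphersuites")

MESSAGES = {
    "NO_SERVER_AUTH": "broker certificate is not verified",
    "NO_CACERT": "server authentication requested but no CA file is set",
    "NO_VALIDITY_CHECK": "certificate validity dates are not checked",
    "NO_SNI": "SNI is off; brokers that select certificates by name may fail",
}

_LINE = re.compile(r"\+CSSLCFG: (\d.*)$")

# Constructed sample in the format of the serial logs above, including one
# line cut short the way the thread's dumps are.
SAMPLE_LOG = """\
12:17:27.974 -> +CSSLCFG: 0,4,0,1,300,"","","",0,"",0x0
12:17:28.021 -> +CSSLCFG: 1,4,0,1,300,"","","",0,"",0x0
12:27:40.021 -> +CSSLCFG: 0,4,1,1,300,"emqxsl-ca.pem","","",1,"",0xFFFF
12:27:40.256 -> +CSSLCFG: 6,4,0,1,300,"","",0x
18:06:38.664 -> +CSSLCFG: 0,4,2,1,300,"cacert.pem","clientcert.pem","clientkey.pem",0,"",0xFFFF
"""


def parse_csslcfg(log: str) -> list:
    """Return one dict per complete +CSSLCFG line; truncated lines are skipped."""
    rows = []
    for line in log.splitlines():
        match = _LINE.search(line)
        if not match:
            continue
        values = next(csv.reader([match.group(1)]))
        if len(values) == len(FIELDS):
            rows.append(dict(zip(FIELDS, values)))
    return rows


def audit(row: dict) -> list:
    """Return finding codes for one SSL context."""
    findings = []
    if row["authmode"] in ("0", "3"):
        findings.append("NO_SERVER_AUTH")
    elif not row["cacert"]:
        findings.append("NO_CACERT")
    if row["ignorelocaltime"] == "1":
        findings.append("NO_VALIDITY_CHECK")
    if row["enableSNI"] == "0":
        findings.append("NO_SNI")
    return findings


def audit_log(log: str, ctx: str = "0") -> list:
    """Audit every dump of the context bound with AT+CMQTTSSLCFG=<client>,<ctx>."""
    return [audit(row) for row in parse_csslcfg(log) if row["ctx"] == ctx]


if __name__ == "__main__":
    for number, codes in enumerate(audit_log(SAMPLE_LOG), 1):
        for code in codes:
            print(f"dump {number}: {code}: {MESSAGES[code]}")
```
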
Please provide some example code using the Tiny_GSM library to connect to a cloud MQTT broker on 8883.
Example in the library will not connect to a private xxxxx.s1.eu.hivemq.cloud 8883 but connects to broker.hivemq.com 1883 without issue.