Elektor Chip E-Lock Reference Project [130499/130280]

Here are some goodies (source code, tools and documentation) to play with the Elektor E-lock* Secure Server Board (130280).

Here are some goodies (source code, tools and documentation) to play with the Elektor E-lock* Secure Server Board (130280).

Connect the Secure Server Board (SSB) to the same network as your test computer.
Run ISLRaw.exe to find the SSB. Once found, you can attribute it an IP address.
You will be asked to load the server certificates. Make sure you have (created) valid ones. See the documents below for details on how to create certificates.
Run ISLElektor.exe to connect to the SSB and play with it. You must enter the IP you setup before and port number 2013. Then clic connect. Connecting can take up to 20 seconds.

*) Buy the E-lock in the Elektor shop: http://www.elektor.com/130280-91

A Microsoft Visual C++ 2010 Express project is attached below to show how to communicate with the server. It is a command line utility that takes the server IP address and the port number (2013) as parameters. When the certificate and key files are valid it will connect to the server, switch the relays on, wait one second, switch the relays and disconnect. You can use this project as a starting point for your own applications.

The server commands are detailed in the attached documents.

The project includes parts of the open source library cyassl (http://www.yassl.com/). This is a secure wrapper for standard socket functions like read, write, send and recv (cyassl_read, cyassl_write, etc.). You have to feed it the certificates before you can connect to a secure server. It is not necessary to compile cyassl first, it is all one big project.

If you prefer you can create a library for cyassl and use it for instance with Mingw or on Linux or Mac. Many different platforms are supported. See also the remarks on compiling cyassl below.

Pitfalls

Certificates expire. If you can ping the server but you cannot connect to it while its LED blinks at the normal unconnect rate of about 2 Hz, it may be that your certificates have expired. Create new certificates to solve this.
Restore factory settings erase main application. If you boot the board with JP3 in place, the server will revert to its factory settings. This may/will also erase its main application, making it impossible to connect to the server afterwards. If this is the case the LED will blink fast (>2 Hz). The solution is to set the server's IP address using ISLRaw, then reboot the server without JP3, set again the server's IP address using ISLRaw, then use ISLElektor to upload the (new) firmware to the server (this takes about a minute). After setting once more the server's IP address with ISLRaw you can upload the certificates and finally connect again to the server.
CYASSL is needed. To build a project for communicating with the server you need an SSL library. We have used the Open Source library CYASSL 2.8.0. Download it from www.yassl.com. Try to see if you can compile the library without errors for your platform.
Once the library compiles successfully, add the following code fragment to the top of the file "settings.h" (in the folder "cyassl-2.8.0\cyassl\ctaocrypt\"):

#define WIN_SOCLUTIONS

#ifdef WIN_SOCLUTIONS

#define NO_CYASSL_SERVER

#define USE_WINDOWS_API

#define NO_DES

#define NO_DES3

#define NO_DSA

#define NO_MD4

#define NO_RC4

#define NO_RABBIT

#define NO_HC128

#define NO_PSK

#define CYASSL_SHA512

#define CYASSL_SHA384

#define HAVE_AESGCM

#define GCM_TABLE

#endif

Replace line 3166 of the file cyassl-2.8.0\src\internal.c with this

//WIN_SOCLUTIONS is a TLS client and does not verify Certificate signature

#ifndef WIN_SOCLUTIONS

ret = ParseCertRelative(&dCert, CERT_TYPE, !ssl->options.verifyNone,

ssl->ctx->cm);

#else

ret = ParseCertRelative(&dCert, CERT_TYPE, ssl->options.verifyNone,

ssl->ctx->cm);

#endif

Replace line 2032 of the file cyassl-2.8.0\src\ssl.c with this

//WIN_SOCLUTIONS is a TLS client and does not verify Certificate signature

#ifdef WIN_SOCLUTIONS

ret = ParseCertRelative(&cert, CERT_TYPE, NO_VERIFY, cm);

#else

ret = ParseCertRelative(&cert, CERT_TYPE, 1, cm);

#endif

Recompile the CYASSL library. If you now see errors or multiple definitions, your compiler project or makefile probably defines some symbols that you don't want. You or your makefile must not define OPENSSL_EXTRA. Compilation may produce some type cast warnings but no errors.

If you experience problems with cyassl refer to the manual (http://www.yassl.com/yaSSL/Docs-cyassl-manual-toc.html).

It may be useful to make cyassl verbose so it will output debug messages. To do so, build the library with the constant DEBUG_CYASSL defined _AND_ by calling CyaSSL_Debugging_ON() somewhere at the beginning of your program.

The attached archive "130499-cyassl-as-library.ZIP" contains a project showing how to use cyassl as a library in your own project.

The attached file "bpl.zip" contains the BPL and DLL files that are needed to run the precompiled tools. They are now also included in the file "ISLElektor050314.zip" below.

Project Elements

EN2014040081.pdf (PDF)

Elektor article April 2014 (E-Lock)

130499-11-V06032014-elock.zip (ZIP)

Microsoft Visual C++ 2010 Express Project

ISLElektor050314.zip (ZIP)

Precompiled tools, documentation and firmware

130499-cyassl-as-library.ZIP (ZIP)

Microsoft Visual C++ 2010 Express Project using CYASSL as a library

bpl.zip (ZIP)

BPL & DLL files needed for the precompiled tools

Discussion (11 comments)

Yoyod 10 years ago

Hi,

In order to use the E-Lock card, I've started to develop an API for Python 3.4.1

It is a very simple API, that can open & close a connexion with the ELock, set the relays state, set temperature config and get temperature value.

In order to get the connexion you will need 3 files (instead of 2 with ISLElektor.exe) :

./ISLclient-cert.pem : Client certificate
./ISLclient-key.pem : Client key
./cacert.pem : CA Certificate

The Libary implement two classes :

PyELockMsg : A class taht can encode or decode a message to or from the E-Lock card
PyELock : A class that handle the connexion aand some basic function (like set relay state, get temperature etc...)

At the end of the source code, you will find some test of the two classes

14/04/2015 : Now the source code is also available in a GitHub repository : https://github.com/yoann-darche/PyELockAPI. Please fill free to update or enhance.

Enjoy it !

Yoann

PyELockLib.zip (4kb)

ClemensValens 10 years ago

Hi Yoann, Thank you very much for your contributions to this project! I am sure that you are a great help to other users. Regards, Clemens

1 Attachment(s) 1 Comment(s)

Yoyod 10 years ago

As I've encounter several issue while trying to configure the E Lock card, I've created this document, discribebing all steps (from generating keys to connect to the card).

I hope that will help you.

Config Elock - Detailled steps.pdf (649kb)

1 Attachment(s) 0 Comment(s)

Yoyod 10 years ago

Hi all,

I've an issue, that seem easy to solve, but after many try, and read I can not find the solution. Maybe could you help me....

So I've 2 Elock cards, and I've followed the documentation to generate Keys and Certificates.

I've used the ISLRaw software (on Win7 x64, only one Inet active, no bluetouth). I've successfully set the IP adress, gateway, certficates and key.

When I try to connect to the device with ISLElektor I got the status 'Error' after few seconds.

I can ping the device.

After lot reading I've try to reset the firmware, I've successfully done it, with all expected step sate described.

But I can't connect in normal mode using ISLElektor (same status : Error).

I've decided to use second ELock, and test with the demo certificates from the Zip file from Elektor, I run into the same situation....

What am I missing ! Any Idea ?

Thanks,

Yoann

I've try on the

ed010 10 years ago

IDear Yoann, I had the same problem, created new certificates and still the error when connecting. After changing the NTP server to ntp1.nl.net (holland) it works fine. k.rgds. Edwin

Yoyod 10 years ago

I've successfully configure it, as it was not evident for me, I post here a document that describes all my step. May that will help you. Yoann

Yoyod 10 years ago

Hi, I've not meet any issue regarding the generation of the Server and Client key, cert. But when I try to run the client software, I can't connect, nor to select the keys and certificates from the ISLElektor, should I copy my key and certificate somewhere precisely to be read by ISLElektor program with a specific name ? I've stored all key, certificate in the subdirectory named "certs". Yoann

HaSch 10 years ago

The demo certificates are expired you have to create new ones. I tried hard but can't create client certificates (see my post "Can't generate certificates"). Creating client certificates in the same way as the server certificates (Network Configuration Getting Started, step 2.4 with "ISLclient-req.pem" and "ISLclient-key.pem" and step 2.5 with "ISLclient-cert.pem" and "ISLclient-req.pem") ends with an error: failed to update database TXT_DB error number 2 What does this error message mean? Created client certificate and client key doesn't work but ISLserver-cert.pem and ISLserver-key.pem are accepted using ISL software. So, I copied ISLserver-cert.pem to ISLclient-cert.pem and ISLserver-key.pem to ISLclient-key.pem. Is it a security risk if the client certificates are the same as the server certificates? Why is listed in the documentation that the certificates must be produced separately if they can be simply copied? Hans

4 Comment(s)

DE170001 10 years ago

Where can i download the firmware to e-lock "ISLSecFile.S19" ?

HaSch 10 years ago

Just here (see above): http://www.elektor-labs.com/sites/default/files/ISLElektor050314_0.zip

1 Comment(s)

ddartois 10 years ago

I run ISLraw and see the MAC address of my e-lock board. Clicking 'Set remote IP' has no effect. Any clue?

Regards.

Dominique.

islraw.png (19kb)

ClemensValens 10 years ago

Well done! There may be some obscure network thing (protocol or something) sitting in the way on your workstation. Maybe you can find it if you compare closely the two PCs? Regards, Clemens

ddartois 10 years ago

Hi Clemens. It works! I eventually set an IP address (and certicate, DNS...) from another PC. I used a laptop running Win7, same OS as my workstation. I don't know why it's OK on my laptop with a lot of interfaces I had to disable. My workstation has just one Ethernet card. IMHO the first configuration of the card is really difficult, unreliable. Right now I'am gonna play with cyassl. See you later ;-) Regards, Dominique

ddartois 10 years ago

Hi Clemens. I'm using Win7 SP1 64b. I have read this document. I have disabled 3 Virtual Interfaces (WMWare). I'have just one physical NVIDIA Ethernet interface, no bluetooth nor WiFi... I have Microsoft interfaces with status diconnected (I don't know exactly what they are for ) : Card Tunnel isatap.{7ECB8607-9F4C-47FC-9729-3151B07C7F4A} Card Tunnel isatap.lan Card Tunnel isatap.{059318B4-B848-4F28-B064-43984024AC5E} Certificate must have expired (so I have prepared a brand new one). I have stopped Norton firewall and antivirus. I executed ISLraw with admin rights. Thanks. Regards, Dominique

ClemensValens 10 years ago

Hi Dominique, Did you read this thread? http://www.elektor-labs.com/contribution/islraw-and-islelektor.14142.html At the end the conclusion is that you must disable all network interfaces which may include Bluetooth for ISLRaw to work properly. Which OS are you on? Regards, Clemens

1 Attachment(s) 4 Comment(s)

HaSch 10 years ago

Hi,

I followed the guide 'network-configuration' to create new certificates and keys. 2.1 to 2.4 worked well but I stayed at 2.5 'Generating the Certificate'.

If I run the command:

openssl ca -config /etc/ssl/openssl.cnf -out ISLserver-cert.pem -infiles /etc/ssl/demoCA/ISLserver-req.pem

I always get the following error message:

Using configuration from /etc/ssl/openssl.cnf

Error opening CA private key ./demoCA/private/cakey.pem

3069232336:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./demoCA/private/cakey.pem','r')

3069232336:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:

unable to load CA private key

What's going wrong?

Hans

HaSch 10 years ago

Any suggestions? Generating client certificates in the same way as the server certificates (Network Configuration Getting Started, step 2.4 with "ISLclient-req.pem" and "ISLclient-key.pem" and step 2.5 with "ISLclient-cert.pem" and "ISLclient-req.pem") ends with an error: failed to update database TXT_DB error number 2 What does this error message mean? Generated client certificate and client key doesn't work but ISLserver-cert.pem and ISLserver-key.pem are accepted using ISL software. So, I copied ISLserver-cert.pem to ISLclient-cert.pem and ISLserver-key.pem to ISLclient-key.pem and Is it a security risk if the client certificates are the same as the server certificates? Why is listed in the documentation that the certificates must be produced separately if they can be simply copied? Hans

HaSch 10 years ago

wrong order see posting below

HaSch 10 years ago

Thanks, ddartois and Clemens. I recognized the typo before and corrected it. Now, with "cd .." all works fine. Regards, Hans Edit: OK, now I get another error: Generating client certificates in the same way as the server certificates (step 2.4 with "ISLclient-req.pem" and "ISLclient-key.pem" and step 2.5 with "ISLclient-cert.pem" and "ISLclient-req.pem") the certificate and key are generated but ending with an error: failed to update database TXT_DB error number 2 Thus, server and client certificates and key are accepted using ISL software, but an connecting error occurs. What's that? I tried ISLserver-cert.pem and ISLserver-key.pem instead of ISLclient-cert.pem and ISLclient-key.pem. That works! Hans

ClemensValens 10 years ago

You are right ddartois. I was just reproducing the OP's problem when your post came in. There is a typo in the document network-configuration.pdf: - page 7, line 6: "-config /etc/ssl/openssl.conf" must be "-config /etc/ssl/openssl.cnf" Before executing the command at the top of page 8, first do a "cd ..", then everything works fine. Regards, Clemens

ddartois 10 years ago

I think you are in the demoCA folder when you run the command "openssl ca -config..." . Go to the parent dir ("cd ..") and run the commande again.

HaSch 10 years ago

Ok, here we go: I'm in /etc/ssl/demoCA: root@RPiFIVE:~# cd /etc/ssl/demoCA root@RPiFIVE:/etc/ssl/demoCA# openssl ca -config /etc/ssl/openssl.cnf -out ISLserver-cert.pem -infiles /etc/ssl/demoCA/ISLserver-req.pem Using configuration from /etc/ssl/openssl.cnf Error opening CA private key ./demoCA/private/cakey.pem 3070080208:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./demoCA/private/cakey.pem','r') 3070080208:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load CA private key Here is the content of file /etc/ssl/openssl.cnf: # # OpenSSL example configuration file. # This is mostly being used for generation of certificate requests. # # This definition stops the following lines choking if HOME isn't # defined. HOME = . RANDFILE = $ENV::HOME/.rnd # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use: # extensions = # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) [ new_oids ] # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. # Add a simple OID like this: # testoid1=1.2.3.4 # Or use config file substitution like this: # testoid2=${testoid1}.5.6 # Policies used by the TSA examples. tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 #################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = ./demoCA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options # Extension copying option: use with caution. # copy_extensions = copy # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crlnumber must also be commented out to leave a V1 CRL. # crl_extensions = crl_ext default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = default # use public key default MD preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_match # For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ req ] default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret # output_password = secret # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString (PKIX recommendation before 2004) # utf8only: only UTF8Strings (PKIX recommendation after 2004). # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. string_mask = utf8only # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = AU countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Some-State localityName = Locality Name (eg, city) 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Internet Widgits Pty Ltd # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 # SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [ usr_cert ] # These extensions are added when 'ca' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: # nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # An alternative to produce certificates that aren't # deprecated according to PKIX. # subjectAltName=email:move # Copy subject details # issuerAltName=issuer:copy #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName # This is required for TSA certificates. # extendedKeyUsage = critical,timeStamping [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer # This is what PKIX recommends but some broken software chokes on critical # extensions. #basicConstraints = critical,CA:true # So we do this instead. basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. # keyUsage = cRLSign, keyCertSign # Some might want this also # nsCertType = sslCA, emailCA # Include email address in subject alt name: another PKIX recommendation # subjectAltName=email:copy # Copy issuer details # issuerAltName=issuer:copy # DER hex encoding of an extension: beware experts only! # obj=DER:02:03 # Where 'obj' is a standard or added object # You can even override a supported extension: # basicConstraints= critical, DER:30:03:01:01:FF [ crl_ext ] # CRL extensions. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always [ proxy_cert_ext ] # These extensions should be added when creating a proxy certificate # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: # nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # An alternative to produce certificates that aren't # deprecated according to PKIX. # subjectAltName=email:move # Copy subject details # issuerAltName=issuer:copy #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName # This really needs to be in place for it to be a proxy certificate. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo #################################################################### [ tsa ] default_tsa = tsa_config1 # the default TSA section [ tsa_config1 ] # These are used by the TSA reply generation only. dir = ./demoCA # TSA root directory serial = $dir/tsaserial # The current serial number (mandatory) crypto_device = builtin # OpenSSL engine to use for signing signer_cert = $dir/tsacert.pem # The TSA signing certificate # (optional) certs = $dir/cacert.pem # Certificate chain to include in reply # (optional) signer_key = $dir/private/tsakey.pem # The TSA private key (optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) digests = md5, sha1 # Acceptable message digests (mandatory) accuracy = secs:1, millisecs:500, microsecs:100 # (optional) clock_precision_digits = 0 # number of digits after dot. (optional) ordering = yes # Is ordering defined for timestamps? # (optional, default: no) tsa_name = yes # Must the TSA name be included in the reply? # (optional, default: no) ess_cert_id_chain = no # Must the ESS cert id chain be included? # (optional, default: no)

ClemensValens 10 years ago

To me it looks like a path or rights problem. Are the paths correct? Are you calling openssl from the right folder? Maybe there is a typo somewhere that you can correct by making the paths more explicit? Add the etc/ssl part? Please post the contents of your file /etc/ssl/openssl.cnf Provide as much info as possible. Regards, Clemens

HaSch 10 years ago

Hello Clemens, all steps before worked fine! ./demoCA/private/cakey.pem exists and has the rights 644. Regards, Hans

ClemensValens 10 years ago

Hello HaSch, How did step 2.3 go? The error message shows that the file cakey.pem cannot be found. This file is produced in step 2.3 according to the end of page 6. Regards, Clemens

9 Comment(s)

intelligentsoc 10 years ago

Hi to all of you.

The e-Lock-board is delivered with ready to use firmware. You only need to assign an IP address and to install certificates.

If you run into trouble, you can reset the firmware following the steps below:

¡¡¡ ATTENTION !!!

This procedure will reset the board and it could become unusable. Use it AT YOUR OWN RISK..

Before you begin, you will need:

An encrypted .S19 file with the firmware (as included in the download: 'ISLSecFile.S19').
To have ALL network interfaces unavailable except the one you will use to connect with the board.
To have stopped (disconnected) ALL antivirus, firewall, anti-malware and any other software that could affect the IP connection.
To have the RJ-45 cable disconnected.

NOTE: On the e-Lock board jumper JP3's pin 1 is marked with a little white dot near X2 oscillator's upper right corner - when you can read elektor chip in front of you and the RJ-45 connector is of the right side.

Once done, follow these steps:

First, we erase all software & IP config.

Disconnect the board from power.
Connect pins 1-2 on jumper JP3.
Power the board. Wait three or four seconds.
Disconnect pins 1-2 on jumper JP3.
Disconnect the board from power.
Connect pins 2-3 on jumper JP3.
Power the board. Wait three or four secconds
Disconnect pins 2-3 on jumper JP3.
Disconnect the board from power.
Connect the RJ-45 cable.
Power the board. --> The light is on and not blinking. Now, the chip is empty. We can begin to upload the firmware.
Execute ISLRaw with Admin rights. Be sure the IP address belongs to the network the e-Lock board is connected to.
Wait some seconds for the IP connection to settle down.
Click on 'Scan MAC' button.
The e-Lock MAC address would appear in the device list as 'ISLBoot' and 'not configured'.
Re-check the IP address, select the device to be configured and click 'Set remote IP' --> The board's light must be blinking fast.
Close ISLRaw.
Execute ISLElektor.
Enter the IP fixed on step 16)
Click 'Connect' button --> After few seconds, 'port' would be '2012' and there would be a blue tag saying 'connected'. The board's light is blinking fast.
Click 'New firmware' button.
In the File Open dialog, select the encrypted .S19 file --> The tag turns yellow and should say 'Transfer...'
Once the transfer ends, the connection is reset and ISLElektor app is closed automatically
The firmware is loaded now, and the board is in the 'factory state'. From now on, the board is as you received it first time.
Run again ISLRaw as admin (remember to have antivirus, firewalls, anti-malware, etc, disconnected).
After several seconds, click 'Scan MAC'. Again, the board's MAC addres would be detected (if this fails, wait some more for the IP connection to become established).
Select device and click 'Set remote IP'.
A new dialog asking for certificates must open.
Proceed as indicated in 1.3 of Network Configuration manual. DON'T FORGET to test the DNS and the Gateway IP address. Both must be valid IPs in your network. If not, ISLElektor will not be able to check certificate.

Hope this help you.

0 Comment(s)

sclaes 10 years ago

Is this a windows only project?

Regards,

Stefaan Claes

ClemensValens 10 years ago

Hello Stefaan, The e-lock has its own operating system inside and is therefore independent of Windows, Linux, OSX or whatever. To talk to the e-lock you must do some network programming on the platform of your preference. The example projects provided are for Windows but can be easily ported to another platform. The library cyassl is platform independent, just follow the build instructions on the cyassl website (http://www.yassl.com/yaSSL/Docs-cyassl-manual-2-building-cyassl.html).

1 Comment(s)

morris51 10 years ago

Hi I have successfuly installed e-lock hardware on my local wifi system, and every thing seems to work ok. However I configured the temperature scan time to scan every 5s , but I get a reading with the get temperature button , The 5s sampleing time does not update automatically,,,,,any suggestions why???

morris51 10 years ago

Thanks your reply makes sense, my system appears to be working fine......bye for now

intelligentsoc 10 years ago

Perhaps you're talking about display temp. automatically every five seconds? If so, remember that ISLElector is only a demo program. When you set up the sample rate it is sent to board to configure the chip, but IT IS NOT set up the display interval. The chip will read the temp. sensor at intervals of n seconds (depending on configuration), but it is the application who must display it, so the display interval is up to the programmer.

intelligentsoc 10 years ago

Hi morris51. Our tests worked fine and temperature is scan automatically every several seconds. You can do a "manual" test: if you touch the temp. sensor, you would see change the data. Can you give us more detailed info?

3 Comment(s)

intelligentsoc 10 years ago

Hi.
I'll try to do my best to explain the e-Lock's start up process.

When you receive the board, it has the firmware loaded, so it is necessary only to setup an IP address and to load certificates in order to have it fully functional.

IMPORTANT!!!! Please, take into account that some firewalls / antivirus can disturb ISLRaw connection, so it's very important to have those disabled when connet e-Lock with ISLRaw.

When you connect e-Lock board for the first time, the red light is fixed to indicate it needs an IP and certificates.

1 - Run ISLRaw.exe WITH ADMINISTRATOR RIGHTS.
2 - Click 'Scan MAC' button. It would appear the MAC address of e-Lock boards connected.
3 - Select the MAC with IP 'not configured'
4 - Set the IP you want to assign e-Lock and click 'Set Remote IP' button. It must appear a new screen to load certificates
5 - Select admin certificate, key and CA certificate as correspond.
6 - Adjust the other settings. You can leave SNTP server and DNS Address by default. Pay attention to Gateway address. It must be the gateway of your network.
7 - Click 'Send' button.
8 - A window indicating succesfull config is shown.

At this point, e-Lock is configured with IP and certificate so it is ready to work as expected.

IT IS VERY IMPORTANT that ISLElektor has Internet connection since it needs to validate certificate's date. In order to avoid security risk, this validation is made against Internet Time Servers.

To TEST the e-Lock functionalities, ISLElektor application was included.

Once you enter your e-Lock IP address and click 'Connect' button FIRST time, it is necessary to load client certificate to validate connection against e-Lock. You can use the demo certificates included or generate your own ones as indicated in docs.

Once client certificate has benn validated, the blue 'Connected' string is shown.

Now, you can test e-Lock functionality.

Thank you.

0 Comment(s)

dyer.p@btinternet.com 10 years ago

Please note I am using Windows 8.1.

I have managed to set the ip address on the E-Lock board. However this required the downloading of several Borland files.

Could you please provide a link to the files you used to compile the program.

I can now ping the board.

However when I try to connect using ISLElektor, after downloading several more files, it fails. In particular the new window to select the Client Certificate key does not appear. I have tried the program in XP compatibility mode but that doesn't help. I'd like to start by trying to get the correct version of the Borland files.

I'd be grateful for some help with this.

Regards

Peter

apple 10 years ago

Elektor replaced the board with above problems, no further problems.

intelligentsoc 10 years ago

Shortly (because space is very narrow :-) ). In order to ISLRaw works properly, it is necessary to disable ALL NETWORK INTERFACES (please, read our last comment "How to Reinstall Firmware") except the one the board is connectred to. This can be the issue with Bluetooth. I'll try try your other issues and come back with answers.

apple 10 years ago

Hi, took some time to organize a W7 PC. Results are similar, but in this case (with board 1) I can connect (it connects within 2 secs), than after clicking on firmware reload, I get a prompt to specify the file (ISLSecFile.S19), message becomes 'Transferring', that seems to crash after about 10 secs (window disappears). The IP address of the card appears to have changed after the transfer attempt; I cannot ping the address after the transfer attempt, ISLraw does not find the board, and I need to reset the board with the jumber to get the IP address changed with ISLraw. No prompts for certificates, etc. Interesting detail: as product it shows: ISLBoot -%2TL-WR104 (instead of ISLBoot). Board 1 worked ok on W8, until I had to change the board IP address, but took the wrong jumper setting and erased the firmware. After that, the board behavior has been erratic. When testing with the W7 PC, I noticed that RDP did not work from W8 to W7 PC. I removed Bluetooth sw from the W8 PC and that sorted the RDP problem. I tested board1 again, no change. Board 2 and 3 started working again after I removed Bluetooth software from the W8 PC. I got prompts to specify the required certificates, and both boards are working ok now. So, 1 board still having problems, and no way to get that one started. Thanks, Leen

intelligentsoc 10 years ago

Hi. Did you follow the steps on the comment "Getting started with e-Lock software"? Can you test it with w7? "Getting started..." was tested with w7 64b

apple 10 years ago

Hallo Clemens, I seem to have same problems as described by PD. Also using W8 64b. I bought 6 boards, tried 3 so far, all 3 have problems. First board: worked initially ok, but later on I had to update the IP address. I Took the wrong jumper setting (pin 1 not marked on the board...), used ISLraw to set the IP address but do not get anything after updating the address. It does not ask for certificates. Second board: did not connect at all. I have reset this board similar to first one above, with ISLraw I appear to be able to set the IP address, and there it stops. Third board: with ISLraw I set the IP address, I then got the prompts for the certificates, and that was it. I cannot connect, after 2 secs trying to connect, it shows: Error. I got 3 more boards, still in sealed boxes, and wonder whether I should try further ? Grateful for any advice! Thanks, Leen

ClemensValens 10 years ago

I suggest you send your board back to us and we will replace it. Normally you shouldn't have to reflash the board because it is already flashed in production. In case that our service people are being difficult, which I don't expect, send them to me. Regards, Clelmens

dyer.p@btinternet.com 10 years ago

Yes, no problem with steps 1-8. The problem is when I start ISLElector after step 8 it doesn't connect. I do wonder if my firmware writing is working properly. I had thought the firmware had to be deleted before writing the new firmware but that doesn't now seem to happen. However something is being written because steps 4-8 above work OK Regards Peter

ClemensValens 10 years ago

Hi Peter, Do you follow the recommendations from intelligentsoc's post? Regards, Clemens

dyer.p@btinternet.com 10 years ago

I have now been through the ISL Raw process several times and reloaded the firmware. However I am still unable to communicate after completing the ISL Raw process. One thing I have noticed is that when I write the firmware I do not get a warning notice as described in section 10 of the note. The open screen for the new firmware comes up immediately. However it appears to write OK as the correct screen comes up OK when I reopen ISLRaw and am able to enter the key cert etc. I would be grateful for any clue as to how I might proceed before I give up! many thanks Peter

intelligentsoc 10 years ago

Getting started with e-Lock software. Hi. I'll try to do my best to explain the e-Lock's start up process. When you receive the board, it has the firmware loaded, so it is necessary only to setup an IP address and to load certificates in order to have it fully functional. IMPORTANT!!!! Please, take into account that some firewalls / antivirus can disturb ISLRaw connection, so it's very important to have those disabled when connet e-Lock with ISLRaw. When you connect e-Lock board for the first time, the red light is fixed to indicate it needs an IP and certificates. 1 - Run ISLRaw.exe WITH ADMINISTRATOR RIGHTS. 2 - Click "Scan MAC" button. It would appear the MAC address of e-Lock boards connected. 3 - Select the MAC with IP "not configured" 4 - Set the IP you want to assign e-Lock and click "Set Remote IP" button. It must appear a new screen to load certificates 5 - Select admin certificate, key and CA certificate as correspond. 6 - Adjust the other settings. You can leave SNTP server and DNS Address by default. Pay attention to Gateway address. It must be the gateway of your network. 7 - Click "Send" button. 8 - A window indicating succesfull config is shown. At this point, e-Lock is configured with IP and certificate so it is ready to work as expected. IT IS VERY IMPORTANT that ISLElektor has Internet connection since it needs to validate certificate's date. In order to avoid security risk, this validation is made against Internet Time Servers. To TEST the e-Lock functionalities, ISLElektor application was included. Once you enter your e-Lock IP address and click "Connect" button FIRST time, it is necessary to load client certificate to validate connection against e-Lock. You can use the demo certificates included or generate your own ones as indicated in docs. Once client certificate has benn validated, the blue "Connected" string is shown. Now, you can test e-Lock functionality. Thank you.

dyer.p@btinternet.com 10 years ago

Well I seem to be able to reload the firmware although I usually have to try several times. I have to delete the firmware and the ip setting then run ISLraw. Reset the ip then load the firmware, which doesn't always work correctly, then run ISLRaw to set the security parameters. Then I can log in to ISLElektor and read the version no. However as soon as I try and write to the board it gives up. Its as if writing immediately corrupts the firmware. When I try an logion in again I get an immediate error. Regards Peter

ClemensValens 10 years ago

Hello pd, We are looking into this. Please keep us informed of any progress you are making. Regards, Clemens

dyer.p@btinternet.com 10 years ago

I should have said I'm using the 64 bit version of windows. Unfortunately although I am apparently able to connect on port 2013, connection status shows connected on a blue background I have not been able to get any of the buttons to work properly. The version is shown as 0.03. Regards Peter

dyer.p@btinternet.com 10 years ago

Well I did get there or almost there in the end. I generated new certificates but then had problems with ISLRaw. Unfortunately I tried to reset as per the notes on page 3 by using the jumper. Needless to say I guessed wrong for pin 1 and ended up deleting the firmware. However I was able to reload the firmware and when I tried again I was able to configure via ISLRaw and then connect with ISLElektor. I could read the version number so I presume I have a proper connection although I haven't been successful with the other functions so far. It just shows it pays to read the manual!! Oh and I am using windows 8.1 fully patched. Regards Peter

Peter Mul 10 years ago

Sorry to say, but I've also a problem with ISLElektor. The connection status is 2 seconds read 'Connecting' and then 'Error'. # I can ping the board and it responds. # Running the program in XP compatibility mode SP2 or SP3 does not help, neither does 'Run as Administrator' # With wireshark i can see the communication in both directions. OS Windows 7 64bit fully patched. Same problem on Windows Server 2008R2 - I know that one was not tested, but just as additional info. Hope somebody can give some info to solve thius problem. sc

ClemensValens 10 years ago

Hello Peter, You can download the Borland files from the main project page. These are the files we used. It has been tested on Windows 7 and XP. Regards, Clemens

16 Comment(s)

Elektor Chip E-Lock Reference Project [130499/130280]

Project Elements

Discussion (11 comments)

Yoyod 10 years ago

ClemensValens 10 years ago

Yoyod 10 years ago

Yoyod 10 years ago

ed010 10 years ago

Yoyod 10 years ago

Yoyod 10 years ago

HaSch 10 years ago

DE170001 10 years ago

HaSch 10 years ago

ddartois 10 years ago

ClemensValens 10 years ago

ddartois 10 years ago

ddartois 10 years ago

ClemensValens 10 years ago

HaSch 10 years ago

HaSch 10 years ago

HaSch 10 years ago

HaSch 10 years ago

ClemensValens 10 years ago

ddartois 10 years ago

HaSch 10 years ago

ClemensValens 10 years ago

HaSch 10 years ago

ClemensValens 10 years ago

intelligentsoc 10 years ago

sclaes 10 years ago

ClemensValens 10 years ago

morris51 10 years ago

morris51 10 years ago

intelligentsoc 10 years ago

intelligentsoc 10 years ago

intelligentsoc 10 years ago

dyer.p@btinternet.com 10 years ago

apple 10 years ago

intelligentsoc 10 years ago

apple 10 years ago

intelligentsoc 10 years ago

apple 10 years ago

ClemensValens 10 years ago

dyer.p@btinternet.com 10 years ago

ClemensValens 10 years ago

dyer.p@btinternet.com 10 years ago

intelligentsoc 10 years ago

dyer.p@btinternet.com 10 years ago

ClemensValens 10 years ago

dyer.p@btinternet.com 10 years ago

dyer.p@btinternet.com 10 years ago

Peter Mul 10 years ago

ClemensValens 10 years ago

Embed Code