Generating an APNs PEM push certificate

  1. In Certificates, Identifiers & Profiles, download the Apple Push Services certificate. This produces apns.cer; double-click the .cer file to import it on the Mac.

  2. Export two p12 files from the keychain, one for the certificate and one for the certificate's key, and set a strong password when prompted.

  3. Generate the PEM files from the command line

    cert:
    openssl pkcs12 -clcerts -nokeys -out apns_cert.pem -in apns_cert.p12
    key:
    openssl pkcs12 -nocerts -out apns_cert_key.pem -in apns_cert_key.p12

    This step prompts for the password of the original p12 file and then for a password for the newly generated file. Keep the two apart: the password of the generated file is the one the program needs later when you debug.

  4. Merge the two PEM files into one

    cat apns_cert.pem apns_cert_key.pem > ck.pem

  5. Verify
    Development certificate:
    openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns_cert.pem -key apns_cert_key.pem
    Production certificate:
    openssl s_client -connect gateway.push.apple.com:2195 -cert apns_cert.pem -key apns_cert_key.pem
    If verification succeeds, the output ends like this:

    SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DES-CBC3-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: xxx
    Start Time: 1627218051
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

    Verify return code: 0 (ok) means the certificate and key were accepted.

How to unlink Google Ads from a Google account

If you happen to be looking into AdMob, you may find that when you try to enable AdMob you are told an Ads account is linked and AdMob cannot be enabled.

So how do you detach Ads from the Google account:

  • Log in to Ads
  • Click "Tools & Settings" at the top, then "Account access and security". Here you can see the users who have access to this Google Ads account, including "You".
  • Click "Remove access" next to "You" to delete the Google Ads account completely.

esp32 header fields are too long issue

Error log

httpd_txrx: httpd_resp_send_err: 431 Request Header Fields Too Large - Header fields are too long for server to interpret

Fix

In menuconfig, raise the value of HTTPD_MAX_REQ_HDR_LEN:

menuconfig => Component config => HTTP Server => Max HTTP Request Header Length

The official README already covers this problem: \examples\protocols\http_server\simple\README.md

If the server log shows "httpd_parse: parse_block: request URI/header too long", especially when handling POST requests, then you probably need to increase HTTPD_MAX_REQ_HDR_LEN, which you can find in the project configuration menu (`idf.py menuconfig`): Component config -> HTTP Server -> Max HTTP Request Header Length

Walkthrough of the key parts of the esp32 console source code

Relevant source path: \examples\system\console\components\cmd_system

This framework is a ready-made skeleton of command words, arguments and callback functions. As long as we fill in the corresponding pieces according to its conventions, we get a complete console command.

Overall flow

    // Step 1:
    /* argument section setup */
    // Step 2:
    /* command struct configuration */
    // Step 3: insert the command struct into the command list
    ESP_ERROR_CHECK(esp_console_cmd_register(&cmd));

Step 1: the argument section

We take one example; the others follow the same pattern.

    int num_args                = 1;
    deep_sleep_args.wakeup_time = arg_int0("t", "time", "<t>", "Wake up time, ms");
    #if SOC_PM_SUPPORT_EXT_WAKEUP
    deep_sleep_args.wakeup_gpio_num = arg_int0(NULL, "io", "<n>", "If specified, wakeup using GPIO with given number");
    deep_sleep_args.wakeup_gpio_level = arg_int0(NULL, "io_level", "<0|1>", "GPIO level to trigger wakeup");
    num_args += 2;
    #endif
    deep_sleep_args.end = arg_end(num_args);

Fields

deep_sleep_args is a struct created by the user and designed according to actual needs. The example uses int arguments, so the struct is made up mainly of arg_int members; by analogy you can choose arg_rem, arg_lit, arg_dbl, arg_str and so on.

The last member of this struct is always end, which bounds the number of arguments.

Argument constructors

  • arg_int0: this field takes at most one argument, may be empty, type int.
  • arg_int1: this field is required (exactly one argument), type int.
  • arg_intn: and so on.

For other types there are analogous arg_xxx constructors.

Let's take the line above as a concrete example:

    arg_int0("t", "time", "<t>", "Wake up time, ms");

It has 4 members:

  • "t": short form of the argument
  • "time": long form of the argument
  • "<t>": placeholder describing the argument's type; t here stands for a time value
  • "Wake up time, ms": description of what the argument does

Step 2: the command struct

Source example:

    const esp_console_cmd_t cmd = {
        .command = "deep_sleep",
        .help =
            "Enter deep sleep mode. "
    #if SOC_PM_SUPPORT_EXT_WAKEUP
            "Two wakeup modes are supported: timer and GPIO. "
    #else
            "Timer wakeup mode is supported. "
    #endif
            "If no wakeup option is specified, will sleep indefinitely.",
        .hint     = NULL,
        .func     = &deep_sleep,
        .argtable = &deep_sleep_args
    };

command, help, hint, func and argtable are fixed fields defined by the system, meaning respectively:

  1. command: the command word
  2. help: help text
  3. hint: detailed argument description; when NULL, the system generates it
  4. func: the callback function
  5. argtable: the argument table

Step 3: writing your own command

From the above, designing our own command line means doing the following:

  1. Design the complete command.
  2. Split out the command word and the arguments, and work out each argument's type and count.
  3. Fill in the argument struct (deep_sleep_args here is only an example; use your own object).
  4. Fill in the esp_console_cmd_t cmd object.
  5. Implement the callback function; this is the main part of the work.
  6. Add cmd to the system command list.

With that, we have implemented our own command. It is quite simple: the real work is in getting the argument table and the callback exactly right.

ble-gatt-communication-flow-between-eps32-and-nordic

BLE GATT communication flow explained (based on esp32 and nordic)

I recently finished a feature where the esp32 automatically scans for the nordic device's advertised name and then communicates with the nordic UART server.

esp32: ble uart client, gatt_client
nordic: ble uart server (NUS), gatt_server

Key points

  • Watch the byte order when a UUID is represented as an array. I kept chasing the code at first and wasted a lot of time here.
  • To get the correct UUIDs, along with the number of characteristics and their properties, a third-party app such as LightBlue can be used.

Note: the interaction flow depends on the number of characteristics and their properties (how many chars there are, whether they are read-only or read/write, etc.); each combination corresponds to a different flow. The content below is written for the characteristics of the nordic NUS. If your own device differs, adapt accordingly rather than copying mechanically; what matters is understanding how GATT itself works.

nordic NUS service configuration

Note: ca9e is nordic's Bluetooth serial service, NUS, with two chars underneath. The RX UUID is 0002, with properties write and write without response; the TX UUID is 0003, with property notify.

Communication flow diagram

Notes

  • I originally wanted to describe the flow in more detail in words, but the diagram above already expresses it clearly, so there is no need; the diagram is more intuitive.
  • The flow above is the standard reference flow. During development it can be broken up and recombined according to the actual product requirements to build new flows.
  • The actual business-level data exchange happens in the esp_ble_gattc_write_char_descr step.
  • Because the whole flow is a chain where each step triggers the next, a wrong result during development means some step failed or was never triggered; check against the flow and code above.
  • The content above corresponds to the gattc_demo example, which can be downloaded and checked from the esp official site.

How to Secure ESP32 Firmware and Flash Memory on ESP-IDF Framework

ref:https://circuitdigest.com/article/how-to-secure-esp32-firmware-and-flash-memory-using-esp-idf-framework


In the era of the Internet of Things (IoT), wireless communication is becoming ever more common in everyday life. Among IoT devices, the ESP32 by Espressif Systems is a popular low-cost System on Chip (SoC) microcontroller with built-in Wi-Fi and Bluetooth. Its robust design and ultra-low power consumption have made it very popular in IoT applications. But with IoT applications, security comes to mind: data safety and secure connections. The ESP32 supports X.509 certificate-based mutual authentication for HTTPS, for IoT cloud authentication (AWS IoT, Azure, Google Firebase, etc.) and for data communication over the Internet. The ESP32 also protects data stored in flash memory and the boot sectors from being stolen. This article covers the ESP32 security features related to the boot sectors: the two main ones are called Secure Boot and flash security, also known as flash encryption.

What are the eFUSE blocks in ESP32?

The ESP32 has a 1024-bit One-Time-Programmable (OTP) memory block, divided into 4 blocks of 256 bits each.

These blocks store the keys for flash encryption and Secure Boot. Because they are OTP memory, no software can read those blocks out; only the ESP32 hardware itself can read them and validate the security features.

What is Flash Encryption? How to Enable it on ESP32?

ESP32 flash encryption is a security feature provided by Espressif's ESP-IDF to protect the flash memory. It encrypts the contents of the ESP32's SPI flash, and when the feature is enabled the following types of data are encrypted by default:

  • Firmware bootloader
  • Partition table
  • "app" type (application) partitions
  • Any partition marked with the "encrypted" flag in the partition table

In ESP-IDF projects, flash encryption can be enabled from the project configuration menu:

    idf.py menuconfig

After opening the project config menu, navigate to

“Security Features” -->
“Enable flash encryption on boot” -->
“Enable usage mode (Development(NOT SECURE))” / “Enable usage mode (Release)”

Flash encryption has two modes:

  • Development mode: all flash partitions are encrypted, but they remain open to modification, and the flash can still be read out over UART.
  • Release mode: recommended for the manufacturing and production stages. Readout of the flash over UART/JTAG is completely blocked, and new firmware can only be installed over-the-air (OTA).

When flash encryption is enabled, the binaries of the current build are flashed into the ESP32's memory as plaintext. After flashing completes, on the first boot the device itself encrypts each of the partitions listed above, one by one, using the AES flash-encryption key stored in eFUSE BLK1 at flash time. Once the partitions are encrypted, the ESP32 restarts and continues with the programmed logic.

The ESP32's flash access path decrypts the flash data transparently when the execution unit reads it, and encrypts data before it is written back to flash.

What is Secure-Boot? How to Enable it on ESP32?

ESP32 Secure Boot is a security feature that ensures only the correct application runs on the ESP32 hardware. When Secure Boot is enabled, every binary in flash [software bootloader & application firmware] is verified against the RSA-3072-based Secure Boot signature key before it is loaded. We can call Secure Boot the "Guardian of the ESP32".

Secure Boot is enabled from the project menuconfig in the same way as flash encryption:

“Security Features” -->
“Enable hardware Secure Boot in bootloader”

How does Secure Boot work?

When the ESP32 powers up, the hardware's trusted ROM (the 1st-stage bootloader) verifies the software bootloader with the RSA-3072-based Secure Boot key; the software bootloader then verifies the application firmware with the same signature key and starts the application.

Conclusion

The ESP32 comes with a secure environment [Secure Boot & flash encryption] that we need to enable when flashing the code. For more security, enable both.

centos change timezone

copy /usr/share/zoneinfo/xxx/xxx to /etc/localtime

Why:

Why does a program that is already running keep using the old time zone in its localtime calls after the zone has been changed? The glibc source answers this. localtime and the other functions that depend on the local time zone first call tzset, as the tzset man page shows. tzset's job is to read the current time zone information (from the TZ environment variable or from /etc/localtime) and cache it. Internally, tzset is implemented through a function called tzset_internal. An explicit call to tzset tells tzset_internal so explicitly, while a plain localtime call tells it implicitly: the former forces tzset to reload the TZ information or /etc/localtime unconditionally, whereas the latter reloads the time zone information only when TZ has changed or the name of the file to load has changed. So if only the contents of /etc/localtime changed while the file name "/etc/localtime" stayed the same, the zone information is not reloaded, and localtime keeps converting UTC to local time with the old zone.

Solution: call tzset before calling localtime, which forces the time zone information to be refreshed.
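As an added example (not from the original post), the fix in C: a helper that calls tzset() explicitly before localtime_r(), next to the variant that relies only on the implicit, cached lookup. It switches zones through POSIX TZ strings instead of replacing /etc/localtime, so it runs as an ordinary user; the sample timestamp is constructed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Convert t to the local hour in the zone named by tz_value (POSIX TZ syntax,
 * e.g. "UTC0", or "CST-8" for UTC+8), forcing the cached zone data to be
 * reloaded first. This is the pattern recommended above: tzset() before the
 * localtime call. Returns -1 on failure. */
int local_hour_with_tzset(const char *tz_value, time_t t)
{
    struct tm tm;
    if (setenv("TZ", tz_value, 1) != 0)
        return -1;
    tzset();                    /* explicit call: forces the TZ / zone file re-read */
    if (localtime_r(&t, &tm) == NULL)
        return -1;
    return tm.tm_hour;
}

/* The same conversion without the explicit tzset(). Only the implicit, cached
 * lookup inside localtime_r() runs here, so whether a change made since the
 * previous call is visible depends on the C library and its version; do not
 * rely on it in a long-running process. */
int local_hour_without_tzset(const char *tz_value, time_t t)
{
    struct tm tm;
    if (setenv("TZ", tz_value, 1) != 0)
        return -1;
    if (localtime_r(&t, &tm) == NULL)
        return -1;
    return tm.tm_hour;
}

int main(void)
{
    /* Constructed sample instant: 2021-07-25 13:00:51 UTC. */
    time_t t = 1627218051;
    printf("UTC0  with tzset:    %02d\n", local_hour_with_tzset("UTC0", t));     /* 13 */
    printf("CST-8 without tzset: %02d\n", local_hour_without_tzset("CST-8", t)); /* libc-dependent */
    printf("CST-8 with tzset:    %02d\n", local_hour_with_tzset("CST-8", t));    /* 21 */
    return 0;
}
```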

Error when importing an ibd file in MySQL

Symptom

Running

ALTER TABLE tbl_name IMPORT TABLESPACE;

reports

Table 'xxx.xxx' doesn't exist in engine

First check whether the table really does not exist. Here it had just been created by hand, so that was not the problem.

Investigating further turned up one cause:
the overwritten or imported ibd file had not been given the correct owner and permissions. Setting them with chown fixed it.

After upgrading the iPhone to 14.6, Xcode 12.4 shows "Unsupported OS version"

Setup

system: mac air 11.4beta
xcode: 12.4 12D4e
iphone: XR 14.6

Symptom

In Xcode the phone shows "Unsupported OS version", so the app cannot be installed for debugging.

Cause

With the current system and hardware, Xcode is stuck at its current version and cannot be upgraded to the latest one, so it cannot support the latest iPhone OS version.

Fix

Reference:

https://stackoverflow.com/questions/67863355/xcode-12-4-unsupported-os-version-after-iphone-ios-update-14-6

The original post already explains it clearly, so read that; if you want the short version, the steps are summarised below:

  1. On the Mac, go to /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport
  2. Download the latest release version: https://raw.githubusercontent.com/iGhibli/iOS-DeviceSupport/master/DeviceSupport/14.5(FromXcode_12.5_Release_Candidate_xip).zip
  3. Unzipping it gives a folder named 14.5
  4. Make a copy of 14.5 and rename it 14.6, then quit and relaunch Xcode; the iPhone then works and the app can be installed.