What is TR069-client?
TR069-client is client software designed to manage the STB using the TR-069 network protocol.
TR-069 is a technical specification that defines the CPE WAN Management Protocol (CWMP). The CPE (customer premises equipment) is the STB.
TR069-client supports the following functionality:
- Firmware Upgrade.
- Reboot.
- Send a file to the device.
- Viewing Device Logs.
To configure the TR-069 client, add the following fields to the build.prop file:
- ro.stb.management.s0 - server link. The link to the server can be given as an http or https link, an IP address or a hostname.
- ro.stb.management.s1 - login used for authorization on the server according to TR-069.
- ro.stb.management.s2 - password used for authorization on the server according to TR-069.
- ro.stb.management.s3 - login used for authorization on the STB according to TR-069.
- ro.stb.management.s4 - password used for authorization on the STB according to TR-069.
- ro.stb.management.s5 - login used for Basic or Digest http/https authentication.
- ro.stb.management.s6 - password used for Basic or Digest http/https authentication.
- ro.stb.management.s7 - the full local path to the third-party SSL certificate, if any.
Attention! To avoid storing information in clear text, all of the fields must be encoded using Base64. All fields except "ro.stb.management.s0" can be empty. If the field "ro.stb.management.s0" is empty, the service stops immediately.
Attention! The server link and the other parameters in the build.prop file can be changed only by changing the firmware of the device.
Attention! After resetting the STB to the factory settings, the configuration data of the TR-069 client is not erased. Only logs are deleted.
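The following audit of the ro.stb.management.* fields is an added example, not part of the original documentation or of the TR069-client code. It decodes each field (Base64 is a reversible encoding without a key, so anyone who can read build.prop recovers the stored logins and passwords) and reports a server link that is not https, undecodable values and missing STB-side credentials. The sample build.prop content, the function names and the wording of the findings are constructed for illustration.

```python
import base64
import binascii
PREFIX = "ro.stb.management.s"
PASSWORD_FIELDS = ("s2", "s4", "s6")  # password fields from the list above

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample values, not taken from any real device.
SAMPLE_BUILD_PROP = "\n".join([
    "ro.product.model=ExampleSTB",
    PREFIX + "0=" + b64("http://acs.example.net:7547"),
    PREFIX + "2=" + b64("s3cr3t"),
    PREFIX + "3=",
    PREFIX + "7=not base64!",
])

def parse_fields(build_prop):
    """Map 's0'..'s7' to decoded text; None marks a value that is not Base64."""
    fields = {}
    for line in build_prop.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or not key.startswith(PREFIX):
            continue
        try:
            text = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            text = None
        fields["s" + key[len(PREFIX):]] = text
    return fields

def audit(build_prop):
    """Return findings for the TR-069 client settings in a build.prop text."""
    fields = parse_fields(build_prop)
    findings = [f"{n}: value is not valid Base64"
                for n, v in sorted(fields.items()) if v is None]
    server = fields.get("s0") or ""
    if not server:
        findings.append("s0: empty or missing, the service stops immediately")
    elif not server.lower().startswith("https://"):
        findings.append("s0: server link does not start with https://")
    for name in PASSWORD_FIELDS:
        if fields.get(name):
            findings.append(f"{name}: password is recoverable by Base64-decoding")
    if not (fields.get("s3") and fields.get("s4")):
        findings.append("s3/s4: no login/password set for authorization on the STB")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_BUILD_PROP)))
```

Because the encoding gives no confidentiality, protection of these values rests on who can read the firmware image and the build.prop file on the device.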
How does STB connect to ACS?
Interaction between the STB and the ACS server follows the client–server model. The STB (client) automatically connects to the ACS server as soon as a network connection appears. After that, the STB connects to the server every 60 seconds. On connection, the RPC Inform method transfers the following data to the server: IP address of the STB in the local network, serial number, manufacturer, model, product class, software version, hardware version, Ethernet MAC address, real IP address, wireless network name or SSID, device logs.
Attention! Please note that on the local network (LAN) the server can initiate the STB connection itself, ignoring the 60-second connection interval. This feature is configured on the server side.
Firmware Upgrade
To update the firmware, download the software image (must be a .zip file) to the STB. If the file is downloaded successfully, Recovery Manager validates it (verifies the correctness of the file and its signature). After successful download and validation, the STB reboots into Recovery and the firmware upgrade takes place.
Sending files to the device
By default, all files sent from the server to the STB are saved in the Download folder.
Reboot
After the reboot command is received by a set-top box, the reboot only happens if the device can send a response to the server that the reboot command was successful. This ensures that the device does not reboot cyclically. After rebooting, the STB automatically connects to the server.
Viewing Device Logs
To view logs from the device, the DeviceLogs field (in the group InternetGatewayDevice.DeviceInfo.) has been added to the recommended client data model. When sending a log file, two blocks are generated:
- Logs TR (receiving commands from the server and their statuses) - last 100 commands.
- WARNINGs and ERRORs of the device (logcat).
By default, the device sends requests to the server once a minute.
Security
The CPE WAN Management Protocol is designed to allow a high degree of security in the interactions that use it. The CPE WAN Management Protocol is designed to prevent tampering with the transactions that take place between a CPE and ACS, provide confidentiality for these transactions, and allow various levels of authentication. The following security mechanisms are incorporated in this protocol:
- The protocol supports the use of TLS for communications transport between CPE and ACS. This provides transaction confidentiality and data integrity, and allows certificate-based authentication between the CPE and ACS.
- The HTTP layer provides an alternative means of CPE and ACS authentication based on shared secrets.
The TR-069 client supports a secure connection over SSL/TLS. If the certificate is self-signed, you can put it on the device and specify the full path to it in the field "ro.stb.management.s7". This makes it possible to use a secure connection with this certificate.
The TR-069 client supports Basic and Digest authentication at all stages of connection to the server. For this, the fields "ro.stb.management.s5" and "ro.stb.management.s6" are used.
The fields "ro.stb.management.s3" and "ro.stb.management.s4" specify the login and password for the server authentication on the device. If the server data is incorrect, the device ignores this connection. If the server data is correct, the STB initiates a connection to the server.
Server requirements
The TR-069 client can work with various implementations of the ACS server that support the TR-069 standard. One server can operate STBs of different types on which the TR-069 client is installed.
The server part of the protocol was implemented and tested using GenieACS, an open-source software product that supports the TR-069 protocol.