Dropbox API Support & Feedback


Over the air download via API fails today, worked yesterday.

flygecko
Explorer | Level 4

Hi,

I have an embedded device that downloads firmware updates over the air via the Dropbox API. Downloads worked fine yesterday, and fail today. The code has not changed since then, and I even went back to a revision built a few months ago, and it fails in exactly the same way. I am using a Texas Instruments CC3200 processor. I use the TI library for the OTA process. It can list the files in the repository, but when I try to access them via the link provided the device just hangs. It subsequently reboots. Here is some diagnostic output from the process.

sl_extLib_OtaRun: call OtaClient_ConnectServer OTA server=api.dropbox.com
OtaClient_ConnectServer: http_connect_server api.dropbox.com
[00:00:11.0967] OTA run (0)
sl_extLib_OtaRun: OtaClient_UpdateCheck, vendorStr=3.2.0
OtaClient_UpdateCheck: call http_build_request /1/metadata/auto/
CdnDropbox_SendReqDir: uri=/2/files/list_folder
metadata file=/3.2.0/f00_sys_servicepack.sig, size=256
metadata file=/3.2.0/f43_sys_servicepack.ucf, size=31348
metadata file=/3.2.0/f80_sys_mcuimgA.bin, size=151300
metadata file=/3.2.0/f80_www_logo.png, size=18406
metadata file=/3.2.0/f80_www_main2.html, size=5830
sl_extLib_OtaRun: OtaClient_UpdateCheck, numUpdates=5
[00:00:12.0260] OTA run (0)
sl_extLib_OtaRun: OtaClient_GetNextUpdate: file=/3.2.0/f00_sys_servicepack.sig, size=256
OtaClient_ResourceMetadata: call http_build_request /1/media/auto
OtaClient_ResourceMetadata: file flags=0,metadata flags=0
OtaClient_ResourceMetadata: remove old signature file /sys/servicepack.sig
CdnDropbox_SendReqFileUrl: uri=/2/files/get_temporary_link
[00:00:12.0556] OTA run (0)
sl_extLib_OtaRun: ResourceMetadata CDN file URL = https://dl.dropboxusercontent.com/apitl/1/AAAPogfVrgUuU60x7jjBJL-jMrYmSHG0O8Gb_ReadFileHeaders: domain=dl.dropboxusercontent.com, file=/apitl/1/AAAPogfVrgUuU60x7jjBJL-jMrYmSHG0O8GbVwAf7iHMQOISR2yPAH3YGlgsUr

 

After the last line the device hangs until the system watchdog reboots it, then the process repeats.  Any idea what I might be running into?

Thanks,

Vic Berry

39 Replies

fabiano_ogawa
New member | Level 2

I have the same problem. The update is very important on my device. My company already has thousands of equipment installed.

arun_kumar
Explorer | Level 4

@Greg, we are facing the same issue. We have more than 10K devices in the field and we can't update them because of this issue. It has become a nightmare for us. Please fix this as soon as possible.

Greg-DB
Dropbox Staff

Thanks again for the information! I'll reply here as soon as I have any news on this.

Greg-DB
Dropbox Staff

The team has developed a change to reduce the link length, which is tentatively planned for deployment tomorrow. I'll follow up here with an update when that's done.

IOT_Developer
Helpful | Level 5

Thank you Greg for the update, waiting for the solution update.

IOT_Developer
Helpful | Level 5

Hello Greg, any updates?

Greg-DB
Dropbox Staff

@IOT_Developer The deployment is still planned for today. I'll follow up here once that's done.

GreenAnt
Explorer | Level 4

Hello everyone. We have just come across this issue today. We also have a few hundred devices on the field and have been successfully doing OTA updates for TI CC3200 with Dropbox API since 2015 (back when APIv1 was still in use).

We are constantly getting links with 557 bytes in length and there is no feasible way to fix this in firmware for devices on the field.

Anxiously waiting for a fix!
 
Thanks!

Greg-DB
Dropbox Staff

Good news, this team worked on this, and was able to reduce the link length back to under 500 bytes. You should be able to request the shorter links again now. Please try it and let me know if you're still seeing any issues.

Please note, however, that the Dropbox API specification still does not guarantee a maximum length for this 'link' value. That being the case, please update your app(s) to accommodate a 'link' of arbitrary length (or at least, of significantly larger length).

I have also sent this along to the team as a feature request to codify a maximum length for the 'link' in the specification, however at this point I can't promise if that is something that will be done. The temporary link implementation on the Dropbox API backend is not trivial, and involves encoding certain authorization data in the link. The size of this data can vary.

Finally, an important security note:

Based on the context I've received around this issue, if I understand correctly, this is being used for updating devices over-the-air, by embedding pre-generated access tokens for a single specific Dropbox account directly into the devices. The devices call a number of Dropbox API endpoints using that access token, such as /2/files/get_temporary_link (the result of which is used to download a firmware update payload).

The Dropbox API was designed with the intention that each user would link their own Dropbox account, however, in order to interact with their own files. It is technically possible to connect to just one account as is being done here, but we don't recommend doing so, for various technical and security reasons, especially in client-side apps like this.

One of the main issues is that client-side apps can't keep secrets. A malicious user could extract the hard-coded access token from the app, and use it to access the Dropbox API directly to perform any operation (bypassing any access controls your app might have attempted to enforce). For instance, in this scenario, they could upload their own malicious payload, which would then be distributed to the other systems via the existing over-the-air update mechanism.

Of course, the actual difficulty to extract the access token and perform an attack depends on a variety of factors, and your organization can choose what level of risk you're willing to accept. Please contact a security professional for any general security advice.

For the above listed reasons though, I do not recommend using the Dropbox API in this manner. Instead, a typical CDN may be a better way to distribute updates. I've also sent this along as a feature request for a safe way to use the Dropbox API in this manner, but I likewise can't promise if this is something that would be implemented.
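
Added example, not part of the post above and not code from Dropbox or the TI OTA library: one way for firmware to accept a 'link' of arbitrary length is to measure the value in the /2/files/get_temporary_link response before copying it, and to skip the update cleanly when it cannot be used. The function names, the 4096-byte ceiling and the sample response body are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Locate the "link" string in a /2/files/get_temporary_link response body
 * without copying it. Returns 0 and sets *val and *len, or -1 if the member
 * is missing, unterminated, or contains a JSON escape (assumption: the URL
 * arrives unescaped; a full JSON parser would decode escapes instead). */
static int find_link(const char *json, const char **val, size_t *len)
{
    const char *p = strstr(json, "\"link\"");
    if (!p) return -1;
    p += strlen("\"link\"");
    while (*p == ' ') p++;
    if (*p++ != ':') return -1;
    while (*p == ' ') p++;
    if (*p++ != '"') return -1;
    const char *end = p;
    for (; *end != '"'; end++)
        if (*end == '\0' || *end == '\\') return -1;
    *val = p;
    *len = (size_t)(end - p);
    return 0;
}

/* Return a heap copy sized from the measured length, or NULL on parse
 * failure, allocation failure, or a link longer than max_len (a sanity
 * ceiling picked by the caller, not a limit Dropbox documents). */
char *dup_temporary_link(const char *json, size_t max_len)
{
    const char *val;
    size_t len;
    if (find_link(json, &val, &len) != 0 || len == 0 || len > max_len)
        return NULL;
    char *out = malloc(len + 1);
    if (!out) return NULL;
    memcpy(out, val, len);
    out[len] = '\0';
    return out;
}

int main(void)
{
    /* Constructed response body; host and token are placeholders. */
    const char *body = "{\"metadata\": {\"size\": 256}, "
                       "\"link\": \"https://dl.example.invalid/apitl/1/AAAA\"}";
    char *link = dup_temporary_link(body, 4096);
    if (!link) { puts("no usable link; skip this update cycle"); return 1; }
    printf("link (%zu bytes): %s\n", strlen(link), link);
    free(link);
    return 0;
}
```

A NULL return lets the OTA loop report the failure and retry later instead of running into the watchdog.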

IOT_Developer
Helpful | Level 5

Hello Greg,

Please thank your team on our behalf and on behalf of 100K users, at least on our side.

Your statement is noted and we will proceed with firmware changes ASAP.
