Device commands
When you are building an IoT application, you need the ability to interact with your device through commands remotely. An example in the industrial vertical is to use remote commands to request specific data from a piece of equipment. An example usage in the smart home vertical is to use remote commands to schedule an alarm system remotely.
With AWS IoT Core, you can use the bi-directional MQTT protocol to implement command and control of devices. The device subscribes to a specific command MQTT topic. When the device receives a command message, it should verify that the message arrived in the correct order by implementing a sequential ID. The device should then perform the action, and publish a message to the cloud with the results of the command. This ensures that commands are acted upon in order, and the device’s current state is always known and maintained in the cloud.
AWS provides the AWS IoT Device Shadow service to implement command and control over MQTT using these best practices. The device shadow has several benefits over using standard MQTT topics, such as a clientToken, to track the origin of a request, version numbers for managing conflict resolution, and the ability to store commands in the cloud in the event that a device is offline and unable to receive the command when it is issued. The device’s shadow is commonly used in cases where a command needs to be persisted in the cloud even if the device is currently not online. When the device is back online, the device requests the latest shadow information and executes the command.
AWS IoT Device Shadow service
IoT solutions that use the AWS IoT Device Shadow service in AWS IoT Core manage command requests in a reliable, scalable, and straightforward fashion. The AWS IoT Device Shadow service follows a prescriptive approach to both the management of device-related state and how the state changes are communicated. This approach describes how the service uses a JSON document to store a device's current state, desired future state, and the difference between current and desired states.
-
The device should check its desired state as soon as it comes online by subscribing to the
$aws/things/
topic. A device reports initial device state by publishing that state as a message to the update topic<<thingName>>
/shadow/name/<<shadowName>>
/get$aws/things/
.<<thingName>>
/shadow/name/<<shadowName>>
/update -
The Device Shadow reads the message from the topic and records the device state in a persistent data store.
-
A device subscribes to the delta messaging topic
$aws/things/
upon which device-related state change messages will arrive.<<thingName>>
/shadow/name/<<shadowName>>
/update/delta -
A component of the solution publishes a desired state message to the topic
$aws/things/
and the Device Shadow tracking this device records the desired device state in a persistent data store.<<thingName>>
/shadow/name/<<shadowName>>
/update -
The Device Shadow publishes a delta message to the topic
$aws/things/
, and the Message Broker sends the message to the device.<<thingName>>
/shadow/name/<<shadowName>>
/update/delta -
A device receives the delta message and performs the desired state changes.
-
A device publishes an acknowledgment message reflecting the new state to the update topic
$aws/things/
and the Device Shadow tracking this device records the new state in a persistent data store.<<thingName>>
/shadow/name/<<shadowName>>
/update -
The Device Shadow publishes a message to the
$aws/things/
topic.<<thingName>>
/shadow/name/<<shadowName>>
/update/accepted -
A component of the solution can now request the updated state from the Device Shadow.
AWS IoT Jobs for device commands
In addition to the features described previously for device commands, you can also use AWS IoT Jobs to create a command pipeline, where the device infers the command from the payload of the MQTT message, as opposed to the topic. This enables you to perform new kinds of remote operations with minimal device-side code changes. You can control the rate of roll-outs using Jobs, and provide abort, retry, and timeout criteria to further customize the behavior of the job. AWS IoT Jobs integrates with fleet indexing and thing groups, which allows you to search your fleet and target devices in your fleet that meet specific criteria. With job templates, you can pre-define all kinds of device commands and create a library of reusable commands with just a few clicks on the target of your choice.
Firmware updates
Supporting firmware updates without human intervention is critical for security, scalability, and delivering new capabilities.
AWS IoT Device Management provides a secure and easy way for you to manage IoT deployments including executing and tracking the status of firmware updates. AWS IoT Device Management uses the MQTT protocol with AWS IoT message broker and AWS IoT Jobs to send firmware update commands to devices, as well as to receive the status of those firmware updates over time. AWS IoT Jobs also integrates with AWS Signer to provide additional security to prevent unauthorized firmware updates and man in the middle attacks. AWS Signer is a fully managed code-signing service to ensure the trust and integrity of your code. With AWS Signer, you can validate code against a digital signature to confirm that the code is unaltered and from a trusted publisher. Firmware images can be signed with a private key in the cloud using the code signing feature, and the device verifies the integrity of that firmware image with the corresponding public key.
To implement firmware updates using AWS IoT Device Management and AWS IoT Jobs, see the following diagram.
-
A device subscribes to the IoT job notification topic
$aws/things/
upon which IoT job notification messages will arrive.<<thingName>>
/jobs/notify-next -
A device publishes a message to
$aws/things/
to start the next job and get the next job, its job document, and other details including any state saved in statusDetails.<<thingName>>
/jobs/start-next -
The AWS IoT Jobs service retrieves the next job document for the specific device and sends this document on the subscribed topic
$aws/things/
.<<thingName>>
/jobs/start-next/accepted -
A device performs the actions specified by the job document using the
$aws/things/
MQTT topic to report on the progress of the job.<<thingName>>
/jobs/jobId/update -
During the upgrade process, a device downloads firmware using a pre-signed URL for Amazon S3. Use code-signing to sign the firmware when uploading to Amazon S3. By code-signing your firmware the end-device can verify the authenticity of the firmware before installing. FreeRTOS devices can download the firmware image directly over MQTT to eliminate the need for a separate HTTPS connection.
-
The device publishes an update status message to the job topic
$aws/things/
reporting success or failure.<<thingName>>
/jobs/jobId/update -
Because this job's execution status has changed to final state, the next IoT job available for running (if any) will change.