By Lynn Linse, Io T Senior Design Engineer, ATEK Access Technologies
Removable Memory Key
to Over-the-Air Updates
As Io T devices become more common, removable memory provides reliable method for delivering essential firmware updates.
With the increasing complexity of cloud-connected Internet of Things (Io T) devices, it is critical
that these devices have a rock-solid method for in-field
firmware updates. Since Io T devices have internet access,
it’s logical to expect updated firmware over-the-air
(OTA), but updating firmware OTA introduces many
challenges—especially for devices that are connecting over
a cellular/mobile network. In these cases, it is critical to
have a “Plan B” for updating these Io T devices.
With 10,000 cellular-connected devices in the field,
how long should it take to successfully update all 10,000
devices via an OTA update? A few hours? A few days? A
month? Even if 98 percent of devices update successfully
OTA in a matter of hours, that still leaves 200 devices
in the field that failed to update. What is the plan for
updating those? What is the plan if an OTA update puts
98 percent of the devices offline?
When designing an Io T device, how can designers
ensure that all (100 percent) devices can be updated in an
efficient and cost-effective manner?
Anatomy of an OTA Firmware Update
Figure 1: All
devices have the
old firmware during
The map left
shows that 100
percent of the
are in the
undesired state. They are reporting the old firmware and
are in need of a firmware update.
The map above shows that most of the remote devices
are in a progressing state (yellow). The yellow devices
have accepted the need to reflash and have successfully
obtained the new firmware image. A few devices have
reached the goal state (blue), where they have reported to
the cloud that they have updated their firmware and 100
percent function has been restored. Still, there are some
devices that remain in the old state (red). These devices
might be offline or their cellular bandwidth may be so
Figure 2: Most
received the firmware
and have started
weak that they have not been able to complete the
firmware image file transfer.
A requirement of this two-step process (where the
device successfully downloads the new firmware image
and then switches to the new image), is that all cellular
Io T devices which support OTA firmware update,
must be able to hold an entire new firmware image
locally. The older firmware paradigm, where a small
boot-strap program erases the previous firmware, then
downloads the new firmware image OTA by cellular, will
be problematic. In addition, a boot-strap program that
handles secure routed SSL/TLS in IP won’t be small.
In Phase 2, most of the remote devices have the new
firmware. Ideally, this phase included the appropriate
security and authentication steps, which would prevent
hacked firmware from being installed.
Target Corporation suffered a huge data breach in
December 2013. In the now infamous hacking of the
cash registers/point-of-sale terminals, the IT system
trusted that the infrastructure (network security) would
prevent fake firmware from reaching the devices. The
infrastructure failed and allowed hacked firmware to
reach and be accepted by the trusting terminals. The
results? Target’s Christmas shopping season was ruined.
The breach cost the retailer hundreds of millions of
dollars in lost revenue and expenses.
Figure 3 shows that most of the devices are reporting
that they are now running the updated firmware, but not
100 percent. A few devices (red) still have not even begun
the firmware-update process, and a few devices (yellow)
have failed to complete the update after at least starting
the download process. Unfortunately, the job is not done.
Now begins the most painful phase, which is the 3++
phase (three-plus-plus phase). How to get from 98