Presentation at April 2017 SVIOS Meetup at Tile. Talking about connected and IOT best practices for implementing OTA firmware update (converted from Keynote version to upload to Slideshare).
4. FIRMWARE IS…
▸ Software that runs on an
embedded device CPU
▸ App typically written in ‘C’ and
compiled into binary
▸ First loaded onto device using
a wired connection or
‘programmer’ device
▸ App runs on power on
6. IF THERE’S A PROBLEM WITH YOUR PHONE APP…
▸ You push out an update to the App Store
▸ But what if there’s a problem with the firmware?
7. IF PROBLEM IS WITH FIRMWARE YOU CAN:
▸ Ignore it. Maybe no one will notice
▸ Ask user to plug into a USB cable and manually update
▸ Factory recall the device then update and send back
▸ Send a new device to every new customer
11. HOW OTA UPDATES WORK
Firmware
v2.0 binary
Update
Server
1
Version ?
v1.0
App Firmware
2
OK
App Firmware
4
Here’s
2.0
I have
v1.0?
3
App
Update
Server
12. DEVICE NEEDS
▸ Enough flash storage to keep 2 or more copies of firmware
Current
New
Factory
(optional but recommended)
13. FIRMWARE NEEDS TO HAVE…
‣ Way to get firmware version, HW rev, and type
‣ Unique ID (if user has more than one)
‣ Switch to/from normal and update mode
‣ Detect incomplete/corrupt downloads
‣ Recover from bad update (bricking)
Factory
(maybe not so optional)
15. HOW TO SWITCH INTO UPDATE WITH BLE
▸ Scan/connect normally
▸ Standard BLE Service has an ‘update mode’ characteristic
▸ Write ‘1’ into characteristic (for example)
▸ Firmware reboots, this time running Update BLE Service
▸ Scan for Update service
▸ Connect and transfer binary
16. HOW TO SWITCH OUT OF UPDATE WITH BLE
▸ Wait for download complete
▸ Checksum
▸ If OK, overwrite old firmware
▸ Restart into normal mode with new firmware
▸ If not OK, either request retransmit or go back to normal
17. RECOVER FROM BAD FIRMWARE/STATE
▸ Make it hard to accidentally
invoke factory reset
▸ Overwrite current firmware from
on-board factory version
▸ Should not require connection
(may not be there)
▸ OK to lose cached data
24. ENCRYPTION BEST-PRACTICES
▸ Use asymmetric public-key encryption
▸ Use digital signatures to verify devices
▸ Choose BLE chip with built-in crypto hardware
▸ Do full security audit/code review before launch
▸ If feasible, use a ‘secure enclave’ chip to hold private keys
25. PROBLEM WITH ON-CHIP DECRYPTION
▸ Need enough flash to keep 3 or more copies of firmware
Factory (Optional)
New (encrypted)
Current
New (decrypted)
(Plus scratch space during decryption)
27. PLAN B: DECRYPT ON PHONE
OK
App Firmware
4
Here’s
2.0
I have
v1.0?
3
App
Update
Server
Requires
pairing
28. DECRYPTING ON IPHONE (HOMEWORK)
▸ Don’t decrypt until absolutely necessary
▸ Go watch WWDC 2015 Video: “Security and Your Apps”
▸ https://developer.apple.com/videos/play/wwdc2015/706/
▸ If too lazy check out: SecureEnclaveCrypto library on GitHub
▸ https://github.com/trailofbits/SecureEnclaveCrypto
▸ Set up bonding/pairing between phone and device
▸ https://devzone.nordicsemi.com/question/47091/getting-an-ios-
central-app-to-bond/
29. BARE MINIMUM FIRMWARE UPDATE SYSTEM
▸ Manual deployment checklist
▸ Web download site with SSL (i.e. Amazon S3)
▸ Firmware metadata (text file)
▸ Simple mobile SDK (REST to server - BLE to device)
▸ Firmware with OTA update + software toggle
▸ BLE hardware with 2x flash
30. A PROPER UPDATE SYSTEM
▸ Rapid firmware build and
deploy (with encryption)
▸ Back-end update server (with
SSL/TLS and REST API)
▸ Release workflow automation
▸ Mobile app SDK (REST to
server - BLE to device)
▸ Push notification (or
WebSocket support)
▸ Application UX/UI design
templates
▸ Firmware with OTA update +
software toggle
▸ Hardware support for OTA
(4x flash + crypto + factory reset)
▸ Device segmentation and
analytics
▸ End-to-end encryption
31. THINK DIFFERENT
▸ Treat Firmware Updates like App Updates
▸ Release an MVP device then iterate
quickly with new features
▸ Have different firmware for different
markets (or users)
▸ Use serial numbers & encryption to avoid
piracy
▸ Do not load final firmware at factory (!?!)
33. PLAN AHEAD
▸ Don’t leave firmware update support to the last minute
▸ Don’t host firmware updates on same back-end as app-server
▸ Always have a fallback plan / factory reset
▸ Design app UX with firmware update in mind
▸ Test, test, test
34. ▸ If all this seems too daunting…
▸ Get in touch: raminf@gmail.com
Q&A
Thank You