To avoid bricking a device with a failed OTA update, engineers need to identify the potential points of failure and design a system-level architecture that mitigates them. The key components of this architecture are a telematics unit, which communicates with the server delivering the update; a gateway, or manager, which handles local reception and distribution of the update; and a client, which is the device receiving the update.
The automotive industry is an excellent example of a high-reliability application that must follow a strict process when implementing OTA updates. No scenario can be tolerated in which an ECU bricks either during or after an OTA update. Security is critical here and must be observed at every stage of the process. This typically means using encryption and authentication, with keys and certificates stored in a secure, tamper-proof way.
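As an added illustration of the three roles described above (example code, not from the article or from NXP), the following Python sketch has the server sign an image, the gateway authenticate it before forwarding, and the client write it to an inactive firmware slot and switch only after validating what actually landed there, so a corrupted, tampered or interrupted update leaves the running firmware untouched. The HMAC key and the two-slot layout are assumptions of the example; a real deployment would use certificates and hardware-protected key storage as the text describes.

```python
import hashlib
import hmac

# Constructed example key: stands in for the credential the gateway would hold
# in tamper-resistant storage (hypothetical value, not from the article).
GATEWAY_KEY = b"example-provisioned-key"

def sign_image(image: bytes, key: bytes = GATEWAY_KEY) -> dict:
    """Server side: bundle the image with its digest and an authentication tag."""
    return {
        "image": image,
        "sha256": hashlib.sha256(image).hexdigest(),
        "tag": hmac.new(key, image, hashlib.sha256).hexdigest(),
    }

def gateway_verify(pkg: dict, key: bytes = GATEWAY_KEY) -> bool:
    """Gateway: forward only packages whose digest and tag both check out."""
    image = pkg["image"]
    if hashlib.sha256(image).hexdigest() != pkg["sha256"]:
        return False  # damaged in transit
    expected = hmac.new(key, image, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkg["tag"])  # False => not authentic

class Client:
    """ECU with two firmware slots: write the inactive one, validate, then switch."""

    def __init__(self, current: bytes):
        self.slots = [current, b""]
        self.active = 0

    def install(self, pkg: dict, truncate_at=None) -> bool:
        inactive = 1 - self.active
        image = pkg["image"]
        # truncate_at simulates power loss part-way through the flash write.
        self.slots[inactive] = image if truncate_at is None else image[:truncate_at]
        # Switch slots only if what actually landed in flash matches the digest.
        if hashlib.sha256(self.slots[inactive]).hexdigest() != pkg["sha256"]:
            return False
        self.active = inactive
        return True

    def running(self) -> bytes:
        return self.slots[self.active]

def run_update(pkg: dict, client: Client, truncate_at=None) -> str:
    """Full path: gateway authenticates, client installs; failures leave the ECU bootable."""
    if not gateway_verify(pkg):
        return "rejected-by-gateway"
    return "installed" if client.install(pkg, truncate_at) else "kept-active-slot"
```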
Over-the-air updates are common in consumer products, where the consequences of failure are low, but can they also be used in a high-reliability, safety-critical environment? asks Osvaldo Romero, System and Architecture Engineer for Automotive Microcontrollers at NXP Semiconductors.