A Deep Dive Into Firmware Over the Air for IoT Devices
Dive into FOTA, its importance, and best practices to design reliable and efficient FOTA services for IoT devices.
An Overview of IoT Devices and FOTA
IoT devices are a combination of hardware and software programmed to collect data and transmit it to the internet, other networks, or a variety of applications. There are various categories of IoT devices, such as sensors, actuators, machines, gateways, and more. These IoT devices can be used independently or attached to other devices such as appliances, doors, industrial machinery, medical equipment, and other important assets. In today’s fast-paced environment, these devices can provide all important sensory information to their users without any manual intervention, via integrations with mobile apps or analytical platforms. These sensors solve various real-world problems such as asset tracking, infrastructure management, condition-based monitoring, industrial automation, and more.
Companies that offer IoT solutions have to deploy and manage a large number of IoT devices in globally dispersed locations. To make sure that all the devices are working and transmitting telemetry data as expected without any failure, it is very important to monitor these devices and keep them updated with the latest version of their firmware or software. Throughout the device’s lifecycle, these new firmware versions may contain bug fixes, patches for security vulnerabilities, or new functionality. Since IoT devices are low-power, memory-constrained devices deployed at distributed locations, it is crucial to perform firmware upgrades over the air (FOTA) for these devices. FOTA happens remotely, and users do not need to be physically present at the device’s location. FOTA is an essential process for any IoT solution offering, as it enables IoT devices to provide an uninterrupted flow of data to the users.
FOTA Architecture and Components
FOTA is not limited to upgrading the application firmware or software binary file; it can also be designed to transfer various other artifacts, such as baseband images, new certificate files, configuration files, and scripts, to field-deployed devices. A FOTA service is designed around several components.
The FOTA Client
The FOTA client is a piece of software that runs on the end device on which the FOTA upgrade needs to be done. This service interacts with the FOTA server to receive the FOTA trigger, download new firmware images, and upgrade the device. At a regular interval, it checks with the FOTA server whether any new package is available to download and install on the device. The check-in interval depends on the business needs: for example, once per day, on alternating days, or once a week. In some cases the FOTA server triggers the update on its own, based on the device’s battery and connectivity status. Once the device receives the trigger to get the new firmware version, the client takes the correct measures to download and install the new version.
Key Considerations When Designing a FOTA Client
- Efficient: If the network becomes unavailable during the firmware download, the client should be able to resume the download rather than restart it, which saves network bandwidth and time.
- Reliable: Since many IoT devices work on constrained networks like CATM1 and NB-IoT, there is a higher probability that the download does not complete in one attempt. Therefore, it is good design practice to have a retry mechanism in place to handle such scenarios. This helps achieve a high success rate for the FOTA image download.
- Fault tolerant: The client must have a mechanism in place to prevent or handle a device reboot during the FOTA "in progress" state.
- Secure: To prevent unauthorized firmware installation, the device should have secure boot enabled so that the client can authenticate the downloaded firmware images.
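The resume and retry behaviour from the first two points, as an added example that is not part of the original article: the download loop keeps its byte offset across failures, so a later call continues where the last one stopped. The names (`fota_dl`, `fetch_fn`, `fota_download`), the chunk size, the retry limit and the simulated link are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define CHUNK       64  /* bytes requested per read (assumed value) */
#define MAX_RETRIES 3   /* consecutive failures tolerated per call (assumed) */

/* Progress record; a real client keeps it in non-volatile storage so a
 * dropped link or a reboot resumes at `offset` instead of at zero. */
struct fota_dl { uint32_t total, offset, fetches; };
/* Transport hook: read up to len bytes at off; bytes read, or -1 on error. */
typedef int (*fetch_fn)(uint32_t off, uint8_t *buf, size_t len, void *ctx);

/* Returns 0 when the image is complete, -1 after MAX_RETRIES consecutive
 * failures. Progress is kept either way, so the next call resumes. */
int fota_download(struct fota_dl *st, uint8_t *staging, fetch_fn fetch, void *ctx) {
    unsigned fails = 0;
    while (st->offset < st->total) {
        size_t want = st->total - st->offset;
        if (want > CHUNK) want = CHUNK;
        st->fetches++;
        int n = fetch(st->offset, staging + st->offset, want, ctx);
        if (n <= 0 || (size_t)n > want) {   /* error or bogus length */
            if (++fails >= MAX_RETRIES) return -1;
            continue;                       /* real client: back off first */
        }
        st->offset += (uint32_t)n;          /* real client: persist here */
        fails = 0;
    }
    return 0;
}

/* Constructed transport: the link is down for calls down_from..down_to-1. */
struct link { unsigned calls, down_from, down_to; };
static int sim_fetch(uint32_t off, uint8_t *buf, size_t len, void *ctx) {
    struct link *l = ctx;
    unsigned c = l->calls++;
    if (c >= l->down_from && c < l->down_to) return -1;
    for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)(off + i);
    return (int)len;
}

/* Constructed scenario: returns the offset kept across the outage, or -1. */
int demo_resume(void) {
    uint8_t img[200];
    struct fota_dl st = { 200, 0, 0 };
    struct link l = { 0, 2, 5 };            /* outage after two chunks */
    if (fota_download(&st, img, sim_fetch, &l) != -1) return -1;
    int kept = (int)st.offset;              /* progress survives the failure */
    if (fota_download(&st, img, sim_fetch, &l) != 0) return -1;
    return (st.offset == 200 && st.fetches == 7 && img[199] == 199) ? kept : -1;
}
```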
The FOTA Server
The FOTA server is the application that resides in the cloud and communicates with the FOTA client to update the firmware or required artifact on an IoT device. It is good to have a powerful GUI implemented for the FOTA server to accomplish its various functions; a good GUI also gives a better user experience and makes for an effective FOTA solution. After all, this application is responsible for the various tasks needed to accomplish end-to-end FOTA execution.
Campaign Management
Whenever new firmware is released, the solution provider identifies which field devices need to be upgraded with the new firmware version and when this needs to be executed. This helps avoid any disruption in the active service. New firmware or a new configuration file could be specific to a customer, so it is very important to identify and group the correct devices and their models that need to be upgraded. The campaign is created with the list of devices, the new firmware version, and the time of execution. The server should be capable of managing different campaigns simultaneously to support FOTA services for various devices.
Storage Server
Many FOTA solutions provide server storage to maintain the various versions of the firmware in their database. This allows the FOTA server to find the correct firmware version in its storage while executing the campaign. If the FOTA solution does not provide a storage server, it is important to implement functionality that can pull the correct version of the firmware from the specified database.
Device Management
The FOTA server maintains the list of all the devices registered with the FOTA service and their current firmware versions. It also keeps track of when each end device last checked in, which helps diagnose issues when an end device is not connecting to the cloud or transmitting data as expected.
FOTA Protocols
There are various ways to design and implement FOTA services. Lightweight IoT devices with modem capabilities can be managed through the Lightweight Machine to Machine (LwM2M) protocol, whose specifications are defined by the Open Mobile Alliance (OMA). It is an application-layer protocol that runs over the User Datagram Protocol (UDP), secured with Datagram Transport Layer Security (DTLS). LwM2M provides security through data encryption and authentication services. LwM2M also supports two mechanisms for FOTA integration: the PULL and PUSH methods. It works on object models; for more details, refer to the LwM2M specification.
Other than LwM2M, HTTPS is another way to securely perform FOTA services. This method uses two-way security to establish the HTTPS connection between the FOTA client and the server, providing data encryption and authentication services. It works over Transport Layer Security (TLS), which is a secure, connection-oriented protocol. Many chipset vendors provide HTTPS APIs that can be integrated with the FOTA client to implement FOTA services.
FOTA Process
The FOTA process defines the steps needed to install a new firmware image on IoT devices. The FOTA image does not have to be a full image of the firmware. It is good practice to use delta FOTA (DFOTA) images, which use network bandwidth efficiently and reduce the overall time for the device upgrade. DFOTA is less error prone because only a small chunk of the firmware image is downloaded in place of the whole firmware image. It is very important that the FOTA procedure is executed only when the device has a good network signal (Received Signal Strength Indicator, or RSSI) and sufficient battery life to complete the whole procedure. The FOTA process consists of the following steps for a complete image or delta image update on the device:
- FOTA can be triggered by various methods. For example, the FOTA client checks in at a regular, pre-defined time interval, or the user commands the device’s FOTA client to check in with the FOTA server.
- At the time of check-in, if the server application identifies a new campaign available for the device, it triggers an action to download the new firmware version to the device. The FOTA client downloads the firmware to its local storage. After the download completes successfully, it reports to the FOTA server.
- The FOTA client holds the firmware update until it has validated and verified the integrity and authenticity of the newly downloaded firmware image. The firmware images are verified through a digital signature to prevent malicious code from running during the boot process.
- After validation of the downloaded images is complete, the client executes the new firmware and reports the status to the server. If the new firmware image works fine, the server is notified of the new firmware version on the device. If it is unsuccessful, the client rolls back to the earlier version and reports the error to the server. Please refer to the diagram below for a visual representation of the FOTA process.
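The last two steps as an update state machine, added here as an example that is not part of the original article: a failed signature check never switches images, and a new image that keeps rebooting without confirming itself is rolled back. The two-slot (A/B) layout, all names, and the boot limit are assumptions; `sig_ok` stands for the result of the platform's own signature verification.

```c
#include <stdint.h>
enum fota_state  { FOTA_IDLE, FOTA_DOWNLOADED, FOTA_TRIAL };
enum fota_report { RPT_NONE, RPT_UPDATED, RPT_VERIFY_FAILED, RPT_ROLLED_BACK };
#define MAX_TRIAL_BOOTS 3   /* unconfirmed boots allowed (assumed value) */

/* Update record, kept in non-volatile storage so it survives a reboot. */
struct fota_rec {
    enum fota_state state;
    uint8_t active;       /* slot the bootloader starts: 0 or 1 */
    uint8_t trial_boots;  /* boots of the new image not yet confirmed */
};

/* Verification gate: sig_ok is the result of the signature check over the
 * downloaded image. A failed check never changes the active slot. */
enum fota_report fota_install(struct fota_rec *r, int sig_ok) {
    if (r->state != FOTA_DOWNLOADED) return RPT_NONE;
    if (!sig_ok) { r->state = FOTA_IDLE; return RPT_VERIFY_FAILED; }
    r->active ^= 1;
    r->trial_boots = 0;
    r->state = FOTA_TRIAL;
    return RPT_NONE;
}

/* Bootloader, every boot: an image that keeps rebooting without being
 * confirmed is abandoned and the previous slot is restored. */
enum fota_report fota_on_boot(struct fota_rec *r) {
    if (r->state != FOTA_TRIAL) return RPT_NONE;
    if (++r->trial_boots <= MAX_TRIAL_BOOTS) return RPT_NONE;
    r->active ^= 1;
    r->state = FOTA_IDLE;
    return RPT_ROLLED_BACK;
}

/* The new firmware calls this once it runs and has reached the server. */
enum fota_report fota_confirm(struct fota_rec *r) {
    if (r->state != FOTA_TRIAL) return RPT_NONE;
    r->state = FOTA_IDLE;
    return RPT_UPDATED;
}

/* Constructed scenario: image installs but never confirms (crash loop).
 * Returns the active slot after rollback, or -1 on an unexpected report. */
int demo_crash_loop(void) {
    struct fota_rec r = { FOTA_DOWNLOADED, 0, 0 };
    if (fota_install(&r, 1) != RPT_NONE || r.active != 1) return -1;
    for (int i = 0; i < MAX_TRIAL_BOOTS; i++)
        if (fota_on_boot(&r) != RPT_NONE) return -1;
    return fota_on_boot(&r) == RPT_ROLLED_BACK ? r.active : -1;
}
```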
Conclusion
Due to the increasing demand for IoT devices, a solution to remotely upgrade and manage the devices is needed. FOTA is an essential part of any field IoT deployment because in many scenarios it is very expensive or impossible to physically access the device. FOTA brings ease of use and reduces the overall maintenance cost of a solution. It helps keep the device operational and updated with the latest features and vulnerability fixes throughout its lifecycle, without any customer service disruption.