firmware updates for automotive edge nodes
TRANSCRIPT
PUBLIC
OSVALDO ROMEROAPPLICATIONS ENGINEER
STEVE MIHALIK
SENIOR FIELD APP ENGINEER
AMF-AUT-T2341
FIRMWARE UPDATES FOR
AUTOMOTIVE EDGE NODES
1 PUBLIC
AGENDA
• FOTA Overview
• S32K Portfolio
• S32K Use cases
• Secure OTA in S32K144
2 PUBLIC
Objective
• Overview of OTA and its challenges.
• Understand how NXP handles over the air updated in their portfolio.
• Understand how to handle over the air updates in low cost edge nodes MCUs such
as S32K devices.
3 PUBLIC
FW OVER THE AIR
OVERVIEW
4 PUBLIC
Today: 90% of Auto Innovation via electronics
#1 Auto Analog/ RF #1 Auto MCU (ex JPN) #1 Auto Merchant MEMS Sensors
#1 INFOTAINMENTTUNERS
SOFTWARE-DEFINED DIGITAL RADIO
MULTIMEDIA PROCESSORS
SOUND SYSTEM DSPs & AMPLIFIERS
NFC BT PAIRING
WIRELESS POWER CHARGING
POWER MANAGEMENT
#1 SECURE CAR ACCESSIMMOBILIZER/ SECURITY
REMOTE KEYLESS ENTRY
PASSIVE KEYLESS ENTRY/ GO
BI-DIRECTIONAL KEYS
NFC
ULTRA WIDE BAND
ADAS & SECURITY POWERTRAIN & CHASSISMICROCONTOLLERS
PRESSURE/ MOTION SENSORS
BATTERY MANAGEMENT
DRIVERS
STANDARD
PRODUCTSLOGIC
POWER
DISCRETES
#1 VEHICLE NETWORKINGCAN/LIN/ FLEXRAY
ETHERNET
CENTRAL GATEWAY CONTROLLER
SECURITY
RF
#1 SAFETYMICROCONTROLLERS AIRBAG
ANALOG AIRBAG
MICROCONTROLLERS BRAKING
ANALOG BRAKING
SENSORS BRAKING
TIRE PRESSURE MONITORING
#1 BODYMICROCONTROLLERS
POSITION/ ANGLE SENSORS
SYSTEM BASIS CHIPS
NXP is #1
5 PUBLIC
FOTA Overview: Common Recall Process
• Done at a dealer
• A special hardware tool is used
• Engine is not running
• The target node application is halted
• Main application erased and reprogrammed
6 PUBLIC
FOTA Overview: Motivations
• Increasing number of recalls
• Dealer update $
• As firmware complexity increases, the probability of required firmware updates also
increases
• User convenience vs going to dealer
• Safety can be improved with quicker updates
7 PUBLIC
OEM
Server
FOTA Overview: MOVING DEEPER INTO THE VEHICLE
FOTA Update of Infotainment & Telematics Systems
High DensityNVM
OEM
Server
High DensityNVM
e.g. Telematics Unit
Infotainment Unit
e.g. Powertrain ECU
High DensityNVM
e.g. Telematics Unit, Gateway
High DensityNVM
Embedded NVM
Embedded NVM
Embedded NVM
Infotainment Unit
e.g. Braking ECU
e.g. Body ECU
FOTA Update of Major ECUs within the vehicle
New Challenges with this architecture:- Security throughout- Cost sensitivity of embedded ECUs- Embedded NVM vs High Density NVM- Strategy of when & what to update
Central In-vehicle FOTA Server
In-vehicle FOTAClients
Focused on updates to software on the infotainment & telematics, but not propagating further into the vehicle architecture
8 PUBLIC
FOTA Overview: Moving Deeper in the Vehicle
9 PUBLIC
FOTA Overview: A/B Swap Use Case
Reset vectors to bootloader, which is never erased
Current
Firmware
Bootloader
Old
Firmware
Flash
prior to
update
Current
Firmware
Bootloader
New
Firmware
Flash
after
updateNew
Firmware
Bootloader
Current
Firmware
Flash
after next
key-on
Advantages:
• Update can be carried out while current application is actively running from flash
• Always have original firmware to roll back to in case of issue
• Vehicle is always available – guaranteed no vehicle downtime regardless of update errors
Disadvantage:
• Requires ~2x flash application storage
10 PUBLIC
FOTA Overview: In Place Use Case
Reset vectors to bootloader, which is never erased
Current
Firmware
BootloaderFlash
before to
update New
Firmware
Bootloader Flash
after
update
Advantages:
• No need for additional flash Disadvantage:
• Requires vehicle downtime during update process
• Not possible to instantly “roll-back” if an issue occurs
11 PUBLIC
FOTA Overview: Assumptions
• End node:
− gets partial or full image for flashing
− will have at least enough spare erased flash for a full image
− receives updated software over serial link
− has boot block which never changes with OTA updates
• Best case: update is performed while running existing software
• Before new firmware becomes active, application/boot firmware can perform:
− Security validation
− Functional validation
• New firmware starts on reset following the update completion
12 PUBLIC
FOTA Overview: Challenges AT CHIP
• Additional memory for AB swap
• Remapping
• Read while write
• Security
13 PUBLIC
FOTA Overview: Automotive FOTA MAPM
em
ory
Siz
e
S32K144
Over the air update
S32K146
S32K148
Full
IMX
Partial
MPC5748G
General
Purpose
Gateway
Infotainment
Other
MPC57xx
14 PUBLIC
FOTA Overview: FULL FOTA DEMO
• This demo was designed to demonstrate firmware update capabilities common on many
NXP devices. The demo platform uses two MPC5748G evaluation boards:
− One will send update via CAN
− Other receives update, programs into flash and makes it the default firmware for next boot
• Key features:
− Flash remapping – map sections of flash to different addresses, providing a simple method to
switch between firmware
− Flash Read-While-Write (RWW) capability (Being able to erase and program a block of flash whilst
simultaneously executing from another block)
− Firmware Authentication (Confirming that the firmware is from a valid source and that it has not
been tampered with during transmission)
15 PUBLIC
S32K PORTFOLIO
16 PUBLIC
S32K Portfolio: Targeting General Purpose Applications
Battery Management Tire pressure receiverWireless chargingHuman machine interfaceBody control module
Climate control Door/Window/sunroof Near Field Communication Lighting Secure transmission / encryption in cars
Chassis systemsPMSM/BLDC motorcontrol Touch sensing Park assist
Nox reduction systems
Motorbike ECU/ABS DC/DC converters
E-shifter
Rear view camera tilt Steering wheel electronics
17 PUBLIC
S32K Portfolio: S32K For Edge Nodes
roof
module
Door control
front left
Door control
front right
Door control
rear left
Door control
rear right
HVAC
main
Park
heating
Steering
column
module
Park
assistance
Ambient
lighting
heater
left
fan
right
fan
left
Front power
module left
front power
module right
energy
manager
HVAC
rear
TPMS
Antenna
Car Access
module
Wiper
Control
heater
right
dashboard
Seat
control
Steering sensors
angle/torque
Gateway /
Body (Domain)Control Module
Engine
control
Stability
control
Transmission
control
Damping
control
(Adaptive) Cruise
control
Headlight
control
Anti-lock
brake
Battery
management
rain light
sensor
immolighting
switch
start/stop
CAN (FD)
LIN
FlexRay
Ethernet
Diagnosis
flapper
1
flapper
...
Surround View
Cam 1
Cam 4Cam 2
Cam 3
Radar
Unit
Sens1
Sens 4Sens 2
Sens 3
ADAS Unit
Remote Tuner
Amplifier
Display Front
Display Rear
Display Rear
Telematics
Box
Window
Mirror
Powertrain/Chassis
Unit
Gateway /
Body (Domain)Control Module
BackboneHead Unit
2B NODES IN 2014
4B NODES IN 2020
OVERGROWING
AUTOMOTIVE MARKET
KEY ENABLER FOR ALL CAR
INNOVATION
COMMUNICATION, ENERGY
MANAGEMENT, SAFETY, SECURITY
18 PUBLIC
Crossbar Switch with MPU
RAM
Up To
64KB
System
Periphera
l
Bridge Flash
Up To
512K
NV
IC
Cortex M4F
112 MHz
FPU, DSP, MPU,
4 KB I/D-Cache
Dflash
Up To
64KB
RTC
PMC2.7 - 5.5V
FLL Clk Mult
Ext Osc (8 - 40MHz)
Fast R/C OSC(48MHz 1%)
LP OSC (128KHz 10%)
SCG
High performance
• ARM Cortex M4F up to 112MHz w FPU
• eDMA from 57xxx family
Software Friendly Architecture
• High RAM to Flash ratio
• Independent CPU and peripheral clocking
• 48MHz 1% IRC – no PLL init required in LP
• Registers maintained in all modes
• Programmable triggers for ADC no SW delay
counters or extra interrupts
Functional safety
• ISO26262 support for ASIL B or higher
• Memory Protection Unit
• ECC on 512K Flash / 64K Dataflash and RAM
• Independent internal OSC for Watchdog
• Diversity between ADC and ACMP
• Diversity between SPI/SCI and FlexIO
• Core self test libraries
• Scalable LVD protection
• CRC
Low power
• Low leakage technology
• Multiple VLP modes and IRC combos
• Wake-up on analog thresholds
Security
• CSEc (SHE-spec)
Digital
Components
5V Analogue
ComponentsMCU Core
and Memories
Operating Characteristics
• Voltage range: 2.7V to 5.5V
• Temperature (ambient): -40°C to +125°C
Packages & IO
• Open-drain for 3.3 V and hi-drive pins
• Powered ESD protection
• Packages: 100 BGA, 64 LQFP, 100 LQFP
secu
rity
Slow R/C OSC(8MHz 3%)
16ch
eDMA
LVD
WDOG EWM
Debug
SWD JTAG
Communications / I/O System
2x A
DC
16ch 1
2bit
AC
MP
W 8
-bit D
AC
4x F
lexT
ime
r8ch 1
6-B
it
3x F
lex C
AN
1 w
ith
FD
2x P
DB
3x S
PI
1x I
2C
Flex IO
I2S
UA
RT
SP
ILP
IT
CR
C
3x U
AR
T/L
IN
S32K Portfolio: S32K144 Block Diagram
19 PUBLIC
FlashPin Count
16/24 32 48 64 80 100 100 BGA 144 176
2M S32K148 S32K148 S32K148
1M S32K146 S32K146 S32K146
512K S32K144 S32K144 S32K144
256K S32K118S32K142 /
S32K118S32K142
128K S32K116 S32K116 KEAZ128 KEA128
64KKEAZN64 /S32K114
S32K114 KEAZ(N)64 KEAZ64
32K KEAZN32 KEAZN32
16K KEAZN16 KEAZN16
8K KEAZN8
*potential option
S32K Portfolio: S32K1xx / KEA Product Series Compatibility
• Pin Compatibility:
− Within S32K1xx product series
− To KEA products
• IP Compatibility:
− With MPC55xx/MPC56xxx/MPC57xxx product series:
FlexCAN, eDMA, QuadSPI
− With Freescale Kinetis and KEA products:
FlexTimer, IIC, LSPI, UART, ADC, CRC, FlexIO
20 PUBLIC
S32K Portfolio: Flash System
256 KB 256 KB
Bank 0
Program Flash
128bits
Flash Controller
128bit Prefetch buffer
128bit Store buffer
64 KB
Bank 1
FlexNVM
64 bits
64bit Prefetch buffer
64bit Store buffer
32 bits
XBAR
4 KB
FlexRAM
S0
32bits
EEPROM
emulation
21 PUBLIC
S32K Portfolio: Flash Arrays
FOTA relevant features:
• Sector size (= minimum erase size)
4K Bytes in Program Flash (bank 0)
2K Bytes in Data Flash (bank 1)
• Read-While-Write (RWW) features between Bank0 (Program Flash) and Bank1 (Data Flash)
Key additional flash features:
• C90TFS (Thin-Film-Storage) technology
• ECC support: Single Bit Error Correction and Double Bit Error Detection
− 32bit ECC word in data flash
− 64bit ECC word in program flash
• Access time: Flash clock is about #1/4 of the core clock
22 PUBLIC
S32K USE CASES
23 PUBLIC
S32K Use Cases: S32K144 A/B Swap
S32K144
Device
• Flash driver
• Flags
• User data
64 KB
Array1
Bootloader
Image B
256 KB
New
image
Sector
to update
60KB
010110010110011001010101010
110101011110000101010101010
101010101010101010101010101
010101010101001011110000010
110010101010010101010101011
Program Flash
Bank 0Data Flash
Bank 1
SRAM
Array 0
Bootloader
Image A
256 KB
Update over CAN
Over the air update
New
firmware
image
GATEWAY
EDGE NODE
MPC5748G
Device
24 PUBLIC
S32K144
Device
• Running:
Bootloader
• No new image
available
• Branch to image A
Update imageC
AN
BU
S
CA
N B
US
Handshake
flag
S32K144
Device
Running: Image A
• Update request
• New image flag set
S32K144
Device
Running: Bootloader
• New image request
detected
• Check program flash
array available
S32K144
Device
Running: Bootloader
• No new image
available
• Branch to image A
S32K Use Cases: A/B Swap Steps (1 of 4)
25 PUBLIC
S32K Use Cases: A/B Swap Steps (2 of 4)
S32K144
Device
Running: Bootloader
• Download flash
driver to
Dflash/RAM
Flash
CMDs
CA
N B
US
CA
N B
US
Handshake
flag
26 PUBLIC
CA
N B
US
S32K144
Device
Running: Bootloader
• Receive new
image segment
• Write new segment
in RAM
S32K144
Device
Running: DFLASH (or
RAM if desired)
• If necessary, erase
older image, but not
bootloader!!!
• Write new image
segment in flash array
available
• When completed
branch to bootloader
New image
segment
S32K144
Device
Running: Bootloader
• Handshake for
next segment
CA
N B
US
Request new
image
segment
Loop until completed
S32K Use Cases: A/B Swap Steps (3 of 4)
27 PUBLIC
S32K144
Device
Running: Bootloader
• Set update flag
completed
• Issue a reset
S32K144
Device
Running: Bootloader
• New image flag
detected
• Update complete flag
detected
• Update flash side
available
• Branch to new image
S32K144
Device
Running: Image B
Erase update status
flags
S32K Use Cases: A/B Swap Steps (4 of 4)
28 PUBLIC
1. Have two separate object files
− Requires more overhead in file management!
2. “Fix up” references to flash addresses in startup code.
Examples: (assume one binary; all source is compiled at same time so there are
no external references):
− Masters (like DMA) reference to flash: boot code defines offset variable that is used in
code
DMA.SADDR = 0x100000 + OTA_offset;
− Code constants: Use RAM based table for references that contain OTA offset variable
− Function calls & branches
S32K Use Cases: A/B Swap Options without Flash Remapping
29 PUBLIC
Pros/Limitations
- Pro: A-B swap allows backup immediately available
- Limitation: compared to large MCUs with multiple code partitions, updating the
image cannot be done live
S32K Use Cases: A/B Swap Summary for S32K144
36 PUBLIC
• Larger program flash and data flash
• External QuadSPI (serial flash) support
− Enables option of storing current and new FW in serial flash.
Simpler recovery to prior version – no need to resend from gateway or OTA
New image can be stored “at leisure” then updated faster from local memory
S32K Use Cases: Looking forward: S32K148
37 PUBLIC
S32K SECURITY
38 PUBLIC
S32K14x Security: Security – Why Worry?
• Same problem which Julius Caesar faced 2000 years ago.
• Avoid hacker attacks
• Prevent reprogramming
• Steal OEM firmware
• Use cases
- Immobilizer / Component Protection
- Mileage Protection
- Secure Boot
- Secure Communication
39 PUBLIC
S32K14x Security: SHE – An Early Automotive Security Standards
• Background:
− Created by Audi (main driver), BMW and Escrypt
− Published as a official HIS standard(HIS => Herstellerinitiative Software, German for 'OEM software initiative')
• Key features of the SHE specification:
− A secure storage for crypto keys
− Crypto algorithm acceleration (AES-128)
− Secure Boot mechanism to verify custom firmware after reset
− Offers 19 security specific functions
− Up to 10 general and 5 special purpose crypto keys
40 PUBLIC
S32K14x Security: Cryptographic Secure Engine (CSE) uses SHE
CSE1 CSE2CSE3
CSEc
• SHE Specification
Implementation
Support additional
customer
requirements
• More keys
• New key attributes
• More Secure Boot
features and
behavior
• New functions
• Support extern flash memory
• Encrypted key images
• Works with OTP-keys
• ISP code protection
Flash-less ready
Optimized Security for
Low-End MCU
1st Automotive
Security Module
ARM CoresPPC Cores
41 PUBLIC
S32K14x Security: S32K Security Module (CSEc) – Overview
• SHE functionality moves from dedicated master module into the flash system
• Secure key storage only accessible by CSEc
• Crypto Keys
− Several General-Purpose keys
− Special Purpose keys
(e.g. Secret, Master and Secure-Boot Key & CMAC)
− Support of additional encrypted keys in public flash memory.
• True Random Number System
• CSEc supports AES-128 with
ECB, CBC and CMAC mode\
• Use Cases
- Secure Boot - Check Boot Loader for Integrity and Authenticity
- Check parts of Flash Memory for Integrity and Authenticity
- Secure Communication
- Component Protection
Status
Register
Programm
Flash
Flex NVM
FlexRAM
SecureNVM
Memory
Controller
Control
Register
InterruptsRegister
Access
MCU
Flash Controller
Cortex-
M4FDbgConnect
CSEc
42 PUBLIC
SUMMARY
• Firmware is increasing in the vehicle.
• FOTA is necessary in today’s vehicles
• NXP portfolio can help in your FOTA application
• CSEc for secure FOTA