22. SUOTA Overview

In order to be able to update application software over-the-air, the DA1453x/DA1458x must be connected to an external non-volatile memory (SPI flash or EEPROM).

In this Tutorial:

  • DA1453x refers to DA14531-00, DA14531-01, DA14530, DA14535 and DA14533.

    • The DA14531-00 is the main DA14531 device. The -00 suffix is simply new naming introduced alongside the DA14531-01 variant. The DA14531-01 is a ROM variant of the main DA14531-00.

    • The DA14535 is a DA14531 upgrade.

    • The DA14533 is optimized for automotive and industrial applications at higher temperatures. It is rated to operate up to 105 °C and is compliant with the AEC-Q100 (Grade 2) standard.

  • DA1458x refers to DA14585 and DA14586.

In addition, several software components and tools are required:

  • Bootloader

  • SUOTA Service

  • Image Creation Tool

  • Non-volatile Memory Programming Tool

Each of these items is described in the following sections and the following video provides an overview of the SUOTA process.

Demonstration of Dialog SmartBond™ DA145xx SUOTA

23. Cybersecurity Mechanism in SDK 6.0.24 for Secure Boot and SUOTA

The latest SDK, 6.0.24, introduces enhanced cybersecurity mechanisms to ensure secure boot and secure firmware updates for Bluetooth-enabled devices. These updates include support for encrypted and signed images.

The Secure Secondary Bootloader now supports booting encrypted and/or signed images, ensuring that only authorized firmware is executed. The bootloader allows for up to five decryption keys and five verification keys, which are securely stored in the OTP (One-Time Programmable) memory. To facilitate secure firmware updates, the mkimage tool is used to create:

  • Single SUOTA Images for direct firmware updates

  • Multi-Images, consisting of two single images combined with a product header, ensuring efficient memory allocation for SUOTA updates.

The encrypted/signed multi-application image is stored in external flash/EEPROM and transferred via Bluetooth to the SUOTA smartphone application. The SUOTA application includes an anti-rollback feature to prevent downgrading to older, potentially vulnerable firmware versions. These topics will be covered in detail in this tutorial, guiding you through the implementation of these security features step by step.

Figure 63 Cybersecurity Mechanism in SDK 6.0.24 for Secure Boot and SUOTA

23.1. Bootloader

The Software Update Over-the-Air procedure relies on a secondary bootloader. The secondary bootloader resides in the external non-volatile memory, along with one or more application images. In addition to the secondary bootloader, DA1453x/DA1458x devices contain a ROM-based bootloader that is executed (before the dual image bootloader) when a Power-on Reset or Hardware Reset occurs.

Figure 64 Bootloader Execution Overview

23.1.1. ROM Bootloader

When a Power-on Reset occurs, the ROM-based bootloader on the DA1453x/DA1458x device is executed. It searches for an application image that it can load into internal RAM and execute.

23.1.2. Secondary Bootloader

The secondary bootloader is stored in external non-volatile memory. When the ROM bootloader executes, it locates the secondary bootloader and loads it into RAM. The secondary bootloader then searches the external non-volatile memory for an application image. If one is found, it is loaded into RAM and executed.

golden image

The secondary bootloader uses the concept of a golden image, ensuring that the device is always recoverable, even in the event of a power failure during an update.

This important feature is discussed further in SUOTA Secondary Bootloader.
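
The boot-time decision implied by the signed-image, anti-rollback and golden-image descriptions above can be sketched as follows. This is an added example, not code from SDK 6.0.24: the `image_slot_t` fields, `select_boot_slot`, the `min_version` floor and the `demo_verify` stand-in (a constant comparison, not a signature check) are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NO_BOOTABLE_IMAGE (-1)
#define DEMO_TAG 0xA5A5A5A5u   /* constructed value, stands in for a good signature */

/* Hypothetical per-slot summary; not the SDK's image header layout. */
typedef struct {
    bool     valid;    /* header marked complete; stays false if an update was cut short */
    uint32_t version;  /* monotonically increasing firmware version */
    uint32_t tag;      /* constructed stand-in for the image signature */
} image_slot_t;

/* The caller supplies the real signature check; true means authentic. */
typedef bool (*verify_fn)(const image_slot_t *img);

/* Index of the newest bootable slot, or NO_BOOTABLE_IMAGE if none qualifies. */
int select_boot_slot(const image_slot_t *slots, size_t n, verify_fn verify,
                     uint32_t min_version)
{
    int best = NO_BOOTABLE_IMAGE;
    for (size_t i = 0; i < n; i++) {
        const image_slot_t *s = &slots[i];
        /* Ordered so the version is trusted only after authentication. */
        if (!s->valid || !verify(s) || s->version < min_version) continue;
        if (best < 0 || s->version > slots[best].version) best = (int)i;
    }
    return best;
}

/* Stand-in verifier for the constructed samples below; NOT cryptography. */
bool demo_verify(const image_slot_t *img) { return img->tag == DEMO_TAG; }

/* Constructed samples: {valid, version, tag}. */
const image_slot_t demo_updated[2]     = {{true, 4, DEMO_TAG}, {true, 5, DEMO_TAG}};
const image_slot_t demo_interrupted[2] = {{true, 4, DEMO_TAG}, {false, 5, DEMO_TAG}};
const image_slot_t demo_forged[2]      = {{true, 4, DEMO_TAG}, {true, 9, 0xDEADBEEFu}};
const image_slot_t demo_rollback[2]    = {{false, 0, 0}, {true, 2, DEMO_TAG}};

int main(void)
{
    printf("updated=%d interrupted=%d forged=%d rollback=%d\n",
           select_boot_slot(demo_updated, 2, demo_verify, 4),
           select_boot_slot(demo_interrupted, 2, demo_verify, 4),
           select_boot_slot(demo_forged, 2, demo_verify, 4),
           select_boot_slot(demo_rollback, 2, demo_verify, 4));
    return 0;
}
```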

23.2. Software Update Over-the-Air (SUOTA) Service

The Renesas SUOTA service is instantiated as a GATT Primary Service.

The service defines a control point through which a peer device can initiate a software update, and it defines two roles:

  • The SUOTA Initiator, which is the device that transmits the firmware image. It is the GATT Client for the SUOTA service and also holds the GAP Central role.

  • The SUOTA Receiver, which receives the new software image, stores the image in the external SPI Flash/EEPROM device and runs the new image. It is the GATT Server for the SUOTA service and also holds the GAP Peripheral role.

23.3. Image Creation & Non-volatile Memory Programming Tool

The SmartSnippets™ ToolBox contains a non-volatile memory programming tool that supports the creation of SUOTA images. Further details are provided in the following chapters.