
Firmware over-the-air (FOTA) updates are essential for improving system quality, adding new features after initial release, fixing bugs and vulnerabilities, improving system performance, and reducing recall and service costs. As new features are added, the size and complexity of the firmware stored in flash memory typically increases, inevitably leading to increased FOTA completion times.
Most of this time is spent on erasing and reprogramming. Beyond optimizing the user experience through faster updates, the irreversible nature of these operations must also be considered.
Another important consideration is that FOTA operations should ideally be performed in a stable environment similar to flash programming in a production environment. However, field update environments are relatively harsh and unstable. To avoid lengthy, risky, or potentially critical FOTA operations, the time required should be minimized.
But field updates are also vulnerable to various security threats, so thorough preparation is essential. These threats can range from third-party attacks to arbitrary modifications attempted by the product owner. This article outlines key considerations for implementing FOTA.
FOTA basics
FOTA is a technology that remotely updates a device’s firmware via wireless networks such as Wi-Fi, 5G, LTE, or Bluetooth without a physical connection. The flash memory used in this process serves as a core hardware resource, either temporarily storing the update package or ultimately writing the new executable code.
Let’s first examine the classification of FOTA based on flash memory configuration. This classification is determined by whether the flash memory is located internally or externally.
- Dual-bank architecture, internal NOR flash memory method
The dual-bank flash memory within the MCU is divided into an active slot and a passive slot, so the existing software can keep executing from one slot while a new update is downloaded to the other. This approach features a simple hardware configuration, high security, and fast bank switching through address remapping. However, it requires a flash memory density of twice the software size, which increases hardware costs.
- External NOR flash memory method
This method uses external NOR flash memory connected to the application processor (AP)/microcontroller (MCU) via the QSPI (Quad SPI) or OSPI (Octal SPI) interface. Its large flash memory density makes it ideal for large-scale software updates. The update file or binary image is stored in flash memory and then copied to the internal flash memory. This method overcomes internal memory limitations and facilitates the storage of multiple versions of backup binary images, including emergency recovery binary images.
Let’s look at the classification of FOTA based on its implementation mechanism. These mechanisms can be used independently or combined and reconfigured.
- A/B update (seamless update)
The active slot (bank), where the current software/firmware is running, and the passive slot (bank), which receives update downloads, are physically separated, and software is installed or disabled across the two banks. This physical separation ensures that even if power is cut or a malfunction occurs during an update, the bank where the current software is running is preserved, preventing bricking.
- Execute-in-place (XIP) and concurrency
Here FOTA relies entirely on external NOR flash memory: code is read and executed directly from the external NOR flash memory. The technique involves executing code in one flash memory area while simultaneously downloading new updates to another area. However, the large-capacity NOR flash memory used for FOTA is logically configured as a single bank, even when using multi-chip packaging technology. Therefore, the use of XIP for FOTA is limited.
- Delta update
A delta update receives only the changed portions, as differences or patches, rather than the entire software update or binary image. By reducing the amount of data transmitted, it shortens the time required for FOTA and saves flash memory writes (program/erase cycles). Currently, optimized compression algorithm solutions are being employed to enable delta updates even on MCUs with low hardware specifications.
Reliability and security enhancements
FOTA design goes beyond simply writing data. It focuses on maximizing uptime (zero downtime) by leveraging safety, efficiency, and continuity, and securely controlling flash memory within a Trusted Execution Environment (TEE).
- Integrity verification
To ensure that data written to flash memory has not been corrupted or altered, the digital signature of the downloaded data is verified using a hardware security module (HSM) or TrustZone. After writing to flash memory, a checksum or CRC check is performed on the entire area to check for defects in the flash memory.
- Rollback
If a boot failure occurs with a new update or software, the system must have the ability to immediately revert to the previous version.
- Flash memory life management (wear leveling)
Maximize the hardware lifespan of flash memory by preventing flash writes from being concentrated on specific areas of flash memory.
- Secure boot integration
The root of trust (RoT) verifies that the software written to flash memory is signed by a trusted manufacturer.
- Secure storage
In addition to securing communication between the host and flash memory, flash memory must provide secure storage. The latest secure flash memory features a built-in HSM, enabling real-time encryption and decryption without performance degradation and providing secure storage capabilities.
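The integrity-verification and rollback items above, combined with the A/B slot layout described earlier, can be expressed as a bootloader decision. The following C code is an added example, not code from the article or from any vendor: the slot record, its field names, the three-attempt trial limit and the choice of CRC-32 are assumptions, and the signature check is taken to have been done by the HSM before the CRC was recorded.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical slot record kept by the bootloader; names are assumptions. */
#define MAX_TRIAL_BOOTS 3
enum slot_state { SLOT_EMPTY, SLOT_PENDING, SLOT_CONFIRMED, SLOT_BAD };
struct slot {
    const uint8_t *image;  /* memory-mapped start of the image */
    uint32_t len;          /* image length in bytes */
    uint32_t crc;          /* CRC-32 recorded once the signature check passed */
    enum slot_state state;
    uint8_t attempts;      /* trial boots used while PENDING */
};

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320, as used by zlib/Ethernet). */
uint32_t crc32_calc(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Post-write check: re-read the whole slot and compare with the recorded CRC. */
int slot_intact(const struct slot *s)
{
    return s->image && s->len && crc32_calc(s->image, s->len) == s->crc;
}

/* Returns the slot to boot (0 or 1), or -1; `active` is the last confirmed slot. */
int select_boot_slot(struct slot s[2], int active)
{
    int other = 1 - active;
    if (s[other].state == SLOT_PENDING) {
        if (slot_intact(&s[other]) && s[other].attempts < MAX_TRIAL_BOOTS) {
            s[other].attempts++;   /* a real loader persists this before jumping */
            return other;          /* trial boot of the new image */
        }
        s[other].state = SLOT_BAD; /* corrupt or never confirmed: roll back */
    }
    if (s[active].state == SLOT_CONFIRMED && slot_intact(&s[active]))
        return active;
    return -1;                     /* neither slot usable: use a recovery image */
}

/* The application calls this after booting and passing its self-test. */
void confirm_slot(struct slot *s) { s->state = SLOT_CONFIRMED; s->attempts = 0; }
```

A new image that never calls `confirm_slot` uses up its trial boots and is marked bad, after which the previously confirmed slot boots again.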
NOR in FOTA architecture
Of the approaches described above, the FOTA architecture utilizing external NOR flash memory is a strategy that overcomes the physical limitations of embedded memory and maximizes system flexibility. As of 2026, the role of external NOR flash memory is becoming increasingly important due to the increasing size of firmware and strengthened security requirements.
FOTA utilizing external NOR flash memory offers overwhelming advantages over embedded methods in terms of safety, density, and flexibility, and is becoming the standard for industrial devices requiring high reliability and smart devices using large-capacity firmware. We will delve into the five key advantages of FOTA using external NOR flash memory.
- Scalability and cost efficiency
  - Large image accommodation: Firmware containing the latest operating systems (RTOS, Embedded Linux), graphics libraries, and AI models often exceeds tens of MBs in size. Adding relatively inexpensive external NOR flash memory is more advantageous for reducing overall bill of materials (BOM) costs than increasing the internal flash capacity of expensive MCUs.
  - Multi-image storage: Simultaneously storing multiple versions of firmware backups and user data images dramatically increases memory resource management flexibility.
- Provides a stable backup and rollback environment
  - Fail-safe mechanism: Even if a power failure or communication error occurs during an update, the existing executable code in the internal flash remains intact. The replacement process only begins after the new image has been fully downloaded and verified to prevent bricking.
  - Factory recovery: Factory recovery firmware can be stored in external memory. If a critical bug is discovered in a new version, the device can be immediately restored to a stable previous version or factory settings from external memory without a server connection.
- Minimized downtime
  - Non-intrusive background downloads: The internal flash memory focuses on running the current application, while the external flash memory receives data in the background via an independent bus. This facilitates zero-downtime implementation, ensuring device service is not interrupted even while receiving update packets.
  - Bus separation: Using separate interfaces such as QSPI and OSPI prevents bus conflicts between internal memory access (instruction fetch) and external memory access (update write), minimizing system performance degradation.
- Extended flash life and maintainability
  - Internal flash memory protection: Flash memory has a limited number of write/erase cycles (P/E cycles). During development with frequent updates or when frequent firmware changes are required, a significant portion of write operations are handled by external memory, protecting the life of the MCU’s internal flash, which cannot be replaced.
  - Modular capacity expansion: Even if firmware capacity increases due to added functionality in the product lineup, the burden of hardware redesign is reduced because the external flash memory alone can be replaced with a larger-capacity part without replacing the MCU.
- Security and data isolation
  - Physical isolation: The executable code (internal) and the update standby image (external) can be physically separated and managed.
  - Security update patch: By storing the firmware in an encrypted state in external memory, decrypting it only at boot time, and loading it into internal memory or RAM, an additional layer of defense against firmware theft attacks can be added.
FOTA implementation
The success of a FOTA solution hinges on the ability to provide secure and seamless updates. The implementation of the above architecture will be key to achieving this.
The automotive industry is already responding to the changes that make FOTA essential. As the transition to software-defined vehicles (SDVs) becomes more concrete, demand for software updates is skyrocketing. This is because it enables flexible changes or additions to vehicle functions even after mass production, enabling rapid response to errors and defects and continuous delivery of new services to customers.
As the frequency of software updates increases, their importance is also increasing. The United Nations Economic Commission for Europe (UNECE) WP.29 enacted R156 in June 2020, which now covers not only passenger cars, commercial vehicles, and trailers with towing devices, but also agricultural machinery equipped with software update capabilities.
UNECE WP.29 R155 and R156 define the requirements OEMs must meet in the areas of cybersecurity and software updates. UNECE regulations R155 and R156 introduce framework conditions for cybersecurity and software update capabilities for all vehicles. They also require automakers to establish certified Cyber Security Management Systems (CSMS) and Software Update Management Systems (SUMS).
R155 requires the establishment of a cybersecurity risk identification and response system, consideration of security throughout the entire vehicle lifecycle, documentation and maintenance of a CSMS based on ISO/SAE 21434, and submission of documentation and evidence during the Vehicle Type Approval (VTA) audit.
R156 addresses the security assurance of OTA or wired updates, change impact analysis and verification systems, update history management, and auditability. It’s based on the ISO 24089 standard for software updates.
The introduction of FOTA is no longer an option. It’s essential for improving system quality, adding new features, fixing vulnerabilities, enhancing system performance, and reducing recall costs.
We have examined the important considerations before adopting these new solutions. In addition to providing safe and fast update methods for improved user experience, we have also briefly discussed the security regulations that must be considered.
Scott Heo is lead principal engineer at Infineon Technologies.