Why Ignoring Firmware Over-The-Air (FOTA) Updates in Automotive ECU can be a Costly Mistake
Your smartphone can download the latest OS version over the air, that is, over a wireless connection without being physically plugged in.
A similar remote device management model is widely deployed for automotive and other IoT-based automation systems.
It is needed to manage and update the software packages in all the electronic components effectively.
This remote software management feature is called Firmware Over-The-Air (FOTA) or Over-The-Air (OTA) update.
While we used the smartphone as the example of an over-the-air upgrade, these firmware updates are far more critical in automotive ECUs.
Let’s look at some car recall instances that highlight the need for FOTA, and for doing it right.
Perils of Not making OTA/FOTA Part of your Product Development Process at the Design Phase
So far we have only talked about the FOTA update process itself; to understand its impact, we need to look at the perils of its absence.
Let’s start with a few examples:
- In 2015, a prominent automotive OEM had to recall 1.4 million cars after their electronic systems were hacked. The hackers were able to almost paralyze the vehicles by disabling the brakes. This was a major crisis for the OEM, which had to push out OTA updates to thousands of vehicles to mitigate the issue.
- Another automotive OEM faced the heat when its vehicles’ electronic system was hacked by security hackers in September 2016. The auto manufacturer had been working on code signing and cryptographic validation of OTA updates for months, and had to accelerate the rollout of these features following the attack.
- In yet another incident, a global automotive OEM released an over-the-air (OTA) update that made the infotainment system reboot every 30-40 seconds. To make matters worse, users were not even given the option to decline the update or roll back to an earlier version.
Moral of the story: you not only have to do OTA, you also have to do it right.
From cost overheads (due to recalls) to reputational damage, the absence of FOTA is undoubtedly detrimental to any automotive OEM.
Now that we know how important Firmware Over-The-Air upgrades are to automotive OEMs, let’s look at how the manual software update process works and why FOTA updates were needed.
How Manual Automotive ECU Firmware Update Works
The electronic control units are interconnected over a specific type of in-vehicle network interface/bus (CAN, LIN, MOST, FlexRay, etc.). A manual firmware update is performed with the help of a module that is connected to the automotive ECU externally.
Such a module acts as a gateway for software updates: the firmware updates for the control units are received by this IoT gateway module over the in-vehicle network.
The process may sound simple. But once we factor in the large number of automotive ECUs per firmware update, the compatibility of control units from different vendors, and the frequency of updates, we find ourselves confronted with numerous operational challenges.
Here is a brief snapshot of a possible scenario of manual automotive firmware update:
- A firmware update is usually required to release a new version of the software, resolve a bug or potential security threat, or to release a new feature.
- If the ECU has been sourced from a supplier, the supplier may be requested to release an update.
- Once the automotive software update is ready, the supplier ships it to the OEM, who tests it for QA and approves the version for release.
- Next, the OEM contacts the dealers as well as the customers by mail or phone to inform them about the update. Meanwhile, the OEM also sends the software update to the dealers.
- The customers will now have to visit their dealers and get the control unit updated. At the service center, the mechanic will connect the automotive ECU reprogramming tool to the vehicle’s network bus and access the control unit to be updated.
For this entire process, the dealer will charge the OEM for recall labour.
Sounds too complicated and costly, right?!
And this is where a Firmware Over-The-Air (FOTA) update has an edge and adds value to the process.
How Automotive Firmware Over-The-Air Update Works
In the era of Connected Cars, ADAS and Electric Vehicles, automotive ECU software influences many critical features of the vehicle.
All this has made software updates of automotive control units more critical and more frequent.
So we got in touch with our IoT consultants to understand more about the application of Firmware Over-The-Air (FOTA) updates in automotive applications.
Essentially, a FOTA update is a 3-step process: designing the update package, managing its delivery and re-flashing the automotive ECU.
Let’s explore each one of them:
Update Package Generation: This is the first stage of a FOTA update. A software update package is generated that contains the code to fix the identified control unit issue or to integrate the new feature.
The update can target a specific firmware component in the device or the entire device. The components of a FOTA update package can be the bootloader software, the firmware configuration and the application firmware.
Once the firmware build is ready with the intended changes, a FOTA image is generated with the necessary security settings and a checksum, which helps ensure code integrity during installation on the target device. The generated image is also tested locally to ensure the reliability of the firmware update.
Update Package Delivery Management: After the update package containing the bug fixes or the new feature is generated, it is pushed to a distribution platform. This platform may be controlled by the automotive OEM or the vendor.
The platform handles the versioning of the software along with the delivery of the software package to the intended car model and control unit.
The dealers can easily get the update package from this centralized platform, so the software package does not need to be distributed to the dealers separately. Hence, the time-to-market is reduced significantly.
Performing the FOTA Update: The two steps above did not involve the vehicle, as they are carried out by OEMs and vendors. The last step of the FOTA update, however, requires the vehicle to be able to accept the update and execute it.
For this, a component (a Telematics Gateway Unit, to be precise) is required that can establish a connection with the update server.
On the device side, FOTA can be triggered in two ways: by the Delivery Management system, or by the device itself checking whether a firmware update is available on the server. A time interval can be defined for this check.
Once the firmware update image is available, the device downloads it from the server over a secure channel. The device then checks the integrity of the downloaded image by calculating and verifying the checksum of the package.
After the package integrity is verified, the device authenticates the source of the image and then proceeds to update the device. After the update, the device notifies the server with the updated version number.
Here, the onus is on the OEMs to integrate a gateway unit in the car that can serve as a client to download the ECU firmware update and execute it on the intended vehicle ECU.
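The package generation step (image plus checksum and security settings) and the device-side check order (integrity first, then source authentication, then report the new version) can be shown together. This is an added example, not code from the article or any OEM: the Manifest layout, the ECU name "BCM" and the image bytes are constructed; a plain checksum only catches accidental corruption, so the OEM signature (Ed25519 here, as an assumption) is what authenticates the source, and the monotonic version check is an addition that prevents an older signed image from being reinstalled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Manifest is a hypothetical package header: target ECU, version, image digest, OEM signature.
type Manifest struct {
	ECU     string
	Version uint32
	Digest  [32]byte
	Sig     []byte
}

// signed binds ECU and version to the digest, so a valid image cannot be replayed elsewhere.
func (m Manifest) signed() []byte {
	return append([]byte(fmt.Sprintf("%s|%d|", m.ECU, m.Version)), m.Digest[:]...)
}

// BuildPackage is the OEM side (package generation): hash the built image and sign the manifest.
func BuildPackage(priv ed25519.PrivateKey, ecu string, version uint32, image []byte) Manifest {
	m := Manifest{ECU: ecu, Version: version, Digest: sha256.Sum256(image)}
	m.Sig = ed25519.Sign(priv, m.signed())
	return m
}

// VerifyPackage is the gateway/ECU side, in the article's order: integrity of the download,
// then authenticity of the source; the version check is added so a rollback is rejected.
func VerifyPackage(pub ed25519.PublicKey, m Manifest, image []byte, installed uint32) (uint32, error) {
	if sha256.Sum256(image) != m.Digest {
		return 0, fmt.Errorf("integrity check failed: digest mismatch")
	}
	if !ed25519.Verify(pub, m.signed(), m.Sig) {
		return 0, fmt.Errorf("source authentication failed: bad signature")
	}
	if m.Version <= installed {
		return 0, fmt.Errorf("rollback rejected: version %d is not newer than %d", m.Version, installed)
	}
	return m.Version, nil // the version the device reports back to the server
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed OEM key pair for the example
	image := []byte("constructed firmware image for the example")
	m := BuildPackage(priv, "BCM", 42, image)
	fmt.Println(VerifyPackage(pub, m, image, 41))
}
```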
Future of FOTA in Automotive
The automotive industry has evolved along the lines of the mobile phone industry in terms of software. Updating the automotive ECUs is no longer optional; for certain scenarios, it is indispensable.
And as the updates are getting more frequent, the OEMs cannot expect customers to visit the dealer for every update.
FOTA has to be made a regular feature in vehicles as it will help the OEMs to save on manpower and other costs. Also, vehicles will not have to be driven to garages or service stations for ECU firmware updates. The customer delight earned from this will be an added bonus.