PUBLIC

OSVALDO ROMEROAPPLICATIONS ENGINEER

STEVE MIHALIK

SENIOR FIELD APP ENGINEER

AMF-AUT-T2341

FIRMWARE UPDATES FOR

AUTOMOTIVE EDGE NODES

1 PUBLIC

AGENDA

• FOTA Overview

• S32K Portfolio

• S32K Use cases

• Secure OTA in S32K144

2 PUBLIC

Objective

• Overview of OTA and its challenges.

• Understand how NXP handles over the air updated in their portfolio.

• Understand how to handle over the air updates in low cost edge nodes MCUs such

as S32K devices.

3 PUBLIC

FW OVER THE AIR

OVERVIEW

4 PUBLIC

Today: 90% of Auto Innovation via electronics

#1 Auto Analog/ RF #1 Auto MCU (ex JPN) #1 Auto Merchant MEMS Sensors

#1 INFOTAINMENTTUNERS

SOFTWARE-DEFINED DIGITAL RADIO

MULTIMEDIA PROCESSORS

SOUND SYSTEM DSPs & AMPLIFIERS

NFC BT PAIRING

WIRELESS POWER CHARGING

POWER MANAGEMENT

#1 SECURE CAR ACCESSIMMOBILIZER/ SECURITY

REMOTE KEYLESS ENTRY

PASSIVE KEYLESS ENTRY/ GO

BI-DIRECTIONAL KEYS

NFC

ULTRA WIDE BAND

ADAS & SECURITY POWERTRAIN & CHASSISMICROCONTOLLERS

PRESSURE/ MOTION SENSORS

BATTERY MANAGEMENT

DRIVERS

STANDARD

PRODUCTSLOGIC

POWER

DISCRETES

#1 VEHICLE NETWORKINGCAN/LIN/ FLEXRAY

ETHERNET

CENTRAL GATEWAY CONTROLLER

SECURITY

RF

#1 SAFETYMICROCONTROLLERS AIRBAG

ANALOG AIRBAG

MICROCONTROLLERS BRAKING

ANALOG BRAKING

SENSORS BRAKING

TIRE PRESSURE MONITORING

#1 BODYMICROCONTROLLERS

POSITION/ ANGLE SENSORS

SYSTEM BASIS CHIPS

NXP is #1

5 PUBLIC

FOTA Overview: Common Recall Process

• Done at a dealer

• A special hardware tool is used

• Engine is not running

• The target node application is halted

• Main application erased and reprogrammed

6 PUBLIC

FOTA Overview: Motivations

• Increasing number of recalls

• Dealer update $

• As firmware complexity increases, the probability of required firmware updates also

increases

• User convenience vs going to dealer

• Safety can be improved with quicker updates

7 PUBLIC

OEM

Server

FOTA Overview: MOVING DEEPER INTO THE VEHICLE

FOTA Update of Infotainment & Telematics Systems

High DensityNVM

OEM

Server

High DensityNVM

e.g. Telematics Unit

Infotainment Unit

e.g. Powertrain ECU

High DensityNVM

e.g. Telematics Unit, Gateway

High DensityNVM

Embedded NVM

Embedded NVM

Embedded NVM

Infotainment Unit

e.g. Braking ECU

e.g. Body ECU

FOTA Update of Major ECUs within the vehicle

New Challenges with this architecture:- Security throughout- Cost sensitivity of embedded ECUs- Embedded NVM vs High Density NVM- Strategy of when & what to update

Central In-vehicle FOTA Server

In-vehicle FOTAClients

Focused on updates to software on the infotainment & telematics, but not propagating further into the vehicle architecture

8 PUBLIC

FOTA Overview: Moving Deeper in the Vehicle

9 PUBLIC

FOTA Overview: A/B Swap Use Case

Reset vectors to bootloader, which is never erased

Current

Firmware

Bootloader

Old

Firmware

Flash

prior to

update

Current

Firmware

Bootloader

New

Firmware

Flash

after

updateNew

Firmware

Bootloader

Current

Firmware

Flash

after next

key-on

Advantages:

• Update can be carried out while current application is actively running from flash

• Always have original firmware to roll back to in case of issue

• Vehicle is always available – guaranteed no vehicle downtime regardless of update errors

Disadvantage:

• Requires ~2x flash application storage

10 PUBLIC

FOTA Overview: In Place Use Case

Reset vectors to bootloader, which is never erased

Current

Firmware

BootloaderFlash

before to

update New

Firmware

Bootloader Flash

after

update

Advantages:

• No need for additional flash Disadvantage:

• Requires vehicle downtime during update process

• Not possible to instantly “roll-back” if an issue occurs

11 PUBLIC

FOTA Overview: Assumptions

• End node:

− gets partial or full image for flashing

− will have at least enough spare erased flash for a full image

− receives updated software over serial link

− has boot block which never changes with OTA updates

• Best case: update is performed while running existing software

• Before new firmware becomes active, application/boot firmware can perform:

− Security validation

− Functional validation

• New firmware starts on reset following the update completion

12 PUBLIC

FOTA Overview: Challenges AT CHIP

• Additional memory for AB swap

• Remapping

• Read while write

• Security

13 PUBLIC

FOTA Overview: Automotive FOTA MAPM

em

ory

Siz

e

S32K144

Over the air update

S32K146

S32K148

Full

IMX

Partial

MPC5748G

General

Purpose

Gateway

Infotainment

Other

MPC57xx

14 PUBLIC

FOTA Overview: FULL FOTA DEMO

• This demo was designed to demonstrate firmware update capabilities common on many

NXP devices. The demo platform uses two MPC5748G evaluation boards:

− One will send update via CAN

− Other receives update, programs into flash and makes it the default firmware for next boot

• Key features:

− Flash remapping – map sections of flash to different addresses, providing a simple method to

switch between firmware

− Flash Read-While-Write (RWW) capability (Being able to erase and program a block of flash whilst

simultaneously executing from another block)

− Firmware Authentication (Confirming that the firmware is from a valid source and that it has not

been tampered with during transmission)

15 PUBLIC

S32K PORTFOLIO

16 PUBLIC

S32K Portfolio: Targeting General Purpose Applications

Battery Management Tire pressure receiverWireless chargingHuman machine interfaceBody control module

Climate control Door/Window/sunroof Near Field Communication Lighting Secure transmission / encryption in cars

Chassis systemsPMSM/BLDC motorcontrol Touch sensing Park assist

Nox reduction systems

Motorbike ECU/ABS DC/DC converters

E-shifter

Rear view camera tilt Steering wheel electronics

17 PUBLIC

S32K Portfolio: S32K For Edge Nodes

roof

module

Door control

front left

Door control

front right

Door control

rear left

Door control

rear right

HVAC

main

Park

heating

Steering

column

module

Park

assistance

Ambient

lighting

heater

left

fan

right

fan

left

Front power

module left

front power

module right

energy

manager

HVAC

rear

TPMS

Antenna

Car Access

module

Wiper

Control

heater

right

dashboard

Seat

control

Steering sensors

angle/torque

Gateway /

Body (Domain)Control Module

Engine

control

Stability

control

Transmission

control

Damping

control

(Adaptive) Cruise

control

Headlight

control

Anti-lock

brake

Battery

management

rain light

sensor

immolighting

switch

start/stop

CAN (FD)

LIN

FlexRay

Ethernet

Diagnosis

flapper

1

flapper

...

Surround View

Cam 1

Cam 4Cam 2

Cam 3

Radar

Unit

Sens1

Sens 4Sens 2

Sens 3

ADAS Unit

Remote Tuner

Amplifier

Display Front

Display Rear

Display Rear

Telematics

Box

Window

Mirror

Powertrain/Chassis

Unit

Gateway /

Body (Domain)Control Module

BackboneHead Unit

2B NODES IN 2014

4B NODES IN 2020

OVERGROWING

AUTOMOTIVE MARKET

KEY ENABLER FOR ALL CAR

INNOVATION

COMMUNICATION, ENERGY

MANAGEMENT, SAFETY, SECURITY

18 PUBLIC

Crossbar Switch with MPU

RAM

Up To

64KB

System

Periphera

l

Bridge Flash

Up To

512K

NV

IC

Cortex M4F

112 MHz

FPU, DSP, MPU,

4 KB I/D-Cache

Dflash

Up To

64KB

RTC

PMC2.7 - 5.5V

FLL Clk Mult

Ext Osc (8 - 40MHz)

Fast R/C OSC(48MHz 1%)

LP OSC (128KHz 10%)

SCG

High performance

• ARM Cortex M4F up to 112MHz w FPU

• eDMA from 57xxx family

Software Friendly Architecture

• High RAM to Flash ratio

• Independent CPU and peripheral clocking

• 48MHz 1% IRC – no PLL init required in LP

• Registers maintained in all modes

• Programmable triggers for ADC no SW delay

counters or extra interrupts

Functional safety

• ISO26262 support for ASIL B or higher

• Memory Protection Unit

• ECC on 512K Flash / 64K Dataflash and RAM

• Independent internal OSC for Watchdog

• Diversity between ADC and ACMP

• Diversity between SPI/SCI and FlexIO

• Core self test libraries

• Scalable LVD protection

• CRC

Low power

• Low leakage technology

• Multiple VLP modes and IRC combos

• Wake-up on analog thresholds

Security

• CSEc (SHE-spec)

Digital

Components

5V Analogue

ComponentsMCU Core

and Memories

Operating Characteristics

• Voltage range: 2.7V to 5.5V

• Temperature (ambient): -40°C to +125°C

Packages & IO

• Open-drain for 3.3 V and hi-drive pins

• Powered ESD protection

• Packages: 100 BGA, 64 LQFP, 100 LQFP

secu

rity

Slow R/C OSC(8MHz 3%)

16ch

eDMA

LVD

WDOG EWM

Debug

SWD JTAG

Communications / I/O System

2x A

DC

16ch 1

2bit

AC

MP

W 8

-bit D

AC

4x F

lexT

ime

r8ch 1

6-B

it

3x F

lex C

AN

1 w

ith

FD

2x P

DB

3x S

PI

1x I

2C

Flex IO

I2S

UA

RT

SP

ILP

IT

CR

C

3x U

AR

T/L

IN

S32K Portfolio: S32K144 Block Diagram

19 PUBLIC

FlashPin Count

16/24 32 48 64 80 100 100 BGA 144 176

2M S32K148 S32K148 S32K148

1M S32K146 S32K146 S32K146

512K S32K144 S32K144 S32K144

256K S32K118S32K142 /

S32K118S32K142

128K S32K116 S32K116 KEAZ128 KEA128

64KKEAZN64 /S32K114

S32K114 KEAZ(N)64 KEAZ64

32K KEAZN32 KEAZN32

16K KEAZN16 KEAZN16

8K KEAZN8

*potential option

S32K Portfolio: S32K1xx / KEA Product Series Compatibility

• Pin Compatibility:

− Within S32K1xx product series

− To KEA products

• IP Compatibility:

− With MPC55xx/MPC56xxx/MPC57xxx product series:

FlexCAN, eDMA, QuadSPI

− With Freescale Kinetis and KEA products:

FlexTimer, IIC, LSPI, UART, ADC, CRC, FlexIO

20 PUBLIC

S32K Portfolio: Flash System

256 KB 256 KB

Bank 0

Program Flash

128bits

Flash Controller

128bit Prefetch buffer

128bit Store buffer

64 KB

Bank 1

FlexNVM

64 bits

64bit Prefetch buffer

64bit Store buffer

32 bits

XBAR

4 KB

FlexRAM

S0

32bits

EEPROM

emulation

21 PUBLIC

S32K Portfolio: Flash Arrays

FOTA relevant features:

• Sector size (= minimum erase size)

4K Bytes in Program Flash (bank 0)

2K Bytes in Data Flash (bank 1)

• Read-While-Write (RWW) features between Bank0 (Program Flash) and Bank1 (Data Flash)

Key additional flash features:

• C90TFS (Thin-Film-Storage) technology

• ECC support: Single Bit Error Correction and Double Bit Error Detection

− 32bit ECC word in data flash

− 64bit ECC word in program flash

• Access time: Flash clock is about #1/4 of the core clock

22 PUBLIC

S32K USE CASES

23 PUBLIC

S32K Use Cases: S32K144 A/B Swap

S32K144

Device

• Flash driver

• Flags

• User data

64 KB

Array1

Bootloader

Image B

256 KB

New

image

Sector

to update

60KB

010110010110011001010101010

110101011110000101010101010

101010101010101010101010101

010101010101001011110000010

110010101010010101010101011

Program Flash

Bank 0Data Flash

Bank 1

SRAM

Array 0

Bootloader

Image A

256 KB

Update over CAN

Over the air update

New

firmware

image

GATEWAY

EDGE NODE

MPC5748G

Device

24 PUBLIC

S32K144

Device

• Running:

Bootloader

• No new image

available

• Branch to image A

Update imageC

AN

BU

S

CA

N B

US

Handshake

flag

S32K144

Device

Running: Image A

• Update request

• New image flag set

S32K144

Device

Running: Bootloader

• New image request

detected

• Check program flash

array available

S32K144

Device

Running: Bootloader

• No new image

available

• Branch to image A

S32K Use Cases: A/B Swap Steps (1 of 4)

25 PUBLIC

S32K Use Cases: A/B Swap Steps (2 of 4)

S32K144

Device

Running: Bootloader

• Download flash

driver to

Dflash/RAM

Flash

CMDs

CA

N B

US

CA

N B

US

Handshake

flag

26 PUBLIC

CA

N B

US

S32K144

Device

Running: Bootloader

• Receive new

image segment

• Write new segment

in RAM

S32K144

Device

Running: DFLASH (or

RAM if desired)

• If necessary, erase

older image, but not

bootloader!!!

• Write new image

segment in flash array

available

• When completed

branch to bootloader

New image

segment

S32K144

Device

Running: Bootloader

• Handshake for

next segment

CA

N B

US

Request new

image

segment

Loop until completed

S32K Use Cases: A/B Swap Steps (3 of 4)

27 PUBLIC

S32K144

Device

Running: Bootloader

• Set update flag

completed

• Issue a reset

S32K144

Device

Running: Bootloader

• New image flag

detected

• Update complete flag

detected

• Update flash side

available

• Branch to new image

S32K144

Device

Running: Image B

Erase update status

flags

S32K Use Cases: A/B Swap Steps (4 of 4)

28 PUBLIC

1. Have two separate object files

− Requires more overhead in file management!

2. “Fix up” references to flash addresses in startup code.

Examples: (assume one binary; all source is compiled at same time so there are

no external references):

− Masters (like DMA) reference to flash: boot code defines offset variable that is used in

code

DMA.SADDR = 0x100000 + OTA_offset;

− Code constants: Use RAM based table for references that contain OTA offset variable

− Function calls & branches

S32K Use Cases: A/B Swap Options without Flash Remapping

29 PUBLIC

Pros/Limitations

- Pro: A-B swap allows backup immediately available

- Limitation: compared to large MCUs with multiple code partitions, updating the

image cannot be done live

S32K Use Cases: A/B Swap Summary for S32K144

36 PUBLIC

• Larger program flash and data flash

• External QuadSPI (serial flash) support

− Enables option of storing current and new FW in serial flash.

Simpler recovery to prior version – no need to resend from gateway or OTA

New image can be stored “at leisure” then updated faster from local memory

S32K Use Cases: Looking forward: S32K148

37 PUBLIC

S32K SECURITY

38 PUBLIC

S32K14x Security: Security – Why Worry?

• Same problem which Julius Caesar faced 2000 years ago.

• Avoid hacker attacks

• Prevent reprogramming

• Steal OEM firmware

• Use cases

- Immobilizer / Component Protection

- Mileage Protection

- Secure Boot

- Secure Communication

39 PUBLIC

S32K14x Security: SHE – An Early Automotive Security Standards

• Background:

− Created by Audi (main driver), BMW and Escrypt

− Published as a official HIS standard(HIS => Herstellerinitiative Software, German for 'OEM software initiative')

• Key features of the SHE specification:

− A secure storage for crypto keys

− Crypto algorithm acceleration (AES-128)

− Secure Boot mechanism to verify custom firmware after reset

− Offers 19 security specific functions

− Up to 10 general and 5 special purpose crypto keys

40 PUBLIC

S32K14x Security: Cryptographic Secure Engine (CSE) uses SHE

CSE1 CSE2CSE3

CSEc

• SHE Specification

Implementation

Support additional

customer

requirements

• More keys

• New key attributes

• More Secure Boot

features and

behavior

• New functions

• Support extern flash memory

• Encrypted key images

• Works with OTP-keys

• ISP code protection

Flash-less ready

Optimized Security for

Low-End MCU

1st Automotive

Security Module

ARM CoresPPC Cores

41 PUBLIC

S32K14x Security: S32K Security Module (CSEc) – Overview

• SHE functionality moves from dedicated master module into the flash system

• Secure key storage only accessible by CSEc

• Crypto Keys

− Several General-Purpose keys

− Special Purpose keys

(e.g. Secret, Master and Secure-Boot Key & CMAC)

− Support of additional encrypted keys in public flash memory.

• True Random Number System

• CSEc supports AES-128 with

ECB, CBC and CMAC mode\

• Use Cases

- Secure Boot - Check Boot Loader for Integrity and Authenticity

- Check parts of Flash Memory for Integrity and Authenticity

- Secure Communication

- Component Protection

Status

Register

Programm

Flash

Flex NVM

FlexRAM

SecureNVM

Memory

Controller

Control

Register

InterruptsRegister

Access

MCU

Flash Controller

Cortex-

M4FDbgConnect

CSEc

42 PUBLIC

SUMMARY

• Firmware is increasing in the vehicle.

• FOTA is necessary in today’s vehicles

• NXP portfolio can help in your FOTA application

• CSEc for secure FOTA