Making Full Vehicle OTA Updates a Reality

At present, few vehicles actually have the ability to receive updates. Even the cars that do support over-the-air (OTA) updates are only designed to update the infotainment or telematics systems.

March 17, 2016

The advantages of being able to perform in-the-field software updates to cars are well established: it will save manufacturers money, enable critical bugs to be patched immediately, and allow compelling new features to be added to the vehicle at any time during its lifecycle. At present, however, few vehicles actually have the ability to receive updates. Even the cars that do support Over-The-Air (OTA) updates are only designed to update the infotainment or telematics systems. If an OEM discovers a fault in the firmware that controls a critical function such as the brakes or an airbag, then the vehicle has to be returned to the dealership. Electronic Control Units (ECUs) that control features like the engine, brakes, and steering sit deeper within the vehicle network architecture, and are typically Microcontrollers (MCUs) with small amounts of embedded Flash and RAM. This brings constraints which require a different update approach.

Unlike a mobile phone or PC, car owners will not tolerate downtime of their vehicles while updates take place. Therefore, updates critical to vehicle operation should ideally take place seamlessly and invisibly in the background.

Overview of Update Flow

The diagram above shows the key components which take the update file from the OEM’s servers to the specific ECU within a vehicle. A secure connection is set up over a cellular network between an individual vehicle and the server. This allows the new, updated firmware to be sent securely to the vehicle’s Telematics Unit, and then on to the OTA Manager. The OTA Manager manages the update process for all ECUs within the vehicle. It controls the distribution of firmware updates to ECUs and will tell each ECU when to perform the update. This is important when multiple ECUs need to be updated simultaneously, e.g. to add a new feature to the vehicle which involves multiple ECUs. Once the update process is complete, the OTA Manager will send confirmation to the OEM.

An external NAND Flash can be fitted to the ECU which runs the OTA Manager, so that firmware updates can be stored until they are required. The external Flash can also be used to store backup copies of the firmware for other vehicle ECUs. These can be called upon if a major fault during an update leaves an ECU without any working firmware. The backup copies would be protected by encryption and authentication to prevent any tampering with the firmware while it is stored in the external memory module.

The OTA Manager contains a table of every ECU within the vehicle, including information such as serial numbers and current firmware version. This allows the OTA Manager to verify firmware updates which arrive and ensure that they are authorized for use in this vehicle. If the ECU being updated does not have security functionality, then the OTA Manager would also be responsible for decrypting and authenticating the incoming update.
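
The table check described above can be sketched as follows. This is an added example, not code from the article or from any OEM. The table layout, field names, key and reason strings are hypothetical, HMAC-SHA256 with a shared key stands in for whatever authentication scheme the OEM uses, and rejecting an update that is not newer than the installed version is an assumption of the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class EcuRecord:
    serial: str
    fw_version: tuple   # firmware currently installed, e.g. (1, 4, 0)
    has_crypto: bool    # False: the OTA Manager must authenticate for this ECU

# Constructed sample of the OTA Manager's per-vehicle ECU table.
ECU_TABLE = {
    "brake": EcuRecord("BRK-000123", (1, 4, 0), has_crypto=False),
    "engine": EcuRecord("ENG-000456", (2, 0, 1), has_crypto=True),
}

# Constructed demo key. Assumption: HMAC-SHA256 stands in for the OEM's scheme.
OEM_KEY = b"constructed-demo-key"

def make_tag(ecu_id, serial, version, image, key=OEM_KEY):
    """MAC over metadata plus image, so an image cannot be retargeted."""
    header = f"{ecu_id}|{serial}|{'.'.join(map(str, version))}|".encode()
    return hmac.new(key, header + image, hashlib.sha256).digest()

def check_update(ecu_id, serial, version, image, tag):
    """Decide whether an incoming update may be staged. Returns (ok, reason)."""
    rec = ECU_TABLE.get(ecu_id)
    if rec is None:
        return False, "unknown ECU"
    if rec.serial != serial:
        return False, "serial mismatch"
    if not rec.has_crypto:
        # ECU cannot verify for itself, so the OTA Manager authenticates.
        expected = make_tag(ecu_id, serial, version, image)
        if not hmac.compare_digest(expected, tag):
            return False, "authentication failed"
    # Assumption of this example: refuse anything not newer than installed.
    if tuple(version) <= rec.fw_version:
        return False, "not newer than installed"
    if rec.has_crypto:
        return True, "forward for ECU-side authentication"
    return True, "authorized"

if __name__ == "__main__":
    image = b"\x00constructed firmware image\xff"
    good = make_tag("brake", "BRK-000123", (1, 5, 0), image)
    print(check_update("brake", "BRK-000123", (1, 5, 0), image, good))
    print(check_update("brake", "BRK-000123", (1, 5, 0), image + b"!", good))
```

Because the tag covers the ECU identifier, serial number and version as well as the image, an authentic image built for one ECU or vehicle fails the check when presented for another.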