Firmware

By RIOD Engineering · June 26, 2026

Secure OTA Architecture for EV Chargers

OTA gone wrong bricks fleets. The engineering fix is a design that architecturally minimizes bricking, and treats safety as a boot-time invariant instead of a firmware convention.

This is the architecture we run in production, at chargers where remediation costs are measured in truck rolls.

Secure OTA Architecture for EV Chargers

The threat model

Threats to defend against: bad firmware pushed (bug or malicious), power loss mid-update, network drop mid-download, malicious rollback to a known-vulnerable version, unsigned images injected via the local port.

Each threat has a specific mitigation in the architecture. Not all mitigations are visible to the OTA API; some are baked into the bootloader and flash layout.

Dual partition (ping-pong) storage

Two firmware slots in flash. New image writes to the inactive slot. Bootloader checks the requested slot's signature against the trusted root, verifies the CRC, then boots.

If boot fails (crashes, watchdog resets before commit, no phone-home within window), bootloader marks the slot bad and reverts to the previous slot on next boot. There is always a working slot to fall back to.

Signature verification and anti-rollback

Signed images: private key at RIOD; public key in the bootloader (fused into eFuse for tamper resistance). Any image without a valid signature is refused. This blocks arbitrary image injection.

Anti-rollback counter: each release has a monotonically increasing version number stored in eFuse. Attempts to install a lower version fail. This blocks downgrade attacks that would reinstate known vulnerabilities.

Fleet rollout coordination

OTA at fleet scale needs staged campaigns, health gates, canary cohorts and automatic rollback triggers. Covered in detail in our operations suite content, but the firmware side has to support what the fleet layer demands.

The firmware exposes health signals (session-success in the last N sessions, error-code rates, comms stability) that the campaign manager evaluates to promote or halt cohorts.

Secure boot flow, step by step

  • Download the new image to the inactive flash partition
  • Verify the image signature against the bootloader's trusted key
  • Reboot into the new slot
  • Run health checks (session start, CMS heartbeat, no crash for N minutes)
  • Commit the new slot as the active boot target
  • Rollback to the previous slot automatically if any health check fails

Threat mitigation table

  • Bad or buggy image: signature verified, health-gate rollback
  • Downgrade to vulnerable version: anti-rollback counter blocks it
  • Power loss mid-update: previous slot is always intact and bootable
  • Interrupted download: partial images fail signature, never boot
  • Local port injection: signature verification refuses unsigned images

Deploying EV charging?

Talk to our team about your project. We design, supply, and manage EV charging infrastructure across India.

Schedule a meeting