By RIOD Engineering · June 26, 2026
OTA gone wrong bricks fleets. The engineering fix is a design that architecturally minimizes bricking, and treats safety as a boot-time invariant instead of a firmware convention.
This is the architecture we run in production, at chargers where remediation costs are measured in truck rolls.

Threats to defend against: bad firmware pushed (bug or malicious), power loss mid-update, network drop mid-download, malicious rollback to a known-vulnerable version, unsigned images injected via the local port.
Each threat has a specific mitigation in the architecture. Not all mitigations are visible to the OTA API; some are baked into the bootloader and flash layout.
Two firmware slots in flash. New image writes to the inactive slot. Bootloader checks the requested slot's signature against the trusted root, verifies the CRC, then boots.
If boot fails (crashes, watchdog resets before commit, no phone-home within window), bootloader marks the slot bad and reverts to the previous slot on next boot. There is always a working slot to fall back to.
Signed images: private key at RIOD; public key in the bootloader (fused into eFuse for tamper resistance). Any image without a valid signature is refused. This blocks arbitrary image injection.
Anti-rollback counter: each release has a monotonically increasing version number stored in eFuse. Attempts to install a lower version fail. This blocks downgrade attacks that would reinstate known vulnerabilities.
OTA at fleet scale needs staged campaigns, health gates, canary cohorts and automatic rollback triggers. Covered in detail in our operations suite content, but the firmware side has to support what the fleet layer demands.
The firmware exposes health signals (session-success in the last N sessions, error-code rates, comms stability) that the campaign manager evaluates to promote or halt cohorts.
Talk to our team about your project. We design, supply, and manage EV charging infrastructure across India.