Best practice for safe FOTA (aws)

tpg 5 months ago

Hi,

I was wondering what is the recommended best practice for safe FOTA using AWS and the nrf sdk (aws_fota.h).

The requirements would be:

the update is not bricking the device in the field, for example due to interruption due battery voltage and
we can prevent updates in certain situations where the device should available.
- an ongoing update is okay.

To just suspend the fota library would good, but aws_fota.h does not support this, or?

So what happens if we interrupt during fota download, here?

Is the download continued?
Is the unit getting a new download job?
Is the unit installing a corrupt upgrade?
Or, what does the aws job when the unit does not report that the download is finished?

When it comes to the second point, the only thing we can do is to delay the reboot? Here is also the question what happens if mcuboot is interrupted during the update by an unexpected power down, is it able to recover?

Top Replies

tpg 5 months ago in reply to Sigurd +1

Thank you that sounds good. I'll see that that is also tested on our hardware. So for our case, I'll just delay the reboot after the AWS_IOT_EVT_FOTA_DONE event, in case the device is required to be…

0 ontosalsa 5 months ago

To ensure FOTA is safe when using AWS and avoid mcuboot being interrupted during the update process due to sudden power outage, but I think it is completely recoverable. However, what I wonder is whether the device on which the upgrade is being installed is corrupted?

happy wheels
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Sigurd 5 months ago

Hi!

With MCUboot, you have two image slots, The primary slot, containing the application that will be booted, and the secondary slot, where a new application can be stored before it is activated. MCUboot is resilient against power failures. You download the new app image in the background, and the new image is validated before it's accepted and booted. A "corrupted" image will fail validation. The application can decide when to apply/activate the new image. When the download is complete, you get the AWS_IOT_EVT_FOTA_DONE event, and you need to restart the device to apply the new image. AFAIK, you will need to retry the job if the job fails, I believe AWS supports automatically retrying failed jobs.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 tpg 5 months ago in reply to Sigurd

Thank you that sounds good. I'll see that that is also tested on our hardware.

So for our case, I'll just delay the reboot after the AWS_IOT_EVT_FOTA_DONE event, in case the device is required to be available.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 tpg 5 months ago in reply to Sigurd

Ok, one follow up question. The modem is also guaranteed to be safe in this regard when it comes to firmware updates?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Sigurd 5 months ago in reply to tpg

Hi,

Yes, that is safe. When it comes to FOTA, that is one of the most important aspects when the FOTA procedure is designed.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel