RE: Option to roll back from confirmed image slot in rare OTA situations

Håkon Alseth — Mon, 11 Oct 2021 08:56:29 GMT

Hi,

[quote user=""]Already found a way how I can switch between two different images in flash from the current firmware and it's super useful[/quote]

Its great to hear this!

[quote user=""]Firmware image that laying on backend cloud server includes logic to check that main features like server connection and peripherals working well to make a decision to keep that version or roll back to the previous one. One more secure mechanism implemented using MCU boot it's if firmware not confirming itself device switching back to known firmware stored in a flash that should work well. All those methods providing a good way of reliability, so it really hard to brick the device in process of OTA.[/quote]

You can read about the concepts of mcuboot, specifically how it behaves when reverting (and how to trigger it), here:

https://developer.nordicsemi.com/nRF_Connect_SDK/doc/1.7.0/mcuboot/design.html

[quote user=""]I understand that this is a very unlikely case, but if it's happening in production all user devices would be bricked as the result of for example a hacker attack on the server and replacing image to as in my example "self-confirming blink" so the device should be shipped back for restoration e.t.c[/quote]

In order for mcuboot to accept an image, it must match the static partition layout in addition to be signed with your own key. If the key is compromised, you can get into this scenario.

Just applying arbitrary binary data to mcuboot (ie. from a "fake" webserver) will not trigger such a scenario, as mcuboot will recognize that the incoming data is not signed accordingly.

Kind regards,

Håkon