Over-the-air (OTA) means that updates for firmware and software are no longer performed via cable but wirelessly. This can be achieved using various radio standards, including cellular radio and WLAN, but Bluetooth and NFC are also conceivable, for example, at charging stations. In a car, the updates affect the engine control units (ECUs) and the infotainment system. While updates for engine control units usually close security gaps and improve performance, an updated infotainment system contributes to enhanced comfort and personalized use.
See table 1: Description of (F)OTA in a smartphone and car
As more and more new vehicles come onto the market with software-intensive ECUs, software maintenance requirements will also increase: According to a study by the US National Highway Traffic Safety Administration (NHTSA), 15% of all vehicle safety recalls in the USA in 2015 were due to software errors. Eliminating such errors is much more complex for vehicles than it is for smartphones, for example. If a bug or critical vulnerability in the software is detected in the vehicle, it has to be fixed in a specialist workshop. This is the only place where experts can install updates from the software suppliers, usually the OEMs, via a cable connection. This not only costs time and frays nerves but is also fairly expensive for the OEM.
Prerequisite: Networked vehicles
Cellular radio equipment is the key feature that enables OTA updates for ever smarter vehicles. An important milestone for establishing cellular radio in cars is the EU's "eCall" regulation: All new vehicle models in the European Union have been fitted with the "emergency call function" since March 2018. This function automatically calls the emergency services, using the European emergency number 112, in case of an accident, but it also gives vehicle suppliers a basic communication channel for OTA. This not only saves costs but can also generate revenue, because the OTA interface enables new functions and applications (if the hardware permits it) to be purchased and activated via an app store.
The advantages of OTA updates are wide ranging: Users no longer have to visit a workshop for updates and benefit from the latest software and firmware and related improvements, as well as constantly updated maps and new apps. Suppliers can gain more knowledge about vehicle users and vehicle configurations, avoid the costs of software-related recalls, and ensure their vehicles are much safer.
Transfer and distribution
The aim of the OTA method is to replace the transfer of updates via a cable, which has to be performed in a workshop, with a mobile connection between the OEM's server and the vehicle's telematics unit. However, the "eCall" system is not suitable for this, as it cannot transfer data except for emergency calls. The vehicle therefore either requires a separate SIM card or must access a connection via a smartphone hotspot or WLAN network. If a connection has been established, the OTA Manager, which acts as the gateway, can initiate the update process.
See image 1: Presentation of the OTA process in a car
Essential: Safety and security
In addition to the many advantages, OTA updates also present a considerable risk potential. It is essential to protect the transfer of the data packets; otherwise, third parties may gain access to important vehicle functions or data.
Safety and security are therefore essential aspects for the success of OTA. Security describes how secure the transfer route is, while safety refers to the safe implementation of the update process. Security includes securing the transfer route using mechanisms such as TLS (the successor to SSL), HTTPS, user identification, VPN, and end-to-end encryption (E2EE). If these are not secured sufficiently, man-in-the-middle attacks, spoofing of the vehicle's electrical system, theft of intellectual property, spying on the driver, or even the shutdown or manipulation of vehicle functions may occur.
Storage and execution of the update are generally relevant in terms of safety. To prevent manipulation of the software and to ensure the authenticity and integrity of the data, the software package needs to be signed cryptographically. Within the hardware architecture, a hardware security module (HSM) can take on this function.
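As an added example (not code from this article or from Rutronik), the following Go program shows the signing and verification steps the paragraph describes: the backend signs a small manifest (ECU identifier, version, SHA-256 of the image) with an Ed25519 key, and the ECU verifies the signature, the target, the version and the payload hash before accepting anything. The manifest layout, the key type, the ECU identifier and the error names are assumptions chosen for the example; in a vehicle the pinned public key and the verification would live in the HSM rather than in application code.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one update package. The layout is a hypothetical
// example format, not any OEM's or supplier's real one.
type Manifest struct {
	ECUID       string   // which control unit the image is for
	Version     uint32   // strictly increasing; used for the anti-rollback check
	PayloadHash [32]byte // SHA-256 of the firmware image
}

// encode serializes the manifest deterministically, so the backend signs and
// the vehicle verifies exactly the same bytes: ID, 0x00, 4-byte version, hash.
func (m Manifest) encode() []byte {
	var buf bytes.Buffer
	buf.WriteString(m.ECUID)
	buf.WriteByte(0)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], m.Version)
	buf.Write(v[:])
	buf.Write(m.PayloadHash[:])
	return buf.Bytes()
}

// Package is what travels over the air: manifest, signature and payload.
type Package struct {
	Manifest  Manifest
	Signature []byte
	Payload   []byte
}

// Sign is the backend side: build the manifest for a firmware image and sign it.
func Sign(priv ed25519.PrivateKey, ecuID string, version uint32, payload []byte) Package {
	m := Manifest{ECUID: ecuID, Version: version, PayloadHash: sha256.Sum256(payload)}
	return Package{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Payload: payload}
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongECU     = errors.New("package is for a different ECU")
	ErrRollback     = errors.New("package version not newer than installed version")
	ErrBadHash      = errors.New("payload hash does not match manifest")
)

// Verify is the vehicle side. pub is the OEM public key pinned in the HSM,
// installed is the version currently running on this ECU.
func Verify(pub ed25519.PublicKey, pkg Package, ecuID string, installed uint32) error {
	// 1. Authenticity: the manifest must be signed by the pinned key.
	if !ed25519.Verify(pub, pkg.Manifest.encode(), pkg.Signature) {
		return ErrBadSignature
	}
	// 2. Target check: a genuine package for ECU A must not install on ECU B.
	if pkg.Manifest.ECUID != ecuID {
		return ErrWrongECU
	}
	// 3. Anti-rollback: an old but validly signed image must not downgrade the ECU.
	if pkg.Manifest.Version <= installed {
		return ErrRollback
	}
	// 4. Integrity: the payload must match the hash the signed manifest commits to.
	if sha256.Sum256(pkg.Payload) != pkg.Manifest.PayloadHash {
		return ErrBadHash
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fw := []byte("constructed firmware image v2")
	pkg := Sign(priv, "ECU-ENGINE-01", 2, fw)
	fmt.Println("genuine:  ", Verify(pub, pkg, "ECU-ENGINE-01", 1))
	tampered := pkg
	tampered.Payload = []byte("constructed firmware image v2, modified in transit")
	fmt.Println("tampered: ", Verify(pub, tampered, "ECU-ENGINE-01", 1))
	fmt.Println("downgrade:", Verify(pub, pkg, "ECU-ENGINE-01", 2))
}
```

The order of the checks matters: the signature is verified before any field of the manifest is trusted, so the target and version comparisons operate only on authenticated data.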
No annoying waiting for the installation of updates
There are also a few points to keep in mind when it comes to the time and duration of updates. The vehicle's ECUs can only receive updates in the safe state, i.e. when the engine is switched off. Furthermore, users do not want to have to wait for an update process before they can drive again. Therefore, the update process should take place as conveniently and inconspicuously as possible, thus avoiding longer vehicle downtime.
Possible solutions include the introduction of redundant memory systems in which both the new firmware and a backup of the old firmware are stored. If the update process is not successful, the functionality of the vehicle is still maintained. A further measure is scheduled update processes that take place at a desired time, usually at night.
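An added illustration in Go (not from the article or from any supplier's software) of the points above: a safe-state check before any flash write, two redundant slots so the running image is never overwritten, and a bootloader decision that falls back to the old slot after repeated failed boots of the new one. VehicleState, the battery threshold, MaxTries and the slot layout are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
)

// VehicleState is the hypothetical minimum the OTA manager checks before it
// touches an ECU; a real gateway consults many more signals.
type VehicleState struct {
	EngineRunning bool
	BatteryPct    int
}

// Slot is one of the two redundant firmware banks.
type Slot struct {
	Image   []byte
	Version uint32
	Valid   bool
}

// ABUpdater runs the ECU from Slots[Active] and stages new firmware in the other slot.
type ABUpdater struct {
	Slots     [2]Slot
	Active    int
	Pending   bool // a staged image is waiting for its first confirmed boot
	BootTries int
	MaxTries  int
}

var (
	ErrNotSafeState = errors.New("engine running: ECU is not in the safe state")
	ErrLowBattery   = errors.New("battery too low to guarantee a complete update")
	ErrBadImage     = errors.New("staged image does not match the expected hash")
)

const minBatteryPct = 30 // constructed threshold for the example

func NewABUpdater(initial []byte, version uint32) *ABUpdater {
	u := &ABUpdater{MaxTries: 3}
	u.Slots[0] = Slot{Image: initial, Version: version, Valid: true}
	return u
}

func (u *ABUpdater) inactive() int { return 1 - u.Active }

// Stage writes the new image into the inactive slot. The running slot is never
// modified, so an interrupted or failed write cannot leave the ECU without firmware.
func (u *ABUpdater) Stage(state VehicleState, image []byte, expected [32]byte, version uint32) error {
	if state.EngineRunning {
		return ErrNotSafeState
	}
	if state.BatteryPct < minBatteryPct {
		return ErrLowBattery
	}
	if sha256.Sum256(image) != expected {
		return ErrBadImage
	}
	u.Slots[u.inactive()] = Slot{Image: append([]byte(nil), image...), Version: version, Valid: true}
	u.Pending = true
	u.BootTries = 0
	return nil
}

// Boot models the bootloader's decision on each power-up. healthy reports whether
// the candidate image came up and confirmed itself before the watchdog fired.
// It returns the version that ends up running after this boot.
func (u *ABUpdater) Boot(healthy bool) uint32 {
	if !u.Pending {
		return u.Slots[u.Active].Version
	}
	candidate := u.inactive()
	u.BootTries++
	if healthy {
		u.Active = candidate // commit: from now on boot the new image
		u.Pending = false
		return u.Slots[candidate].Version
	}
	if u.BootTries >= u.MaxTries {
		u.Slots[candidate].Valid = false // give up; the old firmware keeps the vehicle usable
		u.Pending = false
	}
	return u.Slots[u.Active].Version
}

// Running reports the version in the active slot.
func (u *ABUpdater) Running() uint32 { return u.Slots[u.Active].Version }

func main() {
	v1 := []byte("constructed firmware v1")
	v2 := []byte("constructed firmware v2")
	u := NewABUpdater(v1, 1)
	fmt.Println("stage while driving:", u.Stage(VehicleState{EngineRunning: true, BatteryPct: 90}, v2, sha256.Sum256(v2), 2))
	fmt.Println("stage while parked: ", u.Stage(VehicleState{BatteryPct: 90}, v2, sha256.Sum256(v2), 2))
	for i := 1; i <= 3; i++ {
		fmt.Println("failed boot", i, "-> running v", u.Boot(false))
	}
	fmt.Println("rolled back to v", u.Running(), "pending:", u.Pending)
}
```

The scheduled, night-time update the paragraph mentions fits in front of Stage: the scheduler only calls it once the vehicle reports the safe state, and the boot confirmation then happens on the next start without the driver having to wait.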
To guarantee a faster upload, the size of the data packets should be as small as possible. The software size varies considerably between ECUs and infotainment systems: If the entire code has to be replaced, several gigabytes of data may be generated. This can be remedied, however, by compressing the data packets using delta coding. Instead of the entire software code, the delta package contains only the changes relative to the old version. This reduces the amount of data to just a few hundred megabytes.
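To make the delta idea concrete, here is an added Go example (not from the article or from any OEM tool) of a minimal block-based delta format: the backend emits "copy this range from the old image" and "insert these literal bytes" instructions, and the vehicle rebuilds the new image from its old one and checks the result against the hash of the full new image before using it. The 16-byte window, the per-operation size estimate and the SampleImages filler are constructed for the example; production tools such as bsdiff-style encoders are far more compact, but the trust step is the same: the reconstructed image, not the delta, is what gets hash-checked against the signed manifest.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

const window = 16 // constructed block size; real tools use larger blocks or byte-level diffs

// Op is one delta instruction: reuse a range of the old image, or insert literal bytes.
type Op struct {
	Copy   bool
	Offset int    // Copy: start in the old image
	Length int    // Copy: number of bytes
	Data   []byte // Insert: literal bytes
}

// Delta is the over-the-air package: instructions plus the hash of the complete
// new image (in practice carried in the signed manifest).
type Delta struct {
	Ops     []Op
	NewHash [32]byte
}

// MakeDelta runs on the backend: every window of the new image that also
// occurs in the old image becomes a Copy, everything else a literal Insert.
func MakeDelta(oldImg, newImg []byte) Delta {
	index := make(map[string]int) // window content -> first offset in old image
	for off := 0; off+window <= len(oldImg); off++ {
		key := string(oldImg[off : off+window])
		if _, seen := index[key]; !seen {
			index[key] = off
		}
	}
	var ops []Op
	var literal []byte
	flush := func() {
		if len(literal) > 0 {
			ops = append(ops, Op{Data: literal})
			literal = nil
		}
	}
	for pos := 0; pos < len(newImg); {
		if pos+window <= len(newImg) {
			if off, ok := index[string(newImg[pos:pos+window])]; ok {
				flush()
				// Extend the previous Copy when the match continues contiguously.
				if n := len(ops); n > 0 && ops[n-1].Copy && ops[n-1].Offset+ops[n-1].Length == off {
					ops[n-1].Length += window
				} else {
					ops = append(ops, Op{Copy: true, Offset: off, Length: window})
				}
				pos += window
				continue
			}
		}
		literal = append(literal, newImg[pos])
		pos++
	}
	flush()
	return Delta{Ops: ops, NewHash: sha256.Sum256(newImg)}
}

var (
	ErrBadCopy      = errors.New("copy range lies outside the old image")
	ErrHashMismatch = errors.New("reconstructed image does not match expected hash")
)

// ApplyDelta runs in the vehicle. Every Copy is bounds-checked, and the result is
// only returned if it hashes to the value the delta commits to.
func ApplyDelta(oldImg []byte, d Delta) ([]byte, error) {
	out := make([]byte, 0, len(oldImg))
	for _, op := range d.Ops {
		if op.Copy {
			if op.Offset < 0 || op.Length < 0 || op.Offset+op.Length > len(oldImg) {
				return nil, ErrBadCopy
			}
			out = append(out, oldImg[op.Offset:op.Offset+op.Length]...)
		} else {
			out = append(out, op.Data...)
		}
	}
	if sha256.Sum256(out) != d.NewHash {
		return nil, ErrHashMismatch
	}
	return out, nil
}

// Size estimates the on-air size, assuming an 8-byte header per instruction.
func (d Delta) Size() int {
	n := 0
	for _, op := range d.Ops {
		n += 8 + len(op.Data)
	}
	return n
}

// SampleImages builds a constructed 4 KiB "old" firmware and a "new" one that
// differs by a short patch in the middle plus 40 extra bytes at the end.
func SampleImages() (oldImg, newImg []byte) {
	oldImg = make([]byte, 4096)
	var x uint32 = 1
	for i := range oldImg {
		x = x*1103515245 + 12345 // simple LCG as deterministic filler
		oldImg[i] = byte(x >> 16)
	}
	newImg = append([]byte(nil), oldImg...)
	copy(newImg[1000:], []byte("PATCHED!!!"))
	newImg = append(newImg, bytes.Repeat([]byte{0xAB}, 40)...)
	return oldImg, newImg
}

func main() {
	oldImg, newImg := SampleImages()
	d := MakeDelta(oldImg, newImg)
	rebuilt, err := ApplyDelta(oldImg, d)
	fmt.Printf("full image %d bytes, delta ~%d bytes in %d ops, rebuilt ok: %v\n",
		len(newImg), d.Size(), len(d.Ops), err == nil && bytes.Equal(rebuilt, newImg))
}
```

Applying a delta to the wrong base image (a different variant, or flash that was corrupted) cannot be detected by the delta alone, which is why ApplyDelta refuses to return anything whose hash does not match; the ECU then keeps its old firmware and reports the failure instead of running a half-correct image.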
Possible solutions from Rutronik
Rutronik already offers a range of solutions for implementing OTA updates in the vehicle, including wireless modules (BT, NFC, 3G, 4G, WiFi). In addition, security microcontrollers with integrated HSMs are available, including Infineon's AURIX family and the SPC58 family from STMicroelectronics, as well as security chips and chips for cellular network access from both suppliers.
From a software perspective, Rutronik also offers its customers solutions such as the cloud-based management software Telit IoT Portal. It is designed specifically for distributing software to a large number of clients. The platform can be "branded" for different purposes and suppliers and enables individualized messages to be sent to clients. With the "Geofence" function, the software transfer can be limited to a certain area, and the usual throttling and staged roll-out of a software release are also supported.
Customers who utilize Rutronik's ever increasing portfolio are already prepared for a future with OTA updates.
Find components at www.rutronik24.com.
Subscribe to our newsletter at www.rutronik.com/newsletter and stay updated.