Automotive software updates fly over-the-air for next-gen vehicles

Enhancing drivers’ digital car experience with over-the-air (OTA) updates for firmware, new features and software

Andrii Yarmolenko

Head of Delivery Units Ukraine

The challenge

A German manufacturer of commercial electric cars wanted to ensure that critical automotive software updates are delivered in a timely and secure manner by using over-the-air (OTA) updates.

It is extremely important that critical updates are delivered promptly, even when Wi-Fi is not available. As a large fleet of vehicles is often located in urban areas, a solution was needed to avoid overloading cellular networks.

The solution

Tietoevry’s automotive team developed a concept for an over-the-air (OTA) solution that distributes software updates over a wireless network without the need for physical access to a vehicle. A manufacturer can remotely deliver firmware updates, patches, software and data updates to a vehicle, removing the need for a driver to contact a dealer or a repair shop.

Automotive software R&D services

About the customer

A German automotive manufacturer of commercial electric cars manages a large fleet of vehicles often located in urban areas. For a great driver experience and safety, automotive software update installation should not fail under any conditions, as there is no personnel to fix it.

Cost-effective software maintenance

The solution enables managing automotive software of a large fleet of cars remotely by using Wi-Fi, LTE, or 3G.

Improved vehicle security

The developed algorithm guarantees authenticity, integrity and confidentiality to secure communication between vehicles and cloud.

Drivers’ satisfaction and brand loyalty

Remote software and data updates make it easy for drivers who do not need to contact a dealer or a repair shop.

Developing a proven solution to ensure reliable OTA updates 

A solution responding to the needs below:

  • Software update delivery guarantee. Even when Wi-Fi is not available, critical updates still must be delivered via an LTE or 3G network as soon as possible. The solution should avoid overloading cellular networks, especially when vehicles are often clustered in urban centers.
  • Software update installation reliability and rollback. Installation must not fail under any conditions, as there is no personnel to fix it. The OTA update engineers therefore follow the highest standard of update reliability, verifying sustainability at every step. If a software update is interrupted by any external factor, the system is designed to roll back to the previous state from the backup.
  • An over-the-air update must be secure. The goal is to eliminate any issues related to ensuring safe vehicle-to-cloud communications. The team had to figure out how to exchange firmware, software and their metadata intact between the OEM, Tier 1 and the Security Gateway ECU. There were also concerns regarding update package authenticity and integrity (data modification or data forging), authentication and confidentiality.
  • Fleet management. Updates must also be applied in a timely manner to a large fleet of vehicles. Special campaigns were designed to monitor and control the status of software update distribution among vehicles by model, market and other criteria.

OTA update flow

  • Generating and storing software versions in the cloud-based Software Repository.
  • Uploading OTA-required software into the local vehicle storage.
  • Installing new software and/or updating ECUs.

Security approach

  • All vehicle-to-cloud communications are secured by TLS mutual authentication based on certificates.
  • The authenticity and integrity of the software are ensured by an HMAC, CMAC or Digital Signature of the OEM and other stakeholders. For example, according to the Digital Signature Standard (DSS), any update must be digitally signed with a valid certificate and checked by a distributor at all stages.
  • Confidentiality is protected by encrypting the software update and data with an asymmetric algorithm before their transmission to or from the cloud.

To ensure firmware installation regardless of disruptive factors, the software must be fully downloaded, the vehicle must be parked and the engine turned off. A Special Diagnosis manager is introduced as an extension to verify that the newly updated software operates as expected. It can also initiate the rollback procedure to the previous software version.
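The checks described above can be sketched as follows. This is an added example, not Tietoevry's code: it uses HMAC-SHA256 (one of the options the list names), and the manifest layout, the `DEMO_KEY` value, the `ecu` dictionary and the `self_test` callback are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real ECU would keep this in protected key storage.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def sign_manifest(key, version, payload):
    """Build a manifest binding version, size and payload digest under an HMAC tag."""
    body = {"version": version, "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest()}
    canonical = json.dumps(body, sort_keys=True).encode()
    return {"body": body,
            "tag": hmac.new(key, canonical, hashlib.sha256).hexdigest()}


def verify_package(key, manifest, payload):
    """Return True only if the manifest tag is valid and the payload matches it."""
    canonical = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False  # manifest forged or modified
    body = manifest["body"]
    if len(payload) != body["size"]:
        return False  # download incomplete or padded
    digest = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(digest, body["sha256"])


def apply_update(ecu, key, manifest, payload, parked, engine_off, self_test):
    """Install only when every precondition holds; restore the backup on failure."""
    if not (parked and engine_off):
        return "deferred"
    if not verify_package(key, manifest, payload):
        return "rejected"
    backup = dict(ecu)  # previous state kept for rollback
    ecu.update(version=manifest["body"]["version"], image=payload)
    if not self_test(ecu):  # stands in for the post-update diagnosis check
        ecu.clear()
        ecu.update(backup)
        return "rolled_back"
    return "installed"
```

The tag is verified before the manifest fields are trusted, so a modified version string or digest is rejected without the payload being inspected.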

Technologies

  • In-vehicle IPC: CommonAPI
  • Vehicle-to-Cloud IPC: gRPC
  • Cloud: Azure
  • HMI: Qt5
  • Over-The-Air: Wi-Fi, LTE, 3G
  • Diagnostic Log and Trace: DLT component (AUTOSAR compliant)
  • OS: Linux
  • Arch: ARMv8
  • Hardware: Renesas R-Car H3 (Raspberry Pi for test purposes)
