CPS Firmware Over-the-Air Updates
AuroraSOC manages firmware updates for the CPS device fleet with staged rollouts, automatic pause on anomalies, and rollback support.
Architecture
Every device has two firmware slots (A/B). The active slot runs the current firmware; the inactive slot receives the update. On reboot, the bootloader switches to the new slot. If the new firmware fails to produce a healthy heartbeat within 5 boot attempts, the bootloader automatically reverts.
Staged Rollout
Updates roll out in stages to limit blast radius:
| Stage | Percentage | Criteria to Advance |
|---|---|---|
| 1 | 5% | All devices healthy, no heartbeat loss |
| 2 | 25% | Stage 1 stable for 1 hour |
| 3 | 50% | Stage 2 stable for 2 hours |
| 4 | 100% | Stage 3 stable for 4 hours |
Auto-Pause Triggers
The rollout automatically pauses if:
- Heartbeat loss rate exceeds 10% of updated devices
- Any device enters a crash loop (boot count > 5 without a successful health mark)
- Attestation drift detected on updated devices
API
```
# Upload a firmware bundle
POST /api/v1/cps/firmware/bundles
Content-Type: multipart/form-data
- version: "1.2.0"
- target_device_type: "esp32c3"
- signature: "cosign-signature"
- file: firmware.bin

# Create a rollout
POST /api/v1/cps/firmware/rollouts
{
  "bundle_id": "uuid",
  "target_devices": ["esp32c3_env_01", "esp32c3_env_02", ...]
}

# Start rollout
POST /api/v1/cps/firmware/rollouts/{id}/start

# Advance to next stage
POST /api/v1/cps/firmware/rollouts/{id}/advance

# Emergency rollback
POST /api/v1/cps/firmware/rollouts/{id}/rollback
```
Anti-Rollback Protection
Each firmware bundle carries a monotonic anti-rollback counter. The device refuses to install firmware with a counter lower than the currently burned value, preventing downgrade to known-vulnerable versions.
Signature Verification
Firmware bundles are signed with cosign. The device's ATECC608A secure element verifies the signature using the manufacturing-provisioned public key before accepting the image.
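The device-side rules from the Architecture, Anti-Rollback Protection and Signature Verification sections, as an added example that is not AuroraSOC's bootloader code: A/B slot selection with the 5-attempt automatic revert, refusal of images whose counter is below the burned value, and acceptance gated on the secure element's signature verdict. The slot header layout, the `signature_ok` flag standing in for the ATECC608A result, and burning the counter only after the health mark are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>

#define MAX_BOOT_ATTEMPTS 5   /* unconfirmed boots allowed before the bootloader reverts */

/* Per-slot metadata. The layout is this example's assumption; the page does
 * not describe AuroraSOC's real slot header. */
typedef struct {
    uint32_t anti_rollback;   /* monotonic counter carried by the bundle */
    uint8_t  boot_attempts;   /* boots since install without a health mark */
    bool     confirmed;       /* firmware produced a healthy heartbeat */
} slot_t;

typedef struct {
    slot_t   slot[2];         /* A/B slots */
    int      active;          /* slot the bootloader will try on next reboot */
    uint32_t burned_counter;  /* highest anti-rollback value burned on the device */
} device_t;

/* Stage an image into the inactive slot. signature_ok is the secure element's
 * verdict; a failed signature or a counter below the burned value is refused. */
bool stage_update(device_t *d, uint32_t counter, bool signature_ok)
{
    if (!signature_ok || counter < d->burned_counter) return false;
    int inactive = 1 - d->active;
    d->slot[inactive] = (slot_t){ .anti_rollback = counter };
    d->active = inactive;     /* bootloader switches to the new slot on reboot */
    return true;
}

/* One reboot: returns the slot index that runs. An unconfirmed slot that has
 * used up its attempts is abandoned and the other slot is restored. */
int boot(device_t *d)
{
    slot_t *s = &d->slot[d->active];
    if (s->confirmed) return d->active;
    if (s->boot_attempts >= MAX_BOOT_ATTEMPTS) return d->active = 1 - d->active;
    s->boot_attempts++;
    return d->active;
}

/* Firmware calls this once it has a healthy heartbeat: confirm the slot and
 * burn its counter. Burning only after confirmation (an assumption here)
 * keeps the automatic revert possible until the new image has proven itself. */
void mark_healthy(device_t *d)
{
    slot_t *s = &d->slot[d->active];
    s->confirmed = true;
    if (s->anti_rollback > d->burned_counter) d->burned_counter = s->anti_rollback;
}
```

A device that never calls `mark_healthy` within five boots of a new image lands back on the old slot with its burned counter unchanged, which is the crash-loop condition the rollout controller pauses on.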