Devices must be kept up-to-date to keep up with the latest updates and close newly discovered vulnerabilities. Traditionally, technicians updated devices manually, a time-consuming and inefficient practice. These practices also led to inconsistent updates and potential security risks.
Firmware Over the Air (FOTA) Updates are a resource-saving method of remotely updating a device's firmware. Deployed firmware updates are downloaded by the device and then installed.
Some of the FOTA Update benefits include:
- Lower power consumption than manual updates
- Reduced human error
- Reduced workload
- Better efficiency
As Internet of Things (IoT) devices are connected to the internet, the need for IoT OTA Updates (Over the Air Updates) grows stronger. A flaw in the device software can lead to severe security risks, which when exploited can lead to domino-effect breakdowns in thousands of devices. An update FOTA solution is able to prevent this problem.
But implementing a FOTA update solution is no easy task. It requires immense investment in a backend infrastructure that works seamlessly to keep the FOTA Updates running smoothly. Fortunately, solutions already exist that facilitate this.
In this article, we will look at a FOTA Update, how it works, and how you can quickly implement FOTA updates on your devices.
What is a FOTA update?
A FOTA update is a wireless method of upgrading a device's firmware, allowing users to access new features, bug fixes, and security enhancements without manual intervention or connection to a computer. FOTA updates are essential to keep remote devices running smoothly.
How does a FOTA software update work?
FOTA updates allow a device's firmware to be updated over a wireless ("air") internet connection. The best way to understand the intricacy of a software update using FOTA is through a diagram:
Image: Over-The-Air software update process
Although this FOTA update image describes updates for a fleet of vehicles, it can be applied to any fleet of devices.
As you can see, a FOTA update process requires several steps and elements:
✔️ Communication between devices and the update server
✔️ Verifying certificates
✔️ And so on
In its most basic (and somewhat oversimplified) form, a FOTA update works as follows:
- Build and test the new firmware version
- Upload the latest firmware version to a server
- Notify connected devices that a new update is available
- Devices negotiate with the server to determine if an update is required
- If required, the latest firmware version is downloaded and verified
- The device reboots and installs the new firmware version
- The device confirms that the update was successful and provides feedback to the server
There are many steps between these, but the above forms the most essential elements of a successful Over-the-Air Software Update procedure.
Benefits of FOTA Updates
A software update using FOTA is carried out to improve one or more of the following:
✔️ A device's power consumption,
✔️ Human error potentials,
✔️ Flexibility, and
Bad firmware is a prime cause of high power consumption. Multiplied by many thousands of devices, these high-consumption devices can result in substantial unexpected costs. FOTA Updates can push updates that significantly reduce power consumption.
Automated FOTA updates can be carried out without any human intervention. Whereas commercial devices typically require users to confirm the update, systems such as emteria's Device Hub—a cloud-based IoT device management platform—let you schedule updates for device downtimes.
This prevents human error, such as forgetting to accept the update and leaving some security flaws unpatched.
FOTA updates furnish tremendous flexibility to fleet managers. You can update devices remotely on a schedule, without any human intervention. You can also update a subset of devices or just one device as a test.
A core reason for FOTA updates are security patches to fix vulnerabilities or upgrade the entire firmware to a more secure version. Doing this through FOTA updates is crucial—it simply wouldn't be feasible to do it manually when deploying a lot of devices in the field. By shipping a software update using FOTA, secure embedded systems can be maintained.
What is FOTA update in Android?
An Android FOTA update follows the same basic principles as a FOTA update for other devices. The OS is built and uploaded to a server, and devices negotiate to receive the update. If the update fails, the device needs a fallback mechanism to remain operational.
Because Android is such a popular system, security flaws can be exploited quickly by malicious actors to try to gain access to a device. Discovered vulnerabilities are mostly published in the Common Vulnerabilities and Exposures (CVE) database, which lists known vulnerabilities in various systems.
Although this database is essential for the global prioritization of security flaws that need fixing, bad actors can also leverage the information to try to compromise devices.
FOTA updates let developers quickly issue OTA firmware updates to whole fleets of devices suffering from any CVEs.
Android also regularly releases its Android Security Bulletins, highlighting security vulnerabilities that need to be addressed through a FOTA Update.
In addition, the underlying Linux kernel can also be subject to weaknesses that need to be patched, as the Dirty Pipe vulnerability showed.
Do FOTA Updates work for all Android devices?
Commercial Android devices have some kind of FOTA update Android mechanism in place, where large manufacturers send device updates according to their schedules. But an OTA infrastructure is not a standard feature provided by AOSP or Google as an additional service. Smaller fleets of custom Android devices are mostly lacking the resources to implement such an infrastructure. Building a FOTA client to update Android is an enormous task, and few companies can implement it effectively in-house.
Fortunately, a few third-party solutions exist to facilitate FOTA update for Android solutions and ensure that enterprise Android devices are updated with the latest firmware.
How FOTA Android updates have changed
FOTA updates modify the firmware, so they must be carried out carefully.The device needs enough memory to carry out the update and roll back if any failure occurs while the code that runs the hardware is being updated.
How Android has stored its OS on a device plays a significant role in how FOTA updates were carried out. There have been three major partition designs in Android's history:
- Legacy/traditional partitions
- A/B partitions
- Dynamic partitions
Image: Android partitions
How Android partitions are structured
Before getting into the specific update "style" that later Android versions use, it's essential to understand how the Android operating system is structured.
Android is divided into the following core partitions:
- Bootloader: This boots the device, loads the kernel into memory, and checks the integrity of the partitions.
- /boot partition: This contains the Linux kernel, as well as several scripts that run to start the system.
- /data partition: All user data is stored here.
- /recovery partition: When other partitions are inactive, this "mini OS" can update them. Before Android implemented the A/B Partition system (more info below), all updates were run by the /recovery partition.
- /system partition: Most of the system files are stored here. This includes certain C libraries, system media, system apps, and the Android framework itself.
- /vendor partition: This is for system files specific to that device, extensions of kernel drivers, and any hardware abstracting layers (HALs).
Each OEM might also implement its own partitions, but the above are the core ones.
One or more of the partitions are updated when running a FOTA update.
The style of FOTA update you can carry out depends on the Android version. Let's dive into each one of these.
Legacy partition update style
Before Android 7 (Nougat), Android devices used a traditional partition system, which we now call a legacy partition system.
In a legacy partition layout, each partition is used once, and adding or resizing them can be difficult. Additionally, there is no fallback if something goes wrong during the update process.
Legacy FOTA Updates carry the risk that the devices no longer work after the update, making them useless. Even if the device still works, it is inoperable for a lot longer compared with A/B seamless updates.
The steps involved in a legacy partition update typically go as follows:
- The device checks for updates. If an update exists, it receives the URL and description.
- The device downloads the entire FOTA update package and stores it in the /cache or /data partition.
- The device verifies the update package's code signature, and also checks the integrity of the whole package with a checksum to detect transmission errors.
- It reboots into recovery mode (i.e., it boots into the /recovery partition).
- The update package is verified again and used to update the necessary partitions.
- The device reboots normally, and the updated partitions are loaded and executed.
- The system checks the /recovery partition against the desired contents and updates it if necessary.
- The update is complete, with all logs stored on the device.
A/B partitions (seamless updates)
Android 7 introduced the A/B partition layout and the "seamless" update model.
A/B system updates in Android involve two partitions labeled A and B.
For example, you would have a /system_a and a /system_b partition.
Each partition is called a "slot." The system uses the active slot (either A or B), while the unused slot acts as a fallback. The bootloader will always boot from the active slot, which can be changed to the other bootable slot if the current slot becomes unbootable. Each slot has a bootable and successful attribute, with the latter indicating whether the slot can boot, run, and update itself.
One of the cons of this system is that more memory space is needed on a device. This need for more space was improved with dynamic updates, although you still need more space than in the legacy partition configuration.
The A/B partition layout works as a fallback solution, ensuring the device can always recover from a failed update. If an update fails, the system simply reverts to the previous slot and continues working, reducing downtime and preventing the device from not booting ever again.
If an A/B partition is present, it is also possible to download only partial packages of FOTA updates. This is called seamless updates, instead of waiting for the entire update package to be downloaded it starts with only small chunks, and installs them right away on the second partition. It is a kind of streaming function, because you don't have to download the full update package first to install the updates afterward. An A/B partition configuration can be used without seamless updates, but seamless updates require A/B.
A/B partition in combination with seamless updates have the following benefits:
- The /cache or /data partitions are no longer required to store update packages, freeing up space for other data.
- FOTA updates can be carried out seamlessly while the system operates.
- Streaming updates to A/B devices removes the need to download the update package beforehand.
- If an update fails, the user can still use the old operating system without being affected by the failure.
- There is minimal downtime during the update process, with the device only restarting when switching to the updated partition.
Dynamic partition layouts are the most recent type of partition layout supported in Android 10 and above. Dynamic partitions combine partitions for system, vendor, and product, and can be created, resized or destroyed dynamically via FOTA. The device creates a super partition, which allows for dynamic sizing of sub-partitions. Unlike the other partition layouts, there is no need to have extra space for growing partitions, making it a more flexible and efficient solution.
Android system update error FOTA: What to do
Assuming your infrastructure, code building, and update host server are all properly configured and maintained, some things that could lead to hiccups during updates include:
- FOTA downloading update package errors due to poor internet connectivity
- Low battery
- Insufficient storage
- Update files corrupted
- Hardware issues
Verifying FOTA update packages
FOTA update packages must be verified at various stages of the installation cycle in all update styles. They get checked initially at the hosting server and device level to ensure the package is not malicious.
It's no longer necessary to upgrade the entire operating system. These days, Delta updates are possible, also known as incremental updates.
These updates focus only on the changed parts of the firmware. They greatly reduce the local memory space required to store the update, as well as the total bandwidth.
When updating devices on data plans, the cost savings can be immense.
Upgrade vs FOTA update
An upgrade is not the same as an update. An upgrade typically refers to updating the entire operating system to a higher stable version. Updates only install improvements.
Full-scale Android upgrades can also be carried out through a FOTA update.
FOTA: scheduling application updates
It's also possible to update the apps themselves, not just the firmware.
Although you can also update apps using an OTA update method, usually, it is done through an app store. It isn't necessary to use the Google Play Store as there are alternatives. For professional devices, it makes sense to have a private app repository in place to deploy apps for your specific use case and keep them up to date that way, instead of FOTA scheduling application updates.
System applications typically do need some kind of "FOTA update system application" strategy because system apps typically don't get updated through an app store.
What is a private app repository?
Companies desire to offer apps for their proprietary solutions that operate on the Android platform without making them available to the public. On a private app repository, apps are hosted and distribution among the users. There are multiple reasons for this, including the ability to ensure data privacy, restrict access to third-party platforms, and permit the installation of only secure applications. A private app repository can assist in achieving all these objectives.
Simplify FOTA updates for your devices
Emteria is a software company that has created a versatile version of Android that works on various hardware configurations. Our version of Android—emteria.OS—fully supports FOTA updates. And we have also built the infrastructure necessary to manage the entire update process, taking care of the building, hosting, and delivery of updated Android versions to all your devices.
Emteria implements all the latest update technology for updates—seamless updates through dynamic partitions, and delta updates.
Fleet managers can connect their Android devices to emteria's Device Hub to manage devices remotely and push updates to those devices when desired.
OTA firmware updates
Building versus buying an OTA firmware update solution
A OTA update infrastructure allows remote device software updates, simplifies the process and reduces time and costs. But should you build the infrastructure yourself or rely on a ready-made solution?