Multiple System Images for Over-The-Air Updates
Abstract
In one embodiment, a mobile device performs an over-the-air firmware update by writing the updated firmware to an inactive system image partition and rebooting the device. The security of the OTA update is maintained by checking a plurality of security signatures in an OTA manifest, and the integrity of the data is maintained by checking a hash value of the downloaded system image.
20 Claims
1. A method comprising, by one or more computing systems:
executing software from a first partition of system memory;
requesting an over-the-air (OTA) software update from an endpoint;
receiving a manifest for the OTA update comprising a location from which the payload may be downloaded and a hash value of the payload;
requesting the payload from the location;
receiving the payload from the location;
calculating a first checksum by running a cryptographic hash function on the payload, comparing the hash value to the first checksum;
if the hash value and first checksum match;
writing the payload to a second partition of system memory;
calculating a second checksum by running the cryptographic hash function on the payload written to the second partition;
if the hash value and second checksum match;
rebooting to the second partition of system memory; and
if the hash value and second checksum fail to match;
re-writing the payload to the second partition of system memory;
if the hash value and first checksum fail to match;
identifying bad blocks of the payload; and
re-downloading the bad blocks of the payload.

2. The method of claim 1, further comprising:
rebooting the one or more computing systems to the second partition of system memory.

3. The method of claim 2, wherein the manifest comprises a manifest signature and device unique signature, and rebooting to the second partition of system memory comprises:
authenticating the manifest signature with a manifest signature public key;
authenticating the device unique signature with a device unique public key; and
failing to boot to the second partition of system memory if either authentication fails.

4. The method of claim 2, wherein the manifest comprises an encrypted serial number, and rebooting to the second partition of system memory comprises:
decrypting the serial number with a serial number public key;
comparing the decrypted serial number to a serial number of the one or more computing devices; and
failing to boot to the second partition of system memory if the serial number and the decrypted serial number are not identical.

5. The method of claim 2, rebooting to the second partition of system memory comprising authenticating a bootloader signature with a bootloader public key.

6. The method of claim 1, wherein the manifest comprises a predetermined battery state in which the one or more computing systems must be in order to download the payload.

7. The method of claim 1, wherein the manifest comprises a predetermined time period during which the one or more computing systems may download the payload.

8. The method of claim 1, wherein the payload comprises a plurality of blocks, each block comprising a data portion and a hash value for the block, and identifying bad blocks comprising:
for each of the plurality of blocks;
calculating a block checksum by running a cryptographic hash function on the data portion of the block;
comparing the block checksum to the hash value; and
if the values are not identical, identifying the block as a bad block.
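The update flow of claims 1 and 8, as an added Python example that is not part of the patent or of any vendor's implementation: the device hashes the downloaded payload against the manifest, uses the per-block hashes to find and re-download only the corrupted blocks, writes the payload to the inactive partition, re-hashes what was actually written before switching to it, and re-writes on a mismatch. The endpoint API (`get_manifest`, `get_payload`, `get_block`), the `ota://example.invalid/...` location, the 16-byte block size, the in-memory partitions and the simulated transfer and flash faults are all assumptions made here; the signature and serial-number checks of claims 3 to 5 are not shown.

```python
"""A/B partition OTA update with whole-payload and per-block hash verification.

Added illustration of the update method in claims 1 and 8; not the patent's or
any vendor's code. Endpoint API, block layout, partitions and fault injection
are assumptions made for the example.
"""
import hashlib
from dataclasses import dataclass

BLOCK_SIZE = 16  # assumption: tiny blocks keep the constructed sample image readable


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    """One payload block: a data portion plus the hash shipped with it (claim 8)."""
    data: bytes
    digest: str


@dataclass
class Manifest:
    """Received before the download: where the payload is and its hash (claim 1)."""
    location: str
    payload_hash: str


def join_payload(payload: list[Block]) -> bytes:
    return b"".join(block.data for block in payload)


def identify_bad_blocks(payload: list[Block]) -> list[int]:
    """Claim 8: hash each block's data portion and flag those not matching the shipped hash."""
    return [i for i, block in enumerate(payload) if sha256_hex(block.data) != block.digest]


class FakeEndpoint:
    """Constructed stand-in for the update server. On the first download it can corrupt the
    data portion of chosen blocks (simulating transfer errors) while still shipping the
    correct per-block hashes, so the device can locate and re-fetch exactly those blocks."""

    def __init__(self, image: bytes, corrupt_on_first_download: frozenset[int] = frozenset()):
        self._blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
        self._corrupt = set(corrupt_on_first_download)
        self.manifest = Manifest(location="ota://example.invalid/image.bin",  # assumed location
                                 payload_hash=sha256_hex(image))
        self.block_refetches: list[int] = []  # which blocks the device asked for again

    def get_manifest(self) -> Manifest:
        return self.manifest

    def get_payload(self) -> list[Block]:
        payload = []
        for i, data in enumerate(self._blocks):
            digest = sha256_hex(data)  # hash of the good data is always shipped
            if i in self._corrupt:
                data = bytes(b ^ 0x5A for b in data)  # simulated bit errors in transit
            payload.append(Block(data, digest))
        self._corrupt.clear()  # later fetches are clean
        return payload

    def get_block(self, index: int) -> Block:
        self.block_refetches.append(index)
        data = self._blocks[index]
        return Block(data, sha256_hex(data))


class Device:
    """Constructed A/B device: partitions are byte strings, 'rebooting' flips the active slot."""

    def __init__(self, active_image: bytes, flash_faults: int = 0):
        self.partitions = {"A": active_image, "B": b""}
        self.active = "A"
        self._flash_faults = flash_faults  # simulated: number of writes that land corrupted
        self.writes = 0

    def _write_partition(self, slot: str, payload: list[Block]) -> None:
        data = join_payload(payload)
        self.writes += 1
        if self._flash_faults > 0:
            self._flash_faults -= 1
            data = data[:-1] + bytes([data[-1] ^ 0xFF])  # last byte written wrong
        self.partitions[slot] = data

    def apply_update(self, endpoint: FakeEndpoint, max_redownloads: int = 3, max_rewrites: int = 3) -> str:
        manifest = endpoint.get_manifest()
        payload = endpoint.get_payload()

        # First checksum: over the payload as downloaded (claim 1).
        for _ in range(max_redownloads):
            if sha256_hex(join_payload(payload)) == manifest.payload_hash:
                break
            bad = identify_bad_blocks(payload)
            if not bad:
                # Every block verifies yet the whole does not: manifest hash and block set
                # disagree, so re-downloading cannot help. Abort instead of looping.
                raise RuntimeError("payload hash mismatch with no bad blocks; refusing update")
            for i in bad:
                payload[i] = endpoint.get_block(i)  # re-download only the bad blocks (claim 8)
        else:
            raise RuntimeError("payload still fails its hash after re-downloads")

        # Write to the inactive partition, then verify what was actually written (second checksum).
        target = "B" if self.active == "A" else "A"
        for _ in range(max_rewrites):
            self._write_partition(target, payload)
            if sha256_hex(self.partitions[target]) == manifest.payload_hash:
                self.active = target  # "reboot" into the freshly verified image
                return target
        raise RuntimeError("partition write failed verification repeatedly; staying on current image")


if __name__ == "__main__":
    image = bytes(range(64))  # constructed 64-byte image, four blocks
    endpoint = FakeEndpoint(image, corrupt_on_first_download=frozenset({2}))
    device = Device(b"old-image", flash_faults=1)
    print("booted into", device.apply_update(endpoint), "after", device.writes, "writes")
```

The second checksum is computed over the partition contents, not over the in-memory copy, which is what lets a bad flash write be caught before the slot is ever booted. The example also guards a case the claims leave open: if every block verifies but the whole-payload hash still disagrees with the manifest, the manifest and payload are inconsistent and re-downloading cannot fix it, so the update is refused and the device stays on its current image.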
9. A non-transitory, computer-readable media comprising instructions operable, when executed by one or more computing systems, to:
execute software from a first partition of system memory;
request an over-the-air (OTA) software update from an endpoint;
receive a manifest for the OTA update comprising a location from which the payload may be downloaded and a hash value of the payload;
request the payload from the location;
receive the payload from the location;
calculate a first checksum by running a cryptographic hash function on the payload, compare the hash value to the first checksum;
if the hash value and first checksum match;
write the payload to a second partition of system memory;
calculate a second checksum by running the cryptographic hash function on the payload written to the second partition;
if the hash value and second checksum match;
reboot to the second partition of system memory; and
if the hash value and second checksum fail to match;
re-write the payload to the second partition of system memory;
if the hash value and first checksum fail to match;
identify bad blocks of the payload; and
re-download the bad blocks of the payload.

10. The media of claim 1, further comprising instructions operable, when executed by the one or more computing systems, to:
reboot the one or more computing systems to the second partition of system memory.

11. The media of claim 2, wherein the manifest comprises a manifest signature and device unique signature, and rebooting to the second partition of system memory comprises:
authenticating the manifest signature with a manifest signature public key;
authenticating the device unique signature with a device unique public key; and
failing to boot to the second partition of system memory if either authentication fails.

12. The media of claim 2, wherein the manifest comprises an encrypted serial number, and rebooting to the second partition of system memory comprises:
decrypting the serial number with a serial number public key;
comparing the decrypted serial number to a serial number of the one or more computing devices; and
failing to boot to the second partition of system memory if the serial number and the decrypted serial number are not identical.

13. The media of claim 2, rebooting to the second partition of system memory comprising authenticating a bootloader signature with a bootloader public key.

14. The media of claim 1, wherein the manifest comprises a predetermined battery state in which the one or more computing systems must be in order to download the payload.

15. The media of claim 1, wherein the manifest comprises a predetermined time period during which the one or more computing systems may download the payload.

16. The media of claim 1, wherein the payload comprises a plurality of blocks, each block comprising a data portion and a hash value for the block, and identifying bad blocks comprising:
for each of the plurality of blocks;
calculating a block checksum by running a cryptographic hash function on the data portion of the block;
comparing the block checksum to the hash value; and
if the values are not identical, identifying the block as a bad block.

17. An apparatus comprising:
one or more processors;
one or more communication interfaces;
one or more non-transitory, computer-readable media comprising instructions operable, when executed by one or more processors, to;
execute software from a first partition of system memory;
request an over-the-air (OTA) software update from an endpoint;
receive a manifest for the OTA update comprising a location from which the payload may be downloaded and a hash value of the payload;
request the payload from the location;
receive the payload from the location;
calculate a first checksum by running a cryptographic hash function on the payload, compare the hash value to the first checksum;
if the hash value and first checksum match;
write the payload to a second partition of system memory;
calculate a second checksum by running the cryptographic hash function on the payload written to the second partition;
if the hash value and second checksum match;
reboot to the second partition of system memory; and
if the hash value and second checksum fail to match;
re-write the payload to the second partition of system memory;
if the hash value and first checksum fail to match;
identify bad blocks of the payload; and
re-download the bad blocks of the payload.

18. The apparatus of claim 1, the media further comprising instructions operable, when executed by the one or more computing systems, to:
reboot the one or more computing systems to the second partition of system memory.

19. The apparatus of claim 2, wherein the manifest comprises a manifest signature and device unique signature, and rebooting to the second partition of system memory comprises:
authenticating the manifest signature with a manifest signature public key;
authenticating the device unique signature with a device unique public key; and
failing to boot to the second partition of system memory if either authentication fails.

20. The apparatus of claim 2, wherein the manifest comprises an encrypted serial number, and rebooting to the second partition of system memory comprises:
decrypting the serial number with a serial number public key;
comparing the decrypted serial number to a serial number of the one or more computing devices; and
failing to boot to the second partition of system memory if the serial number and the decrypted serial number are not identical.