Multiple system images for over-the-air updates

US 9,183,393 B2
Filed: 01/12/2012
Issued: 11/10/2015
Est. Priority Date: 01/12/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising, by one or more computing systems:

executing software from a first partition of system memory;

requesting an over-the-air (OTA) software update from an endpoint;

receiving a manifest for the OTA update, the manifest comprising a location from which a payload is to be downloaded, a hash value of the payload, a manifest signature, a device unique signature, and a download policy comprising a download condition for downloading the payload;

requesting the payload from the location;

receiving the payload from the location in response to the download condition being satisfied, wherein the received payload comprises a plurality of blocks, each block comprising a data portion and a hash value for the block;

calculating a first checksum of the payload by running a cryptographic hash function on the received payload; and

comparing the hash value of the payload to the first checksum of the received payload;

wherein if the hash value of the payload and first checksum of the received payload match;

writing the received payload to a second partition of system memory;

calculating a second checksum of the payload by running the cryptographic hash function on the payload written to the second partition;

wherein if the hash value of the payload and the second checksum of the payload written to the second partition match;

rebooting the one or more computing systems to the second partition of system memory;

wherein if the hash value of the payload and the second checksum of the payload written to the second partition fail to match;

re-writing the received payload to the second partition of system memory; and

wherein if the hash value of the payload and the first checksum of the received payload fail to match, for each of the plurality of blocks of the received payload;

calculating a block checksum by running the cryptographic hash function on the data portion of the block; and

comparing a downloaded hash value of the block to the block checksum;

wherein if the downloaded hash value of the block and the block checksum fail to match;

identifying the block as a bad block of the payload; and

re-downloading the bad block of the payload.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a mobile device performs an over-the-air firmware update by writing the updated firmware to a inactive system image partition, and rebooting the device. The security of the OTA update is maintained through checking a plurality of security signatures in an OTA manifest, and the integrity of the data is maintained by checking a hash value of the downloaded system image.

Citations

20 Claims

1. A method comprising, by one or more computing systems:
- executing software from a first partition of system memory;
  
  requesting an over-the-air (OTA) software update from an endpoint;
  
  receiving a manifest for the OTA update, the manifest comprising a location from which a payload is to be downloaded, a hash value of the payload, a manifest signature, a device unique signature, and a download policy comprising a download condition for downloading the payload;
  
  requesting the payload from the location;
  
  receiving the payload from the location in response to the download condition being satisfied, wherein the received payload comprises a plurality of blocks, each block comprising a data portion and a hash value for the block;
  
  calculating a first checksum of the payload by running a cryptographic hash function on the received payload; and
  
  comparing the hash value of the payload to the first checksum of the received payload;
  
  wherein if the hash value of the payload and first checksum of the received payload match;
  
  writing the received payload to a second partition of system memory;
  
  calculating a second checksum of the payload by running the cryptographic hash function on the payload written to the second partition;
  
  wherein if the hash value of the payload and the second checksum of the payload written to the second partition match;
  
  rebooting the one or more computing systems to the second partition of system memory;
  
  wherein if the hash value of the payload and the second checksum of the payload written to the second partition fail to match;
  
  re-writing the received payload to the second partition of system memory; and
  
  wherein if the hash value of the payload and the first checksum of the received payload fail to match, for each of the plurality of blocks of the received payload;
  
  calculating a block checksum by running the cryptographic hash function on the data portion of the block; and
  
  comparing a downloaded hash value of the block to the block checksum;
  
  wherein if the downloaded hash value of the block and the block checksum fail to match;
  
  identifying the block as a bad block of the payload; and
  
  re-downloading the bad block of the payload.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the manifest further comprises a battery level reboot threshold, and the method further comprises rebooting the one or more computing systems to the second partition of system memory in response to a battery level of the one or more computing systems meeting the battery level reboot threshold.
  - 3. The method of claim 1, wherein rebooting the one or more computing systems to the second partition of system memory comprises:
    - authenticating the manifest signature with a manifest signature public key;
      
      authenticating the device unique signature with a device unique public key; and
      
      failing to boot to the second partition of system memory if either authentication fails.
  - 4. The method of claim 1, wherein the manifest further comprises an encrypted serial number, and rebooting the one or more computing systems to the second partition of system memory comprises:
    - decrypting the serial number with a serial number public key;
      
      comparing the decrypted serial number to a serial number of the one or more computing systems; and
      
      failing to boot to the second partition of system memory if the serial number and the decrypted serial number are not identical.
  - 5. The method of claim 1, wherein rebooting the one or more computing systems to the second partition of system memory comprises authenticating a bootloader signature with a bootloader public key.
  - 6. The method of claim 1, wherein the download condition comprises a predetermined battery state in which the one or more computing systems must be in order to download the payload.
  - 7. The method of claim 1, wherein the download condition comprises a predetermined time period during which the one or more computing systems are to download the payload.
  - 8. The method of claim 1, wherein the download condition comprises a defined state of the one or more computing systems, and the download condition is satisfied when the one or more computing systems are in the defined state.

9. A non-transitory, computer-readable media comprising instructions operable, when executed by one or more computing systems, to:
- execute software from a first partition of system memory;
  
  request an over-the-air (OTA) software update from an endpoint;
  
  receive a manifest for the OTA update, the manifest comprising a location from which a payload is to be downloaded, a hash value of the payload, a manifest signature, a device unique signature, and a download policy comprising a download condition for downloading the payload;
  
  request the payload from the location;
  
  receive the payload from the location in response to the download condition being satisfied, wherein the received payload comprises a plurality of blocks, each block comprising a data portion and a hash value for the block;
  
  calculate a first checksum of the payload by running a cryptographic hash function on the received payload; and
  
  compare the hash value of the payload to the first checksum of the received payload;
  
  wherein if the hash value of the payload and first checksum of the received payload match;
  
  write the received payload to a second partition of system memory;
  
  calculate a second checksum of the payload by running the cryptographic hash function on the payload written to the second partition;
  
  wherein if the hash value of the payload and the second checksum of the payload written to the second partition match;
  
  reboot the one or more computing systems to the second partition of system memory;
  
  wherein if the hash value of the payload and the second checksum of the payload written to the second partition fail to match;
  
  re-write the received payload to the second partition of system memory; and
  
  wherein if the hash value of the payload and the first checksum of the received payload fail to match, for each of the plurality of blocks of the received payload;
  
  calculate a block checksum by running the cryptographic hash function on the data portion of the block; and
  
  compare a downloaded hash value of the block to the block checksum;
  
  wherein if the downloaded hash value of the block and the block checksum fail to match;
  
  identify the block as a bad block of the payload; and
  
  re-download the bad block of the payload.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The media of claim 9, wherein the manifest comprises a battery level reboot threshold, and the instructions are further operable, when executed by the one or more computing systems, to reboot the one or more computing systems to the second partition of system memory in response to a battery level of the one or more computing systems meeting the battery level reboot threshold.
  - 11. The media of claim 9, wherein rebooting the one or more computing systems to the second partition of system memory comprises:
    - authenticating the manifest signature with a manifest signature public key;
      
      authenticating the device unique signature with a device unique public key; and
      
      failing to boot to the second partition of system memory if either authentication fails.
  - 12. The media of claim 9, wherein the manifest further comprises an encrypted serial number, and rebooting the one or more computing systems to the second partition of system memory comprises:
    - decrypting the serial number with a serial number public key;
      
      comparing the decrypted serial number to a serial number of the one or more computing systems; and
      
      failing to boot to the second partition of system memory if the serial number and the decrypted serial number are not identical.
  - 13. The media of claim 9, wherein rebooting the one or more computing systems to the second partition of system memory comprises authenticating a bootloader signature with a bootloader public key.
  - 14. The media of claim 9, wherein the download condition comprises a predetermined battery state in which the one or more computing systems must be in order to download the payload.
  - 15. The media of claim 9, wherein the download condition comprises a predetermined time period during which the one or more computing systems are to download the payload.
  - 16. The media of claim 9, wherein the download condition comprises a defined state of the one or more computing systems, and the download condition is satisfied when the one or more computing systems are in the defined state.

17. An apparatus comprising:
- one or more processors of one or more computing systems;
  
  one or more communication interfaces;
  
  one or more non-transitory, computer-readable media comprising instructions operable, when executed by the one or more processors, to;
  
  execute software from a first partition of system memory;
  
  request an over-the-air (OTA) software update from an endpoint;
  
  receive a manifest for the OTA update, the manifest comprising a location from which a payload is to be downloaded, a hash value of the payload, a manifest signature, a device unique signature, and a download policy comprising a download condition for downloading the payload;
  
  request the payload from the location;
  
  receive the payload from the location in response to the download condition being satisfied, wherein the received payload comprises a plurality of blocks, each block comprising a data portion and a hash value for the block;
  
  calculate a first checksum of the payload by running a cryptographic hash function on the received payload; and
  
  compare the hash value of the payload to the first checksum of the received payload;
  
  wherein if the hash value of the payload and first checksum of the received payload match;
  
  write the received payload to a second partition of system memory;
  
  calculate a second checksum of the payload by running the cryptographic hash function on the payload written to the second partition;
  
  wherein if the hash value of the payload and the second checksum of the payload written to the second partition match;
  
  reboot the one or more computing systems to the second partition of system memory;
  
  wherein if the hash value of the payload and the second checksum of the payload written to the second partition fail to match;
  
  re-write the received payload to the second partition of system memory; and
  
  wherein if the hash value of the payload and the first checksum of the received payload fail to match, for each of the plurality of blocks of the received payload;
  
  calculate a block checksum by running the cryptographic hash function on the data portion of the block; and
  
  compare a downloaded hash value of the block to the block checksum;
  
  wherein if the downloaded hash value of the block and the block checksum fail to match;
  
  identify the block as a bad block of the payload; and
  
  re-download the bad block of the payload.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus of claim 17, wherein the manifest further comprises a battery level reboot threshold, and the instructions are operable, when executed by the one or more processors, to reboot the one or more computing systems to the second partition of system memory in response to a battery level of the one or more computing systems meeting the battery level reboot threshold.
  - 19. The apparatus of claim 17, wherein rebooting the one or more computing systems to the second partition of system memory comprises:
    - authenticating the manifest signature with a manifest signature public key;
      
      authenticating the device unique signature with a device unique public key; and
      
      failing to boot to the second partition of system memory if either authentication fails.
  - 20. The apparatus of claim 17, wherein the manifest further comprises an encrypted serial number, and rebooting the one or more computing systems to the second partition of system memory comprises:
    - decrypting the serial number with a serial number public key;
      
      comparing the decrypted serial number to a serial number of the one or more computing systems; and
      
      failing to boot to the second partition of system memory if the serial number and the decrypted serial number are not identical.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Original Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Inventors
Djabarov, Gueorgui, Hotz, George, Gandhi, Shaheen Ashok
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
RUPRECHT, CHRISTOPHER S

Application Number

US13/349,419
Publication Number

US 20130185548A1
Time in Patent Office

1,398 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 11/1433   during software upgrading

G06F 21/44   Program or device authentic...

G06F 21/57   Certifying or maintaining t...

G06F 21/572   Secure firmware programming...

G06F 21/575   Secure boot

G06F 21/602   Providing cryptographic fac...

G06F 21/64   Protecting data integrity, ...

G06F 8/654   using techniques specially ...

H04L 41/082   the condition being updates...

H04L 63/123   received data contents, e.g...

H04M 1/72406   by software upgrading or do...

H04W 12/10   Integrity

H04W 12/35   Protecting application or s...

H04W 12/61   Time-dependent

H04W 4/50   Service provisioning or rec...

Multiple system images for over-the-air updates

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multiple system images for over-the-air updates

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links