Production-grade OTA firmware update system with ECDSA signing, anti-rollback, and hardware-anchored verification
This repository implements a secure firmware update pipeline of the kind used in:
- Automotive ECUs
- Industrial controllers
- Medical devices
- Aerospace embedded systems
It protects the device from:
| Threat | Defense |
|---|---|
| Firmware tampering | ECDSA digital signatures |
| Malware injection | Secure boot public-key verification |
| Downgrade attacks | eFuse anti-rollback versioning |
| Broken OTA | Dual-slot with rollback |
| Rogue updates | Signed-image enforcement |
This is the cryptographic chain of trust:

```text
ROM Bootloader (hardware root)
        ↓
Secure Bootloader (contains public key)
        ↓
Signed Application Image
        ↓
eFuse Secure Version Check
        ↓
Application allowed to execute
```
| Component | Purpose |
|---|---|
| ota_signing_key.pem | Private key (never leaves PC) |
| signature_verification_key.bin | Public key stored in bootloader |
| espsecure | Signs firmware |
| bootloader | Verifies signature before boot |
| eFuse | Blocks downgrades |
The device cannot be reprogrammed with unsigned or older firmware.
Signing workflow in ESP-IDF:
- The private ECDSA signing key (ota_signing_key.pem) is configured in ESP-IDF.
- ESP-IDF extracts the public key from it and embeds it into the secure bootloader.
- At build time ESP-IDF runs espsecure, which signs the firmware image with ECDSA.

Files generated:
- esp32_secure_ota.bin → signed firmware
- signature_verification_key.bin → bootloader public key
This proves:
- Bootloader contains verification logic
- Signature checks are enforced
This confirms:
- Only signed firmware can be flashed
- Bootloader + OTA data + app images are all aligned