Device Firmware Update (DFU)
The Gecko OS Device Firmware Update (DFU) feature allows device firmware to be updated offline via the device serial interface. This is an alternative to the OTA (Over-The-Air) update process, which requires the device to have Internet access via the device Wi-Fi interface.
Each device to be updated must have the minimum Gecko OS kernel firmware installed. The Gecko OS kernel provides all the features required to complete the DFU process.
A DFU package is created by the Product owner using the DMS web interface or REST API.
Gecko OS devices or bridging hosts can then obtain the required DFU package from the Silabs Device Management Service (DMS). This part of the process requires Internet access.
The DFU package can then be used to update one or more devices via the serial interface.
See DFU Procedures.
The DFU process incorporates comprehensive security measures to ensure the integrity of the updated firmware. See Security and Authentication.
Special Terms
The following terms have special meaning in this documentation:
- bridging host or bridging device - refers to a device intermediate between the Gecko OS device and the DMS, for example a mobile phone running a bridging app.
- device - refers to a Gecko OS device, unless otherwise indicated.
- DFU - Device Firmware Update.
- DMS - Silabs Device Management Service.
- NVM - Non-Volatile Memory, used for storing variable settings on a Gecko OS device.
Types of DFU
Direct OTA DFU, a.k.a. Serial DFU
A single device is updated by DFU using the device Wi-Fi with direct access to the DMS DFU service. The device can retain NVM variable settings and files not in the package.
Offline DFU, a.k.a. Manufacturing DFU
Multiple devices are updated with a single DFU package. The device can retain NVM variables and files not in the package.
Bridged DFU
An intermediate host, such as a mobile phone app, obtains the DFU package and caches it. It then passes it on to a Gecko OS device connected to the bridging host. This is a form of Offline DFU. A bridging app uses the DFU REST API to perform operations with the DFU host.
Factory DFU
Multiple devices are updated with a DFU package consisting of images to be programmed to specified flash locations. Devices programmed with a Factory DFU cannot retain NVM variable settings or files. All existing NVM variable settings and files are erased from the device, other than the device credentials.
DFU Procedures
Basic Procedure
- Create DFU Package. This step must be performed by the owner of the Product to be included in the package.
- Obtain DFU package from the DMS, using a Gecko OS device or a bridging device.
- Update one or more Gecko OS devices with the package.
Bridged DFU Procedure
To obtain a request from a device to determine if an update is available, use the dfu_query -o command.
To obtain a request from a device to request a DFU package, use the dfu_request command.
File Updating Rules
For security and efficiency, the DFU process updates device files only when required. A device file is updated if:
- the bundle file is not found in the device's file list
- the bundle file's hash is different from the hash in the device's file list
- the Kernel needs to be updated. In this case Applications depending on the kernel require updating.
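The three rules above, applied to a bundle manifest and a device file list, as an added example (not Gecko OS code). The `BundleFile` fields, the `kind` labels, the `needs_kernel` flag and all sample names and digests are assumptions made for illustration.

```python
from typing import Dict, List, NamedTuple


class BundleFile(NamedTuple):
    name: str
    digest: str          # hex hash; the page does not name the algorithm
    kind: str            # "kernel", "app" or "data" (hypothetical labels)
    needs_kernel: bool   # hypothetical flag: application depends on the kernel


def plan_update(bundle: List[BundleFile], device_files: Dict[str, str]) -> Dict[str, str]:
    """Map each bundle file that must be written to the rule that selected it."""
    plan: Dict[str, str] = {}
    for f in bundle:
        on_device = device_files.get(f.name)
        if on_device is None:
            plan[f.name] = "not-on-device"            # rule 1
        elif on_device.strip().lower() != f.digest.strip().lower():
            plan[f.name] = "hash-differs"             # rule 2
    # Rule 3: a kernel update pulls in dependent applications even when
    # their hashes already match the device's file list.
    if any(f.kind == "kernel" and f.name in plan for f in bundle):
        for f in bundle:
            if f.kind == "app" and f.needs_kernel:
                plan.setdefault(f.name, "kernel-updated")
    return plan


# Constructed sample data; file names and digests are made up.
BUNDLE = [
    BundleFile("kernel.bin", "aa11", "kernel", False),
    BundleFile("app.bin", "bb22", "app", True),
    BundleFile("index.html", "cc33", "data", False),
    BundleFile("logo.png", "dd44", "data", False),
]
DEVICE = {"kernel.bin": "aa10", "app.bin": "BB22", "index.html": "cc33"}

if __name__ == "__main__":
    for name, reason in plan_update(BUNDLE, DEVICE).items():
        print(f"{name}: {reason}")
```

Files that exist on the device but are absent from the bundle never enter the plan, which matches the statement that a device can retain files not in the package.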
DFU Commands and Variables
- Commands
- Variables
DFU Package
A DFU Package consists of a firmware bundle and additional data.
Security and Authentication
Package Security
DFU packages contain the firmware bundle files or images required for the update. A DFU package is generated by the DMS or other secure utility. It is signed with the Product Auth Key and is encrypted with the Product AES Key.
DMS and Device Authentication
The DMS host for DFU operations will be dfu.zentri.com.
There are three credentials used in DFU package security:
- Platform Auth Key - signs Kernel and Product Auth Key
- Product Auth Key - signs Gecko OS Application, Safemode App, and DFU package
- Product AES Key - encrypts data section of DFU package
Devices can present TLS client certificates to identify themselves to the DMS.
The device authenticates the DMS by validating the DMS's server certificate against the device's internally stored DMS CA certificate.
The DMS authenticates the device using the device's certificate and key.
For a Bridged DFU, the bridging device presents a request, signed by the device, that contains the device EUI (Extended Unique Identifier - see IEEE - EUI). Since the request is signed by the device, the bridging device is not required to authenticate separately with the DMS. See Bridged DFU Procedure.
DPA Attack Countermeasures
A DPA (Differential Power Analysis) attack can passively extract cryptographic keys from a device. As this requires repetition of the cryptographic process, an attack is enabled if two or more DFU packages allow DFU between the packages, i.e.
- Package 1 'allows' a DFU to Package 2
- Package 2 'allows' a DFU to Package 1
DPA attacks can be disabled by limiting a package's allowed update packages to avoid DFU loops.
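A pre-publication check for DFU loops, as an added example (not part of the Gecko OS or DMS tooling). It generalizes the two-package case above to loops of any length; the package ids and the mapping of each package to the packages it allows a DFU to are constructed for illustration.

```python
from typing import Dict, List, Optional

# Constructed samples: package id -> package ids it allows a DFU to.
SAFE = {"pkg-1.0": ["pkg-1.1", "pkg-2.0"], "pkg-1.1": ["pkg-2.0"], "pkg-2.0": []}
LOOPED = {"pkg-1.0": ["pkg-1.1"], "pkg-1.1": ["pkg-2.0"], "pkg-2.0": ["pkg-1.0"]}


def find_dfu_loop(allowed: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return one DFU loop as [a, b, ..., a], or None if no loop exists."""
    WHITE, GREY, BLACK = 0, 1, 2          # unvisited, on current path, finished
    colour = {p: WHITE for p in allowed}
    for start in sorted(allowed):
        if colour[start] != WHITE:
            continue
        colour[start] = GREY
        path = [start]                    # current chain of allowed updates
        stack = [iter(sorted(allowed[start]))]
        while stack:
            nxt = next(stack[-1], None)
            if nxt is None:               # all targets explored: backtrack
                colour[path.pop()] = BLACK
                stack.pop()
                continue
            state = colour.get(nxt, WHITE)
            if state == GREY:             # target is already on the path: loop
                return path[path.index(nxt):] + [nxt]
            if state == WHITE:
                colour[nxt] = GREY
                path.append(nxt)
                # Targets with no entry of their own allow no further DFU.
                stack.append(iter(sorted(allowed.get(nxt, []))))
    return None


if __name__ == "__main__":
    for label, graph in (("SAFE", SAFE), ("LOOPED", LOOPED)):
        loop = find_dfu_loop(graph)
        print(label, "ok" if loop is None else "loop: " + " -> ".join(loop))
```

Running the check whenever a package's allowed-update list changes catches a loop before any device can be cycled between the packages.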
DFU REST API
TBD