WO2009156302A1 - Electronic device and method of software or firmware updating of an electronic device - Google Patents
Electronic device and method of software or firmware updating of an electronic device Download PDFInfo
- Publication number
- WO2009156302A1 WO2009156302A1 PCT/EP2009/057455 EP2009057455W WO2009156302A1 WO 2009156302 A1 WO2009156302 A1 WO 2009156302A1 EP 2009057455 W EP2009057455 W EP 2009057455W WO 2009156302 A1 WO2009156302 A1 WO 2009156302A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- software
- memory
- value
- electronic device
- update
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims description 17
- 238000005192 partition Methods 0.000 claims abstract description 39
- 230000006870 function Effects 0.000 description 8
- 230000007246 mechanism Effects 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 230000001419 dependent effect Effects 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000007704 transition Effects 0.000 description 2
- 230000006399 behavior Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000005096 rolling process Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/572—Secure firmware programming, e.g. of basic input output system [BIOS]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/60—Software deployment
- G06F8/65—Updates
Definitions
- the present invention relates to an electronic device as well as to a method for software or firmware updating of an electronic device.
- Modern electronic devices typically comprise some hardware components, wherein at least part of the hardware components are programmable by means of software.
- the software or firmware for the operation of the electronic device can be updated for example in order to improve the operation or the security of the device.
- the software or firmware of an electronic device is updated, it must be ensured that the new software or firmware is of a more recent version than the currently stored software or firmware.
- the technique to avoid this is called anti-rollback.
- An anti-rollback scheme is advantageous as a content protection is ensured, i.e. if a vulnerability in the software or firmware is found, such a vulnerability can be avoided by a new software or a new firmware dealing with the vulnerability.
- the security of an electronic device can be improved.
- a firmware rollback is applied to an electronic device, user secrets like payment password, identity data and the like which is stored in the device may be retrieved from the device by using a firmware previously present.
- a software or firmware update can for example also be performed wirelessly over the air, i.e. a firmware over-the-air FOTA can be performed.
- An anti-rollback of a firmware or software is typically achieved based on a clock and a validity period associated to each software or firmware version.
- the clock may be implemented as hardware or software and the software will stop the clock as soon as the validity period has expired.
- the validity period has to be predefined or predetermined.
- the anti-rollback technique must be applied when an update of a software or firmware is performed which is used to control the integrity of the software for example by means of internal cryptographic keys. Therefore, hardware associated thereto will perform the integrity check of the software or firmware when the device is booted.
- GB 2430774 B discloses a method of software updating and a corresponding processor unit.
- an anti-rollback system is provided which is based on version numbers. Therefore, the version numbers must be stored securely.
- the disadvantage of such a solution is the costs required for the hardware will depend on the software numbering.
- GB 2425193 A discloses an anti-rollback system based on version numbers.
- a one-time write memory element is provided to achieve a functionality of a bit-by-bit analysis, wherein the bit will depend on the version number of the software.
- one way to bind the version of the installed software to the hardware of the electronic device is to use a special numbering of the software. Accordingly, one bit per existing software version is needed.
- the required software or hardware for the operation of the electronic devices may be divided into a plurality of partitions, wherein each partition could be updated independently of the other partitions of the software or firmware. Accordingly, if one bit is used for every existing software version, the required amount of bits may be very high which will lead to a very high cost of the electronic device.
- an electronic device which comprises a memory driver unit for reading partition headers including encrypted version numbers from a memory and for writing updated encrypted version numbers to the memory.
- the electronic device furthermore comprises an update agent unit for controlling a software of firmware update of the electronic device as well as a one-time programmable memory for storing a first value and an encrypt-decrypt unit for decrypting the partition headers stored in the memory based on the first value stored in the one-time programmable memory in order to retrieve version numbers of the partition headers.
- the update agent is adapted to compare the retrieved version numbers with a version number from a software or firmware update in order to determine whether the version number of the software or firmware update is larger than the retrieved version numbers.
- the first value is incremented and stored in the one-time programmable memory if an update is performed.
- the encrypt-decrypt unit is adapted to encrypt the version numbers of the software or firmware update based on the new first value.
- the memory driver unit is adapted to write a new partition header with the updated encrypted version numbers into the memory.
- the software or firmware of the electronic comprises at least two components, wherein each component can have its own version number and which can be updated separately.
- the update of the first value can be deactivated.
- the anti-rollback scheme is only activated when really required.
- the invention also relates to a method of software or firmware updating of an electronic device.
- Partition headers including encrypted version numbers are read from a memory.
- a software or firmware update of the electronic device is performed.
- a first value is stored in a one-time programmable memory.
- the partition headers stored in the memory based on the first value stored in the one-time programmable memory OTP to retrieve the encrypted version numbers of the partition headers,
- the retrieved version numbers are compared with a version number of a software or firmware update in order to determine whether the version number of the software or firmware update is larger than the retrieved version number.
- the first value in the one-time programmable memory OTP is incremented and stored if an updated is performed.
- the version numbers of the software or firmware update is encrypted based on the new first value.
- a new partition header with the updated encrypted version numbers is written into the memory.
- the invention relates to the idea to provide a possibility of an anti-rollback scheme. Therefore, a one-time programmable memory is provided.
- the memory is at least as long as the maximum possible version numbers.
- it cannot be predicted how many version numbers of software of firmware will be available during the lifetime of an electronic device.
- typically the software as well as the firmware can be divided into separate components which may be updated independently of each other.
- the number of bits which are required to store the version number is not dependent on the version number.
- some kind of memory needs to be provided which cannot be tempered with.
- some means of encrypting needs to be provided for linking a state of the programmable memory (a value stored in the one-time programmable memory) with the actual version number of the software or firmware stored in a memory of the electronic device.
- the invention also relates to the idea to use a monotonous counter (memory register accessible only by the anti-rollback mechanism or a one time programmable memory; each bit which is set cannot be modified any further).
- a cryptographic hardware component is used which can encrypt and decrypt signs using a symmetric cryptographic mechanism with an unknown key which can be different for each electronic device. Accordingly, when an update or upgrade of the software or firmware is performed, a value in the one time programmable memory OTP is incremented and the new OTP register value is linked to the software or firmware version numbers by means of an internal cryptographic hardware component. Accordingly, a software version is bound to the electronic device by means of a single bit.
- a software or firmware update When a firmware or software is to be updated wirelessly, a software or firmware update must be performed without having to interact with the hardware.
- the new software or hardware version can be downloaded, while the device is operating.
- An update may be performed by means of a software update agent only. The integrity of the update can be ensured by public-key cryptographic mechanism. Then the current software or firmware image can be discarded and the new software or firmware is used. However, it should be noted that a rolling back to the discarded image can be performed by merely uploading the dumped image to the device again.
- Fig. 1 shows a representation of a flash memory according to a first embodiment
- Fig. 2 shows a block diagram of part of an electronic device according to a first embodiment
- Fig. 3 shows a flow chart of a method for updating an electronic device according to the first embodiment.
- the software or firmware of an electronic device can be organized in several components each having their own version number. Accordingly, each component of the software or firmware with its own version number can be updated separately or independently.
- An encrypted version number can be stored in a flash memory together with the software or firmware.
- a one time programmable memory can be used to store a counter which is incremented when an update is performed.
- This memory can also be implemented as an one-time programmable memory OTP register which can be initialized by setting all bits to zero at the first use.
- an Encrypt and Decrypt function can be provided. These Encrypt and Decrypt functions can for example be implemented by the advanced encryption standard FIPS 197 in the cipher block chaining mode with a 128-bit key embedded in the device. Preferably, this key is only used for the Encrypt and Decrypt functions.
- the Encrypt and Decrypt functions can be used to combine a state of the one time programmable memory field state with a version number of each component of the software or firmware in connection with further data related to the software component or firmware component. Accordingly, a value can be achieved which enables an integrity check for example based on a public key signature, a hash footprint or the like.
- Fig. 1 shows a representation of a memory in an electronic device according to a first embodiment.
- the memory can be implemented as a flash memory and comprises at least a first and second partition Pl, P2.
- Each partition contains a partition header Plhdr,
- Each partition has its own version number v c (vl, v2).
- Each of the partition headers comprises an encrypted version number X c (Xl, X2) which is linked to data comprising the version number v c (vl, v2).
- the boot and update agent BUA is preferably protected by hardware means (encrypt-decrypt unit).
- Fig. 2 shows a block diagram of part of an electronic device according to a first embodiment.
- the electronic device comprises a flash driver FD for driving a memory, an update agent unit UA and a hardware unit HW, which may comprise an one-time programmable memory OTP and an encrypt-decrypt unit EDU.
- a dedicated field in a one-time programmable memory OTP is available with no bit set, i.e. all its bits are 0.
- a one-time programmable memory is one-time programmable, i.e. it can never be "reset".
- Fig. 3 shows a flow chart of a method of updating the software or firmware of an electronic device according to a first embodiment.
- the update may be performed by the electronic device according to Fig. 2.
- a download of a new software or new firmware can be performed to the device.
- the partition headers are created for each partition C. This can be done by a special behavior of the first-time boot, or using a special software loaded into the device memory and executed.
- the value Xc Encrypt (0
- the Encrypt function uses the said key embedded in the device as the encryption key.
- the encrypted version numbers Xc are used to decide whether the update should be performed, and, if so, the numbers Xc and, if necessary, the OTP field, are modified.
- the update agent unit UA reads the update partitions P' 1, P '2 and the update partition numbers v' 1, v'2 of the update of the software or the firmware.
- the update agent unit UA reads the previous value RO of the one time programmable memory OTP.
- the partition headers including the encrypted version numbers Xl, X2 of the currently stored software or firmware are inputted from a flash driver FD (as extracted from the flash memory) to the updated agent unit UA.
- step S40 the partition headers with the encrypted version numbers Xc are decrypted by means of the encrypt- decrypt unit EDU based on the said key embedded in the device.
- the result of the operation is "r ⁇
- step S50 it is determined whether the updated version number v'l is larger than the (decrypted) version number vl as stored in the flash memory and that the updated version number v'2 is larger than the (decrypted) version number v2 in the flash memory.
- step S60 it is determined whether this is true or not. If not, the electronic device is rebooted.
- step S70 the dedicated field in the one-time programmable memory OTP is modified by setting, for instance, one additional bit, to obtain a new (current) value R.
- step S80 the value rO is updated to r which is equal to R.
- r is concatenated with the updated version number v'c ( v'l , v'2) and, possibly, additional data d'c related to C to form the string "r
- step S60 the partition P' l with the updated header P'lhdr containing X' l is stored and the partition P'2 with the updated header P'2hdr containing X'2 is stored.
- an anti-rollback process can be performed that is based on the encrypted version numbers Xc.
- This process includes computing a decryption of the encrypted version number X c in order to retrieve strings of the form "r
- the partition header Pchdr contains both the version number vc and the encrypted version number Xc. In this case, it is also determined whether the version number of the software component corresponds to the decrypted version number v c .
- the additional data d c can relate to an integrity-related value like a public key signature of the software component. Furthermore, it is verified whether the validity of the signature corresponds to that of the software component.
- the update agent unit UA When the update agent unit UA performs an update, the one-time programmable memory OTP (i.e., it burns one more bit) is incremented.
- the update agent unit UA can update the values Xc of the encrypted version numbers for all components C regardless of whether they are updated them. Hence, the version numbers of those component
- C that does not change is kept by the following algorithm: compute Decrypt(XC) to retrieve an associated OTP value R, the version number vc and additional data dc - if R is equal to RO, replace Xc with Encrypt(R
- an update shall not be rolled back.
- a dependency tree of an anti-rollback function is provided and can be used to specify for each software component C which version transitions require anti-rollback.
- This dependency tree can be provided as a software component itself that does not require anti-rollback, and it can be updated by the update agent unit UA before any anti-rollback-related processing. Then during an update the update agent UA can refer to the updated tree before any of the components C are updated. Furthermore, it can check whether at least one transition requires anti-rollback or not. Depending on the result, it can performs an increment of the OTP register or it can bypasses the increment.
- the anti-rollback mechanism according to the invention prevents the rollback based on the software memory dump technique described above.
- Only one OTP register is required regardless of the number of versioned software components.
- the size of the OTP depends on the number of updates that a user is likely to perform, which is usually far less than the total number of existing software updates in the lifetime of the product. For instance, if there are two pieces of software that the user upgrades respectively from version 2.0 to 2.15 and 3.1 to 3.9, the cost of ensuring rollback according the invention will be one OTP bit only (instead of 23).
- one bit is required for an update of the one-time programmable memory.
- a value Ro is stored in the one-time programmable memory. This value is linked to the version number of the software or firmware currently stored on the electronic device.
- the value of Ro is incremented (by one) to a value R. Accordingly, a counter is implemented.
- the one-time programmable memory is not used to store the actual version numbers but it is merely used to store the value of a counter, wherein this value may correspond to the number of updates of the software and firmware which have been performed.
- the updated or incremented value R is stored in the one-time programmable memory OTP. This value is used as basis for encrypting the version number of the updated software and firmware. The encrypted version number is then stored together with the updated software of firmware. The new version of the updated counter is used to encrypt the version numbers of those parts of the software or firmware which have been updated. Alternatively or in addition, the version numbers of those parts of the software or firmware which have not been updated are also encrypted based on the value of the one-time programmable memory OTP.
- the encrypted version numbers of the software are also stored for example in a flash memory together with the software or firmware. It should be noted that if the content of the flash memory has been tempered with, then the encrypted version numbers of the software or firmware stored in the flash memory will indicate to that. This can be determined when those encrypted version numbers stored in the memory are decrypted based on the actual value of the one-time programmable memory and when the version number of the updated software or firmware is compared to the decrypted version number stored in the memory. When the encrypted version numbers are decrypted and when the flash memory has been tempered with, the associated value in the result of the decryption of the encrypted version number will not correspond to the value as stored in the one-time programmable memory. Hence, it can be determined that the content of the flash memory has been tempered with.
- the anti-rollback scheme according to the invention can be used in mobile platforms, Set-Top Boxes and car devices.
- the anti-rollback scheme according to the invention can also be used in any electronic device (like PCs) which can update the firmware "online” (not necessarily “over-the-air”).
Landscapes
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
- Storage Device Security (AREA)
Abstract
An electronic device is provided which comprises a memory driver unit (FD) for reading partition headers including encrypted version numbers (X1, X2) from a memory and for writing updated encrypted version numbers (X´1, X´2) to the memory. The electronic device furthermore comprises an update agent unit (UA) for controlling a software of firmware update of the electronic device as well as a one-time programmable memory (OTP) for storing a first value and an encrypt-decrypt unit (EDU) for decrypting the partition headers stored in the memory based on the first value stored in the one-time programmable memory in order to retrieve version numbers of the partition headers. The update agent (UA) is adapted to compare the retrieved version numbers with a version number from a software or firmware update in order to determine whether the version number of the software or firmware update is larger than the retrieved version numbers. The first value is incremented and stored in the one-time programmable memory (OTP) if an update is performed. The encrypt-decrypt unit (EDU) is adapted to encrypt the version numbers of the software or firmware update based on the new first value. The memory driver unit (FD) is adapted to write a new partition header with the updated encrypted version numbers into the memory.
Description
Electronic device and method of software or firmware updating of an electronic device
FIELD OF THE INVENTION
The present invention relates to an electronic device as well as to a method for software or firmware updating of an electronic device.
BACKGROUND OF THE INVENTION
Modern electronic devices typically comprise some hardware components, wherein at least part of the hardware components are programmable by means of software. The software or firmware for the operation of the electronic device can be updated for example in order to improve the operation or the security of the device. However, when the software or firmware of an electronic device is updated, it must be ensured that the new software or firmware is of a more recent version than the currently stored software or firmware. The technique to avoid this is called anti-rollback. An anti-rollback scheme is advantageous as a content protection is ensured, i.e. if a vulnerability in the software or firmware is found, such a vulnerability can be avoided by a new software or a new firmware dealing with the vulnerability. Furthermore, by means of an update of the software or firmware, the security of an electronic device can be improved. Therefore, users can be protected from malicious attacks. For example, if a firmware rollback is applied to an electronic device, user secrets like payment password, identity data and the like which is stored in the device may be retrieved from the device by using a firmware previously present. A software or firmware update can for example also be performed wirelessly over the air, i.e. a firmware over-the-air FOTA can be performed.
An anti-rollback of a firmware or software is typically achieved based on a clock and a validity period associated to each software or firmware version. The clock may be implemented as hardware or software and the software will stop the clock as soon as the validity period has expired. However, here, the validity period has to be predefined or predetermined. On the other hand, if a problem is discovered in the firmware or software, it should be updated regardless whether the validity period has expired or not.
Alternatively, the anti-rollback technique must be applied when an update of a software or firmware is performed which is used to control the integrity of the software for example by means of internal cryptographic keys. Therefore, hardware associated thereto will perform the integrity check of the software or firmware when the device is booted. It will only perform the update with the new software or firmware if the version number of the new software or firmware is higher than that of the current software. Furthermore, it can use internal keys to update the integrity check value. However, it should be noted that here, the anti-rollback is tightly coupled to the hardware controlled integrity and secret cryptographic keys. GB 2430774 B discloses a method of software updating and a corresponding processor unit. Here, an anti-rollback system is provided which is based on version numbers. Therefore, the version numbers must be stored securely. The disadvantage of such a solution is the costs required for the hardware will depend on the software numbering.
GB 2425193 A discloses an anti-rollback system based on version numbers. A one-time write memory element is provided to achieve a functionality of a bit-by-bit analysis, wherein the bit will depend on the version number of the software. In particular, one way to bind the version of the installed software to the hardware of the electronic device is to use a special numbering of the software. Accordingly, one bit per existing software version is needed. It should be noted that in modern electronic devices, the required software or hardware for the operation of the electronic devices may be divided into a plurality of partitions, wherein each partition could be updated independently of the other partitions of the software or firmware. Accordingly, if one bit is used for every existing software version, the required amount of bits may be very high which will lead to a very high cost of the electronic device.
SUMMARY OF THE INVENTION
It is therefore an object of the invention to provide an electronic device and a method for updating a software or firmware in the electronic device which is cheaper to implement.
This object is solved by an electronic device according to claim 1 and by a method for software or firmware updating of an electronic device according to claim 4.
Therefore, an electronic device is provided which comprises a memory driver unit for reading partition headers including encrypted version numbers from a memory and for writing updated encrypted version numbers to the memory. The electronic device furthermore comprises an update agent unit for controlling a software of firmware update of the electronic device as well as a one-time programmable memory for storing a first value and an encrypt-decrypt unit for decrypting the partition headers stored in the memory based on the first value stored in the one-time programmable memory in order to retrieve version numbers of the partition headers. The update agent is adapted to compare the retrieved version numbers with a version number from a software or firmware update in order to determine whether the version number of the software or firmware update is larger than the retrieved version numbers. The first value is incremented and stored in the one-time programmable memory if an update is performed. The encrypt-decrypt unit is adapted to encrypt the version numbers of the software or firmware update based on the new first value. The memory driver unit is adapted to write a new partition header with the updated encrypted version numbers into the memory.
According to an aspect of the invention, the software or firmware of the electronic comprises at least two components, wherein each component can have its own version number and which can be updated separately.
According to an aspect of the invention, the update of the first value can be deactivated. Hence, the anti-rollback scheme is only activated when really required.
The invention also relates to a method of software or firmware updating of an electronic device. Partition headers including encrypted version numbers are read from a memory. A software or firmware update of the electronic device is performed. A first value is stored in a one-time programmable memory. The partition headers stored in the memory based on the first value stored in the one-time programmable memory OTP to retrieve the encrypted version numbers of the partition headers, The retrieved version numbers are compared with a version number of a software or firmware update in order to determine whether the version number of the software or firmware update is larger than the retrieved version number. The first value in the one-time programmable memory OTP is incremented and stored if an updated is performed. The version numbers of the software or firmware update is encrypted based on the new first value. A new partition header with the updated encrypted version numbers is written into the memory.
The invention relates to the idea to provide a possibility of an anti-rollback scheme. Therefore, a one-time programmable memory is provided. The memory is at least as long as the maximum possible version numbers. However, it should be noted that it cannot be predicted how many version numbers of software of firmware will be available during the lifetime of an electronic device. Furthermore, typically the software as well as the firmware can be divided into separate components which may be updated independently of each other. By means of the invention, the number of bits which are required to store the version number is not dependent on the version number. To avoid a tampering of the version number, some kind of memory needs to be provided which cannot be tempered with. Furthermore, some means of encrypting needs to be provided for linking a state of the programmable memory (a value stored in the one-time programmable memory) with the actual version number of the software or firmware stored in a memory of the electronic device.
The invention also relates to the idea to use a monotonous counter (memory register accessible only by the anti-rollback mechanism or a one time programmable memory; each bit which is set cannot be modified any further). Furthermore, a cryptographic hardware component is used which can encrypt and decrypt signs using a symmetric cryptographic mechanism with an unknown key which can be different for each electronic device. Accordingly, when an update or upgrade of the software or firmware is performed, a value in the one time programmable memory OTP is incremented and the new OTP register value is linked to the software or firmware version numbers by means of an internal cryptographic hardware component. Accordingly, a software version is bound to the electronic device by means of a single bit.
When a firmware or software is to be updated wirelessly, a software or firmware update must be performed without having to interact with the hardware. The new software or hardware version can be downloaded, while the device is operating. An update may be performed by means of a software update agent only. The integrity of the update can be ensured by public-key cryptographic mechanism. Then the current software or firmware image can be discarded and the new software or firmware is used. However, it should be noted that a rolling back to the discarded image can be performed by merely uploading the dumped image to the device again.
Further aspects of the invention are defined in the dependent claims.
BRIEF DESCRIPTION OF THE DRAWINGS
Advantages and embodiments of the invention will now be described in more detail with reference to the Figures.
Fig. 1 shows a representation of a flash memory according to a first embodiment,
Fig. 2 shows a block diagram of part of an electronic device according to a first embodiment, and
Fig. 3 shows a flow chart of a method for updating an electronic device according to the first embodiment.
DETAILED DESCRIPTION OF EMBODIMENTS
In the embodiments of the invention it is assumed that the software or firmware of an electronic device can be organized in several components each having their own version number. Accordingly, each component of the software or firmware with its own version number can be updated separately or independently. An encrypted version number can be stored in a flash memory together with the software or firmware. A one time programmable memory can be used to store a counter which is incremented when an update is performed. This memory can also be implemented as an one-time programmable memory OTP register which can be initialized by setting all bits to zero at the first use. Furthermore, an Encrypt and Decrypt function can be provided. These Encrypt and Decrypt functions can for example be implemented by the advanced encryption standard FIPS 197 in the cipher block chaining mode with a 128-bit key embedded in the device. Preferably, this key is only used for the Encrypt and Decrypt functions.
The Encrypt and Decrypt functions can be used to combine a state of the one time programmable memory field state with a version number of each component of the software or firmware in connection with further data related to the software component or firmware component. Accordingly, a value can be achieved which enables an integrity check for example based on a public key signature, a hash footprint or the like.
Fig. 1 shows a representation of a memory in an electronic device according to a first embodiment. The memory can be implemented as a flash memory and comprises at least a first and second partition Pl, P2. Each partition contains a partition header Plhdr,
P2hdr. Each partition has its own version number vc (vl, v2). Each of the partition headers
comprises an encrypted version number Xc (Xl, X2) which is linked to data comprising the version number vc (vl, v2). In the memory, furthermore a boot and update agent BUA and the corresponding software or firmware is stored. The boot and update agent BUA is preferably protected by hardware means (encrypt-decrypt unit). Fig. 2 shows a block diagram of part of an electronic device according to a first embodiment. The electronic device comprises a flash driver FD for driving a memory, an update agent unit UA and a hardware unit HW, which may comprise an one-time programmable memory OTP and an encrypt-decrypt unit EDU. When the said electronic device is produced, a dedicated field in a one-time programmable memory OTP is available with no bit set, i.e. all its bits are 0. A one-time programmable memory is one-time programmable, i.e. it can never be "reset".
Fig. 3 shows a flow chart of a method of updating the software or firmware of an electronic device according to a first embodiment. The update may be performed by the electronic device according to Fig. 2. Then a download of a new software or new firmware can be performed to the device.
During the production of the electronic device, the partition headers are created for each partition C. This can be done by a special behavior of the first-time boot, or using a special software loaded into the device memory and executed. During this process, the value Xc = Encrypt (0 || version number of C || additional data possibly related to C) is computed for each software component C and is stored. " || " denotes concatenation. The "0" value corresponds to the initial state of the said dedicated OTP field, read as a binary value. The Encrypt function uses the said key embedded in the device as the encryption key.
During an update, the encrypted version numbers Xc are used to decide whether the update should be performed, and, if so, the numbers Xc and, if necessary, the OTP field, are modified. In step SlO, the update agent unit UA reads the update partitions P' 1, P '2 and the update partition numbers v' 1, v'2 of the update of the software or the firmware. In step S20, the update agent unit UA reads the previous value RO of the one time programmable memory OTP. In step S30, the partition headers including the encrypted version numbers Xl, X2 of the currently stored software or firmware are inputted from a flash driver FD (as extracted from the flash memory) to the updated agent unit UA. In step S40, the partition headers with the encrypted version numbers Xc are decrypted by means of the encrypt- decrypt unit EDU based on the said key embedded in the device. For each partition C, the
result of the operation is "rθ || vc || dc". It is checked than the value "rθ" is equal to the value "RO" read from the said dedicated field in OTP memory. If it is not true, then the device is rebooted. The current version numbers vl, v2 of the update of the software or firmware are thus retrieved. In step S50, it is determined whether the updated version number v'l is larger than the (decrypted) version number vl as stored in the flash memory and that the updated version number v'2 is larger than the (decrypted) version number v2 in the flash memory.
In step S60, it is determined whether this is true or not. If not, the electronic device is rebooted. In step S70, the dedicated field in the one-time programmable memory OTP is modified by setting, for instance, one additional bit, to obtain a new (current) value R. In step S80, the value rO is updated to r which is equal to R. For each partition C, r is concatenated with the updated version number v'c ( v'l , v'2) and, possibly, additional data d'c related to C to form the string "r || v'c || d'c". This string is encrypted with the said key embedded in the device and the updated encrypted version numbers X'l, X'2 are obtained. In step S60, the partition P' l with the updated header P'lhdr containing X' l is stored and the partition P'2 with the updated header P'2hdr containing X'2 is stored.
Independently from the update process described above, during a normal boot execution, an anti-rollback process can be performed that is based on the encrypted version numbers Xc. This process includes computing a decryption of the encrypted version number Xc in order to retrieve strings of the form "r || vc || dc". It is then determined whether the value "r" is equal to the current value R of the one time programmable memory. In a preferred embodiment of the invention, the partition header Pchdr contains both the version number vc and the encrypted version number Xc. In this case, it is also determined whether the version number of the software component corresponds to the decrypted version number vc. The additional data dc can relate to an integrity-related value like a public key signature of the software component. Furthermore, it is verified whether the validity of the signature corresponds to that of the software component.
Accordingly, to ensure anti-rollback, the following algorithm is performed at boot in addition to normal boot execution:
For each protected software component C compute Decrypt(Xc) to retrieve an associated OTP value r, the version number vc and additional data dc
check that r is equal to the current OTP value check that the version number of C is equal to vC
When the update agent unit UA performs an update, the one-time programmable memory OTP (i.e., it burns one more bit) is incremented. The update agent unit UA can update the values Xc of the encrypted version numbers for all components C regardless of whether they are updated them. Hence, the version numbers of those component
C that does not change is kept by the following algorithm: compute Decrypt(XC) to retrieve an associated OTP value R, the version number vc and additional data dc - if R is equal to RO, replace Xc with Encrypt(R || vc || dc)
However, for every component C that is updated, the following algorithm can be performed: compute Decrypt(XC) to retrieve an associated OTP value R, the version number vc and additional data dc; - Check whether R=RO;
Read the component new version number v'c and additional data d'c from the update package;
Check that v'c is at least equal to vc;
Compute X'c=Encrypt(R || v'c || d'c); - Replace Xc with X'c
According to a further embodiment it is specified when an update shall not be rolled back. Here, it is specified for each software component update, whether it requires an anti-rollback function from the previous version or not. If no anti-rollback function is required the update agent unit UA can bypass the increment of the one-time programmable memory OTP.
According to still a further embodiment a dependency tree of an anti-rollback function is provided and can be used to specify for each software component C which version transitions require anti-rollback. This dependency tree can be provided as a software component itself that does not require anti-rollback, and it can be updated by the update agent unit UA before any anti-rollback-related processing. Then during an update the update agent UA can refer to the updated tree before any of the components C are updated. Furthermore, it
can check whether at least one transition requires anti-rollback or not. Depending on the result, it can performs an increment of the OTP register or it can bypasses the increment.
The anti-rollback mechanism according to the invention prevents the rollback based on the software memory dump technique described above. Only one OTP register is required regardless of the number of versioned software components. The size of the OTP depends on the number of updates that a user is likely to perform, which is usually far less than the total number of existing software updates in the lifetime of the product. For instance, if there are two pieces of software that the user upgrades respectively from version 2.0 to 2.15 and 3.1 to 3.9, the cost of ensuring rollback according the invention will be one OTP bit only (instead of 23).
According to the invention, one bit is required for an update of the one-time programmable memory. In the one-time programmable memory, a value Ro is stored. This value is linked to the version number of the software or firmware currently stored on the electronic device. When an update of the software or firmware is performed and the anti- rollback scheme according to the invention is activated, the value of Ro is incremented (by one) to a value R. Accordingly, a counter is implemented.
In other words, the one-time programmable memory is not used to store the actual version numbers but it is merely used to store the value of a counter, wherein this value may correspond to the number of updates of the software and firmware which have been performed.
The updated or incremented value R is stored in the one-time programmable memory OTP. This value is used as basis for encrypting the version number of the updated software and firmware. The encrypted version number is then stored together with the updated software of firmware. The new version of the updated counter is used to encrypt the version numbers of those parts of the software or firmware which have been updated. Alternatively or in addition, the version numbers of those parts of the software or firmware which have not been updated are also encrypted based on the value of the one-time programmable memory OTP.
Therefore, if for example the encrypted version numbers of the software are also stored for example in a flash memory together with the software or firmware. It should be noted that if the content of the flash memory has been tempered with, then the encrypted version numbers of the software or firmware stored in the flash memory will indicate to that.
This can be determined when those encrypted version numbers stored in the memory are decrypted based on the actual value of the one-time programmable memory and when the version number of the updated software or firmware is compared to the decrypted version number stored in the memory. When the encrypted version numbers are decrypted and when the flash memory has been tempered with, the associated value in the result of the decryption of the encrypted version number will not correspond to the value as stored in the one-time programmable memory. Hence, it can be determined that the content of the flash memory has been tempered with.
The anti-rollback scheme according to the invention can be used in mobile platforms, Set-Top Boxes and car devices. The anti-rollback scheme according to the invention can also be used in any electronic device (like PCs) which can update the firmware "online" (not necessarily "over-the-air").
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. In the device claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
Furthermore, any reference signs in the claims shall not be constrained as limiting the scope of the claims.
Claims
1. Electronic device, comprising: a memory driver unit (FD) for reading partition headers which include encrypted version numbers (Xl, X2) from a memory and for writing updated encrypted version numbers (X' 1; X'2) to the memory; - an update agent unit (UA) for controlling a software or firmware update of the electronic device; a one-time programmable memory (OTP) for storing a first value (R, RO); and an encrypt-decrypt unit (EDU) for decrypting the partition headers stored in the memory based on the first value (R, RO) stored in the one-time programmable memory (OTP) to retrieve version numbers of the partition headers; wherein the update agent unit (UA) is adapted to compare the retrieved version numbers with a version number from a software or firmware update to determine whether the version number of the software or firmware update are larger than the retrieved version numbers, - wherein the first value (R) is incremented and stored in the one-time programmable memory (OTP) if an update is performed; wherein the encrypt-decrypt unit (EDU) is adapted to encrypt the version numbers of the software or firmware update based on the new first value (R); and wherein the memory driver unit (FD) is adapted to write a new partition header with updated encrypted version numbers into the memory.
2. Electronic device according to claim 1, wherein the software or firmware of the electronic comprises at least two components (C), wherein each component (C) can have its own version number and which can be updated separately.
3. Electronic device according to claim 1 or 2, wherein the update of the first value (R, RO) can be deactivated.
4. Method of software or firmware updating of an electronic device, comprising the steps of: reading partition headers including encrypted version numbers (Xl, X2) from a memory, controlling a software or firmware update of the electronic device, storing a first value (R) in a one-time programmable memory (OTP) and decrypting the partition headers stored in the memory based on the first value stored in the one-time programmable memory (OTP) to retrieve the encrypted version numbers of the partition headers, comparing the retrieved version numbers with a version number of a software or firmware update in order to determine whether the version number of the software or firmware update is larger than the retrieved version number, incrementing and storing the first value in the one-time programmable memory (OTP) if an updated is performed, encrypting the version numbers of the software or firmware update based on the new first value (R), writing a new partition header with the updated encrypted version numbers into the memory.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AT09769151T ATE540371T1 (en) | 2008-06-23 | 2009-06-16 | ELECTRONIC DEVICE AND METHOD FOR UPDATING SOFTWARE OR FIRMWARE OF AN ELECTRONIC DEVICE |
EP09769151A EP2294529B1 (en) | 2008-06-23 | 2009-06-16 | Electronic device and method of software or firmware updating of an electronic device |
CN2009801286785A CN102105883A (en) | 2008-06-23 | 2009-06-16 | Electronic device and method of software or firmware updating of an electronic device |
US12/976,857 US8543839B2 (en) | 2008-06-23 | 2010-12-22 | Electronic device and method of software or firmware updating of an electronic device |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP08290596 | 2008-06-23 | ||
EP08290596.9 | 2008-06-23 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/976,857 Continuation US8543839B2 (en) | 2008-06-23 | 2010-12-22 | Electronic device and method of software or firmware updating of an electronic device |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2009156302A1 true WO2009156302A1 (en) | 2009-12-30 |
Family
ID=40973548
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2009/057455 WO2009156302A1 (en) | 2008-06-23 | 2009-06-16 | Electronic device and method of software or firmware updating of an electronic device |
Country Status (5)
Country | Link |
---|---|
US (1) | US8543839B2 (en) |
EP (1) | EP2294529B1 (en) |
CN (1) | CN102105883A (en) |
AT (1) | ATE540371T1 (en) |
WO (1) | WO2009156302A1 (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2991796A1 (en) * | 2012-06-12 | 2013-12-13 | Inside Secure | METHOD OF SAVING DATA OUTSIDE A SECURE MICROCIRCUIT |
WO2014131652A1 (en) * | 2013-03-01 | 2014-09-04 | St-Ericsson Sa | A method for software anti-rollback recovery |
US9009492B2 (en) | 2012-02-29 | 2015-04-14 | Cisco Technology, Inc. | Prevention of playback attacks using OTP memory |
WO2015051982A1 (en) * | 2013-10-11 | 2015-04-16 | Continental Automotive Gmbh | Method for updating an operating function of a sensor, and sensor module |
CN108304727A (en) * | 2017-01-12 | 2018-07-20 | 联发科技股份有限公司 | The method and apparatus of data processing |
EP3688574A4 (en) * | 2017-09-26 | 2020-11-11 | Alibaba Group Holding Limited | System version upgrading method and apparatus |
CN113760337A (en) * | 2021-09-14 | 2021-12-07 | 远峰科技股份有限公司 | Upgrading rollback method and upgrading rollback system for FOTA |
US11640288B2 (en) | 2017-09-26 | 2023-05-02 | C-Sky Microsystems Co., Ltd. | System version upgrading method and apparatus |
Families Citing this family (40)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101610499A (en) * | 2009-07-13 | 2009-12-23 | 中兴通讯股份有限公司 | The upgrade method of wireless data card and system |
US8812854B2 (en) * | 2009-10-13 | 2014-08-19 | Google Inc. | Firmware verified boot |
EP2348405A1 (en) * | 2009-12-22 | 2011-07-27 | EchoStar Global B.V. | A method and system for changing software or firmware on an electronic device |
US8543849B2 (en) | 2010-12-06 | 2013-09-24 | Microsoft Corporation | Fast computer startup |
US8788798B2 (en) | 2010-12-06 | 2014-07-22 | Microsoft Corporation | Fast computer startup |
US8683457B1 (en) * | 2011-06-17 | 2014-03-25 | Western Digital Technologies, Inc. | Updating firmware of an electronic device by storing a version identifier in a separate header |
CN102662699A (en) * | 2012-03-27 | 2012-09-12 | 惠州Tcl移动通信有限公司 | Method for updating NFC (Near Field Communication) firmware of mobile terminal and mobile terminal |
US9110761B2 (en) * | 2012-06-27 | 2015-08-18 | Microsoft Technology Licensing, Llc | Resource data structures for firmware updates |
US9235404B2 (en) | 2012-06-27 | 2016-01-12 | Microsoft Technology Licensing, Llc | Firmware update system |
US8972973B2 (en) | 2012-06-27 | 2015-03-03 | Microsoft Technology Licensing, Llc | Firmware update discovery and distribution |
US9189225B2 (en) | 2012-10-16 | 2015-11-17 | Imprivata, Inc. | Secure, non-disruptive firmware updating |
CN103019789B (en) * | 2012-12-17 | 2016-01-20 | 深圳市九洲电器有限公司 | A kind of sign software upgrade method, device and mobile terminal |
US9407642B2 (en) * | 2013-03-13 | 2016-08-02 | Samsung Electronics Co., Ltd. | Application access control method and electronic apparatus implementing the same |
CN103220578B (en) * | 2013-03-26 | 2016-03-09 | 深圳市九洲电器有限公司 | A kind of high safe machine top box and production method, system |
US20140373003A1 (en) * | 2013-06-13 | 2014-12-18 | L'oreal | Appliance-based firmware upgrade system |
US9768957B2 (en) * | 2014-04-23 | 2017-09-19 | Cryptography Research, Inc. | Generation and management of multiple base keys based on a device generated key |
CN104021018A (en) * | 2014-06-06 | 2014-09-03 | 上海卓悠网络科技有限公司 | Terminal, upgrade patch generation method and upgrade patch recognition method |
JP2016025628A (en) * | 2014-07-24 | 2016-02-08 | 株式会社リコー | Information processing system and electronic apparatus |
EP3007094B1 (en) | 2014-10-08 | 2021-05-05 | Nintendo Co., Ltd. | Boot program, information processing apparatus, information processing system, information processing method, semiconductor apparatus, and program |
US9841970B2 (en) * | 2015-01-13 | 2017-12-12 | Ford Global Technologies, Llc | Vehicle control update methods and systems |
CN114157422A (en) | 2015-12-16 | 2022-03-08 | 密码研究公司 | Method, integrated circuit and computer readable medium for generating encryption key |
US10067770B2 (en) | 2015-12-21 | 2018-09-04 | Hewlett-Packard Development Company, L.P. | Platform key hierarchy |
ES2725684T3 (en) | 2016-08-19 | 2019-09-26 | Wegmann Automotive Gmbh | Tire pressure monitoring sensor |
US10754988B2 (en) * | 2016-08-30 | 2020-08-25 | Winbond Electronics Corporation | Anti-rollback version upgrade in secured memory chip |
CN106406939A (en) * | 2016-09-05 | 2017-02-15 | 惠州Tcl移动通信有限公司 | EMMC chip-based mobile terminal rollback prevention method and system |
KR102518881B1 (en) * | 2017-01-09 | 2023-04-05 | 삼성전자주식회사 | Method for operating semiconductor device |
US10069860B1 (en) | 2017-02-14 | 2018-09-04 | International Business Machines Corporation | Protection for computing systems from revoked system updates |
EP3481032B1 (en) * | 2017-11-06 | 2022-11-02 | Netatmo | Regression safe network communication logic for an iot device and method of managing the same |
US10552145B2 (en) * | 2017-12-12 | 2020-02-04 | Cypress Semiconductor Corporation | Memory devices, systems, and methods for updating firmware with single memory device |
US11537389B2 (en) | 2017-12-12 | 2022-12-27 | Infineon Technologies LLC | Memory devices, systems, and methods for updating firmware with single memory device |
US10659054B2 (en) * | 2018-02-23 | 2020-05-19 | Nxp B.V. | Trusted monotonic counter using internal and external non-volatile memory |
WO2020026228A1 (en) * | 2018-08-01 | 2020-02-06 | Vdoo Connected Trust Ltd. | Firmware verification |
CN109508535B (en) * | 2018-10-30 | 2021-07-13 | 百富计算机技术(深圳)有限公司 | Firmware security authentication method and device and payment terminal |
CN109471675B (en) * | 2018-10-30 | 2021-11-19 | 北京无限自在文化传媒股份有限公司 | Method and system for changing hardware |
US11372977B2 (en) * | 2018-11-12 | 2022-06-28 | Thirdwayv, Inc. | Secure over-the-air firmware upgrade |
US10769280B2 (en) * | 2018-12-13 | 2020-09-08 | Silicon Laboratories, Inc. | Side channel attack countermeasures for secure bootloading |
US11216597B2 (en) * | 2020-05-14 | 2022-01-04 | Nuvoton Technology Corporation | Security system and method for preventing rollback attacks on silicon device firmware |
CN111931213A (en) * | 2020-08-20 | 2020-11-13 | Oppo(重庆)智能科技有限公司 | File processing method, device, terminal and storage medium |
US20220382868A1 (en) * | 2021-06-01 | 2022-12-01 | Mellanox Technologies Ltd. | Unidirectional counter |
US20240086170A1 (en) * | 2022-09-09 | 2024-03-14 | Renesas Electronics Corporation | Software update system and software update method |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2004021178A2 (en) * | 2002-08-30 | 2004-03-11 | Koninklijke Philips Electronics N.V. | Version-programmable circuit module |
GB2425193A (en) * | 2005-04-14 | 2006-10-18 | Nec Technologies | Method for updating the software in a processor unit |
GB2430774B (en) * | 2005-10-03 | 2007-08-08 | Nec Technologies | Method of software updating and related device |
Family Cites Families (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5138712A (en) * | 1989-10-02 | 1992-08-11 | Sun Microsystems, Inc. | Apparatus and method for licensing software on a network of computers |
US6006034A (en) * | 1996-09-05 | 1999-12-21 | Open Software Associates, Ltd. | Systems and methods for automatic application version upgrading and maintenance |
US6496978B1 (en) * | 1996-11-29 | 2002-12-17 | Hitachi, Ltd. | Microcomputer control system in which programs can be modified from outside of the system and newer versions of the modified programs are determined and executed |
US6468160B2 (en) * | 1999-04-08 | 2002-10-22 | Nintendo Of America, Inc. | Security system for video game system with hard disk drive and internet access capability |
EP1267579A3 (en) * | 2001-06-11 | 2003-03-19 | Canal+ Technologies Société Anonyme | MPEG table structure |
US7681034B1 (en) * | 2001-12-12 | 2010-03-16 | Chang-Ping Lee | Method and apparatus for securing electronic data |
US7260555B2 (en) * | 2001-12-12 | 2007-08-21 | Guardian Data Storage, Llc | Method and architecture for providing pervasive security to digital assets |
US7440571B2 (en) * | 2002-12-03 | 2008-10-21 | Nagravision S.A. | Method for securing software updates |
US8230084B2 (en) * | 2002-12-17 | 2012-07-24 | Sony Corporation | Network management in a media network environment |
DE10357032A1 (en) * | 2003-06-24 | 2005-01-13 | Bayerische Motoren Werke Ag | Method for reloading software in the boot sector of a programmable read only memory |
GB2404538A (en) * | 2003-07-31 | 2005-02-02 | Sony Uk Ltd | Access control for digital content |
US7603562B2 (en) * | 2005-02-02 | 2009-10-13 | Insyde Software Corporation | System and method for reducing memory requirements of firmware |
US7681031B2 (en) * | 2005-06-28 | 2010-03-16 | Intel Corporation | Method and apparatus to provide authentication code |
US8225096B2 (en) * | 2006-10-27 | 2012-07-17 | International Business Machines Corporation | System, apparatus, method, and program product for authenticating communication partner using electronic certificate containing personal information |
-
2009
- 2009-06-16 AT AT09769151T patent/ATE540371T1/en active
- 2009-06-16 EP EP09769151A patent/EP2294529B1/en not_active Not-in-force
- 2009-06-16 WO PCT/EP2009/057455 patent/WO2009156302A1/en active Application Filing
- 2009-06-16 CN CN2009801286785A patent/CN102105883A/en active Pending
-
2010
- 2010-12-22 US US12/976,857 patent/US8543839B2/en not_active Expired - Fee Related
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2004021178A2 (en) * | 2002-08-30 | 2004-03-11 | Koninklijke Philips Electronics N.V. | Version-programmable circuit module |
GB2425193A (en) * | 2005-04-14 | 2006-10-18 | Nec Technologies | Method for updating the software in a processor unit |
GB2430774B (en) * | 2005-10-03 | 2007-08-08 | Nec Technologies | Method of software updating and related device |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9009492B2 (en) | 2012-02-29 | 2015-04-14 | Cisco Technology, Inc. | Prevention of playback attacks using OTP memory |
FR2991796A1 (en) * | 2012-06-12 | 2013-12-13 | Inside Secure | METHOD OF SAVING DATA OUTSIDE A SECURE MICROCIRCUIT |
WO2013186451A1 (en) * | 2012-06-12 | 2013-12-19 | Inside Secure | Method for backing-up data outside of a secure microcircuit |
CN104380305A (en) * | 2012-06-12 | 2015-02-25 | 英赛瑟库尔公司 | Method for backing-up data outside of a secure microcircuit |
WO2014131652A1 (en) * | 2013-03-01 | 2014-09-04 | St-Ericsson Sa | A method for software anti-rollback recovery |
WO2015051982A1 (en) * | 2013-10-11 | 2015-04-16 | Continental Automotive Gmbh | Method for updating an operating function of a sensor, and sensor module |
US10261778B2 (en) | 2013-10-11 | 2019-04-16 | Continental Automotive Gmbh | Method for updating an operating function of a sensor, and sensor module |
CN108304727A (en) * | 2017-01-12 | 2018-07-20 | 联发科技股份有限公司 | The method and apparatus of data processing |
EP3688574A4 (en) * | 2017-09-26 | 2020-11-11 | Alibaba Group Holding Limited | System version upgrading method and apparatus |
US11640288B2 (en) | 2017-09-26 | 2023-05-02 | C-Sky Microsystems Co., Ltd. | System version upgrading method and apparatus |
CN113760337A (en) * | 2021-09-14 | 2021-12-07 | 远峰科技股份有限公司 | Upgrading rollback method and upgrading rollback system for FOTA |
Also Published As
Publication number | Publication date |
---|---|
US20110208975A1 (en) | 2011-08-25 |
EP2294529A1 (en) | 2011-03-16 |
CN102105883A (en) | 2011-06-22 |
EP2294529B1 (en) | 2012-01-04 |
US8543839B2 (en) | 2013-09-24 |
ATE540371T1 (en) | 2012-01-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2294529B1 (en) | Electronic device and method of software or firmware updating of an electronic device | |
US8510570B2 (en) | System and method for authenticating a gaming device | |
EP1273996B1 (en) | Secure bootloader for securing digital devices | |
CA2606981C (en) | Retrofitting authentication onto firmware | |
EP1785902B1 (en) | Decryption key table access control on ASIC or ASSP | |
US20160154744A1 (en) | Provisioning of secure storage for both static and dynamic rules for cryptographic key information | |
US20120166781A1 (en) | Single security model in booting a computing device | |
JP5734685B2 (en) | Program, method, and storage medium for generating software for checking integrity during execution | |
US20070162964A1 (en) | Embedded system insuring security and integrity, and method of increasing security thereof | |
EP2161671A2 (en) | Device with privileged memory and applications thereof | |
US20150095652A1 (en) | Encryption and decryption processing method, apparatus, and device | |
KR20090007123A (en) | Secure boot method and semiconductor memory system for using the method | |
US9830479B2 (en) | Key storage and revocation in a secure memory system | |
JP5705235B2 (en) | Method and apparatus for storing data | |
EP2095241A2 (en) | Securing a flash memory block in a secure device system and method | |
JP2006216048A (en) | System and method for reducing memory capacity required for firmware and for providing safe update and storage area for firmware | |
EP2051181A1 (en) | Information terminal, security device, data protection method, and data protection program | |
EP2270706B1 (en) | Loading secure code into a memory | |
CN109445705B (en) | Firmware authentication method and solid state disk | |
EP2270707B1 (en) | Loading secure code into a memory | |
CN109814934B (en) | Data processing method, device, readable medium and system | |
US20020169976A1 (en) | Enabling optional system features | |
WO2012126483A1 (en) | Data protection using distributed security key | |
US20230273977A1 (en) | Managing ownership of an electronic device | |
JP2007507020A (en) | Method for reloading software into the boot sector of a programmable read-only memory |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WWE | Wipo information: entry into national phase |
Ref document number: 200980128678.5 Country of ref document: CN |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 09769151 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2009769151 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |