
4.3 Firmware Loading and Device Programming

Firmware loading and device provisioning are mandatory final assembly steps that configure the electronic system for its intended function. This process involves installing the embedded code, setting unique identifiers, and configuring calibration tables. Errors here — loading the wrong revision or failing security verification — result in non-functional products and exposure to security vulnerabilities. Strict revision control, automated verification, and security sequencing are mandatory.

4.3.1 Programming Targets and Transports

The programming method and interface are dictated by the target hardware and the required speed.

A) Targets and Interfaces

The programming process must target all embedded memory types:

  • MCU/SoC Internal Flash: Programmed via SWD/JTAG (fastest and most robust) or UART ISP/USB DFU (requires setting a boot mode).
  • External Flash (SPI/NAND/eMMC): Programmed via the main CPU bootloader or a dedicated in-circuit SPI connection. Power stability is critical for eMMC/NAND.
  • Secure Elements / TPMs: Keys and certificates are provisioned over I²C/SPI (a TPM normally generates its own key pairs on-die, so only certificates and authorization data are injected; many secure elements accept injected keys). The provisioned state must be audited by a tool independent of the programming script, not inferred from the script reporting success.

B) Fixture and Power Integrity Mandates

  • Fixtures: Use a robust bed-of-nails fixture with pogo pins for SWD/JTAG/UART; prefer Tag-Connect pads or edge fingers over loose cables. The fixture must have an interlocked lid and an E-stop.
  • Power: Target power must come from a dedicated programmable PSU with current limiting, not a shared lab supply. Log V/I during flashing and abort the write on a brownout, so a sagging supply cannot leave a unit half-programmed ("bricked").
  • Reset Control: The fixture must hold reset or force BOOT mode under software control (GPIO) so the target is reliably in a known state before erase and write.

4.3.2 Image Management and Security Protocol

The process must ensure the correct code is loaded and permanently secured before the unit leaves the factory.

A) Image Integrity and Control

  • Golden Image Set: The complete image set (bootloader, app, option bytes, partition map, default NVM) must be treated as a single unit. Every set requires a Manifest detailing image hashes, toolchain versions, and signing certificate IDs.
  • Storage Mandate: Images must be stored in a versioned vault. The station must pull the image by SKU/Variant scan (no desktop drag-and-drop) and verify the image hash against the Manifest before programming.
  • Verification: After programming, read the written regions back and compare them bit-for-bit against the image whose hash is recorded in the Manifest. Hash only the image's length, since the remainder of the sector reads back as the erase pattern. This readback must happen before readout protection is enabled; once RDP is set, the station can no longer read flash and a programming error becomes undetectable.

B) Security and Locking Sequence

Security features must be enabled at the correct point in the manufacturing flow.

  1. Program: Load the bootloader and application image(s) and confirm them by readback.
  2. Test Sanity: Run a quick functional smoke test (e.g., LED pattern, USB enumeration). A unit that fails goes to rework and must not proceed to provisioning.
  3. Provision (HSM): Inject unique data (MAC, IMEI, certificates/keys) from an HSM (Hardware Security Module) or secure server. The server marks an ID as used only after the station has verified the write; no duplicates are permitted, and a retry for the same serial number must not consume a second ID.
  4. Lock: Set fuses/OTP, enable secure boot/readout protection (RDP) flags, and disable debug (e.g., JTAG lock) only after all testing and readback verification are complete. Readout protection removes the station's ability to read flash, and the highest lock levels are irreversible, so everything the record needs must be captured first. Confirm the resulting lock state from the device's option/status registers rather than from the write command succeeding.
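The four-step sequence as an added example, not code from the original handbook: each step refuses to run unless its predecessor completed, the secure server stand-in issues an identity to exactly one serial number (a retry gets the same one back, so a crash between reserve and confirm cannot burn or duplicate an ID), and the record is read out before the one-way lock makes readback impossible. The in-memory pool, the MAC values, the serial numbers and the simulated NVM layout are all constructed for illustration.

```python
"""Provision-then-lock sequencing for a programming station.

Added example, not part of the original handbook: enforces the step order
of 4.3.2 B (program, smoke test, provision, lock), issues each identity once,
and captures the unit's record before the one-way lock removes readback.
The HSM/secure server is an in-memory stand-in; MAC values, serial numbers
and the NVM layout are constructed for illustration.
"""
from dataclasses import dataclass, field


class SequenceError(Exception):
    pass


class ProvisioningError(Exception):
    pass


class IdentityPool:
    """Stand-in for the secure server that issues unique identities.

    reserve() binds an ID to one SN and is repeatable, so a station retry for
    the same SN gets the same ID back instead of burning a fresh one;
    confirm() marks it used only once the station has verified the write.
    """

    def __init__(self, macs):
        self._free = list(macs)
        self._reserved = {}      # sn -> mac
        self._confirmed = set()  # macs reported as successfully injected

    def reserve(self, sn):
        if sn in self._reserved:
            return self._reserved[sn]
        if not self._free:
            raise ProvisioningError("identity pool exhausted")
        self._reserved[sn] = self._free.pop(0)
        return self._reserved[sn]

    def confirm(self, sn, mac):
        if self._reserved.get(sn) != mac:
            raise ProvisioningError(f"{mac} was not reserved for {sn}")
        self._confirmed.add(mac)

    def is_used(self, mac):
        return mac in self._confirmed


@dataclass
class Target:
    """Simulated MCU: a few NVM fields plus a one-way debug/readout lock."""
    sn: str
    nvm: dict = field(default_factory=dict)
    locked: bool = False

    def read_nvm(self, key):
        if self.locked:
            raise RuntimeError("readback is disabled once RDP/debug lock is set")
        return self.nvm.get(key)


STEPS = ("program", "smoke_test", "provision", "lock")


class UnitRun:
    """One unit's pass through the station; each step checks its predecessor ran."""

    def __init__(self, pool, image_hashes, target):
        self.pool, self.image_hashes, self.target = pool, image_hashes, target
        self.done = []

    def _require(self, step):
        expected = STEPS[len(self.done)] if len(self.done) < len(STEPS) else None
        if step != expected:
            raise SequenceError(f"{step!r} attempted, expected {expected!r}")

    def program(self):
        self._require("program")
        self.target.nvm["app_sha256"] = self.image_hashes["app"]  # stands in for the flash write
        self.done.append("program")

    def smoke_test(self, led_ok, usb_enumerated):
        self._require("smoke_test")
        if not (led_ok and usb_enumerated):
            raise SequenceError("smoke test failed: unit goes to rework, not to provisioning")
        self.done.append("smoke_test")

    def provision(self):
        self._require("provision")
        mac = self.pool.reserve(self.target.sn)
        self.target.nvm["mac"] = mac
        if self.target.read_nvm("mac") != mac:   # verify the write before consuming the ID
            raise ProvisioningError("MAC readback mismatch")
        self.pool.confirm(self.target.sn, mac)
        self.done.append("provision")
        return mac

    def lock(self):
        self._require("lock")
        # Everything the MES record needs is read before the one-way lock.
        record = {"sn": self.target.sn, "mac": self.target.read_nvm("mac"),
                  "image_hashes": dict(self.image_hashes)}
        self.target.locked = True
        self.done.append("lock")
        record.update(debug_locked=self.target.locked, steps=list(self.done))
        return record
```

The record returned by `lock()` is what gets bound to the SN in the MES: it carries the provisioned MAC, the image hashes and the lock state, and it is assembled while the device can still answer, which is the reason the lock is the last step rather than a convenient early one.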

4.3.3 Throughput, Data, and Audit

Flow design must minimize programming time, and all unique data must be logged for traceability.

A) Capacity and Timing

  • Takt Time: If program time exceeds Takt Time, use gang programmers or two fixtures (ping-pong) to maintain production pace.
  • Cache: Cache large images locally with hash pinning to avoid network jitter, but verification must still occur against the remote manifest.
  • Offline Prep: Pre-program large modules (Wi-Fi/BT) offline when allowed, but a final verification must still be done in the Box Build fixture.

B) Data Separation and Traceability

  • NVM Partitioning: Calibration data and region options must reside in a separate NVM partition from the application image. This prevents field firmware updates from accidentally wiping calibration constants.
  • Required Log Data: The final MES record must be bound to the unit SN and include: Recipe ID, image hashes, provisioned fields (MAC/IMEI), fuse/OTP lock state, and tool IDs/firmware revisions.
  • Labeling: Any labels mirroring electronic identities (MAC/IMEI) must be printed from the MES only after verification.

Final Checklist

| Mandate | Criteria | Verification Action |
|---|---|---|
| Code Integrity | Programmer uses the latest Golden Image; checksum verified before and after write. | Log confirms 100% verify pass (bit-for-bit readback). |
| Security Sequence | Debug lock/RDP set after functional test; fuses set per recipe. | Audit confirms security state is correct (e.g., JTAG disabled). |
| Provisioning | Unique IDs (MAC/IMEI) are non-duplicated, injected from a secure source. | MES blocks reuse of IDs and records provisioned fields against the SN. |
| Power Integrity | Dedicated programmable PSU used; V/I logged during flash. | Tool script controls reset/boot mode to prevent soft-bricking. |
| Fixturing | Bed-of-nails or Tag-Connect pads used; ESD discipline maintained at the cell. | Fixture guides and strain relief are present for cabled connectors. |
| NVM Partitioning | Calibration data separated from the application code. | Prevents field updates from erasing essential calibration constants. |