4.3 Firmware Loading and Device Programming

Firmware loading isand wheredevice hardwareprovisioning gainsare mandatory final assembly steps that configure the electronic system for its trueintended identity, transforming from a blank assembly into a functional, trusted device.function. This stageprocess notinvolves onlyinstalling installsthe applicationembedded codecode, but also provisions each unit withsetting unique credentials, secure keys,identifiers, and configurationconfiguring datacalibration thattables. defineErrors howhere it— behavesloading the wrong revision or failing security verification — result in thenon-functional field. By combining controlled programming flows, guarded fixtures,products and HSM-backedexposure provisioning, the process ensures every unit boots with the right software, the rightto security posture,vulnerabilities. Strict revision control, automated verification, and asecurity traceable lineage. Order and disciplinesequencing are crucial—when images, identities, and fuses are applied in sequence, the result is a reliable product foundation that resists both errors and tampering.mandatory.

4.3.1 PurposeProgramming (inTargets oneand line)Transports

~~Put~~The programming method and interface are dictated by the target hardware and the required speed.

A) Targets and Interfaces

The programming process must target all embedded memory types:

MCU/SoC Internal Flash: Programmed via ~~right~~SWD/JTAG ~~bits~~(fastest and most robust) or UART ISP/USB DFU (requires setting a boot mode).
External Flash (SPI/NAND/eMMC): Programmed via the main CPU bootloader or a dedicated in-circuit SPI connection. Power stability is critical for eMMC/NAND.
Secure Elements (TPM): Keys are injected via I²C/SPI and ~~the~~must be audited by an external tool.~~right~~

~~identity~~

B) into the unit—once, verifiably,Fixture and tiedPower toIntegrity the serial number.

4.3.2 What you’re actually doing

Mandates

~~Programming:~~Fixtures: ~~bootloader/app~~Use ~~images into~~ ~~MCU/SoC internal flash~~, ~~SPI/QSPI/NAND/NVMe/eMMC~~, ~~CPLD/FPGA~~ ~~config,~~ ~~PMIC~~ ~~tables.~~
~~Provisioning:~~ ~~unique data—~~~~SN, MAC/IMEI, certificates/keys, region features~~, ~~calibration constants~~.
~~Lifecycle steps:~~ ~~enable~~ ~~secure boot~~~~, burn~~ ~~fuses/OTP~~~~, and (later)~~ ~~lock debug~~~~—in the right order.~~

4.3.3 Transports & targets (cheat sheet)

~~Target~~	~~Common interface~~	~~Notes~~
~~MCU (ARM, etc.)~~	~~SWD/JTAG~~, ~~UART ISP~~, ~~USB DFU~~	~~SWD/JTAG fastest & robust; UART/DFU needs boot mode~~
~~External flash (SPI/QSPI)~~	~~Board CPU via bootloader~~ or ~~in-circuit SPI~~	~~Prefer via CPU to respect ECC/bad-block mgmt~~
~~eMMC/NAND/NVMe~~	~~USB/UART boot~~,robust bed-of-nails towith ~~CPU~~	~~Power~~pogo ~~stable, watch partition tables~~
~~FPGA/CPLD~~	~~JTAG~~pins, ~~SPI flash behind it~~	~~Verify DONE/INIT pins post-program~~
~~Secure element/TPM~~	~~I²C/SPI~~ ~~with tool~~	~~Keys only from HSM; audit every inject~~

4.3.4 Fixtures that make success boring

~~Bed-of-nails~~ ~~with~~ ~~pogo~~ for SWD/JTAG/~~UART/USB~~;UART ~~prefer~~and preferred Tag-Connect pads or edge fingers over loose cables. The fixture must have an interlocked lid and E-stop.
~~Interlocked lid~~Power:, ~~E-stop;~~ ~~target~~Target power must come from a ~~clean~~dedicated ~~supply~~programmable ~~(no~~PSU with current limiting, not shared lab ~~bricks).~~supplies. Log V/I during flash to prevent units from being "bricked" by brownouts.
~~Guides~~Reset ~~& strain relief~~Control: ~~for~~The ~~any~~fixture ~~cabled~~must ~~connectors~~hold ~~(no dangling USB-C).~~
~~ESD discipline~~~~: mat/strap; ionizer for films.~~
~~Power sense &~~ reset ~~lines~~or ~~under~~force BOOT mode via software control (~~hold~~GPIO) into ~~BOOT/ROM~~reliably ~~reliably).~~prepare the target for erasing and writing.

4.3.52 Image managementManagement (oneand truth)Security Protocol

The process must ensure the correct code is loaded and permanently secured before the unit leaves the factory.

A) Image Integrity and Control

Golden ~~image~~Image Set: The complete image set =(bootloader, ~~bootloader + app +~~app, option ~~bytes/efuses +~~bytes, partition ~~map +~~map, default ~~NVM.~~
NVM) must be treated as a single unit. Every set ~~has~~requires a Manifest: ~~product~~detailing ~~PN/Rev,~~ image ~~hashes~~,hashes, toolchain versions, ~~expected~~and signing certificate IDs.
~~anti-rollback~~Storage Mandate: ~~number,~~Images ~~and~~must ~~signing~~be ~~cert ID~~.
~~Store~~stored in a versioned vault;. The station ~~pulls~~must pull the image by SKU/Variant scan (no desktop drag-and-~~drop~~drop) ~~from~~and ~~desktop).~~verify the image hash against the Manifest before programming.
~~Hash verify before program~~Verification: ~~and~~After programming, a readback ~~verify after~~verification (full or ~~sampled~~sampled) ~~per~~must ~~policy).~~be performed to confirm the loaded data matches the manifest hash.

~~4.3.6~~
B) Security &and ~~keys~~Locking ~~(do~~Sequence
it
Security ~~right~~features must be enabled at the ~~first~~correct ~~time)~~

~~Keys, certs, IMEI/MAC blocks live~~point in the manufacturing flow.

Program: Load bootloader and application image(s).
Test Sanity: Run a quick functional smoke test (e.g., LED pattern, USB enumerate).
Provision (HSM): Inject unique data (MAC, IMEI, certificates/keys) from an HSM (Hardware Security Module) or secure server. The server, ~~not~~must inmark the ~~fixture~~ID ~~PC.~~as used upon successful injection (
~~Just-in-time~~ ~~provisioning: unit asks the server for~~ ~~one~~ ~~identity; server marks it~~ ~~used~~ ~~on success.~~
No duplicates: ~~station~~are ~~blocks reuse; MES alarms on collision.~~permitted).
~~Lock sequence~~:
~~Program bootloader/app.~~
~~Run~~ ~~functional test~~Lock: ~~sanity.~~
~~Inject~~Set ~~keys/IDs.~~
~~Enable~~fuses/OTP, enable secure ~~boot /~~ boot/readout protection (RDP). flags, and
~~Disable~~disable debug (ore.g., ~~move~~JTAG ~~to restricted RMA mode)~~lock) after all ~~tests~~testing ~~that~~is ~~need it.~~complete.

4.3.3 Throughput, Data, and Audit

Flow design must minimize programming time, and all unique data must be logged for traceability.

~~4.3.7~~
A) ~~Programming~~Capacity ~~flow~~and ~~(station~~Timing
~~playbook)~~

~~Scan~~Takt Time: ~~unit~~If SNprogram /time ~~SKU~~exceeds /Takt ~~Variant~~Time, ~~→ station fetches the right~~ ~~recipe~~ ~~(images + limits).~~
~~Fixture clamps~~~~; ESD check; target power~~ ON~~; force~~ ~~BOOT mode~~ ~~(strap/jumper/GPIO).~~
~~Erase~~ ~~target region(s);~~ ~~program~~ ~~image(s);~~ ~~verify~~ ~~hash/readback.~~
~~Provision~~~~: write SN/MAC/certs/region flags/cal constants;~~ ~~read back~~ ~~to confirm.~~
~~Lifecycle~~~~: set fuses/OTP, secure-boot flags;~~ ~~lock~~ ~~debug if flow allows.~~
~~Reboot~~ ~~to app; quick~~ ~~smoke test~~ ~~(USB enumerate, LED pattern, console ID).~~
~~Record~~~~: push versions, hashes, fuses state, and IDs to~~ ~~MES bound to SN~~.
~~Label~~~~: print any labels that mirror identities (MAC/IMEI) from MES only.~~

~~4.3.8 Timing & capacity (meet takt)~~

~~Use~~use gang programmers or two fixtures (ping-pong) to maintain production pace.
Cache: ~~if program time > takt.~~
~~Pre-program~~ ~~modules~~ ~~(e.g., Wi-Fi/BT modules) offline when allowed; verify again in final box.~~
Cache large images locally with hash pinning to avoid network ~~jitter;~~jitter, but verification must still ~~verify~~occur against the remote manifest.

~~4.3.9 Power integrity (no brownouts, no bricks)~~

~~Dedicated~~ ~~programmable PSU~~ ~~with current limit; log V/I during flash.~~
~~Hold~~Offline ~~reset~~Prep: ~~during~~Pre-program ~~attach;~~large ~~release~~modules ~~per~~(Wi-Fi/BT) ~~tool~~offline ~~script.~~
~~Don’t~~when ~~hot-plug~~allowed, ~~debug~~but ~~headers not designed for it; use~~a ~~series~~final ~~resistors~~verification must still be done in the Box Build fixture.

B) Data Separation and Traceability

~~keyed~~NVM ~~cables~~Partitioning: ~~to avoid latch-up.~~

~~4.3.10~~ Calibration ~~& regions (keep them separate)~~

~~Put~~ ~~calibration~~ data and region options must reside in a separate NVM partition sofrom the application image. This prevents field firmware updates ~~don’t~~from ~~erase~~accidentally ~~them.~~wiping calibration constants.
Required Log Data:~~Version~~ ~~cal~~The ~~tables;~~final ~~attach~~MES record must be bound to the unit SN and include: ~~ambient temp~~ ~~to cal if relevant.~~
~~Region flags should match~~ ~~label kit~~ ~~and~~ ~~safety test~~ ~~selection.~~

~~4.3.11 Data to record (minimum that saves you later)~~

~~Attach to~~ SN:

Recipe ~~ID,~~ ~~image hashes~~ID, ~~tool~~image ~~versions,~~hashes, ~~programmer~~provisioned FWfields ~~rev.~~
~~Provisioned fields:~~(MAC/IMEI), ~~MAC/IMEI/SN~~fuse/OTP lock state, ~~cert~~and ~~thumbprints,~~tool ~~region~~IDs/firmware ~~flags.~~revisions.
~~Fuse/OTP~~Labeling: ~~map:~~Any ~~RDP~~labels ~~level,~~mirroring ~~secure-boot,~~electronic ~~JTAG~~identities ~~lock~~(MAC/IMEI) ~~state.~~
~~Timestamps~~,must ~~operator,~~be ~~fixture~~printed ~~ID,~~from the ~~V/I~~MES ~~trace~~only ~~during~~after ~~program.~~verification.
~~Any~~ ~~retries~~ ~~and exact step of failure.~~

Final
~~4.3.12 Acceptance cues (fast eyes)~~Checklist

~~Area~~Mandate
~~Accept~~Criteria
~~Reject~~Verification Action
Code Integrity
~~Attach/Mode~~Programmer uses the latest Golden Image; checksum verified before and after write.
~~Target~~Log ~~enters~~confirms ~~BOOT~~100% ~~cleanly~~
~~Random~~verify ~~connect/disconnect,~~pass ~~mode~~(bit-for-bit ~~not latched~~readback).
Security Sequence
~~Program/Verify~~Debug lock/RDP set after functional test; fuses set per recipe.
~~100%~~Audit ~~verify~~confirms ~~pass~~security state is correct (~~hash/readback)~~
~~Verify~~e.g., ~~mismatch,~~JTAG ~~partial erase~~disabled).
Provisioning
~~Provision~~Unique IDs (MAC/IMEI) are non-duplicated, injected from a secure source.
MES blocks reuse of IDs ~~unique,~~and ~~readback~~records ~~match~~
~~Duplicate MAC/IMEI, blank~~provisioned fields against the SN.
Power Integrity
~~Security~~Dedicated programmable PSU used; V/I logged during flash.
~~Fuses~~Tool ~~set~~script ~~per~~controls ~~recipe;~~reset/boot ~~debug~~mode ~~state~~to ~~correct~~
~~Debug~~prevent ~~left open, wrong RDP/secure-boot~~soft-bricking.
Fixturing
~~Reboot~~Bed-of-nails or Tag-Connect pads used; ESD discipline maintained at the cell.
~~Unit~~Fixture ~~boots~~guides ~~app,~~and ~~quick~~strain ~~smoke~~relief OKare present for cabled connectors.
NVM Partitioning
Calibration data separated from the application code.
~~Boot~~Prevents ~~loop,~~field noupdates ~~USB/console~~from erasing essential calibration constants.

~~4.3.13 Common traps → smallest reliable fix~~

~~Trap~~
~~Symptom~~
~~Fix~~
~~Desktop drag-and-drop images~~
~~Wrong build on line~~
~~Scan-to-fetch~~ ~~from vault; manifest & hash check~~
~~Programming before power sanity~~
~~Bricked units~~
~~Current-limited PSU; verify V rails before erase~~
~~Locking too early~~
~~Can’t finish tests~~
~~Move~~ ~~debug lock~~ ~~to after FCT; use temp factory mode~~
~~Duplicated IDs~~
~~Network/field chaos~~
~~HSM-backed allocator; MES block on reuse; print from MES~~
~~“Verify skipped for speed”~~
~~Silent corruption~~
~~Keep~~ ~~readback/hash~~~~; speed with gang/ping-pong~~
~~Cal mixed with app~~
~~Field update wipes cal~~
~~Separate NVM~~ ~~partition; protect in updater~~
~~Loose pogo contacts~~
~~Flaky connect, retries~~
~~Pin maintenance counters; clean, replace, or add guide posts~~

~~4.3.14 Pocket checklists~~

~~Before~~

~~Scan SKU/Variant/SN →~~ ~~recipe pulled~~~~; images hashed OK~~
~~Fixture closed; ESD OK; target power stable; boot strap set~~
~~HSM/key service reachable; label printer tied to MES~~

~~Run~~

~~Erase → Program →~~ ~~Verify~~ ~~pass~~
~~Provision IDs/keys →~~ ~~Readback~~ ~~match~~
~~Set fuses/OTP as recipe;~~ ~~debug state per plan~~
~~Reboot to app; smoke test green~~

~~After~~

~~Results (hashes, IDs, fuses)~~ ~~to MES by SN~~
~~Labels (MAC/IMEI/etc.) printed from MES, applied per map~~
~~Any fail to~~ ~~NG-QUAR~~ ~~with exact step noted~~

When handled with this rigor, firmware programming becomes a stable and invisible cornerstone of manufacturing—quietly ensuring that every shipped device is consistent, secure, and trusted from the very first boot.

4.3 Firmware Loading and Device Programming

4.3.1 PurposeProgramming (inTargets oneand line)Transports

A) Targets and Interfaces

B) into the unit—once, verifiably,Fixture and tiedPower toIntegrity the serial number.

4.3.2 What you’re actually doing

4.3.3 Transports & targets (cheat sheet)

4.3.4 Fixtures that make success boring

4.3.52 Image managementManagement (oneand truth)Security Protocol

A) Image Integrity and Control

4.3.6
B) Security &and keysLocking (doSequence
it
Security rightfeatures must be enabled at the firstcorrect time)

B) Security &and keysLocking (doSequence

4.3.3 Throughput, Data, and Audit

4.3.7
A) ProgrammingCapacity flowand (stationTiming
playbook)

A) ProgrammingCapacity flowand (stationTiming

4.3.8 Timing & capacity (meet takt)

4.3.9 Power integrity (no brownouts, no bricks)

B) Data Separation and Traceability

4.3.10 Calibration & regions (keep them separate)

4.3.11 Data to record (minimum that saves you later)

Final

4.3.12 Acceptance cues (fast eyes)Checklist

4.3.13 Common traps → smallest reliable fix

4.3.14 Pocket checklists

When handled with this rigor, firmware programming becomes a stable and invisible cornerstone of manufacturing—quietly ensuring that every shipped device is consistent, secure, and trusted from the very first boot.

~~Area~~Mandate	~~Accept~~Criteria	~~Reject~~Verification Action
Code Integrity	~~Attach/Mode~~Programmer uses the latest Golden Image; checksum verified before and after write.	~~Target~~Log ~~enters~~confirms ~~BOOT~~100% ~~cleanly~~	~~Random~~verify ~~connect/disconnect,~~pass ~~mode~~(bit-for-bit ~~not latched~~readback).
Security Sequence	~~Program/Verify~~Debug lock/RDP set after functional test; fuses set per recipe.	~~100%~~Audit ~~verify~~confirms ~~pass~~security state is correct (~~hash/readback)~~	~~Verify~~e.g., ~~mismatch,~~JTAG ~~partial erase~~disabled).
Provisioning	~~Provision~~Unique IDs (MAC/IMEI) are non-duplicated, injected from a secure source.	MES blocks reuse of IDs ~~unique,~~and ~~readback~~records ~~match~~	~~Duplicate MAC/IMEI, blank~~provisioned fields against the SN.
Power Integrity	~~Security~~Dedicated programmable PSU used; V/I logged during flash.	~~Fuses~~Tool ~~set~~script ~~per~~controls ~~recipe;~~reset/boot ~~debug~~mode ~~state~~to ~~correct~~	~~Debug~~prevent ~~left open, wrong RDP/secure-boot~~soft-bricking.
Fixturing	~~Reboot~~Bed-of-nails or Tag-Connect pads used; ESD discipline maintained at the cell.	~~Unit~~Fixture ~~boots~~guides ~~app,~~and ~~quick~~strain ~~smoke~~relief OKare present for cabled connectors.
NVM Partitioning	Calibration data separated from the application code.	~~Boot~~Prevents ~~loop,~~field noupdates ~~USB/console~~from erasing essential calibration constants.

~~Trap~~	~~Symptom~~	~~Fix~~
~~Desktop drag-and-drop images~~	~~Wrong build on line~~	~~Scan-to-fetch~~ ~~from vault; manifest & hash check~~
~~Programming before power sanity~~	~~Bricked units~~	~~Current-limited PSU; verify V rails before erase~~
~~Locking too early~~	~~Can’t finish tests~~	~~Move~~ ~~debug lock~~ ~~to after FCT; use temp factory mode~~
~~Duplicated IDs~~	~~Network/field chaos~~	~~HSM-backed allocator; MES block on reuse; print from MES~~
~~“Verify skipped for speed”~~	~~Silent corruption~~	~~Keep~~ ~~readback/hash~~~~; speed with gang/ping-pong~~
~~Cal mixed with app~~	~~Field update wipes cal~~	~~Separate NVM~~ ~~partition; protect in updater~~
~~Loose pogo contacts~~	~~Flaky connect, retries~~	~~Pin maintenance counters; clean, replace, or add guide posts~~

4.3 Firmware Loading and Device Programming

4.3.1 PurposeProgramming (inTargets oneand line)Transports

A) Targets and Interfaces

B) into the unit—once, verifiably,Fixture and tiedPower toIntegrity the serial number.

4.3.2 What you’re actually doing

4.3.3 Transports & targets (cheat sheet)

4.3.4 Fixtures that make success boring

4.3.52 Image managementManagement (oneand truth)Security Protocol

A) Image Integrity and Control

4.3.6B) Security &and keysLocking (doSequence itSecurity rightfeatures must be enabled at the firstcorrect time)

B) Security &and keysLocking (doSequence

4.3.3 Throughput, Data, and Audit

4.3.7A) ProgrammingCapacity flowand (stationTiming playbook)

A) ProgrammingCapacity flowand (stationTiming

4.3.8 Timing & capacity (meet takt)

4.3.9 Power integrity (no brownouts, no bricks)

B) Data Separation and Traceability

4.3.10 Calibration & regions (keep them separate)

4.3.11 Data to record (minimum that saves you later)

Final

4.3.12 Acceptance cues (fast eyes)Checklist

4.3.13 Common traps → smallest reliable fix

4.3.14 Pocket checklists

When handled with this rigor, firmware programming becomes a stable and invisible cornerstone of manufacturing—quietly ensuring that every shipped device is consistent, secure, and trusted from the very first boot.

4.3.6
B) Security &and keysLocking (doSequence
it
Security rightfeatures must be enabled at the firstcorrect time)

4.3.7
A) ProgrammingCapacity flowand (stationTiming
playbook)