Skip to main content

4.3 Firmware Loading & Device Programming

Tools, fixtures, and version tracking.

Firmware loading is the moment a bare build becomes that product—code plus identity, applied once and proven. It blends programming (images to MCU/SoC—microcontroller/system-on-chip) with provisioning (SN, MAC, keys) and locks it to the unit through MES (manufacturing execution system) records. Security isn’t an afterthought: keys come from an HSM (hardware security module), and fuses/OTP (one-time programmable settings) set the trust chain so updates and field service start from a known state. Order matters: program, sanity-test, provision, then lock—so speed never outruns traceability. Done well, the station becomes a quiet source of truth: right bits, right identity, right serial.

4.3.1 Purpose (in one line)

Put the right bits and the right identity into the unit—once, verifiably, and tied to the serial number.



4.3.2 What you’re actually doing

  • Programming: bootloader/app images into MCU/SoC internal flash, SPI/QSPI/NAND/NVMe/eMMC, CPLD/FPGA config, PMIC tables.
  • Provisioning: unique data—SN, MAC/IMEI, certificates/keys, region features, calibration constants.
  • Lifecycle steps: enable secure boot, burn fuses/OTP, and (later) lock debug—in the right order.


4.3.3 Transports & targets (cheat sheet)

Target

Common interface

Notes

MCU (ARM, etc.)

SWD/JTAG, UART ISP, USB DFU

SWD/JTAG fastest & robust; UART/DFU needs boot mode

External flash (SPI/QSPI)

Board CPU via bootloader or in-circuit SPI

Prefer via CPU to respect ECC/bad-block mgmt

eMMC/NAND/NVMe

USB/UART boot, bed-of-nails to CPU

Power stable, watch partition tables

FPGA/CPLD

JTAG, SPI flash behind it

Verify DONE/INIT pins post-program

Secure element/TPM

I²C/SPI with tool

Keys only from HSM; audit every inject


4.3.4 Fixtures that make success boring

  • Bed-of-nails with pogo for SWD/JTAG/UART/USB; prefer Tag-Connect pads or edge fingers over loose cables.
  • Interlocked lid, E-stop; target power from a clean supply (no shared lab bricks).
  • Guides & strain relief for any cabled connectors (no dangling USB-C).
  • ESD discipline: mat/strap; ionizer for films.
  • Power sense & reset lines under software control (hold in BOOT/ROM reliably).


4.3.5 Image management (one truth)

  • Golden image set = bootloader + app + option bytes/efuses + partition map + default NVM.
  • Every set has a Manifest: product PN/Rev, image hashes, toolchain versions, expected anti-rollback number, and signing cert ID.
  • Store in a versioned vault; station pulls by SKU/Variant scan (no drag-and-drop from desktop).
  • Hash verify before program and readback verify after (full or sampled per policy).


4.3.6 Security & keys (do it right the first time)

  • Keys, certs, IMEI/MAC blocks live in an HSM or secure server, not in the fixture PC.
  • Just-in-time provisioning: unit asks the server for one identity; server marks it used on success.
  • No duplicates: station blocks reuse; MES alarms on collision.
  • Lock sequence:
    1. Program bootloader/app.
    2. Run functional test sanity.
    3. Inject keys/IDs.
    4. Enable secure boot / readout protection.
    5. Disable debug (or move to restricted RMA mode) after all tests that need it.


4.3.7 Programming flow (station playbook)

  1. Scan unit SN / SKU / Variant → station fetches the right recipe (images + limits).
  2. Fixture clamps; ESD check; target power ON; force BOOT mode (strap/jumper/GPIO).
  3. Erase target region(s); program image(s); verify hash/readback.
  4. Provision: write SN/MAC/certs/region flags/cal constants; read back to confirm.
  5. Lifecycle: set fuses/OTP, secure-boot flags; lock debug if flow allows.
  6. Reboot to app; quick smoke test (USB enumerate, LED pattern, console ID).
  7. Record: push versions, hashes, fuses state, and IDs to MES bound to SN.
  8. Label: print any labels that mirror identities (MAC/IMEI) from MES only.


4.3.8 Timing & capacity (meet takt)

  • Use gang programmers or two fixtures (ping-pong) if program time > takt.
  • Pre-program modules (e.g., Wi-Fi/BT modules) offline when allowed; verify again in final box.
  • Cache large images locally with hash pinning to avoid network jitter; still verify against manifest.



4.3.9 Power integrity (no brownouts, no bricks)

  • Dedicated programmable PSU with current limit; log V/I during flash.
  • Hold reset during attach; release per tool script.
  • Don’t hot-plug debug headers not designed for it; use series resistors and keyed cables to avoid latch-up.



4.3.10 Calibration & regions (keep them separate)

  • Put calibration data and region options in a separate NVM partition so field updates don’t erase them.
  • Version cal tables; attach ambient temp to cal if relevant.
  • Region flags should match label kit and safety test selection.



4.3.11 Data to record (minimum that saves you later)

Attach to SN:

  • Recipe ID, image hashes, tool versions, programmer FW rev.
  • Provisioned fields: MAC/IMEI/SN, cert thumbprints, region flags.
  • Fuse/OTP map: RDP level, secure-boot, JTAG lock state.
  • Timestamps, operator, fixture ID, V/I trace during program.
  • Any retries and exact step of failure.

4.3.12 Acceptance cues (fast eyes)

Area

Accept

Reject

Attach/Mode

Target enters BOOT cleanly

Random connect/disconnect, mode not latched

Program/Verify

100% verify pass (hash/readback)

Verify mismatch, partial erase

Provision

IDs unique, readback match

Duplicate MAC/IMEI, blank fields

Security

Fuses set per recipe; debug state correct

Debug left open, wrong RDP/secure-boot

Reboot

Unit boots app, quick smoke OK

Boot loop, no USB/console


4.3.13 Common traps → smallest reliable fix

Trap

Symptom

Fix

Desktop drag-and-drop images

Wrong build on line

Scan-to-fetch from vault; manifest & hash check

Programming before power sanity

Bricked units

Current-limited PSU; verify V rails before erase

Locking too early

Can’t finish tests

Move debug lock to after FCT; use temp factory mode

Duplicated IDs

Network/field chaos

HSM-backed allocator; MES block on reuse; print from MES

“Verify skipped for speed”

Silent corruption

Keep readback/hash; speed with gang/ping-pong

Cal mixed with app

Field update wipes cal

Separate NVM partition; protect in updater

Loose pogo contacts

Flaky connect, retries

Pin maintenance counters; clean, replace, or add guide posts



4.3.14 Pocket checklists

Before

  • Scan SKU/Variant/SN → recipe pulled; images hashed OK
  • Fixture closed; ESD OK; target power stable; boot strap set
  • HSM/key service reachable; label printer tied to MES

Run

  • Erase → Program → Verify pass
  • Provision IDs/keys → Readback match
  • Set fuses/OTP as recipe; debug state per plan
  • Reboot to app; smoke test green

After

  • Results (hashes, IDs, fuses) to MES by SN
  • Labels (MAC/IMEI/etc.) printed from MES, applied per map
  • Any fail to NG-QUAR with exact step noted



Bottom line: fetch the right bits by scan, program with clean power and readback verify, inject unique identities from an HSM, and only then lock the device. Tie every detail to the serial number. Do that, and programming becomes a quiet, traceable step—not a reason for RMAs.

Back to top