Modern ecosystem for secure firmware updates in embedded systems

The project consists of three integrated applications forming a complete secure firmware distribution pipeline for embedded devices.

The ecosystem was designed to provide a lightweight and practical secure boot solution for resource-constrained microcontrollers.

One of the primary goals was minimizing bootloader size while still providing a reasonable level of firmware protection.

The security model was intentionally simplified to keep the implementation lightweight and portable even for small MCU platforms.

The ecosystem was designed with a focus on:

  • 🔒 firmware protection
  • ⚡ fast firmware updates
  • 🧩 modular architecture
  • 🤖 automation workflows
  • 🌍 full cross-platform support
  • 🏭 easy production and CI/CD integration

🧱 Ecosystem Architecture

┌─────────────────┐
│   Firmware BIN  │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│   EncryptBIN    │
│ Encrypt package │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│  SecureLoader   │
│ Upload utility  │
└────────┬────────┘
         │ UART / Serial
         ▼
┌─────────────────┐
│SECURE_BOOTLOADER│
│ Secure boot     │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│   Application   │
└─────────────────┘

🔐 SECURE_BOOTLOADER

Lightweight and modular MCU bootloader

The primary goal of the project was to create the smallest possible bootloader that still provides a reasonable level of firmware protection while maintaining minimal Flash/RAM footprint and simple integration.

SECURE_BOOTLOADER is responsible for secure firmware reception and application startup in embedded systems.

The project was designed with strong modularity in mind — hardware-specific code is fully separated from the bootloader core logic, making it easy to port the project to new MCU families.

The project intentionally uses a relatively simple security model based on AES-128 encryption and firmware validation, allowing it to run even on resource-constrained microcontrollers.

For commercial products or high-security environments it is recommended to additionally consider:

  • firmware signing
  • stronger authentication mechanisms
  • secure key storage
  • more advanced cryptographic algorithms
  • full secure boot chain implementation
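To make the distinction above concrete: the bootloader's CRC-based firmware validation detects accidental corruption, but a CRC can be recomputed by anyone, so it says nothing about who produced the package; that is the gap firmware signing closes. The following is an added Python example, not the project's code: the package layout, field names and the use of an HMAC-SHA256 tag as a stand-in for a real signature (a product would use an asymmetric signature so the device holds no key capable of producing packages) are all assumptions.

```python
import hashlib
import hmac
import struct
import zlib

# Assumed package layout (constructed for this example, not the project's format):
#   magic(4) | image_len(4, little-endian) | crc32(4) | tag(32) | image
MAGIC = b"SBL1"
HEADER = struct.Struct("<4sII32s")


def build_package(image: bytes, auth_key: bytes) -> bytes:
    """Producer side: CRC32 over the image plus a keyed tag that covers every
    field the bootloader acts on (magic, length, CRC and the image itself)."""
    crc = zlib.crc32(image) & 0xFFFFFFFF
    authed = MAGIC + struct.pack("<II", len(image), crc) + image
    tag = hmac.new(auth_key, authed, hashlib.sha256).digest()
    return HEADER.pack(MAGIC, len(image), crc, tag) + image


def validate_crc_only(package: bytes) -> bool:
    """The lightweight model from the text: integrity against corruption only."""
    if len(package) < HEADER.size:
        return False
    magic, image_len, crc, _tag = HEADER.unpack_from(package)
    image = package[HEADER.size:]
    if magic != MAGIC or len(image) != image_len:
        return False
    return (zlib.crc32(image) & 0xFFFFFFFF) == crc


def validate_authenticated(package: bytes, auth_key: bytes) -> bool:
    """Hardened model: the CRC check plus a keyed tag, so only a producer that
    holds the key can create a package the bootloader will accept."""
    if not validate_crc_only(package):
        return False
    magic, image_len, crc, tag = HEADER.unpack_from(package)
    authed = magic + struct.pack("<II", image_len, crc) + package[HEADER.size:]
    expected = hmac.new(auth_key, authed, hashlib.sha256).digest()
    # Constant-time comparison so the check leaks nothing about the expected tag.
    return hmac.compare_digest(tag, expected)
```

A package built with a different key has a perfectly valid CRC and is still rejected by the authenticated check, which is exactly the property the CRC alone cannot give.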

✨ Key features

  • 🔐 AES-128 firmware encryption
  • ⚡ hardware CRC support when MCU provides CRC peripheral
  • 🧩 separated hardware abstraction layer
  • 🌍 cross-platform architecture
  • 🚀 fast startup
  • 📦 UART firmware updates
  • 🛡️ firmware validation
  • ⚙️ multiple hardware configurations support
  • 🧠 optimized Flash and RAM usage

🧱 Currently implemented platforms

  • STM32G07x
  • STM32G474
  • ATmega328

The repository also includes ready-to-use templates for adding new MCU families and hardware configurations.

Thanks to the separated hardware abstraction layer, porting the bootloader to new targets mainly requires implementing the low-level hardware layer.

🚀 SecureLoader

Cross-platform firmware upload utility

SecureLoader handles communication with the bootloader and transfers firmware packages to the target device.

The application was designed both for end users and production environments.

✨ Key features

  • 🌍 full cross-platform support
  • 🖥️ GUI + CLI
  • 🤖 full automation through CLI
  • 📡 UART/Serial communication
  • 📦 encrypted firmware package support
  • ⚡ fast data transfer
  • 🧾 update process logging
  • 🔍 automatic device detection

🤖 Automation-first approach

CLI mode allows seamless integration with:

  • CI/CD pipelines
  • production lines
  • automated testing systems
  • device provisioning workflows
  • deployment scripts

GUI mode provides a convenient interface for manual firmware updates during development and maintenance.

🔑 EncryptBIN

Secure firmware package generator

EncryptBIN is responsible for generating encrypted...
