[FAQ] AM2432: Implementing Firmware Update Over Ethernet (ENETFOTA) on AM64X/AM243X

Part Number: AM2432
Other Parts Discussed in Thread: UNIFLASH

The ENETFOTA example demonstrates how Ethernet can be used to transfer a new application image from a host PC to an AM243x/AM64x device that is currently running an older application image. After the new application image is received successfully over Ethernet, the ENETFOTA example performs authentication of the image before programming it into the device’s flash memory.

Once authentication is completed successfully, an update status flag is set in non-volatile memory. During the subsequent warm software reset, the Secondary Bootloader (SBL) checks this flag and loads the appropriate application image accordingly.
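The update status flag described above, as an added example in C that is not part of the ENETFOTA example or the MCU+ SDK: the record layout, the names fota_flag_t, fota_flag_mark_ready and sbl_select_image, and the magic values are all hypothetical. It shows an SBL-side check that falls back to the current image when the flag area is erased, torn by a power loss, or describes an image that does not fit the slot.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical flag record kept in non-volatile memory (not the SDK's layout). */
#define FOTA_MAGIC        0x41544F46u
#define FOTA_UPDATE_READY 0x5AA5C33Cu  /* written only after authentication passed */

typedef struct {
    uint32_t magic;
    uint32_t state;
    uint32_t image_size;
    uint32_t crc;          /* CRC-32 over the three fields above */
} fota_flag_t;

typedef enum { BOOT_CURRENT_IMAGE = 0, BOOT_NEW_IMAGE = 1 } boot_choice_t;

static uint32_t crc32_calc(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int i = 0; i < 8; i++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Application side: call only after the received image authenticated successfully. */
void fota_flag_mark_ready(fota_flag_t *f, uint32_t image_size)
{
    f->magic = FOTA_MAGIC;
    f->state = FOTA_UPDATE_READY;
    f->image_size = image_size;
    f->crc = crc32_calc((const uint8_t *)f, offsetof(fota_flag_t, crc));
}

/* SBL side after warm reset: anything but a fully valid record boots the current image. */
boot_choice_t sbl_select_image(const fota_flag_t *f, uint32_t slot_size)
{
    if (f->magic != FOTA_MAGIC || f->state != FOTA_UPDATE_READY)
        return BOOT_CURRENT_IMAGE;              /* erased flash or no update pending */
    if (f->image_size == 0 || f->image_size > slot_size)
        return BOOT_CURRENT_IMAGE;              /* size does not fit the flash slot */
    if (f->crc != crc32_calc((const uint8_t *)f, offsetof(fota_flag_t, crc)))
        return BOOT_CURRENT_IMAGE;              /* torn or corrupted record */
    return BOOT_NEW_IMAGE;
}
```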

  • What is ENETFOTA?

    ENETFOTA (Ethernet Firmware Over-The-Air) is a mechanism to update application firmware on TI AM64X / AM243X devices using Ethernet as the transport medium.
    It enables transferring, authenticating, and flashing a new application image without using UART, USB, or JTAG.

    What are the components involved in ENETFOTA?

    ENETFOTA consists of three main components:
    1. PC / Host – Prepares, signs, and encrypts the application image and sends it over Ethernet
    2. Ethernet Network – Used as the transport layer
    3. EVM / Target Device – Receives, authenticates, and flashes the new application image

  • 1. PC / Host Responsibilities :


    The PC/Host is responsible for preparing the new application image before it is transferred to the target device over Ethernet. This preparation includes signing the application image using an x509 certificate and, depending on the device type, encrypting the image.
    Based on the target device variant, ENETFOTA supports the following two modes:

    • Encrypted ENETFOTA – Supported only on HS devices
    • Decrypted ENETFOTA – Supported on GP devices

    2. Encrypted ENETFOTA :

    Encrypted ENETFOTA is used for HS devices that support Secure Boot. In this flow, the new application image is both encrypted and authenticated before being transferred over Ethernet.


    Flow Description

    1. The user/host encrypts the new application image.
    2. The encrypted image is then signed using an x509 certificate.
    3. The signed and encrypted image is transferred over Ethernet to the target device.
    4. The ENETFOTA application running on the device receives the image, authenticates it, and proceeds with flashing.

    This flow ensures confidentiality and authenticity of the firmware during Ethernet transfer.

    • For HS-SE devices that use Secure Boot for encrypting images, use the following commands to perform the above flow:
      • Encrypting the new app image:
        • To encrypt the app image to be transferred, run the following Python script with the arguments shown:
          • python ${MCU_PLUS_SDK_PATH}/source/security/security_common/tools/boot/signing/appimage_x509_cert_gen.py --bin ${Path to app image} --authtype 1 --key $(APP_SIGNING_KEY) --enc y --enckey $(APP_ENCRYPTION_KEY) --output $(Name of the modified image)
          • $(APP_SIGNING_KEY) and $(APP_ENCRYPTION_KEY) are found in devconfig.mak; choose the appropriate keys based on the device being used
      • Signing the new app image with a x509 certificate:
        • To sign the original app image with an extra x509 certificate, run the following Python script with the arguments shown:
          python ${MCU_PLUS_SDK_PATH}/source/security/security_common/tools/boot/signing/appimage_x509_cert_gen.py --bin ${Path to app image} --authtype 1 --key $(APP_SIGNING_KEY) --output $(Name of the modified image)
        • This command is found in the Makefile under ti-arm-clang of the example you are building
        • $(APP_SIGNING_KEY) is found in devconfig.mak; choose the key based on the device being used

    3. Decrypted ENETFOTA :

    Decrypted ENETFOTA is used for GP devices, which do not support encrypted firmware images.


    Flow Description

    1. The user/host signs the new application image using an x509 certificate.
    2. The signed (but non-encrypted) image is transferred over Ethernet to the target device.
    3. The ENETFOTA application receives the image, authenticates it, and flashes it to memory.

    • Note: Encryption is not supported on GP devices, so there is no encryption being done in this flow
    • Signing with a x509 certificate:
      • Refer to the signing command above in the Encrypted ENETFOTA case
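A length check the receiving side can run on the buffer that arrived over Ethernet before handing it to authentication, as an added example and not code from the ENETFOTA example or the SDK. It assumes the signed image is a DER-encoded x509 certificate followed directly by the image payload; the function names and the sample bytes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Total certificate length (DER header + body), or 0 if the buffer does not
 * start with a well-formed DER SEQUENCE that fits inside the `len` received bytes. */
size_t fota_cert_len(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 2 || buf[0] != 0x30)
        return 0;                               /* not an ASN.1 SEQUENCE */
    size_t hdr = 2, body = buf[1];
    if (body & 0x80) {                          /* long-form length */
        size_t n = body & 0x7F;
        if (n == 0 || n > 4 || len < 2 + n)
            return 0;                           /* indefinite, oversized or cut short */
        body = 0;
        for (size_t i = 0; i < n; i++)
            body = (body << 8) | buf[2 + i];
        if (buf[2] == 0 || (n == 1 && body < 0x80))
            return 0;                           /* non-minimal encoding is not DER */
        hdr += n;
    }
    if (body > len - hdr)
        return 0;                               /* certificate claims more than was received */
    return hdr + body;
}

/* Payload bytes that follow the certificate; 0 if the certificate header is
 * invalid or nothing follows it. */
size_t fota_payload_len(const uint8_t *buf, size_t len)
{
    size_t cert = fota_cert_len(buf, len);
    return (cert == 0 || cert >= len) ? 0 : len - cert;
}

int main(void)
{
    /* Constructed sample: 3-byte "certificate" body followed by 2 payload bytes. */
    const uint8_t rx[] = {0x30, 0x03, 0x01, 0x02, 0x03, 0xAA, 0xBB};
    printf("cert=%zu payload=%zu\n", fota_cert_len(rx, sizeof rx),
           fota_payload_len(rx, sizeof rx));
    return 0;
}
```

A zero return from either function means the transfer is rejected before any authentication or flash write is attempted.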
  • 4. Ethernet Setup :

    For Linux System:

    • Connect an Ethernet cable between the PC and the EVM.
    • Assign the PC an IP address in the same subnet as the EVM, using the following command:
      • sudo ifconfig eno1 192.168.0.193 netmask 255.255.255.0
        • eno1 is the name of the network interface
        • Run the ip link or ifconfig command to find the name of your network interface.
    • Add a static ARP entry with the below command:
      • sudo arp -i (interface-name) -s (IP-Address) (MAC-Address)
      • Example: 
        sudo arp -i eno1 -s 192.168.0.195 1c:63:49:28:61:1e
    • In the fota_enet.h file, make sure to set the value of enet_host_pc_mac_address, enet_port, enet_source_ip_address, enet_destination_ip_address, based on your setup
    • In enet_uniflash.py, make sure to assign the correct IP Addresses and Port Numbers in the arguments: hostIP, hostPort, boardIP, boardPort
    • Add the location of the new app image in default_fotaenet_app.cfg file, and save it.
    • Run the following command after Powering ON the EVM:
      • python enet_uniflash.py --cfg=sbl_prebuilt/am64x-sk/default_sbl_enet_app.cfg

    For Windows System:

    • Connect an Ethernet cable between the PC and the EVM.
    • Open Ethernet settings on your PC >> select corresponding Ethernet adapter.
    • Edit the IP settings with the IP address as 192.168.0.193, Subnet Prefix Length as 24 and Gateway as 192.168.0.195
    • Make sure the connection is set as private and that metered connection is set to off.
    • Creating a static ARP entry requires admin privileges. Run the following command in PowerShell as admin:
      • New-NetNeighbor -InterfaceIndex <ifIndex> -IPAddress '192.168.0.195' -LinkLayerAddress '<EVM MAC Addr>' -State Permanent
    • Replace <ifIndex> with the interface index of the connection between PC and EVM.
      • To find the interface index corresponding to the Ethernet interface between the PC and the EVM, use the following PowerShell command. This does not require admin privileges.
      • Get-NetAdapter
    • Replace <EVM MAC Addr> with the MAC Address of the EVM, as a continuous string like 70ff761decf2.
    • An example command to set the ARP entry is shown below:
      • New-NetNeighbor -InterfaceIndex 11 -IPAddress '192.168.0.195' -LinkLayerAddress '70ff761decf2' -State Permanent
    • In the fota_enet.h file, make sure to set the value of enet_host_pc_mac_address, enet_port, enet_source_ip_address, enet_destination_ip_address, based on your setup
    • In enet_uniflash.py, make sure to assign the correct IP Addresses and Port Numbers in the arguments: hostIP, hostPort, boardIP, boardPort
    • Add the location of the new app image in default_fotaenet_app.cfg file, and save it.
    • Run the following command after Powering ON the EVM:
      • python enet_uniflash.py --cfg=sbl_prebuilt/am64x-sk/default_sbl_enet_app.cfg
  • 5. Application Setup :

    • SBL OSPI Boot Mode is supported to run the project.
    • Configure the Compiler with the same Include Options as the Compiler configurations present in the enet_l2_cpsw example in the MCU+ SDK.
    • Configure the Linker with the same File Search Options (include library files and directory paths) as the Linker configurations present in the enet_l2_cpsw example in the MCU+ SDK.
    • Note: For successful Authentication, perform the following steps:
      • In ${MCU_PLUS_SDK_PATH}/source/drivers/bootloader/soc/am64x_am243x/bootloader_soc.c:
        • Comment out the line:
           status = Bootloader_socSecHandover();
        • Rebuild all the libraries in the MCU+ SDK
    • If an HS-FS device is being used, make the following change in the devconfig.mak file before building the projects and flashing to the SOC:
      • set DEVICE_TYPE?=GP
    • If an HS-SE device is being used, make the following change in the devconfig.mak file before building the projects and flashing to the SOC:
      • set DEVICE_TYPE?=HS
  • 6. Time Profile :
    For a file size of approx. 214 KB, in PROFILE = release mode:

    Input Clock Frequency: 166 MHz, Input Clock Division: 4, Protocol: 8D-8D-8D

    • Time Taken for Ethernet Setup: 12.035277s
    • Time Taken for Transferring New App Image: 0.066410s
    • Time Taken for Authenticating New App Image: 0.000176s
    • Time Taken for Flashing New App Image: 1.584044s

    Note: Time Taken for Ethernet Setup is independent of File Size.

  • 7. ENETFOTA Implementation code :

    Link is in progress