Secure Flash Bootloader for Off-Board Charger ECU

How ElectRay's Secure Flash Bootloader delivered Secure Boot, OEM-compliant ECU reprogramming, and a complete flashing solution on a Microchip SAM C platform, from integration to production. 

Technologies 

MCU Platform: Microchip SAM C Series, ARM Cortex-M0+ (bare-metal non-AUTOSAR environment)
Compiler Toolchain: GNU C Compiler (GCC) for ARM
Communication: CAN (ISO 11898), ISO 15765-2 CAN Transport Protocol
Diagnostic Protocol: UDS ISO 14229-1, ECU Reprogramming Services
Security: UDS Seed/Key authorized ECU reprogramming access; CRC-based firmware integrity verification during boot
ECU Flashing Tool: Windows-based ECU Flashing Tool
Documentation: User Manual, Test Reports, ready-to-run example application

Business Need 

The Tier-1 supplier was developing an Off-Board Charger ECU for an Indian Electric Vehicle OEM's fast-charging infrastructure program. The Off-Board Charger is a safety-critical unit in the EV charging chain: it manages high-voltage power conversion, communicates charging state to the vehicle, and must remain field-updatable throughout its operational life for firmware enhancements, safety patches, and OEM-mandated updates, without requiring the ECU to be returned to the factory.

The program required a production-grade flash bootloader that could handle in-field reprogramming reliably, enforce authenticated access, and verify application firmware integrity at every power-on before handing over execution. Firmware integrity validation during boot was a hard requirement: a unit operating in a high-voltage environment cannot be permitted to boot corrupted or tampered firmware under any circumstances. The ECU software was built on a lightweight bare-metal framework for the Microchip SAM C ARM Cortex-M0+ using the GNU C Compiler, without an AUTOSAR OS or BSW stack. 

Beyond the bootloader, the OEM and the client's field service team needed a PC-based ECU Flashing Tool for reprogramming at manufacturing end-of-line and service stations. ElectRay was engaged to deliver its Flash Bootloader, port it to the SAM C platform using GCC, and build and deliver the companion ECU Flashing Tool as part of a complete solution package.

Description 

ElectRay’s Secure Flash Bootloader is a lightweight, ANSI C secure Flash Bootloader for automotive and off-highway ECUs in both AUTOSAR and bare-metal non-AUTOSAR environments. Its modular architecture separates the bootloader executive, flash driver, UDS/transport layer, and security module, allowing each layer to be configured independently per platform and OEM requirement without modifying core logic. 

For this program, the Flash Bootloader was ported to the Microchip SAM C ARM Cortex-M0+ using the GCC toolchain and operates with two distinct responsibilities. First, at every power cycle, it executes a firmware integrity validation sequence during boot: computing a CRC over the application firmware partition and comparing it against a stored reference value. Only a firmware image that passes this check is permitted to run; a failed check blocks execution and keeps the ECU in bootloader mode, awaiting a valid firmware download session. Second, on receiving a UDS programming session request over CAN, it manages the full erase, download, verify, and exit sequence, followed by a Secure Boot re-check before returning to normal operation. 

Alongside the Flash Bootloader, ElectRay developed and delivered a PC-based ECU Flashing Tool: a Windows application that interfaces with the ECU over CAN, orchestrates the complete UDS reprogramming sequence, and provides a simple operator interface for manufacturing end-of-line and field service use. 

Key Technical Elements Delivered 

  • Software-based Secure Boot with CRC-based firmware integrity verification at every power-on; corrupted or tampered images are blocked from execution, with the bootloader retaining control until a valid image is flashed 
  • UDS reprogramming session handling: $10 Programming Session, $27 Security Access, $31 Routine Control, $34 Request Download, $36 Transfer Data, $37 Transfer Exit, and post-flash $31 RoutineControl-based memory verification, aligned to OEM diagnostic specification 
  • ISO 15765-2 CAN Transport Layer (CanTp) for reliable large-block firmware transfer over standard CAN frames on the SAM C CAN peripheral 
  • Seed/Key security access ($27) as an authenticated reprogramming gate, preventing unauthorized firmware modifications on deployed charger units 
  • Flash driver for SAM C internal flash: sector erase, data write, and read-back verification using GCC-compatible memory-mapped access 
  • PC-based ECU Flashing Tool: Windows application managing the end-to-end UDS reprogramming workflow over CAN, suitable for manufacturing EOL and field service use 
  • Bootloader memory map and configuration covering bootloader partition, application partition, Secure Boot CRC reference area, and OEM-specific timing and session parameters 

Challenges 

New Platform Port (SAM C with GCC): eLite.FBL required a clean port to the Microchip SAM C ARM Cortex-M0+ using the GCC toolchain, covering startup code integration, CAN peripheral driver adaptation, and flash driver development for the SAM C’s internal flash memory.
Non-AUTOSAR Integration: The charger ECU’s application software ran on bare-metal without an AUTOSAR OS or BSW stack. The bootloader had to share CAN peripheral access and startup routines within this environment.
Software-based Secure Boot: The OEM required firmware integrity verification at every power-on before granting execution. The Secure Boot mechanism had to be reliable, add negligible startup latency, and block execution entirely on a CRC failure, holding the ECU in bootloader mode until a valid image was reflashed.
Off-Board Charger Safety Constraints: Operating in a high-voltage power environment, the charger ECU required a strict guarantee that no partial or corrupted firmware update could leave it in an undefined state. The consequences of a malfunction in a live charging scenario made this a non-negotiable safety requirement.
OEM Reprogramming Specification: The OEM’s specification defined session sequences, P2/P2* timing windows, NRC response handling, and Seed/Key algorithm requirements that had to be precisely mapped into the bootloader configuration.
End-to-End Flashing Tool Delivery: The client needed a PC-side ECU Flashing Tool capable of orchestrating the full UDS reprogramming sequence over CAN, robust enough for manufacturing end-of-line and field service deployment.
Production Readiness: The solution had to meet production quality standards: field-deployable firmware validated against OEM tools, with User Manual and Test Reports to support the client’s production release and PPAP activities.

Solution Approach

  1. SAM C Platform Port and GCC Toolchain Alignment

The Flash Bootloader was ported to the Microchip SAM C ARM Cortex-M0+ using the GCC compiler and linker, covering startup code integration, CAN peripheral driver adaptation for the SAM C's CAN controller, and flash driver development aligned to the SAM C's internal flash sector boundaries, erase granularity, and programming timing. 

  2. Software-Based Secure Boot Implementation

The Secure Boot mechanism is the first code executed after reset. The bootloader computes a CRC over the application firmware partition in SAM C internal flash and compares it against a reference value in a dedicated protected memory area. A passing check transfers execution to the application; a failing check withholds execution and waits for a valid reprogramming session over CAN. This guarantees the Off-Board Charger cannot boot into an unsafe firmware state under any condition, including power interruptions mid-flash. 
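The power-on check from this step, as an added example that is not ElectRay's bootloader code: the CRC-32 variant (IEEE 802.3), the two-word reference trailer and the RAM buffers standing in for SAM C flash are assumptions, since the page does not specify them.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not ElectRay's code. Trailer layout, CRC polynomial and the
 * RAM stand-ins for the flash partitions are assumptions. */
#define APP_PART_SIZE 64u   /* constructed: tiny application partition */

typedef struct { uint32_t length; uint32_t crc; } boot_ref_t;   /* Secure Boot reference area */

static uint8_t    app_flash[APP_PART_SIZE];                   /* models the application partition */
static boot_ref_t ref_area = { 0xFFFFFFFFu, 0xFFFFFFFFu };    /* erased flash reads as all ones */

/* Bit-serial CRC-32 (reflected, init 0xFFFFFFFF, final XOR). No lookup table,
 * so it fits a Cortex-M0+ bootloader with little RAM. */
uint32_t crc32_ieee(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Boot decision taken first thing after reset: 1 = jump to application,
 * 0 = stay in bootloader and wait for a programming session over CAN. */
int secure_boot_check(void) {
    if (ref_area.length == 0u || ref_area.length > APP_PART_SIZE)
        return 0;   /* erased trailer (0xFFFFFFFF) or out-of-range length: never boot */
    return crc32_ieee(app_flash, ref_area.length) == ref_area.crc;
}

/* Download path: the reference is erased first and written last, so a power
 * loss anywhere in between leaves a trailer that fails secure_boot_check(). */
void erase_application(void) {
    memset(&ref_area, 0xFF, sizeof ref_area);
    memset(app_flash, 0xFF, sizeof app_flash);
}
int program_application(const uint8_t *img, size_t len) {
    if (len == 0u || len > APP_PART_SIZE) return -1;
    erase_application();
    memcpy(app_flash, img, len);                          /* $36 TransferData blocks */
    if (memcmp(app_flash, img, len) != 0) return -2;      /* read-back verification */
    ref_area.length = (uint32_t)len;                      /* trailer written last */
    ref_area.crc = crc32_ieee(img, len);
    return 0;
}

/* Constructed sample image for demonstration; not a real firmware. */
const uint8_t sample_image[] = "CHARGER-APP-v1.0 constructed image";
```

A CRC catches corruption and interrupted downloads but is not a cryptographic signature, so the $27 Seed/Key gate in front of the download session is what limits who can write both the image and its reference value.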

  3. Bootloader Memory Map and Configuration

Flash memory was partitioned into bootloader, application, and shared-data regions, with a dedicated area for the Secure Boot CRC reference value. Timing parameters (P2/P2* server response windows) and session lifecycle logic were configured per the OEM's reprogramming specification and validated against OEM diagnostic tooling before integration. 

  4. UDS Reprogramming Workflow

The complete OEM reprogramming sequence was implemented: $10 Programming Session entry, $27 Seed/Key security unlock, $31 erase routine, $34 download request, $36 block transfer, $37 transfer exit, and post-flash $31 RoutineControl-based memory verification. After a successful flash sequence, the bootloader re-executes the Secure Boot CRC check before returning to normal operation, closing the loop between reprogramming and boot integrity.

  5. Security Access: Seed/Key Implementation

The Seed/Key algorithm was implemented as a modular, replaceable component in the bootloader's security layer, with the algorithm logic kept under client control as a configurable function. Together with Secure Boot, this provides a two-layer security posture: only authenticated sessions can initiate a firmware update, and only integrity-verified images are permitted to execute. 
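The server-side gate for the workflow in step 4 and the Seed/Key layer in step 5, as an added example that is neither ElectRay's bootloader code nor the OEM's specification: the NRC values are the ISO 14229-1 codes, while the routine IDs, the seed generator and the key function are constructed stand-ins for the OEM-specified, client-controlled ones.

```c
#include <stdint.h>

/* Added example, not ElectRay's or the OEM's code: a server-side gate that
 * enforces the reprogramming order described on the page. NRC values are the
 * ISO 14229-1 codes; routine IDs, seed generator and key algorithm are
 * constructed stand-ins for the OEM-specified, client-controlled ones. */
enum { ST_DEFAULT, ST_PROG_LOCKED, ST_UNLOCKED, ST_ERASED, ST_DOWNLOADING, ST_TRANSFERRED, ST_VERIFIED };
enum { NRC_SERVICE_NOT_SUPPORTED = 0x11, NRC_SUBFUNC_NOT_SUPPORTED = 0x12, NRC_CONDITIONS_NOT_CORRECT = 0x22,
       NRC_REQUEST_SEQUENCE_ERROR = 0x24, NRC_SECURITY_ACCESS_DENIED = 0x33, NRC_INVALID_KEY = 0x35,
       NRC_EXCEEDED_ATTEMPTS = 0x36, NRC_NOT_SUPPORTED_IN_SESSION = 0x7F };
#define RID_ERASE  0xFF00u      /* constructed routine IDs for $31 */
#define RID_VERIFY 0xFF01u
#define MAX_KEY_ATTEMPTS 3u

typedef uint32_t (*key_fn_t)(uint32_t seed);   /* replaceable Seed/Key algorithm, client-controlled */
typedef struct { int state; uint32_t seed, seed_ctr; unsigned bad_keys; key_fn_t key; } uds_srv_t;

void uds_init(uds_srv_t *s, key_fn_t key) {
    s->state = ST_DEFAULT; s->seed = 0; s->seed_ctr = 0x1234u; s->bad_keys = 0; s->key = key;
}

/* Placeholder standing in for the OEM's real Seed/Key function. */
uint32_t demo_key(uint32_t seed) { return (seed ^ 0xA5A5A5A5u) + 0x2710u; }

/* One UDS request: returns 0 for a positive response, otherwise the NRC to send. */
uint8_t uds_handle(uds_srv_t *s, uint8_t sid, uint8_t sub, uint32_t arg) {
    if (sid == 0x10) {   /* DiagnosticSessionControl: any session change re-locks security */
        s->state = (sub == 0x02) ? ST_PROG_LOCKED : ST_DEFAULT; s->seed = 0; return 0;
    }
    if (s->state == ST_DEFAULT) return NRC_NOT_SUPPORTED_IN_SESSION;
    if (sid == 0x27) {   /* SecurityAccess: 0x01 requestSeed, 0x02 sendKey */
        if (sub == 0x01) { if (s->state < ST_UNLOCKED) s->seed = 0x9E3779B9u * ++s->seed_ctr; return 0; }
        if (sub != 0x02) return NRC_SUBFUNC_NOT_SUPPORTED;
        if (s->bad_keys >= MAX_KEY_ATTEMPTS) return NRC_EXCEEDED_ATTEMPTS;
        if (s->seed == 0) return NRC_REQUEST_SEQUENCE_ERROR;      /* key sent before a seed was issued */
        if (arg != s->key(s->seed)) { s->seed = 0; s->bad_keys++; return NRC_INVALID_KEY; }
        s->state = ST_UNLOCKED; s->seed = 0; s->bad_keys = 0; return 0;
    }
    if (s->state < ST_UNLOCKED) return NRC_SECURITY_ACCESS_DENIED;   /* everything below needs $27 */
    switch (sid) {
    case 0x31:   /* RoutineControl: erase only when unlocked, verify only after TransferExit */
        if (arg == RID_ERASE && s->state == ST_UNLOCKED) { s->state = ST_ERASED; return 0; }
        if (arg == RID_VERIFY && s->state == ST_TRANSFERRED) { s->state = ST_VERIFIED; return 0; }
        return NRC_CONDITIONS_NOT_CORRECT;
    case 0x34: if (s->state != ST_ERASED) return NRC_CONDITIONS_NOT_CORRECT; s->state = ST_DOWNLOADING; return 0;
    case 0x36: return (s->state == ST_DOWNLOADING) ? 0 : NRC_REQUEST_SEQUENCE_ERROR;
    case 0x37: if (s->state != ST_DOWNLOADING) return NRC_REQUEST_SEQUENCE_ERROR; s->state = ST_TRANSFERRED; return 0;
    default:   return NRC_SERVICE_NOT_SUPPORTED;
    }
}
```

The ordering is the defensive point: a $34 or $36 that arrives without an unlocked session is refused with securityAccessDenied rather than accepted, and an invalid key discards the seed so the tester must restart the $27 exchange, with the attempt counter bounding repeated guesses.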

  6. Windows-Based ECU Flashing Tool

ElectRay developed and delivered a Windows-based ECU Flashing Tool that connects to the ECU over CAN and orchestrates the full UDS reprogramming sequence on the host side. It handles firmware image parsing, session management, block transfer sequencing, and post-flash verification, giving the client's manufacturing and field service teams a self-contained reprogramming workflow without requiring third-party diagnostic tools. 

  7. Integration, Validation and Production Handover

ElectRay supported the client through full ECU bringup: from first bootloader boot on SAM C hardware and Secure Boot validation, through integration with the application software, to end-to-end flash validation using the delivered Flashing Tool and the OEM's own diagnostic tooling. User Manual and Test Reports were delivered to support PPAP. The program reached SOP and is in active production.

Outcomes 

Production Deployment (In Production): The Flash Bootloader is live in deployed Off-Board Charger ECUs, confirming reliability and OEM acceptance for production programs.
Secure Boot (Boot Integrity Maintained): Software-based Secure Boot has prevented any corrupted or invalid firmware image from executing since SOP, a critical safety outcome for a high-voltage charging ECU.
Platform Port (Successful First-Hardware Bring-Up): SAM C ARM Cortex-M0+ port using GCC was operational on target hardware from the first bring-up session, delivered on schedule.
OEM Compliance (First-Pass Accepted): UDS reprogramming sequence, timing, and Seed/Key security access validated against OEM diagnostic tools without protocol-level rework.
Flash Integrity (Zero ECU Bricking Events): CRC-based Secure Boot and verified flash write sequence ensured no ECU bricking during development, validation, or field reprogramming cycles.
Flashing Tool Delivery (Full EOL Deployment): PC-based ECU Flashing Tool deployed at the client’s manufacturing end-of-line and field service network, without dependency on third-party tooling.
Program Scalability: The Flash Bootloader and the Flashing Tool are reusable across ECU variants and future programs on the SAM C platform.

Let’s build the future of mobility, together.

Talk to our team about your next embedded or digital software challenge.

www.electraytech.com | info@electraytech.com | +91 963 782 5333