Hi,

I'm working on a project with the MCXN947: Zephyr on Core0 and bare-metal on Core1 (embedded inside the Zephyr image). Total firmware size is ~800 KB in internal Flash, with the rest reserved for MCUboot + OTA slot.

I need to implement secure OTA updates compliant with the EU Cyber Resilience Act (CRA), preferably without external memory.

I looked into the SB3 format but I have some doubts:
- Is it compatible with Zephyr ?
- Does it require external memory to receive and validate the image?

What solution would you recommend for this setup?

Thanks

Hi @Jorini 

Thank you for the post!

1. Zephyr does not support SB3 files natively, you could use a ROM API to process it. 

2. It would depend on your implementation, the MCX N94x Over-The-Air (OTA) Update by Using SB3 File application note use the external flash to store and process the SB3 file before overwriting the secondary image area. 

If you only want to manage the version of your firmware signed firmware you could do it directly from mcuboot with zephyr: Building and using MCUboot with Zephyr

Hi,

It seems like a good alternative. Anyway, I'm interested to know if Mongoose supports SB3, and if it needs an external memory.

Hi,

For an MCXN947 + Zephyr project, you can use the Mongoose Web Server along with its OTA features. It has MCXN947 OTA support and writes the update directly to the inactive flash area.

Below is a sample project for MCXN947 on Zephyr, from which you can start:

https://mongoose.ws/wizard/#/output?board=mcxn947&ide=Zephyr&rtos=baremetal&file=README.md

To download it to your workstation, access that URL, go to the 'Settings' tab, select a directory in the `Source Code Generator` section and click the blue `Generate C/C++ code` button in the upper-right corner of the page.

The project features a modern dashboard, powered by Mongoose, which includes a button to upload the new firmware to your board.

Open the project, then add this to `mongoose_config.h`:

#define MG_OTA MG_OTA_MCXN
#define MG_IRAM __attribute__((noinline, section(".ramfunc")))

For signed firmware, generate a key and sign the image with Mongoose’s `resources/sign.js`, found here in the Mongoose official repo:

node sign.js keygen
node sign.js sign firmware.bin

`keygen` prints a public key define. Add that to `mongoose_config.h` too:

#define MG_OTA_PUBLIC_KEY { /* generated 64-byte public key */ }

That should be enough to generate a signed image. For more documentation on Mongoose OTA functionality and image signing, you can access this documentation page https://mongoose.ws/docs/guides/firmware-ota-updates/

Heads up: I am part of the Mongoose development team, I hope this helps you in your process.