Secure Boot & Firmware Update

Demonstrate secure boot with a hardware root of trust, then perform an authenticated firmware update in orbit. Verify rollback protection, version pinning, and recovery behavior after an interrupted update.

Form Factor: 0.5U
Difficulty: Intermediate
Timeline: 12-16 months
Disciplines: 2

About This Project

Category: Cybersecurity

This is an intermediate-level project with an estimated timeline of 12-16 months using a 0.5U form factor.

Overview

Software bugs are inevitable, and on a satellite you cannot plug in a USB cable to reflash the firmware. Secure boot and firmware-over-the-air update capability together solve two critical problems: ensuring that only authorized software runs on the satellite, and providing the ability to fix bugs and add features after launch. Secure boot uses a hardware chip that stores cryptographic keys and verifies the firmware signature every time the satellite powers on — if the firmware has been corrupted by radiation or tampered with, the system refuses to boot and falls back to a known-good recovery image. Firmware update allows the ground team to upload new software during ground station passes, with the satellite verifying the update's authenticity before installing it. The experiment demonstrates this full lifecycle in orbit: boot verification, successful update, rollback after a deliberately corrupted update, and recovery from an interrupted transfer. For most student missions, a firmware bug means living with a degraded satellite for the rest of its operational life. This payload eliminates that constraint and produces a reference implementation that advances the state of practice for university CubeSat programs.

Technical Details

An ATECC608B or STSAFE-A110 (~$5-10) serves as the hardware root of trust, storing the firmware signing keys. The bootloader verifies the firmware signature (ECDSA-P256) before execution and rejects unsigned or tampered images. FOTA (firmware over-the-air) update: the ground station uploads signed firmware chunks via the uplink; the satellite reassembles them, verifies the full image signature, then swaps the boot partition. Rollback protection: the satellite maintains the previous known-good image and reverts to it automatically if the new firmware fails its health check within N boot cycles. Version pinning prevents downgrade attacks.
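
The rollback and version-pinning rules above can be written as a boot-slot selection routine. The following C example is added here and is not code from the project or from a vendor; the two-slot layout, the structure and function names, MAX_BOOT_ATTEMPTS = 3 and the sig_ok flag (standing in for the ECDSA-P256 result obtained with the secure element) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

#define MAX_BOOT_ATTEMPTS 3   /* the page's "N"; the value 3 is an assumption */
enum { BOOT_RECOVERY = 2 };   /* returned when neither slot may run */

/* Hypothetical slot metadata. sig_ok stands in for the result of the
   ECDSA-P256 check done with the secure element before this logic runs. */
typedef struct {
    uint32_t version;
    bool     sig_ok;
    bool     confirmed;  /* set once the image has passed its health check */
    uint8_t  attempts;   /* trial boots used; must live in non-volatile memory */
} slot_t;

typedef struct {
    slot_t   slot[2];
    uint8_t  active;       /* slot to try first */
    uint32_t min_version;  /* anti-downgrade floor; only ever increases */
} boot_state_t;

static bool bootable(const boot_state_t *s, int i) {
    const slot_t *p = &s->slot[i];
    if (!p->sig_ok) return false;                   /* unsigned, tampered or corrupted */
    if (p->version < s->min_version) return false;  /* downgrade attempt */
    if (!p->confirmed && p->attempts >= MAX_BOOT_ATTEMPTS) return false; /* trial failed */
    return true;
}

/* Run on every power-on. Returns 0 or 1 for a slot, or BOOT_RECOVERY. */
int select_boot_slot(boot_state_t *s) {
    int order[2] = { s->active, 1 - s->active };
    for (int k = 0; k < 2; k++) {
        int i = order[k];
        if (!bootable(s, i)) continue;
        if (!s->slot[i].confirmed) s->slot[i].attempts++;  /* persist before jumping */
        s->active = (uint8_t)i;
        return i;
    }
    return BOOT_RECOVERY;
}

/* Called by the running firmware once its health check has passed. */
void confirm_boot(boot_state_t *s) {
    slot_t *p = &s->slot[s->active];
    p->confirmed = true;
    if (p->version > s->min_version) s->min_version = p->version;  /* pin version */
}
```

Because the version floor rises only on confirmation, the previous image stays bootable during the trial window and is refused afterwards. From then on, a confirmed image that fails verification falls through to the recovery image.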

Research & Notes

Over-the-air firmware update is critical for long-duration missions but is rarely demonstrated by student teams. Most student CubeSats fly a single firmware image with no update capability, so any bug is permanent. Secure boot prevents unauthorized firmware from executing even if the command link is compromised. The ATECC608B secure boot flow is documented in Microchip application notes (AN-SecureBoot). Key challenge: reliable FOTA over unreliable UHF links with limited contact windows (~10 min per pass), which calls for robust chunked transfer with checksums and resume capability. Cost: $50-$200. Complexity: intermediate; this is a firmware architecture challenge more than a hardware challenge.

Required Disciplines

This project spans 2 disciplines, making it suitable for interdisciplinary student teams.

CS
EE

Next Steps

Ready to take on this project? Here's a general roadmap that applies to most CubeSat missions:

  1. Build your foundation: Complete the core modules in the CubeSat Academy to understand spacecraft subsystems, mission design, and development workflows.
  2. Form a team: Recruit students across the required disciplines and identify a faculty advisor. Plan for knowledge transfer between graduating and incoming members.
  3. Write a mission concept: Draft a 1–2 page document outlining your objectives, target orbit, payload requirements, and success criteria.
  4. Connect with a chapter: Join a Blackwing chapter for mentorship, shared resources, and access to the platform ecosystem.
  5. Explore the developer tools: Visit the Developer Portal for platform documentation, SDKs, and hardware specs.
  6. Plan your timeline: Map milestones to your academic calendar. Most projects align well with a 2–4 semester capstone or research sequence.
  7. Reach out: Contact us to discuss your project goals, platform selection, and path to orbit.
