ESP32 OTA Updates — Amazon FreeRTOS

Mahavir Jain
Oct 1, 2018 · 3 min read

ESP32 now supports secure Over-the-Air firmware updates with Amazon FreeRTOS. This enables users of ESP32 with Amazon FreeRTOS to:

  • Deploy new firmware on ESP32 in secure manner (single or group of devices, along with dynamic addition of new/re-provisioned device)
  • Verify authenticity and integrity of new firmware after its deployed
  • Extend OTA update security scheme to take leverage of hardware security features in ESP32


At a high level,

  • The firmware image (or any other partition’s content: filesystem, configuration data), is initially uploaded to an S3 bucket on AWS.
  • An AWS OTA Job with the required certificates (for demo purpose can be self-signed) and code-signing profile (security scheme for ESP32 is ECDSA + SHA256) is setup.
  • On the device side, the OTA agent from Amazon FreeRTOS needs to be enabled in the firmware, along with the certificate that is responsible for verifying the firmware update image (essentially ECDSA public key).
  • The AWS OTA Job then takes the firmware image from the S3 bucket, signs it, and sends it over MQTT+TLS channel in small chunks to the OTA agent on the device.
  • The OTA agent on the device then writes the newly received firmware to its storage and manages the state.
  • At the end, firmware signature gets validated on the device and it gets approved for boot-up.
  • Post boot-up, the OTA agent again interacts with AWS OTA Job for verifying sanity of firmware, and finally the firmware image gets marked as legitimate one, notifying the boot-loader to erase all older firmware instances from the device storage (for not allowing forced rollback).


Lets quickly walk over the steps for getting the OTA update demo functional on ESP32:

AFR OTA Job Creation
  • Select “Sign a new firmware image for me” option,
AFR OTA Job Creation
  • Create code signing profile, please select ESP32 platform here and provide certificates created earlier,
AFR OTA Code Signing Profile
AFR OTA Code Signing Profile

Enabling Hardware Security

The ESP32 port is so structured that the same secure firmware verification mechanism can be used by the ESP32 chipset for enabling secure boot.

ESP32’s secure boot scheme uses the same ECDSA + SHA256 algorithm. Hence the same public key that is used for the OTA firmware image verification can also be used by the bootloader to validate the firmware image on boot-up.

It is highly recommended that you use secure boot in conjunction with the OTA firmware updates in your products.

The ESP Journal

Unofficial Blog for Best Practices and Announcements about Espressif

Mahavir Jain

Written by

Embedded Professional | Open Source Enthusiast | Technology Explorer.

The ESP Journal

Unofficial Blog for Best Practices and Announcements about Espressif