As automobiles accelerate towards electrification, cars are transitioning away from mechanically driven machines towards software-driven electronic products. Industry insiders generally believe that automobiles will become the next mobile intelligent terminal. Under this trend, the competitive rules of automotive products and internal systems will be rewritten. The technology and engineering core of entire vehicle enterprises was previously the engine and transmission. However, looking to the future, it becomes increasingly important to equip vehicles with powerful sensors, SoC-level chips, and matching computing capabilities on the platform of the connected car.

The amount of software code in cars keeps snowballing. Currently, production cars on the market typically run 20-30 million lines of code on 50-60 ECUs, and luxury models can even double this amount. This code controls every function from entertainment systems to safety and power systems, which means the complexity of the entire vehicle is increasing. Compared with hardware, software iterates much faster, which makes personalized design easy and systematic management necessary.

OTA Technology Overview

Consumers who are unfamiliar with automotive OTA (Over-The-Air) technology are certainly familiar with, and have used, the online upgrade functions of smartphones. In short, automotive OTA technology upgrades vehicle-mounted software remotely, so that defects can be repaired quickly and new functions can be enabled.

Traditional vehicle maintenance and software updates adopt offline store maintenance and recall models. However, OTA technology has many advantages such as reducing recall costs, responding quickly to security needs, and improving user experience. From the perspective of expanding coverage and reducing management complexity, it is undoubtedly the inevitable choice for future smart cars.

As shown below, OTA technology has developed from the budding stage, to entertainment systems and connectivity modules, to powertrains and safety systems, and to the core computing unit (domain controller) of possible future cars.

Figure: Application process of OTA technology in vehicles

OTA technology requires a large-scale adjustment of the entire vehicle’s electrical architecture, which poses great challenges to the original architecture. Network security is a further concern that currently prevents the immediate implementation of this technology.

Figure: Hierarchy of automotive electronics in the whole vehicle

OTA Architecture and Process for Automotive Industry

OTA (Over-The-Air) technology in the automotive industry is mainly divided into two categories: FOTA (Firmware-Over-The-Air) for firmware updates and SOTA (Software-Over-The-Air) for software updates. The former is a system-level update that installs firmware by downloading images, while the latter is an iterative update of individual applications at the application level. In automotive electronics the boundary between FOTA and SOTA is blurred: usually the updates for the apps in the head-up display (HUD) are referred to as SOTA, while updates for other ECUs, or even all updates, are collectively referred to as OTA.

The OTA architecture for vehicles mainly consists of two parts: a cloud server and a vehicle terminal component, as shown in the following figure:

(1) OTA cloud server: provides OTA services for in-vehicle terminals, mainly managing the original firmware upgrade software of various software vendors. For security reasons, an independent submodule needs to be constructed to ensure the security of the OTA service platform, including services for key certificate management, data encryption, and digital signature.

(2) Vehicle terminal OTA component: performs legitimate verification of upgrade packages and adapts to secure upgrade processes.

The automotive OTA process mainly consists of three steps: management and generation of update packages, distribution of update packages, and installation of update packages. Specifically as follows:

(1) Management and generation of relevant update package files: The cloud server is the main unit responsible for monitoring the entire OTA process. It determines which vehicles to update, whether to establish a connection with the vehicles (over a reliable, trustworthy channel), and keeps track of messages in real time. It also extracts firmware or update packages from the software library, determines the update order for distribution packages, manages the entire process, and verifies the result upon completion.

(2) Distribution and checking: The server encrypts update packages and distributes them through channels. At the vehicle end, a controller with powerful computing abilities and sufficient storage space performs downloading, verification, and decryption. A task manager on the vehicle is responsible for reporting the current status and error information to the server. Each update task has a job ID for tracking.

(3) Updating and flashing: To prevent vehicle crashes during flashing, automotive companies commonly develop backup plans before deciding on FOTA. For example, connected modules (such as dashboards, central consoles, etc.) monitor the process of writing the entire update file into the ECU. Every step of the operation is monitored to ensure completeness and to ensure that it can be stopped and rewritten at any time. As long as the corresponding ECU has a runnable bootloader (guide program), the vehicle and the server keep control of the entire process, which minimizes the risk of crashing.

After completing the final preparations, the ECU will restart, the connection between the agent and the server will continue, and the server can obtain the latest information on the current update status.

Automakers’ Push for OTA and Standard Promotion

Automakers are working hard to build their own OTA architecture and functions, forming their own standards. Tesla first used OTA technology in 2012 to upgrade entertainment, automatic driving, power, battery and other modules. From then on until around 2018, Toyota, Volkswagen, Ford, and Volvo successively adopted OTA online updates for entertainment systems and navigation, and extended them to warning reminders based on real-time vehicle condition diagnosis.
Since 2019, SAIC, GAC, FAW, Changan, Toyota, Volkswagen, BMW, and other domestic and foreign vehicle manufacturers have successively established their own software departments (companies) to promote intelligent driving and digital businesses, as shown in the table below.

Since 2020, with the emergence of many new car manufacturers represented by Tesla, OTA technology has been widely used in upgrading car computer systems in new models. For example, Tesla has conducted 19 OTA updates from the beginning of 2020 to the present, with the highest frequency of upgrades among all automakers. The latest one was implemented through OTA in June of this year to optimize cruise control functions.

Representatives of new domestic car manufacturers, such as NIO, Ideal, and XPeng, have also pushed new features through OTA updates, such as improving charging efficiency, optimizing driving assistance, repairing car computer system bugs, etc.

In the future, with the continuous improvement of automotive intelligence, it is expected that more than 50% of recall issues will be software-related, and the construction of an OTA ecosystem will significantly reduce the cost of this part of the recall. Consulting firm IHS predicted that the cost savings for car manufacturers due to OTA software updates will increase from $2.7 billion in 2015 to $35 billion in 2022.

From a global perspective, various countries, regions, and major international alliances are trying to develop OTA standards. In December 2016, the UN Task Force on Cybersecurity and OTA issues (CS/OTA) was established with the UK and Japan as chair countries, carrying out the international regulatory and standard-setting work around three parts: automotive network security, data protection, and OTA software upgrades. The International Telecommunication Union (ITU-SG17) has also been fully involved in the work of this task force. Chinese industry experts have also participated in some of the work of the task force organized by the China Automotive Technology Research Center, and have made relevant international standard proposals.

Starting from January 1, 2017, the national standard “Technical specification for electric vehicle remote service and management system” (GB/T 32960.1-2016) stipulates that all newly produced new energy vehicles shall be equipped with on-board terminals, and the enterprise monitoring platform shall monitor and manage the safe operation status of the whole vehicle and key systems such as power batteries. According to the national standard for public service vehicles, relevant security status information of the vehicle must be uploaded to the local monitoring platform, which will also generate OTA demand.

In November 2020, the State Administration for Market Regulation issued the “Notice on Further Strengthening the Supervision of Automotive Remote Upgrade (OTA) Technical Recalls”, which clearly pointed out that car companies that “carry out technical service activities for sold vehicles through OTA methods” should file with the State Administration for Market Regulation. For those who “use OTA methods to eliminate automobile product defects and carry out recalls”, they should formulate a recall plan, file with the State Administration for Market Regulation, and fulfill the recall main responsibility in accordance with the law. On June 4, 2021, the State Administration for Market Regulation issued a “Supplementary Notice on the Filing of Automotive Remote Upgrade (OTA) Technical Recalls”.

What are the risks of OTA?

Many people’s understanding of automotive OTA comes from mobile phone OTA. There are indeed similarities in terms of technical characteristics, but there are still significant differences between the two, especially in terms of security issues. For example, when a mobile phone is upgraded OTA, if the upgrade fails, the worst case is that the phone becomes a “brick”, while the situation for cars is different, with slight mistakes leading to vehicle damage and personal injury.

In the FOTA process, there are mainly transmission risks and upgrade package tampering risks. During the transmission process of the terminal downloading the upgrade package, attackers can use network attack methods, such as man-in-the-middle attacks, to send tampered and forged upgrade packages to the on-board terminal. If there is no verification mechanism for the terminal during the upgrade process, the tampered upgrade package can complete the upgrade process smoothly, achieving the purpose of tampering with the system and implanting malicious programs such as backdoors. Attackers may also unpack and analyze the upgrade package to obtain some useful information, such as vulnerability patches. The exposure of key information in the upgrade package will increase the risk of being attacked.
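The verification mechanism whose absence is described above, and which the vehicle terminal OTA component is said to perform, can be sketched as follows. This is an added example, not code from the original report or from any automaker: the manifest layout, function names and the Ed25519/SHA-256 choice are assumptions, and the "version must be newer" check goes beyond the text to also cover replay of an old, validly signed package.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical package descriptor; field names are assumptions.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the firmware image
}

// Constructed demo key pair; a real terminal holds only a provisioned public key.
var demoPub, demoPriv, _ = ed25519.GenerateKey(nil)

// SignPackage plays the cloud server: hash the image, sign the manifest bytes.
func SignPackage(priv ed25519.PrivateKey, ver int, image []byte) (manifest, sig []byte) {
	sum := sha256.Sum256(image)
	manifest, _ = json.Marshal(Manifest{ver, fmt.Sprintf("%x", sum)})
	return manifest, ed25519.Sign(priv, manifest)
}

// VerifyPackage plays the vehicle terminal: signature first, then digest,
// then version, so nothing unauthenticated is parsed or flashed.
func VerifyPackage(pub ed25519.PublicKey, manifest, sig, image []byte, installed int) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return err
	}
	if sum := sha256.Sum256(image); fmt.Sprintf("%x", sum) != m.SHA256 {
		return errors.New("image digest mismatch")
	}
	if m.Version <= installed {
		return errors.New("version not newer than installed")
	}
	return nil
}

func main() {
	image := []byte("constructed firmware image")
	man, sig := SignPackage(demoPriv, 8, image)
	fmt.Println(VerifyPackage(demoPub, man, sig, image, 7), "|", VerifyPackage(demoPub, man, sig, append(image, 0), 7))
}
```

Signing only authenticates the package; keeping its contents from being unpacked and analyzed, the other risk named above, depends on the encryption step of the distribution stage.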

Therefore, OTA updates for automobiles must be carried out at an appropriate time, in an appropriate place, and when the vehicle is in an appropriate condition. This requires automotive companies to formulate corresponding upgrade strategies so that the operation is carried out as safely and economically as possible. For vehicle companies, promoting OTA technology actually carries the risk of taking on the problems that follow. As mentioned earlier, this is a major obstacle that constrains the development of OTA technology on vehicles. With the introduction of information security technology, this part of the work will develop as a combination of vehicle companies and network technology.

Conclusion

The significance of OTA is that it provides continuously updated services: by downloading and updating software, more and more possibilities can be realized. OTA itself is not a new concept or technology, and it has been widely used in consumer electronics such as mobile phones. For smart cars, it remains a key development direction for future technology, one needed both by users and by the after-sales maintenance of car companies. Automobile manufacturers that do not master OTA will soon be marginalized, because they will be unable to update software continuously, unable to communicate and exchange data in both directions, and unable to quickly provide services and applications for car owners to choose from. This technology will become more and more important as automotive companies build up their software capabilities and network capabilities and address product lifecycle needs.

This article is a translation by ChatGPT of a Chinese report from 42HOW. If you have any questions about it, please email bd@42how.com.