Problem: Single-bank firmware: an update overwrote the only image in place, so a bad image could not be undone. A boot loop on a specific oscillator-tolerance variant bricked 3,400 meters. No rollback mechanism existed, and recovery required a physical site visit per meter.
Solution: Dual-bank flash: slots A and B plus a small immutable bootloader slot that acts as the root of trust. A boot descriptor block tracks the active slot, whether that slot has been confirmed, and the boot attempt count. After 3 consecutive boots with no heartbeat within 30 seconds, the bootloader flips to the other bank, which still holds the last confirmed image. ECDSA P-256 signature verification rejects unsigned or tampered updates before a single flash byte is written. The update is written to the inactive slot while the active firmware keeps running, and the descriptor switch is the last write, so a power failure at any earlier point leaves the running image untouched.
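Constructed illustration of the boot-descriptor state machine described above, added here; it is not the page's or the project's own code. The names (boot_desc_t, bootloader_select, app_confirm, stage_update, run_rollback_scenario, run_tamper_scenario), the CRC-sealed descriptor layout and the 64-byte toy slots are assumptions. demo_verify is a CRC stand-in that only exists so the example runs offline; it marks where ECDSA P-256 verification over the image hash (for example mbedTLS's mbedtls_ecdsa_read_signature over a SHA-256 digest) must be plugged in and is not an authenticity check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BOOT_ATTEMPTS 3
#define SLOT_SIZE 64            /* assumed toy slot size; real slots are flash banks */
#define DESC_MAGIC 0x42444C4Fu  /* assumed marker distinguishing a blank page from a descriptor */

typedef struct {
    uint32_t magic;
    uint8_t  active_slot;  /* 0 = A, 1 = B: slot the bootloader jumps to */
    uint8_t  attempts;     /* trial boots of active_slot with no heartbeat yet */
    uint8_t  confirmed;    /* app in active_slot has sent a heartbeat at least once */
    uint8_t  pad;
    uint32_t crc;          /* CRC-32 over the fields above; detects a torn write */
} boot_desc_t;

typedef struct {            /* simulated flash: two image slots plus the descriptor */
    uint8_t     slot[2][SLOT_SIZE];
    boot_desc_t desc;
} flash_t;

/* CRC-32 (IEEE 802.3, reflected), bitwise; enough for a 12-byte descriptor. */
static uint32_t crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int b = 0; b < 8; b++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

static void desc_seal(boot_desc_t *d) {
    d->magic = DESC_MAGIC;
    d->crc = crc32((const uint8_t *)d, offsetof(boot_desc_t, crc));
}

static bool desc_valid(const boot_desc_t *d) {
    return d->magic == DESC_MAGIC &&
           d->crc == crc32((const uint8_t *)d, offsetof(boot_desc_t, crc));
}

/* Bootloader entry: choose the slot to run, record the attempt, return the slot. */
int bootloader_select(flash_t *f) {
    boot_desc_t *d = &f->desc;
    if (!desc_valid(d)) {          /* blank or torn descriptor: slot A is the factory image */
        memset(d, 0, sizeof *d);
        d->confirmed = 1;
    }
    if (!d->confirmed && d->attempts >= MAX_BOOT_ATTEMPTS) {
        /* Trial image failed 3 boots without a heartbeat: flip to the other bank,
         * which holds the last confirmed image. */
        d->active_slot ^= 1u;
        d->attempts = 0;
        d->confirmed = 1;
    }
    if (!d->confirmed) d->attempts++;   /* count this trial boot before jumping */
    desc_seal(d);
    return d->active_slot;
}

/* Called by the application on its heartbeat path once it is healthy. */
void app_confirm(flash_t *f) {
    f->desc.confirmed = 1;
    f->desc.attempts = 0;
    desc_seal(&f->desc);
}

/* Verification hook. demo_verify is a CRC stand-in, NOT a signature: a real build
 * supplies ECDSA P-256 verification over the image hash here. */
typedef bool (*verify_fn)(const uint8_t *img, size_t len, const uint8_t tag[4]);
bool demo_verify(const uint8_t *img, size_t len, const uint8_t tag[4]) {
    uint32_t c = crc32(img, len);
    for (int i = 0; i < 4; i++)
        if (tag[i] != ((c >> (8 * i)) & 0xFFu)) return false;
    return true;
}

/* Verify before any flash write, program the inactive slot, then switch the
 * descriptor last so a power loss before that point leaves the running image as is. */
bool stage_update(flash_t *f, const uint8_t *img, size_t len,
                  const uint8_t tag[4], verify_fn verify) {
    if (len > SLOT_SIZE || !verify(img, len, tag))
        return false;                            /* rejected before touching flash */
    uint8_t target = f->desc.active_slot ^ 1u;
    memset(f->slot[target], 0xFF, SLOT_SIZE);    /* erase */
    memcpy(f->slot[target], img, len);           /* program */
    f->desc.active_slot = target;                /* commit point */
    f->desc.attempts = 0;
    f->desc.confirmed = 0;
    desc_seal(&f->desc);
    return true;
}

/* Constructed scenario: confirmed image in A, update staged to B, B never heartbeats.
 * Returns the slot chosen on the fourth boot (0 means rollback to A). */
int run_rollback_scenario(void) {
    flash_t f;
    memset(&f, 0xFF, sizeof f);                  /* factory-erased flash */
    bootloader_select(&f);
    app_confirm(&f);
    uint8_t img[8] = "v2-bad", tag[4];
    uint32_t c = crc32(img, sizeof img);
    for (int i = 0; i < 4; i++) tag[i] = (c >> (8 * i)) & 0xFFu;
    if (!stage_update(&f, img, sizeof img, tag, demo_verify)) return -1;
    int slot = -1;
    for (int boot = 0; boot < 4; boot++) slot = bootloader_select(&f);   /* no heartbeat */
    return slot;
}

/* Constructed scenario: a bad tag must be rejected with flash and descriptor untouched. */
bool run_tamper_scenario(void) {
    flash_t f;
    memset(&f, 0xFF, sizeof f);
    bootloader_select(&f);
    uint8_t img[4] = {1, 2, 3, 4}, bad_tag[4] = {0, 0, 0, 0};
    bool accepted = stage_update(&f, img, sizeof img, bad_tag, demo_verify);
    return !accepted && f.desc.active_slot == 0 && f.slot[1][0] == 0xFF;
}
```

The two scenarios exercise the properties the page claims: an image that never heartbeats is tried three times and the fourth boot lands on the previous bank, and a rejected image leaves both the inactive slot and the descriptor exactly as they were. In a real build the descriptor lives in its own flash page (or two alternating pages with a sequence number) so that sealing it is a single atomic write.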
Technology: C · ARM Cortex-M · ECDSA P-256 · FreeRTOS · MQTT
Optimisation pattern: single-bank-permanent-write-to-dual-bank-signature-verified-watchdog-guarded-ota
Outcomes:
Zero meters bricked since the rollback bootloader was deployed across 120,000 units. 36 devices with hardware faults self-recovered via automatic rollback. Update success rate: 99.97%. Fleet update time: 3 days → 6 hours using a parallel staged rollout.