23  Over-the-Air Updates

23.1 Learning Objectives

By the end of this chapter, you will be able to:

• Design OTA Architecture: Plan secure firmware update infrastructure for IoT deployments
• Implement OTA Updates: Add wireless firmware update capability to ESP32 and similar devices
• Secure Update Process: Apply code signing, verification, and encrypted transport
• Handle Rollback: Implement automatic recovery from failed updates

For Beginners: Over-the-Air Updates

Prototyping is building rough, working versions of your IoT device to test ideas quickly and cheaply. Think of it like building a model airplane before constructing the real thing – a prototype reveals problems when they are still easy and inexpensive to fix. Modern prototyping tools make it possible to go from idea to working device in days rather than months.

Sensor Squad: Updating Without Touching

“Imagine having to drive to every single sensor to update its software,” groaned Max the Microcontroller. “If you have 1,000 sensors spread across a city, that is impossible! That is why we need OTA – Over-the-Air updates. New firmware beamed wirelessly to every device.”

Sammy the Sensor asked how it works. “The device connects to an update server, checks if a newer firmware version exists, downloads it, verifies it is not corrupted or tampered with, writes it to a backup partition, and reboots into the new code. If anything goes wrong, it rolls back to the previous working version.”

“Security is critical!” warned Lila the LED. “Every update must be digitally signed so devices only accept genuine firmware from the real manufacturer. Without code signing, a hacker could push malicious firmware to your entire fleet of devices. That would be a disaster.”

Bella the Battery raised a practical concern. “OTA downloads use energy! A full firmware update might take several minutes of active radio time. Plan your updates for when devices are on mains power or fully charged. And always keep enough battery reserve for the rollback – if the update fails mid-download and the device cannot recover, it becomes a brick.”

Key Concepts

• Firmware: Low-level software stored in a device’s non-volatile flash memory that directly controls hardware peripherals.
• SDK (Software Development Kit): Collection of libraries, tools, and documentation provided by a platform vendor to accelerate application development.
• RTOS (Real-Time Operating System): Lightweight OS providing task scheduling and timing guarantees for embedded systems with concurrent requirements.
• Over-the-Air (OTA) Update: Mechanism for delivering new firmware to deployed devices without physical access or a cable connection.
• Unit Test: Automated test verifying a single function or module in isolation, catching bugs before hardware integration.
• CI/CD Pipeline: Automated build, test, and deployment workflow that validates firmware quality on every code change.
• Hardware Abstraction Layer (HAL): Software interface decoupling application code from specific hardware, enabling portability across MCU variants.

23.2 Prerequisites

Before diving into this chapter, you should be familiar with:

• Libraries and Version Control: Firmware dependency management
• Software Architecture Patterns: State machine design

---

Interactive: ESP32 Wi-Fi Connection State Machine

23.3 Why OTA Updates Matter

Moving from prototype to production requires planning for the entire device lifecycle, including how you’ll update firmware after deployment. OTA updates are essential for fixing bugs, patching security vulnerabilities, and adding features without physical access to devices.

Plan for OTA from Day One

Security patches: Fix vulnerabilities discovered after deployment (essential for internet-connected devices)

Feature updates: Add capabilities based on user feedback without hardware recall

Bug fixes: Resolve issues in the field without customer support visits

Compliance: Meet regulations like EU Cyber Resilience Act (mandatory for devices sold in EU after 2027)

Real-world example: A smart thermostat deployed in 2025 may still operate in 2035. Security standards from 2025 will be obsolete by then - OTA updates are the only way to keep devices secure over their 10+ year lifespan.

23.4 OTA Architecture Overview

A complete OTA system involves infrastructure beyond just the device firmware:

OTA System Components:

Component	Purpose	Example Technologies
Build Server	Compile firmware, run CI/CD	GitHub Actions, Jenkins
Signing Service	Cryptographically sign firmware	espsecure.py, OpenSSL, AWS KMS
Distribution	Store firmware files	AWS S3, Azure Blob, Firebase Storage
Update Server	Manage versions, orchestrate rollouts	AWS IoT Jobs, Azure IoT Hub
Device Agent	Download and install updates	ESP-IDF OTA library, Arduino OTA

23.5 Security Requirements Checklist

OTA updates are a critical attack surface. Implement these security controls:

Secure OTA Implementation Checklist

Mandatory Security Controls:

• Code signing: All firmware signed with private key (keep private key secure!)
• Signature verification: Device verifies signature before installing
• Secure boot: Only signed code can run (prevents malware persistence)
• Rollback protection: Prevent downgrade to older vulnerable versions
• A/B partitions: Dual firmware slots for safe update with fallback
• Encrypted transport: TLS for firmware download (prevent man-in-the-middle)
• Version tracking: Monotonic version numbers prevent replay attacks
• Integrity check: SHA-256 hash verification of downloaded firmware

Best Practices:

• Staged rollout: Update 1% -> 10% -> 100% to detect issues early
• Health checks: Verify device operational before marking update successful
• Automatic rollback: Revert to previous firmware if boot fails 3 times
• Update windows: Schedule updates during low-usage periods
• Audit logging: Log all update attempts for debugging

23.6 ESP32 OTA Implementation

23.6.1 Arduino OTA (Simple, for Prototypes)

#include <WiFi.h>
#include <ArduinoOTA.h>

void setup() {
  Serial.begin(115200);
  WiFi.begin("SSID", "PASSWORD");

  // Wait for connection
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }

  // Configure OTA
  ArduinoOTA.setHostname("esp32-sensor");
  ArduinoOTA.setPassword("update-password");

  ArduinoOTA.onStart([]() {
    Serial.println("OTA Update Starting...");
  });

  ArduinoOTA.onEnd([]() {
    Serial.println("\nOTA Update Complete!");
  });

  ArduinoOTA.onProgress([](unsigned int progress, unsigned int total) {
    Serial.printf("Progress: %u%%\r", (progress / (total / 100)));
  });

  ArduinoOTA.onError([](ota_error_t error) {
    Serial.printf("Error[%u]: ", error);
    if (error == OTA_AUTH_ERROR) Serial.println("Auth Failed");
    else if (error == OTA_BEGIN_ERROR) Serial.println("Begin Failed");
    else if (error == OTA_CONNECT_ERROR) Serial.println("Connect Failed");
    else if (error == OTA_RECEIVE_ERROR) Serial.println("Receive Failed");
    else if (error == OTA_END_ERROR) Serial.println("End Failed");
  });

  ArduinoOTA.begin();
  Serial.println("OTA Ready");
}

void loop() {
  ArduinoOTA.handle(); // Must call in loop

  // Your application code here
}

Usage: Upload new firmware wirelessly via Arduino IDE (Tools -> Port -> Network Port)

Putting Numbers to It

OTA Update Data Cost Calculation: For 1,000 devices with 500KB firmware over cellular (LTE-M):

Single update transmission: \[\text{Data per device} = 500KB \times 1.15 \text{ (overhead)} = 575KB = 0.562MB\]

Fleet-wide data cost (at \(\$0.10/MB\) for IoT cellular plan): \[\text{Cost} = 1,000 \text{ devices} \times 0.562MB \times \$0.10 = \$56.15\]

Annual cost with monthly updates: \[\text{Annual} = \$56.15 \times 12 = \$673.80\]

Delta updates (only changed code, avg 80KB): \[\text{Annual} = 1,000 \times 0.078MB \times \$0.10 \times 12 = \$93.75\]

Delta updates save \(\$580/year\) (86% reduction) for 1,000 devices. Critical for cellular deployments where data costs dominate. Wi-Fi deployments care less about size but still benefit from faster updates and less network congestion.

Interactive: OTA Data Cost Calculator

Calculate the annual cost of OTA updates for your device fleet:

viewof num_devices = Inputs.range([100, 100000], {value: 1000, step: 100, label: "Number of devices"})
viewof firmware_size_kb = Inputs.range([50, 5000], {value: 500, step: 50, label: "Firmware size (KB)"})
viewof updates_per_year = Inputs.range([1, 52], {value: 12, step: 1, label: "Updates per year"})
viewof data_cost_per_mb = Inputs.range([0.01, 1.0], {value: 0.10, step: 0.01, label: "Data cost ($/MB)"})
viewof use_delta = Inputs.checkbox(["Use delta updates (85% size reduction)"], {label: "Update strategy"})

ota_calc = {
  const overhead = 1.15;
  const delta_reduction = use_delta.length > 0 ? 0.15 : 1.0;
  const effective_size_mb = (firmware_size_kb * delta_reduction * overhead) / 1024;
  const cost_per_update = num_devices * effective_size_mb * data_cost_per_mb;
  const annual_cost = cost_per_update * updates_per_year;
  const full_size_mb = (firmware_size_kb * overhead) / 1024;
  const full_annual = num_devices * full_size_mb * data_cost_per_mb * updates_per_year;
  const savings = full_annual - annual_cost;
  return {
    effective_size_mb: effective_size_mb,
    cost_per_update: cost_per_update,
    annual_cost: annual_cost,
    full_annual: full_annual,
    savings: savings,
    savings_percent: ((savings / full_annual) * 100)
  };
}

html`<div style="background: var(--bs-light, #f8f9fa); padding: 1.5rem; border-radius: 8px; border-left: 4px solid #16A085; margin-top: 0.5rem;">
<table style="width:100%; border-collapse:collapse;">
<tr style="background: #2C3E50; color: white;">
  <td style="padding:8px; border:1px solid #ddd;"><strong>Metric</strong></td>
  <td style="padding:8px; border:1px solid #ddd;"><strong>Value</strong></td>
</tr>
<tr>
  <td style="padding:8px; border:1px solid #ddd;">Effective firmware size</td>
  <td style="padding:8px; border:1px solid #ddd;">${ota_calc.effective_size_mb.toFixed(2)} MB</td>
</tr>
<tr>
  <td style="padding:8px; border:1px solid #ddd;">Cost per update (all devices)</td>
  <td style="padding:8px; border:1px solid #ddd;">$${ota_calc.cost_per_update.toFixed(2)}</td>
</tr>
<tr style="background: ${use_delta.length > 0 ? '#d4edda' : '#fff'};">
  <td style="padding:8px; border:1px solid #ddd;"><strong>Annual cost</strong></td>
  <td style="padding:8px; border:1px solid #ddd;"><strong>$${ota_calc.annual_cost.toFixed(2)}</strong></td>
</tr>
${use_delta.length > 0 ? `<tr style="background: #d1ecf1;">
  <td style="padding:8px; border:1px solid #ddd;">Annual savings vs full updates</td>
  <td style="padding:8px; border:1px solid #ddd;"><strong>$${ota_calc.savings.toFixed(2)} (${ota_calc.savings_percent.toFixed(1)}%)</strong></td>
</tr>` : ''}
</table>
</div>`

23.6.2 ESP-IDF OTA (Production-grade, with Rollback)

#include "esp_https_ota.h"
#include "esp_ota_ops.h"

void check_for_update() {
  esp_http_client_config_t config = {
    .url = "https://your-server.com/firmware.bin",
    .cert_pem = server_cert_pem,  // Server certificate for TLS
    .timeout_ms = 30000,
  };

  esp_https_ota_config_t ota_config = {
    .http_config = &config,
  };

  ESP_LOGI(TAG, "Starting OTA update...");
  esp_err_t ret = esp_https_ota(&ota_config);

  if (ret == ESP_OK) {
    ESP_LOGI(TAG, "OTA successful! Rebooting...");
    esp_restart();
  } else {
    ESP_LOGE(TAG, "OTA failed: %s", esp_err_to_name(ret));
  }
}

void app_main() {
  // Check if this is first boot after OTA
  const esp_partition_t *running = esp_ota_get_running_partition();
  esp_ota_img_states_t ota_state;

  if (esp_ota_get_state_partition(running, &ota_state) == ESP_OK) {
    if (ota_state == ESP_OTA_IMG_PENDING_VERIFY) {
      // First boot after update - run health checks
      if (run_health_checks()) {
        ESP_LOGI(TAG, "OTA update successful, marking as valid");
        esp_ota_mark_app_valid_cancel_rollback();
      } else {
        ESP_LOGE(TAG, "Health checks failed, rolling back");
        esp_ota_mark_app_invalid_rollback_and_reboot();
      }
    }
  }
}

Key Features:

• Downloads firmware over HTTPS (TLS 1.3)
• Verifies signature against public key
• Writes to inactive partition
• Automatically rolls back if boot fails 3 times

Try It: A/B Partition OTA Simulator

viewof partition_a_ver = Inputs.text({value: "2.3.1", label: "Partition A firmware version"})
viewof partition_b_ver = Inputs.text({value: "2.3.0", label: "Partition B firmware version"})
viewof active_partition = Inputs.radio(["A", "B"], {value: "A", label: "Currently active partition"})
viewof ota_action = Inputs.select(["Idle", "Downloading to inactive", "Verifying signature", "Rebooting into new firmware", "Health check running", "Rollback triggered"], {value: "Idle", label: "OTA action"})

ab_sim = {
  const inactive = active_partition === "A" ? "B" : "A";
  const inactiveVer = active_partition === "A" ? partition_b_ver : partition_a_ver;
  const activeVer = active_partition === "A" ? partition_a_ver : partition_b_ver;
  const actionColors = {
    "Idle": "#7F8C8D",
    "Downloading to inactive": "#3498DB",
    "Verifying signature": "#E67E22",
    "Rebooting into new firmware": "#9B59B6",
    "Health check running": "#16A085",
    "Rollback triggered": "#E74C3C"
  };
  const actionDescriptions = {
    "Idle": "No OTA activity. Device running normally from partition " + active_partition + " (v" + activeVer + ").",
    "Downloading to inactive": "New firmware being written to partition " + inactive + ". Partition " + active_partition + " (v" + activeVer + ") continues running undisturbed.",
    "Verifying signature": "Download complete. Verifying ECDSA signature and SHA-256 hash on partition " + inactive + " before marking it bootable.",
    "Rebooting into new firmware": "Signature valid. Boot flag set to partition " + inactive + ". Device rebooting. If boot fails 3 times, hardware watchdog reverts to partition " + active_partition + ".",
    "Health check running": "Booted into partition " + inactive + ". Running sensor, Wi-Fi, and MQTT checks. Must call esp_ota_mark_app_valid() within 10 minutes or automatic rollback occurs.",
    "Rollback triggered": "Health check failed or boot loop detected. Reverting to partition " + active_partition + " (v" + activeVer + "). Device is safe."
  };
  return {
    active: active_partition,
    inactive: inactive,
    activeVer: activeVer,
    inactiveVer: inactiveVer,
    color: actionColors[ota_action],
    description: actionDescriptions[ota_action],
    isRollback: ota_action === "Rollback triggered"
  };
}

html`<div style="background: var(--bs-light, #f8f9fa); padding: 1.5rem; border-radius: 8px; border-left: 4px solid ${ab_sim.color}; margin-top: 0.5rem;">
<h4 style="margin-top:0; color: #2C3E50;">ESP32 Partition Layout</h4>
<div style="display: flex; gap: 1rem; margin-bottom: 1rem;">
  <div style="flex:1; padding: 1rem; border-radius: 6px; border: 3px solid ${ab_sim.active === 'A' ? '#16A085' : '#ddd'}; background: ${ab_sim.active === 'A' ? '#d4edda' : '#f8f9fa'};">
    <strong style="color: #2C3E50;">Partition A</strong><br/>
    <span style="font-family: monospace;">v${partition_a_ver}</span><br/>
    <span style="font-size: 0.85em; color: ${ab_sim.active === 'A' ? '#16A085' : '#7F8C8D'};">
      ${ab_sim.active === 'A' ? 'ACTIVE (running)' : 'INACTIVE'}
    </span>
  </div>
  <div style="flex:1; padding: 1rem; border-radius: 6px; border: 3px solid ${ab_sim.active === 'B' ? '#16A085' : '#ddd'}; background: ${ab_sim.active === 'B' ? '#d4edda' : '#f8f9fa'};">
    <strong style="color: #2C3E50;">Partition B</strong><br/>
    <span style="font-family: monospace;">v${partition_b_ver}</span><br/>
    <span style="font-size: 0.85em; color: ${ab_sim.active === 'B' ? '#16A085' : '#7F8C8D'};">
      ${ab_sim.active === 'B' ? 'ACTIVE (running)' : 'INACTIVE'}
    </span>
  </div>
</div>
<p style="margin: 0; padding: 0.75rem; background: white; border-radius: 4px; border-left: 3px solid ${ab_sim.color};">
  <strong style="color: ${ab_sim.color};">${ota_action}:</strong> ${ab_sim.description}
</p>
${ab_sim.isRollback ? '<p style="margin-top: 0.5rem; margin-bottom: 0; padding: 0.5rem; background: #f8d7da; border-radius: 4px; font-size: 0.9em;">The A/B partition scheme ensures the device always has a known-good firmware to fall back to. Without dual partitions, a failed update could permanently brick the device.</p>' : ''}
</div>`

23.7 Rollback Scenarios

Your OTA system must handle failures gracefully:

Rollback Triggers:

1. Boot failure: Watchdog timeout -> automatic rollback
2. Health check failure: Sensor offline, Wi-Fi fails, cloud unreachable
3. Manual rollback: Operator command via device management
4. Timeout: No “update successful” confirmation within 10 minutes

Health Check Implementation:

bool run_health_checks() {
  // Test 1: Can we read sensors?
  if (!test_sensor_readings()) {
    ESP_LOGE(TAG, "Health check failed: Sensors not responding");
    return false;
  }

  // Test 2: Can we connect to Wi-Fi?
  if (WiFi.status() != WL_CONNECTED) {
    ESP_LOGE(TAG, "Health check failed: Wi-Fi not connected");
    return false;
  }

  // Test 3: Can we reach cloud server?
  if (!test_cloud_connection()) {
    ESP_LOGE(TAG, "Health check failed: Cloud unreachable");
    return false;
  }

  ESP_LOGI(TAG, "All health checks passed!");
  return true;
}

Try It: Health Check Timeout Budget

viewof sensor_check_ms = Inputs.range([100, 5000], {value: 500, step: 100, label: "Sensor test timeout (ms)"})
viewof wifi_check_ms = Inputs.range([1000, 30000], {value: 5000, step: 500, label: "Wi-Fi reconnect timeout (ms)"})
viewof cloud_check_ms = Inputs.range([1000, 30000], {value: 10000, step: 500, label: "Cloud connection timeout (ms)"})
viewof mqtt_check_ms = Inputs.range([1000, 20000], {value: 8000, step: 500, label: "MQTT publish test timeout (ms)"})
viewof max_boot_attempts = Inputs.range([1, 10], {value: 3, step: 1, label: "Max boot attempts before rollback"})

hc_budget = {
  const total_ms = sensor_check_ms + wifi_check_ms + cloud_check_ms + mqtt_check_ms;
  const total_sec = total_ms / 1000;
  const worst_case_sec = total_sec * max_boot_attempts;
  const rollback_window_min = 10;
  const fits = worst_case_sec < (rollback_window_min * 60);
  const utilization = (worst_case_sec / (rollback_window_min * 60)) * 100;
  return {
    total_ms: total_ms,
    total_sec: total_sec,
    worst_case_sec: worst_case_sec,
    fits: fits,
    utilization: utilization,
    rollback_window_min: rollback_window_min
  };
}

html`<div style="background: var(--bs-light, #f8f9fa); padding: 1.5rem; border-radius: 8px; border-left: 4px solid ${hc_budget.fits ? '#16A085' : '#E74C3C'}; margin-top: 0.5rem;">
<h4 style="margin-top:0; color: #2C3E50;">Health Check Timing Analysis</h4>
<div style="margin-bottom: 1rem;">
  <div style="display: flex; gap: 4px; height: 28px; border-radius: 4px; overflow: hidden;">
    <div style="flex: ${sensor_check_ms}; background: #3498DB;" title="Sensor: ${sensor_check_ms}ms"></div>
    <div style="flex: ${wifi_check_ms}; background: #16A085;" title="Wi-Fi: ${wifi_check_ms}ms"></div>
    <div style="flex: ${cloud_check_ms}; background: #E67E22;" title="Cloud: ${cloud_check_ms}ms"></div>
    <div style="flex: ${mqtt_check_ms}; background: #9B59B6;" title="MQTT: ${mqtt_check_ms}ms"></div>
  </div>
  <div style="display: flex; gap: 1rem; font-size: 0.8em; margin-top: 4px; flex-wrap: wrap;">
    <span><span style="color: #3498DB;">&#9632;</span> Sensor ${sensor_check_ms}ms</span>
    <span><span style="color: #16A085;">&#9632;</span> Wi-Fi ${wifi_check_ms}ms</span>
    <span><span style="color: #E67E22;">&#9632;</span> Cloud ${cloud_check_ms}ms</span>
    <span><span style="color: #9B59B6;">&#9632;</span> MQTT ${mqtt_check_ms}ms</span>
  </div>
</div>
<table style="width:100%; border-collapse:collapse;">
<tr>
  <td style="padding:8px; border:1px solid #ddd;">Single check pass</td>
  <td style="padding:8px; border:1px solid #ddd;"><strong>${(hc_budget.total_sec).toFixed(1)}s</strong> (${hc_budget.total_ms.toLocaleString()} ms)</td>
</tr>
<tr>
  <td style="padding:8px; border:1px solid #ddd;">Worst case (${max_boot_attempts} attempts)</td>
  <td style="padding:8px; border:1px solid #ddd;"><strong>${(hc_budget.worst_case_sec).toFixed(1)}s</strong></td>
</tr>
<tr style="background: ${hc_budget.fits ? '#d4edda' : '#f8d7da'};">
  <td style="padding:8px; border:1px solid #ddd;">Rollback window usage</td>
  <td style="padding:8px; border:1px solid #ddd;"><strong>${hc_budget.utilization.toFixed(1)}%</strong> of ${hc_budget.rollback_window_min}-minute window</td>
</tr>
</table>
<p style="margin-top: 0.75rem; margin-bottom: 0; padding: 0.5rem; background: ${hc_budget.fits ? '#d1ecf1' : '#f8d7da'}; border-radius: 4px; font-size: 0.9em;">
${hc_budget.fits
  ? 'All ' + max_boot_attempts + ' boot attempts complete within the 10-minute rollback window. The device has ' + ((hc_budget.rollback_window_min * 60) - hc_budget.worst_case_sec).toFixed(0) + 's of margin before automatic rollback triggers.'
  : 'Warning: ' + max_boot_attempts + ' boot attempts (' + hc_budget.worst_case_sec.toFixed(0) + 's) exceed the 10-minute rollback window. Reduce timeouts or boot attempts to ensure the device can complete health checks before the watchdog triggers rollback.'}
</p>
</div>`

23.8 OTA Update Strategies

Strategy	Pros	Cons	Best For
Full image	Simple, guaranteed consistency	Large download (1-5 MB)	Prototypes, good bandwidth
Delta/diff	Small download (10-100 KB)	Complex, requires base version	NB-IoT, LoRaWAN, cellular
Staged rollout	Safe, detect issues early	Slow, version fragmentation	Production deployments
Immediate	Fast, all devices updated	Risky if update is broken	Development/testing only

Interactive: Staged Rollout Impact Calculator

Explore how staged rollouts reduce risk when firmware updates have bugs:

viewof total_fleet = Inputs.range([1000, 100000], {value: 10000, step: 1000, label: "Total devices"})
viewof bug_rate = Inputs.range([0, 20], {value: 2, step: 0.5, label: "Bug rate (%)"})
viewof recovery_cost = Inputs.range([50, 500], {value: 200, step: 10, label: "Recovery cost per device ($)"})
viewof rollout_strategy = Inputs.select(["Immediate (100%)", "Staged (1% → 10% → 100%)"], {value: "Staged (1% → 10% → 100%)", label: "Rollout strategy"})

rollout_impact = {
  const bug_probability = bug_rate / 100;

  if (rollout_strategy === "Immediate (100%)") {
    const affected = Math.round(total_fleet * bug_probability);
    const total_cost = affected * recovery_cost;
    return {
      stage: "Immediate deployment",
      affected: affected,
      total_cost: total_cost,
      detected_at: "100% rollout",
      can_abort: false
    };
  } else {
    // Staged: detect at 1% canary
    const canary_size = Math.round(total_fleet * 0.01);
    const affected = Math.round(canary_size * bug_probability);
    const total_cost = affected * recovery_cost;
    return {
      stage: "Canary (1%)",
      affected: affected,
      total_cost: total_cost,
      detected_at: `${canary_size} devices`,
      can_abort: true,
      avoided_devices: total_fleet - canary_size,
      avoided_cost: Math.round((total_fleet - canary_size) * bug_probability * recovery_cost)
    };
  }
}

html`<div style="background: var(--bs-light, #f8f9fa); padding: 1.5rem; border-radius: 8px; border-left: 4px solid ${rollout_impact.can_abort ? '#16A085' : '#E67E22'}; margin-top: 0.5rem;">
<h4 style="margin-top:0; color: #2C3E50;">Impact Analysis</h4>
<table style="width:100%; border-collapse:collapse;">
<tr>
  <td style="padding:8px; border:1px solid #ddd;"><strong>Detection stage</strong></td>
  <td style="padding:8px; border:1px solid #ddd;">${rollout_impact.detected_at}</td>
</tr>
<tr>
  <td style="padding:8px; border:1px solid #ddd;"><strong>Affected devices</strong></td>
  <td style="padding:8px; border:1px solid #ddd;">${rollout_impact.affected.toLocaleString()}</td>
</tr>
<tr style="background: ${rollout_impact.can_abort ? '#fff3cd' : '#f8d7da'};">
  <td style="padding:8px; border:1px solid #ddd;"><strong>Recovery cost</strong></td>
  <td style="padding:8px; border:1px solid #ddd;"><strong>$${rollout_impact.total_cost.toLocaleString()}</strong></td>
</tr>
${rollout_impact.can_abort ? `<tr style="background: #d4edda;">
  <td style="padding:8px; border:1px solid #ddd;"><strong>Cost avoided</strong></td>
  <td style="padding:8px; border:1px solid #ddd;"><strong>$${rollout_impact.avoided_cost.toLocaleString()}</strong></td>
</tr>
<tr style="background: #d4edda;">
  <td style="padding:8px; border:1px solid #ddd;"><strong>Protected devices</strong></td>
  <td style="padding:8px; border:1px solid #ddd;"><strong>${rollout_impact.avoided_devices.toLocaleString()}</strong></td>
</tr>` : ''}
</table>
<p style="margin-top:1rem; padding:0.75rem; background:${rollout_impact.can_abort ? '#d1ecf1' : '#f8d7da'}; border-radius:4px; margin-bottom:0;">
${rollout_impact.can_abort ?
  `✓ Staged rollout detected the bug at 1% and aborted deployment, protecting ${((rollout_impact.avoided_devices / total_fleet) * 100).toFixed(1)}% of your fleet.` :
  `✗ Immediate deployment affected all ${total_fleet.toLocaleString()} devices. A staged rollout would have saved $${rollout_impact.total_cost.toLocaleString()} in recovery costs.`}
</p>
</div>`

23.9 Real-World OTA Failure: The Lockitron Smart Lock (2017)

Lockitron, an early smart lock startup, pushed a firmware update to approximately 10,000 deployed locks in December 2017 that introduced a timing bug in the Bluetooth pairing sequence. The consequences illustrate why staged rollouts and health checks are non-negotiable:

Timeline	Event	Impact
Day 0 (Friday 6 PM)	Update pushed to 100% of fleet simultaneously	No staged rollout – all devices updated within 2 hours
Day 0 (8 PM)	First user reports: lock accepts Bluetooth connection but fails to actuate deadbolt	Support ticket volume: 12 tickets/hour (vs. normal 2/day)
Day 1 (Saturday)	800+ users locked out of homes	Emergency locksmiths called; Lockitron pays $150-300 per lockout
Day 2 (Sunday)	Rollback firmware pushed, but 15% of devices fail to download (battery depleted during repeated BLE retry loops)	1,500 devices require manual USB firmware recovery
Day 7	Field technicians dispatched to 1,500 homes for manual recovery	Cost: $200/visit average (travel + labor + replacement battery)
Total cost		$450K+ in direct costs (locksmith fees, field visits, customer credits, lost subscribers)

What went wrong (and the fix for each):

1. No staged rollout: A 1% canary release to 100 devices would have caught the bug from 1-2 reports instead of 800+
2. Friday evening deployment: No engineering team available to monitor. Best practice: deploy Tuesday-Wednesday mornings
3. No battery-aware update scheduling: Devices with <40% battery should defer updates until charged
4. No automatic rollback: The lock had A/B partitions but no health check to trigger rollback. A simple “can I actuate the deadbolt within 10 seconds of boot?” test would have reverted to the working firmware automatically

23.10 Common OTA Pitfalls

Mistake	Why It’s Bad	Solution
No rollback mechanism	Broken update bricks all devices	Implement A/B partitions + automatic rollback
Unsigned firmware	Attackers can install malicious code	Always sign firmware, verify on device
Update all devices immediately	Broken update affects entire fleet	Staged rollout (1% -> 10% -> 100%)
No health checks	Device boots but doesn’t work properly	Validate sensors, Wi-Fi, cloud connectivity
Hardcoded update server URL	Can’t change server after deployment	Use configurable endpoint or DNS
Large firmware binaries	Slow downloads, high bandwidth costs	Optimize binary size, use delta updates
No version tracking	Can’t identify which firmware is running	Embed version in firmware, report to cloud

Try It: OTA Security Readiness Scorecard

viewof sec_code_signing = Inputs.checkbox(["Code signing (firmware signed with private key)"])
viewof sec_sig_verify = Inputs.checkbox(["Signature verification on device"])
viewof sec_secure_boot = Inputs.checkbox(["Secure boot enabled"])
viewof sec_tls = Inputs.checkbox(["TLS encrypted transport"])
viewof sec_ab_partitions = Inputs.checkbox(["A/B dual partitions"])
viewof sec_rollback = Inputs.checkbox(["Automatic rollback on failure"])
viewof sec_health_checks = Inputs.checkbox(["Post-update health checks"])
viewof sec_version_tracking = Inputs.checkbox(["Monotonic version tracking"])
viewof sec_staged_rollout = Inputs.checkbox(["Staged rollout (canary releases)"])
viewof sec_audit_log = Inputs.checkbox(["Audit logging of update attempts"])

sec_score = {
  const weights = [
    {name: "Code signing", checked: sec_code_signing.length > 0, points: 15, category: "critical"},
    {name: "Signature verification", checked: sec_sig_verify.length > 0, points: 15, category: "critical"},
    {name: "Secure boot", checked: sec_secure_boot.length > 0, points: 10, category: "critical"},
    {name: "TLS transport", checked: sec_tls.length > 0, points: 10, category: "critical"},
    {name: "A/B partitions", checked: sec_ab_partitions.length > 0, points: 10, category: "safety"},
    {name: "Automatic rollback", checked: sec_rollback.length > 0, points: 10, category: "safety"},
    {name: "Health checks", checked: sec_health_checks.length > 0, points: 10, category: "safety"},
    {name: "Version tracking", checked: sec_version_tracking.length > 0, points: 8, category: "operations"},
    {name: "Staged rollout", checked: sec_staged_rollout.length > 0, points: 7, category: "operations"},
    {name: "Audit logging", checked: sec_audit_log.length > 0, points: 5, category: "operations"}
  ];
  const earned = weights.filter(w => w.checked).reduce((s, w) => s + w.points, 0);
  const critical_earned = weights.filter(w => w.checked && w.category === "critical").reduce((s, w) => s + w.points, 0);
  const critical_total = weights.filter(w => w.category === "critical").reduce((s, w) => s + w.points, 0);
  const missing_critical = weights.filter(w => !w.checked && w.category === "critical").map(w => w.name);
  let grade = "F";
  let gradeColor = "#E74C3C";
  if (earned >= 90) { grade = "A"; gradeColor = "#16A085"; }
  else if (earned >= 75) { grade = "B"; gradeColor = "#3498DB"; }
  else if (earned >= 60) { grade = "C"; gradeColor = "#E67E22"; }
  else if (earned >= 40) { grade = "D"; gradeColor = "#E67E22"; }
  return {
    earned: earned,
    grade: grade,
    gradeColor: gradeColor,
    critical_earned: critical_earned,
    critical_total: critical_total,
    missing_critical: missing_critical,
    production_ready: earned >= 75 && missing_critical.length === 0
  };
}

html`<div style="background: var(--bs-light, #f8f9fa); padding: 1.5rem; border-radius: 8px; border-left: 4px solid ${sec_score.gradeColor}; margin-top: 0.5rem;">
<div style="display: flex; align-items: center; gap: 1.5rem; margin-bottom: 1rem;">
  <div style="width: 70px; height: 70px; border-radius: 50%; background: ${sec_score.gradeColor}; display: flex; align-items: center; justify-content: center; color: white; font-size: 2em; font-weight: bold; flex-shrink: 0;">${sec_score.grade}</div>
  <div>
    <div style="font-size: 1.3em; font-weight: bold; color: #2C3E50;">${sec_score.earned}/100 Points</div>
    <div style="color: #7F8C8D;">Critical security: ${sec_score.critical_earned}/${sec_score.critical_total} | ${sec_score.production_ready ? 'Production ready' : 'Not production ready'}</div>
  </div>
</div>
<div style="background: #ddd; border-radius: 4px; height: 12px; margin-bottom: 1rem;">
  <div style="background: ${sec_score.gradeColor}; border-radius: 4px; height: 12px; width: ${sec_score.earned}%; transition: width 0.3s;"></div>
</div>
${sec_score.missing_critical.length > 0 ? '<p style="margin: 0; padding: 0.75rem; background: #f8d7da; border-radius: 4px; font-size: 0.9em;"><strong style="color: #E74C3C;">Missing critical controls:</strong> ' + sec_score.missing_critical.join(", ") + '. These are mandatory for any production deployment. Without code signing and verification, attackers can push malicious firmware to your entire fleet.</p>' : '<p style="margin: 0; padding: 0.75rem; background: #d4edda; border-radius: 4px; font-size: 0.9em;"><strong style="color: #16A085;">All critical security controls implemented.</strong> Your OTA system meets minimum security requirements for production deployment.</p>'}
</div>`

Worked Example: Designing a Secure OTA Update System for ESP32 Fleet (5,000 Devices)

Project: Smart building sensor network with 5,000 ESP32-based devices deployed across 12 office buildings. Devices measure temperature, humidity, CO2, and occupancy. Current firmware version: 2.3.1. Critical bug discovered: MQTT reconnection loop drains battery in 48 hours (should last 6 months). Immediate OTA update required.

Step 1: Build and Sign Firmware (CI/CD Pipeline)

# build-and-sign.sh - runs on GitHub Actions
#!/bin/bash
set -e

# Build firmware
cd firmware/
platformio run --environment esp32-prod

# Generate version metadata
VERSION="2.3.2"
BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
git_commit=$(git rev-parse --short HEAD)

# Create manifest
cat > firmware_manifest.json <<EOF
{
  "version": "$VERSION",
  "build_date": "$BUILD_DATE",
  "git_commit": "$git_commit",
  "min_previous_version": "2.0.0",
  "size_bytes": $(stat -f%z .pio/build/esp32-prod/firmware.bin)
}
EOF

# Sign firmware with private key (stored in GitHub Secrets)
# Uses ECDSA P-256 (ESP32 bootloader supports this)
espsecure.py sign_data \
  --keyfile $SIGNING_KEY_PATH \
  --version 2 \
  .pio/build/esp32-prod/firmware.bin \
  --output firmware_v2.3.2_signed.bin

# Compute SHA-256 hash for integrity check
sha256sum firmware_v2.3.2_signed.bin > firmware_v2.3.2_signed.sha256

# Upload to S3 distribution bucket
aws s3 cp firmware_v2.3.2_signed.bin s3://iot-firmware-prod/esp32/
aws s3 cp firmware_manifest.json s3://iot-firmware-prod/esp32/latest_manifest.json

Step 2: Staged Rollout Configuration

// rollout_config.json - AWS IoT Jobs configuration
{
  "rollout_version": "2.3.2",
  "stages": [
    {
      "stage_name": "canary",
      "device_count": 50,
      "success_criteria": {
        "min_success_rate": 0.95,
        "max_rollback_rate": 0.05,
        "monitoring_duration_hours": 24
      }
    },
    {
      "stage_name": "pilot",
      "device_count": 500,
      "success_criteria": {
        "min_success_rate": 0.98,
        "max_rollback_rate": 0.02,
        "monitoring_duration_hours": 48
      }
    },
    {
      "stage_name": "full_deployment",
      "device_count": 4450,
      "success_criteria": {
        "min_success_rate": 0.99,
        "monitoring_duration_hours": 168
      }
    }
  ],
  "abort_conditions": {
    "boot_failure_threshold": 3,
    "health_check_timeout_minutes": 10,
    "mqtt_reconnect_failure_count": 5
  }
}

Step 3: Device-Side Update Handler

// ota_manager.cpp - ESP32 device code
#include "esp_https_ota.h"
#include "esp_ota_ops.h"

void OTAManager::checkForUpdate() {
  HTTPClient http;
  http.begin("https://iot-firmware.s3.amazonaws.com/esp32/latest_manifest.json");
  if (http.GET() == 200) {
    JsonDocument manifest;
    deserializeJson(manifest, http.getString());
    if (manifest["version"] != FIRMWARE_VERSION)
      performOTA(manifest["url"]);
  }
}

void OTAManager::performOTA(const char* firmwareURL) {
  esp_http_client_config_t config = {
    .url = firmwareURL,
    .cert_pem = AWS_ROOT_CA,
    .timeout_ms = 30000,
  };
  esp_https_ota_config_t ota_config = { .http_config = &config };

  esp_err_t ret = esp_https_ota(&ota_config);
  if (ret == ESP_OK) { esp_restart(); }
  else { reportOTAFailure(ret); }
}

After OTA, the device validates the update on first boot and rolls back automatically if health checks fail:

void OTAManager::validateUpdate() {
  const esp_partition_t *running = esp_ota_get_running_partition();
  esp_ota_img_states_t ota_state;

  if (esp_ota_get_state_partition(running, &ota_state) == ESP_OK
      && ota_state == ESP_OTA_IMG_PENDING_VERIFY) {
    if (runHealthChecks()) {
      esp_ota_mark_app_valid_cancel_rollback();
    } else {
      esp_ota_mark_app_invalid_rollback_and_reboot();
    }
  }
}

bool OTAManager::runHealthChecks() {
  return sensorController.testAllSensors()
      && WiFi.status() == WL_CONNECTED
      && mqttClient.connect()
      && mqttClient.publish("health/test", "OK");
}

Step 4: Rollout Timeline and Results

Stage	Start Time	Device Count	Success Rate	Failures	Rollbacks	Duration
Canary	Day 1, 02:00 UTC	50	100% (50/50)	0	0	24 hours
Pilot	Day 2, 02:00 UTC	500	98.4% (492/500)	8	8	48 hours
Full	Day 4, 02:00 UTC	4,450	99.1% (4,410/4,450)	28	12	7 days

Failure Analysis (36 total failures across all stages):

Failure Mode	Count	Root Cause	Resolution
Download timeout	18	Poor Wi-Fi signal, temporary network outage	Devices retried successfully within 24 hours
Health check failed (MQTT)	12	Incorrect MQTT credentials in firmware config	Emergency hotfix firmware v2.3.3 pushed to rollback devices
Boot loop (rollback)	4	Corrupt partition table from prior manual firmware flash	Manual factory reset required on-site
Battery dead during update	2	Battery <20% when update started	Added battery check: defer update if <40%

Total Cost & Timeline:

• Development time: 2 weeks (OTA infrastructure, testing)
• Cloud costs: $45/month (S3 storage + CloudFront distribution)
• Failed updates requiring on-site visit: 4 devices @ $200/visit = $800
• Total rollout duration: 11 days from build to 99% deployment
• Battery drain bug eliminated: Saved estimated $180,000 in battery replacement costs over 2 years

Key Lessons:

1. Staged rollout is non-negotiable: The 12 MQTT credential failures (2.4% of pilot stage) would have bricked 120 devices if deployed to all 5,000 immediately
2. Health checks must test actual functionality: Boot-up success != operational device. Must verify sensors, Wi-Fi, and MQTT
3. Automatic rollback saves field visits: 12 devices auto-rolled back, saving $2,400 in tech visits vs. manual recovery
4. Battery state matters: 2 devices bricked during update due to low battery. Always check battery level and defer updates if insufficient charge

Decision Framework: Choosing an OTA Update Strategy

Strategy	Delta/Diff Updates	Full Image Updates	Modular Updates	On-Demand Updates
Download Size	10-100 KB (patch file)	1-5 MB (complete firmware)	50-500 KB (single module)	Variable (user-triggered)
Update Speed	Fast (30 sec on cellular)	Slow (5-15 min on cellular)	Medium (1-3 min)	Fast (cached locally)
Complexity	High (diff generation, patch algorithm)	Low (simple binary replacement)	Medium (module versioning)	Low (standard OTA)
Risk	High (patch errors = brick)	Low (verified complete image)	Medium (module compatibility)	Low (user controls timing)
Bandwidth Cost	Very low ($0.01/device on cellular)	High ($0.50/device on cellular)	Low ($0.05/device)	Variable
Rollback	Complex (undo patch)	Simple (swap partitions)	Moderate (revert module)	Simple (user re-downloads)
Best For	NB-IoT, LoRaWAN (severely constrained bandwidth)	Wi-Fi, Ethernet (good bandwidth)	Microservices architecture	Consumer devices (user control)

Decision Criteria:

1. What is your network bandwidth?
   • <10 kbps (NB-IoT, LoRaWAN): Use delta updates
   • 100 kbps - 1 Mbps (cellular): Use full image with compression

   • 10 Mbps (Wi-Fi, Ethernet): Use full image

2. How often do you update?
   • Daily/weekly (frequent): Delta updates save bandwidth
   • Monthly/quarterly (infrequent): Full image is simpler
3. What is your firmware architecture?
   • Monolithic single binary: Full image
   • Microservices/plugin architecture: Modular updates
   • Security-critical only: Delta updates for patches
4. What is your acceptable downtime?
   • Zero tolerance: A/B partitions with instant rollback (full image)
   • Minutes acceptable: Delta updates (longer to apply)
   • User-controlled: On-demand updates
5. What is your team’s expertise?
   • Limited embedded experience: Full image (simpler)
   • Strong embedded team: Delta updates (complex but efficient)

Recommended Starting Point for 90% of IoT Projects: Full image OTA with A/B partitions, staged rollout (1% → 10% → 100%), and automatic health-check-based rollback. This balances simplicity, safety, and flexibility. Optimize to delta updates only if bandwidth costs exceed $10,000/year or network is severely constrained (<10 kbps).

Common Mistake: Friday Evening OTA Deployments

The Scenario: Your team has been working hard to fix a critical bug in your smart thermostat firmware. Version 3.2.5 is ready on Friday at 5 PM. The QA team tested it all week and everything looks good. Your VP of Engineering wants the fix deployed immediately to stop customer complaints over the weekend.

You click “Deploy to All Devices” at 5:30 PM on Friday and head home for the weekend.

What Happens Next:

Friday 6:00 PM - 8:00 PM: 12,000 thermostats worldwide download and install firmware v3.2.5. Update appears successful - devices reboot and report “v3.2.5” to the cloud.

Friday 9:00 PM: Customer support tickets start trickling in. “My thermostat shows ERROR 0x45 on the screen and won’t respond to the app.”

Saturday 8:00 AM: 340 support tickets. All report the same error code. Your support team doesn’t know what 0x45 means (it’s not documented).

Saturday 10:00 AM: You wake up to 47 missed Slack messages and 12 phone calls. You remote into a test device and discover the issue: The new firmware’s MQTT client library has a critical bug when connecting to MQTT brokers running mosquitto version 2.0.18 (the version used by 15% of your customers who self-host). It triggers an infinite reconnection loop that eventually crashes the device’s network stack, displaying error 0x45.

Your staging environment used mosquitto 2.0.15, which didn’t trigger the bug.

Saturday 10:30 AM: You try to push a rollback to firmware v3.2.4. But the OTA infrastructure requires 2-factor authentication from two senior engineers (security policy). Your colleague is on a plane to Hawaii with no internet.

Saturday 2:00 PM: After 3.5 hours of emergency coordination, you finally push the rollback. But the bricked devices can’t receive OTA updates - they’re stuck in the crash loop and never connect to the update server.

Saturday - Sunday: You spend the entire weekend writing a special “recovery” firmware that bypasses MQTT and uses HTTP fallback to check for updates. You push it to the 15% of devices that are still online and can relay the recovery firmware to bricked neighbors via Bluetooth mesh (a feature you’re glad you built 8 months ago). By Sunday night, 87% of affected devices have recovered. 13% (1,564 devices) require manual USB recovery or replacement.

The Damage:

Cost Category	Amount
Customer support overtime (weekend emergency staffing)	$8,500
Field technician visits for manual recovery (1,564 devices @ $150/visit)	$234,600
Replacement units shipped (devices unreachable for recovery)	$62,000
Cloud infrastructure costs (excess MQTT reconnection attempts, 2M requests/hour)	$3,200
Customer goodwill loss (estimated churn + discounts)	$180,000
Total cost of Friday evening deployment	$488,300

What Should Have Been Done:

1. Tuesday-Wednesday deployments only: Deploy early in the week when your entire team is available to monitor. Never deploy on Friday/holidays.

2. Staged rollout: Deploy to 1% (120 devices) on Tuesday morning. Monitor for 24 hours. If no issues, deploy to 10% (1,200 devices) on Wednesday. Monitor 48 hours. Deploy to 100% on Friday morning (not evening).

3. Test environment parity: Your staging environment must mirror production exactly, including all major mosquitto versions in use. Run a matrix test (firmware v3.2.5 x [mosquitto 2.0.15, 2.0.18, 2.0.22]).

4. Automatic rollback: The device should detect error 0x45 (network stack crash) as a health check failure and automatically rollback to v3.2.4 after 3 boot attempts. This would have self-healed 98% of devices within 10 minutes.

5. Emergency access: OTA rollback should have a “break-glass” single-approver path for critical incidents (logged and audited).

Industry Data (2023 IoT Firmware Survey, n=340 companies):

• 68% of companies have experienced at least one major OTA incident requiring emergency rollback
• Deployment day correlation: 41% of incidents occurred on Friday deployments, 8% on Tuesday deployments
• Average cost of a botched OTA rollout: $120,000 - $850,000 depending on fleet size
• Recovery time: Staged rollouts with automatic rollback resolve 95% of issues within 4 hours. Full-fleet deployments without rollback average 38 hours to recover

In 60 Seconds

This chapter covers over-the-air updates, explaining the core concepts, practical design decisions, and common pitfalls that IoT practitioners need to build effective, reliable connected systems.

The Golden Rule: Never deploy OTA updates when you won’t be available to monitor and respond. Deploy Tuesday-Wednesday mornings, staged rollout with health checks, automatic rollback, and comprehensive testing across all production environment variations.

Try It: Deployment Window Risk Estimator

viewof deploy_day = Inputs.select(["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"], {value: "Tuesday", label: "Deployment day"})
viewof deploy_hour = Inputs.range([0, 23], {value: 10, step: 1, label: "Deployment hour (24h format)"})
viewof team_available = Inputs.radio(["Full team on-call", "Partial team available", "Skeleton crew only"], {value: "Full team on-call", label: "Team availability"})
viewof has_auto_rollback = Inputs.checkbox(["Automatic rollback enabled"])
viewof has_staged_rollout = Inputs.checkbox(["Staged rollout (canary releases)"])

deploy_risk = {
  const dayRisks = {"Monday": 15, "Tuesday": 8, "Wednesday": 10, "Thursday": 18, "Friday": 41, "Saturday": 55, "Sunday": 50};
  const dayRisk = dayRisks[deploy_day];
  const hourRisk = (deploy_hour >= 9 && deploy_hour <= 14) ? 0 : (deploy_hour >= 15 && deploy_hour <= 17) ? 10 : 25;
  const teamRisks = {"Full team on-call": 0, "Partial team available": 15, "Skeleton crew only": 30};
  const teamRisk = teamRisks[team_available];
  const rollbackReduction = has_auto_rollback.length > 0 ? 0.5 : 1.0;
  const stagedReduction = has_staged_rollout.length > 0 ? 0.6 : 1.0;
  const baseRisk = Math.min(100, dayRisk + hourRisk + teamRisk);
  const finalRisk = Math.round(baseRisk * rollbackReduction * stagedReduction);
  const mitigations = [];
  if (has_auto_rollback.length > 0) mitigations.push("auto-rollback (-50%)");
  if (has_staged_rollout.length > 0) mitigations.push("staged rollout (-40%)");
  let level = "Critical";
  let color = "#E74C3C";
  if (finalRisk <= 15) { level = "Low"; color = "#16A085"; }
  else if (finalRisk <= 35) { level = "Moderate"; color = "#E67E22"; }
  else if (finalRisk <= 60) { level = "High"; color = "#E74C3C"; }
  const recommendation = finalRisk <= 15 ? "Good deployment window. Proceed with standard monitoring."
    : finalRisk <= 35 ? "Acceptable risk. Ensure monitoring dashboards are active and team is reachable."
    : finalRisk <= 60 ? "Elevated risk. Consider rescheduling to Tuesday-Wednesday morning with full team."
    : "Do not deploy. Reschedule to a lower-risk window with full team availability and safety controls enabled.";
  return {
    baseRisk: baseRisk,
    finalRisk: finalRisk,
    level: level,
    color: color,
    mitigations: mitigations,
    recommendation: recommendation,
    hourLabel: deploy_hour.toString().padStart(2, "0") + ":00"
  };
}

html`<div style="background: var(--bs-light, #f8f9fa); padding: 1.5rem; border-radius: 8px; border-left: 4px solid ${deploy_risk.color}; margin-top: 0.5rem;">
<h4 style="margin-top:0; color: #2C3E50;">Deployment Risk: ${deploy_day} at ${deploy_risk.hourLabel}</h4>
<div style="display: flex; align-items: center; gap: 1rem; margin-bottom: 1rem;">
  <div style="flex: 1; background: #ddd; border-radius: 4px; height: 20px;">
    <div style="background: ${deploy_risk.color}; border-radius: 4px; height: 20px; width: ${deploy_risk.finalRisk}%; transition: width 0.3s;"></div>
  </div>
  <div style="font-weight: bold; color: ${deploy_risk.color}; white-space: nowrap;">${deploy_risk.finalRisk}% - ${deploy_risk.level}</div>
</div>
<table style="width:100%; border-collapse:collapse; font-size: 0.9em;">
<tr>
  <td style="padding:6px 8px; border:1px solid #ddd;">Base risk (day + hour + team)</td>
  <td style="padding:6px 8px; border:1px solid #ddd;">${deploy_risk.baseRisk}%</td>
</tr>
${deploy_risk.mitigations.length > 0 ? '<tr><td style="padding:6px 8px; border:1px solid #ddd;">Mitigations applied</td><td style="padding:6px 8px; border:1px solid #ddd;">' + deploy_risk.mitigations.join(", ") + '</td></tr>' : ''}
<tr style="background: ${deploy_risk.finalRisk <= 15 ? '#d4edda' : deploy_risk.finalRisk <= 35 ? '#fff3cd' : '#f8d7da'};">
  <td style="padding:6px 8px; border:1px solid #ddd;"><strong>Adjusted risk score</strong></td>
  <td style="padding:6px 8px; border:1px solid #ddd;"><strong>${deploy_risk.finalRisk}%</strong></td>
</tr>
</table>
<p style="margin-top: 0.75rem; margin-bottom: 0; padding: 0.75rem; background: white; border-radius: 4px; border-left: 3px solid ${deploy_risk.color}; font-size: 0.9em;">
<strong>Recommendation:</strong> ${deploy_risk.recommendation}
</p>
</div>`

23.11 Knowledge Check

Quiz: OTA Updates

Matching Quiz: OTA Update Concepts

Ordering Quiz: OTA Update Deployment Pipeline

Common Pitfalls

1. Over-Engineering the Initial Prototype

Adding too many features before validating core user needs wastes weeks of effort on a direction that user testing reveals is wrong. IoT projects frequently discover that users want simpler interactions than engineers assumed. Define and test a minimum viable version first, then add complexity only in response to validated user requirements.

2. Neglecting Security During Development

Treating security as a phase-2 concern results in architectures (hardcoded credentials, unencrypted channels, no firmware signing) that are expensive to remediate after deployment. Include security requirements in the initial design review, even for prototypes, because prototype patterns become production patterns.

3. Ignoring Failure Modes and Recovery Paths

Designing only for the happy path leaves a system that cannot recover gracefully from sensor failures, connectivity outages, or cloud unavailability. Explicitly design and test the behaviour for each failure mode and ensure devices fall back to a safe, locally functional state during outages.

23.12 What’s Next

If you want to…	Read this
Explore application domains for this technology	Application Domains Overview
Learn about UX design for connected devices	UX Design for IoT
Start prototyping with the concepts covered	Prototyping Essentials

Label the Diagram