Firmware Update Guide
The QUAC 100 implements a secure firmware update system with dual-partition failover, hardware-enforced anti-rollback protection, and atomic installation that guarantees either complete success or automatic reversion to the previous known-good firmware.
⚠ Important
Firmware updates are cryptographically signed by Dyber. Do not attempt to install unsigned or third-party firmware images — the device will reject them and the update will abort safely.
Firmware Version Format
QUAC 100 firmware uses a structured version format: X.Y.Z.BBBBB-S
| Field | Size | Description |
|---|---|---|
| Major (X) | 16 bits | Breaking changes, API incompatibility |
| Minor (Y) | 16 bits | New features, backward compatible |
| Patch (Z) | 16 bits | Bug fixes, security patches |
| Build (BBBBB) | 32 bits | Unique build identifier |
| Security (S) | 8 bits | Anti-rollback monotonic counter |
```console
# Check current firmware version
$ quac-info --firmware
QUAC 100 Firmware Information
  Main Firmware:  1.2.0.18432-7
  BMC Firmware:   1.1.0.5210-3
  Boot Loader:    1.0.0 (factory)
  Security Rev:   7 (monotonic counter)
  Build Date:     2025-12-15T14:22:00Z
  Signature:      RSA-4096 / SHA-384 ✓ VALID
```
Flash Partition Layout
| Partition | Size | Contents | Protection |
|---|---|---|---|
| Boot Loader | 2 MB | FSBL, SSBL, recovery code | Write-protected, factory programmed |
| Primary Firmware A | 128 MB | Active firmware images | Authenticated write only |
| Primary Firmware B | 128 MB | Backup firmware images | Authenticated write only |
| Configuration | 16 MB | User configuration, calibration data | Integrity protected |
| Audit Log | 16 MB | Security audit records | Append-only |
| Reserved | 222 MB | Future expansion | Not accessible |
The dual-partition layout enables atomic updates: new firmware is written to the inactive partition while the current firmware continues running. On successful verification, the boot loader switches to the new partition. If the new firmware fails to boot (detected by watchdog timeout), the boot loader automatically reverts to the backup partition.
Update Delivery Methods
| Method | Interface | Speed | Use Case |
|---|---|---|---|
| Network Update | PCIe host interface | High (~200 MB/s) | Production deployment, datacenter fleet updates |
| SD Card Update | microSD card slot | Medium (~25 MB/s) | Field service, air-gapped environments |
| UART Update | Serial console (J2) | Low (~14 KB/s) | Emergency recovery when PCIe is non-functional |
| JTAG Update | JTAG header (J3/J4) | Low (~500 KB/s) | Development, factory programming |
Network Update (Recommended)
```console
# Step 1: Download the firmware package from Dyber
$ wget https://releases.dyber.org/quac100/firmware/quac100-fw-1.3.0.18500-8.dfw
# Step 2: Verify the package signature before installation
$ quac-fw verify quac100-fw-1.3.0.18500-8.dfw
Package Verification:
  Signature:    RSA-4096 / SHA-384 .............. VALID
  Certificate:  Dyber Firmware Signing CA ....... VALID
  Integrity:    SHA-384 hash .................... MATCH
  Target:       QUAC 100 ....................... COMPATIBLE
  Version:      1.3.0.18500-8 .................. NEWER (current: 1.2.0)
  Security Rev: 8 .............................. OK (current: 7)
# Step 3: Install the firmware (requires root/admin)
$ sudo quac-fw update quac100-fw-1.3.0.18500-8.dfw --device 0
[1/6] Validating firmware package .............. OK
[2/6] Checking version compatibility ........... OK
[3/6] Backing up current firmware .............. OK
[4/6] Writing to inactive partition ............ OK (128 MB, 0.6s)
[5/6] Verifying written image .................. OK (SHA-384 match)
[6/6] Activating new firmware .................. OK
Firmware update complete. Reboot required to activate.
  Current: 1.2.0.18432-7 (Partition A — ACTIVE)
  Pending: 1.3.0.18500-8 (Partition B — STAGED)
$ sudo quac-fw reboot --device 0
Rebooting QUAC 100 device 0... done.
Waiting for device... ready (2.1s)
Firmware: 1.3.0.18500-8 — ACTIVE
Self-test: PASSED
```
Update State Machine
```text
┌─────────┐     ┌──────────┐     ┌──────────┐     ┌───────────┐
│  IDLE   │────►│RECEIVING │────►│VERIFYING │────►│INSTALLING │
└─────────┘     └──────────┘     └──────────┘     └───────────┘
     ▲                                                  │
     │                                                  ▼
     │          ┌─────────┐     ┌──────────┐     ┌──────────┐
     └──────────│  ERROR  │◄────│ ROLLBACK │◄────│ TESTING  │
                └─────────┘     └──────────┘     └──────────┘
                                                      │
                                                      ▼
                                                 ┌──────────┐
                                                 │ COMPLETE │
                                                 └──────────┘
```
Firmware Validation
Every firmware package undergoes multi-layer validation before installation:
| Mechanism | Algorithm | Purpose |
|---|---|---|
| Package Signature | RSA-4096 with SHA-384 | Verify Dyber origin and package authenticity |
| Image Hash | SHA-384 | Verify individual firmware image integrity |
| Encryption | AES-256-GCM | Protect confidentiality, provide authenticated encryption |
| Anti-Rollback | eFUSE monotonic counter | Prevent installation of older, vulnerable versions |
| Hardware Binding | Device-specific key | Ensure firmware runs only on authorized hardware |
| Runtime Verification | Secure boot chain | Verify firmware integrity at each boot |
Rollback Protection
The QUAC 100 implements hardware-enforced rollback protection using eFUSE-based monotonic counters that cannot be decremented. Each firmware release includes a security revision level; the device will refuse to install any firmware with a security revision lower than the current counter value.
| Scenario | Response | Automatic | Manual |
|---|---|---|---|
| Update verification failure | Abort update, keep current firmware | Yes | — |
| Boot failure after update | Revert to backup partition | Yes | — |
| Functional test failure | Revert to backup partition | Configurable | Yes |
| User-initiated rollback | Revert to previous version | — | Yes |
| Factory reset | Restore golden image | — | Yes |
```console
# Manual rollback to previous firmware
$ sudo quac-fw rollback --device 0
Rolling back to: 1.2.0.18432-7 (Partition A)
Security revision check: OK (rev 7 >= counter 7)
Activating backup partition... done.
Rebooting... ready (2.3s)
Firmware: 1.2.0.18432-7 — ACTIVE
# Note: Rollback is blocked if the backup version's security
# revision is lower than the eFUSE counter
$ sudo quac-fw rollback --device 0
ERROR: Rollback blocked — backup firmware security revision (5)
is lower than hardware counter (7). This prevents downgrade
to versions with known vulnerabilities.
```
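As an added example (not code from the Dyber documentation or the quac-fw tool), the version format from the table above and the anti-rollback rule described in this section, modelled in Python: the parser enforces the 16/16/16/32/8-bit field widths, and the same check quac-fw reports (security revision >= eFUSE counter) is applied to both an update and a rollback. `FirmwareVersion`, `RollbackCounter`, `is_valid_version` and `check_update` are assumed names, and raising the counter on commit is an assumption of the model; the guide only states that the counter cannot be decremented.

```python
import re
from dataclasses import dataclass

# Field widths from the version table: X/Y/Z 16-bit, build 32-bit, security rev 8-bit.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$")
_LIMITS = (1 << 16, 1 << 16, 1 << 16, 1 << 32, 1 << 8)

@dataclass(frozen=True, order=True)
class FirmwareVersion:
    major: int
    minor: int
    patch: int
    build: int
    security: int  # anti-rollback revision, compared against the eFUSE counter
    @classmethod
    def parse(cls, text: str) -> "FirmwareVersion":
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"malformed version string: {text!r}")
        fields = tuple(int(g) for g in m.groups())
        for value, limit in zip(fields, _LIMITS):
            if value >= limit:
                raise ValueError(f"{value} exceeds {limit.bit_length() - 1}-bit field in {text!r}")
        return cls(*fields)

def is_valid_version(text: str) -> bool:
    try:
        FirmwareVersion.parse(text)
        return True
    except ValueError:
        return False

class RollbackCounter:
    """Model of the eFUSE monotonic counter (assumed name): it only ever goes up."""
    def __init__(self, value: int) -> None:
        self.value = value
    def allows(self, candidate: FirmwareVersion) -> bool:
        # The guide's rule: refuse any image whose security revision is below the counter.
        return candidate.security >= self.value

    def commit(self, installed: FirmwareVersion) -> None:
        # Assumption of this model: a committed install raises the counter to its revision.
        self.value = max(self.value, installed.security)

def check_update(current: str, candidate: str, counter: RollbackCounter) -> str:
    cur, new = FirmwareVersion.parse(current), FirmwareVersion.parse(candidate)
    if not counter.allows(new):
        return f"BLOCKED: security revision {new.security} < counter {counter.value}"
    relation = "NEWER" if new > cur else ("SAME" if new == cur else "OLDER")
    return f"OK ({relation}, rev {new.security} >= counter {counter.value})"
```

With a counter at 7, rolling back to the rev-7 backup is allowed while a rev-5 image is blocked, exactly as the two listings above show; once a rev-8 image has been committed, the rev-7 backup is blocked too.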
BMC Firmware Update
The Board Management Controller (BMC) has its own firmware that is updated separately from the main FPGA firmware. The BMC provides out-of-band management and continues operating even when the main FPGAs are unresponsive.
| Step | Action | Details |
|---|---|---|
| 1 | Preparation | Verify system is stable, no critical operations in progress |
| 2 | Upload Image | Transfer BMC firmware via serial, web interface, or I2C |
| 3 | Verify Signature | Validate RSA-4096 signature using BMC root of trust |
| 4 | Version Check | Verify new version acceptable per update policy |
| 5 | Backup Current | Copy current BMC firmware to backup partition |
| 6 | Program New | Write new firmware to primary partition |
| 7 | Verify Program | Read back and compare with original image |
| 8 | Activate | Reset BMC to boot new firmware |
| 9 | Validation | Verify BMC boots and functions correctly |
| 10 | Commit | Mark update as successful for future boots |
```console
# BMC firmware update via serial console
$ sudo quac-bmc update quac100-bmc-1.2.0.5300-4.dfw --port /dev/ttyS0
[1/5] Connecting to BMC via /dev/ttyS0 (115200 baud) ... OK
[2/5] Authenticating firmware package ................. OK
[3/5] Programming BMC flash ........................... OK (2.1 MB, 8.2s)
[4/5] Verifying flash contents ........................ OK
[5/5] Resetting BMC .................................. OK
BMC firmware updated: 1.1.0 → 1.2.0
```
The BMC update path applies the following security measures:
| Measure | Implementation |
|---|---|
| Authentication | RSA-4096 signature verification with hardware-stored public key |
| Encryption | AES-256-GCM encryption with device-unique key |
| Anti-Rollback | Monotonic counter in OTP memory prevents downgrade |
| Secure Storage | Firmware stored in protected flash region |
| Authorization | Requires administrator authentication before update |
| Audit Logging | All update attempts logged with timestamp and result |
| Tamper Detection | Hardware tamper sensors monitored during update |
Emergency Recovery
If both firmware partitions are corrupted and the device fails to boot, the factory-programmed boot loader provides emergency recovery via UART:
```console
# Emergency UART recovery — connect serial cable to J2 (DB9)
# Terminal settings: 115200 baud, 8N1, no flow control
# 1. Power cycle the device while holding the recovery button (SW1)
# 2. The boot loader enters recovery mode:
QUAC-100 Recovery Mode v1.0.0
> upload firmware
Ready to receive firmware via XMODEM...
[Use terminal's XMODEM send to transfer .dfw file]
Transfer complete: 134,217,728 bytes received
Signature: VALID
Installing to Partition A... done
Rebooting...
# 3. Alternatively, use JTAG for factory-level recovery:
$ sudo quac-jtag flash --file quac100-fw-1.3.0.dfw --target all
Programming Partition A: 128 MB .................. OK
Programming Partition B: 128 MB .................. OK
Resetting configuration to factory defaults ...... OK
Clearing audit log ............................... OK
Device ready.
```