OTA Lab

Release. Reject. Recover.

A clickable proof of the A/B OTA story: the device chooses the inactive slot, verifies signed policy, rejects bad bytes, and returns safely when a trial fails.

Interactive release playground

Switch the active slot. Then choose a release outcome.

The same release policy has to behave correctly from A to B, from B to A, and under negative security tests.

Valid OTA

A signed release reaches the inactive slot and survives reset.

The normal path verifies policy, verifies payload identity, trial boots, and confirms.

Running image: A (confirmed firmware)

Inactive target: B (download target)

Manifest signature: pass. Ed25519 signature matches the embedded public key.

Payload SHA256: pass. Downloaded RPS bytes match the signed sha256 field.

Inactive slot write: pass. Package is written to the opposite A/B slot.

Trial boot: pass. Firmware boots the new slot and reaches confirmation runtime.

Final state: pass. V1.0.26 remains active after hardware reset.

Outcome: New slot confirmed after reset

Running slot A; release package targets inactive slot B.
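
The check order shown in the playground, as an added host-side simulation in Go (not the lab's or the firmware's own code). The Manifest layout, the Install and Release names, the outcome strings and the bootOK flag that stands in for the trial boot are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Manifest is a hypothetical signed release policy; field names are assumptions.
type Manifest struct {
	Version string
	SHA256  [32]byte // signed digest of the payload
	Sig     []byte   // Ed25519 signature over signedBytes()
}
func (m Manifest) signedBytes() []byte { return append([]byte(m.Version+"\x00"), m.SHA256[:]...) }

type Device struct {
	Pub    ed25519.PublicKey // key embedded in the running firmware
	Active int               // 0 = A, 1 = B
	Slots  [2][]byte
}

// Install runs the checks in order; bootOK stands in for the trial boot reaching confirmation.
func (d *Device) Install(m Manifest, payload []byte, bootOK bool) string {
	if !ed25519.Verify(d.Pub, m.signedBytes(), m.Sig) {
		return "rejected: manifest signature" // nothing is written
	}
	if sha256.Sum256(payload) != m.SHA256 {
		return "rejected: payload sha256" // bytes differ from the signed digest
	}
	target := 1 - d.Active // always the opposite slot
	d.Slots[target] = append([]byte(nil), payload...)
	if !bootOK {
		return "recovered: trial boot failed" // Active unchanged, reset returns to the old image
	}
	d.Active = target // confirmation makes the new slot permanent
	return "confirmed"
}

func Release(priv ed25519.PrivateKey, version string, payload []byte) Manifest { // hypothetical signer
	m := Manifest{Version: version, SHA256: sha256.Sum256(payload)}
	m.Sig = ed25519.Sign(priv, m.signedBytes())
	return m
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	d, fw := &Device{Pub: pub}, []byte("constructed firmware image")
	fmt.Println(d.Install(Release(priv, "demo-1", fw), fw, true), "- active slot", d.Active)
}
```

Because the active-slot marker only changes at the confirmation step, every rejection and the failed trial leave the device on the image it was already running.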