The promise of the software-defined vehicle — new features and fixes after the car has shipped — depends entirely on a trustworthy over-the-air (OTA) update system. Done well, it is invisible. Done poorly, it can brick a fleet. The architecture is about delivering change safely, reversibly and at scale.
Updates split into software OTA (SOTA) — applications and services on high-performance computers — and firmware OTA (FOTA) — low-level ECU images, often delivered through the gateway via UDS. SOTA tends to be frequent and app-like; FOTA is rarer, heavier and safety-sensitive. A complete platform handles both behind one campaign and policy engine.
You never ship to a whole fleet at once. Updates roll out in waves — a canary group, then widening cohorts — with health telemetry gating each step. A/B (dual-bank) partitions let an ECU boot the new image while keeping the old one intact, so a failed update rolls back automatically. Pre-conditions (parked, charged, owner consent) protect the user during installation.
Every package is cryptographically signed and verified on the vehicle before it is applied, so only authentic, untampered images install. Frameworks like Uptane harden the supply chain against compromised servers and rollback attacks. The HSM holds the verification keys; the gateway enforces who may push what. Update security and vehicle security are the same problem.