Secure Bootloader

A secure, scalable and integration-ready solution for firmware updates across different MCU architectures – designed with CRA and future security requirements in mind.  

Accelerate device development, reduce the risk of faulty updates and meet security and compliance demands – without building a bootloader from scratch. 

Talk to an expert

Trusted by Leading Innovators

Secure firmware updates for your embedded devices

Your embedded devices are increasingly distributed, connected and exposed to growing regulatory pressure, including the Cyber Resilience Act.  
Every firmware update is no longer just about functionality – it is about security, remote rollout capability and a repeatable, auditable process.  
Codelab’s Secure Bootloader gives you a proven, flexible foundation so you can focus on developing your product instead of reinventing the update mechanism.  

Sounds familiar?

With over 30 years of experience in embedded projects, we are well aware of the challenges our customers face:

failure

No standardized firmware update process

Different device generations, different MCU platforms and no single, unified update mechanism
downtime

Risk of failed updates and “bricked” devices

Devices deployed in the field, costly service visits and downtime.
regulatory-compliance

Growing security and compliance requirements (e.g. CRA)

Need for authentication, encryption, process documentation and formal conformity. 
ram

Limited hardware resources

Devices with tight memory constraints where every kilobyte matters.
disorder (2)

Heterogeneous communication channels

UART, CAN, Ethernet, USB, WiFi/LAN – maintaining multiple update variants becomes complex over time.

How we address these challenges?

You can expect effective solutions to the above issues through:

secure_bootloader-2

Ready, verified bootloader for different MCU architectures

One functional core with the option to adapt it to specific microcontrollers and products.

Secure firmware update

Use of public/private key infrastructure (PKI), optional cloud key management on the customer side, RSA signatures with configurable key length and encrypted transmission (e.g. AES‑256).

OTA and local update capability

Support for standard industrial protocols (UART, CAN, Ethernet, USB, file system such as SD card) with remote updates on demand.

Dedicated recovery mechanisms

Recovery algorithms that restore devices after failed updates, reducing downtime and service costs.

Small footprint and modular architecture

Only the communication and feature modules you need, making it suitable for memory‑constrained devices.

Support for quality and compliance (e.g. CRA readiness)

Beyond software we deliver documentation, test results and security artefacts to support formal requirements.

Flexible licensing model

Per‑product licensing with optional adaptation services (feature extensions, ports, integrations).

What you get with Secure Bootloader

Secure Bootloader is not just code – it is a complete engineering package ready for production integration. 

  • Bootloader software ready to integrate with your application.
  • Software Requirements Specification and Software Architecture description.
  • Integration guide describing step‑by‑step rollout and integration.
  • Unit test reports and/or unit test code (on demand).
  • Integration test reports.
  • Security report (including vulnerabilities) and Software Bill of Materials (SBOM).
wykres new-1

CASE STUDY: Multi-MCU Platform with Security and CRA Compliance Built-In

EMBEDDED BOOTLOADER DEVELOPMENT

difficulties (3)

CHALLENGE

 Customers needed a reliable, secure bootloader that not only handles software startup and upgrades but also meets increasingly strict regulatory requirements like the Cyber Resilience Act (CRA), with support across multiple MCU platforms and diverse communication channels. 

mission (2)

GOAL

Deliver a production-ready, security-focused bootloader platform that supports regulatory compliance (CRA), works across multiple MCU families, and reduces time-to-market through comprehensive documentation and testing.

robot-arm (1)
CUSTOMER CONTEXT

 A global leader in material handling solutions for intralogistics, warehouse automation, and manufacturing logistics across multiple continents. 

The customer develops intelligent conveyor and automation systems operating 24/7
in mission-critical environments. With strict safety and cybersecurity requirements, they needed secure firmware updates, traceability, and comprehensive compliance documentation meeting CRA standards.

Our approach 

  • We prepared bootloaders for several MCUs, including NXP - S32K3, NXP - S32K1, STM32F1, STM32G0 and TI MSPM0G3519 – all built on a single functional base.  

  • We provided configurable modules, including:  

    • security: RSA signatures with variable key lengths, AES‑256 encryption, 

    • update channels: UART, CAN, Ethernet, file system (e.g. SD card), 

    • flexible storage interface to exchange data between the application and bootloader (e.g. software version, update status).  

  • We implemented additional, product‑specific features requested by the customer, with estimated effort and cost for each change. 

Results

  • Extended platform lifetime through modular, maintainable architecture that scales across MCU families.
  • Faster time-to-market thanks to reusable functional base and comprehensive documentation (SW Requirements, Architecture, Integration Instructions).
  • Higher security and compliance with built-in RSA signing, AES-256 encryption, and Security Reports addressing CRA.
  • Reduced risk through extensive testing: Unit Test reports/code, Integration Test reports, and Software Bill of Materials (SBOM).

Our Audit Process – Step by Step

We follow a methodical process designed for efficiency, with sufficient detail to ensure transparency while respecting your time constraints: 

Discovery Call (~1 hour)

A focused meeting to map your business objectives, technical stack and modernization goals. It allows to better understand key deadlines, pain points and define a tailored approach.

Technical & Process Assessment

Based on the discovery phase, our experts conduct a focused audit tailored to your challenges. It covers software, data flows, integrations, architecture, and delivery practices.

Deep-Dive Workshops (~4 hours)

Session that brings stakeholders together to discuss team dynamics and the development process. It helps uncover tools, blockers, and communication gaps.

Reporting & Recommendations

We compile findings into an executive summary and detailed technical report delivering a report with clear, business-aligned next steps.

Deliverables and Timeline

Executive Summary

High-level overview of findings and business implications.

Deep Technical Report

Clear, actionable report highlighting key issues, inefficiencies, and risks.

Improvement Plan

Prioritized recommendations and a structured improvement roadmap, combining quick wins with long-term strategies. All delivered within business days from project start.

PARTNERSHIPS

nxp_semiconductors

Codelab is part of the NXP Semiconductors Partner Ecosystem, which strengthens our capabilities in embedded software, system integration and security‑focused solutions built on NXP platforms.  


Together we support customers in automotive, industrial and IoT domains, with a strong focus on security‑driven initiatives such as CRA readiness and secure bootloader implementations.  

By combining NXP’s advanced semiconductor technologies with Codelab’s 20+ years of experience in embedded systems, we help our clients accelerate development, reduce time‑to‑market and build scalable, production‑ready solutions with high reliability. 

Prepared for the next step?

Related Services