Over-the-air software download in wireless-sensor networks
(Technology News, 12 Oct 2007)
By Larry Friedman, software-design engineer for low-power wireless devices at Texas Instruments Inc.
A characteristic of wireless-sensor networks is their lack of physical connectivity (wiring) between the sensor/actuator array and the network. Although the absence of wires simplifies placing hardware in hard-to-reach locations, when software upgrades become necessary, you can't fall back on wires for downloading the new code. OAD (over-air downloading) solves this problem, but you must address several issues to successfully implement OAD. Texas Instruments supports OAD with the Chipcon Wireless OAD product.
In a layered transport architecture, such as ZigBee/802.15.4, support for a scheme such as OAD is a matter of writing an application. The layer at which this application exists is a design choice, and the choice has implications. For example, writing OAD support as a ZigBee application allows use of the entire stack as infrastructure to support multihop routing, thus eliminating the need for proximity between the source and the target. Using a MAC (media-access control)-layer application would sacrifice this network-routing support to reduce the size of the file-transfer-support code. All methods require a repository of some size to store the downloaded code.
OAD support must be fail-safe. It must be robust enough to survive transmission errors, interrupted file transfers, and interrupted enabling of the new code (that is, interrupted flashing of the new image). If any of these steps fail, the device's remaining software must be able to recover. The file transfer itself must also be secure.
To deal with interrupted transfers, the software must meet two conditions. First, the software entity that supports the transfer on the target must remain intact until the transfer succeeds. Second, you cannot expect the portion being transferred to operate until the transfer is complete.
These two requirements together imply that the downloaded-code repository must store the transferred portion of the new code, and this portion cannot disrupt the code that implements the transfer. If the code meets these conditions, the code supporting an interrupted transfer can retry the transfer at its next opportunity.
Mitigating errors
Frame-check sequences in the ZigBee stack mitigate transmission errors. Various layers each use these sequences to provide their own level of guaranteed-delivery support. In addition, you can apply a mechanism such as CRC (cyclic redundancy check) over the entire transferred file for a final check and to detect incomplete flashing of the newly downloaded code entity. Both ZigBee and the 802.15.4 MAC and PHY (physical) layers also support file-transfer security.
The file-upgrade-distribution architecture addresses how the target platform "knows" that an upgrade is necessary. TI's approach uses a managed client-server technique in which a management tool determines the code versions on each platform and assigns client and server roles depending on the platform's location and the code's availability. The penetration of the new code increases as more target platforms receive the code. Each upgraded client can then become a server to another client. The management tool assigns these roles on the fly. This technique works because these networks, though often large, are well-defined and reasonably stable. A management tool makes sense in this environment.
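
The fail-safe requirement and the whole-file CRC described under "Mitigating errors" can be sketched as a check the target runs on its download repository before enabling a new image. This is an added example, not code from the article or from TI's OAD product. The repository layout, the `oad_*` names and the choice of CRC-16/CCITT-FALSE are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed repository layout (hypothetical, not TI's format):
 * bytes 0-3 payload length, bytes 4-5 CRC-16 (little-endian), then payload. */
#define OAD_HDR 6u
enum oad_status { OAD_OK, OAD_BAD_HEADER, OAD_BAD_CRC };

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); the choice of CRC is an assumption. */
uint16_t oad_crc16(const uint8_t *p, size_t n) {
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)((uint16_t)*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (uint16_t)((crc & 0x8000u) ? (crc << 1) ^ 0x1021u : crc << 1);
    }
    return crc;
}

/* Simulated transfer: header first, then only `written` payload bytes arrive. */
void oad_stage(uint8_t *store, const uint8_t *img, uint32_t len, uint32_t written) {
    uint16_t crc = oad_crc16(img, len);
    for (int i = 0; i < 4; i++) store[i] = (uint8_t)(len >> (8 * i));
    store[4] = (uint8_t)crc;
    store[5] = (uint8_t)(crc >> 8);
    memcpy(store + OAD_HDR, img, written);
}

/* Final check before enabling: the running image is replaced only on OAD_OK.
 * A CRC catches errors and truncation; it does not authenticate the sender. */
enum oad_status oad_check(const uint8_t *store, size_t size) {
    if (size < OAD_HDR) return OAD_BAD_HEADER;
    uint32_t len = (uint32_t)store[0] | (uint32_t)store[1] << 8 |
                   (uint32_t)store[2] << 16 | (uint32_t)store[3] << 24;
    uint16_t want = (uint16_t)(store[4] | (uint16_t)(store[5] << 8));
    if (len == 0 || len > size - OAD_HDR) return OAD_BAD_HEADER; /* erased or corrupt */
    return oad_crc16(store + OAD_HDR, len) == want ? OAD_OK : OAD_BAD_CRC;
}

int main(void) {
    uint8_t store[64];
    const uint8_t img[] = "123456789";           /* constructed sample image */
    memset(store, 0xFF, sizeof store);            /* erased flash reads 0xFF */
    oad_stage(store, img, 9, 7);                  /* transfer interrupted */
    printf("interrupted: %d\n", oad_check(store, sizeof store));
    oad_stage(store, img, 9, 9);                  /* retry completes */
    printf("complete: %d\n", oad_check(store, sizeof store));
    return 0;
}
```

Because the check reads only the repository, the code that performs the transfer stays untouched and can retry after any result other than `OAD_OK`.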