Phase 6 — Deployment & OTA Updates
Deploy firmware and implement secure OTA updates using Nordic's DFU and MCUboot.
Proper deployment includes secure bootloading, over-the-air update capability, and protection against unauthorized access. Nordic's MCUboot integration provides a robust foundation for secure firmware updates.
Steps
Implement Device Firmware Update (DFU)
Set up Nordic's DFU for firmware updates over BLE, UART, or USB.
# prj.conf — DFU over BLE
CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="path/to/key.pem"
CONFIG_NCS_SAMPLE_MCUMGR_BT_OTA_DFU=y
CONFIG_MCUMGR=y
CONFIG_MCUMGR_GRP_IMG=y
CONFIG_MCUMGR_GRP_OS=y
- Use the MCUmgr protocol for a standardized update flow
- Test updates with the nRF Connect mobile app
- Plan partition sizes for the largest expected image
- Implement update progress indication in the UI
See the DFU/FOTA Guide.
Configure the secure bootloader (MCUboot)
Set up MCUboot for verified boot and secure update installation.
# prj.conf — MCUboot
CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="priv-key.pem"
CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
CONFIG_MCUBOOT_IMAGE_VERSION="1.0.0"
Build a signed image:
west build -b nrf52840dk_nrf52840
# Output: build/zephyr/app_signed.hex
Store signing keys securely (use an HSM for production), use different keys for development and production, and test the rollback protection mechanism.
See the MCUboot Guide.
Set up OTA infrastructure
Deploy backend infrastructure for managing and distributing firmware updates.
- Use nRF Cloud for quick prototyping
- Implement version checking before download
- Support delta updates to reduce bandwidth
- Track update success/failure rates
- Plan for fleet segmentation (staged rollouts)
Enable security features
Configure TrustZone, secure key storage, and access protection.
# TrustZone configuration for nRF5340 / nRF9160
CONFIG_ARM_TRUSTZONE_M=y
# Secure Partition Manager
CONFIG_SPM=y
Access protection:
- APPROTECT — blocks debugger access
- SECUREAPPROTECT — blocks secure domain access
- Use the KMU (Key Management Unit) for secure key storage
- Enable APPROTECT in production to prevent debugging
- Use TF-M for advanced secure processing (nRF91)
- Implement secure provisioning for keys
- Test that protection cannot be bypassed
Create production firmware
Build optimized, protected firmware for production deployment.
# Production prj.conf settings
CONFIG_LOG=n
CONFIG_ASSERT=n
CONFIG_DEBUG=n
CONFIG_PRINTK=n
CONFIG_SIZE_OPTIMIZATIONS=y
CONFIG_STACK_CANARIES=y
CONFIG_HW_STACK_PROTECTION=y
Build with the release configuration:
west build -b <board> -- -DCONF_FILE=prj_release.conf
- Create separate debug and release configurations
- Remove all debug output for production
- Enable hardware stack protection
- Verify the final image size fits in flash
- Store build artifacts with version tags
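As an added example (not part of the original guide or of Nordic's tooling), a CI gate in Python that audits a release configuration against the production settings listed above and against the rule from the MCUboot step that development and production use different signing keys. The sample fragments and key paths are constructed, and treating an option that is absent from the file as a failure is an assumption of this gate.

```python
import re

# Values this page lists for production builds; the gate requires each one.
REQUIRED = {
    "CONFIG_LOG": "n", "CONFIG_ASSERT": "n", "CONFIG_DEBUG": "n",
    "CONFIG_PRINTK": "n", "CONFIG_SIZE_OPTIMIZATIONS": "y",
    "CONFIG_STACK_CANARIES": "y", "CONFIG_HW_STACK_PROTECTION": "y",
    "CONFIG_BOOTLOADER_MCUBOOT": "y",
}
KEY_OPT = "CONFIG_MCUBOOT_SIGNATURE_KEY_FILE"
_ASSIGN = re.compile(r"^\s*(CONFIG_\w+)=(.*?)\s*$")
_UNSET = re.compile(r"^\s*#\s*(CONFIG_\w+) is not set\s*$")


def parse_conf(text):
    """Parse Kconfig fragment or .config text; later lines override earlier ones."""
    opts = {}
    for line in text.splitlines():
        if m := _UNSET.match(line):
            opts[m.group(1)] = "n"  # how a generated .config records a disabled bool
        elif m := _ASSIGN.match(line):
            opts[m.group(1)] = m.group(2).strip('"')  # inline comments stay in the value
    return opts


def audit_release(release_text, dev_text=""):
    """Return findings for a release config; an empty list means it passes."""
    rel, dev = parse_conf(release_text), parse_conf(dev_text)
    findings = []
    for opt, want in REQUIRED.items():
        got = rel.get(opt, "unset")
        if got != want:
            findings.append(f"{opt}: expected {want}, found {got}")
    key = rel.get(KEY_OPT)
    if not key:
        findings.append(f"{KEY_OPT}: no signing key configured")
    elif key == dev.get(KEY_OPT):
        findings.append(f"{KEY_OPT}: release reuses the development key")
    return findings

# Constructed sample fragments (not from a real project).
DEV_CONF = 'CONFIG_LOG=y\nCONFIG_MCUBOOT_SIGNATURE_KEY_FILE="keys/dev.pem"\n'
BAD_RELEASE = ('CONFIG_BOOTLOADER_MCUBOOT=y\nCONFIG_LOG=n\nCONFIG_ASSERT=n\nCONFIG_DEBUG=n\n'
               'CONFIG_PRINTK=y\nCONFIG_SIZE_OPTIMIZATIONS=y\nCONFIG_STACK_CANARIES=y # canaries\n'
               'CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="keys/dev.pem"\n')

if __name__ == "__main__":
    for finding in audit_release(BAD_RELEASE, DEV_CONF):
        print("FAIL", finding)
```

Pointing the same check at the merged build/zephyr/.config instead of the fragment audits the values Kconfig actually resolved, including defaults the fragment never mentions.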
Establish monitoring and diagnostics
Implement logging and monitoring for deployed devices.
- Use nRF Cloud for device monitoring
- Implement error logging with persistence
- Add heartbeat / health-check functionality
- Plan for remote diagnostics capability
- Track key metrics (battery, connectivity, errors)
You're done
You've taken a Nordic nRF firmware project from initial planning through secure OTA deployment. From here:
- Bring this workflow into your terminal with the fwm CLI agent
- Review the Quick Start to scaffold your next project
- Browse Best Practices for embedded firmware quality guidance