Firmware Updates Through the Mesh

by Nick Clark | Published April 25, 2026

Firmware bundles are distributed across the spatial-mesh substrate as encoded fragments produced by a rateless code, each fragment carrying a lineage stamp that ties it to a credentialed source bundle. Receiving devices collect fragments opportunistically across whichever mesh paths happen to deliver them, reconstruct the full bundle once enough fragments have accumulated, verify the credential chain end-to-end, and only then evaluate a per-target activation gate that decides whether and when the bundle is admitted into running firmware. The disclosure described here is associated with Provisional Application 64/049,409 and forms part of the spatial-mesh substrate primitive layer.


Mechanism

A firmware bundle originates at a credentialing authority — typically a manufacturer, a fleet operator, or a regulatory authority with firmware-update standing — that signs the bundle, declares its compatibility scope (hardware revision, prior-firmware version range, jurisdictional scope), declares a validity window, and assigns it a lineage identifier. The signed bundle is then handed to an encoder that produces a stream of small fragments under a rateless code (a fountain code such as LT, Raptor, or RaptorQ). Each fragment is small enough to traverse the mesh's lossy links inside a single transmission opportunity and carries the lineage identifier, the bundle's public credential digest, and the encoder's degree information for the fragment.

The fragments propagate across the mesh substrate as ordinary credentialed observations. Relays do not need to know the fragments' contents are firmware; they treat them as opaque credentialed payloads governed by the same admissibility rules as any other observation. Because the code is rateless, any relay path that delivers a sufficient number of distinct fragments — typically slightly more than the number of source symbols — enables reconstruction. Receivers do not coordinate which fragments to fetch; they simply admit fragments that arrive, deduplicate by fragment identifier, and feed them into a belief-propagation decoder. When the decoder converges, the receiver has the original bundle.
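The encode, relay and reassemble path just described, as an added worked example that is not part of this disclosure or of any implementation of it. It is a small Python model with constructed inputs: a systematic LT-style encoder whose fragments carry the lineage stamp, the bundle's credential digest and a seed that stands in for the degree information, and a receiver that admits fragments in whatever order they arrive, deduplicates by fragment identifier, ignores fragments stamped with a foreign lineage, and decodes once it holds k linearly independent fragments. The decoder is incremental GF(2) elimination rather than the belief-propagation peeling decoder named above; the property demonstrated, that any sufficiently large set of distinct fragments suffices regardless of which path delivered them, holds under either. The symbol size, the degree distribution and the bundle_len field on each fragment are assumptions of the demo, not values from the disclosure.

```python
import hashlib
import random
from dataclasses import dataclass
from typing import Optional

SYMBOL_SIZE = 4  # bytes per source symbol; tiny so the demo stays readable (assumed value)


@dataclass(frozen=True)
class Fragment:
    """One coded fragment as relayed through the mesh (field set assumed for this demo)."""
    lineage_id: str     # lineage stamp tying the fragment to its credentialed source bundle
    bundle_digest: str  # public credential digest of the bundle (SHA-256 hex here)
    bundle_len: int     # original bundle length so padding can be stripped (assumed field)
    seed: int           # degree/neighbour information; the decoder re-derives the symbol set
    payload: bytes      # XOR of the selected source symbols

    @property
    def fragment_id(self) -> str:
        return f"{self.lineage_id}/{self.seed}"


def symbol_count(bundle_len: int) -> int:
    return -(-bundle_len // SYMBOL_SIZE)  # ceiling division


def neighbours(seed: int, k: int) -> list:
    """Seed -> source symbols XORed into the fragment. Seeds below k are systematic (the
    fragment is source symbol `seed` itself); higher seeds draw a random combination.
    A production LT/Raptor code uses the robust soliton degree distribution instead."""
    if seed < k:
        return [seed]
    rng = random.Random(seed)
    degree = 1 if rng.random() < 0.2 else rng.randint(2, k)
    return sorted(rng.sample(range(k), degree))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode(lineage_id: str, bundle: bytes, overhead: float = 4.0) -> list:
    """Emit k systematic fragments followed by coded ones, overhead * k fragments in total."""
    k = symbol_count(len(bundle))
    padded = bundle.ljust(k * SYMBOL_SIZE, b"\0")
    symbols = [padded[i * SYMBOL_SIZE:(i + 1) * SYMBOL_SIZE] for i in range(k)]
    digest = hashlib.sha256(bundle).hexdigest()
    fragments = []
    for seed in range(int(overhead * k)):
        payload = bytes(SYMBOL_SIZE)
        for idx in neighbours(seed, k):
            payload = xor_bytes(payload, symbols[idx])
        fragments.append(Fragment(lineage_id, digest, len(bundle), seed, payload))
    return fragments


class Reassembler:
    """Receiver state for one lineage: admit whatever arrives, deduplicate by fragment id,
    keep only linearly independent rows, and decode once the rank reaches k."""

    def __init__(self, lineage_id: str):
        self.lineage_id = lineage_id
        self.seen = set()
        self.pivots = {}  # pivot bit -> (symbol mask, payload): GF(2) rows in echelon form
        self.k = self.digest = self.length = None

    def admit(self, frag: Fragment) -> bool:
        """True if the fragment carried new information; duplicates and foreign lineages drop."""
        if frag.lineage_id != self.lineage_id or frag.fragment_id in self.seen:
            return False
        self.seen.add(frag.fragment_id)
        if self.k is None:
            self.k = symbol_count(frag.bundle_len)
            self.digest, self.length = frag.bundle_digest, frag.bundle_len
        mask = sum(1 << i for i in neighbours(frag.seed, self.k))
        payload = frag.payload
        for bit in sorted(self.pivots):  # reduce by existing pivots, lowest bit first
            if mask & (1 << bit):
                pivot_mask, pivot_payload = self.pivots[bit]
                mask ^= pivot_mask
                payload = xor_bytes(payload, pivot_payload)
        if mask == 0:
            return False  # dependent on rows already held: nothing new
        self.pivots[(mask & -mask).bit_length() - 1] = (mask, payload)
        return True

    def decode(self) -> Optional[bytes]:
        """Back-substitute once k independent rows exist. None while fragments are still
        missing, or if the reconstruction fails the digest every fragment carried."""
        if self.k is None or len(self.pivots) < self.k:
            return None
        value = {}
        for bit in sorted(self.pivots, reverse=True):
            mask, payload = self.pivots[bit]
            for other in range(bit + 1, self.k):
                if mask & (1 << other):
                    payload = xor_bytes(payload, value[other])
            value[bit] = payload
        bundle = b"".join(value[i] for i in range(self.k))[: self.length]
        return bundle if hashlib.sha256(bundle).hexdigest() == self.digest else None
```

A relay in this model needs nothing beyond the fragment's lineage stamp and credential digest to decide admissibility; the receiver's digest comparison after decode is what catches a fragment set that was corrupted or mixed across bundles, and the `seen` set is what keeps a second path delivering the same fragment from costing anything.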

The receiver then performs a credential check on the reconstructed bundle: signature verification against the admitted-authority set, compatibility match against the device's hardware revision and present firmware version, and validity-window check against the device's clock. A bundle that fails any check is discarded and its lineage identifier is recorded in a refusal log so that subsequent fragments of the same bundle are not redundantly reassembled. A bundle that passes is staged. Staging is not activation. Activation is governed by a separate per-target gate.

The activation gate evaluates whether the present moment is an admissible moment to swap the running firmware. It checks operating-mode constraints (the device must be in a mode that admits a reboot), policy constraints (an installed credentialed policy may forbid activation during certain windows), peer constraints (a fleet-coordination policy may require quorum among neighbors before activation), and operator constraints (an operator confirmation may be required for certain bundles). Only when the gate is satisfied does the receiver swap firmware and record the activation as a credentialed observation in its own lineage.
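The credential check, refusal log and staging step from the mechanism above, as an added Python example that is not part of this disclosure or of any implementation of it. The credential is an HMAC-SHA256 stand-in under a per-authority key, an assumption made so the example runs offline; a fielded system would use a public-key signature so that relays and auditors verify without holding signing capability. The bundle fields, the receiver's attributes and the refusal-retention default are constructed for the demo. Note the ordering: the compatibility scope and validity window are trusted only after the signature that covers them has verified.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass(frozen=True)
class Bundle:
    """Reconstructed bundle with the fields its signer declared (constructed layout)."""
    lineage_id: str
    authority: str          # which credentialing authority signed it
    hw_revisions: tuple     # compatibility scope: admitted hardware revisions
    prior_versions: tuple   # (min, max) firmware version the bundle may be applied over
    validity: tuple         # (valid_from, valid_until), unix seconds
    image: bytes
    signature: bytes = b""

    def signed_body(self) -> bytes:
        """Canonical bytes the credential covers: every declared field plus the image digest."""
        return json.dumps({
            "lineage": self.lineage_id, "authority": self.authority,
            "hw": list(self.hw_revisions), "prior": list(self.prior_versions),
            "validity": list(self.validity),
            "image_sha256": hashlib.sha256(self.image).hexdigest(),
        }, sort_keys=True).encode()


def sign(bundle: Bundle, key: bytes) -> Bundle:
    """HMAC stand-in for the authority's signature (assumption for this demo)."""
    return replace(bundle, signature=hmac.new(key, bundle.signed_body(), hashlib.sha256).digest())


@dataclass
class Receiver:
    hw_revision: str
    firmware_version: int
    admitted_authorities: dict            # authority id -> verification key
    refusal_retention: int = 7 * 86400    # seconds a refusal is remembered (assumed default)
    refusal_log: dict = field(default_factory=dict)  # lineage_id -> (reason, refused_at)
    staged: dict = field(default_factory=dict)

    def should_reassemble(self, lineage_id: str, now: int) -> bool:
        """Fragments of a refused lineage are not reassembled again while the refusal is remembered."""
        entry = self.refusal_log.get(lineage_id)
        if entry is None:
            return True
        if now - entry[1] > self.refusal_retention:
            del self.refusal_log[lineage_id]  # retention elapsed: evaluate afresh
            return True
        return False

    def credential_check(self, b: Bundle, now: int) -> Optional[str]:
        """None if every check passes, otherwise the first failing check."""
        key = self.admitted_authorities.get(b.authority)
        if key is None:
            return "signer not in admitted-authority set"
        expected = hmac.new(key, b.signed_body(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b.signature):
            return "signature does not verify"
        # Only now are the declared scope and window fields trustworthy.
        if self.hw_revision not in b.hw_revisions:
            return "hardware revision out of scope"
        lo, hi = b.prior_versions
        if not lo <= self.firmware_version <= hi:
            return "present firmware version out of range"
        start, end = b.validity
        if not start <= now <= end:
            return "outside validity window"
        return None

    def check_and_stage(self, b: Bundle, now: int) -> str:
        """Discard and log a failing bundle; stage a passing one. Staging is not activation."""
        reason = self.credential_check(b, now)
        if reason is not None:
            self.refusal_log[b.lineage_id] = (reason, now)
            return "refused: " + reason
        self.staged[b.lineage_id] = b
        return "staged"
```

Because the refusal log is keyed by lineage identifier and consulted before reassembly, a refused bundle whose fragments keep circulating costs the receiver a dictionary lookup per fragment rather than a full decode and credential check each time.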

Operating Parameters

The fragment size is bounded by the mesh's per-link MTU and the desired traversal latency; representative deployments use fragments of 128 to 1024 bytes. The source symbol count per bundle determines reconstruction overhead and is typically chosen so that bundles of one to ten megabytes decompose into a few thousand to a few tens of thousands of source symbols. The encoding overhead factor — the ratio of fragments offered to source symbols — is configured per deployment based on link reliability; values between 1.05 and 1.5 are typical, with higher values used in deployments where links are particularly lossy or where retransmission round-trips are expensive.

The fragment time-to-live bounds how long a relay will continue to forward a given fragment after it first arrives; values from minutes (in dense urban deployments) to days (in sparse expeditionary deployments) are supported. The reassembly window bounds how long a receiver waits to accumulate enough fragments before timing out and discarding partial state; values are configured per bundle by the credentialing authority and typically range from a single hour to a full week. The refusal-log retention bounds how long the receiver remembers a refusal so that adversarial replay of refused bundles is suppressed; values from days to indefinite are supported.

The activation window is a credentialed parameter that the bundle's signer attaches to the bundle; activation is admissible only inside the window. The quorum size, where peer constraints apply, is the minimum number of neighbor devices that must report having staged the same bundle before activation is admissible. The rollback bound caps how far backward a credentialed bundle may move the device's firmware version; rollback to an unpatched-vulnerability state is typically disallowed at the bound.
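The per-target activation gate from the Mechanism section, parameterised as described in this section (activation window, quorum size, rollback bound, operating-mode and policy constraints, operator confirmation), together with the activation record appended to the device's lineage chain, as an added Python example that is not part of this disclosure or of any implementation of it. The gate returns the list of unsatisfied constraints rather than a bare boolean so that a refusal can be logged with its reason. The lineage record is linked to its predecessor by digest; the signing of that record as a credentialed observation is left out, and the min_secure_version floor, the mode and policy representations and every sample value are assumptions of the demo.

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class StagedBundle:
    lineage_id: str
    version: int
    activation_from: int      # credentialed activation window attached by the signer
    activation_until: int
    quorum: int               # neighbours that must report the same bundle staged (0 = none)
    operator_required: bool   # an operator credential must be co-presented at activation


@dataclass
class GateContext:
    """What the gate consults at the moment of a proposed swap (constructed representation)."""
    now: int
    operating_mode: str
    reboot_safe_modes: frozenset
    policy_blackouts: tuple     # ((start, end), ...) windows an installed policy forbids
    peers_staged: frozenset     # neighbour ids reporting the same lineage staged
    operator_confirmed: bool


def record_digest(record: dict) -> str:
    body = {k: v for k, v in record.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def audit_lineage(chain: list) -> bool:
    """Verify every record's digest and its link to the predecessor record."""
    prev = "genesis"
    for rec in chain:
        if rec["prev"] != prev or rec["digest"] != record_digest(rec):
            return False
        prev = rec["digest"]
    return True


@dataclass
class Device:
    device_id: str
    firmware_version: int
    rollback_bound: int        # most versions a credentialed bundle may move backward
    min_secure_version: int    # floor below which rollback is never admitted (assumed knob)
    lineage: list = field(default_factory=list)   # chain of activation records

    def gate(self, b: StagedBundle, ctx: GateContext) -> list:
        """Return the unsatisfied constraints; an empty list means activation is admissible now."""
        unmet = []
        if not b.activation_from <= ctx.now <= b.activation_until:
            unmet.append("outside activation window")
        if ctx.operating_mode not in ctx.reboot_safe_modes:
            unmet.append(f"operating mode {ctx.operating_mode!r} does not admit reboot")
        if any(start <= ctx.now <= end for start, end in ctx.policy_blackouts):
            unmet.append("installed policy forbids activation in this window")
        if len(ctx.peers_staged) < b.quorum:
            unmet.append(f"peer quorum {len(ctx.peers_staged)}/{b.quorum} not met")
        if b.operator_required and not ctx.operator_confirmed:
            unmet.append("operator confirmation required")
        floor = max(self.firmware_version - self.rollback_bound, self.min_secure_version)
        if b.version < floor:
            unmet.append(f"version {b.version} below rollback floor {floor}")
        return unmet

    def activate(self, b: StagedBundle, ctx: GateContext) -> bool:
        """Swap firmware only when the gate is satisfied, then append the activation record."""
        if self.gate(b, ctx):
            return False
        record = {
            "device": self.device_id, "lineage_id": b.lineage_id,
            "from": self.firmware_version, "to": b.version, "at": ctx.now,
            "prev": self.lineage[-1]["digest"] if self.lineage else "genesis",
        }
        record["digest"] = record_digest(record)
        self.firmware_version = b.version
        self.lineage.append(record)
        return True
```

The rollback floor is the larger of the bound-relative limit and the fixed secure floor, so a bundle that is validly signed but older than the last vulnerability fix is refused at the gate even though it passed the credential check at staging time; `audit_lineage` is the check any holder of the device's chain can run to confirm that no activation record was altered or dropped.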

Alternative Embodiments

A first embodiment uses a Luby Transform code as the fountain code, suitable for small bundles and low-end receivers where decoder simplicity dominates. A second embodiment uses RaptorQ for higher decoding efficiency on larger bundles. A third embodiment uses a systematic encoding in which the first k fragments are the source symbols themselves, allowing a well-positioned receiver near the origin to reassemble without decoding overhead while distant receivers still benefit from rateless redundancy.

A fourth embodiment supports differential bundles that carry only the delta against a named prior bundle; the bundle's lineage stamp identifies the prior bundle by digest, and a receiver that holds the prior bundle reconstructs the new one by patch application after fragment reassembly. A fifth embodiment supports staged rollouts in which the credentialing authority's activation window varies by target subgroup, expressed as a credentialed predicate over device attributes; canary subgroups receive earlier windows than the general fleet.

A sixth embodiment supports peer-quorum activation in which a device will not activate a staged bundle until q of its present neighbors confirm they have also staged the same bundle, providing fleet-level protection against an adversary who manages to inject a credentialed bundle into a single isolated device. A seventh embodiment supports operator-gated activation in which an operator credential must be co-presented at the moment of activation; this is appropriate for safety-critical platforms where firmware swap is itself a sensitive event.

An eighth embodiment supports A/B partitioning in which the staged bundle is written into an inactive partition and the activation gate atomically swaps active partitions, with a watchdog that reverts to the prior partition if the new firmware fails to assert health within a bounded time. A ninth embodiment supports multi-authority bundles in which the bundle is signed by multiple authorities (manufacturer plus regulator, or vendor plus fleet operator) and admissibility requires all signatures to verify; this supports regulatory regimes in which firmware updates require co-authorization. A tenth embodiment supports forward secrecy by including in each bundle an authenticated key-rotation transcript that retires the key under which prior bundles were signed.
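The A/B partition embodiment with its health watchdog, as an added Python example that is not part of this disclosure or of any implementation of it. The model keeps two slots, writes a staged bundle only into the inactive one, swaps atomically when the gate has been satisfied, and arms a deadline by which the new firmware must assert health; a watchdog tick after the deadline reverts to the prior slot. The slot structure, the health timeout and the event log are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Slot:
    """One firmware partition (constructed model; a real slot holds the image itself)."""
    version: Optional[int] = None
    image_digest: Optional[str] = None
    healthy: bool = False   # set once this slot has asserted health after a swap


@dataclass
class ABDevice:
    slots: dict = field(default_factory=lambda: {"A": Slot(), "B": Slot()})
    active: str = "A"
    health_timeout: int = 60          # seconds new firmware has to assert health (assumed)
    previous: Optional[str] = None    # slot to fall back to while a swap is unconfirmed
    deadline: Optional[int] = None    # watchdog deadline; None when no swap is pending
    events: list = field(default_factory=list)

    @property
    def inactive(self) -> str:
        return "B" if self.active == "A" else "A"

    def running_version(self) -> Optional[int]:
        return self.slots[self.active].version

    def stage(self, version: int, image_digest: str) -> None:
        """Write the verified bundle into the inactive slot; the running partition is untouched."""
        self.slots[self.inactive] = Slot(version, image_digest)

    def activate(self, now: int) -> None:
        """Atomic slot swap, performed once the activation gate is satisfied; arms the watchdog."""
        if self.deadline is not None:
            raise RuntimeError("previous activation not yet confirmed or reverted")
        if self.slots[self.inactive].version is None:
            raise RuntimeError("nothing staged in the inactive slot")
        self.previous, self.active = self.active, self.inactive
        self.deadline = now + self.health_timeout
        self.events.append(("activate", now, self.active))

    def assert_health(self, now: int) -> bool:
        """New firmware reports healthy; it only counts if it arrives before the deadline."""
        if self.deadline is None or now > self.deadline:
            return False
        self.slots[self.active].healthy = True
        self.deadline = self.previous = None
        self.events.append(("healthy", now, self.active))
        return True

    def watchdog(self, now: int) -> bool:
        """Revert to the prior slot if the deadline passed without a health assertion."""
        if self.deadline is None or now <= self.deadline:
            return False
        failed, self.active = self.active, self.previous
        self.slots[failed].healthy = False
        self.deadline = self.previous = None
        self.events.append(("revert", now, failed))
        return True
```

The prior slot is never written while a swap is unconfirmed, which is what makes the revert safe: a bundle that passed every credential check but bricks the device on boot costs one reboot, not the device, and the revert itself lands in the event log as something the lineage can record.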

Composition With Other Primitives

The mechanism composes with the credentialed-observation primitive at every layer: each fragment is a credentialed payload, the reassembled bundle is itself a credentialed observation, and the activation event is recorded as a credentialed observation in the device's lineage. The mechanism composes with the recursive-admissibility property of the mesh substrate: the same admissibility evaluator that gates ordinary observations also gates incoming fragments, so an adversary who controls a relay can carry firmware traffic but cannot fabricate it.

The mechanism composes with the governed-actuation primitive when the bundle is itself a policy update — a new harm ordering, a new rules-of-engagement overlay, or a revised operator-role policy — because the same activation gate that supervises firmware swap also supervises live policy swap. The mechanism composes with the lineage primitive: a device's firmware history is a chain of credentialed activation events, each linked to its predecessor by lineage identifier, and the chain itself is auditable by any party that holds the credentialing authority's public credential.

Prior-Art Distinctions

Conventional over-the-air update systems depend on a centralized infrastructure stack: a manufacturer server, a telematics backend, a cellular modem, and an operator app, each of which is a deployment dependency and a single point of compromise. The mechanism here removes all of those dependencies. Any path through the mesh, including paths that pass through relays not under any single operator's control, suffices for delivery, because the credentialing model decouples integrity from path. Conventional store-and-forward firmware schemes assume a known set of relays and a known forwarding topology; the rateless coding here assumes neither, and the mesh's relay set may shift on every cycle.

Conventional secure-boot architectures verify firmware at boot but do not address the question of how the firmware reached the device or whether the moment of activation is admissible. The mechanism here treats those as first-class concerns: the credential chain extends from the signing authority through the fragments through the reassembled bundle through the activation event itself, and the activation gate consults policy at the moment of activation rather than relying solely on a static signature check. Conventional fountain-coded distribution schemes target throughput on lossy links but do not bind the encoded fragments to a credentialed source; the lineage stamp here makes that binding structural.

Disclosure Scope

The disclosure covers the rateless-coded fragment distribution; the lineage-stamp binding from fragment through bundle through activation; the per-target activation gate with its operating-mode, policy, peer, and operator constraints; the refusal log and its replay-suppression role; the differential, systematic, and multi-authority bundle embodiments; the staged-rollout, peer-quorum, operator-gated, and A/B-partition activation embodiments; and the compositional embodiments with credentialed observations, recursive admissibility, governed-actuation, and lineage.

The associated provisional, 64/049,409, situates this primitive among the spatial-mesh substrate cluster. The primitive is not limited to any particular device class. It applies to vehicles, drones, robots, sensors, industrial controllers, and any other field-deployed device that today depends on centralized over-the-air infrastructure to remain current.

Specifically contemplated are degenerate cases in which a deployment uses a single-fragment bundle (the rateless code reduces to identity), a single-receiver topology (the mesh reduces to a point-to-point link), or a single-authority signing configuration (no co-signature is required). The disclosed mechanisms continue to apply in each, and the same activation gate, refusal log, and lineage chain operate uniformly across these limits and the general case. Also contemplated are large-scale embodiments in which thousands of receivers reassemble a common bundle concurrently from a shared fragment cloud; the rateless code's property that any sufficiently large set of distinct fragments suffices for reconstruction makes large-scale embodiments natural extensions rather than separate architectures.

The disclosure further contemplates field-recovery embodiments in which a device whose firmware has been corrupted resumes update reception from a minimal recovery loader that implements only fragment admission, reassembly, signature verification, and partition swap. The recovery loader's small footprint allows it to be co-resident with even the smallest deployment configurations, and its behavior is identical in form to the full update path, which preserves the audit-trail property end-to-end through recovery.

Invented by Nick Clark
Founding Investors: Anonymous, Devin Wilkie