A leading global Automotive OEM required a robust cybersecurity overhaul for their next-generation Telematics Control Unit (TCU). While the base telematics features were operational, the system lacked a hardware-anchored Secure Boot mechanism and an encrypted update pipeline. They partnered with Embien to design and implement a comprehensive security framework that leverages hardware-level isolation to protect critical vehicle data and ensure firmware integrity against unauthorized tampering.
The primary challenge lay in the complexity of the Renesas RH850/F1KM-S1 architecture. Integrating the Intelligent Cryptographic Unit (ICU-M) required precise hardware-level domain separation between secure and non-secure memory zones. Furthermore, the OEM required an encrypted data transfer protocol between the Master ECU and the target TCU, and likewise between the Diagnostic Control Module (DCM) and the TCU.
The system also needed to support "inactive bank" updates, allowing new software packages to be stored and verified in the inactive memory bank without interrupting the vehicle's operation, all while ensuring the backend server remained protected from request floods during mass fleet updates. Achieving this Production-Grade Secure Boot and HSM for Automotive TCU within a strict 8-week window demanded deep automotive domain expertise.
To enable the Production-Grade Secure Boot, Embien’s engineering team architected a multi-layered security strategy centered on the Renesas RH850/F1KM-S1’s dedicated secure CPU (G3K) and the ICU-M peripheral set.
Hardware-Anchored Root of Trust (ICU-M)
The heart of the solution was the configuration of the Intelligent Cryptographic Unit - Master (ICU-M). Embien leveraged this dedicated secure enclave to handle all cryptographic operations, ensuring that sensitive keys never leave the secure domain.
Domain Separation: We partitioned the Code Flash and Data Flash into Secure and Non-secure domains. Critical security functions, such as signature verification and key management, were isolated within the secure domain, protected by hardware-level access control mechanisms.
Cryptographic Acceleration: We integrated the on-chip AES Engines and Random Number Generator (RNG) to facilitate high-speed, hardware-accelerated encryption and decryption, which is vital for real-time secure boot cycles.
Production-Grade Secure Boot with Chain of Trust
Embien developed a custom Secure Bootloader that acts as the primary trust anchor. Upon reset, the ICU-M takes control before the application CPU executes any code from flash, and verifies the digital signature of the application image stored in flash memory against a public key provisioned into the secure domain.

Integrity Checks: If the verification fails, the bootloader refuses to execute the binary, so a modified or unsigned image (a "bootkit" or "rootkit" persisted in flash) never gains control.
Dual-Bank Verification: The system was configured to support A/B update logic. The bootloader identifies the "Active" and "Inactive" memory banks, so a newly downloaded package can be verified in the inactive bank in the background before the swap is committed; if that verification fails, the vehicle keeps running the current active image.
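The reset-time decision the two points above describe, modelled on a host as an added example (this is not Embien's bootloader). The image header layout, the anti-rollback floor and the swap flag are assumptions of the example, and an HMAC-SHA256 under a key the ICU-M would hold stands in for the asymmetric signature check; the decision logic is what matters: verify, refuse on any failure, and honour a pending swap only after re-verifying the inactive bank.

```python
# Host-side model of the boot decision, added example (not Embien's
# bootloader). Stand-in: HMAC-SHA256 under a key kept in the ICU-M plays the
# role of the asymmetric signature/public key; header layout is assumed.
import hashlib
import hmac
import struct

MAGIC = b"TCU1"
HDR = "<4sII"             # magic, version, payload length (hypothetical layout)
HDR_LEN = struct.calcsize(HDR)
SIG_LEN = 32
ROOT_KEY = b"\x11" * 32   # stand-in for the provisioned verification key
MIN_VERSION = 3           # anti-rollback floor held in secure Data Flash (assumed)


def build_image(version, payload, key=ROOT_KEY):
    """What the release tool produces: header || payload || signature."""
    body = struct.pack(HDR, MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(blob, key=ROOT_KEY, min_version=MIN_VERSION):
    """Return (ok, reason, version). Any failure means the bank is not booted."""
    if len(blob) < HDR_LEN + SIG_LEN:
        return False, "truncated", None
    magic, version, length = struct.unpack_from(HDR, blob)
    if magic != MAGIC:
        return False, "bad magic", None
    end = HDR_LEN + length
    if end + SIG_LEN > len(blob):               # length field must fit the bank
        return False, "length exceeds bank", version
    body, sig = blob[:end], blob[end:end + SIG_LEN]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return False, "bad signature", version
    if version < min_version:                   # signed but stale: refuse rollback
        return False, "rollback", version
    return True, "ok", version


def select_bank(active, inactive, swap_requested, min_version=MIN_VERSION):
    """Reset-time decision. swap_requested is the flag the application sets
    after verifying the downloaded bank in the background; the bootloader
    re-verifies before honouring it, so a flag alone never switches banks."""
    ok_a, _, ver_a = verify_image(active, min_version=min_version)
    if swap_requested:
        ok_i, _, ver_i = verify_image(inactive, min_version=min_version)
        if ok_i and (not ok_a or ver_i > ver_a):
            return "inactive", ver_i
    if ok_a:
        return "active", ver_a
    return "halt", None                         # nothing trustworthy: do not execute
```

A bank is treated as a byte blob with erased-flash padding after the image, which is why the length field is checked against the bank size before anything is hashed: a length that runs past the bank is refused without touching the signature. A swap request pointing at a bank that fails verification simply leaves the vehicle on its current active image.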
Encrypted Data Pipeline via UDS
To secure the firmware update process using HSM for the Automotive TCU, Embien extended the UDS (ISO 14229) protocol stack with custom security routines:

Encrypted Transfer: We implemented an end-to-end encrypted channel for firmware data transfers from both the Master ECU and the Diagnostic Control Module (DCM) to the TCU.
Service 0x27 (Security Access): Enhanced the seed/key challenge-response mechanism, using the ICU-M's RNG to generate unpredictable seeds that are not reused, so a previously captured seed/key exchange cannot be replayed to unlock the ECU.
Service 0x34/0x36/0x37: Optimized the Request Download, Transfer Data and Request Transfer Exit services to handle encrypted chunks, which are decrypted on-the-fly by the ICU-M before being written to the inactive flash bank.
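An end-to-end model of the three services above with both sides of the exchange, added here as an example; it is not Embien's UDS stack. Service IDs and negative response codes are the ISO 14229 values; the dataFormatIdentifier value 0x10, the block size and the key derivation are this example's assumptions, and the stand-ins (secrets.token_bytes for the ICU-M RNG, an HMAC-SHA256 keystream for the ICU-M AES engine, shared keys pre-provisioned at both ends) are labelled in the code.

```python
# Host-side model, added example (not Embien's stack). Labelled stand-ins: secrets.token_bytes
# for the ICU-M RNG, an HMAC-SHA256 keystream for the ICU-M AES engine, shared keys at both ends.
import hashlib
import hmac
import secrets

NRC = dict(FORMAT=0x13, SEQUENCE=0x24, OUT_OF_RANGE=0x31, SEC_DENIED=0x33,
           INVALID_KEY=0x35, BLOCK_COUNTER=0x73)   # ISO 14229 negative response codes
BLOCK = 64  # maxNumberOfBlockLength = SID + counter + data bytes (assumption)

def keystream_xor(key, block_no, data):
    # Stand-in for AES-CTR, keyed per session and bound to the block number: no cross-transfer replay.
    out = b"".join(hmac.new(key, block_no.to_bytes(4, "big") + i.to_bytes(4, "big"),
                            hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, out))

def negative(sid, nrc):
    return bytes([0x7F, sid, NRC[nrc]])

class TargetEcu:
    # TCU side; in the real design both keys live in the ICU-M secure domain.
    def __init__(self, access_key, transport_key, bank_size=4096):
        self.access_key, self.transport_key = access_key, transport_key
        self.seed = self.session_key = self.expected_block = None
        self.unlocked, self.inactive_bank = False, bytearray(bank_size)
        self.offset = self.length = self.written = 0

    def handle(self, req):
        if req[0] == 0x27:
            return self._security_access(req)
        if not self.unlocked:                          # flashing needs an unlocked session
            return negative(req[0], "SEC_DENIED")
        return {0x34: self._request_download, 0x36: self._transfer_data,
                0x37: self._transfer_exit}.get(req[0], lambda r: bytes([0x7F, r[0], 0x11]))(req)

    def _security_access(self, req):
        if req[1] == 0x01:                             # requestSeed: fresh seed from the RNG
            self.seed = secrets.token_bytes(16)
            return bytes([0x67, 0x01]) + self.seed
        seed, self.seed = self.seed, None              # sendKey: every seed is single-use
        if req[1] != 0x02 or seed is None:
            return negative(0x27, "SEQUENCE")
        expected = hmac.new(self.access_key, seed, hashlib.sha256).digest()
        if not hmac.compare_digest(req[2:], expected):
            return negative(0x27, "INVALID_KEY")
        self.unlocked = True                           # chunk key is per session, bound to the seed
        self.session_key = hmac.new(self.transport_key, seed, hashlib.sha256).digest()
        return bytes([0x67, 0x02])

    def _request_download(self, req):
        # dataFormatIdentifier 0x10 = encrypted (assumed value); ALFID 0x44 = 4-byte addr/len
        if len(req) != 11 or req[1] != 0x10 or req[2] != 0x44:
            return negative(0x34, "FORMAT")
        self.offset, self.length = int.from_bytes(req[3:7], "big"), int.from_bytes(req[7:11], "big")
        if self.offset + self.length > len(self.inactive_bank):  # must fit the inactive bank
            return negative(0x34, "OUT_OF_RANGE")
        self.expected_block, self.written = 1, 0
        return bytes([0x74, 0x10, BLOCK])              # lengthFormatIdentifier 0x10 = 1 byte follows

    def _transfer_data(self, req):
        if self.expected_block is None or len(req) > BLOCK:
            return negative(0x36, "SEQUENCE")
        bsc, chunk = req[1], req[2:]
        if bsc != self.expected_block & 0xFF:          # out-of-order or repeated block
            return negative(0x36, "BLOCK_COUNTER")
        if self.written + len(chunk) > self.length:
            return negative(0x36, "OUT_OF_RANGE")
        plain = keystream_xor(self.session_key, self.expected_block, chunk)
        start = self.offset + self.written             # decrypt, then write to the inactive bank
        self.inactive_bank[start:start + len(plain)] = plain
        self.written, self.expected_block = self.written + len(plain), self.expected_block + 1
        return bytes([0x76, bsc])

    def _transfer_exit(self, req):
        if self.expected_block is None or self.written != self.length:
            return negative(0x37, "SEQUENCE")
        self.expected_block, data = None, bytes(self.inactive_bank[self.offset:self.offset + self.length])
        return bytes([0x77]) + hashlib.sha256(data).digest()   # digest echoed to the tester

def unlock(ecu, access_key):
    seed = ecu.handle(bytes([0x27, 0x01]))[2:]         # tester side of 0x27
    key = hmac.new(access_key, seed, hashlib.sha256).digest()
    return seed if ecu.handle(bytes([0x27, 0x02]) + key) == b"\x67\x02" else None

def flash_inactive_bank(ecu, access_key, transport_key, image, offset=0):
    # Tester side (Master ECU or DCM): unlock, then stream encrypted chunks.
    seed = unlock(ecu, access_key)
    if seed is None:
        return negative(0x27, "INVALID_KEY")
    session_key = hmac.new(transport_key, seed, hashlib.sha256).digest()
    rsp = ecu.handle(bytes([0x34, 0x10, 0x44]) + offset.to_bytes(4, "big") + len(image).to_bytes(4, "big"))
    if rsp[0] != 0x74:
        return rsp
    max_data = rsp[2] - 2
    for bsc, i in enumerate(range(0, len(image), max_data), 1):
        rsp = ecu.handle(bytes([0x36, bsc & 0xFF]) + keystream_xor(session_key, bsc, image[i:i + max_data]))
        if rsp[0] != 0x76:
            return rsp
    return ecu.handle(bytes([0x37]))
```

Note what the chunk encryption does and does not give: a chunk encrypted under the wrong transport key decrypts to garbage but is still written, so confidentiality on the wire is not integrity in the bank. That is why the secure boot described above verifies the signature of the inactive bank before any swap, and why the digest returned by 0x37 here is only a hint for the tester, not the trust decision.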
Operational Resilience & Backend Protection
Recognizing the risks of mass-scale telematics updates, Embien integrated logic to protect the OEM’s backend infrastructure:
Request Throttling: We implemented throttling logic within the TCU firmware that randomizes update check-in times and caps the rate of requests to the backend, preventing a fleet-wide rollout from turning into an accidental, self-inflicted Distributed Denial of Service (DDoS) on the OEM's servers.
Flash-Level Data Encryption: Even "at rest," critical data stored in the Data Flash is encrypted under unique per-device keys generated by the ICU-M, so that reading the flash contents out of the MCU does not yield usable data without the key held in the secure domain.
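A host-side sketch of the throttling logic in the first point above, added as an example (not Embien's firmware): a VIN-derived check-in offset, full-jitter backoff that honours the server's Retry-After, and a per-TCU hourly request budget. The parameters and the constructed fleet are hypothetical; the budget and the backoff go slightly beyond the page, which states only that check-ins are randomized and request frequency is limited.

```python
# Added example of the check-in throttling described above (not Embien's
# firmware); parameters and the constructed fleet are hypothetical.
import hashlib
import random

SAMPLE_FLEET = [f"TCU{n:014d}" for n in range(10000)]   # constructed VINs


def checkin_offset(vin, window_s):
    """Deterministic per-vehicle offset inside the campaign window, derived
    from the VIN so the spread survives reboots and needs no coordination."""
    h = int.from_bytes(hashlib.sha256(vin.encode()).digest()[:4], "big")
    return h % window_s


def backoff_delay(attempt, base_s=60, cap_s=3600, retry_after=None, rng=random):
    """Delay before retrying a failed or rate-limited check-in: honour the
    server's Retry-After when given, else full-jitter exponential backoff."""
    if retry_after is not None:
        return retry_after + rng.uniform(0, base_s)
    return rng.uniform(0, min(cap_s, base_s * 2 ** attempt))


class CheckinBudget:
    """Per-TCU cap on backend requests per hour, whatever triggers them
    (timer, ignition-on, retry), so a bug or a flapping link cannot spam."""

    def __init__(self, max_per_hour):
        self.max, self.stamps = max_per_hour, []

    def allow(self, now_s):
        self.stamps = [t for t in self.stamps if now_s - t < 3600]
        if len(self.stamps) >= self.max:
            return False
        self.stamps.append(now_s)
        return True


def peak_arrivals(vins, window_s):
    """Busiest second of a campaign if every vehicle checks in at its offset."""
    per_second = {}
    for vin in vins:
        t = checkin_offset(vin, window_s)
        per_second[t] = per_second.get(t, 0) + 1
    return max(per_second.values())
```

With a one-second window every vehicle lands in the same second (the herd the page warns about); with a one-hour window the same 10,000 vehicles arrive at a handful per second. The offset is hashed from the VIN rather than drawn at runtime so that a fleet-wide reboot does not re-synchronize the fleet.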
Production Readiness in 8 Weeks: Embien delivered a fully tested, compliant security stack within two months, meeting the OEM's aggressive production launch.
Hardware-Level Isolation: By offloading cryptographic operations to the ICU-M in the Renesas RH850/F1KM-S1, the main application CPU remains focused on telematics tasks and does not carry the cryptographic overhead.
Zero-Downtime Updates: The A/B bank storage strategy ensures that vehicles remain operational while updates are being downloaded and verified.
Enhanced Cybersecurity Compliance: The HSM for Automotive TCU implementation aligns with global automotive standards (ISO/SAE 21434), providing a future-proof foundation for the OEM.
Backend Stability: Integrated protection mechanisms prevent the TCU fleet from overwhelming the OEM’s servers during critical update cycles.
Embien’s deep expertise in Renesas RH850 architectures and Automotive HSM integration enabled this leading OEM to bridge the gap between basic telematics and a highly secure, resilient vehicle node. By transforming the TCU into a trusted endpoint with encrypted UDS capabilities and a hardware-anchored Production-Grade Secure Boot, Embien ensured the vehicle's long-term protection against evolving cyber threats.
If you are looking to secure your automotive assets or integrate production-grade HSM features into your ECUs, contact Embien Technologies today to consult with our cybersecurity specialists.
Reach out to Embien! Our team provides turnkey services for HSM integration, secure bootloader development, and encrypted UDS stacks for platforms like RH850, AURIX, and S32K in record timelines.