Build an OTA firmware update pipeline for a fleet of IoT devices with A/B partition rollback

Verified steps

1. Partition device flash into two firmware slots (A and B) plus a bootloader that tracks which slot is active and whether the current boot has been confirmed; on unconfirmed boot the bootloader retries then rolls back to the last confirmed slot
2. Host firmware binaries in cloud storage (e.g., S3 or Azure Blob); publish a new firmware manifest (version, SHA-256 hash, download URL) to a dedicated MQTT topic or device twin desired property when a rollout begins
3. On the device, validate the manifest signature before downloading; download the binary in chunks to the inactive slot, verifying the SHA-256 hash of each chunk and the full image after completion
4. Instruct the bootloader to attempt booting from the new slot on next restart; after successful startup, run application-level health checks (connectivity, sensor readings, watchdog ping) before sending a confirm-boot command to the bootloader
5. Report the new firmware version via the device twin reported properties or a status MQTT topic; the backend marks the device as successfully updated only after receiving the confirmed version report
6. For staged rollouts, deploy to a canary group (e.g., 5% of fleet) first; monitor error rates and rollback reports before widening the rollout; maintain the ability to push a rollback manifest that reinstates the previous version