Strategies for comprehensive cyber resilience and recovery are quickly becoming a requirement. Modern, embedded connected devices are an attractive target for cyber attacks, which can open opportunities for ransom demands and result in the shutdown of entire factories. Recovery of compromised devices is challenging because malware can overwrite the original software, and restoring it often requires manual intervention. Furthermore, many embedded devices do not implement remote recovery procedures.


Recovery mechanisms can be built into the hardware root of trust of a system-on-chip (SoC). An SoC recovery module can remotely manage devices even when their OS is unresponsive or completely erased. This enables the remote administrator to quickly and reliably recover all devices back to a trusted working state without requiring any local human intervention.

Recovery States

The write-latch-protected recovery image allows the device to return to a trusted state after a reboot. A trusted entity write-latches the recovery image in an early boot phase, before the network is enabled. Write-latches are software-enabled hardware write protection mechanisms: software can set them, but they can only be disabled through a reset of the whole SoC. The recovery image allows the device to boot into the recovery mode, which contains only the basic functionality needed to connect to the trusted services. From the recovery mode, it is possible to bootstrap the device and restore a persistently corrupted device to a functional state.
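The latch behaviour described above, as a small C model added here for illustration (it is not code from the original page or from any vendor's SoC). The struct, function names, region size and image contents are all hypothetical and constructed; the model shows a write after latching being rejected, a software unlock attempt being ignored, and a reset followed by early boot closing the latch again.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical model of an SoC; all names and sizes are assumptions. */
enum { REC_SIZE = 16 };
typedef struct {
    uint8_t recovery[REC_SIZE]; /* flash region holding the recovery image */
    bool wr_latch;              /* sticky: software sets it, only reset clears it */
    bool net_up;                /* network interface enabled */
} soc_t;

/* Latch register: writing 1 sets the latch, writing 0 is ignored by hardware. */
static void latch_write(soc_t *s, bool v) { if (v) s->wr_latch = true; }

/* Write path to the recovery region: rejected while the latch is set. */
static int rec_write(soc_t *s, const uint8_t *src, size_t n) {
    if (s->wr_latch || n > REC_SIZE) return -1;
    memcpy(s->recovery, src, n);
    return 0;
}

/* Whole-SoC reset: clears the latch and network state, flash contents persist. */
static void soc_reset(soc_t *s) { s->wr_latch = false; s->net_up = false; }

/* Trusted early boot stage: latch first, then enable the network. */
static int early_boot(soc_t *s) {
    if (s->net_up) return -1;   /* ordering violated: network already up */
    latch_write(s, true);
    s->net_up = true;
    return 0;
}

/* Returns 1 if the recovery image survives a tamper attempt made after boot. */
int demo_tamper_after_boot(void) {
    static const uint8_t good[REC_SIZE] = "RECOVERY-IMG-v1"; /* constructed */
    static const uint8_t evil[REC_SIZE] = "TAMPERED-IMAGE!"; /* constructed */
    soc_t s = {0};
    rec_write(&s, good, sizeof good);         /* provisioning, latch still open */
    early_boot(&s);
    latch_write(&s, false);                   /* software unlock attempt: ignored */
    int r = rec_write(&s, evil, sizeof evil); /* rejected by the latch */
    soc_reset(&s);                            /* reset reopens the latch ... */
    early_boot(&s);                           /* ... and early boot closes it again */
    return r == -1 && s.wr_latch && memcmp(s.recovery, good, REC_SIZE) == 0;
}

int main(void) {
    return demo_tamper_after_boot() ? 0 : 1;
}
```

In this model the region is writable only between `soc_reset` and `early_boot`, which is why the latch has to be set by the trusted early boot stage before the network comes up.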

[Figure: Recovery States]