Creating Tamperproof Firmware

It is possible to create highly tamper-proof firmware for your vehicles using signed bootloaders and signed firmware. Once loaded, only firmware signed with one of the public-private key pairs will run on the autopilot, preventing unsigned firmware from being loaded and run. Only firmware created with your private key will run (ArduPilot also has its own private key, that would allow only a selected senior ArduPilot developer to provide “rescue” services to our partners in emergencies.)


It is possible to render the autopilot inoperative if the procedures below are not followed exactly!

The information on signing bootloaders and firmware is provided in a README file at

A video is also provided:

Overview of Steps

Study the above video and README!

  1. Make sure you have a build environment setup and working for normal firmware builds.

  2. Make sure you have the latest MAVProxy installed.

  3. Create a branch to develop the firmware locally.

  4. Create your public-private key pairs (normally up to two are allowed for your use).

  5. Build a securely signed bootloader for the autopilot.

  6. Build a securely signed firmware and load it onto the autopilot.

  7. Use MAVProxy to flash the securely signed bootloader contained in the firmware you just loaded as the new bootloader.

  8. Verify that the new secure bootloader has been installed.

At this point only securely signed firmware built using one of the key pairs will boot and run on the autopilot.

Reverting to UnSigned Bootloader

Instructions are provided in above referenced file for reverting to a normal bootloader using a private key whose corresponding public key is included in the bootloader.