Comment by dylan604

6 hours ago

I didn't ask what can you have. We could have whatever safety processes we wanted with multiple levels of redundancy. However, that's not what's available on COTS IoT devices though, so speculation does not help.

Flashing the firmware of a cheap IoT device remotely OTA is not without risk.

That actually is exactly how it works today with ESPHome flashed to the Tuya related chips. It's also the only way to do OTA: download into second partition, switch boot.

But more widely: you just don't need to flash devices very often.

Moreover, OTA is just because that's something we used to be able to do till Tuya shut down the cloud cutter hack which could do it (which also requires physical access - you have to reboot the device into flashing mode; you can still do it, but you can't custom-flash OTA anymore on most newer ones).

Surely the basic flashing mechanisms used nowadays will first check the checksum (and hopefully a device magic), and then you have a relatively short time window when it actually does the flashing, after which it reboots? Even small devices nowadays seem to have the memory for it. So there is a window of failure, but it's not a very long one.

Well, in addition to flashing the incorrect or buggy firmware.
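The dual-slot scheme discussed in this thread (download into the inactive partition, verify magic and checksum, then switch the boot selector) as an added Python simulation; this is illustrative code, not ESPHome's or Tuya's implementation, and the header layout, the `DEMO` magic and the rollback-on-unconfirmed-boot step are assumptions.

```python
import hashlib
import struct

MAGIC = b"DEMO"          # constructed device magic, not any real vendor's value
HEADER_LEN = 4 + 4 + 32  # magic + payload length + SHA-256 of payload


def build_image(payload: bytes, magic: bytes = MAGIC) -> bytes:
    """Wrap a firmware payload in a minimal header: magic, length, SHA-256."""
    return magic + struct.pack(">I", len(payload)) + hashlib.sha256(payload).digest() + payload


def verify_image(image: bytes) -> bool:
    """Check magic, declared length and hash before the image is ever booted."""
    if len(image) < HEADER_LEN or image[:4] != MAGIC:
        return False
    (length,) = struct.unpack(">I", image[4:8])
    payload = image[HEADER_LEN:]
    return len(payload) == length and hashlib.sha256(payload).digest() == image[8:HEADER_LEN]


class Device:
    """Two firmware slots; the running slot is never written during an update."""

    def __init__(self) -> None:
        self.slots = {"A": build_image(b"factory-v1"), "B": b""}
        self.boot_slot = "A"
        self.pending = False  # True until the new firmware confirms it booted

    def _inactive(self) -> str:
        return "B" if self.boot_slot == "A" else "A"

    def ota_update(self, image: bytes) -> bool:
        """Write into the inactive slot, verify, then flip the boot selector."""
        target = self._inactive()
        self.slots[target] = image          # the download/write itself may be cut short
        if not verify_image(self.slots[target]):
            self.slots[target] = b""        # reject: the old firmware keeps booting
            return False
        self.boot_slot = target             # the only step that changes what boots
        self.pending = True
        return True

    def boot(self, new_firmware_healthy: bool) -> bytes:
        """Boot the selected slot; an unconfirmed new image falls back to the old one."""
        if self.pending:
            if not new_firmware_healthy:
                self.boot_slot = self._inactive()  # roll back to the previous slot
            self.pending = False
        return self.slots[self.boot_slot][HEADER_LEN:]
```

A truncated download or a wrong magic is rejected before the boot selector moves, so the window the thread worries about is only the selector switch plus the first boot of the new image.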