Indian defence electronics, medical devices, and automotive Tier-1 firmware teams all face the same procurement problem sooner or later: the contract manufacturer programming the boards at volume should not see the plaintext firmware image, and the IP owner needs a cryptographically verifiable limit on how many units the CM can program.
The open questions in that problem statement are the hard ones. How do you deliver an encrypted image to a Flasher programmer in a way the programmer, but not the CM operator, can decrypt? How do you enforce a per-batch authorization count that the CM cannot exceed without the IP owner’s explicit permission? How do you prove to an auditor (CDSCO for medical, DGQA for defence, IATF for automotive) that every programmed unit was authorized and every over-run attempt produced a non-functional brick? And how do you deploy all of this on an Indian EMS floor without adding three months of bring-up work?
SEGGER’s answer is Flasher Secure paired with the Flasher Secure Server (FSS), and the two components together deliver authorized flashing, a workflow designed from the ground up for the exact procurement model Indian defence, medical, and premium automotive buyers increasingly require. This post walks through what authorized flashing actually is, how Flasher Secure and FSS fit together, the 5-step workflow from IP-owner sign-off to programmed unit, and the specific compliance hooks that matter for Indian buyers operating under iDEX, DGQA, CDSCO, and IATF 16949. GSAS Micro Systems is India’s authorized SEGGER partner, Flasher Secure and FSS are available with INR invoicing, commercial licensing, and on-site deployment support at Indian OEM R&D centres and EMS floors.
The problem stated cleanly
An Indian OEM, say, a Bengaluru medical device company, a Pune automotive Tier-1, or a Hyderabad defence electronics firm, owns firmware IP that represents years of development and, in many cases, is itself a trade secret or is covered by export-control rules. The same OEM does not have its own electronics manufacturing capacity at the required volume. It outsources PCB assembly, populated board test, and programming to a contract manufacturer in Chennai, Noida, or Pune.
The OEM’s problem:
- The CM cannot see plaintext firmware. The binary represents IP; once it sits on an unencrypted USB stick or a flash card at the CM’s receiving dock, the IP owner has lost control of it. For defence-grade electronics this is a legal problem. For commercial medical devices this is a trade-secret problem. For automotive Tier-1 work this is a competitive problem.
- The CM cannot program more units than the OEM authorized. Over-programming is the classic contract manufacturing grey-market story, the line runs 12,000 units on a 10,000-unit order, 2,000 units walk out the side door, and 6 months later an OEM’s customer receives a support call about a device they did not sell. This has to be impossible, not merely discouraged.
- Every programmed unit must produce an audit trail. The OEM needs cryptographic evidence that each programmed unit was authorized and programmed from an approved image. The CM needs evidence that it did not over-program. Auditors for CDSCO, DGQA, IATF, and the OEM’s own quality system all need evidence they can review.
- The whole arrangement has to deploy in days, not months. A 3-month bring-up project kills the commercial case for Flasher Secure on lower-volume programs.
Flasher Secure + FSS is designed specifically against this problem statement.
What authorized flashing is
SEGGER’s Authorized Flashing technology has four components that work together:
- Flasher Secure Server (FSS). A Windows or Linux service hosted at the OEM’s premises (typically the R&D centre in Bengaluru or Pune). FSS is the keeper of the signing key and the source of truth for how many units can be programmed. FSS never leaves the OEM’s premises.
- Flasher Secure hardware. A production-grade Flasher (ATE, Hub, or Compact variant) with secure-boot firmware. The Flasher Secure lives on the CM’s floor. It can connect to FSS over a network link (typically an outbound TCP connection to the OEM’s VPN endpoint) but has no other path to plaintext firmware, the encrypted image is all it ever receives.
- Encrypted image. The OEM signs and encrypts the firmware image using FSS’s key pair. The encrypted image is delivered to the CM (via any channel, email, FTP, USB stick, physical courier; it does not matter, because the image is encrypted). The CM loads it into its Flasher Secure.
- Authorizations. A finite, cryptographically-bound count of programming events issued from FSS to the Flasher Secure. An authorization says “you may program N units of image X between time A and time B.” When N is reached, or when time B passes, the Flasher Secure stops programming. To get more authorizations, the CM asks the OEM, and the OEM issues another batch from FSS.
The CM operator experiences this as a normal Flasher workflow, load the image project, run the line, programmer reports pass or fail per unit. What the operator cannot do is see the plaintext image, over-program past the authorization count, or re-use an expired authorization.
The 5-step workflow
A typical Indian deployment of Flasher Secure + FSS runs on this lifecycle:
Step 1, OEM builds and signs the image. The OEM’s firmware engineering team in Bengaluru (or wherever the R&D centre sits) produces a release candidate binary. FSS ingests the binary, encrypts it with the FSS key pair, and produces an opaque encrypted image file that only Flasher Secure can decrypt, and even then, only to internal hardware registers, not to any host-readable buffer.
Step 2, OEM authorizes a programming batch. The OEM issues an authorization from FSS: 5,000 units of image release-3.2.1, valid from 14 April 2026 to 15 May 2026. This authorization is a signed token that only the specific target Flasher Secure on the CM floor can consume.
Step 3, Encrypted image and authorization travel to the CM floor. Both can travel over any channel, FTP, email, manual upload, sneakernet, because they are useless to anyone except the specific Flasher Secure they are addressed to. The CM operator loads the encrypted image into their Flasher Secure using J-Flash Secure and loads the authorization token the same way.
Step 4, The line runs. For each board programmed, Flasher Secure internally decrypts the image into its hardware programming engine, programs the target, decrements the authorization count by one, and produces a per-unit record, the target’s unique device ID, the programming timestamp, the Flasher Secure serial number, and the authorization batch this unit was charged against. This record flows into the CM’s Manufacturing Execution System (MES) on the CM side and also flows back to FSS on the OEM side for independent accounting.
Step 5, Over-run attempt produces bricks. If the CM operator tries to program unit 5001 on a 5,000-unit authorization, the Flasher Secure refuses. If the operator clones the Flasher Secure, the clone does not have the matching private key and cannot decrypt the image. If the operator tries to modify the encrypted image or the authorization token, signature verification fails and the programmer reports a hard error.
Compliance hooks that matter for Indian buyers
Defence (iDEX / DGQA). Under iDEX (the Indian government’s Innovations for Defence Excellence framework), and under DGQA (Directorate General of Quality Assurance) inspections, programming accountability is now a checklist item for qualified defence electronics production. Authorized flashing with Flasher Secure + FSS produces exactly the cryptographic audit trail DGQA inspectors are looking for: every programmed unit tied to a signed authorization batch, every authorization batch tied to a signed image, every image tied to a specific design baseline. For Indian defence electronics firms building for Tejas, Arjun, ALH, or naval platforms, this workflow maps directly onto the procurement process and reduces audit findings to near zero.
Medical (CDSCO / ISO 13485 / IEC 62304). For Indian medical device OEMs filing with CDSCO, the device history record needs to demonstrate that every programmed unit contained the exact approved firmware version. Flasher Secure’s per-unit record (image hash, authorization batch, device ID, timestamp) becomes the programming step’s contribution to the DHR. For ISO 13485 process validation, the authorized-flashing workflow eliminates a class of DHR data-integrity questions that are currently painful to answer when programming happens at a CM.
Automotive (IATF 16949 / customer-specific requirements). Indian automotive Tier-1s supplying to Japanese, German, and Korean OEMs are increasingly being asked for programming-evidence workflows similar to what Flasher Secure delivers. Several global OEM customer-specific requirements (CSR) documents now reference “authenticated programming evidence” as a qualification criterion for new suppliers. Deploying Flasher Secure proactively puts Indian Tier-1s ahead of this curve and simplifies their qualification audits.
Silicon-specific provisioning hooks
Flasher Secure is not just an encrypted-image-delivery mechanism. For silicon families that expose hardware secure-boot hooks, Flasher Secure integrates directly with the silicon vendor’s secure provisioning APIs:
- STMicroelectronics STM32: integration with STM32 Secure Firmware Install (SFI), supported on STM32H5, STM32H7, STM32U5, and STM32N6. The SFI handshake happens inside Flasher Secure; the plaintext SFI image never touches the CM floor.
- NXP i.MX RT: integration with NXP’s HAB (High Assurance Boot) fuse provisioning, enabling one-time-programmable SRK (Super Root Key) burn-in at programming time. Relevant for RT1050/RT1060/RT1170 crossover products used in Indian edge-AI vision, industrial HMI, and medical applications.
- Renesas RA: integration with the Renesas RA Secure Bootloader, for RA6M4, RA6M5, and RA8M1 parts that support TrustZone and secure provisioning.
- Microchip SAM: integration with SAM L11 and SAM E54 TrustZone provisioning.
For product families where the silicon vendor does not expose a formal secure-provisioning API, Flasher Secure still provides the authorized-flashing layer, the image and authorization count are protected even if the target silicon itself has no secure boot.
Deployment path: from zero to line-live in a week
The practical GSAS deployment sequence for Flasher Secure in India:
- Day 1, OEM side. GSAS engineers install Flasher Secure Server at the OEM’s Bengaluru, Pune, or wherever R&D centre. Configure the key pair, generate the initial signing material, document the internal process for issuing authorizations.
- Day 2, CM side. Ship Flasher Secure hardware to the CM’s facility (Chennai, Noida, Pune, or wherever). GSAS engineer travels to the CM floor for bring-up. Register the Flasher Secure with FSS over the OEM’s VPN. Run a dummy image through the authorization flow to verify the round-trip.
- Day 3, Integration with the CM’s existing ICT bench. Wire Flasher Secure into whatever test equipment the CM line already uses (SPEA, Teradyne, custom Python rig). Validate pass/fail reporting, MES integration, and the per-unit record format.
- Day 4-5, Pilot production run. Run 500-2,000 units through the line end-to-end. Verify that the per-unit records match on the FSS side and the CM MES side. Audit the authorization decrement behavior.
- Day 6-7, Handoff and training. Train the CM operators, hand off the runbook, establish the ongoing authorization-issuance cadence between the OEM and the CM.
After that, the CM line runs Flasher Secure as a standing production tool. New authorizations issue when the CM needs them. New image versions from the OEM replace the encrypted image file on the Flasher Secure, with the previous authorizations cleanly closing out. The CM operator never sees the plaintext firmware.
Flasher Secure alongside Flasher ATE2: they are not alternatives
One question that comes up regularly in Indian sales conversations: “Do I need Flasher Secure, or do I need Flasher ATE2 for volume?” The answer is that many Indian EMS lines deploy both. Flasher ATE2 handles the 10-up parallel programming throughput on high-volume consumer builds where plaintext is acceptable. Flasher Secure handles the encrypted-image path on the defence, medical, and premium automotive builds that share the same line infrastructure but cannot use plaintext programming. A mid-tier Indian EMS that wants to grow into higher-IP-sensitivity work typically starts with a Flasher ATE2 rack for its baseline volume builds and adds a Flasher Secure + FSS deployment when its first high-trust OEM customer requires authorized flashing.
Further reading
- SEGGER Flasher Secure product page, authoritative product documentation
- SEGGER Authorized Flashing technology page, detailed technology explanation
- SEGGER Flasher ATE2 for Indian EMS production, companion post on non-secure high-volume Flasher deployments
- SEGGER production tools overview, full Flasher family
- SEGGER at GSAS
- GSAS aerospace and defence solutions
Also appears in:
Interested in SEGGER tools?
Talk to our application engineers for personalized tool recommendations.
More from SEGGER
View all →