Bruno Esquivel Embedded & Security Firmware
Currently looking for roles
Firmware · IoT Security · Embedded C

I build secure & reliable firmware for connected devices.

I’m Bruno Esquivel, a firmware engineer focused on secure bootloaders, OTA updates, TLS, and resilient networking on resource-constrained hardware. I like turning system design and security ideas into working, testable firmware.

Based in Bay Area · Open to remote/hybrid
Secure boot · OTA · RTOS (Zephyr/FreeRTOS) · C
Networking: TLS · SSH · IPSec/IKE

Selected Projects

A few focused projects that combine secure boot, OTA, networking, and embedded constraints.

Secure OTA Update Pipeline (Zephyr + MCUboot + STM32)

End-to-end demo that fetches signed firmware from a hardened web server, stages it into a secondary slot, and hands off verification to MCUboot with rollback on failure.

Zephyr RTOS · MCUboot · STM32 · TLS · Dual-slot firmware

nRF + W5500 Ethernet Bring-Up with Secure Updates

Brought up an nRF-based board with a W5500 Ethernet shield, implemented robust reconnect logic, and used it as a testbed for secure firmware download flows.

nRF · W5500 · DeviceTree · Network resilience

IPSec/IKE Strongswan Lab for Firmware Engineers

Designed a small Strongswan lab to experiment with key exchange, certificate-based auth, and failure scenarios relevant to devices establishing secure tunnels to a backend.

IPSec/IKEv2 · Strongswan · Linux · Secure channels

Bootloader Rate Limiter (Token Bucket on MCU)

Implemented a token-bucket rate limiter in a custom bootloader to throttle update attempts and reduce brute-force behaviour, adapting patterns from large-scale systems to small MCUs.

C · Bare metal · Rate limiting · Defensive design

Articles & Notes

Short, focused notes on topics I’ve implemented or debugged in real firmware.

MCUboot, in practice: how image verification really works
A pragmatic walkthrough of how MCUboot chooses slots, validates signatures, and recovers from failures — from the perspective of a device actually in the field.

Mapping system-design rate limiters to microcontrollers
Taking token-bucket and leaky-bucket patterns from system design interviews and implementing them inside a resource-constrained bootloader.

Zephyr networking gotchas: timeouts, reconnection, and W5500 quirks
Notes from bringing up Ethernet on Zephyr, focusing on what actually breaks under bad networks and how to make it boring again.

Resume & Skills

Quick view of what I work with most often. For the full story, grab the PDF.

  • Core: C, embedded systems, ARM Cortex-M, RTOS (Zephyr, FreeRTOS), secure boot, OTA update pipelines.
  • Security & protocols: TLS, X.509, IPSec/IKE, SSH, key management, rate limiting, basic threat modeling.
  • Networking & Linux: TCP/IP, DNS, HTTP(S), Linux networking tools, Strongswan, Nginx, basic hardening.
  • Tooling: Git, CMake, GDB, logic analyzers, oscilloscopes, Wireshark.
  • Bonus: System design concepts translated to firmware: rate limiting, consistent hashing, key-value stores.

Download resume (PDF) · View on LinkedIn

The best way to reach me for roles, chats, or collaboration.