[U-Boot-Users] Safe firmware updates

[U-Boot-Users] Safe firmware updates

[Ian Ridge]

Hi,

 

Power disconnect during firmware update:

 

We are implementing facility for automatic firmware upgrades (either the
Linux uImage or cramfs) on our embedded device. However there is a
requirement that the device is not broken by (the user for example)
disconnecting the power supply at any stage during the flash update.

 

In the absence of a backup battery, I guess the boot loader would have
to be modified to cope with this. Has anybody produced a solution
already?

 

If not I'm considering adding a command to u-boot. 'update' could work
as follows:

 

1) Linux application / scripts are responsible for downloading the
firmware upgrade, then erasing and copying into an image in free area of
the flash with CRC.

2) Linux reboots the device, so u-boot can take over.

3) 'update' command is called early in bootcmd script. 

4) 'update' routine checks specified flash location for new upgrade
image with valid CRC. If no image found or has bad CRC it returns,
control passes to next command in bootcmd, and Linux boots normally.

5) 'update' routine erases target area of flash, and then copies content
of upgrade image to target location.

6) 'update' routine erases upgrade image to prevent upgrade attempt on
subsequent boots.

 

Power cut during stage 1 would result in original firmware remaining.

Power cut during stages 2 to 5 would result in firmware upgrade when
power is restored.

Power cut during state 6 would result in new firmware remaining. (as
partial erase of update image would have bad CRC).

 

Maybe the upgrade (cramfs, kernel uImage, etc) could be stored in
another uImage with a new type. 

 

Any comments?

 

Ian
 
DISCLAIMER: 
 
The information contained in this message is for the intended addressee only  
and may contain confidential and/or privileged information. If you are not the  
intended addressee, please delete this message and notify the sender; do not  
copy or distribute this message or disclose its contents to anyone. This email  
has been scanned by our Anti Virus software before leaving the premises. APD  
Communications takes no responsibility for any damage or loss caused by any  
undetected virus being inadvertently transmitted with this message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.denx.de/pipermail/u-boot/attachments/20060216/e64c91dd/attachment.htm 

[U-Boot-Users] Re: Safe firmware updates

[do]

...
> 3) ?update? command is called early in bootcmd script.
...
>  
> Any comments?


IMHO there is a possibility of problems with this early routines, how to 
upgrade them? What with reset vector? Shouldn't this be two stage 
bootloader?

Best regards!

[U-Boot-Users] Safe firmware updates

[Wolfgang Denk]

In message <9D8FC3304AA0924E9CD0A211DFEDCBAB0164D7AF@bespin.apdcomms.co.uk> you wrote:
> 
> We are implementing facility for automatic firmware upgrades (either the
> Linux uImage or cramfs) on our embedded device. However there is a
> requirement that the device is not broken by (the user for example)
> disconnecting the power supply at any stage during the flash update.

This is not new. It's actually a astandrard requirement.

> In the absence of a backup battery, I guess the boot loader would have
> to be modified to cope with this. Has anybody produced a solution
> already?

There is no need to change anything. U-Boot is perfectly  capable  of
supporting such requirements.

> 4) 'update' routine checks specified flash location for new upgrade
> image with valid CRC. If no image found or has bad CRC it returns,
> control passes to next command in bootcmd, and Linux boots normally.
> 
> 5) 'update' routine erases target area of flash, and then copies content
> of upgrade image to target location.

Why would you do that if the new image is already in flash? Just swap
boot addresses...

> Any comments?

Your design is much too complicated. Keep it simple.

Best regards,

Wolfgang Denk

-- 
Software Engineering:  Embedded and Realtime Systems,  Embedded Linux
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
"Data is a lot like humans: It is  born.  Matures.  Gets  married  to
other  data, divorced. Gets old. One thing that it doesn't do is die.
It has to be killed."                                 - Arthur Miller

[U-Boot-Users] Re: Safe firmware updates

[Wolfgang Denk]

In message <dt2j7g$8qd$1@sea.gmane.org> you wrote:
>
> IMHO there is a possibility of problems with this early routines, how to 
> upgrade them? What with reset vector? Shouldn't this be two stage 
> bootloader?

What are you talking about? either me or you misunderstood something.

Best regards,

Wolfgang Denk

-- 
Software Engineering:  Embedded and Realtime Systems,  Embedded Linux
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
What was sliced bread the greatest thing since?

[U-Boot-Users] Re: Safe firmware updates

[do]

Wolfgang Denk napisa?(a):
> In message <dt2j7g$8qd$1@sea.gmane.org> you wrote:
>> IMHO there is a possibility of problems with this early routines, how to 
>> upgrade them? What with reset vector? Shouldn't this be two stage 
>> bootloader?
> 
> What are you talking about? either me or you misunderstood something.
> 
> Best regards,
> 
> Wolfgang Denk
> 

Yes of course, my mistake - sorry. But by the way, is there a 
possibility for safely update u-boot?

Best regards!

[U-Boot-Users] Re: Safe firmware updates

[Wolfgang Denk]

In message <dt527p$arr$1@sea.gmane.org> you wrote:
>
> Yes of course, my mistake - sorry. But by the way, is there a 
> possibility for safely update u-boot?

Yes, if you have hardware to support this (i. e. two flash banks that
can be swapped, where the "switch" can  be  controlled  by  software,
remembers  it's state when powered off *and* has some kid of watchdog
function to toggle back to the other position in case the system does
not come up). Not many systems support this ;-)

Best regards,

Wolfgang Denk

-- 
Software Engineering:  Embedded and Realtime Systems,  Embedded Linux
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
If I don't document something, it's usually either for a good reason,
or a bad reason.  In this case it's a good reason.  :-)
                 - Larry Wall in <1992Jan17.005405.16806@netlabs.com>