I noticed your question about how to manage firmware updates for devices in field in this week's newsletter. We have two solutions available with eCosPro!

Over a decade ago we developed our Robust Boot Loader. It has been used with applications as diverse as overnight updates on high-speed trains in France, refrigerated lorries in Scandinavia and building controllers in North America (and then around the world). In essence we extended RedBoot (our bootstrap code), removing the single points of failure and provided a mechanism to work similar to mirroring on an enterprise system. A fresh image is loaded into a redundant area, validated, started, re-validated and then once we're happy the "old" image's space becomes the reservoir for assembling a new update. Image integrity is critical, as was testing to ensure that the system was resilient if (for example) the power failed/was disconnected during the reprogramming stage. Versioning is managed to make sure that previous updates aren't written over a newer installed image, unless the application developer really, really, really wants to!

In the case of the refrigerated lorries, we worked with a tiny 16KiB buffer to collate inbound images (2-4MiB) over a very low-speed GSM link, over many days. For the building controllers we applied the same versioning to data as well as code, so different operating parameters/datasets could be used for the changing environmental conditions to reflect how the valve responses should change from summer through autumn (fall) etc.

We also provide a mechanism to hang a physical switch, dongle or even magic sequence of bytes on a serial link, for a technician to initiate a service update, as well as the software methods from an application.

You can find further details in our online documentation at the following URL:

More recently we've developed our eCosPro-BootUp framework, which is better suited to very small scale systems, such as SoC parts and Cortex-M3/4/7 class parts that have a finite amount of on-device flash. A design trade-off with the Robust Boot Loader is needing double the image space.

We've also seen devices emerge that need us to work in concert with a manufacturer's multi-stage and/or secure bootstrap routines, such as Cortex-A class microcontrollers. We also have clients that deploy groups of update files, which have to be written to sub-systems attached to the micro, such as DSP firmware, FPGA bitfiles or raw datasets. We include decompression and validation routines and images may be on external media.

Universally, eCosPro-BootUp is designed as the first code to run in the system and is intended to be left in-situ during any updates. It gets out of the way once the initial system is loaded, so doesn't add an overhead to a running system.

Again, the core documentation for the BootUp framework is available on our website, although some implementation issues are specific to our clients' proprietary hardware and/or restricted by NDA for some of the Secure Boot steps. The direct link to the public elements is:

http://www.ecoscentric.com/ecospro/doc/html/ref/bootup.html

Talking with potential customers over the years, one thing that does strike is me is that sometimes these design choices are made after the development phase. Some physical cases, such as being a few hundred feet up/down a lift shaft with limited access to a reset button, do drive these decisions further towards the front of the plan. In some cases, such as Set Top Box design, the immaturity of the tech means that an update mechanism has to be designed in from the outset.

The OpenBLT firmware update sequence is as follows:

(1) The flash memory, which is to be rewritten, is erased.
(2) The new firmware is communicated to the bootloader and programmed into flash memory in small chunks of data. Typically 7 - 64 bytes, depending on the used communication interface (CAN, UART, USB etc).
(3) As the last programming step, a 16-bit checksum value is programmed into flash memory at a fixed location. This is not a checksum of the entire firmware, but typically just a checksum of the vector table. It serves as a marker to determine if the firmware was completely programmed or not.
(4) Once done, the new software program is started after performing a checksum verification.

After a microcontroller reset, the bootloader is always first active. It will only start the user's firmware if it is present, by performing the checksum verification. Thanks to this checksum mechanism, problems during the firmware update procedure (communication lost/power failure) do not cause any problems. The worst case scenario is that the bootloader remains active, which allows the firmware update to be restarted.

Thanks to the feature that the firmware data is communicated is small chunks of data, the OpenBLT bootloader can also run on low-end microcontrollers with limited RAM.

Additional details regarding the design of the bootloader can be found
at: http://feaser.com/openblt/doku.php?id=manual:design.

We are using OpenBLT in our devices for firmware updates and never had a problem with it. It supports SD card, UART, CAN, TCP/IP, and USB.

Firmware update methods depend upon the type of embedded platform.

Bare-Metal: If you are in control of everything, say with an embedded RTOS and a little bit of boot-strap code (crt0.asm, perhaps), then my method is to have three code sets (with one of them duplicated):

Boot-Check -- This is a very small bit of code that uses the boot-strap to get the processor alive, then check the rest of the FLASH memory to see who is available to run. This thing must be absolutely bullet-proof when you deliver the product, as it cannot be updated! This code first tries to run the Run-Time code, then the Enhanced Boot-Load, and will finally fall back to the Factory Boot-Load, if nothing else works. You can also put in physical switches or special commands to force a particular set of code to run. Think of it as a "get out of jail free" card. If you totally FUBAR the Run-Time code, you can flip a switch to make the Boot-Load code run, so that you can load a new, better Run-Time code (or revert to an older, less broken one). In addition to the physical switches, the Boot-Check can use a combination of checksum calculation, version numbers, or "good markers" to know what code should be run.

Factory Boot-Load -- This is a slightly larger bit of code that interfaces to the outside world (Ethernet/USB/RS-232/etc.) to accept firmware updates, and little else. To create this code-set, usually strip out most of your Run-Time code down to just the bare external interface.
Enhanced Boot-Load -- When a product ships, this code segment is empty, allowing for future upgrades of the Factory Boot-Load, if you have some bug in it.

Run-Time -- This is the main body of code that makes the product do, whatever the product is supposed to do. It should include some command across the user interface to force it to reboot into the Boot-Load for firmware updates.

As for the updates themselves, you classically don't have enough space to hold two complete code-sets of your Run-Time code, so choose a download method that is chunky, like S-Records. When you go to start an update, erase the entire Run-Time FLASH allocation and then start downloading and burning one S-Record at a time. Checksum each record both at the incoming interface, and as it is burned into the FLASH. Flag an error back to the user on any checksum failure. Once the entire code is downloaded, checksum the entire Run-Time FLASH allocation and compare to the known checksum (obviously you'll have to have your boot-loader calculate it for you and report it to you as a developer). Assuming the checksum all matches, indicate that this code is "good to run" for the next time the Boot-Check is looking for code.

Linux-Distro: If you are developing an application on top of Embedded Linux, say with a U-Boot/X-Load boot-strap, then I have always opted for a "monolithic upgrade" path. I usually don't allow the boot-strap code to be updated in a fielded unit, but upgrade the Kernel, RootFS, and my applications as a single entity. Give the user one "upgrade.tar.gz" containing a manifest file (letting the upgrade engine know what is being upgraded, with MD5 checksums) and the files to upgrade. Then FTP/SCP the file onto the unit and issue a single command to start the upgrade.

The upgrade itself is either a single, or perhaps multiple staged shell scripts to erase FLASH, program FLASH and possibly reboot. For instance, if you are running from an NAND-based RootFS, you cannot upgrade the RootFS from which you are running, so you need to have "factory" and "enhanced" versions of the Kernel and RootFS so that you can "swap" between them during the upgrade process. During the upgrade, the upgrade.tar.gz contents will be copied to a non-volatile area, the "enhanced" kernel will be deleted, then system will be rebooted into the "factory" Kernel+RootFS. The "factory" code will see the upgrade files present and know that it has to erase and program the "enhanced" Kernel+RootFS images. After upgrading the images, the "factory" code removes the upgrade files and reboots back into the upgraded Kernel+RootFS.

The logic to switch between "factory" and "enhanced" can be supported by a series of U-Boot commands that first tries to load the "enhanced" Kernel, falling back to the "factory" when the "enhanced" fails.

There's a lot more detail that goes into this, but hopefully it gives you a rough idea of one way to accomplish firmware upgrades.