How does the KW47 ROM Bootloader decide which image is newest?

manuvs014

Hi NXP Team,

I am working on the KW47 dual-image boot / OTA update concept, and I would like to clarify how the ROM bootloader selects the newest image during boot.

From my understanding, in a dual-image setup we may have two valid application images in internal flash, for example:

Primary Image -> Address configured by Boot Image Base Address in ROMCFG / IFR0
Secondary Image -> Address configured by FLW region / ABASE in ROMCFG / IFR0

During reset, the ROM bootloader checks both images and decides which one should be booted.

My doubt is mainly about this point:

How does the KW47 ROM bootloader know which image is newer?

sofiaurueta

Hello, hope you are doing well!

In a dual-image setup, the images are treated as primary (experimental or latest firmware image) and secondary (as a backup fallback image).

The KW47 ROM bootloader determines the newer image using the firmwareVersion field from each image’s metadata and boots the higher version. If both versions are equal, the Boot Image Base Address is considered for boot (as a tie-breaker), and if the newer version image fails validation/authentication or rollback protection, Boot ROM falls back to the older image.

In terms of firmware version enforcement, the Boot ROM provides rollback protection by preventing firmware updates if the update image version is older than the version allowed by the system, and by preventing boot (secure boot failure) if the firmware version is older than the minimum version permitted for execution.

More information is available on the KW47 Security Reference Manual.

Best regards,
Sofia.

manuvs014

Hello Sofia,

Thank you for the response.
"The KW47 ROM bootloader determines the newer image using the firmwareVersion field from each image’s metadata and boots the higher version. If both versions are equal, the Boot Image Base Address is considered for boot (as a tie-breaker), and if the newer version image fails validation/authentication or rollback protection, Boot ROM falls back to the older image."

I would like to clarify one implementation detail from the application/developer side.

How should we configure or place this image metadata, especially the firmwareVersion field, inside each firmware image so that the KW47 ROM bootloader can read it?

Specifically:

Is there a fixed metadata/header address inside each bootable image where the ROM bootloader expects to find the firmwareVersion?
Is this metadata located relative to the image start address, for example near the image vector table or image header?