2387347_en-US

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

2387347_en-US

2387347_en-US

S32K342 FOTA Bootloader Architecture Guidance Required (UART-Based Update)

Hello NXP Team,

We are developing a custom Firmware Over-The-Air (FOTA) solution for the S32K342 and would like guidance on the recommended flash architecture and boot flow.

MCU Details
Device: S32K342

PFlash: 2 MB

Bank 0: 1 MB

Bank 1: 1 MB

DFlash: 128 KB

Current Status
We are using UART as the firmware update interface.

So far, we have successfully:

Receive the firmware (.bin) over UART

Store the complete binary into flash memory

Verify that the received image is stored correctly

Our remaining challenge is implementing the bootloader architecture and application switching mechanism.

We would like clarification on the following:
1. Recommended FOTA Flash Layout
What is the recommended memory layout for an S32K342 dual-image FOTA implementation?

Specifically, we would like to know the recommended locations for:

Bootloader

Application Slot A

Application Slot B

Metadata / Boot flags

Version information

CRC

Rollback information

An example memory map with addresses would be extremely helpful.

2. Recommended Boot Flow
Could someone explain the complete boot sequence recommended by NXP?

For example:

Reset

Bootloader starts

Check boot flags

Select active application

Validate image (CRC/signature)

Jump to application

We would appreciate a flow diagram or explanation of the complete process.

3. Bootloader to Application Jump
For S32K342, is the standard Cortex-M7 jump sequence sufficient?

For example:

Read MSP from application base address

Read Reset_Handler from base + 4

Set MSP

Update VTOR

Jump to Reset_Handler

Are there any S32K342-specific requirements or initialization steps before transferring control?

4. Dual Application Images
If App A and App B are located at different flash addresses:

Should each application have its own linker script?

Or is there a recommended NXP approach for building dual-slot applications?

5. Flash Bank Usage
Since S32K342 has two 1 MB PFlash banks:

Is the recommended approach to:

Execute the bootloader from Bank 0

Program the new firmware into Bank 1

Switch execution after successful verification

Are there any Read-While-Write or erase/programming restrictions between the two PFlash banks?

6. Metadata Storage
Where is the preferred location to store:

Active image flag

Image validity

Firmware version

CRC

Rollback status

Should these be stored in:

Reserved PFlash

DFlash

Another dedicated region?

7. UART-Based FOTA
Since our update interface is UART, we would like to know the recommended workflow.

Is the following flow correct?

PC

UART

Bootloader receives .bin

Store firmware into inactive flash slot

Verify CRC

Update boot metadata

Reset MCU

Bootloader selects new image

Jump to application
Or does NXP recommend a different approach?

8. AB_SWAP vs Custom Bootloader
Is HSE AB_SWAP mandatory for production FOTA on S32K342?

Or is a fully custom bootloader with dual application slots also a supported and commonly used architecture?

If there are any application notes, reference projects, bootloader examples, or documentation specifically covering S32K342 FOTA, UART firmware updates, or dual-image bootloaders, we would greatly appreciate the references.

Thank you for your support.
S32K3 S32DS-ARM 

Re: S32K342 FOTA Bootloader Architecture Guidance Required (UART-Based Update)

Hi @bavinkumar_02 

1. In case of S32K342, there’s only one possible setup for AB_SWAP. See “3.5.3.2 Illustrations of Flash memory layout in AB_SWAP” in HSE Firmware reference manual which can be downloaded from Documentation -> Secure files: https://www.nxp.com/products/S32K3

In your case, the most convenient and most common layout is:

lukaszadrapa_0-1782731189993.png


It’s necessary to install AB_SWAP version of HSE firmware (the swap is a feature of HSE, it’s not possible to do that without HSE firmware). The firmware is installed to both partitions and it occupies last 176KB in both blocks as shown on the picture.
Because whole blocks are swapped, it’s necessary to have exact copy of the bootloader in both blocks. The rest is allocated for applications.
The code is always running from active block, so the bootloader and all applications are compiled for addresses in active block.
When bootloader updates an application, it programs the application to passive block, so there’s no problem with read-while-write issues during flash programming. Once the application is programmed, you can trigger HSE_SRV_ID_ACTIVATE_PASSIVE_BLOCK HSE service. After next reset, the partitions will be swapped and bootloader will jump to application as usual (to new application which is in active block now).

2. The flow is application dependent. In modern automotive applications, simple CRC-based validation is no longer considered sufficient. Integrity and authenticity of the software are typically ensured using Secure Boot mechanisms. On S32K3 devices, this is handled by the Hardware Security Engine (HSE), which performs cryptographic verification (e.g. signature-based) autonomously during boot. Production automotive systems are expected to leverage these hardware-backed security features rather than relying on CRC-only validation.
We provide Secure Boot application note including demo projects. It can be downloaded from:
https://www.nxp.com/products/S32K3
Application note can be found here:
Documentation -> Secure Files -> Secure Boot Application note v0.1.1.0 (AN744511)
Associated demo project can be downloaded here:
Design Resources -> Software -> Secure Files -> SecureBootAppNoteDemo (SW745310)

Other examples for secure boot can be found in HSE Demo Examples:
https://www.nxp.com/webapp/Download?colCode=S32K3_HSE_DemoExamples
There are examples for all three modes – advanced secure boot, basic secure boot and SHE secure boot. Advanced secure boot is recommended.
See Readme.md file which is included in all projects.

3. Yes, that’s standard jump sequence. It’s just highly recommended to de-initialize all resources initialized by bootloader before the jump.

4. As mentioned above, the code is always executed from active partition, so the application always uses the same linker file.

5. Already discussed above.

6. This is up to user. You can store the data behind the application image or to data flash.

7. For a production automotive use case, the proposed flow is generally correct from the data-transfer point of view, but as already mentioned, I would not recommend relying on CRC as the main validation mechanism.
In automotive applications, the received image is typically protected cryptographically - for example, the image may be encrypted and its authenticity/integrity is verified using a digital signature, not only by CRC.
Also, when using the HSE AB_SWAP mechanism, the bootloader does not simply select the new image by software metadata after reset. After the new image is programmed into the passive partition and successfully verified, the application/bootloader should call the HSE service HSE_SRV_ID_ACTIVATE_PASSIVE_BLOCK. This activates the passive block, so after reset the device boots from the newly activated partition.


8. HSE AB_SWAP is not strictly mandatory, but for a production automotive FOTA solution on S32K342 it is strongly recommended.
Implementing FOTA without HSE would mean you are not leveraging one of the key advantages of the S32K3 platform. The main benefit of these devices is the built-in support for A/B swap (partition remapping) handled by HSE. Without it, the bootloader would have to manage everything manually.
Specifically, without HSE AB_SWAP:
You would need to implement your own mechanism for selecting between A/B images
You would have to carefully manage the address space and link each application to different fixed locations
The swap between images would not be handled autonomously by the hardware, but entirely in your software
There is no alternative hardware-supported remapping mechanism available outside of HSE AB swap feature

In addition, you would lose the simplicity and robustness of Secure Boot integrated with AB_SWAP. With HSE, image activation, validation, and switching between partitions are handled in a much more controlled and efficient way, aligned with automotive security requirements.
In summary, doing this without HSE is possible, but it significantly increases complexity and removes key benefits of the platform.

You can take a look at “S32K3XX HSE and OTA Advance Training [TR744101]” which can be downloaded Documentation -> Secure files: https://www.nxp.com/products/S32K3

Regards,
Lukas

标记 (1)
无评分
版本历史
最后更新:
2 周之前
更新人: