Safe bootloader self-update

matyas_gasko
Contributor I

Hello,

We're planning to use an S32K (probably S32K148) controller in our project, but I'm unsure if it has any built-in support or a recommended way for updating the bootloader in the field in a safe way, i.e. boot remains possible even in case of a power failure during the update.

A possible approach would be to have a bootloader updater code on the flash (downloaded on-demand or permanently) and this code would overwrite the bootloader. The boot sequence in this case must be set to start with the bootloader updater code during the process, so that if the update is incomplete and the bootloader is invalid the system still boots and restarts the update.

The question is, is it possible to force the controller to boot from an alternative start address, set by a code running from the flash, in a way that this setting remains even in case of a power failure?

What other approaches are recommended, if there are any?

Thanks and best regards

Matyas

1 Solution
dianabatrlova
NXP TechSupport

Hi Matyas,

I suppose this could work as follows:

The first sector in the flash memory needs to be preserved because the reset vector is there, and it should not be rewritten.

After that, you will have two places in the flash memory, which hold the new (updated) bootloader and the permanent bootloader. After reset, the MCU decides whether the bootloader or the user application will be executed. Before jumping to the bootloader, the application checks whether the new bootloader is loaded correctly (checksum). If yes, the application jumps to the new bootloader; if not, the application jumps to the permanent bootloader.

I hope it helps you.

Best regards,

Diana

matyas_gasko
Contributor I

Hello Diana,

So the bottom line is that I need a kind of non-updateable pre-loader to see which code sections are valid, because there is no safe way to change the reset vector in a non-volatile way.

Thanks for pointing it out!

Best regards

Matyas
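The pre-loader decision this thread arrives at, as an added example that is not from the original posts or from NXP: a host-runnable C simulation in which the updater writes the image header last and the pre-loader falls back to the permanent bootloader unless every check passes. The header layout, `IMG_MAGIC`, the function names, the `steps` parameter and the choice of CRC-32 as the checksum are assumptions, and the slot is a RAM buffer standing in for a flash region.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IMG_MAGIC 0x424C4452u /* constructed marker value ("BLDR") */

/* Hypothetical header at the start of the updatable bootloader slot. */
typedef struct {
    uint32_t magic;   /* IMG_MAGIC once a complete image has been written */
    uint32_t length;  /* payload bytes that follow the header */
    uint32_t crc32;   /* CRC-32 of the payload */
} img_header_t;

typedef enum { BOOT_PERMANENT = 0, BOOT_NEW = 1 } boot_choice_t;

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320), no lookup table. */
static uint32_t crc32_calc(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Pre-loader side: the slot is untrusted until every check has passed. */
boot_choice_t select_bootloader(const uint8_t *slot, size_t slot_size)
{
    img_header_t h;
    if (slot_size < sizeof h) return BOOT_PERMANENT;
    memcpy(&h, slot, sizeof h);                   /* no unaligned access */
    if (h.magic != IMG_MAGIC) return BOOT_PERMANENT;   /* erased or partial */
    if (h.length == 0 || h.length > slot_size - sizeof h)
        return BOOT_PERMANENT;                    /* would read past the slot */
    if (crc32_calc(slot + sizeof h, h.length) != h.crc32)
        return BOOT_PERMANENT;                    /* corrupted payload */
    return BOOT_NEW;
}

/* Updater side, simulated: erase, then payload, then header. `steps` is how
 * many write steps finished before a simulated power failure (0, 1 or 2). */
void write_image(uint8_t *slot, size_t slot_size,
                 const uint8_t *payload, uint32_t len, int steps)
{
    img_header_t h = { IMG_MAGIC, len, crc32_calc(payload, len) };
    if (slot_size < sizeof h || len > slot_size - sizeof h) return;
    memset(slot, 0xFF, slot_size);                          /* erased flash */
    if (steps >= 1) memcpy(slot + sizeof h, payload, len);  /* payload */
    if (steps >= 2) memcpy(slot, &h, sizeof h);             /* header last */
}
```

A CRC only detects an interrupted or corrupted write; it does not show who produced the image.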
