Oh, and just for fun don't forget the execution environment is SPI NOR Flash XIP.
Has anyone actually made this scenario actually work?
Hi @Littell
First of all, this topic is still on validation, so please do not consider this yet as an official document. As you already saw, we still do not have official documentation in English, but we are working on this. I thank you for your interest and apologize for any inconvenience. Please take a look at the below and let me know your feedback, if you get any issues or find any inconsistency.
I tested this with the i.MX RT1170 EVKB and MCUXpresso Secure Provisioning Tool v9.
The bootROM plays an important role on this. Before getting started please check your bootROM version. Below an snapshot of how to do it.
My RT1170 contained a bootROM with version T2.0.0. Please help me to check yours by setting the MCU in serial downloader mode and calling the below command.
blhost u VID,PID -- get-property 24 command.
If you have an older or different bootloader version please let me know.
Preparation :
1 Download and install latest version of the MCUXpresso Secure Provisioning Tool.
2 Make a mass erase to EVK flash.This is to avoid any previous version numbers. A mass erase can be done with the MCUXpresso IDE with ease.
Project creation Steps:
Secure Provisioning Tool Steps:
Then, you will see that the OTP config will turn green.
Note: With this setup the SPT will write the image version of 5 and the same image to both address space of imageL and imageH of 0x3000_2000 and 0x3040_0000 respectively
This way image L will be written to memory but twice, because image L will be written on the offset and space of image H. This is considered as redundant boot.
This way the SPT will only write to the offset and space of imageH (or image 1)
Note: we discovered a bug in the SPT: When creating FCB block by "convert to FCB" button, region around the FCB is erased. Size of erased region is dependent on the minimal erasable block of memory. This can erase user data or image version that is placed immediately after FCB block for RT10xx/RT11xx devices. The solution for this bug is prepared for SPT v10. If you see any strange behavior review write again the image L and image H.
The below image shows the ability to boot different applications.
According to my tests, I could define the following:
The below table shows boot image criteria when two images are programmed into the flash.
L image version |
H image version |
Boot image criteria |
Boot type |
valid |
valid |
BootROM will boot the image with the higher valid version number. |
Dual image boot |
0xFFFF_FFFFF |
valid |
BootROM will boot image L first. |
Redundant boot |
valid |
0xFFFF_FFFF |
BootROM will boot image L first. |
Redundant boot |
Invalid |
valid |
BootROM will boot the image with the valid image version only. |
Redundant boot |
valid |
invalid |
BootROM will boot the image with the valid image version only. |
Redundant boot |
Where:
L : When there are two images in the flash memory, L image is the image located at the lowest physical address on the memory. Consider an image located at 0x3000_0000 and another one at 0x3040_000 , L is the image located at 0x3000_0000.
H: When there are two images in the flash memory , H image is the image located on the highest physical address on the memory. Consider an image located at 0x3000_0000 and another one at 0x3040_000 , H is the image located at 0x3040_0000.
image version: Is a four-byte tag. The first two less signficative bytes represent the real image version( ranging from 0x0000 to FFFF) and the next two more signficant bytes represent the inverse value of the two real image version bytes.
valid or valid image version : Is an image version where the real version number bytes and the inverse value bytes match . For example, 0xFFFE_0001, where 0001 is the real version number and 0xFFFE the inverse value of 0x0001.
Invalid or invalid image version : Is an image version where the real version number bytes and the inverse value bytes do not match For example : 0x0000_0001.
0xFFFF_FFFF: This a special case where all four bytes contain F’s, and it is also considered a valid version number. Is is an special version value useful to test redundant boot.
Redundant boot: The bootROM will always attempt to boot first image L if the below conditions are met:
If above conditions are not met, or if image L boot fails, the bootROM will attempt to boot image H.
Dual boot : the bootROM will always select to boot first the image with the highest version number if the below conditions are met.
If above conditions are not met, or selected image boot fails, the bootROM will attempt to boot from the other image, performing redundant boot.
I hope this could help,
Diego
I will certainly go through this with a fine-toothed comb. At first reading it does appear to match my understanding of Image Version behavior.
Notes from a first reading:
The bootROM version on my EVKB is K3.0.1. I extracted it using the information in the RT1170 Reference Manual Section 10.13.1.
This is good information and it's a shame I had to push so hard for it to become available. But it's only one part of the overall issue we face: the execution environment of the application is XIP from the SPI NOR Flash. A critical feature of our project is dependent on being able to download and program Flash with a new image then reboot into that image. How is this to be mechanized in this execution environment?
Hi @Littell
Thank you for your quick feedback and interest! I do appreciate your patience and help as well. I will wait for any further comments from you.
Btw, could you explain further the mechanization on execution environment?
Diego
What are the steps needed to program the SPI NOR Flash with a new image then reboot into that image when utilizing XIP on the SPI NOR Flash?
Hi @Littell
Thank you for your reply!
I understand that you are making a reference to update an image with a newer version, like an OTA. If not let me know otherwise.
In this scenario we are manually booting the MCU into serial downloader mode and programming the image over SPT ( which implements BLHOST at a low level). I think that if you need some sort of automation. There is a raw and simple scenario where you would need to re-invoke the bootloader from SW, and this is possible, using the runBootloader() API, and then send the new image over BLHOST, with a different SW version, to benefit from the dual image feature.
For a more sophisticated way, I suggest looking at our SBL reference project and documentation. The SBL user guide details dual image use cases, but here we are not making any use of the ROM bootloader.
Diego
No, the image update cannot involve any external entities other than the one that provides a downloaded image.
Think of it this way, on a dual-image-configured XPI SPI NOR Flash: <app image in a file on a mounted filesystem> ==> <the area in XIP NOR Flash that is not being actively executed> ==> <reboot into the newly written image in Flash>
I'm not sure how to make it more clear or simpler.
Hi @Littell
Thank you for your reply!
I am afraid that I do not have such implementation steps, but for what I understand, your idea is interesting.
I have not tested reboot to execute the updated image with the higher version number. I think this is the most critical step. Because you can implement a custom way of receving and writting the image, this seems to be independent to dual boot feature from the bootROM. Also writting while executing the image is dependant on the features of your flash memory, for reference check this app note AN12564 Implement RWW on i.MX RT Series
Diego