RE: [U-Boot-Users] Fail Safe: Redundant U-boot Images in Flash??? ?

It is impossible - there is only one reset entry point. How would you determine which image to boot?
What you typically do (assuming the hardware supports it) is to have two banks of flash memory that can be swapped using some jumper or switch or so.
The code at the entry point needs to be small, reliable and never require an upgrade in the field. This code would run a CRC on the primary U-boot image to determine if it's safe to boot, upon CRC failure verify then run the backup image.
For remote systems we need to resolve the issue of upgrade failure without human intervention - or perhaps remote human intervention.
-John Roberts (Engineer, not Judge)

--- "Roberts, John" john.e.roberts@siemens.com wrote:
It is impossible - there is only one reset entry point. How would you determine which image to boot?
What you typically do (assuming the hardware supports it) is to have two banks of flash memory that can be swapped using some jumper or switch or so.
The code at the entry point needs to be small, reliable and never require an upgrade in the field. This code would run a CRC on the primary U-boot image to determine if it's safe to boot, upon CRC failure verify then run the backup image.
For remote systems we need to resolve the issue of upgrade failure without human intervention - or perhaps remote human intervention.
-John Roberts (Engineer, not Judge)
So what happens if the CRC is correct, but the new image has a bug (functional ?) in it....

Roberts, John wrote:
The code at the entry point needs to be small, reliable and never require an upgrade in the field. This code would run a CRC on the primary U-boot image to determine if it's safe to boot, upon CRC failure verify then run the backup image.
For remote systems we need to resolve the issue of upgrade failure without human intervention - or perhaps remote human intervention.
We have done this on our board "gth". We use a pre-loader called miniboot: http://opensource.se/projects/miniboot/index.html
Miniboot chooses which of two u-boot images to boot by checking CRC.
Regards, /Thomas
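The CRC-based choice between two U-Boot images that miniboot makes, written out as an added example (this is not miniboot's or U-Boot's code; the slot header layout, SLOT_MAGIC and the demo scenario are constructed for illustration):

```c
#include <stdint.h>
#include <string.h>
/* Constructed slot layout for this example (not miniboot's real format):
 * a small header followed by the U-Boot image payload. */
#define SLOT_MAGIC 0x55424F4Fu              /* arbitrary constructed value */
struct slot_hdr {
    uint32_t magic;                         /* must equal SLOT_MAGIC */
    uint32_t length;                        /* payload bytes after header */
    uint32_t crc;                           /* CRC-32 (IEEE) of the payload */
};
/* Bitwise CRC-32 (reflected poly 0xEDB88320), the same algorithm as zlib and
 * U-Boot's crc32(); table-free so it fits a tiny, never-updated pre-loader. */
uint32_t crc32_calc(const uint8_t *buf, size_t len)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}
/* 1 if the slot holds a sane header and a payload whose CRC matches. */
int slot_is_valid(const uint8_t *base, size_t size)
{
    struct slot_hdr h;
    if (size < sizeof h) return 0;
    memcpy(&h, base, sizeof h);                 /* avoid unaligned access */
    if (h.magic != SLOT_MAGIC || h.length > size - sizeof h) return 0;
    return crc32_calc(base + sizeof h, h.length) == h.crc;
}
/* miniboot-style policy: primary if intact, else backup, else -1 (none safe). */
int select_image(const uint8_t *primary, const uint8_t *backup, size_t size)
{
    if (slot_is_valid(primary, size)) return 0;
    return slot_is_valid(backup, size) ? 1 : -1;
}
/* Constructed scenario: both slots written with the same image, then one
 * payload byte of the primary flipped to simulate an interrupted upgrade. */
int demo_fallback(void)
{
    static uint8_t pri[64], bak[64];
    const uint8_t img[] = "constructed u-boot payload";
    struct slot_hdr h = { SLOT_MAGIC, sizeof img, crc32_calc(img, sizeof img) };
    memcpy(pri, &h, sizeof h);
    memcpy(pri + sizeof h, img, sizeof img);
    memcpy(bak, pri, sizeof bak);
    pri[sizeof h + 3] ^= 0x01;
    return select_image(pri, bak, sizeof pri);     /* -> 1: boot the backup */
}
```

As Frank's question above points out, a matching CRC only shows the image was written intact, not that it boots correctly.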

In message 5F98E47AD7B1C349895ED4E2EDF3918B01F291FF@stca209a you wrote:
The code at the entry point needs to be small, reliable and never require an upgrade in the field. This code would run a CRC on the primary U-boot image
The code at the entry point that is small, reliable and never requires an upgrade in the field is U-Boot. Just don't touch it. You don't have to.
Best regards,
Wolfgang Denk
participants (4)
- Frank
- Roberts, John
- Thomas Lange
- Wolfgang Denk