Embedded Devices: Always up to date with FOTA updates

The Firmware-Over-the-Air-Update (FOTA-Update) is one of the most important features for the vast majority of modern embedded devices used, for example, by manufacturers in the automotive, consumer electronics and healthcare industries. The FOTA update functionality enables manufacturers to fix bugs in software components of the existing system on the one hand and to install updates remotely on the other hand. This means that the devices always remain up-to-date, even if new functions and features are only introduced after the purchase of a device.

Modification of a running system

One of the main requirements for a device used as a component in the automotive industry was that an update should be installed while the Linux platform is running and deployed to the secondary bootloader, the Linux kernel, and the user-land applications. An external watchdog device was also part of the update mechanism; it supervises the boot of the updated kernel to prevent possible downtime. Moreover, it was important to provide an unattended update process with an automatic recovery feature in the event of an update failure or interruption.

Minimized downtime and a rollback feature

Three sets of NAND flash partitions were implemented to minimize system downtime during the update and provide an automatic rollback feature. Each set contains one partition for the Linux kernel and another for the root file system. When the system is running on partition set A, new kernel and root file system images are flashed into partition set B. Once the flashing is complete, the entire system reboots on partition set B. During the first boot, a functionality check is performed. In case of a failed check, the system reboots to partition set A again.

If it is not possible to boot from partition set B – and the rollback to partition set A also fails – a third partition set F is used, where F stands for "Factory Firmware". This partition set is never modified during the entire device life cycle and therefore contains the firmware that was verified and flashed during factory production. Although the firmware in the F partition set can be considered outdated, it guarantees that at least minimal system functionality remains available until a service technician arrives to pick up the broken device for further maintenance.

Figure: Three Partition Sets

Maximum Fault Tolerance and Resilience

Even in the event that the firmware update cannot be completed, precautions have been taken: an external watchdog device resets the device. During the reboot, the boot loader detects why the system has been restarted: by the watchdog device, by a power outage, or because the system was asked to reboot after the update had been written. The boot loader then decides which partition set to select for the current boot, taking the reboot trigger into account. This is made possible by a reboot matrix: the selection code stays the same, and only the matrix is modified in order to add an extra reboot path or block an existing one. All this makes the system an extremely flexible and at the same time portable solution.
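The following C model, written as an added illustration and not code from Concept Reply's product, shows how the three-partition-set scheme and the reboot matrix described above fit together: user land stages an update into the inactive set, the boot loader picks a set from the reboot trigger and the set it booted last time by looking up a table, and the candidate set is either committed after a successful functionality check or abandoned after a rollback. The trigger names, the role-based table, the attempt limit and the persistent state structure are all assumptions; a real boot loader would read the reset reason from hardware and keep the state in NVRAM or an environment block.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example (assumed names): boot-set selection driven by a reboot matrix. */

typedef enum { SET_A = 0, SET_B = 1, SET_F = 2 } PartitionSet;

/* Why the board came up again, as read from a reset-reason register or flag (assumption). */
typedef enum {
    TRIG_POWER = 0,     /* cold boot or power outage */
    TRIG_WATCHDOG,      /* the external watchdog reset the board */
    TRIG_UPDATE_DONE,   /* user land requested a reboot after flashing the candidate */
    TRIG_CHECK_FAILED,  /* first-boot functionality check failed, software asked to reboot */
    TRIG_COUNT
} RebootTrigger;

/* The matrix is written in roles, so the same table works whether the verified
 * firmware currently lives in set A or in set B. */
typedef enum { ROLE_ACTIVE = 0, ROLE_CANDIDATE, ROLE_FACTORY, ROLE_COUNT } Role;

typedef struct {
    PartitionSet active;      /* last set that passed the functionality check */
    PartitionSet candidate;   /* freshly flashed set awaiting its first-boot check */
    bool update_pending;      /* candidate holds an unverified image */
    PartitionSet last_booted; /* set the previous boot ran from */
    unsigned attempts;        /* consecutive boots of the candidate without a commit */
} BootState;

#define MAX_CANDIDATE_ATTEMPTS 3  /* assumption: abandon the candidate after this many tries */

/* reboot_matrix[trigger][role of last_booted] -> role to boot now.
 * Adding or blocking a reboot path means editing this table, not the selection code. */
static const Role reboot_matrix[TRIG_COUNT][ROLE_COUNT] = {
    /* last booted:          ACTIVE          CANDIDATE       FACTORY        */
    [TRIG_POWER]        = { ROLE_ACTIVE,    ROLE_CANDIDATE, ROLE_FACTORY   },
    [TRIG_WATCHDOG]     = { ROLE_FACTORY,   ROLE_ACTIVE,    ROLE_FACTORY   },
    [TRIG_UPDATE_DONE]  = { ROLE_CANDIDATE, ROLE_CANDIDATE, ROLE_CANDIDATE },
    [TRIG_CHECK_FAILED] = { ROLE_FACTORY,   ROLE_ACTIVE,    ROLE_FACTORY   },
};

BootState boot_state_init(void) {
    BootState s = { .active = SET_A, .candidate = SET_A, .update_pending = false,
                    .last_booted = SET_A, .attempts = 0 };
    return s;
}

static Role role_of(const BootState *s, PartitionSet set) {
    if (set == SET_F) return ROLE_FACTORY;
    if (s->update_pending && set == s->candidate) return ROLE_CANDIDATE;
    return ROLE_ACTIVE;
}

static PartitionSet set_of(const BootState *s, Role r) {
    switch (r) {
    case ROLE_CANDIDATE: return s->update_pending ? s->candidate : s->active;
    case ROLE_FACTORY:   return SET_F;
    default:             return s->active;
    }
}

/* Called by user land on the running set: returns the set to flash the new images into. */
PartitionSet stage_update(BootState *s) {
    s->candidate = (s->active == SET_A) ? SET_B : SET_A;
    s->update_pending = true;
    s->attempts = 0;
    return s->candidate;
}

/* Boot loader entry: choose the set for this boot from the trigger and the previous boot. */
PartitionSet select_boot_set(BootState *s, RebootTrigger trig) {
    Role prev = role_of(s, s->last_booted);
    Role next = reboot_matrix[trig][prev];
    if (next == ROLE_CANDIDATE && (!s->update_pending || s->attempts >= MAX_CANDIDATE_ATTEMPTS))
        next = ROLE_ACTIVE;          /* nothing staged, or the candidate never committed */
    if (prev == ROLE_CANDIDATE && next == ROLE_ACTIVE)
        s->update_pending = false;   /* rolling back: the candidate image is abandoned */
    if (next == ROLE_CANDIDATE)
        s->attempts++;
    s->last_booted = set_of(s, next);
    return s->last_booted;
}

/* Called by user land once the first-boot functionality check has passed. */
void commit_candidate(BootState *s) {
    if (s->update_pending && s->last_booted == s->candidate) {
        s->active = s->candidate;
        s->update_pending = false;
        s->attempts = 0;
    }
}

int main(void) {
    static const char *names[] = { "A", "B", "F" };
    BootState s = boot_state_init();
    printf("flash into set %s\n", names[stage_update(&s)]);
    printf("update reboot  -> %s\n", names[select_boot_set(&s, TRIG_UPDATE_DONE)]);
    printf("watchdog reset -> %s\n", names[select_boot_set(&s, TRIG_WATCHDOG)]);
    printf("watchdog reset -> %s\n", names[select_boot_set(&s, TRIG_WATCHDOG)]);
    return 0;
}
```

Two design points are worth noting. First, a power outage in the middle of the candidate's first boot simply retries the candidate, because a retry is cheaper than a rollback; the attempt counter is what stops an image that hangs before the watchdog can be fed from being retried forever. Second, a watchdog reset while running on the already-verified set is treated as a reason to fall back to the factory set, which is the policy the article describes; a deployment that prefers to retry the verified set first would only change that cell of the table.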

Various implementations of FOTA updates based on two partition sets already exist. However, Concept Reply has decided to develop its own solution with three partition sets in order to make customer systems more fault tolerant and robust than comparable solutions. This also makes the concept interesting for devices where reliability is the decisive criterion.