One of the main requirements for a device built as a component for the automotive industry was that an update can be installed while the Linux platform is running and that it covers the secondary bootloader, the Linux kernel and the userland applications. An external watchdog device is also part of the update mechanism: it supervises the boot of the updated kernel so that a hang cannot turn into downtime. Moreover, the update process has to run unattended, with automatic recovery if the update fails or is interrupted.
Three sets of NAND flash partitions were implemented to minimize system downtime during the update and to provide an automatic rollback feature. Each set contains one partition for the Linux kernel and another for the root file system. While the system runs from partition set A, the new kernel and root file system images are flashed into partition set B. Once flashing is complete, the whole system reboots into partition set B. During this first boot a functionality check is performed; if it fails, the system reboots into partition set A again.
If it is not possible to boot from partition set B, and the rollback to partition set A fails as well, a third partition set F is used, where F stands for "Factory Firmware". This partition set is never modified during the device's entire life cycle and therefore contains the firmware that was verified and flashed during factory production. Although the firmware in the F partition set may be outdated, it guarantees that at least minimal system functionality remains available until a service technician picks up the broken device for further maintenance. Because the factory image predates every update shipped since production, running from F should be treated as a degraded state to be reported and resolved, not as a steady state.
Precautions have also been taken for the case in which the firmware update cannot be completed at all: the external watchdog device resets the device. During the subsequent boot, the boot loader determines why the system was rebooted: by the watchdog, because of a power outage, or because the system was asked to reboot after the update had completed. The boot loader then selects the partition set for the current boot, taking this reboot trigger into account. This is made possible by a reboot matrix: the boot loader code stays the same and only the matrix is modified to add a new reboot path or block an existing one. This makes the system extremely flexible and at the same time portable.
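The following C code is an added illustration of the A/B/F selection logic described above, written for this page; it is not Concept Reply's bootloader code. The state layout, the cause names, the LAST_GOOD sentinel and the retry limit are assumptions made for the example. A real bootloader would read the reboot cause from the SoC or PMIC reset-reason register, keep `struct boot_state` in a dedicated NAND or EEPROM area, and have userland write the confirmation after the functionality check.

```c
/*
 * Illustrative three-set (A/B/F) partition selection driven by a
 * reboot matrix.  Added example, not the original project's code.
 * Cause names, state layout, sentinel and retry limit are assumptions.
 */
#include <stdbool.h>
#include <stdio.h>

enum part_set { SET_A, SET_B, SET_F, SET_COUNT };
/* Sentinel table entry: "boot the last set that passed its check". */
#define LAST_GOOD SET_COUNT

enum reboot_cause {
    CAUSE_POWER,        /* cold start or power outage */
    CAUSE_WATCHDOG,     /* external watchdog reset: the selected set hung */
    CAUSE_UPDATE,       /* userland finished flashing and requested a reboot */
    CAUSE_CHECK_FAILED, /* first-boot functionality check rejected the set */
    CAUSE_COUNT
};

/* Persistent state, assumed to live in a small non-volatile area. */
struct boot_state {
    enum part_set last;     /* set selected on the previous boot */
    enum part_set good;     /* last set confirmed by the functionality check */
    unsigned failures;      /* consecutive boots that ended in a failure cause */
};

/* Two consecutive failures (e.g. B hangs, then A hangs) escalate to F. */
#define MAX_FAILURES 2

/*
 * The reboot matrix: next = reboot_matrix[cause][last].
 * Adding or blocking a reboot path only changes this table, not the code.
 * F is sticky: once the device runs factory firmware it stays there
 * until a technician intervenes.
 */
static const enum part_set reboot_matrix[CAUSE_COUNT][SET_COUNT] = {
    /* last set:             A          B          F     */
    [CAUSE_POWER]        = { SET_A,     SET_B,     SET_F }, /* resume where we were */
    [CAUSE_WATCHDOG]     = { LAST_GOOD, LAST_GOOD, SET_F }, /* hang: fall back */
    [CAUSE_UPDATE]       = { SET_B,     SET_A,     SET_F }, /* try the freshly flashed set */
    [CAUSE_CHECK_FAILED] = { LAST_GOOD, LAST_GOOD, SET_F }, /* rollback */
};

static bool is_failure(enum reboot_cause cause)
{
    return cause == CAUSE_WATCHDOG || cause == CAUSE_CHECK_FAILED;
}

/* Run by the bootloader on every start; returns the set to boot from. */
enum part_set select_partition_set(struct boot_state *st, enum reboot_cause cause)
{
    enum part_set next = reboot_matrix[cause][st->last];

    if (next == LAST_GOOD)
        next = st->good;

    if (is_failure(cause)) {
        st->failures++;
        /* The new set failed and the rollback target failed too: factory firmware. */
        if (st->failures >= MAX_FAILURES)
            next = SET_F;
    }

    st->last = next;   /* must be persisted before handing off to the kernel */
    return next;
}

/* Written by userland once the first-boot functionality check passes. */
void confirm_boot(struct boot_state *st)
{
    st->good = st->last;
    st->failures = 0;
}

int main(void)
{
    static const char *name[] = { "A", "B", "F" };
    struct boot_state st = { .last = SET_A, .good = SET_A, .failures = 0 };

    /* Update flashed into B, userland reboots, B passes its check. */
    printf("update   -> %s\n", name[select_partition_set(&st, CAUSE_UPDATE)]);
    confirm_boot(&st);
    /* Next update goes into A; A hangs, the watchdog fires, fall back to B. */
    printf("update   -> %s\n", name[select_partition_set(&st, CAUSE_UPDATE)]);
    printf("watchdog -> %s\n", name[select_partition_set(&st, CAUSE_WATCHDOG)]);
    /* B hangs as well: second consecutive failure, factory firmware. */
    printf("watchdog -> %s\n", name[select_partition_set(&st, CAUSE_WATCHDOG)]);
    return 0;
}
```

The point to notice is that a power outage while the update is still being flashed is harmless: the bootloader sees CAUSE_POWER with `last` still pointing at the running set and simply resumes it, and userland restarts the flash. Only the two failure causes advance the counter, so a device is never pushed into F by an ordinary power cycle.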
Various implementations of FOTA (firmware over-the-air) updates based on two partition sets already exist. Concept Reply nevertheless decided to develop its own solution with three partition sets, making customer systems more fault tolerant and robust than comparable solutions. This also makes the concept interesting for devices where reliability is the decisive criterion.