Custom Bootloader Integration on STM32H747IIT6 for FOTA Application

Dear ST Community/Support Team,

We are developing a Firmware Over-The-Air (FOTA) solution for an IoT asset tracking device using the STM32H747IIT6 microcontroller (LQFP176 package, dual-core Cortex-M7/M4, 2MB dual-bank Flash). The system integrates a SIMCOM cellular/GNSS module for connectivity and location services, with firmware downloads staged via AT commands (e.g., HTTP for files like fwv1.bin) and processed using STM32 HAL UART/Flash APIs.

Project Overview:

• Hardware: STM32H747IIT6 as main MCU; SIMCOM module on UART1 for AT commands (e.g., AT+FSOPEN/FSREAD for file staging); GNSS NMEA parsing on UART2 (offloaded to M4 core).
• Software Stack: STM32CubeH7 HAL (v1.13+), FreeRTOS on M7 for multitasking, dual-bank Flash for safe updates (Bank1: Bootloader + Active App; Bank2: New Firmware).
• FOTA Flow:
  • Poll server for update manifest (version, URL, checksum).
  • Download chunks to SIMCOM FS or SD card.
  • Verify (CRC/SHA256), copy to inactive bank, set flag, reset.
  • Bootloader validates and swaps banks on boot.
• Current Progress: We have working app code for download (using custom SendAT and read_http_chunk functions) and GNSS position acquisition. Dual-core IPC via HSEM is set up.

Specific Request: Bootloader Integration Assistance We need technical guidance to implement and integrate a custom bootloader for seamless FOTA on the STM32H747IIT6. Key challenges include:

• Dual-Bank Flash Management: Configuring option bytes for dual-bank mode (via CubeMX/STM32CubeProgrammer); handling bank swap (HAL_FLASHEx_OBProgram) without bricking; vector table relocation for Bank2 app.
• Bootloader Structure:
  • Size: ~32-64KB in Bank1 start (address 0x08000000).
  • Features: CRC/signature verification of active app; check update flag (e.g., in RTC backup register or Bank1 end); jump to app (modify VTOR, set MSP); optional GNSS query for geo-validation during boot.
  • No RTOS in bootloader (lean C/Assembly); use HAL Flash API for programming Bank2.
• Integration with Application:
  • From app: Erase/program Bank2 (HAL_FLASHEx_Erase, HAL_FLASH_Program), set flag, call NVIC_SystemReset().
  • Post-Reset: Bootloader detects flag, swaps (option bytes), jumps to new app entry (e.g., 0x08100000 for Bank2).
  • Dual-Core Handling: Ensure M4 firmware is updated (copy to M4 Flash area); sync via RPC/HSEM.
• Security and Reliability:
  • Basic secure boot (public key in OTP); handle partial updates/power loss (checkpointing).
  • Rollback: If new app fails (e.g., watchdog), revert to previous bank.
• Tools/Environment: STM32CubeIDE 1.14+, CubeMX for code gen, Arm GCC compiler. We've enabled dual-bank in RCC/Flash settings but face issues with [briefly describe any specific errors, e.g., "option byte programming hangs" or "vector table misalignment after swap"].

What We Need Help With:

• Sample code/skeleton for the bootloader (e.g., full .c/.s files for verification, swap, and jump).
• Best practices for H747IIT6-specific pitfalls (e.g., cache invalidation during Flash ops, M7/M4 vector tables).
• Troubleshooting: Common errors in dual-bank FOTA (e.g., HAL return codes, linker script mods for Bank2).
• References: Beyond AN5347/UM2854, any H7-specific app notes or examples (e.g., from STM32CubeH7 repo).
• If possible, a walkthrough or debug tips for testing on [our board, e.g., custom PCB or STM32H747IIT6.

Thank you for your expertise!

Best regards,
Rahul Temkar