FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Failure recovery stratergy for UART Bootloader- STM32F446RET6

sneha_giby
Associate III

‎2026-04-08 6:32 AM - last edited on ‎2026-04-09 2:14 AM by

Hi

I have a project with STM32F446RET6 which has custom bootloader and application in user defined location. This project does UART Bootloader for firmware upgrade - issue faced is if the device loses power while in between the firmware upgrade then the device is neither in UART bootloader/DFU mode nor has a valid firmware.

The solution which i want to implement is keeping two image of the application in two slot A and B. Normal working in Slot A  and backup in Slot B. Firmware upgrade happens in Slot A and if fails copy the firmware from Slot B otherwise copy Slot A to Slot B.

can anyone provide a simple logic which can be implemented to check if the firmware upgrade is completed and successful in SlotA.

I would not like to add CRC check.

Labels:
0 Kudos
13 REPLIES 13
MM..1
Chief III
In response to sneha_giby

‎2026-04-09 7:17 AM

You start in ticket CUSTOM bootloader, then custom bootloader is in normal situation first started code. And always check fw A or B before start. Better is use A as factory and update only B. Less flash stress as copy delete A and B...

And primary code and VTOR is compiled for one place , you cant simply load it to A or B...

0 Kudos
Pavel A.
Super User
In response to sneha_giby

‎2026-04-09 9:24 AM

no i am using software jump to bootloader. BOOT0 is always at GND.

This is not good. Recovery should be very robust and reliable. What you do is less reliable. Then it could be a custom bootloader as well. Custom bootloaders have many advantages, but they occupy room in user flash and are less reliable for recovery purpose - just as you've seen.

 

0 Kudos
sneha_giby
Associate III
In response to MM..1

‎2026-04-09 11:24 AM

ok got your point.

Bootloader will switch to SLOT_A / SLOT_B after checking upgrade_status.

if upgrade_status is "testing" jump SLOT_B, if "confirmed" copy SLOT_B to SLOT_A and jump to SLOT_A

but as you mentioned VTOR

my app firmware is set "linker" file is have flash start address FLASH (rx) : ORIGIN = 0x8020000, LENGTH = 128K and size and  system_stm32f4 has #define VECT_TAB_OFFSET 0x00020000U

which are for SLOT_A 

what should be done for SLOT_B because this setting are done before compilation

what should i do change run time change for this values.

0 Kudos
sneha_giby
Associate III

‎2026-04-14 7:59 PM

So, I am stuck with this issue.

I have only one option to run the application in slot A and keep backup in slot B. Steps followed will be

1) when going for dfu, setting the metadata to upgrade status to updating and upgrade firmware in SLOT A.

2) SLOT A because we have VTOR to the SLOT A address in compile time, after upgrade when reset the device starts from bootloader and check the upgrade status if updating change to testing and jump to Application SLOT_A.

3)In Application in SLOT_A, after delay of 2sec the update status will change to COMFIRM but in between it crashes or reset bootloader check 5 times for failure with the status testing it will copy the SLOT_B to SLOT_A (previous version is copied).

4)when application in SLOT_A changes the status to CONFIRM, application will be copied from SLOT_A to SLOT_B.

@TDK @Saket_Om @MM..1 @Pavel A. do you people think this will be good to implement. Please provide suggestions.

0 Kudos
Top