2020-01-13 09:41 AM
Hi,
I am working on FOTA for STM32 MCU using external flash to store the downloaded FW from server.
The process should be: once the FW download is complete, reset the MCU to bootloader mode. Then read the FW from external flash and write it to the starting address of the app.
My question is: there is no way to update the bootloader (say starting address 0x00) since the code is running.
My question is - is there any way to update both the bootloader and application FW? Would I need a co-MCU to do the work? If so, how to use JTAG to debug?
Thanks,
****
2020-01-13 10:06 AM
Generally you don't want to update the loader, its job really can be to validate other images and transfer control, and provide a means for you to unbrick your device short of using ST tools or JTAG.
Consider three firmwares, a primary loader, a secondary one which you might want to replace, and then your application code. Or provide for two applications.
The primary loader should be able to recover things from the image(s) in the external flash. You should sign things such that you only deliver functional code, and test things so you don't sign code which is broken. The loader can then just apply things which are checked/validated. If something isn't intact, you don't transfer control to it.
2020-01-14 09:38 AM
Let's assume boot loader starting 0x00, application starting 0x08000800. New FW image is stored in external flash.
I am thinking I should be able to start in bootloader then update the application 0x08000800 (get application hex from external flash), reset. Then run the application to update bootloader 0x00 (get bootloader hex from external flash).
Anything wrong with the scenario?
Thx
****
2020-01-14 10:16 AM
Well the real issue is if the update of the loader fails due to power, or something being wrong with the .HEX file.
HEX files don't have a longitudinal checksum/crc, you would need to double check the whole image is intact/valid in external memory.
The failure mode is you brick the device, and the end user has to fiddle with BOOT0 and use ST tools (or equivalents) to recover the situation. Depending on the device and its location, this might not meet FOTA requirements. These might require the device to recover itself remotely.
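An added example, not part of the original posts: one way a loader can confirm the whole staged image in external flash is intact before erasing anything, covering integrity only (a signature check would sit on top of it). The header layout, `IMG_MAGIC`, `IMG_MAX_LEN`, the `ext_read_fn` driver hook and the `sim_flash` host stand-in are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IMG_MAGIC   0x31415746u      /* hypothetical header magic */
#define IMG_MAX_LEN (128u * 1024u)   /* assumed size of the target region */

typedef struct {                     /* hypothetical header before the payload */
    uint32_t magic;
    uint32_t length;                 /* payload bytes after the header */
    uint32_t crc32;                  /* CRC-32 (reflected 0xEDB88320) of payload */
} img_header_t;

/* Driver hook (assumed): read len bytes at offset off, 0 on success. */
typedef int (*ext_read_fn)(uint32_t off, void *buf, size_t len);

static uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n)
{
    while (n--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

/* 1 only if the staged image is complete and intact; call before any erase. */
int image_is_valid(ext_read_fn rd, uint32_t base)
{
    img_header_t h;
    uint8_t buf[64];
    uint32_t crc = 0xFFFFFFFFu, done = 0;

    if (rd(base, &h, sizeof h) != 0 || h.magic != IMG_MAGIC) return 0;
    if (h.length == 0 || h.length > IMG_MAX_LEN) return 0;
    while (done < h.length) {
        size_t n = h.length - done < sizeof buf ? h.length - done : sizeof buf;
        if (rd(base + (uint32_t)sizeof h + done, buf, n) != 0) return 0;
        crc = crc32_update(crc, buf, n);
        done += (uint32_t)n;
    }
    return (crc ^ 0xFFFFFFFFu) == h.crc32;
}

/* Constructed stand-in for the external flash so the check runs on a host. */
static uint8_t sim_flash[256];
int sim_read(uint32_t off, void *buf, size_t len)
{
    if (off > sizeof sim_flash || len > sizeof sim_flash - off) return -1;
    memcpy(buf, sim_flash + off, len);
    return 0;
}
```

On a target, `sim_read` would be replaced by the external flash driver's read routine, and the same check would be repeated on internal flash after programming.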
2020-01-14 10:27 AM
I agree with trying not to update the bootloader, but in a special case, this scenario works, right (assuming the hex is correct)? Thx
2020-01-21 12:34 AM
As Clive already said, if power fails during bootloader update, the device is bricked.