FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

STM32H563 Dual-Bank OTA — Recovery When New Firmware Corrupted and Reset_Handler Never Executes

Deepika_Sivakumar
Visitor

‎2026-05-20 2:09 AM

Device

STM32H563ZIT6, single binary (no separate bootloader), dual-bank OTA

Setup

 
Bank1: Current running firmware (original)Bank2: New OTA firmware (potentially corrupted)IWDG: Started in Bank1 before swapOTABootSafetyCheck: In Reset_Handler of every binary buildBKP0R: Boot counter set before swap

Problem

After bank swap, if Bank2 firmware is corrupted and Reset_Handler never executes:

 
 
Bank swap → resetCPU reads 0x08000000 → SP    (may be valid)CPU reads 0x08000004 → Reset vector (may be valid)CPU jumps to Reset_Handler addressReset_Handler code is corrupted → garbage instructions → crashOTABootSafetyCheck never runsBoot counter never incrementsIWDG fires → reset → same crash → infinite loopRollback never happensBank1 original firmware never recoversDevice is permanently stuck

What We Have Tried

1. OTABootSafetyCheck in Reset_Handler

 
 
asm
Reset_Handler:    ldr r0, =_estack    mov sp, r0    bl  OTABootSafetyCheck  ; before SystemInit and main    bl  SystemInit    bl  __libc_init_array    bl  main

Works when Reset_Handler body executes. Does not help when Reset_Handler code itself is corrupted.

2. IWDG Started in Bank1 IWDG survives bank swap reset. Bank2 must feed it. If Bank2 never feeds IWDG → reset. But reset always goes back to corrupted Bank2 → same crash → infinite loop.

3. Pre-swap Vector Table Check

 
 
c
uint32_t sp    = *(uint32_t *)0x08100000;
uint32_t reset = *(uint32_t *)0x08100004;

Catches completely empty or garbage vector table. Does not catch valid vector table pointing to corrupted Reset_Handler body.

Core Question

Without a separate bootloader, is there any STM32H563 hardware mechanism that can force a bank reswap when:

  • Bank2 Reset_Handler is corrupted
  • IWDG keeps firing
  • No code from Bank2 ever executes successfully
  • Bank1 original firmware needs to be restored

Specifically:

  1. Is there an option byte or hardware register that automatically reverts bank swap after N resets without a successful boot?
  2. Can IWDG reset be distinguished from other resets in a way that hardware automatically acts on it?
  3. Is there any RDP/TrustZone mechanism that can trigger bank reswap based on reset count without executing code from the corrupted bank?
  4. What is ST's recommended approach for single-binary dual-bank OTA rollback when the new firmware's Reset_Handler itself is corrupted?

Constraint

  • Single binary — no separate bootloader
  • No CRC validation (trying to avoid storing expected CRC)
  • Bank1 original firmware must be recoverable in all corruption scenarios
Labels:
0 Kudos
0 REPLIES 0
Top