A system on chip (SoC) is a computer system implemented on a single chip. An SoC includes a processing unit connected to a memory unit and operable to execute one or more instructions stored in the memory unit. The instructions may be provided at least partly by program code residing in a programmable region of the memory unit, referred to herein as the program region.
From time to time, it may be desirable to update the program code in the program region. Such updates can take the form of radio-transmitted updates (e.g., over-the-air or “OTA” updates) to the SoC. For example, an SoC may be located in a vehicle (e.g., a motor car). The connected car is now becoming a reality and covers a range of applications, including over-the-air updates of vehicle electronics.
During an update to the SoC, an unexpected incident (e.g., an error) may occur on the SoC. The incident may be related or unrelated to the update in progress. The incident may be software related, hardware related, or due to specific operating conditions being outside a normal operating range. Such operating conditions may be related to power supplies, clock frequencies, or temperature, to name a few. Even when the incident is not directly related to the update in progress, it may be seen as an indicator of an increased risk that something may go wrong during the update.
More generally, various kinds of events on an SoC can be treated as faults. Faults may be logical or physical in nature. For example, a temperature sensor detecting that the temperature of the SoC is above a certain threshold may be considered a physical fault. In contrast, lack of free memory, arithmetic exceptions, or stack overflows are examples of logical faults. A fault occurring while the SoC is installing new program code in the program region can thus be an indicator of an increased risk that the new program code will not be installed correctly, even if the fault by itself does not affect the update process.
The program region may have associated with it a normal access mode, in which the program code can be read and executed, and an update access mode, in which new code can be written to the program region. The SoC may be arranged to switch from the normal access mode to the update access mode in response to an update request and to return to the normal access mode when the update has been completed. The invention described in greater detail below is based on the insight that the SoC can be made more reliable by preventing it from returning to the normal access mode if a fault has occurred during the update process: code written during a faulty update is not trusted to be complete or correct, so it must not become readable and executable simply because the update sequence reached its final step.
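The access-mode state machine and the fault classification described above, written out as a small C model. This is an added illustration, not code from the patent or from any particular SoC: the region size, the over-temperature threshold, the function names and the recovery path (a fresh update request clears the sticky fault flag and restarts the write from the beginning) are all assumptions chosen for the example.

```c
/* Added example: fault-gated access modes for an SoC program region.
 * Illustration only; region size, temperature limit, function names and the
 * restart-on-fault recovery path are assumptions, not taken from the text. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { MODE_NORMAL = 0, MODE_UPDATE = 1 } access_mode_t;
typedef enum { FAULT_NONE = 0, FAULT_LOGICAL = 1, FAULT_PHYSICAL = 2 } fault_kind_t;

#define PROGRAM_REGION_SIZE 64   /* assumed size of the programmable region */
#define TEMP_LIMIT_C 85          /* assumed over-temperature threshold */

typedef struct {
    access_mode_t mode;
    bool fault_seen;             /* sticky: set by any fault during an update */
    fault_kind_t last_fault;
    uint8_t program_region[PROGRAM_REGION_SIZE];
    size_t write_pos;
} soc_t;

void soc_init(soc_t *s) {
    memset(s, 0, sizeof *s);
    s->mode = MODE_NORMAL;
}

/* Update request: enter update mode. Allowed from either mode so that a
 * failed update can be restarted; the sticky flag and write position are
 * reset so the new attempt starts from a clean state (assumed recovery path). */
int soc_request_update(soc_t *s) {
    s->mode = MODE_UPDATE;
    s->fault_seen = false;
    s->last_fault = FAULT_NONE;
    s->write_pos = 0;
    return 0;
}

/* Fault entry point for exception handlers and sensor monitors. Any fault
 * raised while an update is in progress is recorded, whether or not it
 * touches the update path itself. */
void soc_report_fault(soc_t *s, fault_kind_t kind) {
    if (s->mode == MODE_UPDATE) {
        s->fault_seen = true;
        s->last_fault = kind;
    }
}

/* Physical-fault source: an over-temperature reading from a sensor. */
void soc_temperature_sample(soc_t *s, int celsius) {
    if (celsius > TEMP_LIMIT_C) soc_report_fault(s, FAULT_PHYSICAL);
}

/* Writes are only legal in update mode. Running past the end of the region
 * is treated as a logical fault and the write is refused. */
int soc_write_program(soc_t *s, const uint8_t *data, size_t len) {
    if (s->mode != MODE_UPDATE) return -1;
    if (len > PROGRAM_REGION_SIZE - s->write_pos) {
        soc_report_fault(s, FAULT_LOGICAL);
        return -1;
    }
    memcpy(s->program_region + s->write_pos, data, len);
    s->write_pos += len;
    return 0;
}

/* The gate: return to normal mode only if no fault was seen during the
 * update. Otherwise the SoC stays in update mode and the region stays
 * unreadable and non-executable. */
int soc_complete_update(soc_t *s) {
    if (s->mode != MODE_UPDATE) return -1;
    if (s->fault_seen) return -1;
    s->mode = MODE_NORMAL;
    return 0;
}

/* Read/execute path: only available in normal mode. */
int soc_read_program(const soc_t *s, uint8_t *out, size_t len) {
    if (s->mode != MODE_NORMAL) return -1;
    if (len > PROGRAM_REGION_SIZE) return -1;
    memcpy(out, s->program_region, len);
    return 0;
}
```

The point of the model is the ordering in `soc_complete_update`: completion of the write sequence is necessary but not sufficient, and a fault that arrived at any time between the update request and the completion request, including one unrelated to the flash controller, leaves the region locked until a new update is requested and runs fault-free.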