The invention relates to updating firmware in embedded devices. Specifically, the invention relates to failsafe systems and methods for updating firmware in embedded devices with a minimal memory footprint.
An embedded device is a computer system where all necessary hardware and mechanical components to achieve a specific purpose are integrated into a dedicated hardware assembly. The executable code in an embedded system is referred to as “firmware.” The firmware is written to non-volatile storage, such as flash storage or other block-based, electrically erasable, programmable random access memory (EEPROM) technology.
It is common practice to update the firmware in these devices in the field without using any special hardware. The firmware is either read from a removable media or received over a communication path from another microprocessor-based system.
The act of updating firmware in an embedded device involves the embedded device erasing a block of storage, and then writing that storage with replacement firmware. A block can store a significant portion of the overall executable firmware. The replacement firmware is read from a removable media or a communication stream from an external system.
During the update process, if power is removed or communication with the external system or removable media is lost, the device is left without valid firmware, and therefore may be in an unusable state. As a consequence, the device needs to be returned to a service center, or discarded.
There are two commonly used approaches to prevent the problem of devices being rendered unusable by failures during firmware update. The first approach is to buffer the received firmware in another memory, such as random-access memory (RAM). This image can then be verified prior to erasing the existing firmware. Although this protects against an interruption of the firmware stream to the device, this approach is not fully failsafe. Any power loss from the time the device has erased its previous firmware until it has completed writing the new firmware would leave the device unusable. This approach also requires a large enough external buffer to receive and verify the firmware, making it undesirable in cost sensitive applications.
The second approach is to maintain a fully redundant firmware copy. The original firmware is only erased after the new firmware is verified to be correctly programmed. This approach can be made fully failsafe, but requires the device to have approximately twice the amount of storage that would be required over the first approach. This is unacceptable in cost sensitive or storage constrained systems.