The present invention relates to electronic devices, in particular electronic embedded devices, which may include a microcontroller and a nonvolatile memory storing software or application code, i.e. firmware. More particularly, the present invention relates to methods for programming or re-programming firmware in electronic embedded devices, such as power supply systems, controllers, sensors and other devices.
In the field of producing, programming and installing embedded electronic devices, it is well known that, even after a test or production period, a need can arise to re-program the devices to update them to new functionalities or because of the presence of faults or failures not previously detected in the code.
The conventional re-programming solution is to physically remove the board and to update the firmware by means of a conventional external programming device.
A bootloader is a software layer which manages the basic functions of the device to update the application code without using a programmer and without touching the device itself. Typically, this operation is performed by using a communication channel, e.g. RS232, RS485, 12CBus, SPI, or USB. This procedure is carried out remotely. Furthermore, it is necessary to consider that an embedded environment is typically an environment with few resources, and that the bootloader must necessarily ha code.
In an embedded environment (e.g., power supply systems, controllers, and sensors) this software layer is used for reprogramming the firmware with no need to shut down the machine, to remove the board from its support, or to disconnect it from one or more parts of the device. In this manner, savings can be obtained in a variety of ways, including the following:
1. There is no need for the customer to return the devices to be reprogrammed.
2. The customer himself can update the firmware received through any means, even through the same management program for managing the device, i.e. “friendly” interface produced and tested ad hoc by the manufacturing company.
3. The customer does not incur service interruptions due to the “traditional” management of reprogramming.
4. The manufacturing company can provide stronger support to the customer without logistics and management costs of reprogramming, by making the new firmware available for the customer through whatever means (e.g. via electronic mail).
European Patent Publication EP-A-1,701,262 describes a method for re-programming a device, in which a memory is present, comprising a sector storing a bootloader and one or more sectors storing the application programs. This publication relates in particular to a method that allows optimal exploitation of the available memory without leaving unused spaces but rather guaranteeing the integrity of the bootloader during the reprogramming phase.
U.S. Pat. No. 6,925,365 describes a system for updating applications by means of a flashloader in a vehicle control unit for controlling electronic devices. The described system provides for the automatic update from an existing version of application code to a new version by using the flashloader.
One of the problems that can occur in conventional updating or re-programming procedures is management of the critical operations, which can result in a malfunction of the device. These critical operations can include: management of the communication channel; receipt of the new firmware fragmented into a plurality of messages; power outage during the procedure; corruption of the new firmware (during transmission, during saving, or corruption of a memory cell, because of external factors due to damage to the device); minimal management of the device in the case of absence of the application code so as to avoid device damage; and certainty that the application code to be executed is the code “desired” by the person who updated the device.
Data corruption or loss during the reprogramming phase controlled by the bootloader can result in a non-functioning device. Errors in data transmission, reading or writing, an accidental power outage, or other external factors may lead to the corruption of the application code and, therefore, to a failure in the device.