Firmware, or computer readable program code stored in non-volatile memories, is employed for microprocessors, for example, of embedded systems which implement specialized functions or service. Modems, answering machines, automobile controls, disk drives, tape drives, digital cameras, medical drug infusion systems, and storage automation products are all examples of systems that may comprise embedded systems. The processor control in these systems allows a level of flexibility that can reduce costs while improving product quality.
It may be advantageous to provide the capability to upgrade the system firmware of the embedded system. This simplifies the task of providing enhancements and fixes to the product. For example, it is common to provide product enhancements in the form of new features and functions. As one example, after the 56K modem technology was introduced, many modem manufacturers provided firmware updates to existing customers. The updates allowed existing modems to support the new technology for increased communication speeds. As another example, the IBM 3584 Ultra Scalable Tape Library was first introduced with LTO (Linear Tape Open) drive and media support, and subsequently, an enhancement was made to support “Quantum DLT” (Digital Linear Tape) drives and media. Especially with expensive systems, customers expect to be able to upgrade their products many years into the future with minimal cost and disruption.
It may be desirable, and in some cases crucial, to provide a failsafe firmware update to the embedded system. “Failsafe” means that even if the update step is disrupted, the embedded system will continue to operate to at least the level that it operated at, before the firmware update. For example, many embedded systems will become nonfunctional if the firmware update is disrupted. In U.S. Pat. No. 6,357,021, the firmware is stored in an updateable part and a fixed part. The fixed part comprises default tasks, and the updateable part stores any updates. Thus, the firmware stored in the fixed part will not be lost or corrupted by incomplete downloading of the updates. The problem is that if the firmware update is disrupted, the system must go back to the original defaults, and the most recent previous update will be lost, possibly making the embedded system nonfunctional.
Embedded systems then may require special procedures to get them operational again, for example, requiring authorized repair specialists, or requiring that the product be returned to the factory.
The incorporated '844 U.S. patent application provides a non-volatile memory having a plurality of separately erasable sectors or memory areas for storing at least two separate copies of operational code, and a boot program stored separately from the operational code. Any copy of the operational code may be updated without requiring an update of the boot code. For example, in the case of two copies, both copies may be the most recent update, or one copy may be more recent than the other. Any new update will be made to the downlevel operational code. Thus, the operational code which was successfully operating the system prior to the new update is preserved, and, in the case of disruption to the new update, the successfully operating code will simply resume its place.
Both copies, or images, of the operational code are independently executable. Some processors and compilers do not support position independent code, preventing execution of more than one copy of operational code. Additional memory may be used to copy either of the two code images into a RAM or other memory area for execution, and the firmware would be compiled to run at the address of the newly copied code in RAM. However, existing embedded systems may not have additional memory to hold a copy of the code image, and new systems would have to incur the additional cost and board space of the copy memory.