2
votes

I am using the 32-bit ARM STM32F439ZI microcontroller for my project. The microcontroller has 2 megabytes of flash memory organized into 2 banks of 1 megabyte each for simultaneous read and write/erase, as the datasheet points out.

I want to introduce Over The Air (OTA) firmware updates for the microcontroller.

I am using around 200-400 KB of flash storage for the firmware.

Of course, I could just flash the downloaded update binary using the boot loader. However, I would like to introduce a safety net by using the two 1 megabyte flash banks as a fail-safe feature.

For example:

  1. The application downloads the new OTA firmware package onto an external storage.
  2. The application sets a flag in the internal flash (emulated EEPROM) as information to the boot loader to load an OTA firmware package from the external storage.
  3. The boot loader checks which "partition" (flash bank A or B) is active, switches the states and flashes the OTA firmware package onto the just activated flash bank.
  4. The boot loader resets the microcontroller.
  5. The boot loader detects that bank B is the active bank and loads its contents as firmware.
  6. When there is a watchdog event or a crash, the boot loader detects the register flag and switches to the flash bank which contains the previous firmware version.

I could not find resources on whether the "dual boot" is possible with the STM32F4 (there was something about the STM32F7 series, but that was advertised as a dedicated "feature").

Is the process possible or recommended with the STM32F4 series? Is there a better approach? And what would the boot loader dispatch call (to the main function of the active flash bank) look like (ANSI C)?

2
Yes, doable, on the right track for the most part; basically you want to have redundant features. ANSI C has nothing to do with it though, not a C language thing; doesn't mean you won't use C, just means C is not relevant. - old_timer

In fact C has relevance, as I write the boot loader in C and the application in C, and as the boot loader, which I write in C, I have to tell the machine that either flash bank A or B has to load - in C. And the last part is where I have no clue about. - burnersk

This sounds like it is not about dual redundancy at all but instead a way to allow for updates. But you need to think through failed updates, bad images. You are relying on some percentage of good code to never be bad in order for this to work. - old_timer

Understood you are using C, but C has nothing to do with this task; there are no C magic calls or anything to do with the C language that makes this work or not work, any more than this conversation is happening in English. Doesn't mean the English language is the key that unlocks this mystery; it is just a transport, a means to the end. - old_timer

Dual boot is something you have with an operating system and common/stock bootloaders for those platforms. This is your platform, your bootloader, so you define how things boot; it's your design. - old_timer
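As an added example (not code from the question, the comments or the answers), here is what the dispatch asked about in the question could look like in C for a Cortex-M4 such as the STM32F439: the bank choice driven by the active-bank flag and the rollback flag from step 6, a sanity check of the chosen image's vector table, and the jump into it. The bank addresses follow the STM32F42x/43x dual-bank layout; `APP_OFFSET`, `SRAM_END`, the flag semantics and the sample vector tables are assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>
/* STM32F42x/43x dual-bank layout (datasheet); APP_OFFSET and SRAM_END are assumptions of this example. */
#define BANK1_BASE  0x08000000u
#define BANK2_BASE  0x08100000u
#define BANK_SIZE   0x00100000u   /* 1 MB per bank */
#define APP_OFFSET  0x00020000u   /* hypothetical: 128 KB of each bank kept for the bootloader */
#define SRAM_BASE   0x20000000u
#define SRAM_END    0x20030000u   /* 192 KB of SRAM, assumed */

/* A Cortex-M vector table starts with the initial MSP and the reset handler;
 * checking both rejects erased (0xFFFFFFFF) or half-written images. */
static bool image_looks_valid(const uint32_t *vec, uint32_t bank_base)
{
    uint32_t sp = vec[0], reset = vec[1];
    if (sp < SRAM_BASE || sp > SRAM_END || (sp & 7u) != 0) return false; /* aligned MSP in SRAM */
    if ((reset & 1u) == 0) return false;                                  /* Thumb bit must be set */
    return reset >= bank_base + APP_OFFSET && reset < bank_base + BANK_SIZE;
}

/* Pick the bank to boot. bank_b_active is the emulated-EEPROM flag (steps 2-3),
 * rollback_requested the watchdog/crash flag (step 6); the preferred bank is
 * tried first, then the other one. 0 means neither bank holds a usable image. */
uint32_t select_boot_bank(bool bank_b_active, bool rollback_requested,
                          const uint32_t *vec_a, const uint32_t *vec_b)
{
    const uint32_t  base[2] = { BANK1_BASE, BANK2_BASE };
    const uint32_t *vec[2]  = { vec_a, vec_b };
    int first = (bank_b_active != rollback_requested) ? 1 : 0; /* rollback flips the choice */
    for (int i = 0; i < 2; i++) {
        int b = (first + i) % 2;
        if (image_looks_valid(vec[b], base[b])) return base[b];
    }
    return 0;
}

#if defined(__arm__)
/* Target-only dispatch: mask interrupts, point SCB->VTOR at the image's table, load its MSP, call its reset handler. */
void jump_to_application(uint32_t bank_base)
{
    const uint32_t *vec = (const uint32_t *)(bank_base + APP_OFFSET);
    void (*entry)(void) = (void (*)(void))vec[1];
    __asm volatile ("cpsid i");
    *(volatile uint32_t *)0xE000ED08u = bank_base + APP_OFFSET;   /* SCB->VTOR */
    __asm volatile ("msr msp, %0" : : "r" (vec[0]) : "memory");
    entry();                                                      /* never returns */
}
#endif
/* Constructed sample tables (first two words only) so the selection logic can run on a host. */
const uint32_t SAMPLE_VEC_A[2]  = { 0x20020000u, 0x08020101u };  /* valid image in bank A */
const uint32_t SAMPLE_VEC_B[2]  = { 0x2002FFF8u, 0x08120401u };  /* valid image in bank B */
const uint32_t SAMPLE_ERASED[2] = { 0xFFFFFFFFu, 0xFFFFFFFFu };  /* erased, never written */
```

The selection logic runs on a host; only `jump_to_application` needs the target, and a real bootloader would also verify a CRC or signature over the whole image before trusting its vector table, which is the "bad images" case raised in the comments.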

2 Answers

0
votes

I'm not sure if I understand the "dual boot" completely, but if it is about having two versions of firmware (the current working one to be replaced and the new firmware) in the flash, then the simplest method is to let the bootloader take a backup of the application firmware in a separate area of the flash memory before kicking off OTA. However, this reduces the total amount of usable flash. My master's thesis (Fail-proof over the air firmware upgrade for embedded systems) was on a very similar topic. You may want to take a look.

0
votes
  1. The OTA with failover is implemented by Mongoose OS, https://mongoose-os.com for STM32 (including STM32F4). Mongoose OS repo is at https://github.com/cesanta/mongoose-os. The bootloader repo is at https://github.com/mongoose-os-apps/bootloader

  2. For an STM32 setup without built-in connectivity, another approach would be to use https://vcon.io . That is, an ESP32 / ESP8266 communication module (Ethernet, WiFi, Cellular) which can OTA any attached STM32 microcontroller, and provide connectivity via various modes (e.g. transparent UART bridge).

Disclaimer: I represent both Mongoose OS and VCON products.