I am using the 32-bit ARM STM32F439ZI microcontroller for my project. The microcontroller has 2 megabytes of flash memory organized into 2 banks of 1 megabyte each for simultaneous read and write/erase, as the datasheet points out.
I want to introduce Over The Air (OTA) firmware updates for the microcontroller.
I am using around 200-400 KB of flash storage for the firmware.
Of course, I could just flash the downloaded update binary using the boot loader. However, I would like to introduce a safety net by using the two 1 megabyte flash banks as a fail-safe feature.
For example:
- The application downloads the new OTA firmware package onto an external storage.
- The application sets a flag in the internal flash (emulated EEPROM) as information to the boot loader to load an OTA firmware package from the external storage.
- The boot loader checks which "partition" (flash bank A or B) is active, switches the states and flashes the OTA firmware package onto the just activated flash bank.
- The boot loader resets the microcontroller.
- The boot loader detects that bank B is the active bank and loads its contents as firmware.
- When there is a watchdog event or a crash, the boot loader detects the register flag and switches to the flash bank which contains the previous firmware version.
I could not find resources on whether this "dual boot" is possible with the STM32F4 (there was something about the STM32F7 series, but that was advertised as a dedicated "feature").
Is the process possible or recommended with the STM32F4 series? Is there a better approach? And what would the boot loader dispatch call (to the main function of the active flash bank) look like (ANSI C)?
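Since the question ends by asking what the dispatch call would look like in C, here is an added example (not code from the question, nor from ST) of the three pieces a boot loader for the bank A/B scheme described above needs: a plausibility check of the image at the start of a bank, bank selection with a boot-attempt counter so that an image which crashes or trips the watchdog before confirming a healthy boot is rolled back to the other bank, and the jump itself. The memory map constants, the `boot_state_t` record, `MAX_BOOT_ATTEMPTS` and all function names are assumptions made for this example; the jump writes SCB->VTOR (0xE000ED08) and MSP directly and only does so on an ARM build, so the decision logic can be compiled and exercised on a host.

```c
#include <stdint.h>
#include <stddef.h>

/* STM32F439ZI memory map as assumed for this example (verify against the
 * reference manual of your part): two 1 MB flash banks and 192 KB of SRAM. */
#define FLASH_BANK1_BASE 0x08000000u
#define FLASH_BANK2_BASE 0x08100000u
#define FLASH_BANK_SIZE  0x00100000u
#define SRAM_BASE        0x20000000u
#define SRAM_SIZE        0x00030000u
#define SCB_VTOR_ADDR    0xE000ED08u   /* Cortex-M4 vector table offset register */

/* The first two words of a Cortex-M image: initial MSP and reset handler. */
typedef struct {
    uint32_t initial_sp;
    uint32_t reset_handler;
} vector_header_t;

typedef enum { IMG_OK = 0, IMG_ERASED, IMG_BAD_SP, IMG_BAD_RESET } img_status_t;

/* Boot record kept in emulated EEPROM (assumed layout): which bank is active
 * and how often the boot loader started it without the application confirming
 * a healthy boot by clearing boot_attempts. */
typedef struct {
    uint32_t active_bank;    /* 1 or 2 */
    uint32_t boot_attempts;
} boot_state_t;

#define MAX_BOOT_ATTEMPTS 3u

/* Sanity-check the vector table at the start of a bank before trusting it:
 * an erased bank reads as all ones, the stack pointer must lie in SRAM and the
 * reset handler must be a Thumb address (bit 0 set) inside that same bank. */
img_status_t image_check(const vector_header_t *hdr, uint32_t bank_base, uint32_t bank_size)
{
    uint32_t pc = hdr->reset_handler;

    if (hdr->initial_sp == 0xFFFFFFFFu && pc == 0xFFFFFFFFu)
        return IMG_ERASED;
    if (hdr->initial_sp < SRAM_BASE || hdr->initial_sp > SRAM_BASE + SRAM_SIZE ||
        (hdr->initial_sp & 3u) != 0u)
        return IMG_BAD_SP;
    if ((pc & 1u) == 0u)
        return IMG_BAD_RESET;
    pc &= ~1u;
    if (pc < bank_base || pc >= bank_base + bank_size)
        return IMG_BAD_RESET;
    return IMG_OK;
}

/* Pick the bank to run. Too many unconfirmed boots of the active bank means it
 * crashed or tripped the watchdog, so roll back to the other bank. Then take the
 * first bank whose image passes image_check(). Returns the bank base, or 0 if
 * neither bank is bootable (stay in the boot loader). The caller must persist
 * *st before jumping so that a crash in the application is counted next time.
 * The header pointers are parameters rather than the bank bases themselves so
 * the logic can be exercised on a host build. */
uint32_t select_bank(boot_state_t *st, const vector_header_t *bank1_hdr,
                     const vector_header_t *bank2_hdr)
{
    if (st->boot_attempts >= MAX_BOOT_ATTEMPTS) {
        st->active_bank = (st->active_bank == 1u) ? 2u : 1u;
        st->boot_attempts = 0u;
    }
    for (int i = 0; i < 2; i++) {
        uint32_t bank = (i == 0) ? st->active_bank : ((st->active_bank == 1u) ? 2u : 1u);
        uint32_t base = (bank == 1u) ? FLASH_BANK1_BASE : FLASH_BANK2_BASE;
        const vector_header_t *hdr = (bank == 1u) ? bank1_hdr : bank2_hdr;
        if (image_check(hdr, base, FLASH_BANK_SIZE) == IMG_OK) {
            st->active_bank = bank;
            st->boot_attempts++;
            return base;
        }
    }
    return 0u;
}

/* The dispatch itself: point VTOR at the chosen bank, load its initial MSP and
 * call its reset handler exactly as a power-on reset would. Run this with
 * interrupts disabled and all peripherals and SysTick back in their reset
 * state. The register writes only exist on an ARM build; never call on a host. */
__attribute__((noreturn)) void jump_to_image(uint32_t bank_base)
{
    const vector_header_t *hdr = (const vector_header_t *)(uintptr_t)bank_base;
    void (*reset_handler)(void) = (void (*)(void))(uintptr_t)hdr->reset_handler;

#if defined(__arm__)
    __asm volatile ("cpsid i" ::: "memory");
    *(volatile uint32_t *)SCB_VTOR_ADDR = bank_base;
    __asm volatile ("msr msp, %0" : : "r" (hdr->initial_sp) : "memory");
#endif
    reset_handler();
    for (;;) { }
}
```

On the target, `select_bank()` is called with `(const vector_header_t *)FLASH_BANK1_BASE` and `(const vector_header_t *)FLASH_BANK2_BASE`, and the application clears `boot_attempts` once it has run long enough to be considered healthy. Note that `image_check()` only establishes that an image is well formed, not that it is authentic: a signature (or at minimum a CRC) check of the downloaded package before it is written to the inactive bank belongs in the same boot loader. The `__asm` and `__attribute__` keywords are GCC extensions, so the jump routine is not strictly ANSI C; the rest compiles as C99.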