Software Update in Embedded Systems – Stefano Babic, DENX

Why is upgrading embedded SW different?

  • power failure
  • bad firmware
  • communication errors
  • + often there is no direct access so you need to recover automatically from failure
  • SW is not on a plain disk, but on a variety of media (NOR, NAND, eMMC, FPGA, …)

Take into account who will do the update. The mechanic may not even have a computer with him when he goes on-site! For instance, give him a USB stick, but remember to give feedback about failure.

Solutions for system upgrade

  • Bootloader: severely limited (drivers), limited UI
  • Package manager: not atomic, hard to know exactly what is installed, more places where things can go wrong; but advantage: smaller update images
  • Rescue image
  • From the application: requires double copy of the application software to enable atomic update; if there is a rescue system as well, then that one doesn’t get tested well…

The upgrade systems that are used in reality are 95% similar, so Stefano started swupdate for this common stuff. Features:

  • Can recover from failure: this is not really generic, but offers a toolbox in which you need to enable things, e.g. watchdog, bootcounter, …
  • Checks hardware and software compatibility
  • Checks image integrity, but not signature!
  • Can repartition the storage
  • Local and remote upgrade possible
  • In case new features have to be added: Lua interpreter, so it can be extended on the fly
  • Single image for multiple devices: a single release image applies to all devices in the system, which makes sure things stay consistent. Each device extracts the part that is meant for it.
  • General API to interact with the UI and transport frontends (built-in or custom).
  • Possible to write a custom image parser in Lua.
  • Handler depending on the device/partition on which a sub-image has to be installed. Custom Lua handler is possible.
  • Mainly intended for rescue system scenario, but could be extended to double copy (needs change to the way bootloader flags are set).
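
The feature list above notes that swupdate checks image integrity but not a signature. The following added example (not swupdate code and not its image format) shows what that difference means for an update client: a digest shipped inside the update catches a damaged image, but only an authenticated manifest rejects a bundle whose content and digests were both regenerated. Assumptions: the bundle layout, function names and key are constructed for illustration, and HMAC from the Python standard library stands in for a real asymmetric signature, where the device would hold only a public key.

```python
import hashlib
import hmac
import json

# Constructed demo key: stands in for a vendor signing key (assumption).
VENDOR_KEY = b"constructed-demo-key"

def build_update(images, key=None):
    """Bundle images with a manifest of SHA-256 digests; tag the manifest if a key is given."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in images.items()}
    manifest = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).hexdigest() if key else None
    return {"manifest": manifest, "tag": tag, "images": dict(images)}

def check_integrity(update):
    """True if every image matches the digest listed in the bundled manifest."""
    digests = json.loads(update["manifest"])
    if digests.keys() != update["images"].keys():
        return False
    return all(hashlib.sha256(update["images"][n]).hexdigest() == d
               for n, d in digests.items())

def check_authenticity(update, key):
    """True only if the manifest was tagged with the key and the images match it."""
    if update["tag"] is None:
        return False
    expected = hmac.new(key, update["manifest"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, update["tag"]) and check_integrity(update)

def scenarios():
    """Return (integrity_ok, authenticity_ok) for three constructed update bundles."""
    genuine = build_update({"kernel": b"kernel v2", "rootfs": b"rootfs v2"}, VENDOR_KEY)
    # Transfer error: one image damaged, manifest untouched.
    corrupted = dict(genuine, images=dict(genuine["images"], rootfs=b"rootfs v\x00"))
    # Different content with a regenerated manifest, built without the key.
    repackaged = build_update({"kernel": b"kernel v2", "rootfs": b"other rootfs"})
    repackaged["tag"] = genuine["tag"]  # reusing the old tag does not help
    bundles = {"genuine": genuine, "corrupted": corrupted, "repackaged": repackaged}
    return {name: (check_integrity(u), check_authenticity(u, VENDOR_KEY))
            for name, u in bundles.items()}

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The "repackaged" bundle passes the integrity check and fails only the authenticity check, which is the case an integrity-only updater cannot distinguish from a genuine release.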