Firmware over-the-air (FOTA) updates are required to remotely fix bugs and make enhancements to systems, including introducing new features and services. FOTA updates are ideal for applications that are fielded in remote areas or may need ongoing updates due to the nature of the application, including wireless infrastructure, smart factories, and connected cars. A typical system will include a processing unit with nonvolatile memory to boot and configure the processing unit. The use of FOTA is gaining momentum, thanks to advances in system connectivity and an industry shift toward more programmable silicon architectures that allow seamless FOTA as nonvolatile memories become more reliable, safe, and secure.
A Requirement for Mission-Critical Systems
A reliable FOTA update process is required for mission-critical applications that cannot afford to fail during the update process. Thus, the update process must be immune to communication errors and require very few system pauses during updating. For many applications, it is not economically feasible to send a technician out to a system in the field for reprogramming. Similarly, automakers cannot afford to recall all affected vehicles to update software. For these and other reasons, over-the-air updating continues to gain momentum. To ensure reliability, the ability to implement this feature at the system level is mandatory and requires the silicon inside the system to have reliable FOTA features. Figure 1 details the advantages of FOTA technology.
click for larger image
Figure 1. Advantages of FOTA (Source: Cypress)
Flash memory devices are commonly used in systems to store software/firmware code. The primary purpose of the FOTA process is to update the code in the Flash memory. Current-generation host devices typically use only internal Flash or a combination of internal and external Flash to store the data and code. However, modern semiconductor technology faces challenges in scaling and cost as system complex continues to rise, making it increasingly difficult to embed Flash memory within the host MCU, as has been typically done in automotive and industrial applications. Embedded Flash will likely hit a wall at 28nm or 22nm. Beyond that, external Flash will become necessary and the host will need to be able to perform FOTA updates with external Flash devices only.
FOTA Update Methods
There are several ways to implement FOTA updates using NOR Flash. The first is the FOTA update without software/firmware backup.
In this architecture, the system uses a single Flash device or partition to store application software. With this approach, the application needs to be paused during the software update procedure because the system can either run the application from the Flash or update the software. Such applications typically have a host MCU with basic features and limited memory.
A second FOTA update option includes software/firmware backup. In this scenario, a higher-end MCU and additional Flash memory are used to overcome the drawback of needing to pause the system during updating. With this architecture, the system uses two Flash devices or partitions where it can run the application from one Flash/partition and update the other in parallel.
A third update method includes a “golden” software/firmware backup copy. With this FOTA update method, the system uses three Flash memory devices or partitions. Typically, one partition (or die) contains the current software. A second partition is reserved for the code to be updated (or that has been updated by FOTA). A third partition is used to store a “golden” copy of the software that the system can be revert back to if the current and new software become corrupted. Table 1 summarizes the advantages and disadvantages of each of these approaches.
Table 1. Advantages & Disadvantages of Different FOTA Architectures
|FOTA Update Without Software/Firmware Backup||
|FOTA Update with Software/Firmware Backup||
||System needs an advanced host (e.g. MCU with bootloader) and additional memory to store the previous software|
|FOTA Update with “Golden” Software/Firmware Backup Copy||System needs an advanced host such as an MCU with bootloader, and additional memory to store both the previous software and the golden software copy|
NOR Flash Designed for FOTA
NOR Flash devices are more advanced than ever, with innovations designed to enable reliable FOTA updating. Some of these features include:
Simultaneous Read/Write Operation
Some of the industry’s most advanced NOR flash devices have a flexible bank architecture (i.e., group of sectors) where data can be continuously read from one bank while executing Erase/Program functions in another bank. This feature is called Simultaneous Read/Write operation and is an ideal feature for the FOTA update process. During an Erase/Program operation, any idle banks may be read from. The device can improve overall system performance by allowing a host system to program or erase in one bank, then immediately and simultaneously read from another bank. This feature can prevent a system from stalling due to indefinite waiting for the completion of Program or Erase operations
Some vendors also offer NOR flash devices with a multi-die package (for example, SPI NOR S70FL-S) supporting simultaneous operation between the die. Some applications need higher-density Flash memory to store the application software, and these devices support simultaneous operation with high-density Flash memory devices. The system can perform the same update process sequence as the Simultaneous Operation feature but, in this case, the system reads or updates the respective die instead of the bank.
The waveforms in Figure 2 show the sequence of software updating in the NOR flash device. They ensure concurrent Bank1 or Die 1 read operation and Bank 2 or Die 2 Erase/Program operation.
click for larger image
Figure 2. FOTA Update Using Simultaneous Operation (Source: Cypress)
Program/Erase Resume/Suspend is another important feature of NOR Flash that can greatly improve the reliability of FOTA operations. The Program/Erase Suspend command allows the system to interrupt an embedded Program/Erase operation so that data can be read from any non-Program/Erase suspended sector. After the read operation is completed, the system can Resume to continue the Program/Erase operation. This feature is useful for architectures with single-die NOR flash devices where simultaneous operations are not supported. It also provides priority to the running application; therefore, the system does not need to be paused and software update processes can be completed idle times. Figure 3 demonstrates the FOTA method using the Erase/Program Suspend/Resume feature.
click for larger image
Figure 3. FOTA Update Using Program/Erase Suspend/Resume Feature (Source: Cypress)
GUID Partition Table (GPT) Method
Another NOR Flash feature enhancing reliability is the use of a Globally Unique Identifiers (GUID) Partition Table (GPT) to perform FOTA using a single device. To use this method with a NOR flash device, the host needs to partition the Flash memory as shown in Figure 4. The top and bottom parts of the Flash device contain the partition tables (primary and secondary) that describe how the Flash memory is divided and partitioned. The secondary partition table is used when the primary partition table is corrupted. The rest of the partitions (sectors) will be divided between the two applications. The partition table requires less storage capacity; therefore, a smaller sector architecture at the top and bottom of the NOR Flash device is an advantage in this type of application.
click for larger image
Figure 4. FOTA Updates using a GUID Partition Table (Source: Cypress)
NOR Flash Plus
Another FOTA update method that leverages advanced NOR Flash technology is often called “SnD – Store and Download”, or “shadowing”. With this approach, the system copies the NOR Flash data to a RAM device immediately after power up. After the MCU copies and stores the data from the NOR flash device to the RAM device, it reads the software from the RAM device for the application and can perform the FOTA update in the Flash using any of the three FOTA update approaches. RAM is typically used to provide high-speed random access. However, there are high-performance NOR Flash devices available on the market that can perform the equivalent operation with their Execute-in-Place (XiP) feature.
NOR Flash technology offers many features that enable robust, fast, flawless, and power-loss-tolerant FOTA updating. Mission-critical applications can leverage NOR Flash features such as high performance, density, multi-die package solution, simultaneous operation, and Erase/Program Suspend/Resume to perform highly reliable FOTA updates while saving board space, using fewer hardware and software resources, and reducing overall cost. Devices like Cypress’ Semper NOR flash devices can further improve system performance by adding a layer of functional safety and reliability to FOTA update implementations. In this way, systems can use the high performance, sectored architecture, and superior interface speed of NOR Flash to read application software directly from the Flash and reduce or eliminate the need for external RAM.
Pritesh Mandaliya is a Staff Applications Engineer in the Memory Product Division of Cypress Semiconductor. He holds a Master’s degree in electrical engineering from San Jose State University, USA. He can be reached at firstname.lastname@example.org.