2.3.4 Device Firmware Update (DFU) over UART

The WINCS02IC is a secured part, and all traditional programming interfaces are disabled. These modules can only execute the firmwares which are authorized by Microchip’s signer. As all the programming interfaces are disabled, the WINCS02IC enables a special mode called the DFU mode to perform the firmware update. WINCS02IC provides fail-safe device firmware upgrade by having two image slots in the Flash map. The WINCS02IC on this PIC32WM-BW1 Wi-Fi® and Bluetooth® Low Energy Combo MCU Module shipped from Microchip use the image2 partition to store the default firmware.

For more details about the released standard WINCS02 firmware packages, go to WINCS02PE.

The WINCS02 firmware release package includes the following binary images:
  • All-in-One/Combined Image – Two firmware images (header1/image1 and header2/image2) + file system
  • OTA Image – A single firmware image (header/image) up to 960 KB
  • File-System – File system for storing certificates and key files up to 60 KB
Figure 2-5. WINCS02 Binary Images
Figure 2-6. Flash Map

These firmware images contain a 4-bytes sequence number in the header, which the boot ROM uses to determine which image to boot on every power-up. The boot ROM always chooses the firmware image with the lowest sequence number among the two partitions, but if both images have the same sequence number, it boots the one in the higher memory address (0x600F0000) or from image2 partition.

The sequence number with all zeros and all 0xFFs are reserved (invalid) sequence numbers. During the DFU programming, the boot ROM validates the firmware and checks the authenticity by verifying the signature. If the firmware is not authentic (in other words, not signed by Microchip), the boot ROM invalidates the image by setting the sequence number to zero and thereby rejects these firmware image.
Figure 2-7. Firmware Header

To implement a fail-safe mechanism, the image1 partition can be used for upgrading to a new firmware image, while the image2 partition serves as the default or backup firmware. In case of failure or issues with the new firmware, the device can revert to the default firmware in the high partition by erasing the low partition of the Flash memory.