30.2.17.2 Dual Boot Mode

The Dual Boot scheme allows the old boot code to be preserved in one flash panel until the new boot code is successfully programmed and verified in the other Flash panel. Which Flash panel is used is controlled by the BootROM.

Each panel's BFM region has a sequence number (SeqNum) located in the USER_CFG page for that panel. After reset and during the Flash configuration period (i.e. prior to system execution from BFM), SeqNum for each BFM region is read by the Boot ROM and compared. The Boot region with the higher SeqNum is selected as the Lower Boot region.

Each sequence number stored into the Flash consists of a ‘true’ and ‘complement’ 16-bit (halfword) value held in a single 32-bit word. The ‘true’ portion is held in the LS-halfword and the complement portion is held in the MS-halfword.

Note: All configuration data held in Flash and read by the Boot ROM at start up must be programmed, by software, using Quad Write in order to for the configuration data to have ECC protection.

In the event of an invalid Boot sequence number, the Boot ROM defaults to map the panel with the valid sequence number to Lower Boot. A Boot sequence number is considered to be invalid if:

- TrueValue != ~(ComplementValue) or TrueValue^ComplementValue != 0xFFFF

Or

An ECC DED error has occurred

In the following cases:

  • The sequence numbers are equal
  • Both sequence numbers are invalid

The Boot ROM selects Panel 1 to be the Lower Boot region.

The Flash Controllers, FCR (for reads) and the FCW (for writes/erases), use SWAP.BFSWAP to map the BFM of each panel into the Lower and Upper regions of the device memory map (refer to the example in Device Memory Map Example) according to the settings implemented by the BootROM.

Boot Loader Operation

Updating boot code is the responsibility of the Boot Loader. The Upper Boot region is always the target of the update. The Boot Loader must verify the erase status, typically done by erasing the Upper Boot region before programming it with the new Boot code.

If the new code successfully verifies, the Boot Loader assigns a sequence number, SeqNum, higher than that of the old boot code. On a subsequent reset, the Boot ROM selects the new Boot code to be the Lower Boot region (and the old Boot code appears in the Upper Boot region).

If a failure occurs during the process of updating the Upper Boot region with new boot code, the old boot code remains valid in the Lower Boot region. As long as the new boot code does not receive a successful write of a SeqNum greater than the old boot code’s, the old boot code is selected on a reset.

Dual Boot and Boot Page Protection

Although the BWP registers allow for different protection of Upper and Lower boot, in a Dual Boot situation it is desirable for them to protect the same page offsets.

Boot Panel Manual Swap

As discussed in Dual Boot Mode, the Dual Panel Lower Boot region selection is handled automatically at reset/boot time. The bit SWAP.BFSWAP shows the SeqNum controlled state of the Lower Boot order.

In addition to automatic control of boot, the user has the ability to change the Lower Boot panel manually with BFSWAP. The likely scenario for manual override is when both boot regions are programmed with identical code (which is recommended). Doing so allows write and erase of either Lower or Upper PFM without interruption of access to the boot region. For example, if Lower Boot is in Panel 1 and the Lower PFM address region is also in Panel 1, programming Panel 1’s PFM region causes accesses to the Lower Boot region to be stalled until the programming operation finishes. If both Boot regions are programmed identically, the user can simply invert BFSWAP so boot code is fetched from the other panel.