2.1 Modes of Operation

The basic mode bootloader resides at the starting location of the Flash memory. It performs Flash erase, program, or verify operations on the binary sent from the host. Once the firmware upgrade and verification are completed, it jumps to the starting address of the application.

For a detailed explanation on the basic mode bootloader, refer to the documents specified in the References section.

One of the challenges with a basic mode bootloader is the failure of the booting process. The booting process could fail during the firmware upgrade stage. The bootloader may not be able to complete the ongoing firmware upgrade due to several reasons, for example, interface disconnect, power cut, and so on. When the firmware upgrade process is aborted in between, the embedded device goes into an unstable state and may not work as expected.

A fail-safe bootloader overcomes the limitation of the basic bootloader. A fail-safe bootloader is designed on the premise that even if there is a firmware upgrade failure during the booting process, the system is still have a stable application image to run.

A fail-safe update is supported on devices which have the dual-bank Flash memory. Typically, memory in a microcontroller is organized in one or more banks. While most of the microcontrollers have single bank memory, there are some high-end microcontrollers that have dual bank. The dual-bank Flash memory enables the user to program one bank without affecting the application code of the other bank.

The boot failure situation is addressed by a dual-bank bootloader (Fail-safe update mode). With a dual-bank bootloader, whenever the device is running in one memory bank, the user can upgrade the firmware with the new features into the other bank and swap the firmware once the upgrade completes. If the upgrade process fails, the working copy of the firmware which is running in the first memory bank will help the device to work normally.

In a dual-bank bootloader the memory is distinguished into two banks. Each bank holds the bootloader code residing at the beginning location of the respective bank, and the firmware (application code) follows as shown in the following figure.

When booting from one bank, another bank is used as an upgrade buffer to accept the new firmware. After the new firmware is received and verified, the boot banks are switched. Therefore, there can be two workable firmware versions in the memory. The bootloader can perform a Flash operation in either of the banks based on the address sent by the host application. It performs a bank swap and resets the system to run the application programmed in the opposite bank after the verification is completed.

The following figure shows the memory layout of dual-bank bootloader:

The SAM E54 Flash memory is configured to two banks: Bank A and Bank B. At the start of both the banks, the bootloader is situated and then followed by an application image as shown in the figure above.

By default, Bank A is mapped to the address 0x00000000 and Bank B is mapped to the address 0x00080000. The bank mapped to the address 0x00000000 is referred to as the active bank (by default Bank A), whereas the other bank mapped to the address 0x00080000 is referred to as the inactive bank.

The bootloader in an active bank can receive the following upgrade requests:

• Upgrade the active bank application image at address 0x00002000
• Upgrade the inactive bank application image at address 0x00082000
• Upgrade the inactive bank merged image (bootloader + application) at address 0x00080000