
Is bootloader update failsafe?

I'm using:

  • bootloader_secure example in SDK 12.3.0
  • SoftDevice S130 nrf51 2.0.1

Is a bootloader update 100% failsafe against power loss anytime during the process?

  • Hi,

    Yes, the bootloader update should be 100% failsafe against power loss during the process.

    Before the MBR starts the swap procedure, i.e. the new bootloader image is copied into the bootloader section, the MBR will write a “start update command” to a flash page in order to indicate that the swap procedure has been started.

    If the device is reset or loses power during the swap procedure, then upon reboot the MBR will compare the image in bank 1 to the image in the bootloader section. If these images do not match, the swap procedure is restarted.

    Once the swap procedure is completed, the MBR will verify that the flash write operation was successful by comparing the two flash sections. If the received firmware image and the copy now residing in the bootloader flash section are not identical, the MBR will redo the operation until the image is correctly written to the bootloader section. Only when verified, the MBR will clear the “start update command” and branch to the bootloader.
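The swap procedure the answer describes, as an added C model that is not Nordic's MBR code: a simulated flash where power is cut after any number of writes on the first boot, showing why the "compare bank 1 to bootloader section, redo, then clear the command" sequence recovers from every cut point. The flag value, image size and write-budget counter are assumptions of the model.

```c
/* Added example, not Nordic's MBR code: a model of the swap procedure above
 * with power loss injected at every possible write to check recovery. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define IMG_WORDS 8
#define FLAG_UPDATE 0xA5A5A5A5u  /* hypothetical "start update command" value */

typedef struct {
    uint32_t bank1[IMG_WORDS];      /* new bootloader image received by DFU */
    uint32_t bootloader[IMG_WORDS]; /* bootloader section being replaced */
    uint32_t flag;                  /* settings page: pending-update command */
} flash_t;

/* Each flash write costs one unit of budget; running out models power loss. */
static bool write_word(uint32_t *dst, uint32_t val, int *budget) {
    if (*budget <= 0) return false;
    (*budget)--;
    *dst = val;
    return true;
}

/* One MBR boot with a given power budget. True = reached "branch to bootloader". */
static bool mbr_boot(flash_t *f, int budget) {
    if (f->flag != FLAG_UPDATE) return true;  /* nothing pending, boot normally */
    /* Copy bank 1 over the bootloader section until both compare equal; a partial
     * copy left by an earlier power loss simply fails the compare and is redone. */
    while (memcmp(f->bank1, f->bootloader, sizeof f->bank1) != 0) {
        for (int i = 0; i < IMG_WORDS; i++)
            if (!write_word(&f->bootloader[i], f->bank1[i], &budget)) return false;
    }
    /* Verified: clear the command only now, so a reset here just re-verifies. */
    return write_word(&f->flag, 0, &budget);
}

/* Start an update, cut power after `cutoff` writes on the first boot, then keep
 * rebooting with ample power. Returns boots needed, or -1 if flash ends wrong. */
int boots_for_cutoff(int cutoff) {
    flash_t f;
    for (int i = 0; i < IMG_WORDS; i++) { f.bank1[i] = 0x1000 + i; f.bootloader[i] = 0xEEEE; }
    f.flag = FLAG_UPDATE;          /* MBR writes the command before the swap */
    int boots = 1;
    bool done = mbr_boot(&f, cutoff);
    while (!done && boots < 10) { boots++; done = mbr_boot(&f, IMG_WORDS + 1); }
    bool ok = done && f.flag == 0 && memcmp(f.bank1, f.bootloader, sizeof f.bank1) == 0;
    return ok ? boots : -1;
}
```

Every cutoff from 0 to IMG_WORDS (including the one after the last word but before the flag is cleared) finishes correctly on the second boot; a cutoff beyond that finishes on the first.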

  • There is one failure scenario that affects most self-bootloaders: if the image you are loading is not functional, you will brick the device. For an extreme example, if you created an image that simply halted the processor but was in all other ways valid, the bootloader would happily replace itself with that garbage. This issue can be mitigated by ALWAYS verifying the operability of any new software images released to the field.
