eBootloader supports three firmware update strategies. This document describes the recommended OTA workflow (firmware-owned download, bootloader-owned activation).

```
┌───────────────┐     ┌───────────────┐     ┌───────────────┐
│   Cloud /     │     │  Application  │     │    E-Boot     │
│   Server      │     │  Firmware     │     │   (Stage-1)   │
└───────┬───────┘     └───────┬───────┘     └───────┬───────┘
        │                     │                     │
        │ 1. New version      │                     │
        │    available        │                     │
        │────────────────────>│                     │
        │                     │                     │
        │ 2. Download         │                     │
        │    image chunks     │                     │
        │────────────────────>│                     │
        │                     │                     │
        │                     │ 3. Write to         │
        │                     │    inactive slot    │
        │                     │    (Slot B)         │
        │                     │                     │
        │                     │ 4. Request          │
        │                     │    test boot        │
        │                     │    eos_fw_request_  │
        │                     │    upgrade(B, TEST) │
        │                     │                     │
        │                     │ 5. Reboot           │
        │                     │────────────────────>│
        │                     │                     │
        │                     │                     │ 6. Verify Slot B
        │                     │                     │    image
        │                     │                     │
        │                     │                     │ 7. Boot Slot B
        │                     │                     │    (test mode)
        │                     │                     │
        │                     │ 8. Self-test        │
        │                     │<────────────────────│
        │                     │                     │
        │                     │ 9. eos_fw_confirm_  │
        │                     │    running_image()  │
        │                     │                     │
        │                     │      ── OR ──       │
        │                     │                     │
        │                     │ 9b. Crash /         │
        │                     │     watchdog        │
        │                     │     → rollback      │
        │                     │                     │
```

```c
#include <stddef.h>
#include <stdint.h>

/* Caller must ensure image_len <= eos_hal_slot_size(EOS_SLOT_B). */
int do_ota_update(const uint8_t *image_data, size_t image_len)
{
    eos_slot_t target = EOS_SLOT_B;
    uint32_t addr = eos_hal_slot_addr(target);

    /* Erase target slot */
    eos_hal_flash_erase(addr, eos_hal_slot_size(target));

    /* Write image (header + payload) */
    eos_hal_flash_write(addr, image_data, image_len);

    /* Request test boot */
    int rc = eos_fw_request_upgrade(target, EOS_UPGRADE_TEST);
    if (rc != EOS_OK) return rc;

    /* Reboot to apply */
    eos_hal_system_reset();
    return EOS_OK; /* unreachable */
}
```

```c
/* self_test_passed() is supplied by the application. */
int app_startup(void)
{
    if (eos_fw_is_test_boot()) {
        if (self_test_passed()) {
            /* Mark the running image as good so it is not rolled back */
            eos_fw_confirm_running_image();
        } else {
            /* Don't confirm: leave the image unconfirmed, request recovery and reset */
            eos_fw_request_recovery();
            eos_hal_system_reset();
        }
    }
    return 0;
}
```

| Trigger | Result |
|---|---|
| Unconfirmed test boot + reboot | boot_attempts incremented |
| boot_attempts ≥ max_attempts | Automatic rollback to Slot A |
| Watchdog reset during test boot | boot_attempts incremented |
| No valid image in active slot | Fallback to alternate slot |
| No valid image in either slot | Enter recovery mode |
The boot control block is written to two separate flash sectors (primary and backup). The write sequence is:
- Compute CRC32 of new boot control data
- Erase primary sector
- Write primary sector
- Erase backup sector
- Write backup sector
On load, if the primary copy fails CRC validation, the backup is used. This protects against power loss during metadata updates.
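
The write order and CRC fallback described above, simulated in RAM as an added example (not eBootloader's code). The `bootctl_t` layout, the 64-byte sector size and the names `crc32_calc`, `bootctl_save` and `bootctl_load` are assumptions; the `ops` parameter cuts power after that many flash operations.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SECTOR_SIZE 64u                 /* constructed size for this simulation */
typedef struct {                        /* hypothetical layout, not eBootloader's */
    uint32_t active_slot, boot_attempts, max_attempts;
    uint32_t crc;                       /* CRC32 over the three fields above */
} bootctl_t;
static uint8_t flash[2][SECTOR_SIZE];   /* [0] = primary, [1] = backup, held in RAM */
static uint32_t crc32_calc(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (c >> 1) ^ 0xEDB88320u : c >> 1;
    }
    return ~c;
}
/* Page's write order; `ops` flash operations complete before power is lost. */
static void bootctl_save(bootctl_t *b, int ops) {
    b->crc = crc32_calc((const uint8_t *)b, offsetof(bootctl_t, crc));
    for (int copy = 0; copy < 2; copy++) {          /* primary first, then backup */
        if (ops-- <= 0) return;
        memset(flash[copy], 0xFF, SECTOR_SIZE);     /* erase sector */
        if (ops-- <= 0) return;
        memcpy(flash[copy], b, sizeof *b);          /* write sector */
    }
}
/* Returns 0 if the primary copy was used, 1 for the backup, -1 if neither is valid. */
static int bootctl_load(bootctl_t *out) {
    for (int copy = 0; copy < 2; copy++) {
        bootctl_t t;
        memcpy(&t, flash[copy], sizeof t);
        if (t.crc == crc32_calc((const uint8_t *)&t, offsetof(bootctl_t, crc))) {
            *out = t;
            return copy;
        }
    }
    return -1;
}

int main(void) {
    bootctl_t old = { 0, 0, 3, 0 }, upd = { 1, 1, 3, 0 }, got = { 0 };
    bootctl_save(&old, 4);                          /* complete update */
    bootctl_save(&upd, 1);                          /* power lost after primary erase */
    int src = bootctl_load(&got);
    printf("loaded copy %d, active_slot %u\n", src, (unsigned)got.active_slot);
    return 0;
}
```

A CRC32 detects torn or corrupted metadata but does not authenticate it, so this scheme is a power-loss safeguard and not a defense against deliberate modification of the control block.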