CN113434166A - Double backup method containing fixed flash area and capable of rolling back - Google Patents

Info

Publication number
CN113434166A
Authority
CN
China
Prior art keywords
area
software
program
download
downloading
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110656293.9A
Other languages
Chinese (zh)
Other versions
CN113434166B (en)
Inventor
黎雨桐
司彦涛
袁厚万
宋雪
聂要辉
张学勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing Changan Automobile Co Ltd
Original Assignee
Chongqing Changan Automobile Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1446 Point-in-time backing up or restoration of persistent data
    • G06F11/1448 Management of the data involved in backup or backup restore
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • G06F8/71 Version control; Configuration management

Abstract

A rollback-capable software backup method with a fixed flash area comprises: (1) when software data is updated, first checking the running flag for download areas A/B and writing the software data to the corresponding download area; (2) verifying the current program running-area flag and the software state of the two download areas A/B, refreshing the program switching flag according to the verification result, and then, based on the program switching flag and the program running-area flag together, selecting the software of the corresponding download area, decompressing it and transferring it to the running area; (3) refreshing the program switching flag and the program running-area flag; (4) after an external command sets the program switching flag, verifying the software state of download areas A/B and switching the software data running in the current running area, thereby implementing software rollback. The method avoids the case where both areas fail to upgrade at the same time, reduces backup operations, reduces the space occupied by the partitions and improves software flashing efficiency.

Description

Double backup method containing fixed flash area and capable of rolling back
Technical Field
The invention relates to the technical field of software control, and in particular to a technique for backing up and rolling back software upgrades.
Background
At present, embedded devices have more and more functions, their software occupies more and more space, and upgrades take longer and longer. Meanwhile, an unexpected event or a problem with the upgrade itself can cause the device to restart or even crash during an upgrade, which affects the use of the device.
Patent document CN110399152A proposes a dual-backup upgrade method in which the device is divided into two running areas. Each upgrade is written to the area that is not currently running, and the software in the current running area is checked once after the upgrade completes. If the upgrade succeeds, the upgraded non-running area becomes the running area and runs the software in that partition, and the original running area becomes the non-running area. If the upgrade fails for some reason, the original running area is kept and continues to run its software, and the original non-running area remains the non-running area.
That method has several problems. First, the device is divided into two running areas, each containing a complete copy of the software, so running-area space becomes tight as functions are added and the software grows. Second, the software in the running area can only be changed by an upgrade; software rollback is not supported. Third, if two consecutive upgrades each leave a partition hung, the device can no longer be used normally and both partitions must be restored with other tools.
Disclosure of Invention
To address the problems and shortcomings described in the Background, the invention provides a rollback-capable double backup method with a fixed flash area, which avoids both areas failing to upgrade at the same time, reduces backup operations, reduces the space occupied by the partitions and improves software flashing efficiency.
The technical scheme of the invention is as follows:
A rollback-capable double backup method with a fixed flash area, in which the program storage area of a controller is permanently divided into one software running area and two software download areas A/B. The software running area is used only to run the upgraded software, and the software download areas A/B are used only to receive and store the upgraded software. The method comprises the following steps:
1. When software data is updated, first check the running flag for download areas A/B and write the software data to the corresponding download area.
2. After the software data is updated, verify the current program running-area flag and the software state of the two download areas A/B, and refresh the program switching flag according to the verification result. Then, based on the program switching flag and the program running-area flag together, select the software of the corresponding download area, decompress it and transfer it to the running area, so that the software in the running area is updated.
3. After the software in the running area is updated, refresh the program switching flag and the program running-area flag.
4. After an external command sets the program switching flag, verify the software state of download areas A/B and, taking the state of the program running-area flag into account, switch the software data running in the current running area, thereby implementing software rollback.
In this method the upgrade software must be supplied as a compressed package. After it has been written to download area A/B, the data can be transferred to the running area and run only once it has been decompressed and verified successfully. This reduces the space the upgrade package occupies, saves space in the two download areas so that the running area can be enlarged, and further speeds up the upgrade. Verification during decompression further improves the upgrade success rate.
In this method, download areas A/B can each store a different version of the software (a new version and an old version), and the software version in the running area is switched as the running area requires (or on an external command) to implement software rollback.
The invention has the following advantages:
1. Upgrades are always written to the partition that is not currently in use, so after a failed upgrade the upgrade can be retried in the failed partition, and both partitions cannot fail to upgrade at the same time. For example, if the software currently in use is determined to be that of partition A, upgrades are written to partition B until partition B is upgraded successfully and the software in use is switched to partition B.
2. The target partition can be determined directly at flashing time, and the partition holding the original software is never overwritten. The original software is therefore retained, backup operations are reduced and flashing efficiency improves.
3. The two download partitions work in turn rather than always working in partition A or partition B, which avoids faults caused by continuous use of one partition.
4. The software in the other partition can be switched to directly by a command (provided that partition's software meets the requirements), which implements software rollback.
5. The upgrade package is compressed, which reduces the partition space occupied and improves upgrade efficiency.
Drawings
FIG. 1 is a schematic diagram of program flashing;
FIG. 2 is a reference flowchart for determining the running area;
FIG. 3 is a flowchart of program switching determination and operation.
Detailed Description
The technical scheme of the invention is further explained below with reference to the drawings and an embodiment.
Referring to FIGS. 1, 2 and 3, in the rollback-capable software backup method with a fixed flash area according to the invention, the program storage area of a controller is permanently divided into one software running area and two software download areas A/B. The software running area is used only to run the upgraded software, and the software download areas A/B are used only to receive and store the upgraded software. The method comprises the following steps:
(1) when software data is updated, first checking the running flag for download areas A/B and writing the software data to the corresponding download area;
(2) after the software data is updated, verifying the current program running-area flag and the software state of the two download areas A/B, refreshing the program switching flag according to the verification result, and then, based on the program switching flag and the program running-area flag together, selecting the software of the corresponding download area, decompressing it and transferring it to the running area;
(3) after the software in the running area is updated, refreshing the program switching flag and the program running-area flag;
(4) after an external command sets the program switching flag, verifying the software state of download areas A/B and, taking the state of the program running-area flag into account, switching the software data running in the current running area, thereby implementing software rollback.
Specifically, in step (1), each time an FBL download/software upgrade is performed, that is, when the software data of step (1) is updated, the controller checks the running flag for download areas A/B to determine which download area is currently in use (for example, it determines that the software currently in use is that of download area A) and then downloads the new version of the program to the non-current download area. If the software currently in use is that of download area A, the non-current download area is download area B, so the new software is downloaded (or updated, or written) to download area B. All downloaded program segments are stored in the program download area.
Specifically, after the software data update in step (2) is complete, that is, after the program has been downloaded successfully, the validity of the downloaded file must be checked (the software state is verified) and the program-valid flag of the download area is set. Whether the program switching flag is set is decided by the validity of the program in the download area. Once the program switching flag is set, the program running-area flag and the validity of the download-area program are checked again, and the upgrade data of the corresponding download area is decompressed and transferred to the running area according to the last value of the program running-area flag.
Specifically, when the program is switched in step (4), the running-area flag (RunningArea_Flag) is checked first to confirm which running area is to be used, and the application program in the running area is then checked for validity. If it is valid, execution jumps to the program running area after a delay and the program runs. In other words, the invention can switch software (roll back) directly on an external instruction rather than only when a software update fails, and no flashing/download step is needed, provided that download areas A/B contain software that passes verification.
Specifically, in step (4), when the programs in download areas A/B cannot pass the validity check, for reasons such as non-standard software or a power failure during flashing, a program switch at that point is answered with a negative response: the switch is rejected and the software in the running area is kept in its current runnable state. That is, when the software to be switched to fails verification, a negative response is returned (to alert the user that the software update/download failed) and the running area continues to run the software of the old download area (if a switch from A to B is wanted but B fails verification, A is kept).
Further, each time step (4) receives an external command to switch the program, the program switching flag and the program running-area flag are updated once the switch has been carried out, whether or not it succeeded.
The practice of the method is described in further detail below.
A program switching flag (Exchange_Flag) is defined, which is used to determine whether the controller needs to perform a program switch.
A program running-area flag (RunningArea_Flag) is defined, which is used to determine which partition the currently running program belongs to; its definition is given in Table 1.
TABLE 1 download area judgment truth table
[Table 1 appears as an image in the original publication and is not reproduced here.]
As shown in FIG. 1, compared with a general programmable controller, the backup controller with a fixed flash area (and rollback capability) adds two program download areas, area A and area B, plus a program switching flag (Exchange_Flag) and a program running-area flag (RunningArea_Flag). Each time an FBL download/software upgrade is performed, the controller determines the download area currently in use and downloads the new version of the program to the non-current download area; all downloaded program segments are stored in the program download area. For a program switch, once the program has been downloaded and a program switching command has been received from the host computer, the controller detects that the program switching flag is set, transfers the program from the corresponding download area to the running area, and then enters the program running area to run the new program. The running-area flag (RunningArea_Flag) distinguishes the old version from the new one, for use when transferring a program to the running area and in rollback operations.
In the diagnostic management of the program, the basic session-mode switching between the boot program (Bootloader) and the application program (Application) in the server/controller (ECU) is as follows. After power-on/reset, the ECU executes the boot program first. The boot program performs some basic initialization, in which initialization of the CAN must be completed, and then checks whether the external reprogramming request flag is set. If the flag is set, the boot program continues to execute even if the application program is valid; if the flag is not set, the program switching determination is made and acted on.
As shown in FIGS. 2 and 3, the program switching determination first checks the running-area flag (RunningArea_Flag) to confirm which running area is to be used and then checks whether the application program in the running area is valid. If it is valid, execution jumps to the program running area after a delay and the program runs.
Because the external reprogramming request flag and the program switching flag (Exchange_Flag) must be accessible from both the Bootloader and the Application, both must be stored at a fixed, protected address in the controller (one that retains its contents across power loss).
When a software upgrade/program download is performed, the program running flag is checked first and the program is downloaded to the corresponding download area; the truth table is shown in Table 2.
TABLE 2 download area judgment truth table

| RunningArea_Flag value | Download area |
|---|---|
| Default | Zone A |
| App_A | Zone B |
| App_B | Zone A |

After the program has been downloaded successfully, the validity of the downloaded file must be checked and the program-valid flag of the download area set. Whether the program switching flag is set is decided by the validity of the download-area program, as shown in Table 3.
TABLE 3 switching program judgment truth table
[Table 3 appears as an image in the original publication and is not reproduced here.]
Once the program switching flag is set, the program running-area flag and the validity of the download-area program are checked again; the truth table for the switching operation is shown in Table 4. The upgrade data of the corresponding download area is decompressed and transferred to the running area according to the last value of the program running-area flag.
TABLE 4 truth table for software switching operation
[Table 4 appears as an image in the original publication and is not reproduced here.]
When the host computer requests a program switch (an external command requesting a program switch/software rollback), the controller, after receiving the program switching routine, must check the validity of the download-area programs and the program running-area flag just as it does after a program download. The difference is that the program switching flag is set directly in this case, and the decision then follows the truth table in Table 4.
As shown in Table 4, if the program switch succeeds, a positive response is returned; if the program switch fails, negative response 02 is returned.
If the programs in download areas A/B cannot pass the validity check for some reason, such as non-standard software or a power failure during flashing, a program switch is answered with negative response 01 and the software in the running area is kept in its current runnable state, so that the device continues to operate correctly. This measure prevents the device/controller from hanging and becoming unusable in such situations.
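The flag handling described above, as an added example in C (not code from the patent): it models download areas A/B, the single running area, RunningArea_Flag and Exchange_Flag, and walks through a first flash, an interrupted upgrade, a retry and a rollback by external command. Assumptions: the validity check is a CRC-32 stored with the image (the page does not specify the check; a CRC catches an interrupted or corrupted flash, not a tampered image), decompression is replaced by a plain copy, the switch target is always the area Table 2 selects for the current flag, and all struct, function and sample-image names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define SLOT_SIZE 64u
/* RunningArea_Flag values as listed in Table 2. */
enum running_area { AREA_DEFAULT, AREA_APP_A, AREA_APP_B };
/* Negative response 01 is named on the page; 02 (Table 4) is not modelled. */
enum switch_resp { RESP_POSITIVE = 0x00, RESP_NEG_01 = 0x01 };

struct slot { uint8_t data[SLOT_SIZE]; size_t len; uint32_t crc; };
struct ecu {
    struct slot dl[2];          /* download areas: [0] = A, [1] = B */
    uint8_t run[SLOT_SIZE];     /* the single fixed running area */
    enum running_area running;  /* RunningArea_Flag */
    int exchange;               /* Exchange_Flag */
};

/* Assumed validity check: bitwise CRC-32 (reflected, poly 0xEDB88320). */
static uint32_t img_crc32(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Table 2: Default -> zone A, App_A -> zone B, App_B -> zone A. */
static int download_target(enum running_area r) { return r == AREA_APP_A ? 1 : 0; }

static int slot_valid(const struct slot *s)
{
    return s->len > 0 && s->len <= SLOT_SIZE &&
           img_crc32(s->data, s->len) == s->crc;
}

/* Steps (1)-(2): write into the non-running download area; written < len
 * simulates power loss mid-flash. Exchange_Flag is set only if valid. */
static int flash_download(struct ecu *e, const uint8_t *img, size_t len,
                          uint32_t crc, size_t written)
{
    if (len == 0 || len > SLOT_SIZE || written > len) return -1;
    int t = download_target(e->running);
    struct slot *s = &e->dl[t];
    memset(s, 0, sizeof *s);            /* erase, then program */
    s->len = len; s->crc = crc;
    memcpy(s->data, img, written);
    e->exchange = slot_valid(s);
    return t;                           /* index of the slot written */
}

/* Steps (2)-(3): copy the other download area into the running area. */
static enum switch_resp do_switch(struct ecu *e)
{
    int t = download_target(e->running);
    const struct slot *s = &e->dl[t];
    enum switch_resp r = RESP_NEG_01;   /* default: reject, keep running area */
    if (e->exchange && slot_valid(s)) {
        memcpy(e->run, s->data, s->len);
        e->running = t ? AREA_APP_B : AREA_APP_A;
        r = RESP_POSITIVE;
    }
    e->exchange = 0;    /* refreshed whether or not the switch succeeded */
    return r;
}

/* Step (4): an external command sets Exchange_Flag directly. */
static enum switch_resp external_switch(struct ecu *e) { e->exchange = 1; return do_switch(e); }

/* Walks the scenario on constructed images; returns 0 if all checks hold. */
int run_scenario(void)
{
    static const uint8_t v1[] = "constructed sample image v1";
    static const uint8_t v2[] = "constructed sample image v2";
    uint32_t c1 = img_crc32(v1, sizeof v1), c2 = img_crc32(v2, sizeof v2);
    struct ecu e;
    memset(&e, 0, sizeof e);            /* RunningArea_Flag = Default */
    /* First flash: Default selects zone A, then switch into the running area. */
    if (flash_download(&e, v1, sizeof v1, c1, sizeof v1) != 0) return 1;
    if (do_switch(&e) != RESP_POSITIVE || e.running != AREA_APP_A) return 2;
    /* Upgrade interrupted after 5 bytes: zone B invalid, running area keeps v1. */
    if (flash_download(&e, v2, sizeof v2, c2, 5) != 1) return 3;
    if (external_switch(&e) != RESP_NEG_01 || e.running != AREA_APP_A) return 4;
    if (memcmp(e.run, v1, sizeof v1) != 0) return 5;
    /* Retry lands in zone B again; zone A (v1) was never overwritten. */
    if (flash_download(&e, v2, sizeof v2, c2, sizeof v2) != 1) return 6;
    if (do_switch(&e) != RESP_POSITIVE || memcmp(e.run, v2, sizeof v2) != 0) return 7;
    /* Rollback by external command: zone A still holds v1, no re-flash. */
    if (external_switch(&e) != RESP_POSITIVE || e.running != AREA_APP_A) return 8;
    return memcmp(e.run, v1, sizeof v1) == 0 ? 0 : 9;
}
int main(void) { return run_scenario(); }
```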

Claims (8)

1. A rollback-capable double backup method with a fixed flash area, characterized in that the program storage area of a controller is permanently divided into one software running area and two software download areas A/B, wherein the software running area is used only to run the upgraded software and the software download areas A/B are used only to receive and store the upgraded software, the method comprising the following steps:
(1) when software data is updated, first checking the running flag for download areas A/B and writing the software data to the corresponding download area;
(2) after the software data is updated, verifying the current program running-area flag and the software state of the two download areas A/B, refreshing the program switching flag according to the verification result, and then, based on the program switching flag and the program running-area flag together, selecting the software of the corresponding download area, decompressing it and transferring it to the running area;
(3) after the software in the running area is updated, refreshing the program switching flag and the program running-area flag;
(4) after an external command sets the program switching flag, verifying the software state of download areas A/B and, taking the state of the program running-area flag into account, switching the software data running in the current running area, thereby implementing software rollback.
2. The rollback-capable double backup method with a fixed flash area as claimed in claim 1, wherein the upgrade software is supplied as a compressed package and, after being written to download area A/B, is transferred to the running area and run only after it has been decompressed and verified successfully.
3. The rollback-capable double backup method with a fixed flash area as claimed in claim 1, wherein download areas A/B store two different versions of the software, and the software version in the running area is switched as the running area requires or on an external command to implement software rollback.
4. The rollback-capable double backup method with a fixed flash area as claimed in claim 1, wherein in step (1), each time an FBL download/software upgrade is performed, the controller determines the download area currently in use and then downloads the new version of the program to the non-current download area, and all downloaded program segments are stored in the program download area.
5. The rollback-capable double backup method with a fixed flash area as claimed in claim 1, 2 or 3, wherein after the software data update in step (2) is complete, that is, after the program has been downloaded successfully, the validity of the downloaded file is checked (the software state is verified) and the program-valid flag of the download area is set; whether the program switching flag is set is decided by the validity of the program in the download area; once the program switching flag is set, the program running-area flag and the validity of the download-area program are checked again, and the upgrade data of the corresponding download area is decompressed and transferred to the running area according to the last value of the program running-area flag.
6. The rollback-capable double backup method with a fixed flash area as claimed in claim 1, 2 or 3, wherein when the program is switched in step (4), the running-area flag is checked first to confirm which running area is to be used, the application program in the running area is then checked for validity, and, if it is valid, execution jumps to the program running area after a delay.
7. The rollback-capable double backup method with a fixed flash area as claimed in claim 6, wherein in step (4), when, owing to non-standard software, a power failure during flashing or the like, no program in download areas A/B can pass the validity check, a program switch at that point is answered with negative response 01 and the software in the running area is kept in its current runnable state.
8. The rollback-capable double backup method with a fixed flash area as claimed in claim 1, 2 or 3, wherein each time step (4) receives an external command to switch the program, the program switching flag and the program running-area flag are updated after the program switch has been carried out.
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110656293.9A (CN113434166B) | 2021-06-11 | 2021-06-11 | Double backup method containing fixed flash area and capable of rolling back |

Status: Active

Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN113434166A | 2021-09-24 |
| CN113434166B | 2022-10-11 |
