EP0934563A1 - Procede a securite integree pour ameliorer un logiciel de base de coffret d'abonne a partir d'un serveur de reseau - Google Patents

Procede a securite integree pour ameliorer un logiciel de base de coffret d'abonne a partir d'un serveur de reseau

Info

Publication number
EP0934563A1
EP0934563A1 EP98905553A EP98905553A EP0934563A1 EP 0934563 A1 EP0934563 A1 EP 0934563A1 EP 98905553 A EP98905553 A EP 98905553A EP 98905553 A EP98905553 A EP 98905553A EP 0934563 A1 EP0934563 A1 EP 0934563A1
Authority
EP
European Patent Office
Prior art keywords
code
memory
segment
area
new
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP98905553A
Other languages
German (de)
English (en)
Inventor
Kamlesh Rath
James W. Wendorf
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Koninklijke Philips NV
Original Assignee
Koninklijke Philips Electronics NV
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips Electronics NV filed Critical Koninklijke Philips Electronics NV
Publication of EP0934563A1 publication Critical patent/EP0934563A1/fr
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/65Updates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14Error detection or correction of the data by redundancy in operation
    • G06F11/1402Saving, restoring, recovering or retrying
    • G06F11/1415Saving, restoring, recovering or retrying at system level
    • G06F11/1433Saving, restoring, recovering or retrying at system level during software upgrading
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Definitions

  • This invention relates to the downloading of system software from a network server.
  • cable television providers supply "set-top” devices to manage and control the user access and capabilities. These devices are periodically upgraded by downloading the appropriate software from a network server at the local cable television substation.
  • This invention presents a robust, fail-safe, method for upgrading such set-top devices from a network server.
  • the downloading of software from a master station to a remote device is common. Protocols establish the specific details for such transfers, and both the master station and remote device must conform to the established protocol to effect the transfer. Traditionally, either the remote device requests the download, or the master station directs or mandates the download. In either event, the remote device must be placed in an appropriate mode to accept the download, after which the transfer of data from the master station to the remote device commences.
  • the downloaded software is placed in non-volatile memory, such as flash memory, so that it can be locally executed, after power outages or system resets, without reliance on communications with the master station.
  • the communications link may become disconnected, or so degraded so as to be effectively disconnected, after the transmission has started, but before all the data is received at the remote station.
  • the data being transferred is software code required for the effective operation of the remote device, the loss of part of the data is often more catastrophic than not having received the data at all.
  • the new data will be stored in memory, replacing the data that had been stored in that same memory location.
  • the new data will, in all likelihood, be incompatible with the segments of the older data which has not yet been replaced by additional new data. Similarly, the older data will be incompatible with the new segments which have been loaded.
  • each half of the memory contains a full copy of the data, the old data in one half and the new data in the other.
  • the "subsequent" data is placed in the memory half containing the "old” data, maintaining a full copy of the "new" data in the other memory half until it is ascertained that a full copy of the subsequent data has been received.
  • Alternatives have been proposed to minimize the amount of extra memory required to effect a reliable download.
  • the remote device contains a small core of software in permanent memory; if a download is unsuccessful, this small core software is executed to restart the download process. In this way, the only extra memory required is the amount of permanent memory required to contain the small core software.
  • This approach reduces the amount of additional memory required to that required to initiate and control the reboot process.
  • this approach requires that the small core software be kept to a minimum, sometimes at the cost of other capabilities. For example, in a typical device containing such a small core software, the device is effectively inoperative until a successful download can be accomplished, because the small core software only contains enough capability to accomplish the download.
  • the object of this invention is to provide a means of downloading data to a remote device without requiring any additional memory, and yet allowing for the preservation of the code required to initiate and control the reboot process, in the event of a disruption in the download process.
  • This invention is premised on the observation that downloaded code, such as system software, may be partitioned into two subsets of code: that code which is required for basic, fundamental operations, such as downloading, and that code which is required for non-fundamental operations, such as displaying help menus and the like. Further, by downloading the code in phases, the fundamental operations code can be preserved in full, provided that the fundamental operations code is designed to consume less than half the memory area.
  • the memory associated with the non- fundamental operations is used to store the new fundamental operations code.
  • the new fundamental operations code is ascertained to have been downloaded correctly, the new non- fundamental operations code is downloaded into the memory associated with the old fundamental operations code.
  • the download of the new fundamental operations code the old fundamental operations code will be in memory; and, should a disruption occur during the second phase, the download of the new non-fundamental operations code, the new fundamental operations code will be in memory.
  • a copy of the fundamental operations code including the code required to download either or both portions of the new code, is available for subsequent execution. Note that no additional memory is required to provide this fail-safe capability.
  • this method allows the use of a full half of the available memory for fundamental operations. This would allow the device to perform more functions than merely downloading code.
  • the processing of user commands, such as channel selection could be included in the fundamental operations code, thereby allowing the set-top box to be utilized despite a downloading problem.
  • Figure 1 shows a me ⁇ iod for system software upgrades in accordance with this invention.
  • FIG. 2 shows an alternative method for system software upgrades in accordance with this invention.
  • Figure 1 shows a method for system software upgrades in accordance with this invention.
  • Figures 1(a), 1(b), 1(c), and 1(d) display the state of the memory 100 at four sequential periods of time, respectively.
  • the memory 100 contains the old code, which is partitioned into a primary partition 110 and a secondary partition 120.
  • the primary partition 110 contains the fundamental operations code, including the code required to download a new primary partition.
  • Secondary partition 120 contains other, non fundamental operations code, which can be any code which is considered non-fundamental to the operation of the system, and specifically, non-fundamental to the download of new operations code.
  • the new primary partition 150 is loaded into memory 100 in the lower half of memory, including part of the area in which the old secondary partition 120 had occupied, by executing code in primary memory 110, as shown by program pointer 101b. Consistent with this process, a memory location within the old primary partition is updated to indicate that, upon commencement of this download, the old secondary partition is no longer valid, and is considered no longer present in memory 100. At the end of this stage (b), the memory 100 will contain the old primary partition 110, and the new primary partition 150. If a problem occurs during the download of the new primary partition, the old primary partition remains intact in memory 100, to provide for fundamental operations, including repeated attempts to download the new primary partition until the memory 100 contains a verified copy of the new primary partition 150.
  • FIG. 1 e means for setting the program pointer 101 (101a, 101b, 101c, and lOld).
  • the system will contain other non volatile memory which is used to control the fundamental aspects of system management, such as where to initiate program execution after a power outage, or system reset.
  • the appropriate starting location for each of the phases of the process shown as figures 1(a), 1(b), 1(c), and 1(d), would be contained in this system management memory.
  • Other parameters required to effect a proper restart of the system may also be stored in this memory.
  • this memory would typically contain the location in memory 100 where each partition is to be loaded, the extent of each partition, and the starting address for executing each partition.
  • a reset vector For ease of understanding, all the parameters required to effect a restart after a system reset will be termed herein as a reset vector.
  • the reset vector would contain the address within the primary partition of the start of the routines which provide for normal operation, and any other parameters required to facilitate the start of such normal operations.
  • the reset vector Upon commencement of a download (figure 1(b)), the reset vector would contain the address within the primary partition of the start of the routines and any other parameters, such as the location and extent of the memory partitions, which are required for the download operation. Should the download process go awry, a system reset will effect a restart of the download operation from the original location using these preset parameters.
  • the reset vector in accordance with this invention, is not changed until the system verifies that the current phase of the process has been completed successfully, and the next phase is to begin. This can be effected, for example, by loading the reset vector with the next phase starting parameters after the current phase is verified as having been completed, and then forcing a system reset. Thenceforth, each system reset will force the start of that next phase, until that phase is verified and the subsequent phases starting parameters are placed in the reset vector.
  • this updating of the reset vector must be performed as a single, all or nothing, operation. That is, to assure a fail safe download, the reset vector must either be updated with all the new starting parameters, or left as is, containing the old starting parameters.
  • Such all or nothing operations which either complete the entire operation oi have no effect if interrupted, are commonly termed atomic operations.
  • Multi-step, non-atomic, updates which could cause the reset vector to contain neither the full set of old nor the full set of new starting parameters should not be employed, for fear that a mishap during this non-atomic update will result in neither the old nor the new code being executed properly.
  • the minimum information to be contained in this reset vector is an indication of where to initiate the execution of code corresponding to the phases depicted as 1(a), 1(b), 1(c), and 1(d) in figure 1 ; and, as will be subsequent discussed, phases 2(a), 2(b), and 2(c) depicted in figure 2.
  • the implementation of an operation to update such a minimal reset vector in an atomic fashion is common in the art.
  • the memory 110 may be structured as banks, or blocks, of memory, the reset vector parameters corresponding to the execution of each partition could have a fixed location within one of the banks of the partition, and a reset operation could be structured so as to always start at that fixed location within a selected bank.
  • Changing the reset parameters, including the program pointer 101 would be effected by merely changing the bank which is selected to be active upon reset.
  • the reset vector is atomically updated, and the code in the new primary partition 150 is executed to continue with the download process, as shown in figure 1(c) by program pointer 101c.
  • a copy of the code 150 is loaded into the area of memory previously containing the old primary partition 110.
  • the downloaded code 150 is shown as 150a in figure 1(c)
  • the copy of downloaded code 150 is shown as 150b.
  • the code in 150b is executed to continue the downloading process, as shown by program pointer 10 Id in figure 1(d).
  • the new secondary partition 160 is downloaded into the memory 100, in the area previously occupied by the old secondary partition 120, and the downloaded new primary partition 150a.
  • each of the old and new partitions can be such that the boundaries between primary and secondary old and new partitions need not be the same. That is, the new and old partitions can be of differing sizes, provided only that the total memory consumed by the partitions shown at the states of time represented by figures 1(a), 1(b), 1(c), and 1(d) are each less than the total memory space available in memory 100.
  • the new primary partition must be less than or equal to half the total available memory.
  • FIG. 1(a), 1(b), 1(c), 1(d) At least one copy of a verified primary partition is available throughout the downloading process. Thus, should a problem develop during any of the downloading or copying processes between states, a verified primary partition is always available to repeat the corrupted or aborted process.
  • An alternative embodiment of the invention is shown in figure 2. Items in figure 2 having similar functions to those in figure 1 are referenced by the same numerals.
  • the new primary partition 150 is loaded into the opposite extreme of memory as the old primary partition 110. That is, in conventional terminology, if the old primary partition is loaded at the lower part of memory 100, the new primary partition is loaded at the upper part, and vice versa.
  • the memory constraint in this implementation is that the sum of the old and new primary partition sizes must not exceed the total memory available. Typically, each of the old and new primary partitions will be limited to half the total memory available, in order to conform to this constraint. As would be evident to one skilled in the art, however, configurations could be employed with greater than half the available memory being allocated to one of the old or new primary partitions, provided the corresponding new or old primary partitions are equivalently less than half the available memory.
  • the code in partition 150 is executed to download the new secondary memory partition 160 into the remaining available memory in memory 100, as shown in figure 2(c).
  • the sum of the primary and secondary partitions will have been designed to be less than or equal to the total memory available in memory 100.
  • a verified version of a primary partition is available in memory 100 at all times, so that an interrupted or aborted download can be reinitiated by executing the appropriate code in this verified primary partition.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Stored Programmes (AREA)

Abstract

L'invention concerne un procédé et un dispositif permettant le téléchargement à sécurité intégrée d'un logiciel de base à partir d'un serveur de réseau, sans nécessiter une mémoire supplémentaire. Le logiciel de base est structuré de façon à comprendre une partition primaire et une partition secondaire. La partition primaire contient le logiciel requis pour télécharger la partition secondaire, ainsi que le logiciel pour télécharger une nouvelle partition primaire. A tout moment, une copie vérifiée soit d'une ancienne soit d'une nouvelle partition primaire est présente dans la mémoire, ce qui permet une réexécution du processus de téléchargement, au cas où ledit processus est interrompu, ou une partition reçue est altérée.
EP98905553A 1997-05-30 1998-03-12 Procede a securite integree pour ameliorer un logiciel de base de coffret d'abonne a partir d'un serveur de reseau Withdrawn EP0934563A1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US86665197A 1997-05-30 1997-05-30
US866651 1997-05-30
PCT/IB1998/000334 WO1998054642A1 (fr) 1997-05-30 1998-03-12 Procede a securite integree pour ameliorer un logiciel de base de coffret d'abonne a partir d'un serveur de reseau

Publications (1)

Publication Number Publication Date
EP0934563A1 true EP0934563A1 (fr) 1999-08-11

Family

ID=25348073

Family Applications (1)

Application Number Title Priority Date Filing Date
EP98905553A Withdrawn EP0934563A1 (fr) 1997-05-30 1998-03-12 Procede a securite integree pour ameliorer un logiciel de base de coffret d'abonne a partir d'un serveur de reseau

Country Status (3)

Country Link
EP (1) EP0934563A1 (fr)
JP (1) JP2000515286A (fr)
WO (1) WO1998054642A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2150891B1 (fr) * 2007-05-21 2019-03-06 Thomson Licensing Mise à niveau robuste de micrologiciel dans un terminal de réseau

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6247126B1 (en) * 1999-01-25 2001-06-12 Dell Usa, L.P. Recoverable software installation process and apparatus for a computer system
US6640334B1 (en) * 1999-09-27 2003-10-28 Nortel Networks Limited Method and apparatus of remotely updating firmware of a communication device
US6704865B1 (en) * 1999-12-23 2004-03-09 Delphi Technologies, Inc. Microprocessor conditional deterministic reset vector method
EP1332434A2 (fr) * 2000-01-07 2003-08-06 Thomson Licensing S.A. Procede et appareil permettant de sauvegarder un code d'application lors d'une panne de courant pendant une mise a jour du code
US6601212B1 (en) 2000-03-29 2003-07-29 Hewlett-Packard Development Company, Lp. Method and apparatus for downloading firmware to a non-volatile memory
KR100440950B1 (ko) 2001-06-30 2004-07-21 삼성전자주식회사 네트워크 환경에 있어서 소프트웨어 업그레이드 방법 및그에 따른 네트워크 디바이스
US7500092B2 (en) 2003-01-17 2009-03-03 International Business Machines Corporation Hardware abstraction for set-top box operating systems
US7263648B2 (en) 2003-01-24 2007-08-28 Wegener Communications, Inc. Apparatus and method for accommodating loss of signal
US7171606B2 (en) 2003-03-25 2007-01-30 Wegener Communications, Inc. Software download control system, apparatus and method
US6978452B2 (en) * 2003-04-02 2005-12-20 Beach Unlimited Llc Upgrading digital media servers
EP1494119A1 (fr) * 2003-06-30 2005-01-05 Thomson Multimedia Broadband Belgium Equipement de réseau et procédé de surveillance du démarrage d'un tel équipement
US7376870B2 (en) 2004-09-30 2008-05-20 Intel Corporation Self-monitoring and updating of firmware over a network
US7512939B2 (en) 2004-10-05 2009-03-31 Neopost Technologies System and method of secure updating of remote device software
WO2007104899A1 (fr) * 2006-03-16 2007-09-20 Thomson Licensing Procede de mise a jour robuste de logiciel
US11210173B2 (en) * 2018-05-09 2021-12-28 Microsoft Technology Licensing, Llc Fault tolerant device upgrade

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5388267A (en) * 1991-05-29 1995-02-07 Dell Usa, L.P. Method and apparatus for updating and restoring system BIOS functions while maintaining BIOS integrity
US6131159A (en) * 1992-05-08 2000-10-10 Paradyne Corporation System for downloading programs

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO9854642A1 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2150891B1 (fr) * 2007-05-21 2019-03-06 Thomson Licensing Mise à niveau robuste de micrologiciel dans un terminal de réseau

Also Published As

Publication number Publication date
JP2000515286A (ja) 2000-11-14
WO1998054642A1 (fr) 1998-12-03

Similar Documents

Publication Publication Date Title
EP0934563A1 (fr) Procede a securite integree pour ameliorer un logiciel de base de coffret d'abonne a partir d'un serveur de reseau
US6928579B2 (en) Crash recovery system
US5937198A (en) Field configurable embedded computer system
EP0687975B1 (fr) Méthode et système pour le chargement de données vers des noeuds de réseau
US7934210B1 (en) System and method for updating one or more programs and their environment
USRE41162E1 (en) Method for providing scaleable restart and backout of software upgrades for clustered computing
US5764992A (en) Method and apparatus for automatic software replacement
EP1077407A1 (fr) Méthode pour mettre à jour un programme utilisant les données de configuration associées
US7185331B2 (en) Method and apparatus for downloading executable code in a non-disruptive manner
US20080196019A1 (en) Method and Apparatus for Generating an Update Package
CN100524219C (zh) 执行不同版本软件的冗余处理器的配置同步的方法和装置
US20060277281A1 (en) Updating information in network devices
JP2000357095A (ja) 埋込式システムにソフトウェアをダウンロードする方法および装置
WO2002013003A2 (fr) Systeme et procede de mise en oeuvre d'une application integree a auto-activation
US7222342B2 (en) Execution on a machine, the start of an auxiliary downloader when storage of new software memory fails during execution of a first downloader
US6832374B2 (en) System and method for updating an executing executable file
EP1049974A1 (fr) Mise a niveau de logiciel
US6438606B1 (en) Router image support device
US7991390B2 (en) Program updating method of wireless communication terminal and wireless communication terminal using the same
CN104503811A (zh) 基于单存储区的通信设备升级方法及系统
KR20200112137A (ko) Plc 시스템의 펌웨어 관리 장치 및 방법과, 그 plc 시스템
JP3589433B2 (ja) データベース保証方式
JP2735972B2 (ja) プログラムローディング制御システム
KR100186604B1 (ko) 데이터통신시스템의 중단없는 기능수행을 위한 프로그래밍 방법
JPH1097426A (ja) 通信制御装置におけるシステムファイルの更新方法

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 19990604

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): DE FR GB

17Q First examination report despatched

Effective date: 20030605

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20031016