201007577 九、發明說明: 【發明所屬之技術領域】 本發明係關於一種可復原作業系統之嵌入式系統及其復原方 法,特別是有關於一種具有複數個作業系統的嵌入式系統中,若 有作業系統毀損時,可以復原毁損的作業系統之嵌入式系統以及 其復原作業系統之方法。 【先前技術】 嵌入式系統'般包含有一微處理器、一非揮發性記憶體以及 一揮發性記憶體。其中,微處理器用來控制整個嵌入式系統的運 ®作以及資料處理;非揮發性記憶體,例如快閃記憶體等,係用來 儲存一開機管理程式以及一作業系統映像樓;揮發性記憶體則是 用來暫存嵌入式系統運作時所需要使用到的程式碼以及微處理器 所使用到的運算資料。當嵌入式系統啟動後,首先執行開機管理 程式來載入作業系統映像檔中的核心映像標,藉由該核心映像標 的載入’可以載入作業系統映像檔之根檔案系統映像檔,以完成 嵌入式系統的作業系統啟動程序,並進行嵌入式系統後續功能程 序的執行。 如上所述’嵌入式系統是透過非揮發性記憶體來儲存作業系 統映像標等資料’若作業系統映像播中的核心映像槽或根槽案系 ,映像檔發生毀損時,嵌入式系統便無法啟動作業系統,而進行 後續功能程序的執行’尤其是當嵌入式系統在進行韌體升級時, 經常需要更新作業系統映像檔的核心映像槽及根檔案系統映像 槽’也因此更增加作業系統映像檔的核心映像檔及根檔案系統映 像檔發生毀損的機會。 因此’本發明之範疇在於提供一種具有多個作業系統的嵌入 式系統以及其作業系統復原的方法,使得嵌入式系統中的作業系 統發生毀損的時候,嵌入式系統仍然可以載入及啟動作業系統, 201007577 並且復原毁損的作業系統,以解決上述問題。 【發明内容】 本發明之一種可復原作業系統之嵌入式系統,包含複數個作 業系統及一開機管理單元。其中,每一該些作業系統包含一映像 擋、一映像檔檔頭資訊、一映像檔檢查單元以及一映像檔復原單 元;該映像檔檔頭資訊係紀錄該映像檔之檔案大小;該映像檔檢 查單元’係用以檢查每一該些作業系統之映像播實際大小是否符 合每一該些作業系統之映像檔檔頭資訊中所紀錄之映像檔檔案大 t,並判斷每一該些作業系統之映像檔是否毀損;該映像檔復原 單元,係用以將該映像檔覆寫每一經由該映像檔檢查單元判斷為 毀損之該些作業系統之映像檔;以及該開機管理單元,係用以依 序檢查每一該些作業系統是否正確,並將一最先檢查到之正確作 業系統載入。 此外,本發明之該嵌入式系統,其中當該開機管理單元檢查 ,每一該些作業纽料正確,則產生—作㈣統毀損訊息;另^ t發明之該嵌入式系統中,每一該些作業系統之該映像檔更包含 映Ϊ檔ΐ 一根檔案系統映像檔’該核心映像檔是由該開 ΐIf皁兀載入並進而載入該根檔案系統映像檔,而該根檔案系 統映像檔可由該開機管理單元載入而執行該映像檔檢查單元。、、 日fH人式系統中復原作㈣統之方法,該嵌入式 係is複數個作業系統及一開機管理單元,包含下列 公該開機管理單元;該開機管理單L序 杳^正確作,統載入;該正確作業系統載 統中毀損的作業线。_復原單减復原該些作業系 本發明之在-嵌入式系射復原作業系統之方法,其中該映 201007577 if Ϊ查單元係檢查每—該些作業綠之触像檔實際大小是否 ί;ί:Τ些該映像檔檔頭資訊中所紀錄之該映像檔 S 查單糾斷為毀損之該些作業系統之映 若嵌入式系統中復原作業系統之方法中, ί::該些作業系統之結果皆不正確,則該 開機官理早70產生一作業系統毀損訊息。 ❹ _ ^ ^ί發^伽與精神可靖由以Τ所舉的實施例並配合 所附圖式可以付到進一步的瞭解。 【實施方式】 第1圖為本發明實施例之可復原作業系統之嵌入式系統之系 統不意圖。於此一實施例中,嵌入式系統100包含一開機管理單 元110以及兩個作業系統120a、120b,其中每一作業李统12〇a、 瓢包含有一,像⑴21a、121b、一映像播播頭資訊、;瓜、㈣、 一映像檔檢查單兀123a、123b以及一映像擋復原單元124a、124b。 *首先,啟動嵌入式系統1〇〇後,嵌入式系統1〇〇會先載入開 機管理單元110來載入作業系統,開機管理單元11〇中已紀錄作 業系統12〇a、120b在非揮發性記憶體中的儲存位置。 ®管理單元U0會依照作業系統隐、12Gb在非揮^二= ,存位置依雜查作㈣統·、隱,騎作業祕^體;^ 是否正確。若開機管裡單元11〇先檢查作業系統12〇a,則開機管 理單元110會將作業系統120a的映像檔121a在非揮發性記憶體 中的實際槽案大小,與作業系統12〇a的映像播檔頭資訊122a中 所紀錄的映像檔122a檔案大小比對是否符合,若符合,作業系統 120a為正確作業系統’則開機管理單元11()會停止檢查並將作 業系統120a載入;若比對不符合’作業系統12〇a為不正確作業 系統’則開機管理單元會檢査作業系統12〇b是否正確。若開機;^ 201007577 理單元110檢查作業系統120b之結果正確,則開機管理單元110 會將作業系統120b載入;若作業系統120b亦不正讀,表示嵌入 式系統100中的兩個作業系統120a、120b皆不正確,則開機管理 單元110會產生一作業系統毀損訊息,表示嵌入式系統10〇中的 作業系統120a、120b皆已毀損。 於此實施例中’若開機管理單元110檢查作業系統12〇a為正 確作業系統後’則載入作業系統120a,作業系統120a於載入後便 會啟動,作業系統120a啟動後會先執行映像播檢查單元i23a,映 像權檢查單元123a會去檢查嵌入式系統中每一作業系統12〇a、 120b是否毀損。映像檔檢查單元123a將作業系統120a的映像檔 © 12la在非揮發性記憶體中的實際檔案大小,與作業系統120a的映 像檔檔頭資訊122a中所紀錄的映像檔122a檔案大小比對是否符 合’以及將作業系統120b的映像標121b在非揮發性記憶體中的 實際檔案大小,與作業系統120b的映像槽槽頭資訊122b中所紀 錄的映像檔122b檔案大小比對是否符合。若映像槽檢查單元123a 比對作業系統120b的映像檔121b在非揮發性記憶體中的實際檔 案大小,與作業系統120b的映像檔檔頭資訊122b中所紀錄的映 像槽122b標案大小不符合’映像標檢查單元i23a會判斷作業系 統120b為毀損的作業系統,並且執行映像檔復原單元12如來復 原毀損的作業系統120b。 ❹ 映像檔復原單元124a被映像檔檢查單元123a啟動執行後, 會將開機管理單元110所載入的正確作業系統之映像檔,直接覆 寫經由映像檔檢查單元123a判斷為毀損的作業系統之映像檔。於 此實施例中二若開機管理單元11〇載入的正確作業系統12〇a執行 映像檔檢查單元123a檢查作業系統i2〇a、i2〇b後,判斷作業系 統120b為毁損的作業系統,則映像檔復原單元124a會將正確作 業系統120a的映像檔I21a直接覆寫作業系統12〇b 121b,以復原毀損的作業系統120b。 象播 201007577 此外,於此實施例中,作業系統120a、120b之 咏ί 一映像檔121a、12比可包含有一核心映像槽ϊ-根^ ,系統映⑽。賴機管理單元UG載人作㈣統12=與= 中之一正確作業系統後,開機管理單元11() , ,而載入_緣續㈣;_齡料元 統映像樓而執行映像播檢查單元。 戰入根標案系 之步本欽式纽巾復树_統之方法 機營採ΐ細’ ί巾嵌人式系統包含有複數個作業系統以及一開 機管理單70,而復原作業系統之方法包含下列步驟: 開 ❹ /先,於步驟S100,啟動嵌入式系統;嵌入式 仃步驟S110,嵌入式系統會載入開機管理單元。、* 拾杏Ξ機^單元被嵌入式系統載入後’便執行步驟_,依序 =嵌j系統中的作業系統是否正確。由於開機管理單元已纪 ^入式彡統巾每-作㈣統在非揮發性記紐 Ξ判依:作業系統的儲存位置依 S之if疋t確。開機管理單元會將作業系統之映像 擔糖宏ί ^ 小,與作業系統之映像檔檔頭資訊所紀錄之映像 比對’若比對符合的話,則此作業系統為一正確 ί s理單元停止比對下—儲存位置的作業系統; 此作業系統為—毁損作業系統,且該機管理 單7G繼續比對下一儲存位置的作業系統。 社果理檢查嵌入式作業系統中每一作業系統的比對 ί 懷行步驟S121,開機管理單元會產生一作業系 的正載^機管理單元會將最先檢查到之比對結果符合 於步驟Sl3〇 ’作業系統中包含有一映像槽檢查單元,於作業 9 .201007577 系統被開機管理單元載入後便會執行映像檔檢查單元β …於步驟S140 ’作業系統執行映像擋檢查單元後,映像檔檢查 單凡會去檢查嵌入式系統中的每一作業系統,以判斷作業系統是 否發生毀損。映像槽檢查單元檢査每一作業系統時,會將作業系 統之映像檔之實際檔案大小,與作業系統之映像檔檔頭資訊所紀 ,之映像檔檔案大小進行比對,若比對符合的話,則此作業系統 為正確作業系統,並繼續比對下一作業系統;若比對不符合的話 ϊ此ϋ?系統為毀損作業系統,則映像檔檢查單元執行一映像檔 複原東开.。 © S141,若映像檔檢查單元檢查作業系統之結果為毁損 作業系統,便會執行映像檔復原單元。 行步驟S150,映像檔復原單元會將正確作業系統之映 虽覆寫毀損作業系統之映像檔,以復原毀損作業系統。 播〜ί查單元完成嵌人式祕中每—作業系統的檢查後, 式系統的作業系統啟動程序,作業系統完成啟動後, 嵌入式系統便可以執行其所要的功能程序。 多個知的嵌人式祕,本發明所提出触人式系統具有 能夠自‘祕私紅可以使得嵌入式系統中的作業系統發生毀損時, ®使縣入式系統’並且自動地復原作業系统, .201007577 【圖式簡單說明j 統示^料本㈣實施例之可復鱗衫統之叙#統之系 第2圖為本發明實施例之嵌入式系統中復原作業系統之方法 之步驟流程圖。 【主要元件符號說明】 100 欲入式系統 110 開機管理單元 120a、120b 作業系統 121a、121b 映像樓 122a ' 122b 映像檔檔頭資訊 123a ' 123b 映像樓檢查♦元 124a ' 124b 缺像檔復原單元 S100〜S150 流輕步驟 11201007577 IX. Description of the Invention: [Technical Field] The present invention relates to an embedded system of a recoverable operating system and a method for restoring the same, and more particularly to an embedded system having a plurality of operating systems, if there is an operation When the system is damaged, it is possible to recover the embedded system of the damaged operating system and its method of restoring the operating system. [Prior Art] An embedded system generally includes a microprocessor, a non-volatile memory, and a volatile memory. Among them, the microprocessor is used to control the operation of the entire embedded system and data processing; non-volatile memory, such as flash memory, is used to store a boot management program and an operating system image building; volatile memory The body is used to temporarily store the code used by the embedded system and the computing data used by the microprocessor. After the embedded system is started, the boot management program is first executed to load the core image mark in the operating system image file, and the core image target load can be loaded into the root file system image file of the operating system image file to complete The operating system of the embedded system starts the program and executes the subsequent functional programs of the embedded system. As mentioned above, 'embedded system uses non-volatile memory to store operating system image data.' If the image file is corrupted in the core image slot or root slot system in the operating system image, the embedded system cannot Start the operating system and perform the subsequent function program 'especially when the embedded system is performing firmware upgrade, it is often necessary to update the core image slot of the operating system image file and the root file system image slot', thus increasing the operating system image. The core image file of the file and the root file system image file are damaged. Therefore, the scope of the present invention is to provide an embedded system having multiple operating systems and a method for restoring the operating system thereof, so that the embedded system can still load and start the operating system when the operating system in the embedded system is damaged. , 201007577 and restored the damaged operating system to solve the above problems. SUMMARY OF THE INVENTION An embedded system of a recoverable operating system of the present invention includes a plurality of operating systems and a boot management unit. Each of the operating systems includes an image file, an image file header information, an image file checking unit, and an image file recovery unit; the image file header information records the file size of the image file; The checking unit is configured to check whether the actual image size of each of the operating systems meets the image file size recorded in the image file header information of each of the operating systems, and determines each of the operating systems. Whether the image file is damaged; the image file restoring unit is configured to overwrite the image file of each of the operating systems determined to be corrupted by the image file checking unit; and the booting management unit is used to Check each of these operating systems in sequence and load the correct operating system that was first checked. In addition, the embedded system of the present invention, wherein when the boot management unit checks that each of the job feeds is correct, a message is generated for (four) system damage; and the embedded system of the invention is each The image file of some operating systems further includes a file file 一根 a file system image file. The core image file is loaded by the ΐ ΐ 兀 并 and then loaded into the file system image file, and the root file system image The file can be loaded by the boot management unit to execute the image check unit. And the method of restoring (4) in the fH human system, the embedded system is a plurality of operating systems and a boot management unit, and includes the following public boot management unit; the boot management list L sequence 正确 ^ correct Load; the correct operating system carries the damaged line in the system. _Recovery reduction operation is the method of the present invention in the embedded system recovery operation system, wherein the projection 201007577 if the inspection unit checks whether the actual size of each of the green touch files is ί; : The image file S recorded in the image header information is corrected to be corrupted. The operating system is reflected in the embedded system. In the method of restoring the operating system in the embedded system, ί:: the results of the operating systems If it is not correct, then the booting authority will generate an operating system damage message. ❹ _ ^ ^ ί ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ [Embodiment] FIG. 1 is a schematic diagram of a system of an embedded system of a recoverable operating system according to an embodiment of the present invention. In this embodiment, the embedded system 100 includes a boot management unit 110 and two operating systems 120a, 120b, wherein each of the operating systems 12a, scoop includes one, like (1) 21a, 121b, an image broadcast header. Information, melon, (4), an image check unit 123a, 123b, and an image recovery unit 124a, 124b. * First, after the embedded system is started, the embedded system 1 will be loaded into the boot management unit 110 to load the operating system, and the recorded operating system 12〇a, 120b in the boot management unit 11 is non-volatile. Storage location in sexual memory. ® Management Unit U0 will be hidden according to the operating system, 12Gb in non-sweeping ^=, and the storage location will be checked (4), and hidden, riding the job secret; ^ is correct. If the unit 11 in the boot pipe first checks the operating system 12〇a, the boot management unit 110 will map the actual slot size of the image file 121a of the operating system 120a in the non-volatile memory to the image of the operating system 12A. Whether the file size comparison of the image file 122a recorded in the broadcast header information 122a is consistent, if the operation system 120a is the correct operating system, then the boot management unit 11 () will stop checking and load the operating system 120a; If the operating system 12〇a is an incorrect operating system, the power-on management unit checks whether the operating system 12〇b is correct. If the power is turned on; ^ 201007577, the processing unit 110 checks that the result of the operating system 120b is correct, the booting management unit 110 loads the operating system 120b; if the operating system 120b is not read, it indicates that the two operating systems 120a in the embedded system 100, If the 120b is not correct, the boot management unit 110 generates an operating system damage message indicating that the operating systems 120a, 120b in the embedded system 10 are damaged. In this embodiment, if the booting management unit 110 checks that the operating system 12〇a is the correct operating system, the operating system 120a is loaded, the operating system 120a is started after loading, and the operating system 120a executes the image after startup. The broadcast check unit i23a, the image right check unit 123a checks whether each of the work systems 12a, 120b in the embedded system is damaged. The image file checking unit 123a compares the actual file size of the image file © 12la of the operating system 120a in the non-volatile memory with the file size of the image file 122a recorded in the image file header information 122a of the operating system 120a. And whether the actual file size of the image mark 121b of the operating system 120b in the non-volatile memory matches the file size of the image file 122b recorded in the image slot header information 122b of the operating system 120b. If the image slot check unit 123a compares the actual file size in the non-volatile memory of the image file 121b of the operating system 120b, it does not match the size of the image slot 122b recorded in the image header information 122b of the operating system 120b. The image mark inspection unit i23a judges that the work system 120b is a damaged work system, and executes the image file restoration unit 12 to restore the damaged work system 120b.启动 After the image file restoration unit 124a is activated by the image file checking unit 123a, the image file of the correct operating system loaded by the power-on management unit 110 is directly overwritten with the image of the operating system determined to be corrupted by the image file checking unit 123a. files. In this embodiment, if the correct operating system 12〇a loaded by the booting management unit 11〇 executes the image file checking unit 123a to check the operating systems i2〇a, i2〇b, and determines that the operating system 120b is a damaged operating system, The image file restoration unit 124a directly overwrites the image file I21a of the correct operating system 120a with the operating system 12〇b 121b to restore the damaged operating system 120b. Image broadcast 201007577 In addition, in this embodiment, the image files 121a, 12 of the operating system 120a, 120b may include a core image slot, the system image (10). Lai machine management unit UG manned (four) system 12 = and = one of the correct operating system, boot management unit 11 (), and load _ edge (four); _ age material element image building and perform image broadcast check unit. The step of the war into the roots of the standard is the method of the Qin Dynasty, the method of the operation of the operating system. The method includes the following steps: opening/first, in step S100, starting the embedded system; embedded in step S110, the embedded system loads the boot management unit. , * After picking up the apricot machine unit is loaded by the embedded system, the step _ is executed, and the operating system in the embedded system is correct. Since the boot management unit has been used in the non-volatile memory, the storage location of the operating system is determined according to S. The boot management unit will compare the image of the operating system to the image recorded by the image file header information of the operating system. If the comparison is met, the operating system is a correct unit. The operating system is compared to the storage location; the operating system is a damaged operating system, and the machine management sheet 7G continues to compare the operating system of the next storage location. The social property check checks the comparison of each operating system in the embedded operating system. In step S121, the booting management unit generates a working system, and the operating unit matches the first checked result to the step. The Sl3〇' operating system includes an image slot checking unit. After the system 9 .201007577 is loaded by the boot management unit, the image file checking unit β is executed. In step S140, the operating system executes the image block checking unit, and the image file is executed. The inspection unit will check each operating system in the embedded system to determine if the operating system is damaged. When the image slot inspection unit checks each operating system, it compares the actual file size of the image file of the operating system with the image file size of the operating system image file, and if the comparison matches, Then the operating system is the correct operating system, and continues to compare the next operating system; if the comparison does not match, if the system is a damaged operating system, the image checking unit performs an image file recovery. © S141. If the image file inspection unit checks that the result of the operating system is a corrupted operating system, the image file recovery unit is executed. In step S150, the image file restoration unit overwrites the image of the damaged operating system with the image of the correct operating system to restore the damaged operating system. After the broadcast system is completed, the embedded system can start its function program. After the operation system is started, the embedded system can execute its desired function program. A plurality of known embedded human secrets, the touch system of the present invention has the ability to automatically damage the operating system when the operating system in the embedded system is damaged by the 'private red'. , .201007577 [Simple diagram of the drawing, j, and the material (4), the embodiment of the squash, the syllabus, the syllabus, the second embodiment of the present invention, the step of the method for restoring the operating system in the embedded system of the embodiment of the present invention. Figure. [Main component symbol description] 100 Into-type system 110 Power-on management unit 120a, 120b Operating system 121a, 121b Image building 122a ' 122b Image file header information 123a ' 123b Image building inspection ♦ Element 124a ' 124b Image file restoration unit S100 ~S150 Stream Light Step 11