WO2000079390A1 - Updating microprocessor boot software - Google Patents

Updating microprocessor boot software Download PDF

Info

Publication number
WO2000079390A1
WO2000079390A1 PCT/FI2000/000552 FI0000552W WO0079390A1 WO 2000079390 A1 WO2000079390 A1 WO 2000079390A1 FI 0000552 W FI0000552 W FI 0000552W WO 0079390 A1 WO0079390 A1 WO 0079390A1
Authority
WO
WIPO (PCT)
Prior art keywords
microprocessor
boot software
watchdog timer
connection
software
Prior art date
Application number
PCT/FI2000/000552
Other languages
French (fr)
Inventor
Marko Holappa
Tommi Huhtala
Original Assignee
Nokia Networks Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nokia Networks Oy filed Critical Nokia Networks Oy
Priority to AU54095/00A priority Critical patent/AU5409500A/en
Publication of WO2000079390A1 publication Critical patent/WO2000079390A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14Error detection or correction of the data by redundancy in operation
    • G06F11/1402Saving, restoring, recovering or retrying
    • G06F11/1415Saving, restoring, recovering or retrying at system level
    • G06F11/1433Saving, restoring, recovering or retrying at system level during software upgrading
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0751Error or fault detection not based on redundancy
    • G06F11/0754Error or fault detection not based on redundancy by exceeding limits
    • G06F11/0757Error or fault detection not based on redundancy by exceeding limits by exceeding a time limit, i.e. time-out, e.g. watchdogs

Definitions

  • the invention relates to two methods of updating boot software in a microprocessor, and to systems using the methods.
  • the boot software in a microprocessor refers to software that is executed during start-up of the microprocessor.
  • BIOS Basic Input/Output System
  • BIOS Basic Input/Output System
  • the term kernel may also be associated with boot software.
  • the kernel refers to, for example, the Input/Output Handler software of the MS-DOS operating system, which uses BIOS services for implementing disk management, memory management and other input/output operations.
  • boot software is to be understood broadly, since the terminology is not necessarily established, i.e. the term refers to parts of the software or the entire software carrying out the start-up of a microprocessor.
  • Updating boot software refers to an operation during which the old boot software in the memory of a microprocessor is replaced with new boot software obtained over a data transmission connection.
  • a data transmission connection refers to, for example, the transmission of new boot software locally by means of a communication port or a disk drive.
  • a data transmission connection may also be implemented over long distances by using a data transmission device connected to a communication port of the microprocessor. Consequently, data transmission can be implemented over telecommunication networks, from a distance of, for example, hundreds or thousands of kilometres, if need be.
  • a microprocessor can be placed for example in a telecommunica- tion device in the field; for example a base station used in mobile communication systems usually comprises several microprocessors.
  • Software updates in devices in the field can be performed over a telecommunication network connected to the device.
  • a service person has to perform software updates on site or, alternatively, parts of the device have to be sent to a factory or service centre to be updated.
  • Usually only the application software is updated, but at times the boot software has to be updated, too. If problems occur during the update of boot software, the worst outcome is that the microprocessor no longer properly boots or, alternatively, remains in what is known as a reset loop, i.e. keeps on booting.
  • An object of the invention is to provide a method and an apparatus for implementing the method so as to solve the above problems. This is achieved by the method to be described next.
  • the method of updating the boot software of a microprocessor comprises: replacing the old boot software in the microprocessor's memory with new boot software obtained over a data transmission connection; rebooting the microprocessor by the new boot software; starting a watchdog timer for monitoring the microprocessor.
  • the boot software update is assumed to have been successful and the watchdog timer is restarted; if the microprocessor does not send a signal to the watchdog timer before the watchdog timer expires, the watchdog timer reboots the microprocessor; if at least a predetermined number of microprocessor reboots are performed by the watchdog timer within a given time, the boot software update is assumed to have failed and the microprocessor is rebooted by using recovery boot software in the microprocessor's write-protected mem- ory, the boot software in the microprocessor's memory is replaced with the new boot software obtained over the data transmission connection, and the method continues from the second step where the microprocessor is rebooted by using the new boot software.
  • the invention also relates to a second method of updating the boot software of a microprocessor, comprising: replacing the old boot software in the microprocessor's memory with new boot software obtained over a data transmission connection.
  • the method comprises starting a time counter; rebooting the microprocessor by the new boot software; starting a watchdog timer for monitoring the microprocessor; if the microprocessor sends a signal to the watchdog timer before the watchdog timer expires, the boot software update is assumed to have been successful and the watchdog timer is restarted and the time counter is switched off; if the microprocessor does not send a signal to the watchdog timer before the watchdog timer expires, the watchdog timer reboots the microprocessor; if the time counter indicates that a predetermined time has lapsed, the boot software update is assumed to have failed and the microprocessor is rebooted by recovery boot software in the microprocessor's write-protected memory, the boot software in the microprocessor's memory is replaced with the new boot software obtained
  • the invention further relates to an update system for a microprocessor's boot software, comprising: a microprocessor; an erasable memory in which the boot software is stored and which is connected to the microprocessor; a watchdog timer connected to the microprocessor, whereby the micro- processor sends a toggle signal after successful start-up to the watchdog timer over a toggle signal connection and the watchdog timer is restarted; a connection from the watchdog timer to the microprocessor, whereby the watchdog timer sends a reset signal for rebooting the microprocessor over said connection to the microprocessor when the watchdog timer expires; a data transmission connection connected to the microprocessor for receiving new boot software; pointer means for indicating to the microprocessor which boot software is to be used; copying means for copying the new boot software obtained over the data transmission connection to replace the old boot software in the erasable memory.
  • the system further comprises: a write-protected memory in which recovery boot software is stored for booting the microprocessor in problem situations; a reset counter, which is connected to the microprocessor by the toggle signal connection and which is reset to zero when a toggle signal is received from the toggle signal connection; a time counter, which is connected to the microprocessor by the toggle signal connection and which is reset to zero when a toggle signal is received from the toggle signal connection; a connection from the time counter to the reset counter, over which connection the time counter gives to the reset counter, after a predetermined time has expired, a signal that resets the reset counter to zero; a connection from the reset counter to the pointer means, over which connection the reset counter, when the reset counter indicates at least a predetermined number of occurred resets, sets the pointer means to indicate the recovery boot software in the write-protected memory; a connection from the copying means to the pointer means, over which connection the copying means, after copying has taken place, set the pointer means to indicate the new boot software in the erasable memory
  • the invention also relates to a second update system for a microprocessor's boot software, comprising: a microprocessor; an erasable memory in which the boot software is stored and which is connected to the microprocessor; a watchdog timer connected to the microprocessor, whereby the microprocessor sends a toggle signal after successful start-up to the watchdog timer over a toggle signal connection and the watchdog timer is restarted; a connection from the watchdog timer to the microprocessor, whereby the watchdog timer sends a reset signal for rebooting the microprocessor over said connection to the microprocessor when the watchdog timer has expired; a data transmission connection connected to the microprocessor for receiving new boot software; pointer means for indicating to the microprocessor which boot software is to be used; copying means for copying the new boot software obtained over the data transmission connection to replace the old boot software in the erasable memory.
  • the second system further comprises: a write- protected memory in which recovery boot software is stored for booting the microprocessor in problem situations; a time counter, which is connected to the microprocessor by the toggle signal connection and which is reset to zero when a toggle signal is received from the toggle signal connection; a connection from the time counter to the pointer means, over which connection the time counter, after a predetermined time has expired, sets the pointer means to indicate the recovery boot software in the write-protected memory; a connection from, the copying means to the pointer means, over which connection the copying means, after copying has taken place, set the pointer means to indicate the new boot software in the erasable memory.
  • the invention is based on providing a device, which uses a micro- processor, already in the factory with a special recovery boot program including at least the necessary software parts for booting the processor.
  • the recovery boot program is stored in a write-protected memory, whereby it cannot be accidentally made inoperative.
  • the method and system of the invention provide a plurality of ad- vantages.
  • a service person does not have to travel to the device, but the device is able to automatically re- cover. This eliminates travel expenses. Neither does the device have to be delivered to service. The interruption in the use of the device will be short compared with a situation where a new device component would have to be delivered from the service centre.
  • Figure 1 shows an example of the structure of an update system
  • Figure 2 shows a second example of the structure of an update system
  • Figures 3A and 3B are flow diagrams of an update method; Figure 3C shows a second update method.
  • the system comprises a microprocessor 100 and an erasable non-volatile memory 102, which is connected to the microprocessor 100 and in which boot software 104 is stored.
  • the memory is erasable to allow updating of its contents. Examples of erasable memories that can be used include FLASH memory circuits or (electronically) erasable programmable read-only- memories ((E)EPROM).
  • the boot software 104 usually serves to load other software 106 on the memory circuits 102, i.e. usually the actual application software, to a random access memory (RAM) after the microprocessor has been started up 100.
  • Figure 1 does not show the random access memory separately, as it is thought to be included in the parts of the microprocessor 100 that are not shown herein.
  • a watchdog timer 112 is connected to the microprocessor 100 by a toggle signal connection 122.
  • Watchdogs are generally used in real time systems, which have to have a means of dealing with intra-system problems, for example when a program goes into an endless loop, or hardware problems that prevent the software from operating correctly.
  • the name 'watchdog' indicates that it has to be 'stroked' in order for it not to 'bite'. This means that a program has to restart the watchdog timer at regular intervals; otherwise the watchdog timer expires, leading to hardware reset.
  • the watchdog is so stroked that after a successful start-up the microprocessor 100 sends over the toggle signal connection 122 a toggle signal to the watchdog timer 112, whereby the watchdog timer 112 is restarted, and no hardware reset occurs. If problems arise during start-up of the microprocessor 100, the watchdog is not stroked, and when the watchdog timer 1 12 expires, the watchdog timer 112 sends over a connection 120 from the watchdog timer 112 to the microprocessor 100 a reset signal causing microprocessor (100) reset to the microprocessor 100.
  • the boot software 104 can for instance calculate a check sum for the kernel, and if the check sum is incorrect, the microprocessor 100 will not boot.
  • a data transmission connection refers, for example, to the transmission of new boot software locally by means of a communication port or a disk drive.
  • a data transmission connection can also be implemented over long distances by the use of a data transmission device connected to a communication port in the microprocessor. Consequently, data transmission can be implemented over telecommunication networks, for example from a distance of hundreds or thousands of kilometres, if need be. For example in product development it may be advantageous to use a communication port, whereas, when the device is located in the field, the boot software 124 can be transmitted over the telecommunication network.
  • Telecommunication devices such as base stations, generally have what is known as a master/slave structure.
  • One of the circuit cards of the device is defined as a master card, in which the software of all slave cards is stored.
  • the software is updated by transmission of new software over a telecommunication network to the master card, which then updates the slave cards. If the software update fails in a slave card, the software does not have to be retransmitted over the telecommunication network, but the old or new software is obtained from the master card.
  • an apparatus using the master/slave structure can automatically recover from problems occurring in the update of boot software.
  • the microprocessor 100 comprises pointer means 118 for indicating the boot software 104, 110 to be used to the microprocessor 100.
  • the microprocessor also comprises copying means 128 for copying the new boot software 124 obtained over the data transmission connection 126 to replace the old boot software 104 in the erasable memory 102.
  • arrow 124 denotes this update, i.e. the new boot software 124 is copied onto the original old boot software 104.
  • the microprocessor 100 comprises a write-protected memory 108, in which the recovery boot software 110 is stored, and the recovery boot software 1 10 is used to boot the microprocessor 100 when problems arise.
  • the write-protected memory 108 is part of the read-only memory (ROM) in the processor 100 or of a read-only memory connected to the processor 100, but it can also be part of the erasable memory 102, for example a FLASH memory, part of which is protected by software so that it is write-protected, i.e. said part of the memory operates as a write-protected memory.
  • Software stored in the write-protected memory 102 is sometimes called firmware.
  • FLASH memory circuits are usually surface-mounted to a circuit board, and therefore very difficult or impossible to change under field conditions, which means that a device having corrupt boot software always has to be taken to a service centre or even to the factory to be repaired.
  • the apparatus also comprises a connection 134 from the copying means 128 to the pointer means 118, over which connection 134 the copying means 128 set, after copying, the pointer means 118 to indicate the new boot software 124 in the erasable memory 104.
  • a reset counter 116 which counts resets, is connected to the microprocessor 100 by means of the toggle signal connection 122. The reset counter 116 is reset to zero when a toggle signal is re- ceived from the toggle signal connection 122.
  • a time counter 114 is connected to the microprocessor 100 by means of the toggle signal connection 122, and the time counter 114 is reset to zero when a toggle signal is received from the toggle signal connection 122.
  • connection 130 from the time counter 114 to the reset counter 116, and over the connection 130 the time counter 114 gives a signal for resetting the reset counter 116 to zero to the reset counter 116 after a pre- determined time has expired.
  • connection 132 from the reset counter 116 to the pointer means 118, and over the connection 132 the reset counter 116 sets the pointer means 118 to indicate the recovery boot software 110 in the write-pro- tected memory 108 when the reset counter 116 indicates at least a predetermined number of occurred resets.
  • the above-described mechanism enables the recovery boot software 110 to be changed as the boot software to be used when the device performs a given number of resets within a predetermined time, i.e. for example three resets in five minutes indicates that the boot software may be corrupt.
  • a predetermined time i.e. for example three resets in five minutes indicates that the boot software may be corrupt.
  • said predetermined limits are set such that they allow detection of problems occurring in booting the microprocessor 100.
  • FIG. 2 A second preferred embodiment of the system is presented next in Figure 2.
  • the embodiment of Figure 2 is identical to that shown in Figure 1 , except that the mechanism for changing the boot software to be used in booting the microprocessor 100 in failure, i.e. when the microprocessor 100 does not start up properly by the new boot software 124, is different.
  • a time counter 114 for counting time is connected to the microproc- essor 100 by means of the toggle signal connection 122, and the time counter 114 is reset to zero when a toggle signal is received from the toggle signal connection 122.
  • connection 200 from the time counter 114 to the pointer means 118, and over the connection 200 the time counter 114 sets the pointer means 118 to indicate the recovery boot software 110 in the write-protected memory 108 after a predetermined time has expired.
  • the mechanism described is slightly simpler than that presented in the embodiment of Figure 1.
  • the mechanism of Figure 2 allows the recovery boot software 110 to be replaced as the boot software to be used when the device does not boot properly within a predetermined time, i.e. within for example five minutes.
  • a predetermined time limit is set such that it allows the detection of problems in booting the microprocessor.
  • the old boot software in the microprocessor's memory is replaced with new boot software obtained over the data transmission connection.
  • the microprocessor is rebooted by using the new boot software.
  • a watchdog timer for monitoring the microprocessor is started up.
  • the success of the start-up is then tested in block 308.
  • the test is: did the watchdog timer receive, before expiration, a signal from the microprocessor, which caused the watchdog time to be restarted. If the microprocessor sends a signal to the watchdog timer before the watchdog timer expires, the process moves to block 310, where the boot software update is assumed to have been successful, and the watchdog timer is restarted. If the microprocessor does not send a signal to the watchdog timer before the watchdog timer expires, the process moves to block 314, where the watchdog timer reboots the microprocessor.
  • the crucial test is then carried out in block 316, i.e. if at least a given number of microprocessor reboots have occurred within a given time. If at least a predetermined number of microprocessor reboots performed by the watchdog timer occur within a predetermined time, then the boot software up- date is assumed to have failed, and the recovery measures are carried out in accordance with block 318.
  • FIG. 3B shows the contents of block 318 in greater detail.
  • the functionality of block 318 is composed of two blocks, 330 and 332.
  • the microprocessor is rebooted by using the recovery boot software in the write-protected memory of the microprocessor.
  • the boot software in the microprocessor's memory is replaced with new boot software obtained over the data transmission connection, i.e. the boot software is updated again.
  • the process then continues with another measure, i.e. block 304, by rebooting the microprocessor by the new boot software. If the microprocessor does not boot properly by the new boot software, the recovery can be repeated a few times. There is naturally a limit at some point, i.e.
  • An alternative is to use some diagnostics software over the data transmission connection after the microprocessor has been booted by the recovery boot software. This may allow the fault to be remote diagnosed, and the service person is able to take along the necessary tools when starting for the field.
  • Figure 3C shows a second preferred embodiment of the method corresponding to the second preferred embodiment of the update system.
  • the meanings of the blocks are the same as in the first embodiment shown Figure 3A and 3B, except that between blocks 302 and 304 is a new block 340, between blocks 306 and 308 a new block 342, and between blocks 310 and 312 a new block 344.
  • the time counter is started.
  • the test of block 342 is performed after the microprocessor has been rebooted and the watchdog timer started. If the time counter indicates that a predetermined time has lapsed, the assumption is that the boot software update has failed, and the microprocessor is rebooted in block 330 by using the recovery boot software in the microprocessor's write-protected memory; in block 332, the boot software in the microprocessor's memory is replaced with new boot software ob- tained over the data transmission connection, and the process continues from the second step of the method, i.e. block 340, where the time counter is started.
  • the test of block 308 is performed. If the microprocessor sends a signal to the watchdog timer before the watchdog timer has expired, the process continues in block 310, where an assumption is made that the boot software update has been successfully carried out, and the watchdog timer is restarted; and, finally, in block 344, the time counter is switched off. If the microprocessor does not send a signal to the watchdog timer before the watchdog timer has expired, then in block 314, the watchdog timer reboots the microprocessor.
  • Parts of the devices according to the invention are preferably implemented as software to be executed in the microprocessor 100.
  • Parts of the network part of the invention are also implemented by hardware, e.g. as ASIC (Application Specific Integrated Circuit) or by separate logic, such as PLD (Programmable Logic Device).
  • the pointer means 1 18, the reset counter 116, and the timer counter 114 are preferably implemented by hardware, and the copying means 128 by software.

Abstract

The invention relates to two methods of updating boot software in a microprocessor, and to update systems using the methods. The method comprises: (302) replacing the old boot software in the microprocessor's memory with new boot software obtained over a data transmission connection; (304) rebooting the microprocessor by the new boot software; (306) starting a watchdog timer for monitoring the microprocessor; (308 YES) if the microprocessor sends a signal to the watchdog timer before the watchdog timer expires, then (310) the boot software update is assumed to have been successful and the watchdog timer is restarted; (308 NO) if the micropressor does not send a signal to the watchdog timer before the watchdog timer expires, then (314) the watchdog timer reboot the microprocessor; (316 YES) if at least a predetermined number of microprocessor reboots are performed by the watchdog timer within a given time, the boot software update is assumed to have failed and (330) the microprocessor is rebooted by using recovery boot software in the microprocessor's write-protected memory, the boot software in the microprocessor's memory is (332) replaced with the new boot software obtained over the date transmission connection, and the method continues from the second step (304) where the microprocessor is rebooted by using the new boot soft-ware.

Description

UPDATING MICROPROCESSOR BOOT SOFTWARE
FIELD OF THE INVENTION
The invention relates to two methods of updating boot software in a microprocessor, and to systems using the methods.
BACKGROUND OF THE INVENTION
The boot software in a microprocessor refers to software that is executed during start-up of the microprocessor. Another term that can be used is BIOS (Basic Input/Output System), which is usually stored in the read memory of a computer's mainboard. During start-up, the BIOS manages the pa- rameters of the mainboard and various interfaces, such as synchronization of the device, arrangement of memory, communication ports and disk drives. The term kernel may also be associated with boot software. The kernel refers to, for example, the Input/Output Handler software of the MS-DOS operating system, which uses BIOS services for implementing disk management, memory management and other input/output operations. In the present application, the term boot software is to be understood broadly, since the terminology is not necessarily established, i.e. the term refers to parts of the software or the entire software carrying out the start-up of a microprocessor.
Updating boot software refers to an operation during which the old boot software in the memory of a microprocessor is replaced with new boot software obtained over a data transmission connection. Herein, a data transmission connection refers to, for example, the transmission of new boot software locally by means of a communication port or a disk drive. A data transmission connection may also be implemented over long distances by using a data transmission device connected to a communication port of the microprocessor. Consequently, data transmission can be implemented over telecommunication networks, from a distance of, for example, hundreds or thousands of kilometres, if need be.
A microprocessor can be placed for example in a telecommunica- tion device in the field; for example a base station used in mobile communication systems usually comprises several microprocessors. Software updates in devices in the field can be performed over a telecommunication network connected to the device. When problems arise, a service person has to perform software updates on site or, alternatively, parts of the device have to be sent to a factory or service centre to be updated. Usually only the application software is updated, but at times the boot software has to be updated, too. If problems occur during the update of boot software, the worst outcome is that the microprocessor no longer properly boots or, alternatively, remains in what is known as a reset loop, i.e. keeps on booting. Currently the only solution is for a service person to travel to the site of the device and repair the fault there or to deliver the device to a service centre. When surface-mounted components are used, repairs on site are almost impossible, or, at any rate, the reliability of the repair is low.
BRIEF DESCRIPTION OF THE INVENTION An object of the invention is to provide a method and an apparatus for implementing the method so as to solve the above problems. This is achieved by the method to be described next. The method of updating the boot software of a microprocessor comprises: replacing the old boot software in the microprocessor's memory with new boot software obtained over a data transmission connection; rebooting the microprocessor by the new boot software; starting a watchdog timer for monitoring the microprocessor. If the microprocessor sends a signal to the watchdog timer before the watchdog timer expires, the boot software update is assumed to have been successful and the watchdog timer is restarted; if the microprocessor does not send a signal to the watchdog timer before the watchdog timer expires, the watchdog timer reboots the microprocessor; if at least a predetermined number of microprocessor reboots are performed by the watchdog timer within a given time, the boot software update is assumed to have failed and the microprocessor is rebooted by using recovery boot software in the microprocessor's write-protected mem- ory, the boot software in the microprocessor's memory is replaced with the new boot software obtained over the data transmission connection, and the method continues from the second step where the microprocessor is rebooted by using the new boot software.
The invention also relates to a second method of updating the boot software of a microprocessor, comprising: replacing the old boot software in the microprocessor's memory with new boot software obtained over a data transmission connection. The method comprises starting a time counter; rebooting the microprocessor by the new boot software; starting a watchdog timer for monitoring the microprocessor; if the microprocessor sends a signal to the watchdog timer before the watchdog timer expires, the boot software update is assumed to have been successful and the watchdog timer is restarted and the time counter is switched off; if the microprocessor does not send a signal to the watchdog timer before the watchdog timer expires, the watchdog timer reboots the microprocessor; if the time counter indicates that a predetermined time has lapsed, the boot software update is assumed to have failed and the microprocessor is rebooted by recovery boot software in the microprocessor's write-protected memory, the boot software in the microprocessor's memory is replaced with the new boot software obtained over the data transmission connection, and the method continues from the second step where the time counter is started.
The invention further relates to an update system for a microprocessor's boot software, comprising: a microprocessor; an erasable memory in which the boot software is stored and which is connected to the microprocessor; a watchdog timer connected to the microprocessor, whereby the micro- processor sends a toggle signal after successful start-up to the watchdog timer over a toggle signal connection and the watchdog timer is restarted; a connection from the watchdog timer to the microprocessor, whereby the watchdog timer sends a reset signal for rebooting the microprocessor over said connection to the microprocessor when the watchdog timer expires; a data transmission connection connected to the microprocessor for receiving new boot software; pointer means for indicating to the microprocessor which boot software is to be used; copying means for copying the new boot software obtained over the data transmission connection to replace the old boot software in the erasable memory. The system further comprises: a write-protected memory in which recovery boot software is stored for booting the microprocessor in problem situations; a reset counter, which is connected to the microprocessor by the toggle signal connection and which is reset to zero when a toggle signal is received from the toggle signal connection; a time counter, which is connected to the microprocessor by the toggle signal connection and which is reset to zero when a toggle signal is received from the toggle signal connection; a connection from the time counter to the reset counter, over which connection the time counter gives to the reset counter, after a predetermined time has expired, a signal that resets the reset counter to zero; a connection from the reset counter to the pointer means, over which connection the reset counter, when the reset counter indicates at least a predetermined number of occurred resets, sets the pointer means to indicate the recovery boot software in the write-protected memory; a connection from the copying means to the pointer means, over which connection the copying means, after copying has taken place, set the pointer means to indicate the new boot software in the erasable memory. The invention also relates to a second update system for a microprocessor's boot software, comprising: a microprocessor; an erasable memory in which the boot software is stored and which is connected to the microprocessor; a watchdog timer connected to the microprocessor, whereby the microprocessor sends a toggle signal after successful start-up to the watchdog timer over a toggle signal connection and the watchdog timer is restarted; a connection from the watchdog timer to the microprocessor, whereby the watchdog timer sends a reset signal for rebooting the microprocessor over said connection to the microprocessor when the watchdog timer has expired; a data transmission connection connected to the microprocessor for receiving new boot software; pointer means for indicating to the microprocessor which boot software is to be used; copying means for copying the new boot software obtained over the data transmission connection to replace the old boot software in the erasable memory. The second system further comprises: a write- protected memory in which recovery boot software is stored for booting the microprocessor in problem situations; a time counter, which is connected to the microprocessor by the toggle signal connection and which is reset to zero when a toggle signal is received from the toggle signal connection; a connection from the time counter to the pointer means, over which connection the time counter, after a predetermined time has expired, sets the pointer means to indicate the recovery boot software in the write-protected memory; a connection from, the copying means to the pointer means, over which connection the copying means, after copying has taken place, set the pointer means to indicate the new boot software in the erasable memory.
The invention is based on providing a device, which uses a micro- processor, already in the factory with a special recovery boot program including at least the necessary software parts for booting the processor. The recovery boot program is stored in a write-protected memory, whereby it cannot be accidentally made inoperative.
The method and system of the invention provide a plurality of ad- vantages. When an update of the boot software fails, a service person does not have to travel to the device, but the device is able to automatically re- cover. This eliminates travel expenses. Neither does the device have to be delivered to service. The interruption in the use of the device will be short compared with a situation where a new device component would have to be delivered from the service centre.
BRIEF DESCRIPTION OF THE FIGURES
The invention will now be described in greater detail in conjunction with preferred embodiments and with reference to the attached drawings, in which:
Figure 1 shows an example of the structure of an update system, Figure 2 shows a second example of the structure of an update system,
Figures 3A and 3B are flow diagrams of an update method; Figure 3C shows a second update method.
DETAILED DESCRIPTION OF THE INVENTION Referring to Figure 1 , the general structure of an update system will be described. The system comprises a microprocessor 100 and an erasable non-volatile memory 102, which is connected to the microprocessor 100 and in which boot software 104 is stored. The memory is erasable to allow updating of its contents. Examples of erasable memories that can be used include FLASH memory circuits or (electronically) erasable programmable read-only- memories ((E)EPROM). The boot software 104 usually serves to load other software 106 on the memory circuits 102, i.e. usually the actual application software, to a random access memory (RAM) after the microprocessor has been started up 100. Figure 1 does not show the random access memory separately, as it is thought to be included in the parts of the microprocessor 100 that are not shown herein.
A watchdog timer 112 is connected to the microprocessor 100 by a toggle signal connection 122. Watchdogs are generally used in real time systems, which have to have a means of dealing with intra-system problems, for example when a program goes into an endless loop, or hardware problems that prevent the software from operating correctly. The name 'watchdog' indicates that it has to be 'stroked' in order for it not to 'bite'. This means that a program has to restart the watchdog timer at regular intervals; otherwise the watchdog timer expires, leading to hardware reset. In the example of Figure 1 , the watchdog is so stroked that after a successful start-up the microprocessor 100 sends over the toggle signal connection 122 a toggle signal to the watchdog timer 112, whereby the watchdog timer 112 is restarted, and no hardware reset occurs. If problems arise during start-up of the microprocessor 100, the watchdog is not stroked, and when the watchdog timer 1 12 expires, the watchdog timer 112 sends over a connection 120 from the watchdog timer 112 to the microprocessor 100 a reset signal causing microprocessor (100) reset to the microprocessor 100. The boot software 104 can for instance calculate a check sum for the kernel, and if the check sum is incorrect, the microprocessor 100 will not boot. A data transmission connection 126, over which new boot software
124 is obtained, is connected to the microprocessor 100. As was explained above, a data transmission connection refers, for example, to the transmission of new boot software locally by means of a communication port or a disk drive. A data transmission connection can also be implemented over long distances by the use of a data transmission device connected to a communication port in the microprocessor. Consequently, data transmission can be implemented over telecommunication networks, for example from a distance of hundreds or thousands of kilometres, if need be. For example in product development it may be advantageous to use a communication port, whereas, when the device is located in the field, the boot software 124 can be transmitted over the telecommunication network.
Telecommunication devices, such as base stations, generally have what is known as a master/slave structure. One of the circuit cards of the device is defined as a master card, in which the software of all slave cards is stored. The software is updated by transmission of new software over a telecommunication network to the master card, which then updates the slave cards. If the software update fails in a slave card, the software does not have to be retransmitted over the telecommunication network, but the old or new software is obtained from the master card. When using the method of the in- vention, an apparatus using the master/slave structure can automatically recover from problems occurring in the update of boot software.
The microprocessor 100 comprises pointer means 118 for indicating the boot software 104, 110 to be used to the microprocessor 100. In accordance with the invention, this means that the pointer means indicate from which address in the memory space the boot software to be used is found.
The microprocessor also comprises copying means 128 for copying the new boot software 124 obtained over the data transmission connection 126 to replace the old boot software 104 in the erasable memory 102. In Figure 1 , arrow 124 denotes this update, i.e. the new boot software 124 is copied onto the original old boot software 104. The microprocessor 100 comprises a write-protected memory 108, in which the recovery boot software 110 is stored, and the recovery boot software 1 10 is used to boot the microprocessor 100 when problems arise. Typically the write-protected memory 108 is part of the read-only memory (ROM) in the processor 100 or of a read-only memory connected to the processor 100, but it can also be part of the erasable memory 102, for example a FLASH memory, part of which is protected by software so that it is write-protected, i.e. said part of the memory operates as a write-protected memory. Software stored in the write-protected memory 102 is sometimes called firmware. Currently, FLASH memory circuits are usually surface-mounted to a circuit board, and therefore very difficult or impossible to change under field conditions, which means that a device having corrupt boot software always has to be taken to a service centre or even to the factory to be repaired.
The apparatus also comprises a connection 134 from the copying means 128 to the pointer means 118, over which connection 134 the copying means 128 set, after copying, the pointer means 118 to indicate the new boot software 124 in the erasable memory 104. Once the boot software 124 is updated, attempts are made to boot the apparatus by using the new boot software 124.
In the following a mechanism will be described, which is used when problems arise, i.e. when the microprocessor 100 does not start up properly by the new boot software 124, to change the boot software to be used during start-up of the microprocessor 100. A reset counter 116, which counts resets, is connected to the microprocessor 100 by means of the toggle signal connection 122. The reset counter 116 is reset to zero when a toggle signal is re- ceived from the toggle signal connection 122. In addition, a time counter 114 is connected to the microprocessor 100 by means of the toggle signal connection 122, and the time counter 114 is reset to zero when a toggle signal is received from the toggle signal connection 122.
There is a connection 130 from the time counter 114 to the reset counter 116, and over the connection 130 the time counter 114 gives a signal for resetting the reset counter 116 to zero to the reset counter 116 after a pre- determined time has expired.
There is a connection 132 from the reset counter 116 to the pointer means 118, and over the connection 132 the reset counter 116 sets the pointer means 118 to indicate the recovery boot software 110 in the write-pro- tected memory 108 when the reset counter 116 indicates at least a predetermined number of occurred resets.
The above-described mechanism enables the recovery boot software 110 to be changed as the boot software to be used when the device performs a given number of resets within a predetermined time, i.e. for example three resets in five minutes indicates that the boot software may be corrupt. Depending on the characteristics of the microprocessor and the software, said predetermined limits are set such that they allow detection of problems occurring in booting the microprocessor 100.
A second preferred embodiment of the system is presented next in Figure 2. The embodiment of Figure 2 is identical to that shown in Figure 1 , except that the mechanism for changing the boot software to be used in booting the microprocessor 100 in failure, i.e. when the microprocessor 100 does not start up properly by the new boot software 124, is different.
A time counter 114 for counting time is connected to the microproc- essor 100 by means of the toggle signal connection 122, and the time counter 114 is reset to zero when a toggle signal is received from the toggle signal connection 122.
There is a connection 200 from the time counter 114 to the pointer means 118, and over the connection 200 the time counter 114 sets the pointer means 118 to indicate the recovery boot software 110 in the write-protected memory 108 after a predetermined time has expired.
In other words, the mechanism described is slightly simpler than that presented in the embodiment of Figure 1. The mechanism of Figure 2 allows the recovery boot software 110 to be replaced as the boot software to be used when the device does not boot properly within a predetermined time, i.e. within for example five minutes. Depending again on the characteristics of the microprocessor and the software, said predetermined time limit is set such that it allows the detection of problems in booting the microprocessor.
Since the basic principle of the invention can be implemented in other ways, a method of updating the boot software of a microprocessor according to the invention will be described next with reference to Figures 3A and 3B. The method starts in block 300.
In block 302, the old boot software in the microprocessor's memory is replaced with new boot software obtained over the data transmission connection. Then, in block 304, the microprocessor is rebooted by using the new boot software. At the same time, in block 306, a watchdog timer for monitoring the microprocessor is started up.
The success of the start-up is then tested in block 308. The test is: did the watchdog timer receive, before expiration, a signal from the microprocessor, which caused the watchdog time to be restarted. If the microprocessor sends a signal to the watchdog timer before the watchdog timer expires, the process moves to block 310, where the boot software update is assumed to have been successful, and the watchdog timer is restarted. If the microprocessor does not send a signal to the watchdog timer before the watchdog timer expires, the process moves to block 314, where the watchdog timer reboots the microprocessor.
The crucial test is then carried out in block 316, i.e. if at least a given number of microprocessor reboots have occurred within a given time. If at least a predetermined number of microprocessor reboots performed by the watchdog timer occur within a predetermined time, then the boot software up- date is assumed to have failed, and the recovery measures are carried out in accordance with block 318.
Figure 3B shows the contents of block 318 in greater detail. The functionality of block 318 is composed of two blocks, 330 and 332. In block 330, the microprocessor is rebooted by using the recovery boot software in the write-protected memory of the microprocessor. Then, in block 332, the boot software in the microprocessor's memory is replaced with new boot software obtained over the data transmission connection, i.e. the boot software is updated again. The process then continues with another measure, i.e. block 304, by rebooting the microprocessor by the new boot software. If the microprocessor does not boot properly by the new boot software, the recovery can be repeated a few times. There is naturally a limit at some point, i.e. the conclusion is made that the device is faulty and requires the presence of a service person or the device has to be delivered to service. An alternative is to use some diagnostics software over the data transmission connection after the microprocessor has been booted by the recovery boot software. This may allow the fault to be remote diagnosed, and the service person is able to take along the necessary tools when starting for the field.
Figure 3C shows a second preferred embodiment of the method corresponding to the second preferred embodiment of the update system. The meanings of the blocks are the same as in the first embodiment shown Figure 3A and 3B, except that between blocks 302 and 304 is a new block 340, between blocks 306 and 308 a new block 342, and between blocks 310 and 312 a new block 344.
In block 340, the time counter is started. The test of block 342 is performed after the microprocessor has been rebooted and the watchdog timer started. If the time counter indicates that a predetermined time has lapsed, the assumption is that the boot software update has failed, and the microprocessor is rebooted in block 330 by using the recovery boot software in the microprocessor's write-protected memory; in block 332, the boot software in the microprocessor's memory is replaced with new boot software ob- tained over the data transmission connection, and the process continues from the second step of the method, i.e. block 340, where the time counter is started.
If the condition of block 342 is not fulfilled, the test of block 308 is performed. If the microprocessor sends a signal to the watchdog timer before the watchdog timer has expired, the process continues in block 310, where an assumption is made that the boot software update has been successfully carried out, and the watchdog timer is restarted; and, finally, in block 344, the time counter is switched off. If the microprocessor does not send a signal to the watchdog timer before the watchdog timer has expired, then in block 314, the watchdog timer reboots the microprocessor.
Parts of the devices according to the invention are preferably implemented as software to be executed in the microprocessor 100. Parts of the network part of the invention are also implemented by hardware, e.g. as ASIC (Application Specific Integrated Circuit) or by separate logic, such as PLD (Programmable Logic Device). The pointer means 1 18, the reset counter 116, and the timer counter 114 are preferably implemented by hardware, and the copying means 128 by software.
Even though the invention was described in the above with reference to the example according to the attached drawings, it is obvious that the invention is not restricted thereto, but may be modified in many ways within the inventive idea disclosed in the attached claims.

Claims

1. A method of updating the boot software of a microprocessor, comprising:
(302) replacing the old boot software in the microprocessor's mem- ory with new boot software obtained over a data transmission connection; (304) rebooting the microprocessor by the new boot software; (306) starting a watchdog timer for monitoring the microprocessor; c h a r a c t e r i z e d in that
(308 YES) if the microprocessor sends a signal to the watchdog timer before the watchdog timer expires, then (310) the boot software update is assumed to have been successful and the watchdog timer is restarted;
(308 NO) if the microprocessor does not send a signal to the watchdog timer before the watchdog timer expires, then (314) the watchdog timer reboots the microprocessor; (316 YES) if at least a predetermined number of microprocessor reboots are performed by the watchdog timer within a given time, the boot software update is assumed to have failed and (330) the microprocessor is rebooted by using recovery boot software in the microprocessor's write-protected memory, the boot software in the microprocessor's memory is (332) replaced with the new boot software obtained over the data transmission connection, and the method continues from the second step (304) where the microprocessor is rebooted by using the new boot software.
2. A method of updating the boot software of a microprocessor, comprising: (302) replacing the old boot software in the microprocessor's memory with new boot software obtained over a data transmission connection; c h a r a c t e r i z e d by (340) starting a time counter for counting time; (302) rebooting the microprocessor by the new boot software; (306) starting a watchdog timer for monitoring the microprocessor;
(308 YES) if the microprocessor sends a signal to the watchdog timer before the watchdog timer expires, then (310) the boot software update is assumed to have been successful and the watchdog timer is restarted and (344) the time counter is switched off; (308 NO) if the microprocessor does not send a signal to the watchdog timer before the watchdog timer expires, then (314) the watchdog timer reboots the microprocessor,
(342 YES) if the time counter indicates that a predetermined time has lapsed, the boot software update is assumed to have failed and (330) the microprocessor is rebooted by recovery boot software in the microprocessor's write-protected memory, the boot software in the microprocessor's memory is (332) replaced with the new boot software obtained over the data transmission connection, and the method continues from the second step (340) where the time counter is started 3 A system for updating the boot software of a microprocessor, comprising a microprocessor (100), an erasable memory (102) in which the boot software (104) is stored and which is connected to the microprocessor (100), a watchdog timer (112) connected to the microprocessor (100), whereby the microprocessor (100) sends a toggle signal after successful startup to the watchdog timer (112) over a toggle signal connection (122) and the watchdog timer (112) is restarted, a connection (120) from the watchdog timer (112) to the microproc- essor (100), whereby the watchdog timer (112) sends a reset signal for rebooting the microprocessor (100) over said connection (120) to the microprocessor (100) when the watchdog timer (112) expires, a data transmission connection (126) connected to the microprocessor (100) for receiving new boot software (124), pointer means (118) for indicating to the microprocessor (100) which boot software (104, 110) is to be used, copying means (128) for copying the new boot software (124) obtained over the data transmission connection (126) to replace the old boot software (104) in the erasable memory (102), c h a r a c t e r i z e d by comprising a write-protected memory (108) in which recovery boot software (110) is stored for booting the microprocessor (100) in problem situations, a reset counter (1 16), which is connected to the microprocessor (100) by the toggle signal connection (122) and which is reset to zero when a toggle signal is received from the toggle signal connection (122), a time counter (114), which is connected to the microprocessor (110) by the toggle signal connection (122) and which is reset to zero when a toggle signal is received from the toggle signal connection (122); a connection (130) from the time counter (114) to the reset counter (116), over which connection (130) the time counter (114) gives to the reset counter (116), after a predetermined time has expired, a signal that resets the reset counter (116) to zero; a connection (132) from the reset .counter (116) to the pointer means (118), over which connection (132) the reset counter (116), when the reset counter (116) indicates at least a predetermined number of occurred resets, sets the pointer means (118) to indicate the recovery boot software
(110) in the write-protected memory (108); a connection (134) from the copying means (128) to the pointer means (118), over which connection (134) the copying means (128), after copying has taken place, set the pointer means (118) to indicate the new boot software (124) in the erasable memory (104).
4. A system for updating the boot software of a microprocessor, comprising: a microprocessor (100); an erasable memory (102) in which the boot software (104) is stored and which is connected to the microprocessor (100); a watchdog timer (112) connected to the microprocessor (100), whereby the microprocessor (100) sends a toggle signal after successful startup to the watchdog timer (112) over a toggle signal connection (122) and the watchdog timer (112) is restarted; a connection (120) from the watchdog timer (112) to the microprocessor (100), whereby the watchdog timer (112) sends a reset signal for rebooting the microprocessor (100) over said connection (120) to the microprocessor (100) when the watchdog timer (112) has expired; a data transmission connection (126) connected to the microproc- essor (100) for receiving new boot software (124); pointer means (118) for indicating to the microprocessor (100) which boot software (104, 110) is to be used; copying means (128) for copying the new boot software (124) obtained over the data transmission connection (126) to replace the old boot software (104) in the erasable memory (102); c h a r a c t e r i z e d by comprising a write-protected memory (108) in which recovery boot software (110) is stored for booting the microprocessor (100) in problem situations; a time counter (114), which is connected to the microprocessor (110) by the toggle signal connection (122) and which time counter (114) is reset to zero when a toggle signal is received from the toggle signal connection (122); a connection (200) from the time counter (114) to the pointer means (118), over which connection (200) the time counter (114), after a predetermined time has expired, sets the pointer means (118) to indicate the recovery boot software (110) in the write-protected memory (108); a connection (134) from the copying means (128) to the pointer means (118), over which connection (134) the copying means (128), after copying has taken place, set the pointer means (118) to indicate the new boot software (124) in the erasable memory (102).
PCT/FI2000/000552 1999-06-21 2000-06-20 Updating microprocessor boot software WO2000079390A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU54095/00A AU5409500A (en) 1999-06-21 2000-06-20 Updating microprocessor boot software

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI991411A FI991411A (en) 1999-06-21 1999-06-21 Update of a microprocessor's initial loading software
FI991411 1999-06-21

Publications (1)

Publication Number Publication Date
WO2000079390A1 true WO2000079390A1 (en) 2000-12-28

Family

ID=8554921

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2000/000552 WO2000079390A1 (en) 1999-06-21 2000-06-20 Updating microprocessor boot software

Country Status (3)

Country Link
AU (1) AU5409500A (en)
FI (1) FI991411A (en)
WO (1) WO2000079390A1 (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10346278A1 (en) * 2003-10-06 2005-05-12 Giga Byte Technology Co Automatic recovery method of BIOS memory circuit in memory apparatus containing dual BIOS memory circuits - prevents boosting failure of computer system
CN100337197C (en) * 2002-10-14 2007-09-12 华为技术有限公司 Guide program recorder and method for guarantee of online upgrading thereof
DE10296986B4 (en) * 2001-06-29 2009-01-08 Intel Corporation, Santa Clara Method and device for programming a BIOS
US8122512B2 (en) 2003-03-10 2012-02-21 Igt Dynamic configuration of a gaming system
US20120246459A1 (en) * 2001-04-24 2012-09-27 Eagle Harbor Holdings, Llc Dynamic configuration of a home multiprocessor system
WO2016126864A1 (en) * 2015-02-03 2016-08-11 Uber Technologies, Inc. System and method for introducing functionality to an application for use with a network service
US10158528B2 (en) 2015-10-13 2018-12-18 Uber Technologies, Inc. Application service configuration system
US10298735B2 (en) 2001-04-24 2019-05-21 Northwater Intellectual Property Fund L.P. 2 Method and apparatus for dynamic configuration of a multiprocessor health data system
WO2019117990A1 (en) * 2017-12-12 2019-06-20 Google Llc Automated recovery of unstable mobile devices
WO2019140918A1 (en) * 2018-01-22 2019-07-25 格力电器(武汉)有限公司 Display panel control method, apparatus, system, display panel, and device unit
EP3742295A1 (en) * 2019-05-23 2020-11-25 NXP USA, Inc. Automatic firmware rollback
US10977105B2 (en) 2018-12-14 2021-04-13 Uber Technologies, Inc. Memory crash prevention for a computing device
US11533226B2 (en) 2015-10-13 2022-12-20 Uber Technologies, Inc. Application service configuration system
US11671791B2 (en) 2015-07-10 2023-06-06 Uber Technologies, Inc. Selecting a messaging protocol for transmitting data in connection with a location-based service

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0410030A1 (en) * 1989-07-25 1991-01-30 Unisia Jecs Corporation Method and apparatus for preventing failure of a CPU
EP0535761A2 (en) * 1991-10-04 1993-04-07 AEROSPATIALE Société Nationale Industrielle Method for failure detection and passivation in a data processing system and data processing system suitable for its implementation
DE19633919C1 (en) * 1996-08-22 1997-06-05 Siemens Ag Program module updating method for mobile communications appts
EP0803812A1 (en) * 1996-04-24 1997-10-29 Sony Corporation Method for updating a program
US5701492A (en) * 1996-03-29 1997-12-23 Canon Kabushiki Kaisha Fail-safe flashing of EPROM
WO1999008186A1 (en) * 1997-08-06 1999-02-18 Macronix International Co., Ltd. Fault-tolerant architecture for in-circuit programming
WO1999028823A1 (en) * 1997-11-28 1999-06-10 Fujitsu Siemens Computers Gmbh Monitoring system for computers

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0410030A1 (en) * 1989-07-25 1991-01-30 Unisia Jecs Corporation Method and apparatus for preventing failure of a CPU
EP0535761A2 (en) * 1991-10-04 1993-04-07 AEROSPATIALE Société Nationale Industrielle Method for failure detection and passivation in a data processing system and data processing system suitable for its implementation
US5701492A (en) * 1996-03-29 1997-12-23 Canon Kabushiki Kaisha Fail-safe flashing of EPROM
EP0803812A1 (en) * 1996-04-24 1997-10-29 Sony Corporation Method for updating a program
DE19633919C1 (en) * 1996-08-22 1997-06-05 Siemens Ag Program module updating method for mobile communications appts
WO1999008186A1 (en) * 1997-08-06 1999-02-18 Macronix International Co., Ltd. Fault-tolerant architecture for in-circuit programming
WO1999028823A1 (en) * 1997-11-28 1999-06-10 Fujitsu Siemens Computers Gmbh Monitoring system for computers

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11042385B2 (en) 2001-04-24 2021-06-22 Micropairing Technologies Llc. Method and system for dynamic configuration of multiprocessor system
US9645832B2 (en) 2001-04-24 2017-05-09 Dan A. Preston Dynamic configuration of a home multiprocessor system
US10298735B2 (en) 2001-04-24 2019-05-21 Northwater Intellectual Property Fund L.P. 2 Method and apparatus for dynamic configuration of a multiprocessor health data system
US10102013B2 (en) 2001-04-24 2018-10-16 Northwater Intellectual Property Fund, L.P. 2 Method and system for dynamic configuration of multiprocessor system
US9811354B2 (en) 2001-04-24 2017-11-07 Eagle Harbor Holdings, Llc Home audio system for operating different types of audio sources
US9697015B2 (en) 2001-04-24 2017-07-04 Eagle Harbor Holdings, Llc Vehicle audio application management system using logic circuitry
US9652257B2 (en) 2001-04-24 2017-05-16 Eagle Harbor Holdings, Llc Vehicle safety system
US9336043B2 (en) 2001-04-24 2016-05-10 Dan Alan Preston Method and apparatus for a task priority processing system
US20120246459A1 (en) * 2001-04-24 2012-09-27 Eagle Harbor Holdings, Llc Dynamic configuration of a home multiprocessor system
US10387166B2 (en) 2001-04-24 2019-08-20 Northwater Intellectual Property Fund L.P. 2 Dynamic configuration of a multiprocessor system
US9348637B2 (en) * 2001-04-24 2016-05-24 Eagle Harbor Holdings, Llc Dynamic configuration of a home multiprocessor system
DE10296986B4 (en) * 2001-06-29 2009-01-08 Intel Corporation, Santa Clara Method and device for programming a BIOS
CN100337197C (en) * 2002-10-14 2007-09-12 华为技术有限公司 Guide program recorder and method for guarantee of online upgrading thereof
US8359477B2 (en) 2003-03-10 2013-01-22 Igt Dynamic configuration of a gaming system
US8122512B2 (en) 2003-03-10 2012-02-21 Igt Dynamic configuration of a gaming system
DE10346278A1 (en) * 2003-10-06 2005-05-12 Giga Byte Technology Co Automatic recovery method of BIOS memory circuit in memory apparatus containing dual BIOS memory circuits - prevents boosting failure of computer system
US10228989B2 (en) 2015-02-03 2019-03-12 Uber Technologies, Inc. System and method for introducing functionality to an application for use with a network service
WO2016126864A1 (en) * 2015-02-03 2016-08-11 Uber Technologies, Inc. System and method for introducing functionality to an application for use with a network service
US11080117B2 (en) 2015-02-03 2021-08-03 Uber Technologies, Inc. System and method for introducing functionality to an application for use with a network service
US9575837B2 (en) 2015-02-03 2017-02-21 Uber Technologies, Inc. System and method for introducing functionality to an application for use with a network service
US11671791B2 (en) 2015-07-10 2023-06-06 Uber Technologies, Inc. Selecting a messaging protocol for transmitting data in connection with a location-based service
US11533226B2 (en) 2015-10-13 2022-12-20 Uber Technologies, Inc. Application service configuration system
US10917297B2 (en) 2015-10-13 2021-02-09 Uber Technologies, Inc. Application service configuration system
US10158528B2 (en) 2015-10-13 2018-12-18 Uber Technologies, Inc. Application service configuration system
US11881994B2 (en) 2015-10-13 2024-01-23 Uber Technologies, Inc. Application service configuration system
EP3757791A1 (en) * 2017-12-12 2020-12-30 Google LLC Automated recovery of unstable mobile devices
WO2019117990A1 (en) * 2017-12-12 2019-06-20 Google Llc Automated recovery of unstable mobile devices
WO2019140918A1 (en) * 2018-01-22 2019-07-25 格力电器(武汉)有限公司 Display panel control method, apparatus, system, display panel, and device unit
US10977105B2 (en) 2018-12-14 2021-04-13 Uber Technologies, Inc. Memory crash prevention for a computing device
US11379283B2 (en) 2018-12-14 2022-07-05 Uber Technologies, Inc. Memory crash prevention for a computing device
US11687389B2 (en) 2018-12-14 2023-06-27 Uber Technologies, Inc. Memory crash prevention for a computing device
EP3742295A1 (en) * 2019-05-23 2020-11-25 NXP USA, Inc. Automatic firmware rollback
US11176254B2 (en) 2019-05-23 2021-11-16 Nxp Usa, Inc. Automatic firmware rollback

Also Published As

Publication number Publication date
FI991411A (en) 2000-12-22
AU5409500A (en) 2001-01-09
FI991411A0 (en) 1999-06-21

Similar Documents

Publication Publication Date Title
JP6291248B2 (en) Firmware upgrade error detection and automatic rollback
WO2000079390A1 (en) Updating microprocessor boot software
CN100419698C (en) Network equipment and a method for monitoring the start up of such equipment
KR100952585B1 (en) Method and system for automatic recovery of an embedded operating system
US20080072030A1 (en) Computer System and Method for Updating Program Code
CN110647333A (en) Firmware upgrading method and equipment configured to upgrade firmware therein
CN111182033B (en) Method and equipment for restoring switch
US10921871B2 (en) BAS/HVAC control device automatic failure recovery
Cisco Operational Traps
Cisco Operational Traps
Cisco Operational Traps
Cisco Operational Traps
Cisco Operational Traps
Cisco Operational Traps
Cisco Operational Traps
Cisco Operational Traps
Cisco Operational Traps
Cisco Operational Traps
CN114237722A (en) System starting method, device, equipment and engineering vehicle
Cisco Operational Traps
Cisco Operational Traps
Cisco Operational Traps
Cisco Operational Traps
Cisco Operational Traps
Cisco Operational Traps

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ CZ DE DE DK DK DM DZ EE EE ES FI FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ CZ DE DE DK DK DM DZ EE EE ES FI FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP