We have a fair number of units in the field. These are installed in cars and trucks and are designed to switch on a computer when the ignition is on and send a shutdown to the computer when the ignition turns off. The unit was designed with the MCU staying powered for as long as the unit is installed; however, these units are now installed in trucks that have emergency isolation switches that remove power.
As these units were designed with firmware updates in mind, a few of us are now worried that if the firmware is updating and the power to the MCU is interrupted, corruption of the boot loader might be an issue. A couple of the engineers have said that during the low voltage the logic levels will be violated, along with setup and hold times, and you might corrupt a page of flash you didn't even intend to write to.
The MCU has the following configuration:
- Powered by 3.3 V
- BOD set to 1.8 V
- Using the internal 8 MHz RC oscillator
- Boot Lock bits not set
- Boot loader section enabled
The datasheet gives some explanation of what happens during a reset, under the heading Preventing Flash Corruption (section 26.2.3) of the ATmega48A/PA/88A/PA/168A/PA/328/P datasheet:
"If a reset occurs while a write operation is in progress, the write operation will be completed provided that the power supply voltage is sufficient."
Does this statement guarantee that if the power interruption happens in the middle of an erase or program operation, that operation is immediately terminated to protect against corruption? An engineer here believes this is a bit ambiguous.
We can deal with corruption in the application section, i.e. a failed write: the boot loader stores the CRC, checks it on startup and enters a recovery mode.
The boot loader does guard against writing over itself via a simple page comparison. The reason the boot lock bits weren't set was an early requirement that the boot loader could be upgraded, although this is now not the case.
We can instruct the SW to only initiate firmware updates while the vehicle is in motion (but this still might run the risk, i.e. GPS data not being available).
Just a few questions:
- Are there any Microchip / ex-Atmel employees who can clarify whether switching off power in the middle of an SPM write can corrupt any page other than the one currently being written at the time of power loss?
- If we set the BLB fuse bits that control SPM access to the boot loader section (something that can fortunately be done in code), does this set up hardware gating within the AVR to prevent writes to the boot loader pages, or would it likely suffer the same fate?
- Learn from this and add more bulk capacitance so that the voltage stays higher for longer after the brownout reset to ensure completion of the write.
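The two software defences the post describes, the startup CRC check over the application section and the boot loader refusing to program its own pages, are shown below as an added, host-runnable example. It is not the poster's boot loader or any Microchip/Atmel code: flash is modelled as a byte array with a constructed geometry (4 KiB, 128-byte pages, a 512-byte boot section at the top, CRC stored in the two bytes just below it), the CRC is assumed to be CRC-16/CCITT-FALSE (the post does not say which CRC is used), and a power loss between page erase and page program is modelled as the page reading back erased (0xFF). The example shows that a torn page in the application section is caught before the application is started, that reprogramming the page restores a valid image, and that a page-write request aimed at the boot loader section is rejected by an address check rather than by any hardware gating.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed flash geometry for the simulation (not the ATmega328P map):
 * 4 KiB of flash in 128-byte SPM pages, last 512 bytes = boot loader section. */
#define FLASH_SIZE  4096u
#define PAGE_SIZE   128u
#define BOOT_START  (FLASH_SIZE - 512u)
/* Application CRC is stored big-endian in the two bytes below the boot section. */
#define CRC_OFFSET  (BOOT_START - 2u)

/* CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no final XOR
 * (assumed here; the original post does not name its CRC). */
uint16_t crc16_ccitt(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)data[i] << 8;
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Build a constructed application image: erased flash (0xFF) everywhere,
 * deterministic filler bytes in the application area, CRC appended. */
void build_application_image(uint8_t *flash) {
    memset(flash, 0xFF, FLASH_SIZE);
    for (size_t i = 0; i < CRC_OFFSET; i++)
        flash[i] = (uint8_t)(i + 1);
    uint16_t crc = crc16_ccitt(flash, CRC_OFFSET);
    flash[CRC_OFFSET]     = (uint8_t)(crc >> 8);
    flash[CRC_OFFSET + 1] = (uint8_t)crc;
}

/* The check the boot loader runs on startup before jumping to the application:
 * returns 1 if the stored CRC matches the application bytes, else 0 (recovery). */
int application_is_valid(const uint8_t *flash) {
    uint16_t stored = (uint16_t)((flash[CRC_OFFSET] << 8) | flash[CRC_OFFSET + 1]);
    return crc16_ccitt(flash, CRC_OFFSET) == stored;
}

/* Page write guarded by the self-protection check: the request must be page
 * aligned and lie entirely below the boot loader section. This is a software
 * address check, not a hardware lock. Returns 0 on success, -1 if rejected. */
int bootloader_page_write(uint8_t *flash, uint32_t addr, const uint8_t *page) {
    if (addr % PAGE_SIZE != 0)           return -1;  /* not page aligned */
    if (addr + PAGE_SIZE > BOOT_START)   return -1;  /* overlaps boot section */
    memcpy(flash + addr, page, PAGE_SIZE);
    return 0;
}

/* Model power loss after the page erase completed but before the page program
 * ran: the page reads back as erased flash (all 0xFF). */
void simulate_torn_page(uint8_t *flash, uint32_t addr) {
    memset(flash + addr, 0xFF, PAGE_SIZE);
}

int main(void) {
    static uint8_t flash[FLASH_SIZE];
    uint8_t page0[PAGE_SIZE];

    build_application_image(flash);
    memcpy(page0, flash, PAGE_SIZE);               /* keep the good page to re-flash */
    printf("fresh image valid: %d\n", application_is_valid(flash));

    simulate_torn_page(flash, 0);                  /* power lost mid-update on page 0 */
    printf("after torn page valid: %d (boot loader stays in recovery)\n",
           application_is_valid(flash));

    printf("re-flash page 0: %d\n", bootloader_page_write(flash, 0, page0));
    printf("after re-flash valid: %d\n", application_is_valid(flash));

    printf("write into boot section rejected: %d\n",
           bootloader_page_write(flash, BOOT_START, page0));
    return 0;
}
```

The torn page on page 0 is detected deterministically rather than just with high probability: the filler bytes 1..128 leave an odd number of zero bits in that page, so erasing it to 0xFF flips an odd number of bits, and a CRC whose generator is divisible by x+1 (as 0x1021 is) always catches an odd-weight error. The address check is the only thing standing between the updater and the boot section in this model, which is the point of the poster's second question: the page comparison protects against a buggy or mis-addressed write request, not against what the silicon does during a brown-out.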