When it is determined safe (or otherwise an acceptable time) to reboot, a boot loader can locate the “newest” code in both the LOW and HIGH portions and boot using that code. After the reboot, an integrity check on that “new” code can be performed, as indicated by step 1216. The boot loader may examine a flag in the safety processor's NVM to determine which portion holds the new code. If the boot loader cannot determine which portion holds the new code, it may select one of the portions and proceed. The integrity check can be a SHA1 integrity check, for example. If the integrity check is valid after a successful reboot, the safety sensor may inform the system processor that it has successfully rebooted, as indicated by step 1218. The safety sensor software update process may end at step 1220. After step 1220, the system processor may request a version check from the safety processor to confirm whether the safety processor code was successfully updated. If the safety processor returns an older version, the system processor may ask the safety processor to try updating its software again.
If the integrity check at step 1216 fails, the boot loader may mark the inactive portion as bad or invalid and revert to a previously known good portion, as indicated by step 1222. The boot loader may select, for example, the safety processor code in the active portion, reboot using the code in the active portion, and perform an integrity check on that code after the reboot. If the safety processor is unable to reboot from any portion containing safety processor code, the system processor may detect this reboot failure and notify users of the hazard system device that it is experiencing technical difficulty.
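The boot selection, SHA1 integrity check (step 1216), mark-bad-and-fall-back behaviour (step 1222) and the system processor's follow-up version check described in the two paragraphs above can be modelled as one small state machine. The following Python is an added example written for this page; it is not code from the patent or from any hazard-system product. It assumes two named portions (LOW and HIGH), an integer version number and a stored SHA1 digest per portion, and a `new_flag` field in the safety processor's NVM; all of these names, the version numbering and the sample firmware bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Portion:
    """One of the two code portions (LOW or HIGH) in the safety processor's NVM (assumed layout)."""
    name: str
    version: int
    image: bytes
    digest: bytes          # SHA1 of the image, recorded when the image was written
    bad: bool = False      # set by the boot loader after a failed integrity check (step 1222)


@dataclass
class SafetyNVM:
    low: Portion
    high: Portion
    new_flag: Optional[str] = None   # name of the portion holding newly written code, if known


def make_portion(name: str, version: int, image: bytes) -> Portion:
    """Write an image to a portion and record its SHA1 alongside it (constructed helper)."""
    return Portion(name, version, image, hashlib.sha1(image).digest())


def integrity_ok(p: Portion) -> bool:
    """Step 1216: recompute SHA1 over the image and compare it with the stored digest."""
    return hashlib.sha1(p.image).digest() == p.digest


def boot_order(nvm: SafetyNVM) -> List[Portion]:
    """Candidate order: the portion flagged as new first (if the flag is readable and the
    portion is not marked bad), then the remaining good portions, newest version first."""
    candidates = [p for p in (nvm.low, nvm.high) if not p.bad]
    flagged = [p for p in candidates if p.name == nvm.new_flag]
    rest = sorted((p for p in candidates if p.name != nvm.new_flag),
                  key=lambda p: p.version, reverse=True)
    return flagged + rest


def boot(nvm: SafetyNVM) -> Tuple[Optional[Portion], List[str]]:
    """Try portions in order. A portion that fails its integrity check is marked bad and the
    boot loader falls back to the next known-good portion (step 1222). Returns the portion
    that booted (None if no portion could boot) and a log of the decisions taken."""
    log: List[str] = []
    for p in boot_order(nvm):
        if integrity_ok(p):
            log.append(f"booted {p.name} v{p.version}")
            return p, log
        p.bad = True
        log.append(f"{p.name} failed integrity check, marked bad")
    log.append("no bootable portion: report technical difficulty")
    return None, log


def version_check(booted: Optional[Portion], expected: int) -> bool:
    """The system processor's post-reboot check: True if the running code is at least the
    version it just pushed; False means the update did not take and should be retried."""
    return booted is not None and booted.version >= expected


if __name__ == "__main__":
    # Constructed scenario: v2 was written to HIGH but arrived corrupted; LOW holds good v1.
    low = make_portion("LOW", 1, b"safety processor firmware v1 (constructed)")
    high = make_portion("HIGH", 2, b"safety processor firmware v2 (constructed)")
    high.image += b"\x00"                      # simulate a corrupted write
    nvm = SafetyNVM(low, high, new_flag="HIGH")
    booted, log = boot(nvm)
    print("\n".join(log))
    print("update confirmed:", version_check(booted, expected=2))
```

The fallback only works because the digest is stored per portion and a failed portion is marked bad before the next attempt; without the `bad` flag the loader could loop between two portions indefinitely. When `new_flag` is unreadable the loader still makes progress, falling back to the highest version it can verify.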