Document number 205065, Version Rev. N, Issue date 2019-02-04, Sirius OBC and TCM User Manual, www.aacmicrotec.com, Page 147 of 174

8.4. Boot images and boot procedure

8.4.1. Description

The bootrom is a small piece of software built into a read-only memory inside the System-on-Chip. Its main function is to load a software image from the system flash to RAM and start it by jumping to the reset vector (0x100). To make the system fault tolerant, there are two logical images of the main software, designated Updated and Safe. Each logical image is stored in three physical copies distributed over the system flash. By default the bootrom will first try to load the Updated image and, if that fails, fall back to the Safe image. The image to load can also be selected by setting the Next FW register in the Error Manager and doing a soft reset (see section 5.3 for more details). The boot order of the logical images and their physical copies is shown in Figure 8-1.

8.4.2. Block diagram

Figure 8-1 Software images in flash

8.4.3. Usage description

The locations in the system flash where the bootrom looks for software images are given in Table 8.4. The first two 32-bit words of the image are expected to be a header with image size and an XOR checksum, see Table 8.5. If the size falls within the accepted range, the bootrom loads the image to RAM while verifying the checksum. Both the image size check and the checksum are on top of the automatic EDAC on all flash data. The EDAC is handled by hardware and calculates one extra byte of redundancy data for each true data byte written to flash.

The bootrom loads the system flash bad block table from NVRAM offset 0x0E00 – 0x11FF. If a flash block within the range to load from is marked as bad in the table, that block is assumed to have been skipped when the image was programmed, so the bootrom continues reading from the next block. If the image could be loaded from flash without error and its checksum is correct, the bootrom jumps to the reset vector in RAM. If there is a flash error when loading, if the checksum is incorrect, or if the image has an invalid size, the bootrom steps to the next image by changing the Next FW field in the Error Manager and doing a soft reset. If the image being loaded is the last available, the bootrom will ignore errors and attempt to start it anyway, in order to always have a chance of a working system.

To indicate to the software which image and copy is loaded, the Running FW field in the Error Manager is updated before handing over execution.
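
The load-and-verify step and the fallback rule described in 8.4.3, modelled as an added example (not code from the manual or from the bootrom). The header word order, the checksum covering only the payload words, the block size, the size limits and the bitmask form of the bad block table are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed, not from the manual: word 0 = payload size in bytes, word 1 = XOR
 * of the 32-bit payload words; block size and size limits are constructed. */
#define BLOCK_WORDS 4u
#define MIN_SIZE 4u
#define MAX_SIZE 64u
enum load_result { LOAD_OK, LOAD_BAD_SIZE, LOAD_BAD_CHECKSUM, LOAD_FLASH_ERROR };
/* Copy the image to ram[] while verifying it; bit b of bad_mask marks block b bad. */
enum load_result load_image(const uint32_t *flash, size_t nblocks,
                            uint32_t bad_mask, uint32_t *ram)
{
    uint32_t expected = 0, xorsum = 0;
    size_t n = 0, total = 2;            /* words read / words needed */
    for (size_t b = 0; b < nblocks && n < total; b++) {
        if (bad_mask & (1u << b))
            continue;                   /* assumed skipped at programming time */
        for (size_t w = 0; w < BLOCK_WORDS && n < total; w++, n++) {
            uint32_t v = flash[b * BLOCK_WORDS + w];
            if (n == 0) {               /* size word: range-check before loading */
                if (v < MIN_SIZE || v > MAX_SIZE || v % 4 != 0)
                    return LOAD_BAD_SIZE;
                total = 2 + v / 4;
            } else if (n == 1) {
                expected = v;
            } else {
                ram[n - 2] = v;         /* load and checksum in one pass */
                xorsum ^= v;
            }
        }
    }
    if (n < total)
        return LOAD_FLASH_ERROR;        /* image runs past the readable range */
    return xorsum == expected ? LOAD_OK : LOAD_BAD_CHECKSUM;
}

/* Walk candidates in boot order; the last one is started even if it failed. */
int pick_image(const enum load_result *r, int count)
{
    for (int i = 0; i < count - 1; i++)
        if (r[i] == LOAD_OK)
            return i;
    return count - 1;
}

/* Constructed sample: 3-word payload; block 1 is marked bad and holds junk. */
const uint32_t sample_flash[16] = { 12, 0x3C3C3C3C, 0x11111111, 0x22222222,
    0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0F0F0F0F, 0, 0, 0, 0, 0, 0, 0 };
```

With the constructed sample, `bad_mask = 0x2` loads cleanly, while a stale table (`bad_mask = 0`) pulls the junk block into RAM and fails the checksum. An XOR checksum catches faults such as a single flipped bit, but flips in the same bit position of two words cancel, so it guards against corruption rather than establishing where an image came from.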