AB SWAP on Aurix TriCore platform for OTA
With the advent of OTA (Over The Air) updates and connected services, it is now easier than ever to update an ECU in the field. With this comes the challenge of keeping the ECU running in the event of a download failure or unexpected behavior after installing the new application. In such situations the ECU may need to roll back the update and return to a known good state. The Aurix TriCore family of processors provides the AB Swap feature to handle such scenarios. It lets you keep two different applications in the ECU and switch between them.
What’s impressive about this feature is that Aurix handles all of it at the hardware level. The application is not even aware of the bank from which it is running.
Even the image file (*.elf or *.hex) generation process need not change. The software is always built for the standard address memory map. During the download process, the bootloader decides where the new application is written and triggers a bank switch on reset.
About the feature
The mechanism provides the ability to split the PFLASH into two groups of banks:
– A as the standard address map.
– B as the alternate address map.
When SOTA/SWAP is enabled on Aurix TC3xx devices, software can be read and executed from one of these bank groups while new software is written to the other. The SWAP takes effect after the next system reset (an application reset has no effect). After the reset, the selected address map is mapped onto the CPU's executable address range.
The SWAP feature is available across the Aurix TC3xx family, except for derivatives that use a single PFLASH bank. With the feature enabled, half or less than half of the total PFLASH is available for the application.
Ensure that the binary application code fits entirely into the group of A-banks and does not spill over into the B-banks or the NoSWAP banks.
For example, the Aurix 38xx has a total of 10 MB of PFLASH. 8 MB (4 MB in each bank group) is usable for SWAP; the remaining 2 MB cannot be used in this configuration.
The SWAP is done between the 4 MB/4 MB pairs PFLASH 0/1 and PFLASH 2/3. Refer to the memory map of the controller you are using for the physical address ranges of these PFLASH regions.
Registers involved
The feature is enabled and configured using the UCB (User Configuration Block). The UCB is part of the DFLASH region (DF0) in Aurix. It is used to configure things like the startup address of the controller, protection of the flash memory, and hardware security. For the AB SWAP feature it is the control centre.
To configure AB SWAP, we are interested in the UCB_SWAP_ORIG, UCB_SWAP_COPY and UCB_OTP0_ORIG registers.
We will briefly go over these registers and what they do.
UCB_SWAP_{ORIG|COPY}
The UCB_SWAP (ORIG and COPY) contains the user-defined SWAP configuration, which is evaluated by the SSW (start-up software). The SSW is the first set of instructions executed after a reset or power-on: the power-on sequence in which the controller reads its peripherals and registers and sets itself up.
UCB_SWAP_ORIG is the register normally read by the SSW to install the SWAP. UCB_SWAP_COPY is read only when ORIG is not in a correct state. Both registers have an identical layout; COPY acts as a fail-safe backup for ORIG.
- UCB_SWAP_{ORIG|COPY}_MARKERLx: Determines the system address map (standard or alternate) used by the currently running application.
- UCB_SWAP_{ORIG|COPY}_MARKERHx: Holds the 32-bit system address of the corresponding UCB_SWAP_{ORIG|COPY}_MARKERLx entry, confirming its validity. The start-up software checks this for safety before the address map is installed.
- UCB_SWAP_{ORIG|COPY}_CONFIRMATIONLx: Holds the confirmation code for the address map configured in the preceding MARKER{L|H}x. A valid code indicates that the start-up software may install the above address map configuration in the SCU_SWAPCTRL register. (More on this register later.)
- UCB_SWAP_{ORIG|COPY}_CONFIRMATIONHx: Holds the 32-bit system address of the corresponding UCB_SWAP_{ORIG|COPY}_CONFIRMATIONLx entry, confirming its validity. The start-up software checks this field before the MARKER fields are read. The address map is installed only if this value matches the actual address of the location.
UCB_OTP{0–7}_{ORIG|COPY}
UCB_OTP{0–7} is a set of 8 registers, each with an ORIG and a COPY, so 16 registers in total: 8 ORIG and 8 COPY. Not all 16 are used for the SWAP feature; only UCB_OTP0_ORIG is needed (more on this later). The field of interest here is UCB_OTPx.PROCONTP.SWAPEN.
If this field is valid and set to enabled, the SSW enters SOTA mode after the next system reset and installs the new memory map.
The section above can seem dry and daunting. Read it again after the section below on how these registers are used.
How these registers are used
- The address map value is written to MARKERLx. It is either 0x55 (A-banks) or 0xAA (B-banks).
- The address of the MARKERLx register is written to MARKERHx.
- Confirmation code 0x57B5327F is written to CONFIRMATIONLx.
- The address of this CONFIRMATIONLx is written to CONFIRMATIONHx.
- Then UCB_OTP.PROCONTP.SWAPEN is written to enable the swap. Before enabling SWAPEN, make sure that both UCB_SWAP_ORIG and UCB_SWAP_COPY have been written.
- After this, a system reset is needed to perform the address map swap and run the new bank.
During start-up, the DMU_HF_PROCONTP.SWAPEN and SCU_SWAPCTRL registers are evaluated, and either the standard or the alternate banks are installed for code execution.
UCB_OTP0 is evaluated by default, regardless of whether it is CONFIRMED or UNLOCKED; UCB_OTP1–7 are evaluated only if set to CONFIRMED. Hence, updating PROCONTP.SWAPEN of UCB_OTP0 alone is sufficient to enable or disable SOTA mode.
The UCB_SWAP_{ORIG|COPY} registers hold 16 entries: for UCB_SWAP_{ORIG|COPY}_MARKERLx, x runs from 0 to 15, and the same applies to the other fields, UCB_SWAP_{ORIG|COPY}_MARKERH{0–15} and UCB_SWAP_{ORIG|COPY}_CONFIRMATION{L|H}{0–15}.
When a new address map is to be written, one of these 16 entries is updated: on every swap, the next empty index receives the new address map, and the previous entry can be invalidated by writing 0xFFFFFFFF to its CONFIRMATIONLx and CONFIRMATIONHx. Once all entries are filled, the entire UCB_SWAP_{ORIG|COPY} is erased and the new entry is written at index 0.
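As an added illustration (my own code, not the article's and not Infineon's SSW), the following C models the 16-entry UCB_SWAP table in RAM: it builds an entry exactly as the steps above describe, validates it the way the SSW is described as doing, invalidates the previous entry and picks the next free index, wrapping to index 0 after an erase. ucb_base is an assumed placeholder for the table's system address, and treating the highest-indexed valid entry as the active one is also an assumption of this model.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SWAP_ENTRIES 16u
#define MAP_A        0x55u       /* standard address map: A banks */
#define MAP_B        0xAAu       /* alternate address map: B banks */
#define CONFIRM_CODE 0x57B5327Fu /* confirmation code from the article */
#define ERASED       0xFFFFFFFFu /* erased flash word */

typedef struct { /* MARKER{L|H}x and CONFIRMATION{L|H}x of one index x */
    uint32_t markerL, markerH, confirmationL, confirmationH;
} swap_entry_t;
typedef struct { swap_entry_t e[SWAP_ENTRIES]; } ucb_swap_t;
/* System address a field would have if the table sat at ucb_base (assumed placeholder). */
static uint32_t field_addr(uint32_t ucb_base, unsigned i, size_t off) {
    return ucb_base + (uint32_t)(i * sizeof(swap_entry_t) + off);
}
void ucb_swap_erase(ucb_swap_t *u) { memset(u, 0xFF, sizeof *u); }
/* SSW-style check: CONFIRMATIONHx first, then the code, then the MARKER pair. */
int swap_entry_valid(const ucb_swap_t *u, uint32_t ucb_base, unsigned i) {
    const swap_entry_t *s = &u->e[i];
    return s->confirmationH == field_addr(ucb_base, i, offsetof(swap_entry_t, confirmationL))
        && s->confirmationL == CONFIRM_CODE
        && s->markerH == field_addr(ucb_base, i, offsetof(swap_entry_t, markerL))
        && (s->markerL == MAP_A || s->markerL == MAP_B);
}
/* Valid entry with the highest index (assumption: the writer keeps at most one valid), or
 * -1 when none is valid: with SWAPEN set that is the "remains in reset forever" case. */
int ucb_swap_active(const ucb_swap_t *u, uint32_t ucb_base) {
    for (int i = (int)SWAP_ENTRIES - 1; i >= 0; i--)
        if (swap_entry_valid(u, ucb_base, (unsigned)i)) return i;
    return -1;
}
/* Writes the next free index with the new map (erasing the table and restarting at 0 when
 * full) and invalidates the previous entry as described above; returns the index used. */
int ucb_swap_program(ucb_swap_t *u, uint32_t ucb_base, uint32_t map) {
    if (map != MAP_A && map != MAP_B) return -1;
    int prev = ucb_swap_active(u, ucb_base), next = -1;
    for (unsigned i = 0; i < SWAP_ENTRIES && next < 0; i++)
        if (u->e[i].markerL == ERASED && u->e[i].confirmationL == ERASED) next = (int)i;
    if (next < 0) { ucb_swap_erase(u); prev = -1; next = 0; }
    if (prev >= 0) u->e[prev].confirmationL = u->e[prev].confirmationH = ERASED;
    swap_entry_t *s = &u->e[next];
    s->markerL = map; s->confirmationL = CONFIRM_CODE;
    s->markerH = field_addr(ucb_base, (unsigned)next, offsetof(swap_entry_t, markerL));
    s->confirmationH = field_addr(ucb_base, (unsigned)next, offsetof(swap_entry_t, confirmationL));
    return next;
}
```

On a freshly erased table ucb_swap_active() returns -1, which is the state that, combined with SWAPEN, the caveats below describe as unrecoverable; write COPY and ORIG before touching SWAPEN.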
Caveats and situations that could lead to a bricked controller
It is essential to be aware of these situations to avoid bricking the controller. Once bricked, the controller cannot be recovered.
- If SWAP is enabled, the UCB state of UCB_SWAP_ORIG is CONFIRMED or UNLOCKED, and no valid SWAP configuration exists in ORIG, the device remains in the reset state forever.
- UCB_SWAP_COPY is evaluated and used for installation only if the state of UCB_SWAP_ORIG is ERRORED. If there is no valid entry in UCB_SWAP_COPY either, the device remains in the reset state forever. Hence it is recommended to write UCB_SWAP_COPY before UCB_SWAP_ORIG is written.
- SWAP cannot be switched off if any UCB_OTPx_{ORIG|COPY} is in the UCB state ‘CONFIRMED’. So set this only when the SWAP mechanism needs to be enabled permanently. This is where the term One Time Programmable in OTP comes from.
During the design and development phase, always check for situations that could lead to these scenarios. And remember what Uncle Ben said: “With great power comes great responsibility.”
Monitoring and Debugging
During development, or to monitor the ECU in the field, the following registers can be used.
Address Map Control Register [SCU_SWAPCTRL.ADDRCFG]
This two-bit field indicates the currently installed address map.
- 01b Standard Address map active
- 10b Alternate Address map active
Other values are invalid and trigger an SMU alarm.
Start-up Memory Register 1 of SCU [SCU_STMEM1]
Several fields of this register contain information relevant to the SWAP feature. Let's check them out one by one.
- SCU_STMEM1.SWAP_DW_INDEX: This is the index of the UCB_SWAP_{ORIG|COPY} entry used to install the SWAP configuration (A/B). Recall MARKER{L|H}x and CONFIRMATION{L|H}x: this is that x.
- SCU_STMEM1.SWAP_TARGET: Indicates whether UCB_SWAP_ORIG or UCB_SWAP_COPY was used to install the address map.
  - 0b SWAP configuration done based on UCB_SWAP_ORIG
  - 1b SWAP configuration done based on UCB_SWAP_COPY
- SCU_STMEM1.SWAP_CFG: SWAP configuration. This field indicates which address map is installed, standard or alternate.
  - 00b no SWAP configured by SSW (the SWAP feature is not enabled; the entire PFlash address space is active with the default map)
  - 01b SWAP A configured (PFlash Bank A active, B inactive)
  - 10b SWAP B configured (PFlash Bank B active, A inactive)
  - 11b reserved
Start-up Memory Register 2 of SCU [SCU_STMEM2.BOOT_ADDR]
Though not directly related to the SWAP feature, this can come in handy while debugging. This register contains the address of the first user-code instruction executed, i.e., the start address of your bootloader or application.
For easier debugging, it can also be helpful to implement DIDs to read the status of these registers.
Apart from the registers mentioned above, you can directly monitor the UCB registers in a debugger.
That’s all folks. Let me know your thoughts on this.