The Toradex Bootloader and the Windows CE 5/6 images for Colibri PXA modules support a fail-safe boot mechanism since V3.6b1. The Bootloader can be configured to perform a fail-safe boot with the Set Fail Safe tool. With fail-safe boot enabled there is a second Bootloader in flash, and only that second copy gets updated. If this update fails, the first (fail-safe) Bootloader takes control and performs the configured action (launching the image, starting a download via Ethernet or USB RNDIS, ...).
The following table explains how the system decides which bootloader to use.
| | Without Failsafe | Failsafe activated |
|---|---|---|
| 1st Bootloader | regular boot | used if 2nd bootloader fails |
| 2nd Bootloader | - | regular boot |
There is a setting in the Config Block to set the start address of the 2nd bootloader (the one that gets overwritten during a bootloader update when fail-safe boot is enabled).
More information about the memory map of the flash can be found in the article Flash Layout.
loc.bl2start: 0x00000000  Addr of 2nd Bootloader in Flash if FailSafe enabled

The default is 0, which is not a valid address. Change this address to a suitable value, e.g. 0x80000, but don't forget to move the Windows CE image as well (e.g. set loc.imgstart=0xC0000) so that the image no longer overlaps the region of the 2nd bootloader.
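The decision table above and the loc.bl2start / loc.imgstart constraints can be checked before touching the config block. The following is an added illustration, not Toradex code: it models which bootloader copy takes control and flags the layout mistakes the text warns about (the invalid default of 0, and an image that overlaps the 2nd bootloader). The reserved size per bootloader copy and the flash erase-block size are assumptions chosen for the example, not values from the Toradex documentation; substitute the sizes from the Flash Layout article for a real module.

```python
"""Model of the Colibri PXA fail-safe bootloader selection and a config sanity check.

Added example, not part of the Toradex bootloader. The sizes below are assumptions.
"""

# Assumed values for illustration only (check the Flash Layout article for real ones)
FLASH_BLOCK_SIZE = 0x20000   # assumed 128 KiB erase block; addresses must be block aligned
BOOTLOADER_SIZE = 0x40000    # assumed space reserved for one bootloader copy
BL1_START = 0x00000000       # first (fail-safe) bootloader copy sits at flash offset 0


def select_bootloader(failsafe_enabled, second_bl_ok):
    """Return 1 or 2: the bootloader copy that takes control, per the decision table.

    Without fail-safe the first copy always boots. With fail-safe activated the
    second copy boots normally and the first copy only runs if the second fails
    (for example because its update was interrupted).
    """
    if not failsafe_enabled:
        return 1
    return 2 if second_bl_ok else 1


def validate_layout(bl2start, imgstart):
    """Return a list of problems with loc.bl2start / loc.imgstart; empty means OK."""
    problems = []
    if bl2start == 0:
        problems.append("loc.bl2start is 0 (the default), which is not a valid address")
    elif bl2start < BL1_START + BOOTLOADER_SIZE:
        problems.append("2nd bootloader region overlaps the first (fail-safe) bootloader")
    if bl2start % FLASH_BLOCK_SIZE:
        problems.append("loc.bl2start is not aligned to a flash erase block")
    if imgstart % FLASH_BLOCK_SIZE:
        problems.append("loc.imgstart is not aligned to a flash erase block")
    # The Windows CE image must start after the 2nd bootloader region ends,
    # otherwise a bootloader update overwrites part of the image.
    if bl2start != 0 and imgstart < bl2start + BOOTLOADER_SIZE:
        problems.append("loc.imgstart overlaps the 2nd bootloader; move the Windows CE image")
    return problems


if __name__ == "__main__":
    # The values suggested in the text: bl2start=0x80000, imgstart=0xC0000
    print("suggested layout:", validate_layout(0x80000, 0xC0000) or "OK")
    # Forgetting to move the image: imgstart left at 0xA0000 (constructed mistake)
    print("image not moved:", validate_layout(0x80000, 0xA0000))
    for failsafe, ok in [(False, True), (True, True), (True, False)]:
        print(f"failsafe={failsafe} 2nd copy ok={ok} -> bootloader {select_bootloader(failsafe, ok)}")
```

The overlap check is the one that matters most in practice: with loc.bl2start at 0x80000 and the assumed 0x40000 bytes per copy, the image may start no lower than 0xC0000, which is exactly the loc.imgstart value the text suggests.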
To query the status of the fail-safe boot sequence from Windows CE, use the I/O control IOCTL_HAL_GETBOOTFLAGS.