Fail Safe Boot
The Toradex Bootloader and the Windows CE 5/6 images for Colibri PXA modules support a fail-safe boot mechanism since V3.6b1. The Bootloader is configured for fail-safe boot with the Set Fail Safe tool. With fail-safe boot enabled there are two bootloaders in flash, and bootloader updates only overwrite the second one. If that update fails, the first (fail-safe) bootloader takes control and performs the configured action (launching the image, or starting a download via Ethernet or USB RNDIS).
The following table shows how the system decides which bootloader to use:

|                | Without fail-safe | Fail-safe activated                    |
|----------------|-------------------|----------------------------------------|
| 1st Bootloader | regular boot      | used only if the 2nd bootloader fails  |
| 2nd Bootloader | -                 | regular boot                           |
Config Block settings
The Config Block contains a setting for the start address of the 2nd bootloader (the one that gets overwritten during a bootloader update when fail-safe boot is enabled).
More information about the memory map of the flash can be found in the article Flash Layout.
| Parameter    | Description                                                    | Default |
|--------------|----------------------------------------------------------------|---------|
| loc.bl2start | Address of the 2nd bootloader in flash if fail-safe is enabled | 0       |

The default 0 is not a valid address. Change it to a suitable value, e.g. 0x80000, but don't forget to move the Windows CE image as well so that it does not overlap the 2nd bootloader (e.g. set loc.imgstart=0xC0000).
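Before committing new loc.bl2start / loc.imgstart values it is worth checking that they are consistent with each other. The following is an added example and not code from the Toradex page or tools; the flash size, erase-block size and the size reserved for a bootloader region are assumptions chosen to match the spacing of the page's example values (0x80000 and 0xC0000) and must be adjusted to the real Flash Layout of the module. The check also assumes that the 1st bootloader occupies the beginning of flash.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed flash geometry for illustration only (not values from the Toradex
 * page): erase-block size, size reserved for one bootloader region, and total
 * flash size. Adjust these to the module's real Flash Layout. */
#define FLASH_BLOCK_SIZE  0x40000u    /* assumed 256 KiB erase block */
#define BL_REGION_SIZE    0x40000u    /* assumed space reserved for a bootloader */
#define FLASH_SIZE        0x2000000u  /* assumed 32 MiB of flash */

enum bl2_check {
    BL2_OK = 0,
    BL2_ERR_UNSET,         /* loc.bl2start is still 0, the invalid default */
    BL2_ERR_OVERLAPS_BL1,  /* inside the (assumed) 1st bootloader region at offset 0 */
    BL2_ERR_UNALIGNED,     /* not on an erase-block boundary */
    BL2_ERR_OUT_OF_FLASH,  /* region would extend past the end of flash */
    BL2_ERR_OVERLAPS_IMG   /* loc.imgstart lies inside the 2nd bootloader region */
};

/* Validate a proposed pair of config block values before saving them.
 * Returns BL2_OK if loc.bl2start points to a free, aligned region that
 * fits in flash and is not overlapped by the Windows CE image. */
enum bl2_check check_bl2_layout(uint32_t bl2start, uint32_t imgstart)
{
    if (bl2start == 0)
        return BL2_ERR_UNSET;
    if (bl2start < BL_REGION_SIZE)
        return BL2_ERR_OVERLAPS_BL1;
    if (bl2start % FLASH_BLOCK_SIZE != 0)
        return BL2_ERR_UNALIGNED;
    if (bl2start > FLASH_SIZE - BL_REGION_SIZE)
        return BL2_ERR_OUT_OF_FLASH;
    if (imgstart < bl2start + BL_REGION_SIZE)
        return BL2_ERR_OVERLAPS_IMG;
    return BL2_OK;
}

const char *bl2_check_str(enum bl2_check c)
{
    switch (c) {
    case BL2_OK:               return "ok";
    case BL2_ERR_UNSET:        return "loc.bl2start is 0 (default), not a valid address";
    case BL2_ERR_OVERLAPS_BL1: return "loc.bl2start overlaps the 1st bootloader";
    case BL2_ERR_UNALIGNED:    return "loc.bl2start is not erase-block aligned";
    case BL2_ERR_OUT_OF_FLASH: return "2nd bootloader region does not fit in flash";
    case BL2_ERR_OVERLAPS_IMG: return "loc.imgstart overlaps the 2nd bootloader region";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed sample values: the page's defaults and its suggested pair. */
    struct { uint32_t bl2start, imgstart; } samples[] = {
        { 0x0,     0xC0000 },  /* default loc.bl2start: rejected */
        { 0x80000, 0xC0000 },  /* the page's example: accepted   */
        { 0x80000, 0x80000 },  /* image not moved: rejected       */
    };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum bl2_check r = check_bl2_layout(samples[i].bl2start, samples[i].imgstart);
        printf("bl2start=0x%X imgstart=0x%X: %s\n",
               samples[i].bl2start, samples[i].imgstart, bl2_check_str(r));
    }
    return 0;
}
```

Run the check against the values you intend to type at the bootloader command line; a non-zero result means the pair should not be saved to the config block.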
Setup Failsafe Bootloader
- Set the config block parameter loc.bl2start from the bootloader command line.
- Use the Set Fail Safe tool to activate the fail-safe Bootloader.
- Update the bootloader using any regular Toradex process such as the Update Tool or the Colibri Loader. The updated bootloader will be used as the 2nd bootloader.
Update 2nd bootloader
With fail-safe boot enabled, any regular bootloader update (Update Tool or Colibri Loader) writes the 2nd bootloader at loc.bl2start; the 1st (fail-safe) bootloader is not touched.
Update 1st bootloader
- Use the Set Fail Safe tool to disable the fail-safe Bootloader.
- Update the bootloader using any regular Toradex process such as the Update Tool or the Colibri Loader.
- Use the Set Fail Safe tool to enable the fail-safe Bootloader again.
Get fail safe boot status
To get the status of the fail-safe boot sequence from Windows CE, use the I/O control IOCTL_HAL_GETBOOTFLAGS (issued from an application through KernelIoControl).