[OLPC-devel] Requirements for a field BIOS reflashing tool.

Jim Gettys jg at laptop.org
Fri Jun 16 11:02:25 EDT 2006


Some of us (e.g. Jim, David Woodhouse, and a few others) have experience
(and scars on our backs), from the iPAQ bootloader.

It is amazing how idiot proof one needs to make such a utility that will
be used by random people all over the world (and all of us turn out to
be idiots at one time or another).

On the iPAQ, if there was a problem updating the bootloader in flash, we
called it "bricking" the iPAQ, as your machine was only usable as a
brick thereafter.  In our case, if the BIOS update goes wrong, we'll
have similar bricks, and potentially all over the world.  The serial ROM
is not socketed as on commercial motherboards, so repairs will be very
difficult. It will cost more to try to return boards for repair than
they are worth.

We are planning, as I believe has been mentioned on the mailing list, to
have the embedded controller disable the flash write line unless and
until the space bar has been held down for a 5 second period, to make it
difficult for worms/viruses to "brick" the machines.

After much bitter experience on the iPAQ, this is what we ended up doing,
as I remember:
   0) we ask the user in the instructions to make sure the machine has
      charged batteries *and* is plugged in; it would be good to eventually be
      able to test that this has actually been done ourselves in software.
   1) the flash utility would verify a checksum embedded at the end of
      the flash image, to make sure no bits had been damaged.
   2) an additional adder was added, to bring the sum of the checksum and
      the adder up to a known (to the flash utility) magic number, so we know
      that it was for the intended model machine.
   3) the model of machine gets checked against the model(s) the
      firmware image will work on.
   4) a copy of the existing bits gets saved from flash. The flash gets
      unlocked.
   5) the flash finally gets erased.
   6) the flash gets written with the new image.
   7) the checksum of the flash is checked against what actually can be
      read back from the flash.
   8) if there is a problem, try to reflash a time or two more.
   9) if this still fails, put back the original image (there might
      be a stuck bit in flash, and if you had a BIOS working before the
      reflash, it is more likely to work afterwards with the old image than
      any new image where that bit might be significant).
  10) the flash gets relocked.
  11) congratulate the user on their success.

Once we did all this, we pretty much eliminated almost all that a fool could
do to flash bad bits into the machine.  Most of the remaining bricks
were caused by people putting the WindowsCE bootloader back (which they
never needed to do, since the CRL bootloader was happy to boot WinCE as
well as Linux). But some people liked Parrots, I guess.

After all this, bricks became very rare on (re)installation of the
bootloader; usually they were caused by someone following some directions some
random person had put someplace on the web with early flashing tools and
antique firmware that were not so careful.

Dave, did I miss anything?
                                    - Jim

-- 
Jim Gettys
One Laptop Per Child
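The numbered procedure in Jim's message, steps 1 through 10, as a runnable simulation. This is an added example, not iPAQ, CRL or OLPC code: the flash part is a fake object with an optional stuck bit, the image format (payload + 4-byte model tag + 16-bit additive checksum + 16-bit adder) and the magic number 0xBEEF are constructed for illustration, and the model tags "MDL1"/"MDL2" are placeholders. The point it shows is the ordering that makes the tool hard to brick a machine with: every image check happens before the flash is unlocked, the old contents are saved before the erase, the read-back is verified, and the old image goes back if the new one will not stick.

```python
"""Simulation of the reflash procedure from the message above (constructed example)."""

MAGIC = 0xBEEF        # constructed "known magic number" the utility expects (step 2)
TRAILER_LEN = 8       # 4-byte model tag + 2-byte checksum + 2-byte adder


def checksum16(data: bytes) -> int:
    """16-bit additive checksum over the payload (step 1)."""
    return sum(data) & 0xFFFF


def make_image(payload: bytes, model: str, magic: int = MAGIC) -> bytes:
    """Append trailer: model tag, checksum, and an adder chosen so that
    (checksum + adder) mod 2**16 == magic (step 2)."""
    cs = checksum16(payload)
    adder = (magic - cs) & 0xFFFF
    tag = model.encode()[:4].ljust(4, b"\0")
    return payload + tag + cs.to_bytes(2, "big") + adder.to_bytes(2, "big")


def parse_image(image: bytes):
    """Split an image into (payload, model, checksum, adder)."""
    if len(image) <= TRAILER_LEN:
        raise ValueError("image too short to carry a trailer")
    payload, trailer = image[:-TRAILER_LEN], image[-TRAILER_LEN:]
    model = trailer[:4].rstrip(b"\0").decode()
    return payload, model, int.from_bytes(trailer[4:6], "big"), int.from_bytes(trailer[6:8], "big")


class SimFlash:
    """Fake flash part. `stuck` maps byte offset -> (mask, forced bits); those
    bits are forced after every erase/write, like a stuck cell."""

    def __init__(self, contents: bytes, stuck=None):
        self.data = bytearray(contents)
        self.stuck = dict(stuck or {})
        self.locked = True                       # write line disabled, as the EC would hold it

    def _apply_stuck(self):
        for off, (mask, forced) in self.stuck.items():
            self.data[off] = (self.data[off] & ~mask & 0xFF) | (forced & mask)

    def read(self) -> bytes:
        return bytes(self.data)

    def unlock(self):
        self.locked = False

    def lock(self):
        self.locked = True

    def erase(self):
        if self.locked:
            raise PermissionError("flash write line is disabled")
        self.data = bytearray(b"\xff" * len(self.data))
        self._apply_stuck()

    def write(self, image: bytes):
        if self.locked:
            raise PermissionError("flash write line is disabled")
        if len(image) > len(self.data):
            raise ValueError("image larger than the flash part")
        self.data[:len(image)] = image
        self._apply_stuck()


def reflash(flash: SimFlash, image: bytes, machine_model: str, retries: int = 2) -> str:
    """Steps 1-10 of the procedure; returns a short status string."""
    payload, model, cs, adder = parse_image(image)
    if checksum16(payload) != cs:
        return "rejected: checksum"              # step 1: damaged bits
    if (cs + adder) & 0xFFFF != MAGIC:
        return "rejected: magic"                 # step 2: not an image for this utility
    if model != machine_model:
        return "rejected: model"                 # step 3: wrong machine model
    backup = flash.read()                        # step 4: save the old bits, then unlock
    flash.unlock()
    try:
        for _ in range(1 + retries):             # steps 5-8: erase, write, verify, retry
            flash.erase()
            flash.write(image)
            if flash.read()[:len(image)] == image:   # step 7 (full compare, stricter than checksum)
                return "ok"
        flash.erase()                            # step 9: put the old image back
        flash.write(backup)
        return "restored old image" if flash.read() == backup else "BRICK"
    finally:
        flash.lock()                             # step 10: always relock


def run_scenarios() -> dict:
    """Constructed scenarios exercising each branch; returns {name: result}."""
    old = make_image(b"OLD-FIRMWARE", "MDL1").ljust(64, b"\xff")   # 64-byte part
    new = make_image(b"NEW-FIRMWARE", "MDL1")
    out = {"good": reflash(SimFlash(old), new, "MDL1")}
    corrupt = bytearray(new)
    corrupt[3] ^= 0x01                                            # one damaged bit
    out["corrupt"] = reflash(SimFlash(old), bytes(corrupt), "MDL1")
    out["wrong_magic"] = reflash(SimFlash(old), make_image(b"NEW-FIRMWARE", "MDL1", magic=0x1234), "MDL1")
    out["wrong_model"] = reflash(SimFlash(old), make_image(b"NEW-FIRMWARE", "MDL2"), "MDL1")
    # byte 0, bit 0 stuck at 1: 'O' (0x4F) in the old image has it set, 'N' (0x4E) in the new does not
    stuck = SimFlash(old, stuck={0: (0x01, 0x01)})
    out["stuck_bit"] = reflash(stuck, new, "MDL1")
    out["stuck_bit_restored"] = stuck.read() == old and stuck.locked
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20s} {result}")
```

The stuck-bit scenario is the one step 9 exists for: the new image fails read-back three times, the saved copy is written back and verifies, and the machine still boots the old BIOS instead of becoming a brick. The `finally` clause mirrors step 10: the flash is relocked on every exit path, including an exception mid-write.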
