Failsafe bootloader

Johnson, Stephen stevebj at
Wed Jun 4 23:15:08 EST 2003

We implemented a verification feature in ppcboot for products that performs
a crc32 check before branching to an image. If the crc32 fails to match a
stored checksum, it will check a secondary image; if that one fails too, then
we usually default to a tftp from a well known tftp server that we have
accessible. One could take this to as much of an extreme as desired, but
that's up to the system designers to deem what's reasonable and what's
overkill. The key is that the primitives to do so are in place.

Obviously, we put some resources into this for our products. You have to
expect to add some value to your products.

ppcboot allows this to be quite easy since the bootcmd can contain several

-----Original Message-----
From: Sam Ravnborg [mailto:sam at]
Sent: Tuesday, June 03, 2003 2:29 PM
To: linuxppc-embedded at
Subject: Failsafe bootloader

Hi all.

We are developing an application for an embedded target that will be
located in some rural areas. We foresee a need to update the target
with a new version of the application or a new kernel from time to time.

A few of the added requirements on top of that are:
1) The target shall boot up in the old kernel, if a bogus kernel is loaded
2) The target shall boot up in the old application, if a bogus
	application is loaded
3) On the management side an update shall be handled as a single file,
	the target may decide to 'unpack' it when received.

We have looked all over the net, but none of the bootloaders found
so far could meet the above demands.
The boot loaders usually have an interactive mode used to select
between different configurations - and there is no feedback from
the application side if the reboot actually went well.
The interactiveness does not fit well with an embedded target.

Do you know of a boot loader that partially or fully meets the above

Background information
Today we are using VxWorks - for which we have made our own boot loader.
The boot loader allows the boot loader itself, and the application part
to be upgraded - and if a restart fails, the old version will
be activated on a subsequent build.
I want the same behaviour in the Linux based target.

	Thanks in advance,
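
The selection order described in the reply at the top of this message (crc32-checked primary image, then secondary image, then tftp recovery), as an added C example that is not from the original messages and is not ppcboot code. The slot layout, the function names and the sample slots are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Assumed slot layout (hypothetical, not ppcboot's own format):
 * 4-byte big-endian payload length, 4-byte big-endian CRC32, payload. */
#define HDR_LEN 8u
enum boot_source { BOOT_PRIMARY, BOOT_SECONDARY, BOOT_TFTP };

/* Constructed sample slots; CRC-32 of "123456789" is 0xCBF43926. */
const uint8_t good_slot[] = { 0,0,0,9, 0xCB,0xF4,0x39,0x26, '1','2','3','4','5','6','7','8','9' };
const uint8_t bad_slot[] = { 0,0,0,9, 0xCB,0xF4,0x39,0x26, '1','2','3','4','5','6','7','8','X' };
const uint8_t bad_len_slot[] = { 0xFF,0xFF,0xFF,0xFF, 0xCB,0xF4,0x39,0x26, '1','2','3' };

/* Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320). */
static uint32_t crc32_calc(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 1 only if the header is sane and the payload CRC matches. */
static int slot_valid(const uint8_t *slot, size_t slot_size)
{
    if (slot_size < HDR_LEN)
        return 0;
    uint32_t len = be32(slot);
    /* A corrupted length must not drive the CRC past the end of the slot. */
    if (len == 0 || len > slot_size - HDR_LEN)
        return 0;
    return crc32_calc(slot + HDR_LEN, len) == be32(slot + 4);
}

/* Non-interactive selection: primary, then secondary, then tftp recovery. */
enum boot_source select_boot(const uint8_t *pri, size_t pri_size,
                             const uint8_t *sec, size_t sec_size)
{
    if (slot_valid(pri, pri_size)) return BOOT_PRIMARY;
    if (slot_valid(sec, sec_size)) return BOOT_SECONDARY;
    return BOOT_TFTP;
}
```

A crc32 match shows the image was written completely and has not been corrupted; it does not authenticate the image, since anyone who can modify the image can recompute the checksum.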

