Triggering Recovery Mechanism by Loader
During boot, when any bootloader, except BootROM, fails to load the next stage firmware, the recovery mechanism is triggered as follows:
- Attempts to load the next stage firmware in the Active Boot Chain.
- If the next stage firmware is loaded successfully, the loader continues to boot.
- If the next stage firmware is NOT successfully loaded, the recovery mechanism is triggered.
- If the
INVALID_CHAINxbit in theSCRATCHrregister is set to 1 or theswitch_boot_chainsoft fuse value is cleared to 0, these recovery actions are performed:- If the
reset_to_recoverysoft fuse value is set to 1, the system goes into forced recovery mode. - If the
reset_to_recoverysoft fuse value is cleared to 0, the system hangs.
- If the
- If the
INVALID_CHAINxbit is NOT set, and theswitch_boot_chainsoft fuse value is set to 1, then set theINVALID_CHAINxbit to 1 and change theACTIVE_BOOT_CHAINfield in theSCRATCHrregister and issue a reboot so that the system boots a different boot chain.
The flow for triggering the recovery mechanism by the loader is as follows:
MB2 and Quickboot load the Global Partition Table. Because this firmware component does not belong to any boot chain, the recovery flow is as follows:
- There is a single partition to store the global partition table of the system.
- The single partition contains multiple signed copies of the partition table. If one copy is corrupted, the system uses the next copy.
- The global partition table contains information for both boot chains of the system. As a result, the global partition table must NOT be erased during the update. If the global partition table is erased, the system cannot be recovered without reflashing the entire images.