When I refer to bootloader, I'm referring to the thing called "boot" in the app screen that irreversibly moved from 5.5015 to 5.5120 in the 8.350 software upgrade. As I understand, "system" loads "ttsystem" which loads the app in the bin folder. On a 720, "system" is the bootloader, stored somewhere in non-user-accessible space. If you place a new version of "system" on the INTERNAL drive, the real "system" will inspect it for an upgrade version and self update itself in the non-user-accessible space if the INTERNAL version is newer. But if the INTERNAL drive has an older version, same version, or is simply missing, the real "system" happily executes and starts up the tomtom.
So help me understand then - how exactly does flash controller wear leveling work? My assumption was that if a block was written repeatedly via the software, the flash controller would swap it out with another area less frequently used.
So, frequent rewrites to the temporary itinerary files, or to the mapsettings.cfg file, would ultimately mean that the controller will swap out a block with a less worn section (like a sector from the map). My worry is that the controller, in its lowest-level chip-based logic, may swap the blocks used for the true "system" file with the itinerary files, just for wear leveling purposes. If they're separate chips, or somehow intelligently not wear-loaded, then I wouldn't be as concerned.
Does my worry make sense? I'm concerned as replacing my tomtom would cost me $150 for a refurb + $100 for the map subscription + $70 for the plus traffic. If a cheapo $20 SD card could extend its brickable life, it may be a good insurance policy.
I've managed to "declarify" this whole thing a bunch as I read back through prior posts. There's more than one topic being discussed (three, actually) and by not keeping them clearly separated, they're getting muddled.
First, I understand what TT users are referring to when they talk about the version level of the "Boot" program. Whatever that thing is, it appears with its own version number right alongside the versions of the OS and application, and the real odd man out, the 'GPS' code version. I can't get over the idea that the latter is actually the rev of the device driver that Linux is using to interface to the GPS chipset. What I have yet to understand is what TomTom means when they refer to "Boot". My "boot" shows up as version 5.5120, but what actual part of the system is it, and which low level functions does it perform? I'm trying to look at this in terms of an embedded Linux based system.
The "boot" code on a device these days serves several functions and usually performs its 'normal' job in stages as the device comes alive on a power up. I've never been clear which functions are actually being managed by that code on a TomTom. Further, I continue to suspect that there is an underlying bit of code that is even "lower" in the grand scheme of things than the thing we all identify as "Boot" with a version number.
It would probably be best to start with what we can actually see -- the ttsystem file. AFAIK, and that's not a great deal more than enough to be dangerous, ttsystem is an image of the entire system that will be moved into DRAM for execution, INCLUDING A "BOOT LOADER" which represents the first section of the ttsystem file! How the devil is that possible, you may well ask? Or better yet --
if the thing that is identified with a version and called "Boot" is located at the head of ttsystem, what on earth do we call the thing that's causing the ttsystem image to get stuffed into DRAM in the first place? You will find, using a hex editor, that ttsystem does indeed start with "boot" code, and is even identified as such (TTBL = TomTom Boot Loader).
So you can see where I'm having problems dealing with the terminology. Normally, the bootloader is separate code but not necessarily residing on separate physical memory hardware, and is certainly
not part of the image. The job of a REAL bootloader in an environment like this is, among other things, to create a ramdisk system on the fly, unpack (if necessary) and move the OS image and application data to DRAM, start the OS, and by some mechanism, run a command line that allows the application to be started. So for obvious reasons, I'm having a problem calling something
outside of the ttsystem file a bootloader while TomTom is evidently calling something
INSIDE the image a bootloader (or "Boot", anyway) and giving it a version number.
The thing I've been calling "bootloader" appears to be a flash BIOS of some sort, and sports no version number on the version page at all. It also isn't visible in the flash file system, not that there is any reason it ever would unless a safe copy were kept there for some reason. So for now, let's try this on for size:
BIOS
BOOTLOADER
OS
APPLICATION
All of this can reside safely in the same physical piece of NVRAM (flash memory, in this case) if things are managed correctly. However, I've come to understand that at least in the past, if not the present, that the BIOS
may be reflashable and that there have been releases where a new BIOS has been provided with a reflashing tool in the Linux kernel area. That makes me really, really nervous. A hard core design will assure that no matter what happens, the piece of the puzzle that functions to download a new and clean OS and application image to NVRAM cannot itself be overwritten by
any user operation. That does mean you have to plan well ahead in your design, and this piece must be generic enough that you never design yourself into a box where you wish you could change it.
Ideally, a couple of things will be true that protect a design from serious error, especially by a user who is permitted to flash new code onto a consumer device...
First, the BIOS and/or Bootloader - whatever is the lowest level code - aren't even in address space that can be accessed by the operating system and application. This helps to assure that as the OS manages the flash memory tools, it has NO access to memory occupied by these critical bits of code. If the OS and application could access this space, it would be much easier for a corrupted OS or application to brick the unit such that it wasn't possible to bring in a clean version of whatever code was breaking things to begin with.
Second, as noted above, the lowest level code required for the device to bring in new OS and application code should itself be impossible to overwrite, even by intent. There
are ways to avoid this entirely. One is to write this code into an OTP (one-time-programmable) area of memory in the processor itself. I'm currently doing that very thing with a Hitachi/Renesas chip design. Other mechanisms include post-programming fusing of the protected area of an external device to turn it into read-only memory. The old way was to use a separate piece of ROM memory to do it.
-----------------------
Back to the original issue -- there is no reason why such a region of memory that contained the critical low level code/BIOS/whatever would ever be touched once that code is loaded and in place, even
if there is some sort of "auto leveling" function employed, which there may not be anyway.
Auto-leveling isn't a function of flash memory -- it's a function of the processor device that controls flash memory. Flash is just a bunch of bits like any other memory, without any real intelligence. A flash memory based device that includes a leveling function has it because there is a flash
controller incorporated into the device along with the flash memory itself. That control can either be done directly by the device's primary processor or by a separate bit of hardware.
So just because a device like a TomTom incorporates flash memory, this does
not mean that either 1) there is a leveling mechanism (either via hardware, or via software from the file system manager of the OS) in place, nor 2) that if there is such a mechanism, that is needs or will be applied to ALL blocks of flash memory.
Whether it is necessary or even helpful to employ an autoleveling feature that continually remaps memory when managing flash memory is really a function of the use model. What is REALLY nice to have is for remapping be available in the event of a bad chunk of flash so that it can be worked around. That's super helpful. Only requires that the system test flash for any goofs and have a bad block pool of spare flash available for the purpose.
100,000 erase/write cycles is a bunch. Truth to tell, it's a LOT more than flash used to have, and probably an understatement of the performance of most flash today. Some of them push 1,000,000 cycles.
But at the current state of the technology, assume 100,000 without leveling or any other mechanism in place to avoid killing it. Over the course of 10 years (a good bit longer than the expected product life of just about anything you can buy) that comes to 10,000 writes per year, or about 28 writes per day. Considering that there is no need for the TomTom to write to flash unless it is being truly powered down, changed data will be retained in DRAM until then. So you'd need to be doing a full power down and cold boot on a TomTom 28 times a day to hit 100,000 over the course of 10 years.
I wouldn't worry about it.
TomTom could have some flaky flash, they could have flaky processors that area having problems selecting or addressing or getting data from it -- but I doubt they're having any trouble killing it due to overuse, especially in the "boot" area. There are just far too many reasons why that shouldn't be the case.
