Arria 10: Remote Update Factory Fallback won't work & Watchdog does not trigger

Question

Hello,I have to reopen another topic from last year:Arria 10: Remote Update may brick FPGA and Factory Fallback won&amp;#39;t work | Altera Community - 315011Opposed to my&nbsp; comments in the original thread, enabling the watchdog does not trigger a factory fallback if the application Image is wrongly aligned.This brings me back to this scenario of the original post:Invalid application load image location, i.e. start of application load is shifted by1-10 Byte (Manually induced error scenario) --&gt; The reprogramming sequence starts but never completes and no fallback to the factory load is performed. =&gt; The FPGA is completely unresponsive unless programmed via JTAGIt is obvious, that the this scenario might be an exotic error scenario, however we require a robust setup and have to make sure, that the FPGA remains accessible under any circumstances, so we need the Factory Fallback mechanism to work reliable!&nbsp;We have this boot procedure:Boot into factory image (0x20 as boot address in flash boot sector 0x00 to 0x1F). We have certain HW which is sensible to boot up timing so we need this to guarantee an identical and reliable boot up procedure.Boot from factory load into application imageCheck for power up boot: Read RU_RECONFIG_TRIGGER_CONDITIONS register for power up state (0)do not reconfigure if Bit 4,2,1,0 is setSet AnF bit: write "1" to RU_CONFIGURATION_MODESet application image address RU_PAGE_SELECTEnable Watchdog Set RU_WATCHDOG_TIMEOUT &amp; RU_WATCHDOG_ENABLEReconfigure: write "1" to RU_RECONFIGIn Application mode we only read the RU_RECONFIG_TRIGGER_CONDITIONS as status infoWe do not write the RU_WATCHDOG_ENABLE nor RU_RESET_TIMER registersI have run tests, with a Application Image being stored with an offset of -2 Bytes, i.e. the first 2 Bytes of the Application image are not stored in Flash Memory and the full image is shifted in its Flash storage. In this case, the FPGA gets stuck in an unresponsive state, when trying to load the application image.There is no fallback to the factory load happening, no CRC error, no watchdog triggering.As a best guess I could assume it might be related to this Note in&nbsp;1.3.1. Remote System Configuration Mode that the factory fallback mechanism won't work for Arria 10 FPGAs if the last 576 Bytes of the bitstream are corrupted.Note: The fallback to the factory image does not work under the following conditions: If the last 576 bytes of an unencrypted application image bitstream are corrupted. Intel recommends that you examine the last 576 bytes of the unencrypted application image before triggering the application image configuration.But I have noticed that the binary images of the FPGA bitstream vary in size. So there is no way to check explicit memory locations for these 576 Bytes. Is there any way to identify this section?My Questions:Why is the factory configuration fallback mechanism not working in the above described scenario? The Factory load image is valid!How can I examine/validate a FPGA bitstream in flash memory before executing it?&nbsp;best regardsFabian&nbsp;

farabi · Answer

Note: The fallback to the factory image does not work under the following conditions: If the last 576 bytes of an unencrypted application image bitstream are corrupted. Intel recommends that you examine the last 576 bytes of the unencrypted application image before triggering the application image configuration.

But I have noticed that the binary images of the FPGA bitstream vary in size. So there is no way to check explicit memory locations for these 576 Bytes. Is there any way to identify this section?
My Questions:

Why is the factory configuration fallback mechanism not working in the above described scenario? The Factory load image is valid!
 How can I examine/validate a FPGA bitstream in flash memory before executing it.&nbsp;

&nbsp;
Status: consulting engineering to check on factory fallback mechanism failure and how to confirm the memory location of this 576 bytes is corrupted or not.&nbsp;
&nbsp;
regards,Farabi

farabi · Answer

Hello Fabian,&nbsp;
&nbsp;
I checked with internal team, the size of the bitstreams varies, and it does not have a fixed size.&nbsp;
Notes: The configuration bitstream is always the last block interpreted by FPGA, regardless of total image size.&nbsp;
So the it is important to understand that the last 576 bytes is relative to the end of the image, not an absolute flash address.&nbsp;
This block is processed before the FPGA can even attempt a configuration.&nbsp;
It consists of :&nbsp;
1- Configuration end markers - signal end of bitstream
2- CRC/Checksum data - to verify data integrity
3- Device configuration info - to confirm compatibility
4- RSU-related metadata - Required before fallback
&nbsp;
If corrupted:&nbsp;
1- FPGA doesn't know this image is failed
2- FPGA only know this image is invalid
3- Impact to - No fallback path is taken
&nbsp;
I am checking how to validate the bitstream before we can proceed with RSU. I will get back after getting the confirmed answer.&nbsp;
&nbsp;
regards,Farabi

farabi · Answer

Hi Fabian,&nbsp;
&nbsp;
1- Please dont do the 2-byte offset to trigger the CRC. You should delete some chunk of bitstream data and re-run to trigger the CRC.
2- Can you compare the last 576-bytes of RPD file with your flash last 576-bytes? the contents MUST match if not this area might corrupt and possible the root cause of your fallback failure.&nbsp;
&nbsp;
regards,Farabi

fabianl · Answer

Hello Farabi,&nbsp;I when data somewhere in between the bitstream the CRC Fallback mechanism works as expected. But that does not solve our problem when somethng goes wrong at the end of the bitstream.I checked the last 576 Byte of the RPD file and the flash contents. They actual do match.The last 2664 Bytes of the RPD are 0xFFSame applies for the Flash memoryI also compared multiple RPD files (same FPGA Target 10AX027E3F29E2SG)The end of the RPD always terminates with a sequence of 4 Byte 0x6A followed by multiple 0xFF Bytes.The last 576 Bytes of the RPD always show 0xFF as contentThe absolute number of 0xFF Bytes varies between 2664 and 1616 Bytes (could be other values as well, I only analyzed 8 different bitstreams.==&gt; Giving that I have no glue how to validate the last 576 Bytes and do not know what it should be (except 0xFF)I just checked the newest Datasheet of the Remote Update IP core in&nbsp;1.3.1. Remote System Configuration Mode d(Version 2024.07.25) has a new NOTE compared to Version 2022.08.16If the first 1024 bytes and the last 576 bytes of an encrypted application imagebitstream are corrupted. Intel recommends that you examine the first 1024 bytesand the last 576 bytes of the encrypted application image before triggering theapplication image configuration.This section does not make sense, as it is already included in the previous claim, that Fallback won't work if the last 576 Bytes are corrupted. Unless it is intended to be an OR combination, i.e. the Fallback won't work if the first 1024 or the last 576 Bytes are corrupted.Could you please clarify this!&nbsp;For being able to validate the first 1024 &amp; last 576 Byte of the Bitstream we have to know how the should look like.Thanks for your assistance.&nbsp;best regardsFabian

farabi · Answer

Hello Fabian,&nbsp;
&nbsp;
"I when data somewhere in between the bitstream the CRC Fallback mechanism works as expected. But that does not solve our problem when somethng goes wrong at the end of the bitstream."
[ANS] This is known issue where it is the limitation of RSU IP.&nbsp;
&nbsp;
regards,
Farabi

Forum Discussion

Arria 10: Remote Update Factory Fallback won't work & Watchdog does not trigger

9 Replies

Recent Discussions

5AGXFB7K4F40C5G

Cyclone V SoC 5CSXC6 Series GXB Utilization and Limitations

Quartus and power domain

MCD of AGFA006R16A2E3E

Power-Down Sequence Requirements for the Agilex 7 F-Series(2x F-Tile) Devices