"Rescue" monitor idea

Our NIOS design has a field-upgrade capability via USB. As of right now we transfer the FW image (NIOS code or FPGA config), do a little checksumming and burn it into CFI flash (code) or EPCS (FPGA config). If something goes wrong during the programming and the user doesn't manage to reflash then the device is bricked.

I'm toying with the idea of adding a small NIOS "rescue" image and putting it into EPCS after the FPGA config. Whenever the FPGA boots from EPCS it would boot the rescue image which would have ability to do USB transfers and CFI/EPCS programming.

Once the rescue image boots it checks whether the current firmware image in CFI flash is ok, sets a watchdog and boots the CFI flash image, which in turn switches off the watchdog. If the watchdog expires the rescue monitor knows something is wrong and takes control again. At this point our diagnostic utility would be able to do memory tests, reflash the firmware, etc.

I'm wondering if anyone has done something like this and has any tips. A couple of things I haven't worked out yet:

- Is it possible to have more than one FPGA image in EPCS? Right now the weak spot is when we upgrade the FPGA config in EPCS. As far as I know that's a one-shot deal and you have to hope your config image at offset 0 is ok.

- Can I put my rescue monitor at the top of the EPCS instead of directly after the FPGA config so I don't have to rewrite the monitor each time the FPGA image grows? It's been a while since I looked at the boot loader sources but it seems like the bootloader scans the config data and then assumes the NIOS code follows. Has anyone successfully placed their code higher up in the EPCS and rewritten the EPCS boot loader to go to that address?

Thanks for any comments and insights,

Andrew