There are two possible configurations for how boot code might be stored on a device:
- Boot code is stored in raw flash (no file system) and accessed directly by the bootloader
- Boot code is stored on a Reliance-formatted flash volume
Option 1: Raw flash
If the boot image is stored in raw flash outside the file system, the only way to ensure that an update completes without damaging the original is to reserve extra raw space so that two boot images can exist simultaneously. The bootloader then needs to be able to switch between them and/or locate both of them. Updating the boot image to a new location involves erasing the old image after writing the new one, and using some sort of checksum to verify that the image is intact in case both are still present. There is no really good way to protect an update written to the exact same location without compromising the boot image itself. Many customers still store their boot images this way, but it means they cannot take advantage of disabling transactions, atomically updating the boot image, and then performing a single transaction to commit all (or none) of the changes.
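The slot selection a raw-flash bootloader needs for this two-image scheme can be sketched as follows. This is an added example, not Datalight's or any customer's code: the header layout, the sequence number used to pick the newer image, the slot size and all names are assumptions, and CRC-32 stands in for "some sort of checksum".

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical slot layout for this example; the page defines none. */
#define SLOT_MAGIC 0x424F4F54u   /* "BOOT" */
#define SLOT_SIZE  256u          /* constructed, tiny for the demo */
typedef struct { uint32_t magic, seq, length, crc; } slot_hdr_t;

/* Bitwise CRC-32 (reflected, polynomial 0xEDB88320). */
static uint32_t crc32_calc(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* A slot is bootable only if its header is sane and the payload CRC matches. */
static int slot_valid(const uint8_t *slot, slot_hdr_t *h) {
    memcpy(h, slot, sizeof *h);                 /* avoid unaligned reads */
    if (h->magic != SLOT_MAGIC) return 0;
    if (h->length == 0 || h->length > SLOT_SIZE - sizeof *h) return 0;
    return crc32_calc(slot + sizeof *h, h->length) == h->crc;
}

/* Returns 0 (slot A) or 1 (slot B) to boot, or -1 if neither is intact. */
int select_boot_slot(const uint8_t *a, const uint8_t *b) {
    slot_hdr_t ha, hb;
    int va = slot_valid(a, &ha), vb = slot_valid(b, &hb);
    if (va && vb) return (int32_t)(hb.seq - ha.seq) > 0 ? 1 : 0; /* newer wins */
    return va ? 0 : vb ? 1 : -1;
}

/* Update-writer stand-in: header goes last, so a torn write leaves it erased. */
void write_slot(uint8_t *slot, uint32_t seq, const uint8_t *img, uint32_t len) {
    slot_hdr_t h = { SLOT_MAGIC, seq, len, crc32_calc(img, len) };
    memset(slot, 0xFF, SLOT_SIZE);              /* erased flash reads 0xFF */
    memcpy(slot + sizeof h, img, len);
    memcpy(slot, &h, sizeof h);
}

int main(void) {
    static uint8_t a[SLOT_SIZE], b[SLOT_SIZE];
    const uint8_t v1[] = "image-v1", v2[] = "image-v2";  /* constructed images */
    write_slot(a, 1, v1, sizeof v1);
    write_slot(b, 2, v2, sizeof v2);
    b[sizeof(slot_hdr_t)] ^= 0x01;              /* damage the newer image */
    return select_boot_slot(a, b) == 0 ? 0 : 1; /* must fall back to slot A */
}
```

A CRC only detects accidental corruption such as an interrupted write; it does not authenticate the image.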
Option 2: Reliance
In this case, the customer would not have a bootloader that checks a physical location for a boot image. Instead, the bootloader opens a file in the Reliance file system at boot time. Datalight Reliance comes with a utility called "Datalight Loader", which includes a lightweight Reliance reader. This utility integrates seamlessly into your bootloader code and allows the bootloader to mount and read Reliance partitions. Since the bootloader is capable of "reading" a Reliance disk, it doesn't care where in the file system Reliance stores the file - it just opens the file and loads it.
In this mode, the update utility disables all transactions and then initiates the boot image update. Reliance never overwrites live data, so the new boot code is written to a free area of the flash. Once the entire boot image is written, the bootloader calls for a manual transaction event, in which we update the metaroots to point to the new boot code area as the committed area. The old boot code area is now marked as free and can be used for future operations. If power loss occurs during this replacement process, the device still boots using the previous boot image, which was never modified.