nRF Desktop: Bootloader and Device Firmware Update

The nRF Desktop application uses the bootloaders firmware image that allows you to upgrade the used application firmware image using the Device Firmware Updates procedure.

You can use the following Device Firmware Update (DFU) procedures for upgrading the application firmware version:

• Background Device Firmware Upgrade

• Serial recovery DFU

Bootloader

The nRF Desktop application can use one of the following bootloaders:

Secure Bootloader

In this documentation, the Secure Bootloader is referred as B0. B0 is a small, simple, and secure bootloader that allows the application to boot directly from one of the application slots, thus increasing the speed of the direct firmware upgrade (DFU) process. B0 is supported on the SoCs from the following series:

• nRF52 Series

• nRF53 Series (supports only application core DFU)

This bootloader can be used only for the background DFU through the Configuration channel and Device Firmware Upgrade module. For more information about the B0, see the nRF Secure Immutable Bootloader page.

MCUboot

MCUboot is supported on the SoCs from the following series:

• nRF52 Series

• nRF53 Series

The MCUboot bootloader can be used in the following scenarios:

• Background DFU. In this scenario, the MCUboot either swaps the application images located on the secondary and primary slots before booting a new image (swap mode) or boots a new application image directly from the secondary image slot (direct-xip mode). The swap operation significantly increases boot time after a successful image transfer, but external non-volatile memory can be used as the secondary image slot.

  You can use the MCUboot for the background DFU through the Configuration channel and Device Firmware Upgrade module. The MCUboot can also be used for the background DFU over the Simple Management Protocol (SMP). The SMP can be used to transfer the new firmware image in the background, for example, from an Android device. In that case, either the Simple Management Protocol module or Device Firmware Upgrade MCUmgr module is used to handle the image transfer. The Simple Management Protocol module relies on a generic module implemented in the Common Application Framework (CAF). The Device Firmware Upgrade MCUmgr module uses an application-specific implementation that allows to synchronize a secondary image slot access with the Device Firmware Upgrade module using the DFU lock utility.

• USB serial recovery. In this scenario, the MCUboot bootloader supports the USB serial recovery. The USB serial recovery can be used for memory-limited devices that support the USB connection. In this mode, unlike in the background DFU mode, the DFU image transfer is handled by the bootloader. The application is not running and it can be overwritten. Because of that, only one application slot may be used.

For more information about the MCUboot, see the MCUboot documentation.

Note

The nRF Desktop application can use either B0 or MCUboot. The MCUboot is not used as the second stage bootloader.

Important

Make sure that you use your own private key for the release version of the devices. Do not use the debug key for production.

If your configuration enables the bootloader, make sure to define a static non-volatile memory layout in the Partition Manager. See nRF Desktop: Memory layout for details.

Configuring the B0 bootloader

To enable the B0 bootloader, select the CONFIG_SECURE_BOOT Kconfig option in the application configuration.

The B0 bootloader additionally requires enabling the following options in the application configuration:

• CONFIG_SB_SIGNING_KEY_FILE - Required for providing the signature used for image signing and verification.

• CONFIG_FW_INFO - Required for the application versioning information.

• CONFIG_FW_INFO_FIRMWARE_VERSION - Enable this option to set the version of the application after you enabled CONFIG_FW_INFO. The nRF Desktop application with the B0 bootloader configuration builds two application images: one for the S0 slot and the other for the S1 slot. To generate the DFU package, you need to update this configuration only in the main application image as the s1_image child image mirrors it. You can do that by rebuilding the application from scratch or by changing the configuration of the main image through menuconfig.

• CONFIG_BUILD_S1_VARIANT - Required for the build system to be able to construct the application binaries for both application’s slots in non-volatile memory.

Configuring the MCUboot bootloader

To enable the MCUboot bootloader, select the CONFIG_BOOTLOADER_MCUBOOT Kconfig option in the application configuration.

The MCUboot private key path (CONFIG_BOOT_SIGNATURE_KEY_FILE) must be set only in the MCUboot bootloader configuration file. The key is used both by the build system (to sign the application update images) and by the bootloader (to verify the application signature using public key derived from the selected private key).

The MCUboot bootloader configuration depends on the selected way of performing image upgrade. For detailed information about the available MCUboot bootloader modes, see the following sections.

Swap mode

In the swap mode, the MCUboot bootloader moves the image to the primary slot before booting it. The swap mode is the image upgrade mode used by default for the background DFU.

If the swap mode is used, the application must request a firmware upgrade and confirm the running image. For this purpose, make sure to enable the CONFIG_IMG_MANAGER and CONFIG_MCUBOOT_IMG_MANAGER Kconfig options in the application configuration. These options allow the Device Firmware Upgrade module, Simple Management Protocol module, and Device Firmware Upgrade MCUmgr module to manage the DFU image.

Note

When the MCUboot bootloader is in the swap mode, it can use a secondary image slot located on the external non-volatile memory. For details on using external non-volatile memory for the secondary image slot, see the External flash configuration section.

Direct-xip mode

The direct-xip mode is used for the background DFU. In this mode, the MCUboot bootloader boots an image directly from a given slot, so the swap operation is not needed. To set the MCUboot mode of operations to the direct-xip mode, make sure to enable the CONFIG_MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP Kconfig option in the application configuration. This option automatically enables CONFIG_BOOT_BUILD_DIRECT_XIP_VARIANT to build application update images for both slots.

Enable the CONFIG_BOOT_DIRECT_XIP Kconfig option in the bootloader configuration to make the MCUboot run the image directly from both image slots. The nRF Desktop’s bootloader configurations do not enable the revert mechanism (CONFIG_BOOT_DIRECT_XIP_REVERT). When the direct-xip mode is enabled (the CONFIG_MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP Kconfig option is set in the application configuration), the application modules that control the DFU transport do not request firmware upgrades and do not confirm the running image. In that scenario, the MCUboot bootloader simply boots the image with the higher image version.

By default, the MCUboot bootloader ignores the build number while comparing image versions. Enable the CONFIG_BOOT_VERSION_CMP_USE_BUILD_NUMBER Kconfig option in the bootloader configuration to use the build number while comparing image versions. To apply the same option for the Simple Management Protocol module or Device Firmware Upgrade MCUmgr module, enable the CONFIG_MCUMGR_GRP_IMG_VERSION_CMP_USE_BUILD_NUMBER Kconfig option in the application configuration.

It is recommended to also enable the CONFIG_MCUMGR_GRP_IMG_REJECT_DIRECT_XIP_MISMATCHED_SLOT Kconfig option in the application configuration to make sure that MCUmgr rejects application image updates with invalid start address. This prevents uploading an update image build for improper slot through the MCUmgr’s Simple Management Protocol (SMP).

Serial recovery mode

In the USB serial recovery mode, the MCUboot bootloader uses a built-in foreground DFU transport over serial interface through USB. The application is not involved in the foreground DFU transport, therefore it can be directly overwritten by the bootloader. Because of that, the configuration with the serial recovery mode requires only a single application slot.

Enable the USB serial recovery DFU using the following configuration options:

• CONFIG_MCUBOOT_SERIAL - This option enables the serial recovery DFU.

• CONFIG_BOOT_SERIAL_CDC_ACM - This option enables the serial interface through USB.

  Note

  Make sure to enable and properly configure the USB subsystem in the bootloader configuration. See USB device support APIs for more information.

If you press the predefined button during the boot, the MCUboot bootloader enters the serial recovery mode instead of booting the application. The GPIO pin used to trigger the serial recovery mode is configured using Devicetree Specification (DTS). The pin is configured with the mcuboot-button0 alias. The mcuboot-led0 alias can be used to define the LED activated in the serial recovery mode. You must select the CONFIG_MCUBOOT_INDICATION_LED Kconfig option to enable the LED. By default, both the GPIO pin and the LED are defined in the board’s DTS file. See boards/arm/nrf52833dongle_nrf52833/nrf52833dongle_nrf52833.dts for an example of board’s DTS file used by the nRF Desktop application.

For an example of bootloader Kconfig configuration file defined by the application, see the MCUboot bootloader debug configuration defined for nRF52833 dongle (applications/nrf_desktop/configuration/nrf52833dongle_nrf52833/child_image/mcuboot/prj.conf).

Note

The nRF Desktop devices use either the serial recovery DFU with a single application slot or the background DFU. Both mentioned firmware upgrade methods are not used simultaneously by any of the configurations. For example, the nrf52840dk_nrf52840 board in prj_mcuboot_smp.conf uses only the background DFU and does not enable the serial recovery feature.

Background Device Firmware Upgrade

The nRF Desktop application uses the Configuration channel and Device Firmware Upgrade module for the background DFU process. From the application perspective, the update image transfer during the background DFU process is very similar for all supported configurations:

• MCUboot

• Secure Bootloader (B0)

The firmware update process has the following three stages:

• Update image generation

• Update image transfer

• Update image verification and application image update

These stages are described in the following sections.

At the end of these three stages, the nRF Desktop application will be rebooted with the new firmware package installed.

Note

The background firmware upgrade can also be performed over the Simple Management Protocol (SMP). For more details about the DFU procedure over SMP, read the documentation of the following modules:

• Simple Management Protocol module (supported only with MCUboot bootloader)

• Device Firmware Upgrade MCUmgr module (supported only with MCUboot bootloader) The module uses the DFU lock utility to synchronize non-volatile memory access with other DFU methods. Therefore, this module should be used for configurations that enable multiple DFU transports (for example, if a configuration also enables Device Firmware Upgrade module).

Update image generation

The update image is generated in the build directory when building the firmware regardless of the chosen DFU configuration.

MCUboot and B0 bootloaders

The zephyr/dfu_application.zip file is used by both B0 and MCUboot bootloader for the background DFU through the Configuration channel and Device Firmware Upgrade module. The package contains firmware images along with additional metadata. If the used bootloader boots the application directly from either slot 0 or slot 1, the host script transfers the update image that can be run from the unused slot. Otherwise, the image is always uploaded to the slot 1 and then moved to slot 0 by the bootloader before boot.

Note

Make sure to properly configure the bootloader to ensure that the build system generates the zephyr/dfu_application.zip archive containing all of the required update images.

Update image transfer

The update image is transmitted in the background through the Configuration channel. The configuration channel data is transmitted either through USB or over Bluetooth, using HID feature reports. This allows the device to be used normally during the whole process (that is, the device does not need to enter any special state in which it becomes non-responsive to the user).

Depending on the side on which the process is handled:

• On the application side, the process is handled by Device Firmware Upgrade module. See the module documentation for how to enable and configure it.

• On the host side, the process is handled by the HID configurator for nRF Desktop. See the tool documentation for more information about how to execute the background DFU process on the host.

Image transfer over SMP

The update image can also be transferred in the background through one of the following modules:

• Simple Management Protocol module (supported only with MCUboot bootloader)

• Device Firmware Upgrade MCUmgr module (supported only with MCUboot bootloader) The module uses the DFU lock utility to synchronize non-volatile memory access with other DFU methods. Therefore, this module should be used for configurations that enable multiple DFU transports (for example, if a configuration also enables Device Firmware Upgrade module).

The nRF Connect Device Manager application transfers the image update files over the Simple Management Protocol (SMP).

To perform DFU using the nRF Connect Device Manager mobile app, complete the following steps:

1. Generate the DFU package by building your application with the FOTA support over Bluetooth Low Energy. You can find the generated dfu_application.zip archive in the following directory <build_dir>/zephyr.

   Note

   For each image included in the DFU-generated package, use a higher version number than your currently active firmware. Otherwise, the DFU target may reject the FOTA process due to a downgrade prevention mechanism.

2. Download the dfu_application.zip archive to your device. See Output build files (image files) for more information about the contents of update archive.

   Note

   nRF Connect for Desktop does not currently support the FOTA process.

3. Use the nRF Connect Device Manager mobile app to update your device with the new firmware.

   1. Ensure that you can access the dfu_application.zip archive from your phone or tablet.

   2. In the mobile app, scan and select the device to update.

   3. Switch to the Image tab.

   4. Tap the SELECT FILE button and select the dfu_application.zip archive.

   5. Tap the START button.

   6. Initiate the DFU process of transferring the image to the device:

      • If you are using an Android device, select a mode in the dialog window, and tap the START button.

      • If you are using an iOS device, tap the selected mode in the pop-up window.

   7. Wait for the DFU to finish and then verify that the application works properly.

Note

Support for FOTA updates with MCUboot in the direct-xip mode is available since the following versions of the nRF Connect Device Manager mobile app:

• Version 1.8.0 on Android.

• Version 1.4.0 on iOS.

Note

If the CONFIG_MCUMGR_GRP_IMG_REJECT_DIRECT_XIP_MISMATCHED_SLOT Kconfig option is enabled in the application configuration, the device rejects update image upload for the invalid slot. It is recommended to enable the option if the application uses MCUboot in the direct-xip mode.

Update image verification and application image update

Once the update image transfer is completed, the background DFU process will continue after the device reboot. If HID configurator for nRF Desktop is used, the reboot is triggered by the script right after the image transfer completes.

The implementation details of the reboot mechanism for the chosen DFU configuration are described in the following subsections.

MCUboot and B0 bootloaders

For these configuration variants, the sys_reboot() function is called to reboot the device. After the reboot, the bootloader locates the update image on the update partition of the device. The image verification process ensures the integrity of the image and checks if its signature is valid. If verification is successful, the bootloader boots the new version of the application. Otherwise, the old version is used.

Serial recovery DFU

The serial recovery DFU is a feature of MCUboot and you need to enable it in the bootloader’s configuration. For the configuration details, see the Configuring the MCUboot bootloader section.

To start the serial recovery DFU, the device should boot into recovery mode, in which the bootloader is waiting for a new image upload to start. In the serial recovery DFU mode, the new image is transferred through an USB CDC ACM class instance. The bootloader overwrites the existing application located on the primary slot with the new application image. If the transfer is interrupted, the device cannot boot the incomplete application, and the image upload must be performed again.

Once the device enters the serial recovery mode, you can use the mcumgr to:

• Query information about the present image.

• Upload the new image. The mcumgr uses the zephyr/app_update.bin update image file. It is generated by the build system when building the firmware.

For example, the following line starts the upload of the new image to the device:

mcumgr -t 60 --conntype serial --connstring=/dev/ttyACM0 image upload build-nrf52833dongle_nrf52833/zephyr/app_update.bin

The command assumes that /dev/ttyACM0 serial device is used by the MCUboot bootloader for the serial recovery.