Exhibit 1007

United States Patent [19]
Beaverton et al.

US005210854A
[11] Patent Number: 5,210,854
[45] Date of Patent: May 11, 1993

[54] SYSTEM FOR UPDATING PROGRAM STORED IN EEPROM BY STORING NEW VERSION INTO NEW LOCATION AND UPDATING SECOND TRANSFER VECTOR TO CONTAIN STARTING ADDRESS OF NEW VERSION
[75] Inventors: Arthur J. Beaverton, Maynard, Mass.; Thomas E. Hunt, Brookline, N.H.
[73] Assignee: Digital Equipment Corporation, Maynard, Mass.
[21] Appl. No.: 366,168
[22] Filed: Jun. 14, 1989
[51] Int. Cl.5: G06F 12/02
[52] U.S. Cl.: 395/500; 364/DIG. 1; 364/259; 364/259.9; 364/243; 364/245.2; 395/425
[58] Field of Search: 364/200 MS File, 900 MS File; 395/500, 425

Primary Examiner—Thom C. Lee
Assistant Examiner—Mehmet Geckil
Attorney, Agent, or Firm—Kenyon & Kenyon

[57] ABSTRACT

Firmware resident in electrically erasable programmable read only memory ("EEPROM") can be updated by a user while maintaining the intelligence of a computer system during the updating process by a control logic device. The control logic device decodes address and control signals to provide a hardware partitioning of the firmware resident in the EEPROMs to prevent writing to protected partitions of the firmware. Transfer vectors are used to provide indirect accessing of subroutines resident in the firmware. During an updating process, a new version of a subroutine is stored in a free area in the EEPROMs before the transfer vector pointing to the old version of the subroutine is updated. The window of vulnerability to errors during the updating process is minimized by only updating a page of memory containing the transfer vector that points to the old version of the subroutine after the new version has been stored.

7 Claims, 5 Drawing Sheets

[Front-page figure. Recovered labels: EEPROM MEMORY ARRAY; CONTROL LOGIC.]

Exhibit 1007
Liberty Mutual
Page 000001

[Sheet 1 of 5: FIG. 1, block diagram. Recovered labels: EEPROM MEMORY ARRAY; reference numerals 12, 15.]

[Sheet 2 of 5: schematic. Recovered labels: address lines LADR<17> through LADR<2>; PAL inputs LADR<17> through LADR<13>, RD_EEROM (22), WR_EEROM (23), UPDATE_ENB (24), CP_BM<3> through CP_BM<0>.]

[Sheet 3 of 5: FIG. 3, memory map. Axis: PHYSICAL ADDRESS, with boundaries 2007FFFF, 20044000, 20042000, 20040000. Region labels: CONSOLE, DIAGNOSTIC AND BOOT CODE; ENTRY CODE; RESERVED AREA.]

[Sheet 4 of 5: FIG. 4, memory map. Recovered labels: 2007FFFF; CONDITIONALLY WRITABLE; PROTECTED (NONWRITABLE); SUBROUTINE A (42); POINTER TO SUBROUTINE A; POINTER TO POINTER TO SUBROUTINE A (38).]

[Sheet 5 of 5: FIG. 5, memory map. Recovered labels: 2007FFFF, 20044000, 20042000, 20040000; SUBROUTINE A'; SUBROUTINE A; POINTER TO SUBROUTINE A'; POINTER TO POINTER TO SUBROUTINE A'.]

SYSTEM FOR UPDATING PROGRAM STORED IN EEPROM BY STORING NEW VERSION INTO NEW LOCATION AND UPDATING SECOND TRANSFER VECTOR TO CONTAIN STARTING ADDRESS OF NEW VERSION

FIELD OF THE INVENTION

This invention relates to a digital computer memory system and, more particularly, to a digital computer memory system in which firmware resides in electrically erasable programmable read-only memory. The invention provides an efficient means whereby firmware can be updated in the field by a user while maintaining fully functional firmware in the system and an effective means to recover from failure conditions which may occur during the updating process.

BACKGROUND OF THE INVENTION

General purpose digital computers utilize a wide variety of programs to perform various tasks. A computer program is a series of instructions or statements, in a form which is executable by a computer, to achieve a certain result. In a computer system, these programs may be, among others, part of the operating system, compilers, editors or specific application programs. Such computer programs are also referred to as software.

Firmware is a form of a computer program which embodies instructions or data stored in a fixed means, i.e., the instructions or data stored remain intact without the need of a power source, such as a read-only memory ("ROM"), a programmable read-only memory ("PROM") or an erasable programmable read-only memory ("EPROM"), as opposed to instructions or data stored in a random access memory ("RAM"). Once the firmware is stored in one of the aforementioned fixed means, it cannot be written over without removing the integrated circuit chip in which the firmware is stored. Thus, if errors in the firmware are discovered once a computer system has been shipped to a customer, a field service technician would be required to correct the errors. The technician would have to power down the system to install either a new chip or a new circuit board containing a new chip including the corrected firmware. This procedure can be expensive and time consuming.

The advent of electrically erasable programmable read-only memory ("EEPROM") has obviated the need to remove a memory chip containing firmware with errors. An EEPROM is a read-only memory that can be erased and reprogrammed by electrical signals to store new firmware without removing the EEPROM from the circuit board or powering down the computer system. In typical EEPROMs, each location in the EEPROM can be erased separately. The drawback of typical EEPROMs is that they are on the order of one fourth the density of EPROMs. The low density of typical EEPROMs is attributable to the technology utilized to make these EEPROMs. Thus, a greater number of EEPROM chips would be required to provide sufficient storage capabilities.

As a result, present computer systems using EEPROMs typically do not use all EEPROMs for storing firmware. Such systems generally utilize some combination of EEPROMs and ROM, PROM, or EPROM to achieve full functionality and sufficient storage capabilities. Furthermore, present computer systems which protect an area of the firmware from being updated also generally use a combination of EPROMs and EEPROMs. The EPROMs are used to store the firmware that is protected from the updating process.

The above described computer systems overcome the low density problem of the EEPROMs but lose the ability to update a large percentage of the firmware in the field since typically, only a small amount of the firmware is stored in the EEPROM. Most of the operable code is stored in EPROMs. Thus, updates to the firmware resident in the EPROM would still require a field service technician to either replace the EPROM or install a new circuit board containing EPROM with the updated firmware.

Recent advances in technology have obviated the disparity in densities between EEPROMs and EPROMs. Now, the entire system firmware can reside in EEPROMs. While these advances eliminate the necessity for using a combination of EPROMs and EEPROMs for firmware storage, they have also raised the problem of how to maintain a minimum amount of firmware constant in the system. Thus, without providing some safeguards, a user could inadvertently or intentionally corrupt the firmware when performing updates to the extent that a total loss of system intelligence could result. Accordingly, the services of a skilled technician would still be required to perform firmware updates in the field to prevent such corruption of the firmware.

SUMMARY OF THE INVENTION

The present invention provides a computer memory system utilizing only EEPROMs in which to store firmware wherein an end user can perform firmware updates without corrupting the firmware. The invention also provides a failure recovery mechanism to insure that the user will have fully functional firmware if certain failure conditions occur during the updating process. The user need not be a skilled service technician but rather an everyday computer user.

Generally, the present invention comprises an EEPROM array coupled by a bus arrangement to a central processing unit (hereinafter "CPU"). The CPU is also coupled to a system console through which an operator can communicate directly with the CPU. A control logic device is intercoupled between the EEPROM array and the CPU. The control logic device generates the signals which enable the EEPROM to be erased and reprogrammed under the control of the CPU.

The present invention provides for the firmware resident in the EEPROM to be hardware partitioned into protected areas and unprotected areas. The partitioning of the firmware prevents a user from writing over selected partitions of the firmware resident in the EEPROM. This insures that a minimum amount of firmware is constant in the system, thereby preventing the ordinary user from corrupting the firmware to the extent that a total loss of system intelligence results. The EEPROMs maintain a minimal bootstrap to enable either the repeating of the upgrade process upon power failure or simply bootstrapping a known good image of the firmware upon the load of faulty firmware.

The upgrade is implemented by operating the CPU through the console to generate the EEPROM addresses and control signals and thereby transmit the firmware to the EEPROM for storage in the corresponding EEPROM addresses. A portion of the EEPROM addresses generated by the CPU are transmitted to the control logic device. The CPU also generates and transmits control signals to indicate that a firmware update is requested. The control logic device ascertains whether the addresses generated by the CPU are in an area of the EEPROM which is a protected or unprotected partition. If the partition is unprotected, the control logic device generates the appropriate signals to enable the loading of the firmware into the EEPROM.

The present invention also provides a failure recovery mechanism to insure that during firmware upgrades the user will have functional firmware if a failure occurs during the updating process. Two such potential failures are power failure during the upgrade process or the loading of faulty code. The invention minimizes the susceptibility of the computer system to such failure conditions through the partitioning of the firmware and the use of software constructs known as transfer vectors and jump tables. During the updating process, the new version of the firmware is written to memory. It is not until the entire updated version of the firmware is stored that the pointers to the old version of the firmware, maintained in the transfer vectors and jump tables, are updated. This procedure minimizes the risk of firmware corruption during the updating process.

Accordingly, the present invention provides a user with the ability to perform field updating of firmware resident in EEPROM without requiring the removal of circuit boards from the computer system or the need for a skilled operator to perform the upgrade. The invention provides a control logic device to maintain a preselected amount of firmware in a protected partition to prevent overwriting by the user and also provides a recovery mechanism that allows a user to either fall back to the previous state of the firmware or when such fall back cannot be done, to retry the update process and reload the new firmware when failures occur during the firmware update.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a computer system according to the invention.

FIG. 2 is a more detailed block diagram of the computer system of FIG. 1.

FIG. 3 is a memory map illustrating the partitioning of the EEPROMs of FIG. 2.

FIG. 4 is a memory map of the EEPROMs illustrating the locations where a subroutine and transfer vectors are stored in the firmware.

FIG. 5 is a memory map of the EEPROMs illustrating the locations where a first and second version of a subroutine and transfer vectors are stored in the firmware during and after updating.

DETAILED DESCRIPTION

Referring now to the drawings and initially to FIG. 1, there is illustrated, in block diagram form, a system configuration according to the invention. The system comprises a CPU 10, a control logic device 15 and an EEPROM memory array 16. The CPU 10 is coupled to the control logic device 15 by a bus 13. A plurality of control signals is transmitted by the CPU 10 across the bus 13 to the control logic device 15. A bus 12 is a bidirectional data bus which couples the CPU 10 to the EEPROM memory array 16. The CPU 10 transmits data information across the bus 12 to the EEPROM memory array 16. A bus 11 is an address bus which couples the CPU 10 to the EEPROM memory array 16. A bus 11A, which comprises a portion of the address bus 11, couples the CPU 10 to the control logic device 15. The control logic device 15 is coupled to the EEPROM memory array 16 by a bus 14. The control logic device 15 transmits a plurality of control signals across the bus 14 to the EEPROM memory array 16.

The CPU 10 generates and transmits various control signals across the bus 13. These signals from bus 13 and the address bits supplied from the bus 11A are decoded by the control logic device 15 to supply control signals including write enable signals via the bus 14 to the EEPROM memory array 16.

Referring now to FIG. 2, there is illustrated a preferred embodiment of the present invention. In this preferred embodiment, the control logic device of FIG. 1 is a programmable array logic chip (hereinafter "PAL") 17, for example, a 24 pin AmPAL22V10 manufactured by Advanced Micro Devices. The PAL 17 utilizes a sum-of-products (AND-OR) logic structure, allowing logic designers to program custom logic functions. The PAL 17 is programmed to accept twelve input signals and to generate six output signals. The CPU 10 of FIG. 1 is coupled to the PAL 17 by the bus 11A and the bus 13. The CPU 10 transmits twelve input signals to the PAL 17 across the bus 11A and the bus 13. The CPU 10 is coupled by the bus 11 and the bus 12 to the EEPROM memory array 16. The EEPROM memory array 16 comprises four 64K×8 EEPROMs 18, 19, 20 and 21. The four EEPROMs are organized to provide a 32 bit wide data word. Each of the EEPROMs 18, 19, 20 and 21 have a chip enable, output enable, and a write enable input. This preferred embodiment of the present invention utilizes EEPROMs model number 48C512 manufactured by SEEQ Technology. The 48C512 EEPROMs 18-21 are referred to as Flash EEPROMs. This type of EEPROM achieves densities equivalent to EPROMs. However, the data stored in such EEPROMs is erased one page (a page is 512 bytes) at a time instead of location by location.

The first group of input signals transmitted from the CPU 10 to the PAL 17 are the address bits, LADR<17:13> 26, transmitted from the CPU 10 over the bus 11A. The LADR 26 signals are supplied to the PAL 17 so it can determine an address range being addressed by the CPU 10 when a write to the EEPROM memory array 16 is requested. The second group of input signals are the CP_BM<3:0> 25 signals which are control signals transmitted by the CPU 10 across the bus 13. These signals are byte masks that indicate which byte(s) of the firmware stored in the EEPROM memory array 16 is to be written. The CPU 10 can also transmit three more control signals, a RD_EEROM 22, a WR_EEROM 23 and an UPDATE_ENB 24 across the bus 13 to the PAL 17. The RD_EEROM 22 is an active low signal which indicates a read memory request. The WR_EEROM 23 is also an active low signal which indicates a write to memory request. The UPDATE_ENB 24 signal is an active low signal which indicates that a firmware update is to be performed.

The UPDATE_ENB 24 signal also provides a physical security check to the update process. In the preferred embodiment of the present invention, the UPDATE_ENB 24 signal is generated by the CPU 10 in response to the setting of a switch on the console. Remote firmware updates to selected partitions referred to as conditionally writable partitions of the firmware are prevented by requiring this switch to be physically set by a user present at the console.

The bus 11 of FIG. 1 is an address bus 33 in the preferred embodiment which couples the four EEPROMs 18, 19, 20 and 21 to the CPU 10. The CPU 10 transmits 16 address signals LADR<17:2> across the address bus 33 to the EEPROMs 18, 19, 20 and 21. The bus 12 of FIG. 1 is a bidirectional data bus 34 in the preferred embodiment which also couples the four EEPROMs 18, 19, 20 and 21 to the CPU 10. The bus 34 comprises 32 signal lines which carry 32 bits of data. The bus 34 is divided into four bytes and thereafter coupled to the EEPROMs. The bytes of data are coupled to the EEPROMs in ascending byte order starting with EEPROM 21, as the least significant byte, then EEPROM 20, EEPROM 19, and EEPROM 18 as the most significant byte.

The internal organization of the PAL 17 provides for the hardware partitioning of the firmware resident in the EEPROMs. Referring now to FIG. 3, there is shown a memory map of the 64K×32 bit wide EEPROM array 18-21 which illustrates the partitions of the firmware. The firmware is partitioned into three distinct areas. The upper address range (20044000 to 2007FFFF) partition 35 of the firmware is a conditionally writable partition reserved for console, diagnostic and bootstrap code. This partition 35 is conditionally writable by any user with system privileges because of the physical security check described above which must be satisfied to write to this partition. The physical security check requires the CPU 10 to generate the UPDATE_ENB 24 signal in response to the setting of a switch on the system console by a user. This physical security check, therefore, requires the user to be physically present at the system console during the updating of firmware in this partition. The physical security check also prevents a user from remotely initiating a write to this partition. The middle address range (20042000 to 20043FFF) partition 36 is a writable partition reserved for the firmware. This partition can be written to, either locally or remotely, by any user with system privileges. The lower address range (20040000 to 20041FFF) partition 37 is a nonwritable partition reserved for the firmware entry code that can never be written to by a user.

The PAL 17 prevents the updating of the lower address range partition 37 by not generating a write signal to the addressed EEPROM if a write request to that partition is generated by the CPU 10. The PAL 17 implements a set of rules and conditions to accomplish the hardware partitioning of the firmware and thereby render certain areas of the firmware inaccessible to a user. An advantage of utilizing a PAL for the hardware partitioning of the firmware instead of partitioning the firmware in software, is that the PAL prevents users from bypassing the software protection and gaining write access to the protected partitions.

The six output signals of the PAL 17, a ROM_CE 27, a ROM_OE 28, a ROM_WE_B0 32, a ROM_WE_B1 31, a ROM_WE_B2 30, and a ROM_WE_B3 29, are generated in accordance with the conditions set forth in the rules listed below:

    ROM_CE = RD_EEROM + WR_EEROM    (1)
    ROM_CE.OE = OE

    ROM_OE = RD_EEROM    (2)
    ROM_OE.OE = OE

    ROM_WE_B0 = CP_BM0 * WR_EEROM * ADDR: [20042000 . . . 20043FFF] + CP_BM0 * WR_EEROM * UPDATE_ENB * ADDR: [20044000 . . . 2007FFFF]    (3)
    ROM_WE_B0.OE = OE

    ROM_WE_B1 = CP_BM1 * WR_EEROM * ADDR: [20042000 . . . 20043FFF] + CP_BM1 * WR_EEROM * UPDATE_ENB * ADDR: [20044000 . . . 2007FFFF]    (4)
    ROM_WE_B1.OE = OE

    ROM_WE_B2 = CP_BM2 * WR_EEROM * ADDR: [20042000 . . . 20043FFF] + CP_BM2 * WR_EEROM * UPDATE_ENB * ADDR: [20044000 . . . 2007FFFF]    (5)
    ROM_WE_B2.OE = OE

    ROM_WE_B3 = CP_BM3 * WR_EEROM * ADDR: [20042000 . . . 20043FFF] + CP_BM3 * WR_EEROM * UPDATE_ENB * ADDR: [20044000 . . . 2007FFFF]    (6)
    ROM_WE_B3.OE = OE

These output signals are transmitted by the PAL 17 to the EEPROM memory array 16 across the bus 14 when the above conditions are met. For example, referring to rule one, the ROM_CE 27 signal is generated when either the RD_EEROM 22 or (logical OR) the WR_EEROM 23 signal is generated. Similarly, rule two shows that the ROM_OE 28 signal is generated whenever the RD_EEROM 22 signal is generated. The remaining rules produce a write signal for a specific EEPROM addressed by the LADR 26 signals provided the conditions set forth are met. Referring to rule three, the conditions which must be met to generate the write signal, ROM_WE_B0 32, are that the address presented to the PAL 17 on LADR<17:13> 26 be within the address range 20042000 to 20043FFF and (logical AND) the CP_BM0 signal is low and (logical AND) the WR_EEROM 23 signal is low, or (logical OR) the address presented to the PAL 17 on LADR<17:13> 26 be within the address range 20044000 to 2007FFFF and (logical AND) the CP_BM0 signal is low and (logical AND) the WR_EEROM 23 and (logical AND) the UPDATE_ENB 24 signals are low. It is implicit in the conditions set forth in rule three that a
write to an address within the address range of 20040000 to 20041FFF will never be performed since such write is effectively inhibited. The other write request signals, the ROM_WE_B3 29, ROM_WE_B2 30, and ROM_WE_B1 31, are similarly generated. The conditions set forth in the rules three through six to generate the write signals are identical with the exception of the CP_BM 25 signals. The CP_BM 25 signals are byte mask signals that determine which output write signal is generated. For example, if CP_BM<2> is generated, then ROM_WE_B2 30 is generated provided the other conditions listed in rule five are met.

In summary, to cause the PAL 17 to generate a write enable signal for an address within the address range of 20042000 to 20043FFF, the CPU 10 must generate a write control signal and an address within the specified address range. Similarly, the CPU 10 must generate a write control signal, an update enable signal, and an address within the specified address range to cause the PAL 17 to generate a write enable signal to store data at an address within the address range of 20044000 to 2007FFFF. The CPU 10 controls which EEPROM of the EEPROM memory array is written by generating the byte mask signal(s) for the EEPROM to be written. The PAL 17 will never generate a write enable signal to write data to an address within the address range of 20040000 to 20041FFF. This is a protected area of the firmware which can never be updated.
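
The write-enable rules above, modelled in C as an added example that is not part of the patent text: because the decoder sees only LADR<17:13>, every partition boundary falls on an 8 KB block, and a sweep of all 4,096 combinations of the twelve inputs checks the decode against the three-partition policy. Signals are modelled as true when asserted rather than as active-low levels; the function names, and the pal_decode_coarse variant (a constructed design mistake that decodes only LADR<17:14>), are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the patent's rules (1)-(6). Inputs are true when asserted;
 * on the real part RD_EEROM, WR_EEROM, UPDATE_ENB and CP_BM are active low. */
typedef struct {
    unsigned block;            /* LADR<17:13>: one of 32 blocks of 8 KB */
    bool rd, wr, update_enb;   /* RD_EEROM, WR_EEROM, UPDATE_ENB */
    unsigned cp_bm;            /* CP_BM<3:0>, bit n selects byte lane n */
} pal_in;

typedef struct {
    bool rom_ce, rom_oe;
    unsigned rom_we;           /* bit n = ROM_WE_Bn */
} pal_out;

/* Sum-of-products form shared by both decoders below. */
static pal_out decode_with(pal_in in, bool mid, bool upper) {
    pal_out out = { in.rd || in.wr, in.rd, 0 };          /* rules (1), (2) */
    for (unsigned n = 0; n < 4; n++) {                   /* rules (3)-(6) */
        bool bm = (in.cp_bm >> n) & 1u;
        if ((bm && in.wr && mid) || (bm && in.wr && in.update_enb && upper))
            out.rom_we |= 1u << n;
    }
    return out;
}

/* Block 0 = 20040000..20041FFF, block 1 = 20042000..20043FFF,
 * blocks 2..31 = 20044000..2007FFFF. */
pal_out pal_decode(pal_in in) {
    return decode_with(in, in.block == 1, in.block >= 2);
}

/* Constructed mistake: looking only at LADR<17:14> merges blocks 0 and 1,
 * so the entry-code partition inherits the writable partition's rule. */
pal_out pal_decode_coarse(pal_in in) {
    return decode_with(in, (in.block >> 1) == 0, (in.block >> 1) != 0);
}

/* The policy as the prose states it, written independently of the rules. */
static unsigned expected_we(pal_in in) {
    if (!in.wr || in.block == 0) return 0;               /* partition 37 */
    if (in.block == 1) return in.cp_bm;                  /* partition 36 */
    return in.update_enb ? in.cp_bm : 0;                 /* partition 35 */
}

/* Try every combination of the twelve inputs; return how many disagree. */
int count_violations(pal_out (*decode)(pal_in)) {
    int bad = 0;
    for (unsigned v = 0; v < (1u << 12); v++) {
        pal_in in = { v & 0x1Fu, (v >> 5) & 1u, (v >> 6) & 1u,
                      (v >> 7) & 1u, (v >> 8) & 0xFu };
        pal_out out = decode(in);
        if (out.rom_we != expected_we(in) ||
            out.rom_ce != (in.rd || in.wr) || out.rom_oe != in.rd)
            bad++;
    }
    return bad;
}

/* Convenience wrapper: write enables for a write to a physical address. */
unsigned write_enables(uint32_t addr, bool update_enb, unsigned cp_bm) {
    pal_in in = { (addr >> 13) & 0x1Fu, false, true, update_enb, cp_bm & 0xFu };
    return pal_decode(in).rom_we;
}

int main(void) {
    printf("entry code, switch set:   WE=%X\n", write_enables(0x20040010u, true, 0xF));
    printf("middle partition, remote: WE=%X\n", write_enables(0x20042000u, false, 0xF));
    printf("upper partition, remote:  WE=%X\n", write_enables(0x20044000u, false, 0xF));
    printf("upper partition, switch:  WE=%X\n", write_enables(0x20044000u, true, 0xF));
    printf("violations: rules=%d coarse=%d\n",
           count_violations(pal_decode), count_violations(pal_decode_coarse));
    return 0;
}
```

The sweep reports no disagreement for the rules as written; the coarse decode fails it in every case where a write with a nonzero byte mask targets block 0.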

The ROM_CE 27 signal output by the PAL 17 is coupled to the chip enable input of each of the EEPROMs. The ROM_OE 28 signal output by the PAL 17 is coupled to the output enable input of each of the EEPROMs. The ROM_WE_B3 29, ROM_WE_B2 30, ROM_WE_B1 31, and ROM_WE_B0 32 signals output by the PAL 17 are coupled respectively to the write enable inputs of EEPROM 18, EEPROM 19, EEPROM 20, and EEPROM 21.

The hardware partition of the firmware provided by the PAL 17 in the present invention prevents unauthorized updates of the protected partition of the firmware resident in the EEPROMs and maintains enough intelligence so that the EEPROMs can be successfully updated. If a firmware error is present in the lower partition 37, then previously described methods of updating must be used. The remaining partitions, the middle address range partition 36 and the upper address range partition 35 are updatable by a user. It is in partitions 36 and 35 that the system firmware resides.

To start the update process, the UPDATE_ENB 24 input to the PAL 17 is driven low by the CPU 10. The PAL 17 can then issue a write request by setting WR_EEROM 23 low, providing the address of the location in the EEPROM on the LADR 33 lines to the EEPROMs and the LADR 26 lines to the PAL 17 and setting the CP_BM 25 lines low to indicate which EEPROM(s) is to be written. The PAL 17 interprets the input signals in accordance with the conditions set forth in the rules to determine if the write request is to an accessible area in the firmware or a protected area as indicated by the address presented on LADR<17:13> 26. If the write request is within the protected area of the firmware the PAL 17 does not generate an output signal and, therefore, the write is blocked. If, however, the write request is outside the protected area, the PAL 17 generates a ROM_WE signal to the respective EEPROM(s) to store the data present on the data bus 34 into the EEPROM(s). As discussed above, the PAL 17 determines which EEPROM is to be written by the CP_BM 25 signals.

The present invention also provides an effective means to maintain the integrity of the system firmware during the updating process. The invention prevents a total loss of firmware functionality that would render the system inoperable by reducing a "window of vulnerability" to errors. The window of vulnerability is the time period during the updating process when the firmware can be corrupted by a failure. This window is reduced by updating the EEPROMs one page at a time in combination with the use of software constructs known as transfer vectors and jump tables.

The subroutines resident in the firmware can be utilized by software which is stored in other areas in memory in the computer system of the present invention. Transfer vectors are used to provide a level of indirect addressing to these subroutines. These vectors provide a valuable means to maintain the accessibility of a subroutine resident in the firmware to the rest of the system software routines when the firmware is updated. This accessibility is maintained without affecting the other software routines, thus, an update of the firmware is transparent to the rest of the system.

To use a subroutine in firmware, the software routine calls the transfer vector which causes the execution to start at the beginning of the subroutine. To maintain the accessibility of these subroutines, the transfer vectors are stored in the nonwritable area of the EEPROMs. Thus, two levels of indirect addressing must be provided by utilizing two transfer vectors to access a subroutine. One vector is stored in the protected partition of the firmware to keep its address constant while the second vector is stored in an unprotected partition so it can be updated. A group of the second transfer vectors are stored in the same page of memory for reasons set forth below.

Referring now to FIG. 4, there is illustrated, in the memory map of FIG. 3, how transfer vectors are used in the present invention. The transfer vector 38 is stored in the protected partition 37 of the firmware. Since the address of the vector 38 is fixed, updates to a subroutine which it points to will not affect its starting address, and therefore, be transparent to the rest of the system. Vector 38 contains the address of transfer vector 41 which resides in the writable partition 36 of the firmware. The vector 41 contains the starting address of a subroutine A 42. Thus, a software routine which wants to execute subroutine A 42, obtains access to it by addressing the fixed address of vector 38 which points to vector 41 which points to the starting address of subroutine A 42.

Referring now to FIG. 5, there is illustrated in the memory map of FIG. 3, the process of updating the firmware. As shown, the location of transfer vectors 38 and 41 and subroutine A 42 are unchanged. The CPU 10 stores the new version of subroutine A 42, subroutine A' 44, in the conditional write partition 35 of the firmware. The process of storing the subroutine A' 44 could be on the order of seconds depending on how much memory subroutine A' 44 occupies. If, at anytime during the storing of subroutine A' 44 an error occurs, i.e., a power failure, the integrity of the firmware will not be affected since subroutine A 42 has not been erased.

Once the subroutine A' 44 is successfully stored, the next step is to update vector 41 to point to subroutine A' 44 instead of subroutine A 42. This portion of the updating procedure is critical. The preferred embodiment of the present invention effectively minimizes the window of vulnerability by storing all transfer vectors in the writable partition of the firmware in one page of memory, thus requiring only one page of the firmware in which vector 41 resides to be erased and updated. Thus, the invention reduces the window of vulnerability to the lowest time period that current technology allows. Once the vector 41 is updated to point to subroutine A' 44, the update process is complete and the area of memory where subroutine A 42 is stored becomes free space.

Accordingly, the subroutine A 42 can be updated and the window of vulnerability minimized by simply copying the new version of subroutine A 42 into the conditional write partition 35 of the firmware without erasing the old version of subroutine A 42, and updating vector 41 after the new subroutine has been stored.
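
The update ordering described above, simulated in C as an added example that is not part of the patent text: power is cut after every possible number of completed flash operations and the chain vector 38 -> vector 41 -> subroutine is re-walked, once for the copy-then-switch order and once for an in-place overwrite. The placement of A and A' inside partition 35, the two-page subroutine size, the cost model (one operation per page erase or word program), the single modelled vector in the vector page and all function names are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Addresses follow the patent's memory map; where subroutine A and the free
 * area sit inside partition 35, and the subroutine size, are constructed. */
#define BASE        0x20040000u  /* bottom of the EEPROM array */
#define PAGE_BYTES  512u         /* flash erase unit named in the text */
#define ERASED      0xFFFFFFFFu
#define VEC38       0x20040000u  /* fixed vector, protected partition 37 */
#define VEC41       0x20042000u  /* updatable vector, writable partition 36 */
#define SUB_A       0x20044000u  /* current subroutine A */
#define SUB_A_NEW   0x20044400u  /* free area that receives A' */
#define SUB_WORDS   256u         /* each version occupies two pages */
#define MEM_WORDS   0x1200u      /* model covers 0x20040000..0x200447FF */

static uint32_t mem[MEM_WORDS];
static long budget;              /* operations left before power is lost */

static uint32_t *cell(uint32_t addr) { return &mem[(addr - BASE) / 4u]; }
static int powered(void) { return budget-- > 0; }

/* Erasing a page and programming a word are the two primitive operations;
 * once the budget is spent they silently do nothing (power is gone). */
static void erase_page(uint32_t addr) {
    if (!powered()) return;
    uint32_t *p = cell(addr & ~(PAGE_BYTES - 1u));
    for (unsigned i = 0; i < PAGE_BYTES / 4u; i++) p[i] = ERASED;
}
static void program_word(uint32_t addr, uint32_t value) {
    if (powered()) *cell(addr) = value;
}

/* A subroutine image of version v is the word sequence (v << 24) | index. */
static void write_sub(uint32_t addr, uint32_t version) {
    for (unsigned i = 0; i < SUB_WORDS; i++) {
        if ((i * 4u) % PAGE_BYTES == 0) erase_page(addr + i * 4u);
        program_word(addr + i * 4u, (version << 24) | i);
    }
}

static void factory_image(void) {
    budget = 1000000;
    for (unsigned i = 0; i < MEM_WORDS; i++) mem[i] = ERASED;
    *cell(VEC38) = VEC41;          /* pointer to pointer, never rewritten */
    *cell(VEC41) = SUB_A;          /* pointer to subroutine A */
    write_sub(SUB_A, 1);
}

/* Follow vector 38 -> vector 41 -> subroutine as a caller would after a
 * reboot. Returns the version found, or 0 if the chain or body is damaged. */
int running_version(void) {
    if (*cell(VEC38) != VEC41) return 0;
    uint32_t sub = *cell(VEC41);
    uint32_t last = BASE + (MEM_WORDS - SUB_WORDS) * 4u;
    if (sub < BASE || sub > last || (sub & 3u)) return 0;
    uint32_t version = *cell(sub) >> 24;
    for (unsigned i = 0; i < SUB_WORDS; i++)
        if (*cell(sub + i * 4u) != ((version << 24) | i)) return 0;
    return (int)version;
}

/* The patent's order: store A' elsewhere, then rewrite only the vector page. */
void update_copy_then_switch(void) {
    write_sub(SUB_A_NEW, 2);
    erase_page(VEC41);              /* window opens: vector 41 is blank */
    program_word(VEC41, SUB_A_NEW); /* window closes */
}

/* Contrast case: overwrite the only copy of A where it sits. */
void update_in_place(void) { write_sub(SUB_A, 2); }

typedef struct { int steps, old_ok, new_ok, broken; } survey;

/* Cut power after k completed operations, for every k, and reboot. */
survey survey_power_loss(void (*update)(void)) {
    survey s = {0, 0, 0, 0};
    factory_image();
    budget = 1000000;
    update();
    s.steps = (int)(1000000 - budget);
    for (int k = 0; k <= s.steps; k++) {
        factory_image();
        budget = k;
        update();
        int v = running_version();
        if (v == 1) s.old_ok++; else if (v == 2) s.new_ok++; else s.broken++;
    }
    return s;
}

int main(void) {
    survey a = survey_power_loss(update_copy_then_switch);
    survey b = survey_power_loss(update_in_place);
    printf("copy-then-switch: %d steps, %d unbootable cut points\n", a.steps, a.broken);
    printf("in-place:         %d steps, %d unbootable cut points\n", b.steps, b.broken);
    return 0;
}
```

With these constructed sizes the copy-then-switch order leaves one unbootable cut point out of 261 (vector page erased, not yet reprogrammed), while the in-place order leaves 257 out of 259.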
`The above described preferred embodiment of the
`invention is meant to be representative only, as certain
`changes may be made therein without departing from
`the clear teachings of the invention. Accordingly, refer-
`ence should be made to the following claims which
`alone define the invention.
`What is claimed is:
`1. A digital computer memory system comprising:
`an electrically erasable programmable read-only
`memory containing firmware, having a plurality of
`address and data inputs and a plurality of locations,
`each location having an address, and a control
`input which permits writing to the electrically
`erasable programmable read-only memory, the
`electrically erasable programmable read-only
`memory is partitioned into a protected area and an
`unprotected area, the unprotected area having a
`conditionally writable area;
`a central processing unit having a plurality of data
`outputs, a plurality of address outputs, a control
`output and an update enable output;
`an address bus coupling the plurality of address inputs
`in the electrically erasable programmable read-
`only memory to the plurality of address outputs of
`the central processing unit;
`a data bus coupling the plurality of data inputs in the
`electrically erasable programmable read-only
`memory to the plurality of data outputs of the
`central processing unit; and
`a control logic device having a plurality of address
`inputs, a control input, an update enable input and
`an output, the plurality of address inputs coupled to
`at least a portion of the address bus, the output
`coupled to the control input of the electrically
`erasable programmable read-only memory, the
`control input coupled to the control output of the
`central processing unit, and the update enable input
`coupled to the update enable output of the central
`processing unit;
`the control logic device responsive to the control
`output of the central processing unit and an address
`transmitted on the at least a portion of the address
`bus, generating a write enable signal when the
`address is within the unprotected area of the elec-
`trically erasable programmable read-only memory
`and inhibiting the write enable signal wh
