Beaverton et al.

[54] SYSTEM FOR UPDATING PROGRAM STORED IN EEPROM BY STORING NEW VERSION INTO NEW LOCATION AND UPDATING SECOND TRANSFER VECTOR TO CONTAIN STARTING ADDRESS OF NEW VERSION
[75] Inventors: Arthur J. Beaverton, Maynard, Mass.; Thomas E. Hunt, Brookline, N.H.
[73] Assignee: Digital Equipment Corporation, Maynard, Mass.
[21] Appl. No.: 366,168
[22] Filed: Jun. 14, 1989
[51] Int. Cl.5: G06F 12/02
[52] U.S. Cl.: 395/500; 364/DIG. 1; 364/259; 364/259.9; 364/243; 364/245.2; 395/425
[58] Field of Search: 364/200 MS File, 900 MS File; 395/500, 425
`
[11] Patent Number: 5,210,854
[45] Date of Patent: May 11, 1993
`
Primary Examiner: Thomas C. Lee
Assistant Examiner: Mehmet Geckil
Attorney, Agent, or Firm: Kenyon & Kenyon

[57] ABSTRACT

Firmware resident in electrically erasable programmable read only memory ("EEPROM") can be updated by a user while maintaining the intelligence of a computer system during the updating process by a control logic device. The control logic device decodes address and control signals to provide a hardware partitioning of the firmware resident in the EEPROMs to prevent writing to protected partitions of the firmware. Transfer vectors are used to provide indirect accessing of subroutines resident in the firmware. During an updating process, a new version of a subroutine is stored in a free area in the EEPROMs before the transfer vector pointing to the old version of the subroutine is updated. The window of vulnerability to errors during the updating process is minimized by only updating a page of memory containing the transfer vector that points to the old version of the subroutine after the new version has been stored.
`
`7 Claims, 5 Drawing Sheets
`
[Front-page drawing: block diagram with CPU 10, CONTROL LOGIC 15 and EEPROM MEMORY ARRAY 16; reference numerals 11, 11A, 12 and 13 mark the connecting buses.]
`
`GOOGLE EXHIBIT 1013
`
`
`
[Sheet 1 of 5. FIG. 1: block diagram; the only labels legible in the extracted text are EEPROM MEMORY ARRAY and the reference numerals 12 and 15.]
`
`
`
[Sheet 2 of 5. FIG. 2: schematic of PAL 22V10 (17) and four 64Kx8 EEPROMs, type 48C512 (18, 19, 20, 21). Each EEPROM has address pins A15 to A0 driven by LADR<17> to LADR<2>, pins CE, OE and WE, and VPP tied to +12V. Legible PAL inputs: LADR<17> to LADR<13>, the EEROM read and write controls (22, 23), the update enable (24) and CP BM<3> to CP BM<0>; legible PAL outputs include ROM WE B3 (29) and the write enables numbered 30 and 31.]
`
`
`
[Sheet 3 of 5. FIG. 3: memory map by physical address.
 20044000 to 2007FFFF: CONSOLE, DIAGNOSTIC AND BOOT CODE (35)
 20042000 to 20044000: RESERVED AREA (36)
 20040000 to 20042000: ENTRY CODE (37)]
`
`
`
[Sheet 4 of 5. FIG. 4: the memory map of FIG. 3 (boundaries 20040000, 20042000, 20044000, 2007FFFF) with partition 35 marked CONDITIONALLY WRITABLE, partition 36 marked WRITABLE and partition 37 marked PROTECTED (NONWRITABLE). Labels in the map: SUBROUTINE A (42), POINTER TO SUBROUTINE A, POINTER TO POINTER TO SUBROUTINE A.]
`
`
`
[Sheet 5 of 5. FIG. 5: the memory map of FIG. 3 (boundaries 20040000, 20042000, 20044000, 2007FFFF; partitions 35, 36, 37). Labels in the map: SUBROUTINE A' (44), SUBROUTINE A, POINTER TO SUBROUTINE A', POINTER TO POINTER TO SUBROUTINE A'.]
`
`
`
SYSTEM FOR UPDATING PROGRAM STORED IN EEPROM BY STORING NEW VERSION INTO NEW LOCATION AND UPDATING SECOND TRANSFER VECTOR TO CONTAIN STARTING ADDRESS OF NEW VERSION

FIELD OF THE INVENTION

This invention relates to a digital computer memory system and, more particularly, to a digital computer memory system in which firmware resides in electrically erasable programmable read-only memory. The invention provides an efficient means whereby firmware can be updated in the field by a user while maintaining fully functional firmware in the system and an effective means to recover from failure conditions which may occur during the updating process.

BACKGROUND OF THE INVENTION

General purpose digital computers utilize a wide variety of programs to perform various tasks. A computer program is a series of instructions or statements, in a form which is executable by a computer, to achieve a certain result. In a computer system, the programs may be, among others, part of the operating system, compilers, editors or specific application programs. Such computer programs are also referred to as software.

Firmware is a form of a computer program which embodies instructions or data stored in a fixed means, i.e., the instructions or data stored remain intact without the need of a power source, such as a read-only memory ("ROM"), a programmable read-only memory ("PROM") or an erasable programmable read-only memory ("EPROM"), as opposed to instructions or data stored in a random access memory ("RAM"). Once the firmware is stored in one of the aforementioned fixed means, it cannot be written over without removing the integrated circuit chip in which the firmware is stored. Thus, if errors in the firmware are discovered once a computer system has been shipped to a customer, a field service technician would be required to correct the errors. The technician would have to power down the system to install either a new chip or a new circuit board containing a new chip including the corrected firmware. This procedure can be expensive and time consuming.

The advent of electrically erasable programmable read-only memory ("EEPROM") has obviated the need to remove a memory chip containing firmware with errors. An EEPROM is a read-only memory that can be erased and reprogrammed by electrical signals to store new firmware without removing the EEPROM from the circuit board or powering down the computer system. In typical EEPROMs, each location in the EEPROM can be erased separately. The drawback of typical EEPROMs is that they are on the order of one fourth the density of EPROMs. The low density of typical EEPROMs is attributable to the technology utilized to make these EEPROMs. Thus, a greater number of EEPROM chips would be required to provide sufficient storage capabilities.

As a result, present computer systems using EEPROMs typically do not use all EEPROMs for storing firmware. Such systems generally utilize some combination of EEPROMs and ROM, PROM, or EPROM to achieve full functionality and sufficient storage capabilities. Furthermore, present computer systems which protect an area of the firmware from being updated also generally use a combination of EPROMs and EEPROMs. The EPROMs are used to store the firmware that is protected from the updating process.

The above described computer systems overcome the low density problem of the EEPROMs but lose the ability to update a large percentage of the firmware in the field since typically, only a small amount of the firmware is stored in the EEPROM. Most of the operable code is stored in EPROMs. Thus, updates to the firmware resident in the EPROM would still require a field service technician to either replace the EPROM or install a new circuit board containing EPROM with the updated firmware.

Recent advances in technology have obviated the disparity in densities between EEPROMs and EPROMs. Now, the entire system firmware can reside in EEPROMs. While these advances eliminate the necessity for using a combination of EPROMs and EEPROMs for firmware storage, they have also raised the problem of how to maintain a minimum amount of firmware constant in the system. Thus, without providing some safeguards, a user could inadvertently or intentionally corrupt the firmware when performing updates to the extent that a total loss of system intelligence could result. Accordingly, the services of a skilled technician would still be required to perform firmware updates in the field to prevent such corruption of the firmware.

SUMMARY OF THE INVENTION

The present invention provides a computer memory system utilizing only EEPROMs in which to store firmware wherein an end user can perform firmware updates without corrupting the firmware. The invention also provides a failure recovery mechanism to insure that the user will have fully functional firmware if certain failure conditions occur during the updating process. The user need not be a skilled service technician but rather an everyday computer user.

Generally, the present invention comprises an EEPROM array coupled by a bus arrangement to a central processing unit (hereinafter "CPU"). The CPU is also coupled to a system console through which an operator can communicate directly with the CPU. A control logic device is intercoupled between the EEPROM array and the CPU. The control logic device generates the signals which enable the EEPROM to be erased and reprogrammed under the control of the CPU.

The present invention provides for the firmware resident in the EEPROM to be hardware partitioned into protected areas and unprotected areas. The partitioning of the firmware prevents a user from writing over selected partitions of the firmware resident in the EEPROM. This insures that a minimum amount of firmware is constant in the system, thereby preventing the ordinary user from corrupting the firmware to the extent that a total loss of system intelligence results. The EEPROMs maintain a minimal bootstrap to enable either the repeating of the upgrade process upon power failure or simply bootstrapping a known good image of the firmware upon the load of faulty firmware.

The upgrade is implemented by operating the CPU through the console to generate the EEPROM addresses and control signals and thereby transmit the firmware to the EEPROM for storage in the corresponding EEPROM addresses. A portion of the EEPROM addresses generated by the CPU are transmitted to the control logic device. The CPU also generates and transmits control signals to indicate that a firmware update is requested. The control logic device ascertains whether the addresses generated by the CPU are in an area of the EEPROM which is a protected or unprotected partition. If the partition is unprotected, the control logic device generates the appropriate signals to enable the loading of the firmware into the EEPROM.

The present invention also provides a failure recovery mechanism to insure that during firmware upgrades the user will have functional firmware if a failure occurs during the updating process. Two such potential failures are power failure during the upgrade process or the loading of faulty code. The invention minimizes the susceptibility of the computer system to such failure conditions through the partitioning of the firmware and the use of software constructs known as transfer vectors and jump tables. During the updating process, the new version of the firmware is written to memory. It is not until the entire updated version of the firmware is stored that the pointers to the old version of the firmware, maintained in the transfer vectors and jump tables, are updated. This procedure minimizes the risk of firmware corruption during the updating process.

Accordingly, the present invention provides a user with the ability to perform field updating of firmware resident in EEPROM without requiring the removal of circuit boards from the computer system or the need for a skilled operator to perform the upgrade. The invention provides a control logic device to maintain a preselected amount of firmware in a protected partition to prevent overwriting by the user and also provides a recovery mechanism that allows a user to either fall back to the previous state of the firmware or when such fall back cannot be done, to retry the update process and reload the new firmware when failures occur during the firmware update.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a computer system according to the invention.

FIG. 2 is a more detailed block diagram of the computer system of FIG. 1.

FIG. 3 is a memory map illustrating the partitioning of the EEPROMs of FIG. 2.

FIG. 4 is a memory map of the EEPROMs illustrating the locations where a subroutine and transfer vectors are stored in the firmware.

FIG. 5 is a memory map of the EEPROMs illustrating the locations where a first and second version of a subroutine and transfer vectors are stored in the firmware during and after updating.

DETAILED DESCRIPTION

Referring now to the drawings and initially to FIG. 1, there is illustrated, in block diagram form, a system configuration according to the invention. The system comprises a CPU 10, a control logic device 15 and an EEPROM memory array 16. The CPU 10 is coupled to the control logic device 15 by a bus 13. A plurality of control signals is transmitted by the CPU 10 across the bus 13 to the control logic device 15. A bus 12 is a bidirectional data bus which couples the CPU 10 to the EEPROM memory array 16. The CPU 10 transmits data information across the bus 12 to the EEPROM memory array 16. A bus 11 is an address bus which couples the CPU 10 to the EEPROM memory array 16. A bus 11A, which comprises a portion of the address bus 11, couples the CPU 10 to the control logic device 15. The control logic device 15 is coupled to the EEPROM memory array 16 by a bus 14. The control logic device 15 transmits a plurality of control signals across the bus 14 to the EEPROM memory array 16.

The CPU 10 generates and transmits various control signals across the bus 13. These signals from bus 13 and the address bits supplied from the bus 11A are decoded by the control logic device 15 to supply control signals including write enable signals via the bus 14 to the EEPROM memory array 16.

Referring now to FIG. 2, there is illustrated, a preferred embodiment of the present invention. In this preferred embodiment, the control logic device of FIG. 1 is a programmable array logic chip (hereinafter "PAL") 17, for example, a 24 pin AmPAL22V10 manufactured by Advanced Micro Devices. The PAL 17 utilizes a sum-of-products (AND-OR) logic structure, allowing logic designers to program custom logic functions. The PAL 17 is programmed to accept twelve input signals and to generate six output signals. The CPU 10 of FIG. 1 is coupled to the PAL 17 by the bus 11A and the bus 13. The CPU 10 transmits twelve input signals to the PAL 17 across the bus 11A and the bus 13. The CPU 10 is coupled by the bus 11 and the bus 12 to the EEPROM memory array 16. The EEPROM memory array 16 comprises four 64K x 8 EEPROMs 18, 19, 20 and 21. The four EEPROMs are organized to provide a 32 bit wide data word. Each of the EEPROMs 18, 19, 20 and 21 have a chip enable, output enable, and a write enable input. This preferred embodiment of the present invention utilizes EEPROMs model number 48C512 manufactured by SEEQ Technology. The 48C512 EEPROMs 18-21 are referred to as Flash EEPROMs. This type of EEPROM achieves densities equivalent to EPROMs. However, the data stored in such EEPROMs is erased one page (a page is 512 bytes) at a time instead of location by location.

The first group of input signals transmitted from the CPU 10 to the PAL 17, are the address bits, LADR <17:13> 26, transmitted from the CPU 10 over the bus 11A. The LADR 26 signals are supplied to the PAL 17 so it can determine an address range being addressed by the CPU 10 when a write to the EEPROM memory array 16 is requested. The second group of input signals are the CP_BM <3:0> 25 signals which are control signals transmitted by the CPU 10 across the bus 13. These signals are byte masks that indicate which byte(s) of the firmware stored in the EEPROM memory array 16 is to be written. The CPU 10 can also transmit three more control signals, a RD_EEROM 22, a WR_EEROM 23 and an UPDATE_ENB 24 across the bus 13 to the PAL 17. The RD_EEROM 22 is an active low signal which indicates a read memory request. The WR_EEROM 23 is also an active low signal which indicates a write to memory request. The UPDATE_ENB 24 signal is an active low signal which indicates that a firmware update is to be performed.

The UPDATE_ENB 24 signal also provides a physical security check to the update process. In the preferred embodiment of the present invention, the UPDATE_ENB 24 signal is generated by the CPU 10 in response to the setting of a switch on the console. Remote firmware updates to selected partitions referred to as conditionally writable partitions of the firmware are prevented by requiring this switch to be physically set by a user present at the console.
`
`
`
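The write gating performed by the PAL and the update ordering set out in the Summary, modelled in C as an added example (not code from the patent). The partition bounds come from FIG. 3 and from the PAL rules listed later in the description; the vector and subroutine addresses, the image NEW_A and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Partition bounds from the memory map of FIG. 3. */
#define ROM_BASE 0x20040000u /* partition 37: protected, never writable */
#define ROM_TOP  0x2007FFFFu /* top of partition 35                     */
#define ROM_WORDS ((ROM_TOP - ROM_BASE + 1u) / 4u) /* 64K x 32 bits     */

/* Constructed addresses for this example (not from the patent). */
#define VEC38  0x20040100u /* first transfer vector, partition 37  */
#define VEC41  0x20042010u /* second transfer vector, partition 36 */
#define SUB_A  0x20050000u /* old subroutine A, partition 35       */
#define SUB_A2 0x20060000u /* free area for A', partition 35       */

static uint32_t rom[ROM_WORDS];            /* simulated EEPROM array 18-21 */
static const uint32_t NEW_A[4] = {0xA1u, 0xA2u, 0xA3u, 0xA4u}; /* constructed A' */

/* Model of PAL rules (3)-(6). All inputs are active low, as in the text:
 * bm_n = CP_BM<3:0>, wr_n = WR_EEROM, upd_n = UPDATE_ENB.
 * Only LADR<17:13> is decoded, so protection has 8 KB granularity.
 * Returns a mask in which bit i set means ROM_WE_Bi is asserted. */
unsigned pal_write_enables(uint32_t addr, unsigned bm_n, int wr_n, int upd_n)
{
    unsigned block;
    if (wr_n != 0 || addr < ROM_BASE || addr > ROM_TOP)
        return 0;
    block = (addr >> 13) & 0x1Fu;          /* LADR<17:13> */
    if (block == 0)
        return 0;                          /* 20040000-20041FFF: no rule matches */
    if (block >= 2 && upd_n != 0)
        return 0;                          /* 20044000-2007FFFF needs the console switch */
    return ~bm_n & 0xFu;                   /* one write enable per selected byte */
}

uint32_t rom_read(uint32_t addr) { return rom[(addr - ROM_BASE) / 4u]; }

/* A CPU longword write: only byte lanes whose write enable is asserted change. */
int rom_write(uint32_t addr, uint32_t data, unsigned bm_n, int upd_n)
{
    unsigned we = pal_write_enables(addr, bm_n, 0, upd_n);
    uint32_t *w;
    if (we == 0)
        return 0;                          /* write inhibited by the PAL */
    w = &rom[(addr - ROM_BASE) / 4u];
    for (int i = 0; i < 4; i++)
        if (we & (1u << i)) {
            uint32_t lane = 0xFFu << (8 * i);
            *w = (*w & ~lane) | (data & lane);
        }
    return 1;
}

/* Caller's view: fixed vector 38 -> updatable vector 41 -> subroutine start. */
uint32_t resolve(uint32_t vec38) { return rom_read(rom_read(vec38)); }

/* Manufacturing-time image, written directly because partition 37
 * cannot be written through the PAL. Returns what vector 38 resolves to. */
uint32_t factory_load(void)
{
    rom[(VEC38 - ROM_BASE) / 4u] = VEC41;
    rom[(VEC41 - ROM_BASE) / 4u] = SUB_A;
    return resolve(VEC38);
}

/* Update order from the text: store all of A' first, switch vector 41 last.
 * fail_after = words stored before a simulated power failure (-1 for none).
 * Page erase of the flash parts is not modelled.
 * Returns 0 on success, -1 on power failure, -2 if the PAL inhibited a write. */
int update_subroutine(const uint32_t *img, int nwords, int fail_after, int upd_n)
{
    for (int i = 0; i < nwords; i++) {
        if (i == fail_after)
            return -1;
        if (!rom_write(SUB_A2 + 4u * (uint32_t)i, img[i], 0x0u, upd_n))
            return -2;
    }
    return rom_write(VEC41, SUB_A2, 0x0u, upd_n) ? 0 : -2;
}

int main(void)
{
    factory_load();
    update_subroutine(NEW_A, 4, 2, 0);     /* power fails mid-store */
    printf("after failed update: %08x\n", (unsigned)resolve(VEC38));
    update_subroutine(NEW_A, 4, -1, 0);    /* retry completes */
    printf("after retry:         %08x\n", (unsigned)resolve(VEC38));
    printf("write to vector 38 accepted: %d\n", rom_write(VEC38, 0u, 0x0u, 0));
    return 0;
}
```

An interrupted store leaves vector 41 pointing at the old subroutine, so callers going through vector 38 never see a partial image; the single write to vector 41 is the only step that changes what they reach.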
The bus 11 of FIG. 1 is an address bus 33 in the preferred embodiment which couples the four EEPROMs 18, 19, 20 and 21 to the CPU 10. The CPU 10 transmits 16 address signals LADR <17:2> across the address bus 33 to the EEPROMs 18, 19, 20 and 21. The bus 12 of FIG. 1 is a bidirectional data bus 34 in the preferred embodiment which also couples the four EEPROMs 18, 19, 20 and 21 to the CPU 10. The bus 34 comprises 32 signal lines which carry 32 bits of data. The bus 34 is divided into four bytes and thereafter coupled to the EEPROMs. The bytes of data are coupled to the EEPROMs in ascending byte order starting with EEPROM 21, as the least significant byte, then EEPROM 20, EEPROM 19, and EEPROM 18 as the most significant byte.

The internal organization of the PAL 17 provides for the hardware partitioning of the firmware resident in the EEPROMs. Referring now to FIG. 3, there is shown a memory map of the 64K x 32 bit wide EEPROM array 18-21 which illustrates the partitions of the firmware. The firmware is partitioned into three distinct areas. The upper address range (20044000 to 2007FFFF) partition 35 of the firmware is a conditionally writable partition reserved for console, diagnostic and bootstrap code. This partition 35 is conditionally writable by any user with system privileges because of the physical security check described above which must be satisfied to write to this partition. The physical security check requires the CPU 10 to generate the UPDATE_ENB 24 signal in response to the setting of a switch on the system console by a user. This physical security check, therefore, requires the user to be physically present at the system console during the updating of firmware in this partition. The physical security check also prevents a user from remotely initiating a write to this partition. The middle address range (20042000 to 20043FFF) partition 36 is a writable partition reserved for the firmware. This partition can be written to, either locally or remotely, by any user with system privileges. The lower address range (20040000 to 20041FFF) partition 37 is a nonwritable partition reserved for the firmware entry code that can never be written to by a user.

The PAL 17 prevents the updating of the lower address range partition 37 by not generating a write signal to the addressed EEPROM if a write request to that partition is generated by the CPU 10. The PAL 17 implements a set of rules and conditions to accomplish the hardware partitioning of the firmware and thereby render certain areas of the firmware inaccessible to a user. An advantage of utilizing a PAL for the hardware partitioning of the firmware instead of partitioning the firmware in software, is that the PAL prevents users from bypassing the software protection and gaining write access to the protected partitions.

The six output signals of the PAL 17, a ROM_CE 27, a ROM_OE 28, a ROM_WE_B0 32, a ROM_WE_B1 31, a ROM_WE_B2 30, and a ROM_WE_B3 29, are generated in accordance with the conditions set forth in the rules listed below:

(1) ROM_CE = RD_EEROM + WR_EEROM
    ROM_CE.OE = OE

(2) ROM_OE = RD_EEROM
    ROM_OE.OE = OE

(3) ROM_WE_B0 = CP_BM0 • WR_EEROM • ADDR: [20042000 ... 20043FFF]
              + CP_BM0 • WR_EEROM • UPDATE_ENB • ADDR: [20044000 ... 2007FFFF]
    ROM_WE_B0.OE = OE

(4) ROM_WE_B1 = CP_BM1 • WR_EEROM • ADDR: [20042000 ... 20043FFF]
              + CP_BM1 • WR_EEROM • UPDATE_ENB • ADDR: [20044000 ... 2007FFFF]
    ROM_WE_B1.OE = OE

(5) ROM_WE_B2 = CP_BM2 • WR_EEROM • ADDR: [20042000 ... 20043FFF]
              + CP_BM2 • WR_EEROM • UPDATE_ENB • ADDR: [20044000 ... 2007FFFF]
    ROM_WE_B2.OE = OE

(6) ROM_WE_B3 = CP_BM3 • WR_EEROM • ADDR: [20042000 ... 20043FFF]
              + CP_BM3 • WR_EEROM • UPDATE_ENB • ADDR: [20044000 ... 2007FFFF]
    ROM_WE_B3.OE = OE

These output signals are transmitted by the PAL 17 to the EEPROM memory array 16 across the bus 14 when the above conditions are met. For example, referring to rule one, the ROM_CE 27 signal is generated when either the RD_EEROM 22 or (logical OR) the WR_EEROM 23 signal is generated. Similarly, rule two shows that the ROM_OE 28 signal is generated whenever the RD_EEROM 22 signal is generated. The remaining rules produce a write signal for a specific EEPROM addressed by the LADR 26 signals provided the conditions set forth are met. Referring to rule three, the conditions which must be met to generate the write signal, ROM_WE_B0 32, are that the address presented to the PAL 17 on LADR <17:13> 26 be within the address range 20042000 to 20043FFF and (logical AND) the CP_BM0 signal is low and (logical AND) the WR_EEROM 23 signal is low, or (logical OR) the address presented to the PAL 17 on LADR <17:13> 26 be within the address range 20044000 to 2007FFFF and (logical AND) the CP_BM0 signal is low and (logical AND) the WR_EEROM 23 and (logical AND) the UPDATE_ENB 24 signals are low. It is implicit in the conditions set forth in rule three that a write to an address within the address range of 20040000 to 20041FFF will never be performed since such write is effectively inhibited. The other write request signals, the ROM_WE_B3 29, ROM_WE_B2 30, and ROM_WE_B1 31, are similarly generated. The conditions set forth in the rules three through six to generate the write signals are identical with the exception of the CP_BM 25 signals. The CP_BM 25 signals are byte mask signals that determine which output write signal is generated. For example, if CP_BM <2> is generated, then ROM_WE_B2 30 is generated provided the other conditions listed in rule five are met.

In summary, to cause the PAL 17 to generate a write enable signal for an address within the address range of 20042000 to 20043FFF, the CPU 10 must generate a write control signal and an address within the specified address range. Similarly, the CPU 10 must generate a write control signal, an update enable signal, and an address within the specified address range to cause the PAL 17 to generate a write enable signal to store data at an address within the address range of 20044000 to 2007FFFF. The CPU 10 controls which EEPROM of the EEPROM memory array is written by generating the byte mask signal(s) for the EEPROM to be written. The PAL 17 will never generate a write enable signal to write data to an address within the address range of 20040000 to 20041FFF. This is a protected area of the firmware which can never be updated.

The ROM_CE 27 signal output by the PAL 17 is coupled to the chip enable input of each of the EEPROMs. The ROM_OE 28 signal output by the PAL 17 is coupled to the output enable input of each of the EEPROMs. The ROM_WE_B3 29, ROM_WE_B2 30, ROM_WE_B1 31, and ROM_WE_B0 32 signals output by the PAL 17 are coupled respectively to the write enable inputs of EEPROM 18, EEPROM 19, EEPROM 20, and EEPROM 21.

The hardware partition of the firmware provided by the PAL 17 in the present invention prevents unauthorized updates of the protected partition of the firmware resident in the EEPROMs and maintains enough intelligence so that the EEPROMs can be successfully updated. If a firmware error is present in the lower partition 37, then previously described methods of updating must be used. The remaining partitions, the middle address range partition 36 and the upper address range partition 35 are updatable by a user. It is in partitions 36 and 35 that the system firmware resides.

To start the update process, the UPDATE_ENB 24 input to the PAL 17 is driven low by the CPU 10. The PAL 17 can then issue a write request by setting WR_EEROM 23 low, providing the address of the location in the EEPROM on the LADR 33 lines to the EEPROMs and the LADR 26 lines to the PAL 17 and setting the CP_BM 25 lines low to indicate which EEPROM(s) is to be written. The PAL 17 interprets the input signals in accordance with the conditions set forth in the rules to determine if the write request is to an accessible area in the firmware or a protected area as indicated by the address presented on LADR <17:13> 26. If the write request is within the protected area of the firmware the PAL 17 does not generate an output

determines which EEPROM is to be written by the CP_BM 25 signals.

The present invention also provides an effective means to maintain the integrity of the system firmware during the updating process. The invention prevents a total loss of firmware functionality that would render the system inoperable by reducing a "window of vulnerability" to errors. The window of vulnerability is the time period during the updating process when the firmware can be corrupted by a failure. This window is reduced by updating the EEPROMs one page at a time in combination with the use of software constructs known as transfer vectors and jump tables.

The subroutines resident in the firmware can be utilized by software which is stored in other areas in memory in the computer system of the present invention. Transfer vectors are used to provide a level of indirect addressing to these subroutines. These vectors provide a valuable means to maintain the accessibility of a subroutine resident in the firmware to the rest of the system software routines when the firmware is updated. This accessibility is maintained without affecting the other software routines, thus, an update of the firmware is transparent to the rest of the system.

To use a subroutine in firmware, the software routine calls the transfer vector which causes the execution to start at the beginning of the subroutine. To maintain the accessibility of these subroutines, the transfer vectors are stored in the nonwritable area of the EEPROMs. Thus, two levels of indirect addressing must be provided by utilizing two transfer vectors to access a subroutine. One vector is stored in the protected partition of the firmware to keep its address constant while the second vector is stored in an unprotected partition so it can be updated. A group of the second transfer vectors are stored in the same page of memory for reasons set forth below.

Referring now to FIG. 4, there is illustrated, in the memory map of FIG. 3, how transfer vectors are used in the present invention. The transfer vector 38 is stored in the protected partition 37 of the firmware. Since the address of the vector 38 is fixed, updates to a subroutine which it points to will not affect its starting address, and therefore, be transparent to the rest of the system. Vector 38 contains the address of transfer vector 41 which resides in the writable partition 36 of the firmware. The vector 41 contains the starting address of a subroutine A 42. Thus, a software routine which wants to execute subroutine A 42, obtains access to it by addressing the fixed address of vector 38 which points to vector 41 which points to the starting address of subroutine A 42.

Referring now to FIG. 5, there is illustrated in the memory map of FIG. 3, the process of updating the firmware. As shown, the location of transfer vectors 38 and 41 and subroutine A 42 are unchanged. The CPU 10 stores the new version of subroutine A 42, subroutine A' 44, in the conditional write partition 35 of the firmware. The process of storing the subroutine A' 44 could be on the order of seconds depending on how much memory subroutine A' 44 occupies. If, at anytime during the storing of subroutine A' 44 an error occurs, i.e., a power failure, the integrity of the firmware will not be affected since subr