OTA

OTA (Over The Air) represents the technology that apply Bluetooth to upgrade image (code and data) that runs in RTL87x2G Flash.

Flash Layout and OTA Scheme

Flash Layout

Flash Layout of RTL87x2G consists of Reserved，OEM Header, Bank0 Boot Patch，Bank1 Boot Patch, OTA Bank0, OTA Bank1, OTA TMP，Secure APP(optional)，FTL and APP defined section, the starting address for accessing flash is 0x04000000((The first 4K of flash is Reserved area). Memory and corresponding function of flash is shown in Flash Memory and Function Description.

Flash Layout

Flash Memory and Function Description

Memory Segment	Starting Address	Size(Bytes)	Functions	Support OTA
OEM Config	0x04010000	0x1000	Storage of Config information, including Bluetooth address, AES Key and Customizable Flash Layout	No
Bank0 Boot Patch	Variable (Determined by Efuse)	Variable (Determined by Efuse)	Flash boot loader. Bank0 Boot Patch and Bank1 Boot Patch have the same function and serve as backup areas for each other.	Yes
Bank1 Boot Patch	Variable (Determined by Efuse)	Variable (Determined by Efuse)	Flash boot loader	Yes
OTA Bank0	Variable (defined in OEM Config)	Variable (defined in OEM Config)	OTA Bank0 is primarily used to store the firmware and runtime data of the device. For specific functions, refer to OTA Bank Flash Segmentation. In the non-support bank switching OTA scheme, the OTA TMP area is used as an OTA backup area to store backup firmware. The BootLoader will eventually copy and activate the backup firmware. On the other hand, in the supporting bank switching OTA scheme, OTA Bank0 and OTA Bank1 are used as mutually backup firmware storage areas. During the firmware update process, these two storage areas can be alternately used, ensuring that in the event of a firmware update failure, the system can revert to the previous backup firmware, thereby maintaining system stability and security.	Yes
OTA Bank1	Variable (defined in OEM Config)	Variable (defined in OEM Config)	In the supporting bank switching OTA scheme, if OTA Bank0 is the active area, then OTA Bank1 will be the backup area. Conversely, if OTA Bank1 is the active area, then OTA Bank0 will be the backup area.	Yes
Bank0 Secure APP	Variable (defined in OEM Config)	Variable (defined in OEM Config)	When TrustZone is enabled, Secure APP (Secure Application) can run in the TrustZone environment, ensuring the security protection of sensitive data and operations. In this case, Bank0 Secure APP and Bank1 Secure APP have the same function and act as backup areas for each other.	Yes
Bank1 Secure APP	Variable (defined in OEM Config)	Variable (defined in OEM Config)	Same as Bank0 Secure APP, serving as a backup area for each other	Yes
OTA TMP	Variable (defined in OEM Config)	Variable (defined in OEM Config)	If you are not using bank switching for OTA updates, and instead using one bank as the backup area, then the size of the backup area must be equal to or greater than the maximum size of the image stored in OTA bank0.	Yes
FTL	Variable (defined in OEM Config)	Variable (defined in OEM Config)	This area supports accessing flash by logical address	No
APP Defined Section	Variable (defined in OEM Config)	Variable (defined in OEM Config)	The remaining space of the Flash can be used as the application's customized area. This region is not managed by the OTA scheme, and users can freely use it to store and manage their own data, code, or other application-related content.	No

OTA Bank layout and description for each part is shown below.

Layout of OTA Bank

OTA Bank Flash Segmentation

Memory Segment	Starting Address	Size(Bytes)	Functions	Support OTA or not
OTA Header	Determined in the OEM Config region	4KB	This region contains the OTA Header version and start address and size of the images in the bank	Yes, when using supporting Bank Switching scheme No, when using non-support Bank Switching scheme
System Patch	Determined in the OTA Header region	Variable	This region contains the code that optimize and extend the system in non-secure rom	Yes
BT Stack Patch	Determined in the OTA Header region	Variable	Bluetooth controller protocol stack optimization and extension code	Yes
BT Host	Determined in the OTA Header region	Variable	Implement part of the code for HCI and above Bluetooth protocol stack	Yes
App	Determined in the OTA Header region	Variable	This region contains project code	Yes
App Config File	Determined in the OTA Header region	Variable	App Config information	Yes
App Data1	Determined in the OTA Header region	Variable	Application's customized area	Yes
App Data2	Determined in the OTA Header region	Variable	Application's customized area	Yes
App Data3	Determined in the OTA Header region	Variable	Application's customized area	Yes
App Data4	Determined in the OTA Header region	Variable	Application's customized area	Yes
App Data5	Determined in the OTA Header region	Variable	Application's customized area	Yes
App Data6	Determined in the OTA Header region	Variable	Application's customized area	Yes

OTA Scheme

Depending on different flash layouts, there are two OTA schemes: supporting Bank switching and non-support Bank switching. Whether or not bank switching is supported, the boot patch image is always independently dual banked, serving the same function and acting as a backup for each other. For example, if the current boot patch is running in bank0, the OTA can only upgrade the boot patch in bank1. After the upgrade is complete, the system will restart and choose the bank with the higher version number to run, if the version numbers are the same, it will run in bank0.

The supporting bank switching scheme requires two identical OTA banks to back up each other. The advantage of this scheme is that the program directly jumps to the new Bank to run, making the OTA upgrade switching process very fast after the upgrade is completed and the system is rebooted. The disadvantage is that it increases the flash overhead, so in general, when choosing the supporting bank switching scheme, the flash size should be relatively large.

The Flash layout of the non-support bank switching scheme and the supporting bank switching scheme have the following differences.

1. The capacity of OTA Bank1 area is not allocated.

2. The OTA TMP area needs to be allocated, and its size should not be less than the largest image size in OTA Bank0. Therefore, the non-support bank switching scheme relatively saves flash space. After the OTA transmission is completed, the boot program will copy the data in the OTA TMP area to the specified image area in OTA Bank 0, and then restart to take effect, which relatively increases the restart time after the OTA upgrade is completed.

3. The non-support bank switching scheme also supports combined image upgrades, which is enabled by default. When using a combined image upgrade, when writing the image data to the OTA TMP area, it will calculate whether the remaining space in the OTA TMP area can accommodate the next image file that needs to be written. If it can, it will continue to write the next image file to the OTA temp area. When it can't, it will copy the data in the OTA TMP area to the OTA Bank0 area. The advantage of combined upgrading is to reduce the number of restarts and speed up the transmission rate.

supporting Bank switching

• Advantages: The total size of the bank is fixed. There is a backup bank, You can dynamically adjust the size of each image in the bank.

• Disadvantages: The utilization rate of flash space is low.

• Maintenance: It is necessary to maintain images for two bank corresponding addresses. The image released by Realtek by default only supports running on bank0. If you need to run on bank1, you need to contact Realtek to obtain it.

non-support Bank switching

• Advantages: The utilization rate of flash space is higher.

• Disadvantages: Each image cannot be upgraded at the same time, and there are situations where old and new combinations coexist. After OTA is completed, activating the image will increase the boot time for that time.

• Maintenance: Only the Bank0 image is needed.

Image format

All images that support upgrades are composed of a 1280-Bytes image header and a variable-length payload. The image header contains the image type, size, version number, hash value, signature information, etc. The headers in the OTA Header file and other images are slightly different, which are explained below.

OTA Header File Format

OTA Header file is generated by Flashmap Generate Tool. Each field description of the header are described below.

OTA Header Layout

Header fields and corresponding functions are shown below.

Fields of OTA Header

Fields	Length(Bytes)	Functions
image_signature	384	The signature of the OTA Header
image_hash	32	The hash of the OTA Header
ctrl_header	12	The control information of the OTA Header
ver_val	4	The version information of the OTA Header
image_info	252	The starting address and size of all images

Other Image Format

The definitions of each field in the Image header are shown below.

Image Header Layout

OTA corresponding functions are shown below.

Image Header Field

Fields	Length(Bytes)	Functions
image_signature	384	The signature of the image
image_hash	32	The hash of image
ctrl_header	12	The control information of the image
ver_val	4	The version information of the image

ctrl_header format in Image Header is shown as follows.

typedef struct _IMG_CTRL_HEADER_FORMAT
{
    uint16_t crc16;
    uint8_t ic_type;
    uint8_t secure_version;
    union
    {
        uint16_t value;
        struct
        {
            uint16_t xip: 1; // payload is executed on flash
            uint16_t enc: 1; // all the payload is encrypted
            uint16_t load_when_boot: 1; // load image when boot
            uint16_t enc_load: 1; // encrypt load part or not
            uint16_t enc_key_select: 3; // referenced to ENC_KEY_SELECT
            uint16_t not_ready: 1; //for copy image in ota
            uint16_t not_obsolete: 1; //for copy image in ota
            uint16_t integrity_check_en_in_boot: 1; // enable image integrity check in boot flow
            uint16_t compressed_not_ready: 1;
            uint16_t compressed_not_obsolete: 1;
            uint16_t rsvd: 1;
            uint16_t image_type: 3; /*for app 000b: normal image, 001b:compressed image, other for more types
            for patch in temp bank consist of 001b: patch+fsbl, 010b: patch+app, 011b: patch+fsbl+app*/
        };
    } ctrl_flag;
    uint16_t image_id;
    uint32_t payload_len;
} T_IMG_CTRL_HEADER_FORMAT;

• ic_type represents IC type, which has the value of 15 when RTL87x2G chip is used.

• secure_version indicates version of secure boot image.

• image_id identifies different types of image, among which SCCD, OCCD cannot be updated through OTA.

typedef enum
{
    IMG_SCCD             = 0x379D,
    IMG_OCCD             = 0x379E,
    IMG_BOOTPATCH        = 0x379F,          /*!< KM4 boot patch */
    IMG_DFU_FIRST        = IMG_BOOTPATCH,
    IMG_OTA              = 0x37A0,          /*!< OTA header */
    IMG_SECUREMCUAPP     = 0x37A2,          /*!< KM4 secure app */
    IMG_SECUREMCUAPPDATA = 0x37A3,          /*!< KM4 secure app data */
    IMG_BT_STACKPATCH    = 0x37A6,          /*!< BT stack patch */
    IMG_BANK_FIRST       = IMG_BT_STACKPATCH,
    IMG_MCUPATCH         = 0x37A7,          /*!< KM4 non-secure rom patch */
    IMG_UPPERSTACK       = 0x37A8,          /*!< KM4 non-secure Upperstack */
    IMG_MCUAPP           = 0x37A9,          /*!< KM4 non-secure app */
    IMG_MCUCFGDATA       = 0x37AA,          /*!< KM4 MCUConfigData */
    IMG_MCUAPPDATA1      = 0x37AE,
    IMG_MCUAPPDATA2      = 0x37AF,
    IMG_MCUAPPDATA3      = 0x37B0,
    IMG_MCUAPPDATA4      = 0x37B1,
    IMG_MCUAPPDATA5      = 0x37B2,
    IMG_MCUAPPDATA6      = 0x37B3,
    IMG_ZIGBEESTACK      = 0x37B4,          /*!< KM4 Zigbee stack */

    IMG_MAX              = 0x37B5,
    IMG_DFU_MAX          = IMG_MAX,

    IMG_RO_DATA1         = 0x3A81,
    IMG_RO_DATA2         = 0x3A82,
    IMG_RO_DATA3         = 0x3A83,
    IMG_RO_DATA4         = 0x3A84,
    IMG_RO_DATA5         = 0x3A85,
    IMG_RO_DATA6         = 0x3A86,

    IMG_USER_DATA8       = 0xFFF7,    /*!< the image data only support unsafe single bank ota */
    IMG_USER_DATA_FIRST  = IMG_USER_DATA8,
    IMG_USER_DATA7       = 0xFFF8,    /*!< the image data only support unsafe single bank ota */
    IMG_USER_DATA6       = 0xFFF9,    /*!< the image data only support unsafe single bank ota */
    IMG_USER_DATA5       = 0xFFFA,    /*!< the image data only support unsafe single bank ota */
    IMG_USER_DATA4       = 0xFFFB,    /*!< the image data only support unsafe single bank ota */
    IMG_USER_DATA3       = 0xFFFC,    /*!< the image data only support unsafe single bank ota */
    IMG_USER_DATA2       = 0xFFFD,    /*!< the image data only support unsafe single bank ota */
    IMG_USER_DATA1       = 0xFFFE,    /*!< the image data only support unsafe single bank ota */
    IMG_USER_DATA_MAX    = 0xFFFF,    /*!< the image data only support unsafe single bank ota */
} IMG_ID;

备注

1. The unit of payload_len is bytes, which indicates the size of the image, not including the 1280 bytes of the image header. The total length of the image is the payload_len plus 1280 bytes.

2. crc16 represents performing crc and SHA256 verification on the image. The prepend_header tool will calculate crc and sha256 values at the same time, and SHA256 check is used by default.

3. The ctrl_flag and its bit-fields related to OTA are only not_ready and not_obsolete.

   1. not_ready indicates whether the image is valid. By default, the not_ready field in the image header of files published, compiled, or generated by tools is all 0.

      1. There is a risk of power outage when transferring the image to the backup area via Bluetooth. Therefore, before writing to the backup area, you need to change not_ready to 1 and then write to the flash.

      2. Only when the image transfer is complete and the image integrity check is successful, modify the not_ready in the backup area image to 0, indicating the backup area image is valid.

      3. After the system restarts, the activation process of the backup image is completed by the BootLoader.

   2. not_obsolete indicates if the image should be abandoned and its default value is 1.

      1. When bank switching is supported, not_obsolete is invalid during the OTA process.

      2. When bank switching is not supported, after the OTA upgrade is complete, the boot code determines that not_ready is 0 and not_obsolete is 1. At this time, the image will be transferred from the OTA_TMP area to the corresponding image run area in OTA Bank0. After the transfer is successful, write the not_obsolete in the OTA_TMP area image to 0 to prevent repeated transfers. This ensures that the upgraded image is properly installed and run, and the old image is marked as obsolete to avoid being used again.

Tool Usage

Tool

Flash Map Generate Tool

Generate flash_map.h, flash map.ini and OTA Header file.

备注

• flash_map.h needs to be placed in the upper-level directory of the project to participate in the compilation and generate the APP image.

• flash map.ini is the input file of MPPackTool and MP Tool, and it is necessary to ensure that the image is consistent with all the output addresses set.

MP Pack Tool

Package OTA files.

APP Data Tool

The APP Data file is generated through the SDK/tools/AppData generation script. For details, please refer to the APP Data Tool Quick Start Guide.

User Data Tool

The User Data file is generated through the SDK/tools/UserData generation script.

OTA supporting Bank Switching scheme

Flash Layout

Below is an example of the supporting Bank switching scheme with a 2M byte flash. The flash layout is shown in the table below.

Flash Layout Sample(supporting bank switching)

Sample Layout for flash(total size = 2M)	Size(Bytes)	Start Address
Reserved	4K	0x04000000
OEM Header	4K	0x04001000
Bank0 Boot Patch	32K	0x04002000
Bank1 Boot Patch	32K	0x0400A000
OTA Bank0	596K	0x04012000
OTA Header	4K	0x04012000
System Patch code	32K	0x04013000
BT Stack Patch code	60K	0x0401B000
BT Host code	212K	0x0402A000
APP code	284K	0x0405F000
APP Config File	4K	0x040A6000
APP data1	0K	0x040A7000
APP data2	0K	0x040A7000
APP data3	0K	0x040A7000
APP data4	0K	0x040A7000
APP data5	0K	0x040A7000
APP data6	0K	0x040A7000
OTA Bank1	596K	0x040A7000
OTA Header	4K	0x040A7000
System Patch code	32K	0x040A8000
BT Stack Patch code	60K	0x040B0000
BT Host code	212K	0x040BF000
APP code	284K	0x040F4000
APP Config File	4K	0x0413B000
APP data1	0K	0x0413C000
APP data2	0K	0x0413C000
APP data3	0K	0x0413C000
APP data4	0K	0x0413C000
APP data5	0K	0x0413C000
APP data6	0K	0x0413C000
Bank0 Secure APP code	0K	0x0413C000
Bank0 Secure APP Data	0K	0x0413C000
Bank1 Secure APP code	0K	0x0413C000
Bank1 Secure APP Data	0K	0x0413C000
OTA Temp	32K	0x0413C000
FTL	16K	0x04148000
APP Defined Section	736K	0x040FF000

备注

Flash Layout should be determined based on actual size of image and data.

Usage of Package Tool

1. Use FlashMapGenerateTool to flash map.ini, flash_map.h, Bank0 OTA Header file and Bank1 OTA Header file.

   1. Select Flash Size.

   2. Select Enable bank switch.

   3. Set up two-level flash layout.

   4. Click Confirm to complete the flash layout settings.

   5. Modify OTA Header file version.

   6. Click Confirm to generate flash_map.h, flash map.ini, Bank0 OTA Header file and Bank1 OTA Header file.

   

   Flash layout config and generate ota header image

   备注

   The version number of the OTA Header used for packaging is higher than the version number of the original running version, so that the new bank can take effect normally after the OTA upgrade.

2. Copy flash_map.h to the upper-level directory with project. Link and compile the project to generate app_MP_sdk#####+version+MD5.bin file for packaging.

   

   Build APP image

   备注

   Supporting Bank switching scheme needs to compile the app images of OTA BANK0 and OTA BANK1. The demo app project in the Realtek released SDK can only compile the app image of OTA BANK0 by default. Compiling app image of OTA BANK1 need modify the macro ‘APP_BANK’ in mem_config.h in the upper-level directory as the project file to 1.

/** @brief set app bank to support OTA: 1 is ota bank1, 0 is ota bank0 */
#define APP_BANK                                  1

3. Get system patch, stack patch and BT Host image that runs runs in OTA Bank1.

   备注

   The default released system patch, stack patch and BT host image can only run in OTA Bank0. Please consult Realtek to get system patch, stack patch and BT Host image that runs in OTA Bank1, when you choose bank switching method.

4. Generate packet file of ImgPacketFile-xxxxxx.bin in current directory, which is used for updating.

   1. Select ForOTA option.

   2. Load the generated flash map.ini.

   3. Load all OTA Bank0 and Bank1 images according to the set flash map.

   4. Click Confirm to generate the package file.

   

   Use the MPPackTool to package files -- supporting bank switching

   备注

   • Both Bank0 OTA Header file and Bank1 OTA Header file need to be packaged, different from the scheme non-support bank switching.

   • All the contents defined in flash layout need to be packaged.

   • It is recommended that package both bank0 and bank1.

OTA non-support Bank switching scheme

Flash Layout

Below is an example of using a 1M byte flash non-support Bank switching method. The flash layout is shown in the table below.

Flash Layout Sample(non-support bank switching)

Sample Layout for flash(total size = 1M)	Size(Bytes)	Start Address
Reserved	4K	0x04000000
OEM Header	4K	0x04001000
Bank0 Boot Patch	32K	0x04002000
Bank1 Boot Patch	32K	0x0400A000
OTA Bank0	612K	0x04012000
OTA Header	4K	0x04012000
System Patch code	32K	0x04013000
BT Stack Patch code	60K	0x0401B000
BT Host code	212K	0x0402A000
APP code	304K	0x0405F000
APP Config File	4K	0x040AC000
APP data1	0K	0x040AD000
APP data2	0K	0x040AD000
APP data3	0K	0x040AD000
APP data4	0K	0x040AD000
APP data5	0K	0x040AD000
APP data6	0K	0x040AD000
OTA Bank1(Equal to 0)	0K	0x040AD000
Bank0 Secure APP code	0K	0x040AD000
Bank0 Secure APP Data	0K	0x040AD000
Bank1 Secure APP code	0K	0x040AD000
Bank1 Secure APP Data	0K	0x040AD000
OTA Temp	312K	0x040AD000
FTL	16K	0x040FB000

备注

The space for APP data is not allocated in this sample. Flash Layout should be distributed based on actual size of image and data.

Usage of Package Tool

1. Use FlashMapGenerateTool to flash map.ini, flash_map.h and Bank0 OTA Header file.

   1. Select Flash Size.

   2. Select Disable bank switch.

   3. Set up two-level flash layout.

   4. Click Confirm to complete the flash layout settings.

   5. Modify OTA Header file version.

   6. Click Confirm to generate flash_map.h, flash map.ini and Bank0 OTA Header file.

   

   Configure Flash Layout and generate Bank0 OTA Header file

   备注

   The flash map.ini generated here needs to be consistent with the flash map.ini used in the MP stage.

2. Copy flash_map.h to project directory. Link and compile the project to generate app_MP_sdk#####+version +MD5.bin file for packaging. To apply the non-support Bank switching scheme, mem_config.h in project directory should be modified.

/* @brief set app bank to support OTA: 1 is ota bank1, 0 is ota bank0 */
#define APP_BANK                                  0

3. Open MP Pack Tool to load flash_map.ini generated in previous step and load corresponding image.

   1. Select ForOTA option.

   2. Load the generated flash map.ini.

   3. Load all OTA Bank0 images according to the set flash map.

   4. Click Confirm to generate the package file.

   

   Use the MPPackTool to package files -- non-support bank switching

   备注

   • Bank0 OTA Header file can’t be packaged, which is different from the scheme supporting bank switching.

   • If only Patch Image or APP Image, either of them can be packaged.

User Data Upgrade

Flash Layout

Below is an example of upgrading User Data with a 1M byte flash. The flash layout is shown in the table below.

Flash Layout Sample(User Data upgrade)

Sample Layout for flash(total size = 1M)	Size(Bytes)	Start Address
Reserved	4K	0x04000000
OEM Header	4K	0x04001000
Bank0 Boot Patch	32K	0x04002000
Bank1 Boot Patch	32K	0x0400A000
OTA Bank0	612K	0x04012000
OTA Header	4K	0x04012000
System Patch code	32K	0x04013000
BT Stack Patch code	60K	0x0401B000
BT Host code	212K	0x0402A000
APP code	192K	0x0405F000
APP Config File	4K	0x0408F000
APP data1	0K	0x04090000
APP data2	0K	0x04090000
APP data3	0K	0x04090000
APP data4	0K	0x04090000
APP data5	0K	0x04090000
APP data6	0K	0x04090000
OTA Bank1(Equal to 0)	0K	0x04090000
Bank0 Secure APP code	0K	0x04090000
Bank0 Secure APP Data	0K	0x04090000
Bank1 Secure APP code	0K	0x04090000
Bank1 Secure APP Data	0K	0x04090000
OTA Temp	212K	0x04090000
FTL	16K	0x040C5000
user data1	16K	0x040C9000
user data2	16K	0x040CD000
user data3	16K	0x040D1000
user data4	16K	0x040D5000
user data5	16K	0x040D9000
user data6	16K	0x040DD000
user data7	16K	0x040E1000
user data8	16K	0x040E5000
APP Defined Section	4K	0x040E9000

Usage of Package Tool

1. Use Flash Map Generate Tool to flash map.ini, flash_map.h and Bank0 OTA Header file.

Configure Flash Layout and generate Bank0 OTA Header file

备注

The flash map.ini generated here needs to be consistent with the flash map.ini used in the MP stage.

2. Copy flash_map.h to project directory and open the project with Keil. Link and compile the project to generate app_MP_sdk#####+version +MD5.bin file for packaging.

3. Use the script in SDK/tools/UserData to generate a User Data file that supports packaging.

4. Open MPPackTool to load flash_map.ini generated in previous step and load corresponding image.

   1. Select ForOTA option.

   2. Load the generated flash map.ini.

   3. Load User data image according to the set flash map.

   4. Click Confirm to generate the package file.

Use the MPPackTool to package files – User Data upgrade

备注

• If you only need to update a certain User Data, you can package only one of them.

• Allows User Data to be packaged and upgraded together with other images.

OTA Protocol

OTA is divided into silent OTA and normal OTA depending on the transmission protocol.

• Silent OTA

  During the image upgrade process, the original functions of the device can be used normally. After the upgrade is completed, it only takes a short restart time for the program to automatically switch to the new functions.
• Normal OTA

  The function is stable. However, the upgrade process requires switching the device to DFU mode, and the original functions cannot be used until the upgrade is completed.

Both types of upgrades will use the OTA Service and DFU Service. The OTA Service is used to obtain device information or enter DFU mode, while the DFU Service is used to execute the upgrade process.

OTA Service

The uuid and characteristic of OTA Service are as follows.

{0x12, 0xA2, 0x4D, 0x2E, 0xFE, 0x14, 0x48, 0x8e, 0x93, 0xD2, 0x17, 0x3C, 0xFF, 0xD0, 0x00, 0x00}

OTA characteristics

Characteristic Name	Require- ment	UUID	Properties	Format	Value	Instruction
OTA CMD	M	0xFFD1	Write Without Response	Uint8	1	the control endpoint that allows the device to enter DFU mode
Device Mac	M	0xFFD2	Read	Uint8*6	XX:XX:XX:XX:XX:XX	read BDA of RTL87x2G to compare with the scanned BDA in DFU mode
Device Info	M	0xFFF1	Read	Device info Format (OTA version=1)	Device info Format (OTA version=1)	read device information
Protocol Type	M	0xFFF3	Read	Uint16	0xNNNN	a read request to obtain ota protocol information
Image Version	M	0xFFE0~FFE1	Read	(Uint32+Uint16)*21+2	Byte0: ank num 0: active bank 1: inactive bank Byte1: image num Byte2~Byte3: image ID 1 Byte4~Byte7: image version 1 Byte8~Byte9: image ID 2 Byte10~Byte13: image Version 2 ……	read image versions of device, see the following notes for details
Image Section Size	M	0xFFE4~FFE5	Read	(Uint32+Uint16)*21+1	Byte0: image num Byte1~Byte2: image ID 1 Byte3~Byte6: image max size 1 Byte7~Byte8: image ID 2 Byte9~Byte12: image max size 2 ……	a read request to obtain the maximum size of the firmware layout.

Device info Format (OTA version=1)

Byte	Value
Byte0	ic_type
Byte1	spec version
Byte2	Bit0: buffer check	0: not support buffer check 1: support buffer check
	Bit1: AES	0: AES not enable 1: AES enable
	Bit2: encryption mode	0: Encrypt First 16bytes 1: Encrypt 16*N bytes
	Bit3	0: Update one Image at a time 1: Update Multi Image at a time
Byte3	Reserved
Byte4~5	OTA Temp Buffer Size(uint 4K)
Byte6	active OTA bank num	0: not support dual bank 1: dual bank, bank0 is active bank 2: dual bank, bank1 is active bank
Byte7	active Boot Patch bank num	0: not support dual bank 1: dual bank, bank0 is active bank 2: dual bank, bank1 is active bank
Byte8	active Secure APP bank num	0: not support dual bank 1: dual bank, bank0 is active bank 2: dual bank, bank1 is active bank
Byte9~10	crtl header offset	The offset of the ctrl header in the image header

DFU Service

DFU Service uuid characteristics are shown below.

{0x12, 0xA2, 0x4D, 0x2E, 0xFE, 0x14, 0x48, 0x8e, 0x93, 0xD2, 0x17, 0x3C, 0x87, 0x62, 0x00, 0x00}

• Data Characteristic: accepts image data (write no response)

• Control Point Characteristic: accepts control commands (write/notification)

Control points supported by DFU Service.

DFU Opcode

Opcode value	Procedure	Requirement	Properties	Parameter Description	Applicable Response Value(s)	Response Parameter
0x01	Start DFU	M	Write	crc16((UINT16) ic_type(UINT8) secure_version(UINT8) ctrl_flag.value(UINT16) image_id(UINT16) payload_len(UINT32)	ARV	None
0x02	Receive FW image	M	Write	image_id(UINT16) nImageLength(UINT32)	ARV	None
0x03	Validate FW	M	Write	image_id(UINT16) is the last image(UINT8)	ARV	None
0x04	Activate Image and Reset	M	Write	is enter dfu mode directly after reset(UINT8)	ARV	None
0x05	Reset System	M	Write	None	None	None
0x06	Report Received Image Information	M	Write	image_id(UINT16)	ARV	origin_image_version(UINT32) cur_offset (UINT32)
0x07	Connection parameter update	M	Write	connIntervalMin(UINT16) connIntervalMax(UINT16) connLatency(UINT16) supervisionTimeout(UINT16)	ARV	None
0x09	Buffer check enable	M	Write	image_id(UINT16)	ARV	Max buffer size(UINT16) Mtu size(UINT16)
0x0A	Buffer check size&crc	M	Write	mBufferSize(UINT16) mCrc(UINT16)	ARV	Next send offset(UINT32)
0x0B	IC type	O	Write	None	ARV	ic_type(UINT8)
0x0D	Get image ver	M	Write	bank_num(UINT8)	ARV	bank_num(UINT8) image_num(UINT8) image_id1(UINT16) image_version1(UINT16) ...
0x0F	Check sha256 value	O	Write	image_num(UINT16) image_id(UINT16) sha256 value(UINT16)	ARV	image_id(UINT16) check ret(UINT8)
0x12	Report image number	M	Write	image id(UINT16) current image number(UINT8) total image number(UINT8)	ARV	None

备注

• After receiving the ctrl header of image, it needs to be decrypted and then parsed, not_ready will be temporarily written to 1 and then written to flash.

• During data transmission, if AES encryption is supported, every 16 bytes is encrypted. After the receiving end receives the data, it needs to be decrypted first. The last part less than 16 bytes is sent without encryption. When the buffer check size is full, write to flash.

OTA Procedure

OTA Bluetooth transmission process

OTA Bluetooth transmission process

OTA Activation Process

• Without bank switching, when the packaged file to be upgraded contains Patch, APP or APP DATA, one file upgrade needs to be successfully verified. After the copy is restarted and activated to take effect, the next file can be upgraded.

• Without bank switching with supports combined image upgrades, when writing image data to the OTA temporary area, it calculates whether the remaining space in the OTA TMP area can accommodate the next image file to be written. If it can, it continues to write the next image file to the OTA TMP area. When it cannot, it moves the data in the OTA TMP area to the OTA Bank0 area. After restarting, copying, and activating, it upgrades other files.

• With bank switching, the program cannot be rebooted until all the files have been updated and verified when the packaged file includes OTA Header, Patch, APP or APPDATA. Otherwise, this update will be invalid for that all the files in bank region must come into effect to ensure the program is running properly with bank switching.