17.8.1 Fail-Safe Update Mechanism

As mentioned in 17.5 Firmware Images and SD-Card Partitions and 18.1 Power LED Signalling, the SP-ICE-3 Card implements a (more or less) fail-safe update mechanism.

Thus it should always be possible to perform or repeat an update of the card's firmware, regardless of whether the previous attempt failed or succeeded.

Multiple Firmware Images

The SP-ICE-3 Card maintains the following firmware images on its SD-Card:

a current system image, including all operating system, Web Interface, and firmware components;
a previous system image, including all operating system, Web Interface, and firmware components;
a recovery image, containing the operating system and the Web Interface, but omitting the firmware components.

Fail-Safe Update Mechanism

The SP-ICE-3 Card's update sequence proceeds broadly as follows:

An Update-Package is delivered to the card (see 17.8 How to update the card's Firmware).
The card uses the contents of the package to overwrite the previous image.
The designations of the current and previous images are swapped.
The card attempts to reboot itself with the new current image.

Update Failure

Amongst other reasons, an attempt to update the card's firmware may fail because:

Power was removed during the update sequence;
the network connection failed during the update sequence;
the contents of the update-package are themselves damaged or otherwise invalid.

Any of these can result in a new current image that cannot be successfully booted.

In such cases, the card's Fallback Mechanism (see 17.8.2 Boot Failure Fallback Mechanism) comes into play, and it should then possible to retry the update.

Other Resources

17.8.2 Boot Failure Fallback Mechanism

17.6 How to check which Firmware Image has been booted