STM32H563 Dual-Bank OTA — Recovery When New Firmware Corrupted and Reset_Handler Never Executes
Device
STM32H563ZIT6, single binary (no separate bootloader), dual-bank OTA
Setup
- Bank1: Current running firmware (original)
- Bank2: New OTA firmware (potentially corrupted)
- IWDG: Started in Bank1 before swap
- OTABootSafetyCheck: In Reset_Handler of every binary build
- BKP0R: Boot counter set before swap
Problem
After bank swap, if Bank2 firmware is corrupted and Reset_Handler never executes:
1. Bank swap → reset
2. CPU reads 0x08000000 → SP (may be valid)
3. CPU reads 0x08000004 → Reset vector (may be valid)
4. CPU jumps to Reset_Handler address
5. Reset_Handler code is corrupted → garbage instructions → crash
6. OTABootSafetyCheck never runs
7. Boot counter never increments
8. IWDG fires → reset → same crash → infinite loop
9. Rollback never happens
10. Bank1 original firmware never recovers
11. Device is permanently stuck
What We Have Tried
1. OTABootSafetyCheck in Reset_Handler
    Reset_Handler:
        ldr  r0, =_estack
        mov  sp, r0
        bl   OTABootSafetyCheck   ; before SystemInit and main
        bl   SystemInit
        bl   __libc_init_array
        bl   main
Works when Reset_Handler body executes. Does not help when Reset_Handler code itself is corrupted.
2. IWDG Started in Bank1
IWDG survives the bank swap reset. Bank2 must feed it. If Bank2 never feeds IWDG → reset. But reset always goes back to corrupted Bank2 → same crash → infinite loop.
3. Pre-swap Vector Table Check
    uint32_t sp    = *(uint32_t *)0x08100000;
    uint32_t reset = *(uint32_t *)0x08100004;
Catches completely empty or garbage vector table. Does not catch valid vector table pointing to corrupted Reset_Handler body.
Core Question
Without a separate bootloader, is there any STM32H563 hardware mechanism that can force a bank reswap when:
- Bank2 Reset_Handler is corrupted
- IWDG keeps firing
- No code from Bank2 ever executes successfully
- Bank1 original firmware needs to be restored
Specifically:
- Is there an option byte or hardware register that automatically reverts bank swap after N resets without a successful boot?
- Can IWDG reset be distinguished from other resets in a way that hardware automatically acts on it?
- Is there any RDP/TrustZone mechanism that can trigger bank reswap based on reset count without executing code from the corrupted bank?
- What is ST's recommended approach for single-binary dual-bank OTA rollback when the new firmware's Reset_Handler itself is corrupted?
Constraint
- Single binary — no separate bootloader
- No CRC validation (trying to avoid storing expected CRC)
- Bank1 original firmware must be recoverable in all corruption scenarios
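A fuller pre-swap sanity check of the staged Bank2 image, as an added C example that is not code from the post: it extends the SP/reset check in point 3 to every core vector and to the first bytes of Reset_Handler, while still not proving the handler body is intact. It assumes the image is linked for 0x08000000, a 1 MB bank and 640 KB of SRAM at 0x20000000; build_sample_image produces constructed test data, not real firmware.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Assumed layout (not from the post): image linked for 0x08000000, 1 MB bank,
 * 640 KB SRAM at 0x20000000. Adjust to the real linker script and part. */
#define IMG_LINK_BASE 0x08000000u
#define IMG_BANK_SIZE 0x00100000u
#define SRAM_BASE     0x20000000u
#define SRAM_SIZE     0x000A0000u
#define CORE_VECTORS  16u          /* SP + 15 Cortex-M33 system exceptions */
#define BODY_BYTES    16u          /* Reset_Handler bytes inspected */
typedef enum { IMG_OK, IMG_BAD_SP, IMG_BAD_VECTOR, IMG_RESET_OUT_OF_IMAGE,
               IMG_RESET_BODY_BLANK } img_check_t;

static bool thumb_in_image(uint32_t v) {
    return (v & 1u) && v >= IMG_LINK_BASE && v < IMG_LINK_BASE + IMG_BANK_SIZE;
}

/* img: the staged OTA bank (0x08100000 on the device, or a test buffer) with
 * img_len readable bytes. Every core vector must be a Thumb address inside the
 * linked image and the start of Reset_Handler must not be erased (0xFF) or zeroed
 * flash. This cannot prove the body is intact; only a whole-image check can. */
img_check_t ota_image_check(const uint8_t *img, size_t img_len) {
    uint32_t vt[CORE_VECTORS];
    if (img_len < sizeof vt) return IMG_RESET_OUT_OF_IMAGE;
    memcpy(vt, img, sizeof vt);
    if ((vt[0] & 7u) || vt[0] <= SRAM_BASE || vt[0] > SRAM_BASE + SRAM_SIZE)
        return IMG_BAD_SP;
    for (size_t i = 1; i < CORE_VECTORS; i++) {
        if (i >= 2 && vt[i] == 0) continue;           /* unused/reserved slot */
        if (!thumb_in_image(vt[i])) return IMG_BAD_VECTOR;
    }
    size_t off = (vt[1] & ~1u) - IMG_LINK_BASE;      /* Reset_Handler offset */
    if (off < sizeof vt || off + BODY_BYTES > img_len) return IMG_RESET_OUT_OF_IMAGE;
    bool erased = true, zero = true;
    for (size_t i = 0; i < BODY_BYTES; i++) {
        erased = erased && img[off + i] == 0xFFu;
        zero   = zero   && img[off + i] == 0x00u;
    }
    return (erased || zero) ? IMG_RESET_BODY_BLANK : IMG_OK;
}

/* Constructed sample bank (not real firmware): core vectors plus a non-blank
 * stub at offset 0x100, where the reset vector points. */
#define SAMPLE_LEN 0x200u
void build_sample_image(uint8_t *img) {
    static const uint32_t vt[CORE_VECTORS] = {
        0x20020000u, 0x08000101u, 0x08000121u, 0x08000141u, 0, 0, 0, 0,
        0, 0, 0, 0x08000161u, 0, 0, 0x08000181u, 0x080001A1u };
    memset(img, 0xFF, SAMPLE_LEN);
    memcpy(img, vt, sizeof vt);
    memset(img + 0x100, 0x46, BODY_BYTES);          /* stand-in instruction bytes */
}
```

On the device, call ota_image_check((const uint8_t *)0x08100000, IMG_BANK_SIZE) before setting the swap bit; a non-IMG_OK result means the swap should not be attempted at all.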