Method for software upgrade of an unprivileged on-board computer

By establishing a communication channel between the primary and backup onboard computers, and using the authorized onboard computer to upgrade the software of the unauthorized onboard computer, the problem of the unrepairable onboard electronic system without control was solved. This enabled on-orbit updates and functional reconfiguration of the unauthorized onboard computer, improving the reliability of the onboard computer system and the lifespan of the satellite.

CN116360833BActive Publication Date: 2026-07-10SHANGHAI AEROSPACE COMP TECH INST

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
SHANGHAI AEROSPACE COMP TECH INST
Filing Date
2023-03-21
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

In traditional spaceborne electronic systems, the lack of control over the system means that it cannot communicate with the outside world, making it impossible to repair software changes. This creates a single point of failure for the satellite and increases the risk of satellite operation.

Method used

By establishing a communication channel between the primary and backup onboard computers, the authorized onboard computer can perform software upgrades on the unauthorized onboard computer, including cold and warm boot processes. The monitoring software performs self-checks and the business software system code is migrated, thereby enabling the reconstruction of the unauthorized onboard computer.

Benefits of technology

It enabled on-orbit updates and functional reconfiguration of unauthorized onboard computer software, reducing the risk of updating satellite software systems and improving the reliability of onboard computer systems and satellite lifespan.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116360833B_ABST
    Figure CN116360833B_ABST
Patent Text Reader

Abstract

The application provides a method for software upgrading of an unauthorized spaceborne computer, comprising: an authorized spaceborne computer sending received number packets to the unauthorized spaceborne computer through a dual-computer communication channel; the unauthorized spaceborne computer waiting for all the number packets to pass the check and forming a service software system file; and if the service software system file passes the check, the unauthorized spaceborne computer writing the service software system file to a service software system file storage device and a memory. The application realizes on-orbit reconstruction and loading of software of a hot-standby unauthorized spaceborne computer through a dual-computer communication channel without affecting the normal service process of the authorized spaceborne computer, improves the reliability of the spaceborne computer system, ensures the upgrade safety of the key single computer, and greatly reduces the on-orbit update risk of the service software system of the spaceborne computer, prolongs the service life of the satellite, compared with the prior art in which the authorized spaceborne computer cannot be updated and repaired after being deprived of the control right due to an abnormality and becomes a single point of the satellite.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of satellite-borne electronic systems, and in particular to a method for upgrading the software of an unauthorized onboard computer. Background Technology

[0002] The harsh space environment in which satellites operate can cause malfunctions in onboard electronic systems due to single-event effects, which can alter the operating system image and application software files. Therefore, critical satellite components require backups during development, such as dual-system redundancy. When changes to the operating system image (operating system kernel and drivers) and minimum system software in the onboard electronic system cause malfunctions, the system needs to be rebuilt to restore it to normal operation.

[0003] In traditional spaceborne electronic system design, a dual-redundancy design is typically adopted. The backup spaceborne electronic system monitors the operational status of the primary spaceborne electronic system, which is in control. When an anomaly is detected in the primary spaceborne electronic system and certain conditions are met, control of the primary spaceborne electronic system is taken over, thereby enabling the spaceborne electronic system to be reconfigured and its operational status restored.

[0004] Currently, there are various methods for reconstructing and repairing spaceborne software, including middleware-based on-orbit programming methods for spaceborne embedded system software, file-based on-orbit programming methods for spaceborne embedded system software, and binary code-based on-orbit programming methods for spaceborne embedded system software. These on-orbit programming methods primarily involve the spaceborne software with control performing self-repair during operation. For spaceborne embedded systems without control, due to the lack of control, they cannot communicate normally with the outside world to obtain correct software code. If the executable code of the spaceborne software without control changes and it cannot function properly, it cannot be repaired through on-orbit programming.

[0005] In traditional spaceborne electronic systems, when control of the primary spaceborne electronic system is taken over by a backup system, the original primary system often struggles to recover. This makes the primary system a single point of failure for the satellite. Since single-event events are unavoidable in space, if another single-event event occurs, the satellite will be unable to perform its intended tasks, posing a significant risk.

[0006] Therefore, finding a method to reconstruct the operating system, drivers, and minimal system software of a faulty, uncontrolled spaceborne electronic system to restore it to normal operation and avoid single points of failure in the spaceborne electronic system has become an urgent problem to be solved. Summary of the Invention

[0007] The purpose of this invention is to provide a method for reconstructing the operating system kernel, drivers, and minimal system software of a faulty, uncontrolled spaceborne electronic system to restore it to normal operation, thereby avoiding single points of failure in the spaceborne electronic system.

[0008] like Figure 1 As shown, to solve the above problems, the present invention provides an apparatus and method for software upgrade of an unauthorized onboard computer, including a primary onboard computer, a backup onboard computer, monitoring software, a business software system (including an operating system kernel, drivers, and minimal system software), and repair files. The method includes the following steps:

[0009] S1: There is a communication channel between the primary satellite computer and the backup satellite computer, which is used for the primary satellite computer to send commands and data to the backup satellite computer, and for the backup satellite computer to send status data to the primary satellite computer.

[0010] S2: The primary satellite computer can not only receive telemetry data from each satellite electronic device, but also send control commands to each satellite electronic device, i.e., it is an authorized satellite computer; the backup satellite computer cannot send control commands to each satellite electronic device, i.e., it is an unauthorized satellite computer.

[0011] S3: The authorized onboard computer can send commands and data to the unauthorized onboard computer through the communication channel. The unauthorized onboard computer can receive commands and data sent by the authorized onboard computer and perform corresponding operations according to the commands.

[0012] S4: The restart process of the unauthorized onboard computer is divided into cold start and warm start. Cold start is when the unauthorized onboard computer starts the monitoring software, and then the monitoring software moves the business software system code from the business software system code storage to memory for execution. Warm start is when the unauthorized onboard computer jumps to the business system software entry point in memory for some reason during the operation of the business software system and restarts the business system software.

[0013] S5: The business software system code can be the executable code of the minimum system software, or it can be an operating system image and driver executable file;

[0014] S6: The unauthorized onboard computer performs a startup self-test during startup to establish an indicator that the business software system cannot work properly; the startup self-test checks the time interval between the most recent startups, and if the time interval between startups is too short for several consecutive times, it indicates that the business software system cannot work properly.

[0015] S7: Based on the indication that the business software system is not working properly:

[0016] If the identifier indicates that an unauthorized onboard computer has malfunctioned, causing the business software system of the unauthorized onboard computer to malfunction, then proceed to S8.

[0017] If the indicator shows that the unauthorized onboard computer is not malfunctioning and its business software system is functioning normally, then proceed to the cold start process.

[0018] S8: The unauthorized onboard computer performs a cold start, the monitoring software enters a privileged state, does not perform business software system migration operations, and continuously sends privileged status words to the authorized onboard computer.

[0019] S9: The authorized onboard computer transmits the self-test result identifier of the unauthorized computer to the ground station through the telemetry channel;

[0020] S10: After the satellite ground control station determines that the unauthorized onboard computer monitoring software has entered the privileged state, it sends a command to stop issuing privileges to the authorized onboard computer and forwards it to the unauthorized onboard computer monitoring software.

[0021] S11: After receiving the instruction to stop sending privileges, the unauthorized onboard computer monitoring software stops sending privilege status words to the authorized computer.

[0022] S12: The authorized onboard computer receives the business software system code uploaded by the satellite ground tracking and control station, and sends the business software system code to the unauthorized computer;

[0023] S13: The unauthorized computer monitoring software determines the correctness of the received business software system code:

[0024] If the received business software system code is correct, the monitoring software in the unauthorized computer will store the business software system code in the business software system code storage and then proceed to S15.

[0025] If the received business software system code is incorrect, the monitoring software in the unauthorized computer will not store the business software system code in the business software system code storage, but will send the incorrect business software system code identifier to the authorized onboard computer, and then proceed to S14;

[0026] S14: The authorized onboard computer transmits the incorrect identification of the business software system code sent by the unauthorized onboard computer monitoring software to the ground satellite tracking and control station through the telemetry channel, and then proceeds to S12;

[0027] S15: The authorized onboard computer receives the reconfiguration command of the unauthorized onboard computer uploaded by the satellite ground control station and forwards it to the unauthorized onboard computer monitoring software.

[0028] S16: The unauthorized onboard computer monitoring software receives the reconstruction instruction, exits the monitoring software privileged state, and performs reconstruction.

[0029] Step S12 includes the following steps:

[0030] S1201: The authorized onboard computer receives the command sent by the satellite ground telemetry and control station to upload and store the first address of the business software system code, and forwards the command to the unauthorized onboard computer;

[0031] S1202: The unauthorized onboard computer monitoring software receives the command to upload and store the first address of the business software system code, and then sends a status word to the authorized onboard computer indicating that the command to correctly receive and upload the first address of the business software system code has been successfully delivered.

[0032] S1203: The authorized onboard computer receives the business software system code verification code and length, and forwards the business software system code verification code and length to the unauthorized onboard computer monitoring software.

[0033] S1204: The unauthorized onboard computer receives the service software system code check code and length, and then sends a status word indicating that the service software system code check code and length have been correctly received to the authorized onboard computer.

[0034] S1205: The authorized onboard computer receives the business software system code packet and then forwards it to the unauthorized onboard computer monitoring software;

[0035] S1206: The unauthorized onboard computer monitoring software receives the business software system code packet and writes the correctly parsed business software system code packet into the specified cache area in memory;

[0036] S1207: The unauthorized onboard computer monitoring software determines whether the spliced ​​business software system code is correct based on the length of the business software system code received in step S1204, and establishes a business software system code reception completion identifier.

[0037] S1208: Receive completion flag based on business software system code:

[0038] If the reception of the business software system code is not completed, proceed to S1205;

[0039] If the business software code has been received, proceed to S1209;

[0040] S1209: The unauthorized onboard computer monitoring software calculates the verification code of the received business software system code, and then establishes a business software system code verification correctness identifier based on the verification code of the business software system code received in step S1204.

[0041] S1210: Verify the correctness of the business software system code:

[0042] If the business software system code verification correctness identifier is correct, the unauthorized onboard computer will write the received business software system code into the storage space starting from the first address of the business software system code in the business software system code storage, and send the business software system code verification correctness identifier to the authorized onboard computer.

[0043] If the code verification of the business software system is incorrect, the unauthorized onboard computer will send the code verification of the business software system to the authorized onboard computer.

[0044] This invention discloses an apparatus and method for software upgrades of an unauthorized onboard computer, enabling on-orbit updates and functional reconfiguration of the onboard computer software (including operating system, drivers, and minimum system software). The onboard computer system in this invention includes one authorized onboard computer and at least one unauthorized onboard computer; both authorized and unauthorized onboard computers can receive uplink remote control commands from the ground, but only the authorized onboard computer can transmit telemetry data downlink; the authorized and unauthorized onboard computers can exchange information through a dual-computer communication channel. The method of this invention includes the following steps: S1 The authorized onboard computer receives the data packets from the ground; S2 The authorized onboard computer sends the received data packets to the unauthorized onboard computer through a dual-machine communication channel; S3 The unauthorized onboard computer verifies the data packets; S4 Waits for all data packets to pass verification, forming a business software system file; S5 Verifies the business software system file; S6 If the business software system file passes verification, the unauthorized onboard computer writes the business software system file to the business software system file storage device and memory; S7 Selects to start from the business software system file storage device or memory according to ground instructions, completing the software reconstruction / loading. This invention, without affecting the normal business processes of the authorized onboard computer, utilizes a dual-machine communication channel to achieve on-orbit reconstruction and loading of the unauthorized onboard computer software (including operating system, drivers, and minimum system software), improving the reliability of the onboard computer system and ensuring the upgrade safety of critical single machines. Compared to existing systems where the authorized onboard computer cannot be updated or repaired after an anomaly and loss of control, becoming a single point of failure for the satellite, this invention significantly reduces the risk of on-orbit updates to the onboard computer's business software system and extends the satellite's lifespan.

[0045] Compared with the prior art, the present invention has the following technical advantages:

[0046] 1. The embodiments of the present invention can perform a complete on-orbit update of the business software system code stored in an unauthorized spaceborne computer, or perform a partial on-orbit update of the business software system code of an unauthorized spaceborne computer in a specified storage space.

[0047] 2. The embodiments of the present invention can be applied to both operating system-based business software systems and business software systems without an operating system.

[0048] 3. The embodiments of the present invention can be applied to business software systems developed using various technologies, including but not limited to business software systems developed based on middleware technology, business software systems developed based on file technology, and business software systems developed based on structured programming technology, and have wide applicability.

[0049] Of course, any product implementing this invention does not necessarily need to achieve all of the advantages described above at the same time. Attached Figure Description

[0050] To more clearly illustrate the technical solutions of the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort. In the drawings:

[0051] Figure 1 This is a flowchart of the implementation steps of the present invention;

[0052] Figure 2 This is a block diagram of the onboard computer in an embodiment of the present invention;

[0053] Figure 3 This is a flowchart illustrating the on-orbit update process of the operating system image of the unauthorized onboard computer business software system in Embodiment 1 of the present invention.

[0054] Figure 4 This is a flowchart of the on-orbit update process for the unauthorized onboard computer application software in Embodiment 2 of the present invention.

[0055] Figure 5 In Embodiment 3 of the present invention, the memory storing the operating system image and application software files of the unauthorized onboard computer is damaged, so the business software system flowchart in memory is updated. Detailed Implementation

[0056] The following will describe in detail, with reference to the accompanying drawings, an apparatus and method for software upgrade of an unauthorized onboard computer provided by the present invention. This embodiment is implemented under the premise of the technical solution of the present invention, and provides detailed implementation methods and specific operation processes. However, the protection scope of the present invention is not limited to the following embodiment. Those skilled in the art can modify and refine it without changing the spirit and content of the present invention.

[0057] Example 1

[0058] Please refer to Figure 2 and Figure 3This invention provides an apparatus and method for upgrading the software of an unauthorized onboard computer, and a method for completely updating a business software system based on an operating system. This method includes the following steps:

[0059] S1: The primary satellite computer and the backup satellite computer use RS422 as a communication channel, which is used for the primary satellite computer to send commands and data to the backup satellite computer, and for the backup satellite computer to send status data to the primary satellite computer.

[0060] S2: The primary satellite computer, as an authorized satellite computer, has control over all I / O interfaces. It can not only send control commands to each satellite electronic device, but also receive data (including telemetry data) sent by each satellite electronic device. The backup satellite computer, as an unauthorized satellite computer, cannot send control commands to each satellite electronic device, but can receive all data sent by each satellite electronic device.

[0061] S3: The authorized onboard computer can send commands and data to the unauthorized onboard computer through the RS422 communication channel. The unauthorized onboard computer receives the commands and data sent by the authorized onboard computer through the RS422 communication channel, performs corresponding operations according to the commands, and then feeds back the command execution results through the RS422 communication channel.

[0062] S4: The restart process of the unauthorized onboard computer is divided into cold start and warm start. Cold start is when the unauthorized onboard computer starts the monitoring software, and then the monitoring software moves the business software system code from the business software system code storage NORFLASH to SDRAM for execution. Warm start is when the unauthorized onboard computer jumps to the business system software entry point in SDRAM for some reason during the operation of the business software system to restart the business system software.

[0063] S5: The business software system code is developed based on the operating system, forming an operating system image, drivers, and application software files;

[0064] S6: The unauthorized onboard computer monitoring software performs a startup self-test during startup and establishes an indicator that the business software system cannot work properly.

[0065] In this embodiment, during the cold start process of the unauthorized computer monitoring software, the current system clock is first read and stored in the cold start reset time area. Then, the watchdog reset counter and the cold start reset time are read to determine whether the last three reset times occurred within 9 minutes. If the last three reset times occurred within 9 minutes, the monitoring software determines that the business software system cannot work normally and establishes a self-check flag indicating that the unauthorized onboard computer business software system cannot work normally.

[0066] S7: Based on the indication that the business software system is not working properly:

[0067] If the identifier indicates that an unauthorized onboard computer has malfunctioned, causing the business software system of the unauthorized onboard computer to malfunction, then proceed to S8.

[0068] If the indicator shows that the unauthorized onboard computer is not malfunctioning and its business software system is functioning normally, then proceed to the cold start process.

[0069] S8: The unauthorized onboard computer performs a cold start, the monitoring software enters a privileged state, does not perform business software system migration operations, and continuously sends privileged status words to the authorized onboard computer through the RS422 communication channel.

[0070] S9: The authorized onboard computer transmits the self-test result identifier of the unauthorized computer to the ground station through the telemetry channel;

[0071] S10: After the satellite ground control station determines that the unauthorized onboard computer monitoring software has entered the privileged state, it sends a command to stop issuing privileges to the authorized onboard computer and forwards it to the unauthorized onboard computer monitoring software.

[0072] S11: The unauthorized onboard computer monitoring software reads the watchdog reset counter and cold start reset time, determines whether the reset time of the last 3 times exceeds 9 minutes, and then stops sending privilege status words to the authorized computer after receiving the stop privilege command by querying the RS422 communication channel data.

[0073] S1201: The authorized onboard computer receives the command sent by the satellite ground control station to upload and store the operating system image of the business software system, and forwards the command to the unauthorized onboard computer;

[0074] S1202: The unauthorized onboard computer monitoring software receives the command to upload and store the first address of the operating system image of the business software system, and then sends a status word to the authorized onboard computer indicating that the command to correctly receive and upload the first address of the operating system image of the business software system has been successfully stored.

[0075] S1203: The authorized onboard computer receives the CRC checksum and length of the business software system operating system image, and forwards the CRC checksum and length of the business software system operating system image to the unauthorized onboard computer.

[0076] S1204: The unauthorized onboard computer monitoring software receives the CRC checksum and length of the business software system operating system image, and then sends a status word indicating that the business software system operating system image CRC checksum and length have been correctly received to the authorized onboard computer.

[0077] S1205: The authorized onboard computer receives the business software system operating system image package and then forwards it to the unauthorized onboard computer;

[0078] S1206: The unauthorized onboard computer monitoring software receives the business software system code operating system image package, determines the correctness of the business software system code operating system image package, and writes the correct business software system code operating system image package into a specified area of ​​SDRAM.

[0079] S1207: The unauthorized onboard computer monitoring software determines whether the length of the spliced ​​business software system operating system image is correct based on the length of the business software system operating system image received in step S1204, and establishes a business software system reception completion identifier.

[0080] S1208: Based on the business software system's completion notification:

[0081] If the business software system has not completed receiving the data, proceed to step S1205;

[0082] If the business software system has completed receiving the data, proceed to step S1209;

[0083] In this embodiment, the unauthorized onboard computer completes the reception of the business software system by counting the length of the received files and then comparing it with the length of the files received in S1207; alternatively, it can use the packet group identifier to determine whether the reception is complete.

[0084] S1209: The unauthorized onboard computer monitoring software calculates the CRC checksum of the received business software system operating system image, and then establishes a business software system CRC checksum correctness identifier based on the CRC checksum of the business software system operating system image received in step S1204.

[0085] S1210: Based on the CRC checksum of the business software system:

[0086] If the CRC check of the business software system is correct, the unauthorized onboard computer monitoring software will write the received business software system operating system image into the business software system code storage NORFLASH, storing the storage space starting from the first address of the business software system operating system image, and send the CRC check of the business software system to the authorized onboard computer.

[0087] If the CRC checksum of the business software system is incorrect, the unauthorized onboard computer monitoring software will not write the business software operating system mirror into NORLASH, but will instead send the CRC checksum of the business software system to the authorized onboard computer.

[0088] S13: The unauthorized computer determines the correctness of the received business software system operating system image:

[0089] If the received business software system operating system image is correct, the monitoring software in the unauthorized computer will store the business software system operating system image in the business software system operating system image storage NORFLASH, and then proceed to S15.

[0090] If the received business software system operating system image is incorrect, the monitoring software in the unauthorized computer will not store the business software system operating system image in the business software system operating system image storage, but will send the incorrect business software system operating system image to the authorized onboard computer, and then proceed to S14.

[0091] S14: The authorized onboard computer transmits the incorrect identification of the business software system operating system image sent by the unauthorized onboard computer monitoring software to the ground satellite tracking and control station through the telemetry channel, and then proceeds to S12;

[0092] S15: The authorized onboard computer receives the reconfiguration instruction from the unauthorized onboard computer uploaded by the satellite ground control station and forwards it to the unauthorized onboard computer.

[0093] S16: The unauthorized onboard computer monitoring software receives the reconstruction instruction, exits the monitoring software privilege state, moves the business software system operating system image and application software files to SDRAM, and performs reconstruction.

[0094] In this embodiment, the unauthorized onboard computer monitoring software exits the privileged state and, in accordance with the reconstruction instruction, moves the operating system image of the specified business software system stored in NORFLASH to SDRAM for operation.

[0095] Example 2

[0096] Please refer to Figure 2 and Figure 4 This invention provides an apparatus and method for upgrading the software of an unauthorized onboard computer, and provides a method for updating application software, which includes the following steps:

[0097] S1: The primary satellite computer and the backup satellite computer use RS422 as a communication channel, which is used for the primary satellite computer to send commands and data to the backup satellite computer, and for the backup satellite computer to send status data to the primary satellite computer.

[0098] S2: The primary satellite computer, as an authorized satellite computer, has control over all I / O interfaces. It can not only send control commands to each satellite electronic device, but also receive data (including telemetry data) sent by each satellite electronic device. The backup satellite computer, as an unauthorized satellite computer, cannot send control commands to each satellite electronic device, but can receive all data sent by each satellite electronic device.

[0099] S3: The authorized onboard computer can send commands and data to the unauthorized onboard computer through the RS422 communication channel. The unauthorized onboard computer receives the commands and data sent by the authorized onboard computer through the RS422 communication channel, performs corresponding operations according to the commands, and then feeds back the command execution results through the RS422 communication channel.

[0100] S4: The restart process of the unauthorized onboard computer is divided into cold start and warm start. Cold start is when the unauthorized onboard computer starts the monitoring software, and then the monitoring software moves the business software system code from the business software system code storage NORFLASH to SDRAM for execution. Warm start is when the unauthorized onboard computer jumps to the business system software entry point in SDRAM for some reason during the operation of the business software system to restart the business system software.

[0101] S5: The business software system code is developed based on the operating system, forming an operating system image and application software files;

[0102] S6: The unauthorized onboard computer monitoring software performs a startup self-test during startup and establishes an indicator that the business software system cannot work properly.

[0103] In this embodiment, during the cold start process of the unauthorized computer, the current system clock is first read and stored in the cold start reset time area. Then, the watchdog reset counter and the cold start reset time are read to determine whether the last three reset times occurred within 9 minutes. If the last three reset times occurred within 9 minutes, the monitoring software determines that the business software system cannot work normally and establishes a self-check flag indicating that the unauthorized onboard computer's business software system cannot work normally.

[0104] S7: Based on the indication that the business software system is not working properly:

[0105] If the identifier indicates that an unauthorized onboard computer has malfunctioned, causing the business software system of the unauthorized onboard computer to malfunction, then proceed to S8.

[0106] If the indicator shows that the unauthorized onboard computer is not malfunctioning and its business software system is functioning normally, then proceed to the cold start process.

[0107] S8: The unauthorized onboard computer performs a cold start, the monitoring software enters a privileged state, does not perform business software system migration operations, and continuously sends privileged status words to the authorized onboard computer through the RS422 communication channel.

[0108] S9: The authorized onboard computer transmits the self-test result identifier of the unauthorized computer to the ground station through the telemetry channel;

[0109] S10: After the satellite ground control station determines that the unauthorized onboard computer monitoring software has entered the privileged state, it sends a command to stop issuing privileges to the authorized onboard computer and forwards it to the unauthorized onboard computer monitoring software.

[0110] S11: The unauthorized onboard computer monitoring software reads the watchdog reset counter and cold start reset time, determines whether the reset time of the last 3 times exceeds 9 minutes, and then stops sending privilege status words to the authorized computer after receiving the stop privilege command by querying the RS422 communication channel data.

[0111] S1201: The authorized onboard computer receives the command from the satellite ground control station to upload the application software stored in NORFLASH, which contains the first address, and forwards the command to the unauthorized onboard computer.

[0112] S1202: The unauthorized onboard computer monitoring software receives the starting address command stored in NORFLASH by the uploading application software, and then sends the status word of correctly receiving the starting address command stored in NORFLASH by the authorized onboard computer.

[0113] S1203: The authorized onboard computer receives the CRC checksum and length of the application software file, and forwards the CRC checksum and length of the application software file to the unauthorized onboard computer;

[0114] S1204: The unauthorized onboard computer monitoring software receives the CRC checksum and length of the application software file, and then sends a status word indicating that the application software file CRC checksum and length have been correctly received to the authorized onboard computer.

[0115] S1205: The authorized onboard computer receives the application software file data packet and then forwards it to the unauthorized onboard computer;

[0116] S1206: The unauthorized onboard computer monitoring software receives the application software file data packet, determines the correctness of the application software file data packet, and writes the correct application software file data packet into a specified area in SDRAM.

[0117] S1207: The unauthorized onboard computer monitoring software determines whether the length of the spliced ​​application software file is correct based on the length of the application software file received in step S1204, and establishes an application software file reception completion identifier.

[0118] S1208: Based on the application software file reception completion identifier:

[0119] If the application software file reception is not completed, proceed to S1205;

[0120] If the application software file reception is complete, proceed to S1209;

[0121] In this embodiment, the unauthorized onboard computer completes the reception of the business software system by counting the length of the received files and then comparing it with the length of the files received in S1207; alternatively, it can use the packet group identifier to determine whether the reception is complete.

[0122] S1209: The unauthorized onboard computer monitoring software calculates the CRC checksum of the received application software file, and then establishes the CRC checksum of the application software file based on the CRC checksum of the application software file received in step S1204.

[0123] S1210: CRC checksum verification based on application software file:

[0124] If the CRC checksum of the application software file is correct, the unauthorized onboard computer monitoring software will write the received application software file into the business software system code storage NORFLASH, storing the storage space starting from the first address of the application software file, and send the CRC checksum of the application software file to the authorized onboard computer.

[0125] If the CRC checksum of the application software file is incorrect, the unauthorized onboard computer monitoring software will not write the application software file into NORLASH, but will instead send the application software file checksum to the authorized onboard computer.

[0126] S13: The unauthorized computer determines the correctness of the received application software file:

[0127] If the received application software file is correct, the monitoring software in the unauthorized computer will store the application software file in the business software system memory NORFLASH, and then proceed to S15.

[0128] If the received application software file is incorrect, the monitoring software on the unauthorized computer will not store the application software file in the business software system memory NORFLASH, but will send the incorrect application software file identifier to the authorized onboard computer, and then proceed to S14;

[0129] S14: The authorized onboard computer incorrectly identifies the application software file sent by the unauthorized onboard computer monitoring software and transmits it to the ground satellite tracking and control station through the telemetry channel, and then proceeds to S12;

[0130] S15: The authorized onboard computer receives the reconfiguration instruction from the unauthorized onboard computer uploaded by the satellite ground control station and forwards it to the unauthorized onboard computer.

[0131] S16: The unauthorized onboard computer receives the reconstruction instruction, exits the privileged state of the monitoring software, moves the business software system operating system image and application software files to SDRAM, and performs reconstruction.

[0132] In this embodiment, the unauthorized onboard computer monitoring software exits the privileged state and, in accordance with the reconstruction instruction, moves the operating system image of the specified business software system stored in NORFLASH to SDRAM for operation.

[0133] Example 3

[0134] Please refer to Figure 2 and Figure 5 This invention provides an apparatus and method for upgrading the software of an unauthorized onboard computer, and provides a method for updating the business software system in memory when the operating system image and application software file storage are damaged. This method includes the following steps:

[0135] S1: The primary satellite computer and the backup satellite computer use RS422 as a communication channel, which is used for the primary satellite computer to send commands and data to the backup satellite computer, and for the backup satellite computer to send status data to the primary satellite computer.

[0136] S2: The primary satellite computer, as an authorized satellite computer, has control over all I / O interfaces. It can not only send control commands to each satellite electronic device, but also receive data (including telemetry data) sent by each satellite electronic device. The backup satellite computer, as an unauthorized satellite computer, cannot send control commands to each satellite electronic device, but can receive all data sent by each satellite electronic device.

[0137] S3: The authorized onboard computer can send commands and data to the unauthorized onboard computer through the RS422 communication channel. The unauthorized onboard computer receives the commands and data sent by the authorized onboard computer through the RS422 communication channel, performs corresponding operations according to the commands, and then feeds back the command execution results through the RS422 communication channel.

[0138] S4: The restart process of the unauthorized onboard computer is divided into cold start and warm start. Cold start is when the unauthorized onboard computer starts the monitoring software, and then the monitoring software moves the business software system code from the business software system code storage NORFLASH to SDRAM for execution. Warm start is when the unauthorized onboard computer jumps to the business system software entry point in SDRAM for some reason during the operation of the business software system to restart the business system software.

[0139] S5: The business software system code is developed based on the operating system, forming an operating system image and application software files;

[0140] S6: The unauthorized onboard computer monitoring software performs a startup self-test during startup and establishes an indicator that the business software system cannot work properly.

[0141] In this embodiment, during the cold start process of the unauthorized computer, the current system clock is first read and stored in the cold start reset time area. Then, the watchdog reset counter and the cold start reset time are read to determine whether the last three reset times occurred within 9 minutes. If the last three reset times occurred within 9 minutes, the monitoring software determines that the business software system cannot work normally and establishes a self-check flag indicating that the unauthorized onboard computer's business software system cannot work normally.

[0142] S7: Based on the indication that the business software system is not working properly:

[0143] If the identifier indicates that an unauthorized onboard computer has malfunctioned, causing the business software system of the unauthorized onboard computer to malfunction, then proceed to S8.

[0144] If the indicator shows that the unauthorized onboard computer is not malfunctioning and its business software system is functioning normally, then proceed to the cold start process.

[0145] S8: The unauthorized onboard computer performs a cold start, the monitoring software enters a privileged state, does not perform business software system migration operations, and continuously sends privileged status words to the authorized onboard computer through the RS422 communication channel.

[0146] S9: The authorized onboard computer transmits the self-test result identifier of the unauthorized computer to the ground station through the telemetry channel;

[0147] S10: After the satellite ground control station determines that the unauthorized onboard computer monitoring software has entered the privileged state, it sends a command to stop issuing privileges to the authorized onboard computer and forwards it to the unauthorized onboard computer monitoring software.

[0148] S11: The unauthorized onboard computer monitoring software reads the watchdog reset counter and cold start reset time, determines whether the reset time of the last 3 times exceeds 9 minutes, and then stops sending privilege status words to the authorized computer after receiving the stop privilege command by querying the RS422 communication channel data.

[0149] S1201: The authorized onboard computer receives the command sent by the satellite ground control station to upload and store the operating system image and application software file address, and forwards the command to the unauthorized onboard computer;

[0150] S1202: The unauthorized onboard computer monitoring software receives the command to upload and store the operating system image of the business software system and the starting address of the application software file, and then sends a status word to the authorized onboard computer that correctly received the command to upload and store the operating system image of the business software system and the starting address of the application software file.

[0151] S1203: The authorized onboard computer receives the CRC checksum and length of the operating system image and application software file, and forwards the CRC checksum and length of the operating system image and application software file to the unauthorized onboard computer;

[0152] S1204: The unauthorized onboard computer monitoring software receives the CRC checksum and length of the operating system image and application software file, and then sends a status word indicating that the operating system image and application software file CRC checksum and length have been correctly received to the authorized onboard computer.

[0153] S1205: The authorized onboard computer receives the operating system image and application software file data packet, and then forwards it to the unauthorized onboard computer;

[0154] S1206: The unauthorized onboard computer monitoring software receives the operating system image and application software file data package, determines the correctness of the operating system image and application software file data package, and writes the correct operating system image package into a specified area in SDRAM.

[0155] S1207: The unauthorized onboard computer monitoring software determines whether the length of the spliced ​​operating system image and application software file is correct based on the length of the operating system image and application software file received in step S1204, and establishes a business software system reception completion identifier.

[0156] S1208: Based on the business software system's completion notification:

[0157] If the business software system has not completed receiving the data, proceed to step S1205;

[0158] If the business software system has completed receiving the data, proceed to step S1209;

[0159] In this embodiment, the unauthorized onboard computer completes the reception of the business software system by counting the length of the received files and then comparing it with the length of the files received in S1207; alternatively, it can use the packet group identifier to determine whether the reception is complete.

[0160] S1209: The unauthorized onboard computer monitoring software calculates the CRC checksum of the received operating system image and application software file, and then establishes a CRC checksum correctness identifier for the business software system based on the CRC checksum of the received operating system image and application software file in step S1204.

[0161] S1210: The unauthorized onboard computer monitoring software will send the CRC check correctness identifier of the business software system to the authorized onboard computer;

[0162] S13: The unauthorized computer determines the correctness of the received business software system operating system image:

[0163] If the received operating system image and application software files are correct, the monitoring software on the computer is not authorized to be transferred to S15.

[0164] If the received business software system operating system image is incorrect, the monitoring software in the computer is not authorized to be transferred to S14.

[0165] S14: The authorized onboard computer transmits the incorrect identification of the business software system sent by the unauthorized onboard computer monitoring software to the ground satellite tracking and control station through the telemetry channel, and then proceeds to S12;

[0166] S15: The authorized onboard computer receives the reconfiguration instruction from the unauthorized onboard computer uploaded by the satellite ground control station and forwards it to the unauthorized onboard computer.

[0167] S16: The unauthorized onboard computer receives the reconstruction instruction, exits the privileged state of the monitoring software, and jumps to the starting address of the operating system image and application software file in SDRAM to begin execution.

[0168] Compared with existing on-orbit file update technologies, this invention, through the addition of a design to parse remote control commands in the unauthorized onboard computer monitoring software, enables the updating of the operating system image and application software files stored in the unauthorized onboard computer's business software system memory. This allows for various unauthorized onboard computer reconfiguration modes, such as booting from the business software system memory and booting from a specified address in SDRAM.

[0169] Existing on-orbit document update technologies can only update the authorized onboard computer's operational software systems. When an authorized onboard computer malfunctions and is deprived of control, it cannot be updated or repaired, becoming a single point of failure for the satellite. This adds significant pressure to the on-orbit maintenance process. Compared to existing on-orbit document update technologies, this invention enables on-orbit updates of unauthorized onboard computer's operational software systems, greatly reducing the risks associated with on-orbit updates and extending the satellite's lifespan.

[0170] The above-disclosed embodiments are merely specific examples of this application, but this application is not limited thereto. Any variations that can be conceived by those skilled in the art should fall within the protection scope of this application.

Claims

1. A method for software upgrade of an unauthorized onboard computer, characterized in that, include: A1: The monitoring software of the unauthorized onboard computer performs a startup self-test during startup and establishes a working identifier for the business software system. A communication channel exists between the primary and backup onboard computers, used for the primary computer to send commands and data to the backup computer, and for the backup computer to send status data to the primary computer. The primary onboard computer can not only receive telemetry data from each onboard electronic device but also send control commands to each onboard electronic device; it is an authorized onboard computer. The backup computer cannot send control commands to any onboard electronic device; it is an unauthorized onboard computer. The authorized onboard computer can communicate with the unauthorized onboard computer through the communication channel. The onboard computer sends commands and data, and the unauthorized onboard computer can receive commands and data sent by the authorized onboard computer and perform corresponding operations according to the commands. The restart process of the unauthorized onboard computer is divided into cold start and warm start. Cold start is when the unauthorized onboard computer starts the monitoring software, and then the monitoring software moves the business software system code from the business software system code storage to memory for execution. Warm start is when the unauthorized onboard computer jumps to the business system software entry point in memory and restarts the business system software for some reason during the operation of the business software system. The business software system code is the executable code of the minimum system software, or the operating system image and driver executable file. A2: If the work identifier indicates that the unauthorized onboard computer is malfunctioning, causing the business software system of the unauthorized onboard computer to malfunction, the unauthorized onboard computer will perform a cold start, the monitoring software will enter a privileged state, and the business software system will not be migrated. The software will continue to send privileged status words to the authorized onboard computer. A3: The authorized onboard computer transmits the working identifier of the unauthorized computer to the satellite ground control station through the telemetry channel; A4: Based on the malfunction indicator, the satellite ground control station determines that the monitoring software of the unauthorized onboard computer has entered a privileged state. It then sends a command to stop granting privileges to the authorized onboard computer and forwards it to the monitoring software of the unauthorized onboard computer. A5: After receiving the instruction to stop sending privileges, the monitoring software of the unauthorized onboard computer stops sending privilege status words to the authorized computer; A6: The authorized onboard computer's business software receives the business software system code of the unauthorized onboard computer uploaded by the satellite ground tracking and control station, and sends the business software system code to the unauthorized computer; A7: The monitoring software of the unauthorized computer determines the correctness of the received business software system code: A8: The authorized onboard computer receives the reconfiguration instruction from the unauthorized onboard computer uploaded by the satellite ground control station and forwards it to the unauthorized onboard computer; A9: The unauthorized onboard computer receives the reconstruction instruction, exits the privileged state of the monitoring software, and performs reconstruction.

2. The method for software upgrade of an unauthorized onboard computer according to claim 1, characterized in that, A1: The monitoring software of the unauthorized onboard computer performs a startup self-test during the startup process and establishes a working identifier for the business software system, including: B1: The monitoring software of the unauthorized onboard computer reads the onboard computer system clock during the startup process and stores it in the important data area; B2: The monitoring software of the unauthorized onboard computer performs a startup self-test, which checks the time interval between the most recent startups. If the startup time intervals are too short for several consecutive times, it indicates that the business software system cannot work properly.

3. The method for software upgrade of an unauthorized onboard computer according to claim 2, characterized in that, Following steps B1 and B2, the following is also included: B3: Based on the working identifier of the business software system: If the work status indicates that the unauthorized onboard computer has malfunctioned, causing the business software system of the unauthorized onboard computer to malfunction, then proceed to B4. If the work indicator shows that the unauthorized onboard computer has not experienced any abnormalities and the business software system of the unauthorized onboard computer can work normally, then proceed to the cold start process. B4: The unauthorized onboard computer performs a cold start, the monitoring software enters a privileged state, does not perform business software system migration operations, and continuously sends privileged status words to the authorized onboard computer.

4. The method for software upgrade of an unauthorized onboard computer according to claim 3, characterized in that, Following step B4, the following is also included: B5: The authorized onboard computer will transmit the self-test result identifier of the unauthorized computer to the ground station through the telemetry channel.

5. The method for software upgrade of an unauthorized onboard computer according to claim 4, characterized in that, Following step B5, the following is also included: B6: After the satellite ground control station determines that the unauthorized onboard computer monitoring software has entered a privileged state, it sends a command to the authorized onboard computer to stop issuing privileges and forwards it to the unauthorized onboard computer monitoring software.

6. The method for software upgrade of an unauthorized onboard computer according to claim 5, characterized in that, Following step B6, the following is also included: B7: After receiving the instruction to stop sending privileges, the unauthorized onboard computer monitoring software stops sending privilege status words to authorized computers.

7. The method for software upgrade of an unauthorized onboard computer according to claim 6, characterized in that, Following step B7, the following is also included: B8: The authorized onboard computer receives the business software system code uploaded by the satellite ground tracking and control station and sends the business software system code to the unauthorized computer.

8. The method for software upgrade of an unauthorized onboard computer according to claim 7, characterized in that, Following step B8, the following is also included: B9: The unauthorized computer monitoring software determines the correctness of the received business software system code. If the received business software system code is correct, the monitoring software in the unauthorized computer will store the business software system code in the business software system code storage and then proceed to the refactoring process. If the received business software system code is incorrect, the monitoring software on the unauthorized computer will not store the business software system code in the business software system code storage, but will send an incorrect business software system code identifier to the authorized onboard computer, and then transfer to B10.

9. The method for software upgrade of an unauthorized onboard computer according to claim 8, characterized in that, Following step B9, the following is also included: B10: The authorized onboard computer transmits the incorrect identification of the business software system code sent by the unauthorized onboard computer monitoring software to the ground satellite tracking and control station through the telemetry channel, and then proceeds to B6.

10. The method for software upgrade of an unauthorized spaceborne computer according to claim 9, characterized in that, Following the 10 steps, the following is also included: B11: The authorized onboard computer receives the reconfiguration command from the unauthorized onboard computer uploaded by the satellite ground control station and forwards it to the unauthorized onboard computer monitoring software.

11. The method for software upgrade of an unauthorized spaceborne computer according to claim 10, characterized in that, Following step B11, the following is also included: B12: The unauthorized onboard computer monitoring software receives the reconstruction instruction, exits the privileged monitoring software state, and performs reconstruction.