An OTA updating method and device, electronic equipment and storage medium

By redundantly storing OTA update packages in satellite base stations and monitoring for anomalies in the storage media and main control unit, combined with security verification and radiation monitoring, the problem of poor reliability of OTA updates in radiation environments is solved, and a more stable OTA update process is achieved.

CN122240143APending Publication Date: 2026-06-19SHANGHAI SATELLITE NETWORK RESEARCH INSTITUTE CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHANGHAI SATELLITE NETWORK RESEARCH INSTITUTE CO LTD
Filing Date
2024-12-17
Publication Date
2026-06-19

Smart Images

  • Figure CN122240143A_ABST
    Figure CN122240143A_ABST
Patent Text Reader

Abstract

This application discloses an OTA update method, apparatus, electronic device, and storage medium. It receives an OTA update package and writes the file system image from the OTA update package into at least two storage media of a first main control unit. The file system image is then read from the at least two storage media, and an OTA update is performed based on the file system image. Considering the different radiation resistance capabilities of different storage media, the file system image in the OTA update package is redundantly stored in at least two storage media. This improves the security of the file system image storage in radiation scenarios. During OTA updates, the file system image is read from the at least two storage media, and the OTA update is performed based on the file system image. This improves the reliability and stability of OTA updates for electronic devices.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of satellite communication technology, and in particular to an OTA update method, apparatus, electronic device and storage medium. Background Technology

[0002] Traditional satellite internet is a network system based on satellite communication systems, serving internet applications and capable of independent operation. It typically comprises three main parts: satellite base stations in geostationary orbit, a ground network management system, and an antenna system. To achieve long lifespan and high value, satellite base station electronic information systems employ various radiation-resistant, mechanical, and thermal hardening measures. This results in relatively lower component performance, long development cycles, slow iteration updates, and high overall lifecycle costs. Emerging satellite internet constellations, on the other hand, are giant satellite communication systems composed of hundreds or thousands of satellites, offering advantages such as wide coverage, large communication capacity, and low transmission latency. To meet the requirements of large-scale constellations in terms of computing, data processing, massive data storage, and high-bandwidth data transmission performance, modern satellite systems inevitably utilize a large number of non-aerospace-grade commercial chips in their satellite base stations, including the main control unit that controls the entire base station's task processing and information transmission.

[0003] However, the space environment is constantly subject to various forms of radiation. When commercially available chips lacking radiation resistance are exposed to such harsh conditions, high-energy particles may collide with sensitive circuit nodes, causing chip failure and reducing the reliability of the entire system. This situation occurs even more frequently during the main control unit's frequent read and write operations on storage devices. Over-the-Air (OTA) technology, which enables remote software management through mobile communication interfaces, is widely used in satellite base stations to facilitate remote updates of base station firmware and software. However, existing OTA update methods typically do not consider the impact of the radiation environment on the system, leading to OTA update failures or anomalies at high radiation levels, further increasing the probability of instability or malfunction of the satellite base station. Therefore, providing a reliable OTA update solution is a technical problem that needs to be solved. Summary of the Invention

[0004] This application provides an OTA update method, apparatus, electronic device, and storage medium to solve the problem of poor reliability of existing OTA updates.

[0005] In a first aspect, this application provides an OTA update method applied to an electronic device, the method comprising:

[0006] Receive Over-the-Air (OTA) update packets and write the file system image in the OTA update packets into at least two storage media of the first main control unit;

[0007] The file system image is read from the at least two storage media, and an OTA update is performed based on the file system image.

[0008] In an optional implementation, before writing the file system image from the OTA update package into at least two storage media of the first master control unit, the method further includes:

[0009] If the performance of the first main control unit is determined to be abnormal based on the first parameter of the first main control unit, the alternative second main control unit is selected as the first main control unit; wherein, the first parameter includes at least one of voltage, current, temperature and power consumption.

[0010] In an optional implementation, before writing the file system image from the OTA update package into at least two storage media of the first master control unit, the method further includes:

[0011] If it is determined that the first master control unit is experiencing a communication failure, the second master control unit will be selected as the first master control unit.

[0012] In one optional implementation, determining that the first master control unit communication is abnormal includes:

[0013] If the interaction process between the microcontroller unit (MCU) and the first main control unit according to the heartbeat signal at the first frequency is abnormal, it is determined that the communication of the first main control unit is abnormal.

[0014] In one optional implementation, during the OTA update process based on the file system image, the method further includes:

[0015] The MCU and the first main control unit interact with each other using a heartbeat signal at a second frequency. If the heartbeat signal interaction process is abnormal, the OTA update process based on the file system image is suspended. The second frequency is greater than the first frequency.

[0016] In an optional implementation, before writing the file system image from the OTA update package into at least two storage media of the first master control unit, the method further includes:

[0017] If the functions of at least two storage media are all abnormal, the alternative second master control unit will be used as the first master control unit.

[0018] In one alternative implementation, reading the file system image from the at least two storage media includes:

[0019] The file system image is read from at least one functional storage medium.

[0020] In an optional implementation, before writing the file system image from the OTA update package to at least two storage media of the first master control unit, the method further includes:

[0021] The OTA update package is subjected to security verification. If the security verification passes, the file system image in the OTA update package is written to at least two storage media of the first main control unit. The security verification includes at least one of integrity verification and digital signature verification.

[0022] In one optional implementation, security verification of the OTA update package includes:

[0023] The OTA update package is written into the dynamic random access memory (DDR), and the security of the OTA update package is verified in the DDR.

[0024] In one optional implementation, security verification of the OTA update package includes:

[0025] The OTA update package is written to the first partition in DDR, and the security of the OTA update package is verified in the first partition.

[0026] In one optional implementation, reading the file system image from the at least two storage media and performing OTA updates based on the file system image includes:

[0027] The file system image is read from the at least two storage media, loaded into the DDR, and then run in the DDR to perform an OTA update.

[0028] In one optional implementation, reading the file system image from the at least two storage media and performing OTA updates based on the file system image includes:

[0029] The file system image is read from the at least two storage media, the file system image is loaded into a second partition in DDR, and the file system image is run in the second partition for OTA update.

[0030] In one optional implementation, during the OTA update process based on the file system image, the method further includes:

[0031] If the detected radiation intensity is greater than the first radiation intensity threshold, the OTA update process based on the file system image is suspended.

[0032] In one alternative implementation, the at least two storage media include at least two of the following: non-volatile flash memory (NRFlash) storage media, non-volatile memory transfer specification (NVME) storage media, embedded multimedia card (EMMC) storage media, and flash memory card (TF Card) storage media.

[0033] In one optional implementation, the OTA update package includes a first-stage file system image, a second-stage file system image, a third-stage file system image, and a fourth-stage file system image.

[0034] Write the first-stage file system image into the NOR Flash storage medium;

[0035] Write the first-stage file system image, the second-stage file system image, the third-stage file system image, and the fourth-stage file system image into the TF Card storage medium;

[0036] Write the first-stage file system image, the second-stage file system image, the third-stage file system image, and the fourth-stage file system image into the EMMC storage medium;

[0037] Write the second-stage file system image, the third-stage file system image, and the fourth-stage file system image into the NVME storage medium.

[0038] Secondly, this application provides an OTA update device, the device comprising: a first main control unit, a communication bus, and a switch; the first main control unit includes at least two storage media;

[0039] The first main control unit receives Over-the-Air (OTA) update packages via the communication bus and the switch, writes the file system image in the OTA update package into the at least two storage media respectively, reads the file system image from the at least two storage media, and performs OTA updates based on the file system image.

[0040] In one optional implementation, the device further includes: a microcontroller unit (MCU) and at least one second main control unit;

[0041] The MCU obtains and determines that the first main control unit is malfunctioning based on the first parameter of the first main control unit through the communication bus, and selects the second main control unit as the first main control unit; wherein, the first parameter includes at least one of voltage, current, temperature and power consumption.

[0042] In one alternative implementation, the at least two storage media include at least two of the following: non-volatile flash memory (NRFlash) storage media, non-volatile memory transfer specification (NVME) storage media, embedded multimedia card (EMMC) storage media, and flash memory card (TF Card) storage media.

[0043] In one optional implementation, the OTA update package includes a first-stage file system image, a second-stage file system image, a third-stage file system image, and a fourth-stage file system image.

[0044] The first master control unit writes the first-stage file system image to the NOR Flash storage medium; writes the first-stage file system image, the second-stage file system image, the third-stage file system image, and the fourth-stage file system image to the TF Card storage medium; writes the first-stage file system image, the second-stage file system image, the third-stage file system image, and the fourth-stage file system image to the EMMC storage medium; and writes the second-stage file system image, the third-stage file system image, and the fourth-stage file system image to the NVME storage medium.

[0045] Thirdly, this application provides another OTA update device for use in electronic devices, the device comprising:

[0046] The receiving module is used to receive Over-the-Air (OTA) update packages and write the file system image in the OTA update package into at least two storage media of the first main control unit.

[0047] An update module is used to read the file system image from the at least two storage media and perform OTA updates based on the file system image.

[0048] In one alternative embodiment, the device further includes:

[0049] The determining module is configured to, if it is determined that the performance of the first main control unit is abnormal based on the first parameter of the first main control unit, select a second candidate main control unit as the first main control unit; wherein the first parameter includes at least one parameter among voltage, current, temperature and power consumption.

[0050] In one optional implementation, the determining module is further configured to, if it is determined that the first master control unit is in communication abnormality, select a candidate second master control unit as the first master control unit.

[0051] In one optional implementation, the determining module is specifically used to determine that the communication of the first main control unit is abnormal if the interaction process between the microcontroller unit (MCU) and the first main control unit according to the heartbeat signal at the first frequency is abnormal.

[0052] In one optional implementation, the update module is further configured to allow the MCU and the first main control unit to interact with a heartbeat signal at a second frequency, and if the heartbeat signal interaction process is abnormal, to suspend the OTA update process based on the file system image; wherein the second frequency is greater than the first frequency.

[0053] In one optional implementation, the determining module is further configured to, if the functions of the at least two storage media are all abnormal, select the alternative second master control unit as the first master control unit.

[0054] In one alternative implementation, the update module is specifically configured to read the file system image from at least one functional storage medium.

[0055] In one alternative embodiment, the device further includes:

[0056] The verification module is used to perform security verification on the OTA update package. If the security verification passes, the file system image in the OTA update package is written to at least two storage media of the first main control unit. The security verification includes at least one of integrity verification and digital signature verification.

[0057] In one optional implementation, the verification module is specifically used to write the OTA update package into the dynamic random access memory (DDR) and perform security verification on the OTA update package in the DDR.

[0058] In one optional implementation, the verification module is specifically used to write the OTA update package into a first partition in DDR and perform security verification on the OTA update package in the first partition.

[0059] In one optional implementation, the update module is specifically configured to read the file system image from the at least two storage media, load the file system image into the DDR, and run the file system image in the DDR for OTA update.

[0060] In one optional implementation, the update module is specifically configured to read the file system image from the at least two storage media, load the file system image into a second partition in DDR, and run the file system image in the second partition for OTA update.

[0061] In one alternative embodiment, the device further includes:

[0062] The monitoring module is used to suspend the OTA update process based on the file system image if the detected radiation intensity is greater than a first radiation intensity threshold.

[0063] In one alternative implementation, the at least two storage media include at least two of the following: non-volatile flash memory (NRFlash) storage media, non-volatile memory transfer specification (NVME) storage media, embedded multimedia card (EMMC) storage media, and flash memory card (TF Card) storage media.

[0064] In one optional implementation, the OTA update package includes a first-stage file system image, a second-stage file system image, a third-stage file system image, and a fourth-stage file system image.

[0065] The receiving module is specifically used to write the first-stage file system image to the NOR Flash storage medium; write the first-stage file system image, the second-stage file system image, the third-stage file system image, and the fourth-stage file system image to the TF Card storage medium; write the first-stage file system image, the second-stage file system image, the third-stage file system image, and the fourth-stage file system image to the EMMC storage medium; and write the second-stage file system image, the third-stage file system image, and the fourth-stage file system image to the NVME storage medium.

[0066] Fourthly, this application provides an electronic device, including a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory communicate with each other through the communication bus;

[0067] Memory, used to store computer programs;

[0068] A processor, used to execute a program stored in memory, implements the method described.

[0069] Fifthly, this application provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the method described herein.

[0070] In a sixth aspect, this application provides a computer program product comprising an executable program that is executed by a processor to implement the method described.

[0071] This application takes into account the varying radiation resistance of different storage media and redundantly stores the file system image in the OTA update package across at least two storage media. This improves the security of the file system image storage in radiation-prone environments. During OTA updates, the file system image is read from the at least two storage media, and the OTA update is performed based on the file system image. This enhances the reliability and stability of OTA updates for electronic devices. Attached Figure Description

[0072] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0073] Figure 1 This application provides a schematic diagram of the first type of OTA update process;

[0074] Figure 2 This application provides a schematic diagram of a second type of OTA update process;

[0075] Figure 3 A schematic diagram of the third type of OTA update process provided in this application;

[0076] Figure 4 This application provides a schematic diagram of the fourth type of OTA update process;

[0077] Figure 5 This application provides a schematic diagram of the fifth type of OTA update process;

[0078] Figure 6 A schematic diagram of the sixth type of OTA update process provided in this application;

[0079] Figure 7 A diagram illustrating the seventh type of OTA update process provided in this application;

[0080] Figure 8 This application provides a schematic diagram of the eighth type of OTA update process;

[0081] Figure 9 A diagram illustrating the ninth type of OTA update process provided in this application;

[0082] Figure 10 A diagram illustrating the tenth type of OTA update process provided in this application;

[0083] Figure 11 A schematic diagram of the eleventh OTA update process provided in this application;

[0084] Figure 12 This application provides a schematic diagram of the twelfth type of OTA update process;

[0085] Figure 13 A schematic diagram of an OTA update device provided in this application;

[0086] Figure 14 This is a schematic diagram of the redundant motherboard architecture for the satellite base station provided in this application;

[0087] Figure 15 This is a schematic diagram of the DDR partition structure provided in this application;

[0088] Figure 16 This application provides a schematic diagram of a multi-storage-media boot partition.

[0089] Figure 17 A schematic diagram of another OTA update device provided in this application;

[0090] Figure 18 A schematic diagram of the electronic device structure provided in this application. Detailed Implementation

[0091] To make the objectives and implementation methods of this application clearer, the exemplary implementation methods of this application will be clearly and completely described below with reference to the accompanying drawings of the exemplary embodiments of this application. Obviously, the exemplary embodiments described are only some embodiments of this application, and not all embodiments.

[0092] It should be noted that the brief descriptions of terms in this application are only for the convenience of understanding the embodiments described below, and are not intended to limit the embodiments of this application. Unless otherwise stated, these terms should be understood in their ordinary and common meaning.

[0093] The terms "first," "second," "third," etc., used in the specification, claims, and accompanying drawings of this application are used to distinguish similar or related objects or entities, and do not necessarily imply a specific order or sequence, unless otherwise specified. It should be understood that such terms are interchangeable where appropriate.

[0094] The terms “comprising” and “having”, and any variations thereof, are intended to cover but not exclude inclusion, for example, a product or device that includes a range of components is not necessarily limited to all of the components that are clearly listed, but may include other components that are not clearly listed or that are inherent to such product or device.

[0095] The term "module" refers to any known or subsequently developed hardware, software, firmware, artificial intelligence, fuzzy logic, or combination of hardware and / or software code that is capable of performing the functions associated with that element.

[0096] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features therein. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of this application.

[0097] For ease of explanation, the above description has been provided in conjunction with specific embodiments. However, the above exemplary discussion is not intended to be exhaustive or to limit the embodiments to the specific forms disclosed above. Various modifications and variations can be obtained based on the above teachings. The selection and description of the above embodiments are for the purpose of better explaining the principles and practical applications, thereby enabling those skilled in the art to better utilize the described embodiments and various different variations of embodiments suitable for specific use considerations.

[0098] Figure 1 The first OTA update process provided in this application includes the following steps:

[0099] S101: Receive Over-the-Air (OTA) update packets and write the file system image in the OTA update packets into at least two storage media of the first main control unit;

[0100] S102: Read the file system image from the at least two storage media and perform OTA update based on the file system image.

[0101] The OTA update method provided in this application is applied to electronic devices, which can be network-side devices such as satellites or network-side eNBs (eNBs, evolved NodeBs, wireless base stations); terminal devices such as mobile phones and computers; servers; and vehicle-mounted terminal devices. The electronic device communicates with a network management system. When an Over-The-Air (OTA) update is required, the network management system sends an OTA update package to the electronic device, carrying the file system image required for the OTA update. The electronic device receives the OTA update package sent by the network management system and obtains the file system image carried within it by parsing the OTA update package. In this application, the main control unit in the powered-on state of the electronic device is designated as the first main control unit. The first main control unit includes at least two storage media. These at least two storage media can be selected from at least two of the following: NOR Flash storage media, NVME storage media, EMMC storage media, and TF Card storage media. After obtaining the file system image from the OTA update package, the electronic device writes the file system image into the at least two storage media of the first main control unit. Preferably, the first main control unit may simultaneously include NOR Flash storage media, NVME storage media, eMMC storage media, and TF Card storage media. After the electronic device obtains the file system image from the OTA update package, it writes the file system image to the NOR Flash storage media, NVME storage media, eMMC storage media, and TF Card storage media, respectively.

[0102] Optionally, the OTA update package can carry multiple file system images, such as four-stage file system images: a first-stage file system image, a second-stage file system image, a third-stage file system image, and a fourth-stage file system image. The OTA update process executes the first-stage file system image, the second-stage file system image, the third-stage file system image, and the fourth-stage file system image in sequence. If the first master control unit includes NOR Flash storage media, NVME storage media, eMMC storage media, and TF Card storage media, then the first-stage file system image can be written to the NOR Flash storage media; the first-stage file system image, the second-stage file system image, the third-stage file system image, and the fourth-stage file system image can be written to the NVME storage media; the first-stage file system image, the second-stage file system image, the third-stage file system image, and the fourth-stage file system image can be written to the eMMC storage media; and the second-stage file system image, the third-stage file system image, and the fourth-stage file system image can be written to the TF Card storage media.

[0103] During OTA updates, file system images are read from at least two storage media, and the OTA update is performed based on these images. Since the radiation environment affects different storage media to varying degrees, some storage media may malfunction. In this application, a boot selection pin Boot management module can be deployed in the first main control unit. This module monitors the functionality of each storage media. Each storage media's functionality includes read / write and storage functions. During OTA updates, the functional storage media can be identified from at least two storage media. In one optional implementation, reading the file system image from the at least two storage media includes: reading the file system image from at least one functional storage media. The file system image is then read from the functional storage media, and the file system image is run to perform the OTA update.

[0104] For example, there are four stages of file system images: Stage 1, Stage 2, Stage 3, and Stage 4. The first main control unit includes NOR Flash storage media, NVME storage media, eMMC storage media, and a TF Card storage media. The first stage file system image is written to the NOR Flash storage media; the first, second, third, and fourth stage file system images are written to the NVME storage media; the first, second, third, and fourth stage file system images are written to the eMMC storage media; and the second, third, and fourth stage file system images are written to the TF Card storage media. If the Boot Management module detects malfunctions in the NOR Flash and NVME storage media, it can read and run the respective stage file system images from the eMMC and TF Card storage media to achieve OTA updates. Optionally, based on control commands from the network management system, the first-stage file system image, second-stage file system image, third-stage file system image, and fourth-stage file system image can be read from the EMMC storage medium and run sequentially to achieve OTA updates. Alternatively, based on control commands from the network management system, file system images of different stages can be read from different storage media and run in a preset order to achieve OTA updates. For example, the first-stage and second-stage file system images can be read from the EMMC storage medium, and the third-stage and fourth-stage file system images can be read from the TF Card storage medium. The file system images can then be run sequentially in the order of the first-stage, second-stage, third-stage, and fourth-stage file system images to achieve OTA updates.

[0105] This application takes into account the varying radiation resistance of different storage media and redundantly stores the file system image in the OTA update package across at least two storage media. This improves the security of the file system image storage in radiation-prone environments. During OTA updates, the file system image is read from the at least two storage media, and the OTA update is performed based on the file system image. This enhances the reliability and stability of OTA updates for electronic devices.

[0106] In one alternative implementation, Figure 2 The second OTA update process provided in this application includes the following steps:

[0107] S201: If the performance of the first main control unit is determined to be abnormal based on the first parameter of the first main control unit, the alternative second main control unit shall be selected as the first main control unit; wherein, the first parameter includes at least one parameter among voltage, current, temperature and power consumption;

[0108] S202: Receive Over-the-Air (OTA) update packets and write the file system image in the OTA update packets into at least two storage media of the first main control unit;

[0109] S203: Read the file system image from the at least two storage media and perform an OTA update based on the file system image.

[0110] In this application, the electronic device includes N main control units, all of which have the same structure and include at least two storage media. The control unit currently in the power-on state is designated as the first control unit, and the control unit in the power-off state is designated as a candidate second control unit. Optionally, if there are multiple control units in the power-off state, any one of them can be designated as a candidate second control unit. Further optionally, each main control unit is sequentially numbered, for example, control unit 0, control unit 1, ..., control unit N. Then, the control unit with the next highest number after the first control unit can be designated as a candidate second control unit.

[0111] The electronic device includes a microcontroller unit (MCU), which acts as a health management unit and is connected to N main control units. The MCU can acquire first parameters of the first main control unit, which include at least one of voltage, current, temperature, and power consumption. Based on these first parameters, it determines whether the performance of the first main control unit is abnormal. Optionally, the first parameters include voltage, current, temperature, and power consumption. The MCU stores a corresponding normal range for each of these parameters. If the voltage, current, temperature, and power consumption of the first main control unit are within the normal range, then the performance of the first main control unit is determined to be normal. If any of these parameters are outside their corresponding normal range, then the performance of the first main control unit is determined to be abnormal.

[0112] If the performance of the first main control unit is determined to be abnormal based on its first parameters, a backup second main control unit is selected as the first main control unit. Then, an Over-the-Air (OTA) update package is received, and the file system image from the OTA update package is written to at least two storage media of the first main control unit. During OTA updates, the file system image is read from the at least two storage media, and an OTA update is performed based on the file system image. Because in this application, if the performance of the first main control unit is determined to be abnormal based on its first parameters, a backup second main control unit is selected as the first main control unit, the redundancy of the main control units in the electronic device further improves the reliability and stability of OTA updates.

[0113] In one alternative implementation, Figure 3 The third OTA update process provided in this application includes the following steps:

[0114] S301: If it is determined that the communication of the first main control unit is abnormal, the alternative second main control unit will be used as the first main control unit;

[0115] S302: Receive Over-the-Air (OTA) update packets and write the file system image in the OTA update packets into at least two storage media of the first main control unit;

[0116] S303: Read the file system image from the at least two storage media and perform an OTA update based on the file system image.

[0117] In this application, the MCU and the first master control unit communicate via a communication handshake mechanism. Upon startup, the first master control unit sends a handshake request signal to the MCU. After receiving the handshake request signal, the MCU sends a handshake response signal to the first master control unit. If the first master control unit does not send a handshake request signal to the MCU, meaning the MCU does not receive a handshake request signal not sent by the first master control unit, a communication anomaly is determined according to the communication handshake mechanism, and a backup second master control unit is selected as the first master control unit. Subsequently, over-the-air (OTA) update packages are received, and the file system image from the OTA update package is written to at least two storage media of the first master control unit. During OTA updates, the file system image is read from the at least two storage media, and the OTA update is performed based on the file system image. This further improves the reliability and stability of OTA updates.

[0118] In one alternative implementation, Figure 4 The fourth OTA update process provided in this application includes the following steps:

[0119] S401: If the interaction process between the microcontroller unit (MCU) and the first main control unit according to the heartbeat signal at the first frequency is abnormal, it is determined that the communication of the first main control unit is abnormal, and the alternative second main control unit is used as the first main control unit.

[0120] S402: Receive Over-the-Air (OTA) update packets and write the file system image in the OTA update packets into at least two storage media of the first main control unit;

[0121] S403: Read the file system image from the at least two storage media and perform an OTA update based on the file system image.

[0122] In this application, the microcontroller unit (MCU) and the first master control unit interact with each other via heartbeat signals at a first frequency. At the first frequency, the first master control unit sends a heartbeat signal to the MCU, and the MCU, upon receiving the heartbeat signal, sends a heartbeat signal back to the first master control unit. If the MCU does not receive the heartbeat signal from the first master control unit, it indicates a communication abnormality. In this case, a backup second master control unit is selected as the first master control unit. Then, an over-the-air (OTA) update package is received, and the file system image from the OTA update package is written to at least two storage media of the first master control unit. During OTA updates, the file system image is read from the at least two storage media, and an OTA update is performed based on the file system image. This further improves the reliability and stability of OTA updates.

[0123] In one alternative implementation, Figure 5 The fifth OTA update process provided in this application includes the following steps:

[0124] S501: Receive Over-the-Air (OTA) update packets and write the file system image in the OTA update packets into at least two storage media of the first main control unit;

[0125] S502: Read the file system image from the at least two storage media and perform OTA update based on the file system image; wherein, the MCU and the first main control unit interact with a heartbeat signal at a second frequency, and if the heartbeat signal interaction process is abnormal, the OTA update process based on the file system image is suspended; wherein, the second frequency is greater than the first frequency.

[0126] In this application, during OTA updates based on a file system image, the microcontroller unit (MCU) and the first master control unit interact with each other using a heartbeat signal at a second frequency, which is greater than the first frequency. At the second frequency, the first master control unit sends a heartbeat signal to the MCU, and the MCU, upon receiving the heartbeat signal, sends a heartbeat signal back to the first master control unit. If the MCU does not receive the heartbeat signal from the first master control unit, it indicates a communication abnormality, and the OTA update process based on the file system image is paused. Optionally, a preset time can be waited to determine if the heartbeat signal has recovered. If the heartbeat signal recovers, the OTA update process based on the file system image continues. If not, a second master control unit can be selected as the first master control unit; then, an over-the-air (OTA) update package is received, and the file system image from the OTA update package is written to at least two storage media of the first master control unit; during OTA updates, the file system image is read from the at least two storage media, and an OTA update is performed based on the file system image. This further improves the reliability and stability of OTA updates.

[0127] In one alternative implementation, Figure 6 The sixth OTA update process provided in this application includes the following steps:

[0128] S601: If the functions of at least two storage media are all abnormal, the alternative second master control unit shall be used as the first master control unit.

[0129] S602: Receive Over-the-Air (OTA) update packets and write the file system image in the OTA update packets into at least two storage media of the first main control unit;

[0130] S603: Read the file system image from the at least two storage media and perform an OTA update based on the file system image.

[0131] In this application, a boot selection pin Boot management module can be deployed in the first main control unit. This module monitors the functionality of each storage medium. Each storage medium includes read and write capabilities. If at least two storage media are found to be malfunctioning—meaning all storage media in the first main control unit are detected to be malfunctioning—then a backup second main control unit is selected as the first main control unit. Then, an Over-the-Air (OTA) update package is received, and the file system image from the OTA update package is written to at least two storage media of the first main control unit. During OTA updates, the file system image is read from the at least two storage media, and an OTA update is performed based on the file system image. This further improves the reliability and stability of OTA updates.

[0132] In one optional implementation, before selecting the alternative second master control unit as the first master control unit, the first master control unit can be restarted. After restarting, it is checked whether the first master control unit can normally execute the OTA update task, that is, the performance, communication function, and storage medium function of the first master control unit are checked again. If all functions are normal, the OTA update continues based on the first master control unit. If after a preset number of restarts, such as 3 restarts, the first master control unit is still found to be malfunctioning, the first master control unit is marked as faulty, and the process of selecting the alternative second master control unit as the first master control unit is initiated.

[0133] In one alternative implementation, Figure 7 The seventh OTA update process provided in this application includes the following steps:

[0134] S701: Receives an Over-the-Air (OTA) update package, performs security verification on the OTA update package, and if the security verification passes, writes the file system image in the OTA update package to at least two storage media of the first main control unit; wherein, the security verification includes at least one of integrity verification and digital signature verification;

[0135] S702: Read the file system image from the at least two storage media and perform an OTA update based on the file system image.

[0136] In this application, after receiving an OTA update package, the electronic device first performs security verification on the OTA update package. Optionally, the security verification of the OTA update package can be performed using an integrity verification method, a digital signature verification method, or a combination of both. If the verification passes, the OTA update package is considered secure. Then, the file system image from the OTA update package is written to at least two storage media of the first main control unit. During the OTA update, the file system image is read from the at least two storage media, and the OTA update is performed based on the file system image. This further ensures the reliability and stability of the OTA update.

[0137] In one alternative implementation, Figure 8 The eighth OTA update process provided in this application includes the following steps:

[0138] S801: Receive OTA update package, write OTA update package into dynamic random access memory DDR, perform security verification on OTA update package in DDR, if security verification passes, write the file system image in OTA update package into at least two storage media of the first main control unit respectively.

[0139] S802: Read the file system image from the at least two storage media and perform an OTA update based on the file system image.

[0140] In this application, the first main control unit further includes a Dynamic Random Access Memory (DDR). After receiving an OTA update package, the electronic device first writes the OTA update package into the DDR. The DDR performs security verification on the OTA update package using at least one verification method, namely integrity verification and digital signature verification. After successful verification, the file system image from the OTA update package is written to at least two storage media of the first main control unit. During OTA updates, the file system image is read from the at least two storage media, and the OTA update is performed based on the file system image. In this application, performing security verification on the OTA update package in the DDR reduces the number of read / write operations on the storage media and the dependence on the storage media, thus improving the lifespan of the storage media. This further ensures the stability of the first main control unit's functionality.

[0141] In one alternative implementation, Figure 9 The ninth OTA update process provided in this application includes the following steps:

[0142] S901: Receives an Over-the-Air (OTA) update package, writes the OTA update package into the first partition of DDR, performs security verification on the OTA update package in the first partition, and if the security verification passes, writes the file system image in the OTA update package into at least two storage media of the first main control unit.

[0143] S902: Read the file system image from the at least two storage media and perform an OTA update based on the file system image.

[0144] The first partition refers to the partition within the DDR memory allocated for OTA update packages. After receiving an OTA update package, the electronic device writes it to the first partition in the DDR memory, where security verification of the OTA update package is performed. This avoids data interference from other data stored in the DDR memory during the security verification process of the OTA update package, ensuring the accuracy of the OTA data packet security verification and thus guaranteeing the reliability of the OTA update.

[0145] In one alternative implementation, Figure 10The tenth OTA update process provided in this application includes the following steps:

[0146] S111: Receive an Over-the-Air (OTA) update package, write the OTA update package into the first partition of DDR, perform security verification on the OTA update package in the first partition, and if the security verification is successful, write the file system image in the OTA update package into at least two storage media of the first main control unit respectively.

[0147] S112: Read the file system image from the at least two storage media, load the file system image into the DDR, and run the file system image in the DDR to perform OTA update.

[0148] In this application, during OTA updates, the file system image is read from at least two storage media, loaded into DDR, and then run on the DDR to perform the OTA update. This reduces the number of read / write operations on the storage media and its dependence on them, thus extending the storage media's lifespan. Furthermore, loading the file system image into DDR and running it on the DDR further improves the reliability and stability of the OTA update.

[0149] In one alternative implementation, Figure 11 The eleventh OTA update process provided in this application includes the following steps:

[0150] S121: Receive an Over-the-Air (OTA) update package, write the OTA update package into the first partition of DDR, perform security verification on the OTA update package in the first partition, and if the security verification is successful, write the file system image in the OTA update package into at least two storage media of the first main control unit respectively.

[0151] S122: Read the file system image from the at least two storage media, load the file system image into the second partition in DDR, and run the file system image in the second partition for OTA update.

[0152] In this application, during OTA updates, the file system image is read from the at least two storage media, loaded into a second partition in the DDR, and then the file system image is run on the second partition to perform the OTA update. This further ensures the reliability of the OTA update.

[0153] In one alternative implementation, Figure 12The twelfth OTA update process provided in this application includes the following steps:

[0154] S131: Receive Over-the-Air (OTA) update packets and write the file system image in the OTA update packets into at least two storage media of the first main control unit;

[0155] S132: Read the file system image from the at least two storage media and perform OTA update based on the file system image; wherein, if the radiation intensity is detected to be greater than the first radiation intensity threshold, the OTA update process based on the file system image is suspended.

[0156] In this application, the network-side base station also includes a radiation environment monitoring module, such as a space situation environment forecasting and early warning system. The radiation environment monitoring module monitors the radiation intensity of the external environment in which the electronic equipment is located. If the detected radiation intensity exceeds a first radiation intensity threshold, it indicates that the radiation is high and will significantly interfere with or affect the OTA update process. In this case, the OTA update process based on the file system image is suspended. When the detected radiation intensity is not greater than the first radiation intensity threshold, the OTA update process based on the file system image continues. It should be noted that if the detected radiation intensity is not greater than the first radiation intensity threshold, and the duration of this period reaches a preset duration threshold, the OTA update process based on the file system image continues. This further ensures the reliability and stability of the OTA update.

[0157] Figure 13 This application provides a schematic diagram of an OTA update device structure, the device comprising: a first main control unit 141, a communication bus 142, and a switch 143; the first main control unit 141 includes at least two storage media.

[0158] The first main control unit 141 receives Over-the-Air (OTA) update packets via the communication bus 142 and the switch 143, writes the file system image in the OTA update packet into the at least two storage media respectively, reads the file system image from the at least two storage media, and performs OTA updates based on the file system image.

[0159] like Figure 13 As shown, the first main control unit 141 and the switch 143 are connected via a communication bus 142. The switch 143 is also connected to an external network management system. The first main control unit 141 receives OTA update packages sent by the gateway system through the communication bus 142 and the switch 143.

[0160] like Figure 13As shown, the device further includes: a microcontroller unit MCU 144 and at least one second main control unit 145;

[0161] The MCU144 obtains and determines that the first main control unit 141 is malfunctioning based on the first parameter of the first main control unit 141 through the communication bus 142, and selects the alternative second main control unit 145 as the first main control unit; wherein, the first parameter includes at least one of voltage, current, temperature and power consumption.

[0162] The at least two storage media include at least two of the following: NOR Flash storage media, NVME storage media, EMMC storage media for embedded multimedia cards, and TF Card storage media.

[0163] The OTA update package includes a first-stage file system image, a second-stage file system image, a third-stage file system image, and a fourth-stage file system image.

[0164] The first main control unit 141 writes the first stage file system image to the NOR Flash storage medium; writes the first stage file system image, the second stage file system image, the third stage file system image, and the fourth stage file system image to the TF Card storage medium; writes the first stage file system image, the second stage file system image, the third stage file system image, and the fourth stage file system image to the EMMC storage medium; and writes the second stage file system image, the third stage file system image, and the fourth stage file system image to the NVME storage medium.

[0165] like Figure 13 As shown, the first main control unit 141 further includes a Boot management module and a Dynamic Random Access Memory (DDR). If the Boot management module detects that the functions of at least two storage media in the first main control unit are abnormal, it will select a backup second main control unit as the first main control unit. The first main control unit writes the OTA update package to the DDR, performs security verification on the OTA update package in the DDR, and if the security verification passes, writes the file system image in the OTA update package to at least two storage media of the first main control unit respectively; wherein, the security verification includes at least one of integrity verification and digital signature verification.

[0166] It should be noted that at least one of the second master control units also includes at least two of the following: NOR Flash storage medium, NVME storage medium, EMMC storage medium for embedded multimedia cards, and TF Card storage medium, as well as a Boot management module and DDR.

[0167] The following section uses an electronic device as an example of a satellite base station, and provides a detailed explanation of the OTA update process with reference to the accompanying drawings. The purpose of this application is to provide a radiation-resistant redundant motherboard architecture for satellite base stations and a collaborative OTA update method. This aims to significantly improve the reliability and stability of OTA updates for satellite base stations in high-radiation environments by introducing a redundant main control unit architecture with health management, an OTA management mechanism for storage media in the main control unit, and a multi-storage-media collaborative OTA update strategy in the main control unit.

[0168] Figure 14 The schematic diagram of the redundant motherboard architecture for satellite base stations provided in this application shows a hardware structure comprising N main control units, a health management unit, and a switch. All main control units exchange data with the health management unit and the switch via a communication bus. This architecture aims to improve the reliability and system stability of satellite base stations in high-radiation environments through the coordinated operation of multiple redundant main control units. The health management unit can be an MCU.

[0169] The main control unit is the core processor of the satellite base station, responsible for executing various critical tasks. To improve the radiation resistance of the satellite base station, this application designs N redundant main control units (N≥2). Each main control unit has independent processing capabilities and can quickly take over tasks when other main control units fail.

[0170] The main control unit interacts with the health management unit and the switch via a communication bus to ensure smooth data transmission during system operation.

[0171] The health management unit is responsible for monitoring the operational status of all main control units. This unit collects operating parameters of the main control units, such as voltage, current, temperature, and power consumption, to assess their health status in real time. When a main control unit that is powered on is detected to have experienced performance degradation or malfunction due to radiation or other environmental factors, the health management unit will send an alarm to the satellite base station and trigger a redundancy switching mechanism, automatically switching to a healthy backup main control unit to ensure continuous and stable system operation.

[0172] The switch is the core hub for data exchange, responsible for data routing and distribution between different master control units and between master control units and external network management systems or other devices or networks. Each master control unit is connected to the switch via a communication bus, ensuring the real-time and efficient transmission of all data. When redundancy switching occurs, the switch automatically adjusts the data flow to ensure that the currently operating master control unit can continue to receive and send data without data loss or delay due to master control unit switching.

[0173] The communication bus is the basic data transmission channel of the redundant motherboard architecture, connecting the main control unit, health management unit, and switch.

[0174] In one alternative implementation, the communication bus can use a model with high bandwidth and high reliability, capable of withstanding electromagnetic interference in high-radiation environments, ensuring the accuracy and stability of data transmission.

[0175] To address the shortcomings of commercial storage devices, such as lack of radiation resistance and susceptibility to damage during repeated read / write operations, this application designs a multi-backup storage and DDR file system architecture. Each main control unit includes multiple types of storage media to enhance radiation resistance and reliability. Specifically, these include: NOR Flash: used to store core firmware and bootloaders, offering good radiation resistance but with a limited number of write cycles; NVME, eMMC, and TFCard: serving as the primary file storage media for storing data, logs, and applications. By redundantly backing up critical data across multiple storage media, the system can recover data from other backup media even in the event of a single storage media failure, effectively improving data security in radiation-resistant environments.

[0176] In one alternative implementation, in order to reduce write operations to fragile storage media (such as NVME, EMMC, TFCard), the file system image is not run directly on these commercial storage media in this application. Instead, the file system image is run through dynamic random access memory (DDR). This not only reduces the frequent write operations to flash storage media such as NVME, EMMC, and TFCard, extending the service life of the storage media, but also improves the overall operating speed and radiation resistance of the system.

[0177] In an optional implementation, the main control unit further includes a boot selection pin and a boot management module for system startup, booting, and management. This module is responsible for receiving instructions from the health management unit to load the bootloader from different storage media, including a boot circuit and firmware burning and debugging interfaces. The boot control circuit controls the system's power-on sequence, boot sequence, and boot recovery in abnormal situations. The burning interface is used for firmware burning and debugging. Through these interfaces, firmware burning, debugging, and recovery operations can be performed on the ground or in orbit, further improving the system's maintainability and flexibility. Optionally, the burning interface uses USB, UART, JTAG, or a combination of multiple interfaces.

[0178] The multi-backup storage media and DDR file system architecture are used to store file system images loaded from NVME, eMMC, or TF Card. Each time the system boots, the file system image is read from the storage media and loaded into the DDR. All read and write operations on the file system image are performed in the DDR, avoiding excessive operations on non-radiation-resistant storage media.

[0179] In one optional implementation, during system startup, the bootloader reads the file system image from multiple backup storage media and loads it completely into DDR for decompression. The decompressed file system image runs entirely in DDR, significantly reducing dependence on the underlying storage media. Data is only written back to the storage media when persistence is required, ensuring the lifespan of the storage media and data security. Specifically, when data persistence is required, the network management system sends a write-back command to the satellite base station, at which point the data is written back to the storage media.

[0180] Figure 15 This is a schematic diagram of the DDR partition structure provided in this application, as shown below. Figure 15 As shown, this application proposes a DDR partition design for multiple backup storage and OTA to ensure the security and efficiency of the OTA update process. By dividing the DDR into multiple functional partitions, especially the OTAreserve partition reserved for OTA upgrade packages, this application ensures the reliability of OTA upgrades while reducing the write frequency to the flash storage medium.

[0181] In this application, during OTA updates, the file system image is read from the at least two storage media, loaded into a second partition in the DDR, and then the file system image is run in the second partition to perform the OTA update. The second partition in the DDR includes... Figure 15The system consists of the ARM Trust Zone partition, Kernel partition, Device Tree Blob (DTB) partition, RAM Disk partition, OTA Reserve partition, and System Memory partition. Different partitions store different types of data. When the file system image is loaded into the second partition in DDR, different data from the file system image is loaded into different partitions. The corresponding data from the file system image is then executed in each partition to achieve OTA updates.

[0182] The ARM Trust Zone partition is used to store security-sensitive data and applications, ensuring the security of the core system components. The ARM Trust Zone provides an isolated environment to prevent potential attacks or malware from compromising system security.

[0183] The kernel partition stores the operating system kernel, which is responsible for controlling the overall operation of the system, including scheduling, memory management, and hardware resource allocation. The kernel partition must have sufficient radiation resistance to ensure system stability even in high-radiation environments.

[0184] The Device Tree Blob (DTB) partition stores device tree information, which describes the system hardware structure, including the processor, memory, and external devices. This device tree information is read by the kernel during system startup to help it correctly initialize and identify hardware resources.

[0185] The microprocessor memory disk (RAM disk) partition is used to store temporary files and cached data generated during system operation. This partition can improve system read and write speeds, reduce reliance on commercial storage media, and ensure that critical data can be processed at high speed in DDR.

[0186] The OTA Reserve partition is specifically designed for OTA upgrades. Whenever the system receives an OTA update package, the update package is first downloaded to this partition. Here, the system performs integrity verification, digital signature verification, and decompression of the OTA package.

[0187] Preferably, the downloaded OTA package is first subjected to integrity verification in the OTA Reserve partition (a specified algorithm is used to calculate the checksum on the original data) to ensure that the package content is not damaged or tampered with. Only after successful verification will its content be written to the corresponding storage partition, avoiding data corruption caused by direct writing to Flash. This partition design not only improves the security of the OTA upgrade process but also prevents data corruption during the update process.

[0188] The System Memory partition is the main operating memory area of ​​the system, storing core data required for system operation, such as file system images. By decompressing the file system from storage devices such as flash memory into this partition, frequent read and write operations on commercial storage devices are reduced, improving the system's radiation resistance.

[0189] In one optional implementation, to ensure the safe and stable firmware updates of the satellite base station while it is in orbit, this application designs an OTA management mechanism for the storage media in the main control unit. This mechanism includes multiple radiation-resistant storage media modules responsible for storing firmware and update packages. The OTA management system performs redundant storage and verification on multiple storage media to ensure that the firmware does not lose data due to the failure of a single storage media under high radiation environments. Firmware update refers to the process of updating or upgrading the internal software of electronic devices or computer systems. Firmware is software embedded in hardware devices that controls the various functions and operations of the device. Firmware updates are typically provided by device manufacturers or developers to fix vulnerabilities, improve performance, provide new features, or fix known problems. Through firmware updates, users can obtain new and improved functions, thereby improving the usability and functionality of the device. Furthermore, firmware updates can also fix vulnerabilities and security issues, ensuring the security of the device and data.

[0190] Figure 16 This application provides a schematic diagram of a multi-storage-media boot partition, and proposes a multi-storage-media partitioning scheme for the main control unit, such as... Figure 16 As shown, this is to support the flexible upgrade requirements of the ground network management system, such as using the 1.0 version of the boot loading unit FDL in TF Card, combined with the 2.0 version of uboot (Universal Boot Loader, an open source project that complies with the General Public License GPL terms) in EMMC, and the 3.0 version of the file system in NVME.

[0191] In one optional implementation, the images for each boot stage are backed up to multiple storage media. During the boot stage, the boot location is selected via a BOOT PIN. The first stage can be selected to boot from EMMC / TF Card / NOR FLASH, and subsequent stages can read the boot location configuration file in the NOR FLASH to select images from different storage media. For example, a file system image may consist of four stages: the first stage is the Boot First stage, the second stage is the Boot Second stage, the third stage is the FileW (ATF / Kenel / DTB, etc.), and the fourth stage is the File System.

[0192] In one optional implementation, the First stage is not upgraded in each stage, so NOR FLASH is the preferred boot location for the First stage and also the backup boot storage medium. If the relevant partition of NOR FLASH is damaged, the image on the EMMC and TF Card will be selected sequentially for booting. At the same time, the boot location configuration file is stored on NOR FLASH, which is used to indicate which partition of which storage medium the boot needs to jump to to obtain the images of each boot stage starting from the Second stage.

[0193] In an optional implementation, this application also proposes a collaborative OTA update strategy for the main control unit across multiple storage media to address the impact of high-radiation environments on data transmission and storage stability. The core of this strategy is to execute a phased update and verification process through the collaborative work of multiple storage media. First, the OTA management system transmits the firmware update package to different storage media in stages, ensuring that each stage's update package undergoes multiple redundant checks, reducing the risk of update failure caused by radiation environments on a single storage media.

[0194] In practice, the system synchronously executes verification, update, and rollback strategies across multiple storage media. Through the collaborative work of multiple storage media, the OTA update process becomes more flexible and secure, reducing the risk of storage damage or data transmission errors caused by radiation. This strategy ensures that OTA updates can be completed with higher reliability and stability even in high-irradiation environments.

[0195] In one optional implementation, this application incorporates an intelligent redundancy switching mechanism. Based on a health management unit and multi-storage media management, the OTA update process and the switching process of redundant master control units can be dynamically coordinated. When a master control unit is performing an OTA update, the system monitors its health status and radiation environment in real time. If the radiation intensity exceeds a safety threshold, the system will pause or postpone the update process to ensure that updates are not performed in high-risk environments. Simultaneously, if the health management unit detects a failure in the master control unit during the update process, the system will immediately switch to the backup master control unit and continue executing the update task on the backup master control unit, ensuring the continuity and stability of the update.

[0196] Specifically, the system monitors the health status of each main control unit in real time through a health management unit, focusing on its operating status, temperature, power consumption, voltage, and current. Simultaneously, the system integrates with an external radiation environment monitoring module (such as a space environment forecasting and early warning system) to obtain real-time information on the intensity of the external radiation environment. During OTA updates, if the intensity of the radiation environment exceeds a preset safety threshold (such as a solar storm or other high-radiation events), the system automatically pauses or postpones the OTA update process to avoid performing update operations in high-risk environments. This design ensures that the OTA process is not executed in adverse environments, reducing update failures or hardware damage to storage devices and core system components due to radiation exposure.

[0197] Before executing an OTA update, if the health monitoring system detects an anomaly or failure in the candidate master unit, such as storage device damage, processor overheating, or hardware failure, the system will immediately trigger a redundancy switching mechanism. This will automatically switch the update task to another healthy master unit, and the OTA update will continue to be executed on that master unit. This mechanism avoids update interruptions caused by the failure of a single master unit, ensuring the continuity of the OTA process.

[0198] While a primary control unit is performing an OTA update, the health monitoring system continuously monitors its operational status. When it detects that the primary control unit is about to enter an unstable state (such as abnormal power consumption or storage device failure), the system will pause the update or proactively switch to a healthy backup unit before a failure occurs, depending on the actual situation.

[0199] Preferably, in high-radiation environments, an intelligent redundancy switching mechanism determines whether OTA update operations need to be delayed. If the radiation environment cannot be restored to a safe threshold within a short time, the system will postpone the update task to a safe environment to avoid damage to the storage media and main control unit under adverse conditions. After the radiation environment returns to normal, the system will automatically resume the previously paused update task and continue the OTA upgrade operation. Due to the system's multi-main control unit redundancy design, even if the OTA task on one main control unit fails to execute successfully, the system can still ensure the smooth completion of the update through other backup units.

[0200] In one optional implementation, to ensure secure and reliable data communication between the main control unit and the health management unit, this application designs an interaction process based on a communication handshake mechanism to guarantee real-time status synchronization and fault feedback between each main control unit and the health management unit. This handshake mechanism is particularly important when the main control unit performs critical tasks (such as OTA updates), ensuring that the health management unit can effectively monitor its health status and trigger redundancy switching in abnormal situations.

[0201] The communication handshake mechanism first requires communication initialization, that is, after each master control unit starts up, it communicates via a preset communication bus (such as I...). 2 The master control unit (MCU) establishes a communication connection with the health management unit via a CAN bus or SPI, etc. The handshake mechanism requires the MCU to first send a handshake request signal to the health management unit upon startup, indicating that the MCU is ready and requests to establish a communication channel. The handshake mechanism requires a response from the health management unit; that is, after receiving the handshake request from the MCU, the health management unit will confirm the successful establishment of the communication channel by sending a handshake response signal. Afterwards, the MCU and the health management unit enter a normal data exchange state.

[0202] In one optional implementation, the handshake mechanism includes a heartbeat detection function. After communication is established, the master control unit and the health management unit maintain heartbeat signal exchange, periodically sending heartbeat packets to ensure the normality of the communication connection. Specifically, the master control unit sends a heartbeat signal to the health management unit at fixed intervals (e.g., several hundred milliseconds), informing it of its current status and health parameters (e.g., temperature, voltage, processing load). The health management unit assesses its operating status by receiving the master control unit's heartbeat signal; if everything is normal, it continues monitoring; if the heartbeat signal is interrupted or the health parameters are abnormal, the health management unit takes appropriate countermeasures.

[0203] In one optional implementation, the master control unit periodically sends status reports to the health management unit during task execution, including information such as running health parameters, task progress, and storage device status. When the master control unit detects a hardware or software failure (such as storage device failure, excessive temperature, etc.), it immediately sends a fault alarm signal to the health management unit, reporting the current problem. The fault alarm signal includes the fault type, fault level, and potential impact range. Upon receiving the fault alarm, the health management unit determines whether to trigger redundancy switching or suspend the task based on the severity of the fault.

[0204] In one optional implementation, the health management unit performs a health status assessment of the main control unit. Based on heartbeat signals and status reports received from the main control unit, the health management unit performs a real-time health status assessment. The assessment includes factors such as temperature, power consumption, radiation exposure, storage media health, and processor load. If the health management unit's assessment indicates that the main control unit is about to fail, it will issue an early warning signal to notify the main control unit or directly trigger a redundancy switch.

[0205] In one optional implementation, when the health management unit receives a fault alarm signal from the main control unit, or detects that the main control unit is unresponsive or in an abnormal state through heartbeat detection, the health management unit will immediately suspend the currently executing task and instruct other redundant main control units to take over the task of the faulty unit. The switched main control unit will continue execution from the task progress point received from the faulty unit, ensuring that the task is not interrupted.

[0206] In one optional implementation, this application proposes a special handshake mechanism after an OTA update is completed. During an OTA update, the handshake mechanism between the health management unit and the main control unit is tightened to ensure that the system's health status is strictly monitored throughout the update process. Before executing the OTA update, the main control unit sends an update task initiation request to the health management unit. The health management unit assesses the health status and confirms that the main control unit is in a healthy state before allowing the OTA update to start. During the OTA update, the main control unit continuously sends update progress and status reports to the health management unit, which dynamically assesses the current environment (such as radiation intensity) and the health status of the main control unit, and decides whether to continue or pause the update based on the assessment results.

[0207] This application provides a highly radiation-resistant redundant motherboard architecture for satellite base stations, comprising N main control units, a health management unit, and a switch. The main control units are connected to the health management unit and the switch via a communication bus, and the health management unit monitors the health status of each main control unit in real time. When a storage device is damaged, the processor exceeds 80°C, or a hardware failure is detected, a redundancy switching mechanism can be triggered.

[0208] Optionally, the multi-storage-media partitioning scheme for the main control unit requires each main control unit to contain multiple storage media, including NOR Flash, NVME, EMMC, and TFCard; and the system reduces write operations to Flash storage through a multi-backup storage design to improve radiation resistance.

[0209] Optionally, each master unit reduces direct operations on the storage media (NVME, EMMC, TFCard) by running the entire file system image on DDR. DDR also includes multiple partitions: arm trust zone, kernel, dtb, ramdisk, OTA reserve, and system memory.

[0210] Optionally, this application applies to DDR partition designs with multiple backup storage and OTA updates, wherein the OTA upgrade package is first downloaded to the OTAreserve partition of the DDR, and after verification, it is then burned to the corresponding Flash partition.

[0211] Optionally, the main control unit's multi-storage-media collaborative OTA update strategy involves multiple storage media working together to execute a phased OTA update and verification process. This includes: transmitting firmware update packages to different storage media in phases, redundantly verifying the update packages in each phase, and determining which storage media and partition to jump to in the current update phase according to the instructions of the health management unit, thereby ensuring the dynamic coordination and switching of the OTA update process and the continuity and stability of the update task.

[0212] This application provides an intelligent redundancy switching mechanism for radiation resistance of satellite base stations, comprising the following steps: real-time monitoring of the health status of the main control unit through a health management unit; pausing OTA updates when the radiation environment exceeds a safety threshold; and when the health management unit detects a failure in the main control unit that is performing an update, the system immediately switches to the backup main control unit and continues to perform the update task.

[0213] Optionally, the health management unit dynamically adjusts the update process based on the real-time monitoring data of the main control unit, and automatically delays or suspends the update task when the radiation environment is detected to exceed the preset safety threshold.

[0214] This application provides a communication handshake mechanism based on a master control unit and a health management unit, including: the master control unit sending a handshake request signal to the health management unit and exchanging status information in real time through a heartbeat detection mechanism; when an abnormal health status or fault is detected in the master control unit, the health management unit triggers redundancy switching and hands over the task to other redundant master control units to continue execution.

[0215] Optionally, during the execution of OTA update tasks, the health management unit will continuously monitor the health status of the main control unit at different stages of the OTA update and assess whether to continue updating, pause, or switch during the OTA stage.

[0216] This application introduces a multi-master control unit redundancy architecture, combined with a health management unit that monitors the status of each master control unit in real time. In the event of radiation exposure or health problems, the system immediately switches to a backup master control unit, thus avoiding interference with system tasks due to radiation. Simultaneously, a backup design using multiple storage media reduces write operations to Flash storage devices, lowering the risk of radiation damage to the memory. This significantly improves the radiation resistance of the satellite base station in high-radiation environments, reduces the probability of radiation-induced failures of the master control unit and storage media, and enhances system reliability.

[0217] The health management unit monitors all main control units in real time and triggers a redundancy switching mechanism when a fault or excessive radiation is detected, transferring tasks to other healthy main control units to ensure system stability and reliability. By designing a redundant architecture with N main control units, switching between multiple main control units is achieved, improving the system's fault tolerance and task continuity. Even in the event of a main control unit failure, the system can still maintain normal operation.

[0218] During OTA updates, the system utilizes a dynamic coordination mechanism between the health management unit and redundant main control units to monitor the status of the main control unit and the external radiation environment in real time. If radiation exceeds a safety threshold or the main control unit malfunctions, the system automatically pauses the update or switches to another main control unit to continue the update task, ensuring the update process is unaffected by the external environment. Furthermore, the collaborative OTA update strategy using multiple storage media of the main control unit executes a phased OTA update and verification process; the firmware update package is transmitted to different storage media in stages, continuously redundantly verifying the update package at each stage, thus improving the flexibility and reliability of the OTA process. This application improves the reliability of OTA updates, avoiding data corruption or system crashes caused by radiation during the update process by pausing or delaying update operations in high-radiation environments, thereby ensuring the success rate of OTA updates.

[0219] In this application, each main control unit is equipped with multiple storage media (such as NOR Flash, NVME, eMMC, TFCard, etc.), and the direct read / write operations on the storage media are reduced by copying the file system image to DDR for operation. This reduces storage media damage caused by frequent read / write operations in high-radiation environments, enhancing the lifespan and stability of the storage device. Through the multi-storage-media backup design, this application improves data storage reliability and reduces reliance on a single storage media. Especially in high-radiation environments, the multi-storage-media backup mechanism effectively prevents data corruption and loss.

[0220] This application utilizes heartbeat signals and status reports to enable the health management unit to continuously acquire the operating parameters of the main control unit and perform status assessments based on preset thresholds. When an impending failure of the main control unit is detected, the system triggers a redundancy switchover mechanism in advance to ensure that tasks are not interrupted due to the failure. By monitoring the health status of each main control unit in the system in real time, this application provides an early warning mechanism that can issue alerts and take appropriate preventative measures before a failure occurs, avoiding system crashes caused by sudden failures.

[0221] In this application, the OTA update package is first downloaded to a dedicated partition (OTAreserve partition) of the DDR memory, and after verification, it is written to the corresponding Flash partition. The DDR partition design includes multiple independent partitions (such as the ARM trust zone, kernel, DTB, etc.), which improves the efficiency and security of OTA updates. By performing OTA partitioning and management on the DDR memory, this application can execute OTA upgrade tasks more efficiently and securely, avoiding frequent writes to the Flash storage device, and improving the success rate of updates and the lifespan of the memory.

[0222] In this application, the main control unit and the health management unit communicate via handshake signals, heartbeat detection, and status reports to ensure synchronization of their states. In the event of a communication anomaly, the health management unit can take timely measures, such as triggering redundancy switching or system restart, to ensure that the system does not fail due to communication problems. This application, by designing a communication handshake mechanism, ensures secure and reliable communication between the main control unit and the health management unit, reduces the risk of failure due to communication interruptions, and improves the system's collaboration and stability.

[0223] This application overcomes the problems of insufficient reliability, low security of OTA updates, and limited lifespan of storage devices in existing technologies by adopting a multi-master unit redundancy architecture, health management unit, multi-backup design of storage media, and intelligent OTA update coordination mechanism. It significantly improves the radiation resistance, system stability, and mission continuity of satellite base stations.

[0224] Figure 17 Another schematic diagram of an OTA update device provided in this application includes:

[0225] The receiving module 161 is used to receive Over-the-Air (OTA) update packages and write the file system image in the OTA update package into at least two storage media of the first main control unit.

[0226] The update module 162 is used to read the file system image from the at least two storage media and perform OTA updates based on the file system image.

[0227] In one alternative embodiment, the device further includes:

[0228] The determining module 163 is configured to, if it is determined that the performance of the first main control unit is abnormal based on the first parameter of the first main control unit, select a second alternative main control unit as the first main control unit; wherein the first parameter includes at least one of voltage, current, temperature and power consumption.

[0229] In an optional implementation, the determining module 163 is further configured to, if it is determined that the first master control unit is in communication abnormality according to the communication handshake mechanism, select the second master control unit as the first master control unit.

[0230] In one optional implementation, the determining module 163 is specifically used to determine that the communication of the first main control unit is abnormal if the interaction process between the microcontroller unit (MCU) and the first main control unit according to the heartbeat signal at the first frequency is abnormal.

[0231] In an optional implementation, the update module 162 is further configured to allow the MCU and the first main control unit to interact with a heartbeat signal at a second frequency, and if the heartbeat signal interaction process is abnormal, to suspend the OTA update process based on the file system image; wherein the second frequency is greater than the first frequency.

[0232] In an optional implementation, the determining module 163 is further configured to, if the functions of the at least two storage media are all abnormal, select the alternative second master control unit as the first master control unit.

[0233] In one alternative implementation, the update module 162 is specifically configured to read the file system image from at least one functional storage medium.

[0234] In one alternative embodiment, the device further includes:

[0235] The verification module 164 is used to perform security verification on the OTA update package. If the security verification is successful, the file system image in the OTA update package is written to at least two storage media of the first main control unit. The security verification includes at least one of integrity verification and digital signature verification.

[0236] In one optional implementation, the verification module 164 is specifically used to write the OTA update package into the dynamic random access memory (DDR) and perform security verification on the OTA update package in the DDR.

[0237] In one optional implementation, the verification module 164 is specifically used to write the OTA update package into a first partition in DDR and perform security verification on the OTA update package in the first partition.

[0238] In one optional implementation, the update module 162 is specifically used to read the file system image from the at least two storage media, load the file system image into the DDR, and run the file system image in the DDR for OTA update.

[0239] In one optional implementation, the update module 162 is specifically configured to read the file system image from the at least two storage media, load the file system image into a second partition in DDR, and run the file system image in the second partition for OTA update.

[0240] In one alternative embodiment, the device further includes:

[0241] The monitoring module 165 is used to pause the OTA update process based on the file system image if the detected radiation intensity is greater than the first radiation intensity threshold.

[0242] In one alternative implementation, the at least two storage media include at least two of the following: non-volatile flash memory (NRFlash) storage media, non-volatile memory transfer specification (NVME) storage media, embedded multimedia card (EMMC) storage media, and flash memory card (TF Card) storage media.

[0243] In one optional implementation, the OTA update package includes a first-stage file system image, a second-stage file system image, a third-stage file system image, and a fourth-stage file system image.

[0244] The receiving module 164 is specifically used to write the first-stage file system image to the NOR Flash storage medium; write the first-stage file system image, the second-stage file system image, the third-stage file system image, and the fourth-stage file system image to the TF Card storage medium; write the first-stage file system image, the second-stage file system image, the third-stage file system image, and the fourth-stage file system image to the EMMC storage medium; and write the second-stage file system image, the third-stage file system image, and the fourth-stage file system image to the NVME storage medium.

[0245] This application also provides an electronic device, such as Figure 18 As shown, it includes: processor 171, communication interface 172, memory 173 and communication bus 174, wherein processor 171, communication interface 172 and memory 173 communicate with each other through communication bus 174.

[0246] The memory 173 stores a computer program, which, when executed by the processor 171, causes the processor 171 to perform any of the above method steps.

[0247] The communication bus mentioned in the above electronic devices can be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. This communication bus can be divided into address bus, data bus, control bus, etc. For ease of illustration, only one thick line is used to represent it in the diagram, but this does not mean that there is only one bus or one type of bus.

[0248] Communication interface 172 is used for communication between the above-mentioned electronic device and other devices.

[0249] The memory may include random access memory (RAM) or non-volatile memory (NVM), such as at least one disk storage device. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.

[0250] The processors mentioned above can be general-purpose processors, including central processing units, network processors (NPs), etc.; they can also be digital signal processors (DSPs), application-specific integrated circuits, field-programmable gate arrays or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.

[0251] This application also provides a computer-readable storage medium storing a computer program executable by an electronic device, which, when run on the electronic device, causes the electronic device to perform any of the above method steps.

[0252] This application provides a computer program product, which includes an executable program that, when executed by a processor, implements the method described herein.

[0253] Although preferred embodiments of this application have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of this application.

[0254] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.

Claims

1. An OTA update method, characterized in that, Applied to electronic devices, the method includes: Receive Over-the-Air (OTA) update packets and write the file system image in the OTA update packets into at least two storage media of the first main control unit; The file system image is read from the at least two storage media, and an OTA update is performed based on the file system image.

2. The method as described in claim 1, characterized in that, Before writing the file system image from the OTA update package into at least two storage media of the first master control unit, the method further includes: If the performance of the first main control unit is determined to be abnormal based on the first parameter of the first main control unit, the alternative second main control unit is selected as the first main control unit; wherein, the first parameter includes at least one of voltage, current, temperature and power consumption.

3. The method as described in claim 1, characterized in that, Before writing the file system image from the OTA update package into at least two storage media of the first master control unit, the method further includes: If it is determined that the first master control unit is experiencing a communication failure, the second master control unit will be selected as the first master control unit.

4. The method as described in claim 3, characterized in that, The communication anomaly of the first main control unit is determined to include: If the interaction process between the microcontroller unit (MCU) and the first main control unit according to the heartbeat signal at the first frequency is abnormal, it is determined that the communication of the first main control unit is abnormal.

5. The method as described in claim 4, characterized in that, During the OTA update process based on the file system image, the method further includes: The MCU and the first main control unit interact with each other using a heartbeat signal at a second frequency. If the heartbeat signal interaction process is abnormal, the OTA update process based on the file system image is suspended. The second frequency is greater than the first frequency.

6. The method as described in claim 1, characterized in that, Before writing the file system image from the OTA update package into at least two storage media of the first master control unit, the method further includes: If the functions of at least two storage media are all abnormal, the alternative second master control unit will be used as the first master control unit.

7. The method as described in claim 1, characterized in that, Reading the file system image from the at least two storage media includes: The file system image is read from at least one functional storage medium.

8. The method as described in claim 1, characterized in that, Before writing the file system image from the OTA update package to at least two storage media of the first master control unit, the method further includes: The OTA update package is subjected to security verification. If the security verification passes, the file system image in the OTA update package is written to at least two storage media of the first main control unit. The security verification includes at least one of integrity verification and digital signature verification.

9. The method as described in claim 8, characterized in that, The security verification of the OTA update package includes: The OTA update package is written into the dynamic random access memory (DDR), and the security of the OTA update package is verified in the DDR.

10. The method as described in claim 9, characterized in that, The security verification of the OTA update package includes: The OTA update package is written to the first partition in DDR, and the security of the OTA update package is verified in the first partition.

11. The method as described in claim 1, characterized in that, Reading the file system image from the at least two storage media and performing OTA updates based on the file system image includes: The file system image is read from the at least two storage media, loaded into the DDR, and then run in the DDR to perform an OTA update.

12. The method as described in claim 11, characterized in that, Reading the file system image from the at least two storage media and performing OTA updates based on the file system image includes: The file system image is read from the at least two storage media, the file system image is loaded into a second partition in DDR, and the file system image is run in the second partition for OTA update.

13. The method as described in claim 1, characterized in that, During the OTA update process based on the file system image, the method further includes: If the detected radiation intensity is greater than the first radiation intensity threshold, the OTA update process based on the file system image is suspended.

14. The method according to any one of claims 1 to 13, characterized in that, The at least two storage media include at least two of the following: NOR Flash storage media, NVME storage media, EMMC storage media for embedded multimedia cards, and TF Card storage media.

15. The method as described in claim 14, characterized in that, The OTA update package includes a first-stage file system image, a second-stage file system image, a third-stage file system image, and a fourth-stage file system image. Write the first-stage file system image into the NOR Flash storage medium; Write the first-stage file system image, the second-stage file system image, the third-stage file system image, and the fourth-stage file system image into the TF Card storage medium; Write the first-stage file system image, the second-stage file system image, the third-stage file system image, and the fourth-stage file system image into the EMMC storage medium; Write the second-stage file system image, the third-stage file system image, and the fourth-stage file system image into the NVME storage medium.

16. An OTA update device, characterized in that, The device includes: a first main control unit, a communication bus, and a switch; the first main control unit includes at least two storage media. The first main control unit receives Over-the-Air (OTA) update packages via the communication bus and the switch, writes the file system image in the OTA update package into the at least two storage media respectively, reads the file system image from the at least two storage media, and performs OTA updates based on the file system image.

17. The apparatus as claimed in claim 16, characterized in that, The device further includes: a microcontroller unit (MCU) and at least one second main control unit; The MCU obtains and determines that the first main control unit is malfunctioning based on the first parameter of the first main control unit through the communication bus, and selects the second main control unit as the first main control unit; wherein, the first parameter includes at least one of voltage, current, temperature and power consumption.

18. The apparatus as claimed in claim 16 or 17, characterized in that, The at least two storage media include at least two of the following: NOR Flash storage media, NVME storage media, EMMC storage media for embedded multimedia cards, and TF Card storage media.

19. The apparatus as claimed in claim 18, characterized in that, The OTA update package includes a first-stage file system image, a second-stage file system image, a third-stage file system image, and a fourth-stage file system image. The first main control unit writes the first-stage file system image to the NOR Flash storage medium; and writes the first-stage file system image, the second-stage file system image, the third-stage file system image, and the fourth-stage file system image to the TF Card storage medium. Write the first-stage file system image, the second-stage file system image, the third-stage file system image, and the fourth-stage file system image into the EMMC storage medium; Write the second-stage file system image, the third-stage file system image, and the fourth-stage file system image into the NVME storage medium.

20. An electronic device, characterized in that, It includes a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory communicate with each other through the communication bus; Memory, used to store computer programs; A processor, when executing a program stored in memory, implements the method according to any one of claims 1-15.

21. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program that, when executed by a processor, implements the method described in any one of claims 1-15.

22. A computer program product, characterized in that, The computer program product includes an executable program that is executed by a processor to implement the method of any one of claims 1 to 15.