A data protection method and apparatus based on star network amplifiers
By storing multiple copies of the program in the StarNet amplifier and employing a two-stage startup method and watchdog bit monitoring, combined with hardware ECC functionality, the problem of data anomalies in the StarNet amplifier in the space environment was solved, achieving reliable program startup and data integrity protection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- ACCELINK TECHNOLOGIES CO LTD
- Filing Date
- 2026-02-09
- Publication Date
- 2026-06-19
AI Technical Summary
Existing technology is unable to identify and correct data anomalies in the Star Network amplifier without interrupting existing services, leading to hardware and software malfunctions and inability to function properly.
Multiple copies of the bootloader and application program are stored in non-volatile memory. A two-level boot method is used for verification and error correction. The application program is loaded through the bootloader, and data comparison and error correction are performed during application runtime. Watchdog bits are used to monitor data integrity, and hardware ECC function is used for data protection.
This ensures reliable program startup, prevents modules from failing to start or becoming disconnected due to data anomalies, improves data integrity and reliability, and reduces maintenance costs.
Smart Images

Figure CN122240389A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of product software design technology, and in particular to a data protection method and apparatus based on a star network amplifier. Background Technology
[0002] In recent years, with the development of space-air-ground integrated communication, there are increasingly more application scenarios. Among them, communication between satellites uses optical communication unit optical amplifier modules, and the space-air-ground amplifier in this invention refers to this amplifier. The space-air-ground amplifier operates in space, and substances in the space environment can cause radiation to the semiconductor devices in the working circuit of the space-air-ground amplifier, leading to the failure of the hardware electronic components of the space-air-ground amplifier, or bit flipping of the software data; thus, due to abnormal software function and / or abnormal hardware circuit function, the space-air-ground amplifier cannot work properly.
[0003] Existing technologies use Cyclic Redundancy Check (CRC) to identify data anomalies (e.g., integrity errors) in the Star Network Amplifier. However, this method cannot identify anomalies without interrupting existing services or affecting product users; it also cannot correct errors after identification to ensure the hardware and software function properly. This is to prevent modules in the Star Network Amplifier from failing to start, becoming unresponsive, inoperable, or losing communication due to data anomalies in the Bootloader (i.e., the bootloader).
[0004] Therefore, overcoming the shortcomings of the existing technology is an urgent problem to be solved in this technical field. Summary of the Invention
[0005] The technical problem to be solved by the present invention is that the existing technology cannot ensure data integrity and cannot perform data error correction during software operation, thus ensuring the reliability of program startup.
[0006] Firstly, a data protection method based on a star network amplifier is provided, including: Multiple copies of the bootloader and application programs are stored in non-volatile memory; After the module is powered on or reset, the boot program starts running from address zero of the non-volatile memory, and the application program is loaded and run through the boot program; When the application is running, the checksums of all bootloaders are calculated and compared with the original values; the correct bootloader is used to overwrite the incorrect bootloader to achieve error correction.
[0007] Furthermore, the method also includes: Starting from the zero address of the non-volatile memory, multiple copies of the boot program are stored at a preset fixed offset address.
[0008] Furthermore, the method also includes: The read-only memory is started to sequentially perform integrity checks on the boot programs stored at each of the fixed offset addresses until a boot program that passes the check is found. The boot program that passes the check is then used to complete the startup process.
[0009] Furthermore, the method also includes: Store multiple copies of key variable data in memory; When the key variable data needs to be used, the multiple copies are compared pairwise. The copies that match pairwise are identified as the correct data for the key variable, so that the correct data can be used.
[0010] Furthermore, the method also includes: When the bootloader runs, it calculates the checksums of all applications and compares them with the original values. To correct errors, use the correct application to override the incorrect application.
[0011] Furthermore, the method also includes: Determine the physical storage area corresponding to the data to be monitored in the module; within the physical storage area, determine the preset number of bits that are closest to the sun as the watchdog bits of the physical storage area; Based on whether the watchdog bit has flipped, the data in the physical storage area is selectively verified to ensure that the number of abnormal bits in the monitored data is less than a preset value through error correction.
[0012] Furthermore, the watchdog bits include warning bits and periodic bits; The step of determining the watchdog bits of the physical storage area, which are the preset number of bits with the smallest distance from the sun, includes: If the data to be monitored needs to be monitored in real time, then a warning bit is set for the physical storage area so as to determine in real time whether the warning bit has been flipped. If the data to be monitored needs to be monitored periodically, periodic bits are set for the physical storage area so as to determine whether the periodic bits have flipped at preset intervals.
[0013] Furthermore, the step of selectively verifying the data in the physical storage area based on whether the watchdog bit has undergone a bit flip includes: When the watchdog bit flips, the type of the data to be monitored is determined; If the type of data to be monitored is data to be protected, then the data in the physical storage area is verified; when the verification result is abnormal, the corresponding normal value is obtained for error correction. If the type of data to be monitored is variable data, then the bit flip that occurred in the watchdog bit is ignored.
[0014] Secondly, a data protection device based on a star network amplifier is provided, the data protection device based on a star network amplifier includes: a processor and a memory for storing processor-executable instructions; The processor is configured to execute the data protection method based on the star network amplifier.
[0015] Thirdly, a non-volatile computer storage medium is provided, the computer storage medium storing computer-executable instructions, which are executed by one or more processors to perform the data protection method based on the star network amplifier described in the first aspect.
[0016] Fourthly, a computer program product containing instructions is provided that, when executed on a computer or processor, causes the computer or processor to perform the data protection method based on the star network amplifier as described in the first aspect.
[0017] Compared with the prior art, the beneficial effects of the present invention are as follows: This invention employs a two-level startup mechanism. The system spends a short period (e.g., milliseconds) in the bootloader execution phase, then remains in the application execution phase, with the entire normal runtime confined to this phase. Regardless of errors or runtime anomalies in the application code, the impact of these errors is limited to the application execution phase, without affecting the bootloader or causing modules to fail to start, become unresponsive, inoperable, or lose communication. Furthermore, this invention verifies and corrects the bootloader's program data during application runtime, allowing for error correction and modification even after bit flips have occurred during boot. This ensures the integrity of the bootloader's data, solves the problem of inability to perform data error correction, and thus guarantees reliable program startup. Attached Figure Description
[0018] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0019] Figure 1 This is a schematic flowchart of a data protection method based on a star network amplifier provided in an embodiment of the present invention; Figure 2 This is a schematic diagram illustrating a specific example of Flash memory address mapping provided in an embodiment of the present invention; Figure 3 This is a schematic diagram of a fault-tolerant startup process during program loading provided by an embodiment of the present invention; Figure 4 This is a schematic diagram illustrating a specific example of reading on-chip Flash memory using a chip BootROM, as provided in an embodiment of the present invention. Figure 5 This is a schematic diagram illustrating a specific example of storing multiple copies of bootloader code provided in an embodiment of the present invention; Figure 6 This is a schematic diagram of a process for protecting dynamic data according to an embodiment of the present invention; Figure 7 This is a schematic diagram illustrating a specific example of data protection for dynamic data provided in an embodiment of the present invention; Figure 8 This is a schematic diagram of an application integrity verification and error correction process provided in an embodiment of the present invention; Figure 9 This is a flowchart illustrating a data security mechanism provided in an embodiment of the present invention; Figure 10 This is a schematic flowchart illustrating a specific example of the spatial relationship and distance between the sun and a star network amplifier provided in an embodiment of the present invention; Figure 11 This is a schematic diagram illustrating a specific example of the spatial relationship and distance between the watchdog bit and the physical address bit inside a solar and star network amplifier, provided by an embodiment of the present invention. Figure 12 This is a flowchart illustrating step 701 provided in an embodiment of the present invention; Figure 13 This is a flowchart illustrating step 702 provided in an embodiment of the present invention; Figure 14 This is a schematic diagram of a data protection device based on a star network amplifier provided in an embodiment of the present invention. Detailed Implementation
[0020] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the invention.
[0021] Unless the context otherwise requires, throughout the specification and claims, the term "comprising" is interpreted as openly inclusive, meaning "including, but not limited to." In the description of the specification, terms such as "one embodiment," "some embodiments," "exemplary embodiment," "example," "specific example," or "some examples" are intended to indicate that a particular feature, structure, material, or characteristic associated with that embodiment or example is included in at least one embodiment or example of this disclosure. The illustrative representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics mentioned may be included in any suitable manner in any one or more embodiments or examples; that is, although they may be incorporated into embodiments or examples using the above terms for reasons such as order and position, it does not limit them to be incorporated in combination by a single embodiment or example.
[0022] In the description of this invention, the terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of indicated technical features. Thus, a feature defined with "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of embodiments of this disclosure, unless otherwise stated, "a plurality of" means two or more. Furthermore, for example, the description may use the prefix "A" or "B" to describe the same type of nouns as two independent entities. In this case, the corresponding features defined with "A" and "B" are used only to distinguish between similar entities and should not be construed as indicating or implying relative importance or implicitly specifying the number of indicated technical features.
[0023] In describing some embodiments, the terms "coupled," "coupled," and "connected," and their derivative expressions, may be used. For example, the term "connected" may be used in describing some embodiments to indicate that two or more components have direct physical or electrical contact with each other. Similarly, the term "coupled" may be used in describing some embodiments to indicate that two or more components have direct physical or electrical contact. However, the terms "connected" or "coupled" may also refer to two or more components that do not have direct contact with each other but still cooperate or interact with each other, such as "optical coupling," "wireless connection," etc. The embodiments disclosed herein are not necessarily limited to the scope of this invention.
[0024] Furthermore, the technical features involved in the various embodiments of the present invention described below can be combined with each other as long as they do not conflict with each other.
[0025] Since the StarNet amplifier operates in space, the space radiation particles and rays can radiate the semiconductor devices in the StarNet amplifier's operating circuit. This radiation can cause the failure of hardware electronic components or bit flipping of software data. The data protection method based on the StarNet amplifier provided in the following embodiment of the invention is a protection method for identifying and correcting bit flipping of software data caused by space particle radiation.
[0026] Space radiation can cause data bit flipping in programs running on semiconductor chips and in the data stored on them. This error is called the Soft Error Rate (SER). The SER affects the data state of memory and timing components and is caused by random radiation events naturally occurring in the terrestrial environment. Unlike hard errors caused by defect mechanisms or reliability degradation mechanisms, soft errors usually do not damage the circuit itself, hence the name "soft" error. However, they can damage the stored data or the state of the involved circuitry. In digital circuits, this is equivalent to incorrectly flipping a "1" data state to a "0" data state, or vice versa.
[0027] Hardware circuits are like the skeleton of a person, a carrier for operation, while the software running on them is the soul of the entire product. A product can exhibit a wide variety of characteristics and functions on a single piece of hardware. The data used by the software, such as calibration data, algorithm data, real-time operating status data, and sampling feedback data, is the core of this "soul." If the software data is abnormal, all software functions will malfunction, and the program may even fail to load and execute, rendering the hardware circuitry meaningless.
[0028] The space environment increases the probability of data anomalies. Furthermore, due to the equipment being in space, software maintenance, upgrades, problem localization, and analysis are extremely inconvenient. Therefore, there is an urgent need for a data protection method to identify data anomalies in the StarNet amplifier, correct errors to the greatest extent possible after identification, and ensure that the software continues to operate normally, thereby not interrupting existing services and not affecting product users.
[0029] Traditional data protection methods use CRC (Corrective Chronology) to determine if data integrity errors have occurred. This method is simple and easy to implement, but it has two significant drawbacks: First, the original CRC value needs to be pre-calculated for subsequent verification. For static data (i.e., data whose content remains unchanged), such as calibration data and upgrade files, the CRC value can be easily pre-calculated and appended to the original data. However, for dynamic data (such as sampling data and in-memory computation data), a pre-calculated CRC value cannot be provided. Second, CRC only identifies whether data integrity errors have occurred, but it cannot perform any calibration operations; it is merely a verification method and is not suitable for situations requiring error correction.
[0030] To address the problems of existing technologies, this embodiment proposes a data protection method based on a star network amplifier. In one embodiment, such as... Figure 1 As shown, it includes: Step 10: Store multiple copies of the bootloader and application program in non-volatile memory.
[0031] Since both the program and data run on the main control chip (i.e., the hardware platform), the main control chip can be a microcontroller (MCU), a microprocessor (MPU), or other system-on-chip (SoC) chip. To achieve data protection, the selection of the main control chip is explained below: From a hardware perspective, a main control chip that supports error checking and correction (ECC) functions must be selected. Early main control chips typically did not support ECC or had weak ECC correction capabilities; therefore, a main control chip supporting ECC functionality should be selected. It's important to note that if the main control chip is an MCU (Microcontroller Unit), its program is stored in the MCU's on-chip Flash memory, and its data is stored in the MCU's on-chip Random-Access Memory (SRAM). If the main control chip is an MPU (Multi-Purpose Microcontroller Unit), its program is stored in external Flash memory and external Double Data Rate Synchronous Dynamic Random-Access Memory (DDR). Both types of chips need to support ECC (Electronic Control Class) functionality. Taking an MCU as an example, its on-chip Flash memory typically ranges from 512 kilobytes (KB) to 2 megabits (MB), and its on-chip Static Random-Access Memory (RAM) ranges from 192 KB to 1 MB.
[0032] Redundancy and error correction designs are implemented in the storage space of the main control chip. As mentioned earlier, if the software cannot run, the hardware cannot start, suspends, and stops responding, unable to handle any external responses. Therefore, the integrity and reliability of the program are key aspects of data protection. To enhance program reliability (including the ability to start under abnormal conditions and recover from errors), this invention provides a "dual backup + secondary redundancy" data protection method. The type of non-volatile memory and the number of copies of the bootloader and application program stored therein are determined by those skilled in the art based on the specific application scenario and are not limited here. In one embodiment, such as... Figure 2 As shown, the non-volatile memory can be a Flash memory, which can store two copies of the boot program and two copies of the application program; the number of copies of the boot program and the application program stored can be determined according to the storage space of the Flash memory.
[0033] Step 20: After the module is powered on or reset, the boot program is run starting from address zero of the non-volatile memory, and the application program is loaded and run through the boot program.
[0034] To ensure reliable program startup, in one embodiment of the present invention, a two-level startup method is provided: after the module in the star network amplifier is powered on or reset, the system starts from the zero address of the Flash memory and loads and runs the boot program. The boot program can be boot program code A or multiple saved copies, such as boot program backup code B. Figure 2 The middle arrow indicates the Flash memory address mapping. Then, the bootloader loads and runs application code A or application backup code B.
[0035] Step 30: When the application is running, calculate the checksum of all bootloaders and compare it with the original value; use the correct bootloader to overwrite the incorrect bootloader to achieve error correction.
[0036] The effectiveness of two-level communication in ensuring the module never crashes depends on the correctness of the bootloader and application program. That is, regardless of whether there is a two-level or multi-level boot process, if the bootloader used for startup is faulty, the module will fail to run, resulting in a hang and unresponsive state. Specifically, if a bit flip occurs during startup, the program will fail to start, the system will hang up, and stop responding. If no bit flip occurs during startup, the program can execute normally, and the system will proceed with startup, initialization, and operation sequentially. If a bit flip is sent after startup, the system can start normally this time, but when performing operations such as reset or restart, the system will hang and stop responding on the next startup attempt.
[0037] Since the main control chips used in the current industry all boot from address 0, the system always boots from Bootloader address 0. However, the bootloader code A stored at Bootloader address 0 may also experience bit flips. If bootloader code A has many bit flips, especially exceeding the range that hardware ECC can correct, the system may experience boot anomalies, failing to boot normally and thus hanging and stopping responding. Therefore, to improve program correctness, dual redundancy backups are performed according to step 10, and the integrity of the aforementioned bootloader and application program is verified and corrected. During the application program runtime phase, integrity verification is performed on all bootloaders (i.e., including bootloader backups). This embodiment of the invention calculates the verification value of all bootloaders and compares it with the original value to check the integrity of all bootloaders. If the verification finds an error in the bootloader backup and a correct bootloader exists, the correct bootloader backup is used to overwrite and repair the incorrect bootloader backup.
[0038] Specifically, after the system starts from bootloader code A, it will then start application code A or application backup code B. At this time, when the application code is running, the integrity of the program in bootloader code A and bootloader backup code B is checked, that is, the CRC32 value of bootloader code A is calculated to see if it is consistent with the original. If it is consistent, the integrity of the program is reliable; if it is inconsistent, it means that a bit flip error has occurred. Similarly, the CRC32 value of bootloader backup code B is calculated to see if it is consistent with the original.
[0039] If the CRC32 value of bootloader code A matches the original value, but the CRC32 value of bootloader backup code B does not match the original value, then the program data of bootloader code A is copied to bootloader backup code B to repair the bit flipping error in bootloader backup code B. Similarly, if the CRC32 value of bootloader code A does not match the original value, but the CRC32 value of bootloader backup code B matches the original value, then the program data of bootloader backup code B is copied to bootloader code A to repair the bit flipping error in bootloader code A. When the CRC32 value of both bootloader code A and bootloader backup code B matches the original value, it indicates that both bootloaders are complete and no recovery operation is required.
[0040] This invention employs a two-level startup mechanism. The system spends a short period (e.g., milliseconds) in the bootloader execution phase, then remains in the application execution phase, with the entire normal runtime confined to this phase. Regardless of errors or runtime anomalies in the application code, the impact of these errors is limited to the application execution phase, without affecting the bootloader or causing modules to fail to start, become unresponsive, inoperable, or lose communication. Furthermore, this invention verifies and corrects the bootloader's program data during application runtime, allowing for error correction and modification even after bit flips have occurred during boot. This ensures the integrity of the bootloader's data, solves the problem of inability to perform data error correction, and thus guarantees reliable program startup.
[0041] Due to the importance of the bootloader code, many solutions design it to be read-only or prevent unauthorized external modification (e.g., private key signature protection, debug port disconnection, etc.). This method can solve most cases of human modification or tampering, but it cannot solve cases of non-human modification, such as bit-flipping soft errors. Therefore, there is an urgent need for a method to verify and correct bit-flipping errors. The most common and universal method is to use hardware ECC for verification and correction. The industry-standard method is that 1-bit flips can be verified and corrected, while 2-bit flips can be verified, identified, and reported as alarms, but cannot be corrected or repaired.
[0042] The present invention addresses this problem through two methods. One method, as described in step 30 above, repairs the bit-flipped firmware through bootloader backup and verification. This method can correct multi-bit-flip errors that occur after normal startup. However, if bit flips are sent during bootloader startup, the system will hang and stop responding during startup. To solve this problem, the present invention provides another method as follows: In one embodiment, to achieve fault-tolerant startup during program loading, such as Figure 3 As shown, the method further includes: Step 401: Starting from the zero address of the non-volatile memory, store multiple copies of the boot program at a preset fixed offset address.
[0043] The preset fixed offset address is determined by those skilled in the art based on the specific use case.
[0044] To address bit flips that occur during startup, embodiments of this invention implement multi-address startup in the chip's boot read-only memory (BootROM) program. For example... Figure 4 The diagram shows a chip's BootROM reading on-chip Flash memory, where the BootROM executes Bootloader code. That is, as shown... Figure 5 As shown, starting from address 0 of the Flash memory, multiple copies of boot program code (such as...) are stored at fixed offset addresses. Figure 5 The bootloader code A, bootloader code A1, bootloader code A2 and bootloader code A3 are specified in the code. The preset fixed offset address is offset 1 and its multiples.
[0045] Based on this, in one embodiment, such as Figure 3 As shown, the method further includes: Step 402: Start the read-only memory to perform integrity checks on the boot programs stored at each of the fixed offset addresses in sequence until a boot program that passes the check is found, and use the boot program that passes the check to complete the startup.
[0046] When the BootROM executes boot program code A from address 0, it first checks its integrity. If the integrity is normal, the boot program is used to start normally. If the integrity check fails, it is considered that a bit flip has occurred, and the execution of boot program code A1 continues. Similarly, the integrity check is performed on it first, and the above operation is repeated until the boot is normal, or until all four backups (i.e., boot program code A1, boot program code A2, boot program code A3 and boot program backup code B) have been checked.
[0047] This invention, through spatial redundancy, significantly reduces the probability of system failure, suspension, and unresponsiveness caused by bit flip errors occurring during or after the boot process, thereby improving system reliability. Since the bootloader code is executed by the chip's BootROM, this multi-address boot scheme is implemented within the chip's internal BootROM, rather than within the user's bootloader or application code.
[0048] For dynamically changing data (e.g., real-time acquired data), the original CRC32 value cannot be pre-calculated, therefore existing technologies cannot perform verification of dynamic data. To address this issue, in one embodiment, such as... Figure 6 As shown, the method further includes: Step 501: Store multiple copies of the key variable data in memory.
[0049] For critical variable data in the program, such as sampling feedback data and drive control data, multiple copies of this critical variable data are stored in memory. The specific number of copies is determined by those skilled in the art based on the specific use case. In one embodiment, such as Figure 7 The diagram shows an SRAM address mapping. For a key variable, three copies are stored in memory (i.e., Figure 7 The key variable data includes data 1, data 2, and data 3. In actual implementation, more copies of the data can be stored for comparison to improve reliability; only the balance between storage space overhead and execution overhead needs to be considered.
[0050] Step 502: When the key variable data needs to be used, perform pairwise comparisons of the multiple copies.
[0051] Step 503: Identify the pairs of identical copies as the correct data for the key variable, so that the correct data can be used.
[0052] In one embodiment, when the key variable data is needed, the three sets of data are compared pairwise, and the data that matches in each pairwise comparison is selected, while the inconsistent data is discarded. For example, data 1 is compared with data 2, data 2 is compared with data 3, and data 1 is compared with data 3. When data 1, data 2, and data 3 all match, the value of the matching data is determined to be the correct key variable data. When data 1 and data 2 match, the value of the matching data is determined to be the correct key variable data, and data 3 is discarded. When data 2 and data 3 match, the value of the matching data is determined to be the correct key variable data, and data 1 is discarded. When data 1 and data 3 match, the value of the matching data is determined to be the correct key variable data, and data 2 is discarded.
[0053] The integrity verification and correction process of the application is described below. In one embodiment, such as... Figure 8 As shown, the method further includes: Step 601: When the bootloader is running, calculate the checksum of all applications and compare it with the original value.
[0054] The primary function of the bootloader is to load and run the correct application. During runtime, the bootloader checks the integrity of application code A and its backup code B. The method for checking integrity is determined by those skilled in the art based on the specific use case; in one embodiment, it may be achieved through CRC32 calculation and comparison.
[0055] The bootloader reads application code A to calculate the CRC32 value and compares it with the original CRC32 value. At the same time, the bootloader reads application backup code B to calculate the CRC32 value and compares it with the original CRC32 value.
[0056] Step 602: Overwrite the incorrect application with the correct application to achieve error correction.
[0057] If the CRC32 checksum of application code A passes but the checksum of application backup code B fails, then application code A is copied to the address of application backup code B, and the bit flipping in application backup code B is corrected. Then, application code A is loaded and run to complete the boot process.
[0058] Conversely, if the CRC32 checksum of application code A fails, but the checksum of application backup code B passes, then application backup code B is copied to the address of application code A to correct the bit flipping in application code A. Application backup code B is then loaded and run to complete the boot process.
[0059] If the CRC32 value of application code A passes verification and application backup code B also passes verification, no copying action will be performed, and application code A will be loaded and run directly to complete the boot process.
[0060] If the CRC32 value verification of application code A passes, but the verification of application backup code B fails, an error is reported, indicating that the application code is abnormal and needs to be upgraded and restored.
[0061] This invention protects data through both hardware design and software. On the hardware side, a main control chip supporting Error-Correcting Codes (ECC) is used to detect two-bit flips and correct one-bit flips. On the software side, data integrity detection and recovery are achieved through data redundancy backup comparison and a CRC mechanism.
[0062] Compared to traditional data protection designs, this invention offers three significant advantages. First, unlike traditional solutions that only identify errors, it incorporates an error correction and recovery mechanism. For static data, it uses dual redundant backups for comparison; for dynamic data, it compares two out of three copies, improving data reliability. Second, it achieves data integrity detection and correction through hardware ECC functionality. This advantage is that it does not consume the main control chip's resources, and the detection and correction process does not affect the execution and real-time performance of the main control tasks. This invention effectively solves the problems of existing technologies failing to ensure data integrity and error correction during software operation, improving data reliability and enhancing product quality. It also reduces hardware and software maintenance costs and workload while achieving data integrity detection and correction.
[0063] Based on this, since the StarNet amplifier is threatened by various types of radiation in space, with solar radiation being one of the main sources; to prevent bit flips caused by solar radiation from compromising data integrity and thus causing the module to malfunction or fail to start, in one embodiment of the present invention, a data security mechanism is also provided, such as... Figure 9 As shown, the method further includes: Step 701: Determine the physical storage area corresponding to the data to be monitored in the module; in the physical storage area, determine the preset number of bits that are closest to the sun as the watchdog bits of the physical storage area.
[0064] The preset number and the data to be monitored are determined by those skilled in the art based on the specific application scenario, and are not limited here. The data to be monitored may include the multiple sets of data stored in steps 10, 401, and 501.
[0065] The applicable scenario for steps 701 to 702 in this embodiment of the invention is: the current spatial position relationship of each module within the star network amplifier and inside the satellite can be predetermined, predicted, and calculated during each operating cycle of the star network amplifier, thus the spatial position relationship between the monitored data in the module and the sun at each period can be determined. For example... Figure 10 As shown, since satellites typically operate in Earth-centered orbits, their main motion is orbital motion around the Earth. The Earth itself revolves around the Sun, and the satellite and the modules in its onboard StarNet amplifier also participate in the Earth's orbital motion. Therefore, the corresponding StarNet amplifier exhibits a periodic rotational motion relative to the Sun. That is, the StarNet amplifier rotates with the Earth around the Sun, and the distance between the StarNet amplifier and the Sun at each moment is a readily available parameter.
[0066] It should be noted that, for the sake of convenience in describing spatial relationships, in the embodiments of the present invention... Figure 10 and Figure 11 In this illustration, the scale of the sun is reduced by a factor of several, while the scale of the satellite is enlarged by a factor of several. The relative sizes of the sun and satellites have significant errors. This illustration is used here only to describe the spatial relationship and distance, provided that the relative size ratio does not affect the technical solution of this invention. It is not intended to limit this invention and will not be elaborated further below.
[0067] In one embodiment, the physical address range of the data to be monitored is obtained based on its logical address range. Within the physical storage region of that physical address range, a predetermined number of bits with the smallest distance to the sun are selected as watchdog bits; wherein the distance between the physical address bits of the data to be monitored and the sun is greater than the distance between the corresponding watchdog bits and the sun. Figure 11 As shown, given that the distance between the StarNet Amplifier and the Sun at various times can be determined, and since the internal structure of the StarNet Amplifier is known and obtainable, the corresponding spatial relationships and distances can also be obtained, for example... Figure 11 The distance between the physical address bit of the data to be monitored and the sun is the first distance, and the distance between the corresponding watchdog bit and the sun is the second distance. When determining the watchdog bit, it is necessary to ensure that the second distance is less than the first distance. In one embodiment, the physical address bit of the data to be monitored is within its corresponding watchdog bit in terms of spatial position relative to the sun.
[0068] In this embodiment of the invention, a watchdog bit that is closer to the physical address bit storing the data to be monitored is used as a probe. Whenever a physical address bit is flipped due to solar radiation, the corresponding watchdog bit will inevitably flip because it is closer to the sun and the physical address bit storing the data to be monitored is within its corresponding watchdog bit. Moreover, the bit flipping time will be earlier than that of the physical address bit.
[0069] In one alternative embodiment, a ring of watchdog bits can be set around the physical storage area of the module relative to the sun, so that all data of the module is protected by the watchdog bits. It should be noted that not all bits around the physical storage area of the module are set as watchdog bits, but only watchdog bits are set for the data to be monitored.
[0070] Step 702: Based on whether the watchdog bit has undergone bit flipping, selectively verify the data in the physical storage area to ensure that the number of abnormal bits in the monitored data is less than a preset value through error correction.
[0071] The specific methods for determining whether a watchdog bit has flipped, for verifying data in the physical storage area, for correcting errors in bits with abnormal numbers, and the preset values are all determined by those skilled in the art based on the specific application scenario and are not limited here. In one embodiment, once a watchdog bit flips, the data in the physical storage area corresponding to that watchdog bit is verified. If the verification result shows that the number of abnormal bits is greater than or equal to a preset value, error correction is performed; in another embodiment, the correct value can be obtained and overwritten by following step 602 above, i.e., by reading backup data or other methods.
[0072] Furthermore, to better meet data protection requirements, in one embodiment, the watchdog bits include alert bits and periodic bits. Based on this, as... Figure 12 As shown, in step 701, determining the predetermined number of bits with the smallest distance from the sun as the watchdog bits of the physical storage area includes: Step 7011: If the data to be monitored needs to be monitored in real time, then a warning bit is set for the physical storage area so as to determine in real time whether the warning bit has been flipped.
[0073] The specific data to be monitored in real time, and the method for determining whether a bit flip has occurred in the warning bit, are determined by those skilled in the art based on the specific application scenario. For example, for certain data storage areas in memory that are always involved in read operations, such as memory areas involving addressing operations, if a certain number of abnormal bits exist (i.e., bit flips occur), cross-reading will occur during the addressing process, leading to program errors. Therefore, the data stored in this type of memory is the data to be monitored in real time.
[0074] Since the data in the module is constantly susceptible to radiation, bit flips can occur at any time. For data that needs to be monitored in real time and kept correct at all times, a corresponding watchdog bit is set to determine in real time whether a warning bit has flipped. In one embodiment, when a warning bit flips, for the program code that needs to be monitored in real time, a backup can be used, and the methods in steps 501 to 503 can be employed to perform real-time verification of each bit of the program code and correct the error when a bit flip occurs.
[0075] In one embodiment, real-time monitoring can be high-frequency or ultra-high-frequency monitoring, thereby achieving the effect of real-time monitoring; the difference between the frequency of real-time monitoring and the periodic monitoring described below is determined by those skilled in the art based on the specific application scenario.
[0076] Step 7012: If the data to be monitored needs to be monitored periodically, then periodic bits are set for the physical storage area so as to determine whether the periodic bits have flipped at preset intervals.
[0077] The data to be monitored periodically, and the preset period, are determined by those skilled in the art based on the specific application scenario, and are not limited herein. In one embodiment, the preset period can be determined based on the maximum fault-tolerant period of each monitored data point that will not affect the normal operation of the module even if bit flips occur.
[0078] For example, if a certain number of bits undergo a bit flip, since these bits do not belong to the continuously running code, no error will occur if the code does not reach these bits; therefore, these bits are data that only need to be monitored periodically. For example, if the bits corresponding to the bootloader undergo a bit flip during application runtime, it will not affect the normal operation of the system; therefore, the bootloader is data that only needs to be monitored periodically.
[0079] After setting corresponding watchdog bits for the data to be monitored that require periodic monitoring, the bits on the corresponding physical storage area are periodically checked for bit flips according to the preset period corresponding to each data to be monitored. In one embodiment, when a periodic bit flip occurs, the data to be monitored is checked to verify whether the data to be monitored has undergone a bit flip, and error correction is performed when a bit flip occurs.
[0080] In one embodiment, when there is a manual decision to reset the module, the corresponding monitored data is routinely verified based on watchdog bit triggering according to steps 7011 and 7012. Simultaneously, according to steps 10 to 30, 401 to 402, 501 to 503, and 601 to 602 of this embodiment, integrity verification is performed on all bootloaders (i.e., including bootloader backups) during the application runtime phase; and integrity verification is performed on all applications (i.e., including application backups) during the bootloader runtime phase. Combining steps 701 to 702, this embodiment improves the data security of the backup copy, thereby minimizing the possibility of bit flipping in the main file (e.g., bootloader code A) and all its backups (e.g., bootloader code A1, bootloader code A2, bootloader code A3, and bootloader backup B), resulting in the inability to obtain the correct values.
[0081] Furthermore, in one embodiment, such as Figure 13 As shown, step 702 includes: Step 7021: When the watchdog bit flips, determine the type of the data to be monitored.
[0082] Determine whether the data to be monitored is data to be protected or variable data. In one embodiment, data to be protected can be data that does not change under normal circumstances and can only be changed by manual operation, such as bootloader code. Variable data can be data that can be legally changed in addition to manual operation, such as parameter values in the calculation process required during the operation of an application.
[0083] Step 7022: If the type of the data to be monitored is data to be protected, then the data in the physical storage area is verified; when the verification result is abnormal, the corresponding normal value is obtained for error correction.
[0084] In one embodiment, normal values can be obtained in accordance with step 602 for error correction.
[0085] Step 7023: If the type of the data to be monitored is variable data, then ignore the bit flip that occurred in the watchdog bit.
[0086] Since variable data is often changing, there is no need to allocate too many resources to ensure that it remains unchanged.
[0087] In one embodiment, those skilled in the art can switch the data to be monitored between data to be protected and variable data according to the needs of a specific use case.
[0088] Based on the aforementioned backup bootloader and application data, this embodiment of the invention avoids the wasted computational resources and other costs associated with rereading and comparing content during each periodic verification in the absence of a response trigger state by setting a watchdog bit. This specifically improves the system's response sensitivity to bit flips and is highly practical.
[0089] The foregoing embodiments provided a data protection method based on a star network amplifier. In this embodiment, another data protection device based on a star network amplifier will be proposed. The data protection device based on a star network amplifier includes: a processor and a memory for storing processor-executable instructions; wherein, the processor is configured to execute the data protection method based on a star network amplifier described in the foregoing embodiments.
[0090] like Figure 14 As shown, the data protection device based on the star network amplifier includes a processor 21 and a memory 22, wherein the processor 21 and the memory 22 can be connected by a bus or other means.
[0091] Processor 21 can be a CPU. Processor 21 can also be other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or combinations of the above types of chips.
[0092] The memory 22, as a non-transitory computer-readable storage medium, can be used to store non-transitory software programs, non-transitory computer-executable programs, and modules, such as the program instructions / modules corresponding to the data protection method based on the star network amplifier in the aforementioned embodiments. The processor executes various functional applications and training processes by running the non-transitory software programs, instructions, and modules stored in the memory.
[0093] The memory 22 may include a program storage area and a training storage area. The program storage area may store the operating system and applications required for at least one function; the training storage area may store training data created by the processor. Furthermore, the memory may include high-speed random access memory and non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, the memory 22 may optionally include memory remotely located relative to the processor, which can be connected to the processor via a network. Examples of such networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof. The one or more modules stored in the memory 22, when executed by the processor 21, perform the data protection method based on a star-network amplifier as shown in the embodiments of the present invention. Specific details of the above-described data protection method based on a star-network amplifier can be understood by referring to the corresponding descriptions and effects in the embodiments of the present invention, and will not be repeated here.
[0094] This embodiment also provides a computer storage medium storing a computer program that can be executed by a processor to perform the data protection method based on the star network amplifier described in the foregoing embodiments.
[0095] The computer storage medium stores computer-executable instructions, which can execute the data protection method based on the star network amplifier in any of the above method embodiments. The storage medium can be a magnetic disk, optical disk, read-only memory (ROM), random access memory (RAM), flash memory, hard disk drive (HDD), or solid-state drive (SSD), etc.; the storage medium may also include combinations of the above types of memory.
[0096] The specific steps of the data protection method based on the star network amplifier are described in the foregoing embodiments and will not be repeated in this embodiment.
[0097] The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of the present invention should be included within the protection scope of the present invention.
Claims
1. A data protection method based on a star network amplifier, characterized in that, include: Multiple copies of the bootloader and application programs are stored in non-volatile memory; After the module is powered on or reset, the boot program starts running from address zero of the non-volatile memory, and the application program is loaded and run through the boot program; When the application is running, the checksums of all bootloaders are calculated and compared with the original values; the correct bootloader is used to overwrite the incorrect bootloader to achieve error correction.
2. The data protection method based on a star network amplifier according to claim 1, characterized in that, The method further includes: Starting from the zero address of the non-volatile memory, multiple copies of the boot program are stored at a preset fixed offset address.
3. The data protection method based on a star network amplifier according to claim 2, characterized in that, The method further includes: The read-only memory is started to sequentially perform integrity checks on the boot programs stored at each of the fixed offset addresses until a boot program that passes the check is found. The boot program that passes the check is then used to complete the startup process.
4. The data protection method based on a star network amplifier according to claim 1, characterized in that, The method further includes: Store multiple copies of key variable data in memory; When the key variable data needs to be used, the multiple copies are compared pairwise. The copies that match pairwise are identified as the correct data for the key variable, so that the correct data can be used.
5. The data protection method based on a star network amplifier according to claim 1, characterized in that, The method further includes: When the bootloader runs, it calculates the checksums of all applications and compares them with the original values. To correct errors, use the correct application to override the incorrect application.
6. The data protection method based on a star network amplifier according to claim 1, characterized in that, The method further includes: Determine the physical storage area corresponding to the data to be monitored in the module; within the physical storage area, determine the preset number of bits that are closest to the sun as the watchdog bits of the physical storage area; Based on whether the watchdog bit has flipped, the data in the physical storage area is selectively verified to ensure that the number of abnormal bits in the monitored data is less than a preset value through error correction.
7. The data protection method based on a star network amplifier according to claim 6, characterized in that, The watchdog bits include warning bits and periodic bits; The method includes: If the data to be monitored needs to be monitored in real time, then a warning bit is set for the physical storage area so as to determine in real time whether the warning bit has been flipped. If the data to be monitored needs to be monitored periodically, periodic bits are set for the physical storage area so as to determine whether the periodic bits have flipped at preset intervals.
8. The data protection method based on a star network amplifier according to claim 6, characterized in that, The method includes: When the watchdog bit flips, the type of the data to be monitored is determined; If the type of data to be monitored is data to be protected, then the data in the physical storage area is verified; when the verification result is abnormal, the corresponding normal value is obtained for error correction. If the type of data to be monitored is variable data, then the bit flip that occurred in the watchdog bit is ignored.
9. A data protection device based on a star network amplifier, characterized in that, The data protection device based on the star network amplifier includes: a processor and a memory for storing processor-executable instructions; The processor is configured to perform the data protection method based on a star network amplifier as described in any one of claims 1 to 8.
10. A non-volatile computer storage medium, characterized in that, The computer storage medium stores computer-executable instructions, which are executed by one or more processors to perform the data protection method based on a star network amplifier as described in any one of claims 1 to 8.