The Image Update Model
In the Image Update model, a Windows Mobile powered device does not have a single firmware, but instead has ROM regions segmented into different ROM packages that can be updated individually. Packages can be added, updated, or resized as part of an update process, without the need to reload all the firmware on the mobile device.
Before Windows Mobile 5.0, Microsoft used Multi-XIP to support multiple, independently updateable regions in the system ROM. Although this enabled a portion of the system firmware to be updated without completely reloading the ROM, Multi-XIP regions wasted memory by being at fixed memory locations. This limited the ability to create flexible, customized versions of the operating system to meet equipment manufacturers' market segmentation needs.
In Windows Mobile 5.0 and later, Image Update replaced the Multi-XIP mechanism. Image Update supports both NAND and NOR ROM flash technologies. It is designed to handle software evolution from one update to the next without erasing user data, including mechanisms for full or incremental updating of the file system, the operating system image, and registry.
The Image Update model contains a new partitioning scheme consisting of the loader, kernel, and system partitions for the run-time image in flash memory or non-volatile storage. It uses packages and manifest files that specify how to divide software modules or files into groups based on functional characteristics.
The OMA DM server can offer all or part of an update package to a mobile device as appropriate for its hardware and its current ROM package versions.
Security in the Image Update Model
Security concerns are addressed in the Image Update model in three ways:
- Image Update packages are signed with the software signing tool when built.
- Updates are validated and checked against a list of approved certificates before they are allowed to run.
- ROM packages and partitions are protected during normal device operation.
Update packages are created for specific ROM packages. The update packages contain a provisioning XML file and must be signed using the software signing tool and a certificate appropriate for the security on the devices to be updated. Update packages are stored on an OMA DM server or in a download server where they can be accessed for download by mobile devices during an Image Update DM session.
Update packages downloaded onto a Windows Mobile powered device can be processed either during cold boot or during the Image Update process. In both cases, the Configuration Manager on the mobile device processes the XML files:
- During a cold boot, all files in all packages are processed.
- During the image update process, only files in packages that have been updated during the current device management session will be processed.