I am working on ti-am335x(BeagleBone Black).
I have done successful upgrade of uboot,kernel and filesystem after upgrade and restart the mlo choose the latest upgraded u-boot and booted, but it hangs in between before loading the kernel, that means (the u-boot image was corrupted), Now if this happens in real product the user will get his device bricked, my question is that "is there a way to make sure this doesn't happen in real device even if it happens, we can role back to the last working firmware set."
There are common methods of building a fail-safe upgrade process.
Let's assume your u-boot image is of a release quality, and a header with size and checksum has been added to it.
You can allocate space for 2 such similar u-boot copies.
During upgrade process, the 2nd image checksum is verified, then 1st is replaced. Now 1st image (that was just programmed) checksum is verified, and if successfull, 2nd image is replaced.
If anything goes wrong during upgrade process, you are left with at least one working copy.
To make this work, you will need to create a small bootstrap that has information about starting offset of each image, is capable of calculating checksum, and can decide which u-boot image will be executed. This bootstrap should be simple enough and thoroughly tested to have no bugs at all, and so will be programmed to flash only once during production, and never replaced.