The problem with any approach to in-situ firmware updates is that when such a feature contains a flaw, the target system may become an expensive doorstop and perhaps injure the user in the process. Many of the potential pitfalls are obvious and straightforward to correct, but other defects may not appear until after a product has been deployed in its application environment. Users are unequaled in their abilities to expose and exploit product defects, and to make matters worse, users also generally fail to heed warnings like, “system damage will occur if power is interrupted while programming is underway”. They will happily attempt to reboot an otherwise functional system in the middle of the update process, and then file a warranty claim for the now “defective” product. Any well-designed, user-ready embedded system must include the ability to recover from user errors and other catastrophic events to the fullest extent possible. The best way to accomplish this is to implement a fundamentally sound firmware update strategy that avoids these problems entirely. This paper presents one such design.