A chip system comprising ROM code including a bootloader which runs whenever the chip is powered on; and programmable fuse array memory storing version identifiers, NVMs in which copies of a version of bootable firmware are stored, wherein a first identifier is stored including active major number and minor numbers, signed with a private key; wherein a second identifier is stored including recovery major and minor numbers, signed with said private key; and hardware which obeys a first command by the boot ROM code to disable until next system reset, writing to the recovery NVM other than to the bootloader, and obeys a second command, to lift write protection of the recovery NVM, wherein firmware images associated with both said versions, and both said identifiers, are signed with said private key, and the boot ROM code authenticates firmware image/s and said identifiers.