NiMc_1688136
Level 5

In ota2_bootloader.c, at line 186, it tests to see if the reset was caused by a WDT. If it was, then it loads from the staging area or failsafe.

So if the application is running normally and hits an obscure infinite loop or some assert condition, on the WDT reset the bootloader will force an extraction of the failsafe app (assuming no valid image)? This seems wrong. I understand that if the OTA image is corrupt then this provides a chance of recovery, but if the image is really valid, I do not want the failsafe app loading, which in my case could be a much older, out-of-date version of the main application.

Am I correct in how I read this?

PriyaM_16
Moderator

The ota2 bootloader functions as below:

It checks whether the reset was due to the watchdog. If it's a WDT reset, it checks if there is a valid image in the staged area. If there is a valid image, it sets up the boot type to extract from the staging area (OTA2_BOOT_FAILSAFE_UPDATE) and runs the failsafe app and the OTA2 extract app. Hence the valid image from the staged area is loaded. If there is no valid image in the staged area (boot type is set to OTA2_BOOT_FAILSAFE_FACTORY_RESET), the factory reset image is loaded.

To answer the use case mentioned in this thread:

The boot type variable takes care of the reset condition. If the reset has occurred due to WDT, the failsafe app always comes into the picture, as it is not the normal behavior under which the reset occurred (i.e., NOT POR). The failsafe is responsible for extracting the application LUT and ota2_extract to allow full extraction on reboot.

0 Likes

The question is whether an application hang-up can cause a WDT reset or not.

If yes, it will switch to the failsafe app. This seems like quite surprising behavior.

axel.lin_1746341

Correct, while a WDT is not included by design, given the sheer complexity of a Wi-Fi based project with the stack and FreeRTOS, it is a given that we may encounter a WDT in normal operation.

riya

I have seen the failsafe app become corrupted after an OTA update due to the build size of the failsafe app and how external flash is sectioned, see my other post "CYW43907/1GC fails up boot after update".

So if a random WDT in the application resets the processor and the failsafe app runs then it is possible to have a bricked system because the failsafe app is corrupted.

0 Likes

There is no way to update failsafe and bootloader in a device which is out in the field.

We have increased the failsafe application size in image defines to 100KB to address this problem in future. Really sorry for the inconvenience.

0 Likes
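
An added example, not part of any post above and not the WICED ota2_bootloader.c source: a small C model of the WDT boot decision as the moderator describes it, including the corrupted-failsafe case raised later in the thread, beside a hypothetical validate-first policy. The type and function names, and the assumption that a non-WDT reset simply runs the current application, are illustrative only.

```c
/* Added example: model of the WDT boot decision in this thread; names are hypothetical. */
#include <stdbool.h>

typedef enum {
    BOOT_NORMAL_APP,      /* run the current application */
    BOOT_EXTRACT_STAGED,  /* thread: boot type OTA2_BOOT_FAILSAFE_UPDATE */
    BOOT_FACTORY_RESET,   /* thread: boot type OTA2_BOOT_FAILSAFE_FACTORY_RESET */
    BOOT_BRICKED          /* failsafe app is needed but corrupted */
} boot_outcome_t;

typedef struct {
    bool wdt_reset;       /* reset was caused by the watchdog */
    bool staged_valid;    /* valid image present in the staging area */
    bool current_valid;   /* current application image passes validation */
    bool failsafe_intact; /* failsafe app in flash is not corrupted */
} boot_state_t;

typedef boot_outcome_t (*boot_policy_t)(boot_state_t);

/* Shared fallback: everything here depends on the failsafe app running. */
static boot_outcome_t via_failsafe(boot_state_t s)
{
    if (!s.failsafe_intact)
        return BOOT_BRICKED;
    return s.staged_valid ? BOOT_EXTRACT_STAGED : BOOT_FACTORY_RESET;
}

/* As described in the thread (assumption: non-WDT resets run the current app). */
boot_outcome_t boot_as_described(boot_state_t s)
{
    return s.wdt_reset ? via_failsafe(s) : BOOT_NORMAL_APP;
}

/* Hypothetical alternative: use failsafe only if the current app is invalid. */
boot_outcome_t boot_validate_first(boot_state_t s)
{
    return (s.wdt_reset && !s.current_valid) ? via_failsafe(s) : BOOT_NORMAL_APP;
}

/* Count states where a valid current app is still replaced or the device bricks. */
int count_lost_valid_app(boot_policy_t policy)
{
    int n = 0;
    for (int bits = 0; bits < 16; bits++) {
        boot_state_t s = { bits & 1, bits & 2, bits & 4, bits & 8 };
        boot_outcome_t o = policy(s);
        if (s.current_valid && (o == BOOT_FACTORY_RESET || o == BOOT_BRICKED))
            n++;
    }
    return n;
}
```

Of the 16 modelled states, the described policy discards or loses a valid application in three of them; the validate-first variant does so in none, but it would still need its own guard against an application that repeatedly trips the watchdog.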