I've implemented a bootloader for a Kinetis ARM Cortex-M4 microcontroller.
The main application (starting at 0x10000) is re-programmed via the bootloader over a custom RS232 interface. I've implemented jumpToApplication and jumpToBootloader functions from the bootloader and application perspectives and all works fine so far.
One strategy I'm keen to understand is what to do upon the event of a corrupt main application?
The bootloader currently checks the stack-pointer and program-counter of the main application before deciding whether to jump. However, if the main application is corrupt then either two issues will occur:
The main application will hang and make it difficult to re-program
The microcontroller will reboot and will be stuck in a bootloader > application > bootloader (etc) loop
I have a SharedData structure which allows me to share data (via a fixed RAM location) between both the bootloader and application. I have considered adding a rebootCounter to this structure which would be incremented upon the HardFaultInterrupt being triggered in the main application.
This value could be tested in the bootloader and, depending on the counter value, a decision could be made as to whether to stay in the bootloader or try to launch the application.
Are there more "industry standard" ways of dealing with this?
UPDATE
To clarify, the ultimate reason for asking this question is to cover the following scenario:
Bootloader is programmed into the device during production phase via JTAG
Main application (latest build) is loaded during testing phase
During the testing phase, there is a power-cut or connection issue and the device is only partially programmed
When power is applied again, the bootloader will "assume" that there is a valid program in the main part of flash and will "jump" to this application
The microcontroller is now stuck in no mans land with no way of re-loading flash via the bootloader again without opening up the products enclosure and re-flashing the chip via JTAG - not something we can do when the product is in the field.
During the bootloader programming phase, the firmware is programmed and validated byte-by-byte to ensure that there is no corruption during the data transfer. If corruption occurs during this phase (bad packet due to USB hub issue, for example) then the bootloader will continue to accept re-programming commands.
UPDATE #2
The following post seems to be thinking along similar lines:
https://interrupt.memfault.com/blog/how-to-write-a-bootloader-from-scratch
First I recommend that add some delay in your bootloader that waits for a firmware update process start indicator. I developed something similar; desktop application sends start byte periodically and when you connect your device, it enters bootloader mode and waits for five seconds more to get new firmware information; so it is not important whether there is valid main application on the flash or not.
Another solution to check the existing of the main application use a specific sector of the flash for firmware information, before a firmware update process erase that sector. After a successful firmware update write a specific data to that sector. In the bootloader read this sector and verify that there is a valid application on the flash.
I would add some 'magic' value (say 0xDEAD00D) an the end of the application and only jump to the application of the magic value is there. You can have a pointer to that location at 0x10000.
To make things more robust, program the magic value after the verify is completed.
Related
I'm working on an embedded device based on an NXP i.MX8M mini SoC. It is running Linux based on NXP's "hardknott" Yocto recipe: https://source.codeaurora.org/external/imx/imx-manifest/tree/imx-5.10.52-2.1.0.xml?h=imx-linux-hardknott
Here's the bitbake script for the kernel it is using: https://source.codeaurora.org/external/imx/meta-imx/tree/meta-bsp/recipes-kernel/linux?h=hardknott-5.10.52-2.1.0
I believe it is pulling the kernel sources from here: https://source.codeaurora.org/external/imx/linux-imx/tree/?h=lf-5.10.y
Our device has a digital microphone that is being driven by a modified version of NXP's fsl_micfil.c driver: https://source.codeaurora.org/external/imx/linux-imx/tree/sound/soc/fsl/fsl_micfil.c?h=lf-5.10.y
Our modifications are:
In fsl_micfil_hw_params, where their code does "enable channels" (around line 1592), we've changed it to only enable the channel we care about instead of all of them.
We changed:
ret = regmap_update_bits(micfil->regmap, REG_MICFIL_CTRL1,
0xFF, ((1 << channels) - 1));
To:
ret = regmap_update_bits(micfil->regmap, REG_MICFIL_CTRL1,
0xFF, 1 << 6);
At the start of fsl_micfil_probe (around line 2202), we add code to pull a GPIO line (the mic's enable line) low. If GPIO isn't available at the time, we return -EPROBE_DEFER in order to try again later
Further down in fsl_micfil_probe (around line 2334), we change the DMA channel from 0 to 6 (to align with our enable change).
We changed:
micfil->dma_params_rx.addr = res->start + REG_MICFIL_DATACH0;
To:
micfil->dma_params_rx.addr = res->start + REG_MICFIL_DATACH6;
That having been described, here's the problem.
Our application is trying to read audio from this microphone (we can test it with the arecord command).
We have found that if we launch our application immediately after Linux boots, the device hangs. We need to power-cycle it to recover.
If we wait about 60 seconds after bootup, however, we see the following messages appear on the console:
[ 60.386133] imx-sdma 302c0000.dma-controller: firmware found.
[ 60.392010] imx-sdma 302c0000.dma-controller: loaded firmware 4.6
If we launch our application after these messages appear, everything works fine.
I looked through the implementation of the imx-sdma driver: https://source.codeaurora.org/external/imx/linux-imx/tree/drivers/dma/imx-sdma.c?h=lf-5.10.y
The driver loads some kind of firmware when it starts up. The first message ("firmware found") is presented by the probe function. The second ("loaded firmware") is presented by one of the two power management resume functions (sdma_resume or sdma_runtime_resume).
So it appears that the problem is that this DMA driver is not loading until the system has been running for about 60 seconds. I assume this is due to some kind of lazy initialization that waits until some kernel driver requires access. And my problem is happening because my driver requires access and is initializing before the DMA driver has loaded.
So, what's a good fix for this? I assume I need to add something to the fsl_micfil driver to request startup of the DMA driver. But I don't know how to do this and I don't actually know if that is the correct fix for this problem.
What would you suggest as a proper fix for this bug?
(FWIW, we made very similar changes to an older version of the kernel - based on Yocto's "sumo" branch, running kernel 4.14, and there are no problems there. So clearly something changed between kernel 4.14 and 5.10 that our code needs to deal with, but I don't know what that might be.)
I eventually figured out the reason (but not the best solution) for the problem.
As I wrote in the original message, the micfil driver uses imx-sdma, which tries to load firmware from the file system.
The "Sumo" (kernel 4.14) branch has no problem with this. At the time the driver starts, the root file system has been mounted (read-only), so it has no problem loading its firmware.
With the "Hardknott" (kernel 5.10) and "Kirkstone" (kernel 5.15) branches, however, the SDMA driver tries to load very very early in the boot sequence - before any file systems have mounted. So direct loading fails. It then posts an event via udev, to request that user-space code provide the firmware via sysfs. But the driver appears to be starting so early (within 10-15 ms, according to dmesg) that udev isn't able to queue up the event. I'm not sure about the specific reason why but debugging shows that the event is never delivered to user space.
The kernel side of the udev request times out after 60 seconds, at which point the driver retries the request, which succeeds because all the file systems are fully mounted by that point.
An ideal fix would be to modify the imx-sdma driver so it doesn't start until after the file system mounts, so it can directly load its firmware. Or at minimum, after udev is ready and able to deliver the firmware-load event to user space. I let NXP know about this issue, so maybe they'll fix it in a future release of their driver.
Until that happens, my workaround is to change the kernel configuration so the imx-sdma driver is compiled as a loadable module. This means it can't load and start until after the root file system is available, at which point it has no problem finding its firmware. dmesg shows that this happens about 6s into the boot sequence - later than I'd prefer, but early enough that no application software has started running, so nothing hangs or crashes.
Heading seems kinda weird, I am also not getting what exact should I write there, but hope I am able to make you understand what I want to do exactly!
- I will have Primary bootloader and secondary bootloader both will resides in different areas of memory (may be boot flash or program flash).
- One of bootloader will be active at a time and other will be inactive.
- Let consider, Primary bootloader is active, and now I will download my application firmware. I am also reading the active bootloader version from application firmware so that I can check whether I need to update bootloader.
- And If I need to update bootloader then inactive bootloader will be activated and it will replace previously active bootloader with updated one. And secondary bootloader will switch back to inactive mode. Thus secondary bootloader only become active when it have to update primary bootloader.
- In whole this process, I want to reserve some memory area for Primary bootloader version, secondary bootloader version, and some custom configuration data with fixed memory location and can be accessible from Primary, secondary as well as application firmware.
You'll need to understand the Linker files. I have yet to do this for the MX/MZ line but I have don this sort of thing on MANY dsPIC33's. Pretty much the following way: Bootloader gets a set amount of flash dedicated in the .gld usually a single page so it's easier to erase (0x400) then the Superboot loader (the secondary bootloader) is ONLY loaded into the PIC when you are actually loading a new bootloader. So what the superboot loader is is really a smaller application designed to simply update the bootloader and then jump to the reset address of the bootloader. I personally wouldn't keep the secondary/super bootload code in there all the time simply to avoid confusion later on. You can really do this using update techniques from outside the PIC. Again I can;t offer direct help with the PIC32 line but if you'd like to see example linker files for the dsPIC33 lines I can provide those.
I'm new to these devices and even if they are very cheap, I don't unnecessarily want to brick them.
I've used esptool to flash the NodeMCU firmware onto my modules. When doing so, I need to specify the address where the file(s) get written, which usually is 0x00000. Does that mean that the firmware actually contains the bootloader? Or is it located in a separate region on the flash?
If the bootloader itself is contained in the firmware file, an interrupted flashing process would render the module useless, I suppose?
Thanks for clarification!
You can't damage the module this way. I probably did a hundred flashes, some of which failed (e.g. due to a too high baud rate). The firmware itself does contain the bootloader at 0x000000, but that's a second-stage bootloader which can be exchanged arbitrarily. You shouldn't be able to overwrite the first-stage bootloader. Quoting from the man who created rBoot, an open-source alternative for the properitary Espressif booatloader at http://richard.burtons.org/:
The boot loader is written to the first sector of the SPI flash and is executed like any other program, the built in first stage boot loader does not know it is loading a second stage loader rather than any other program.
So what happens next? Well the second stage boot loader isn’t open source, it’s provided to us as a binary blob to use blindly.
In short: You cannot damage your module by writing nonsense to 0x00000. It will maybe execute some arbitrary code before it finds an invalid opcode, but that's not enough to make the CPU explode or the module to be damaged. Reflashing the firmware is enough to recover from a damaged second-stage bootloader.
So where is that first-stage bootloader exactly? From the comments at richard.burtons.org/2015/05/17/esp8266-boot-process, the creator answered this himself as:
Commentator: I have been figuring out if the first stage boot loader is in the processors ROM or in the Flash. I guess it is in the ROM. If this is in ROM then there is no risk of messing flash and leave the device useless.
Could you please confirm it.
Richard: That’s correct. Stage one is in rom and you can’t do anything to break it.
I am programming a pci device with verilog and also writing its driver,
I have probably inserted some bug in the hardware design and when i load the driver with insmod the kernel just gets stuck and doesnt respond. Now Im trying to figure out what's the last driver code line that makes my computer stuck. I have inserted printk in all relevant functions like probe and init but non of them get printed.
What other code is running when i use insmod before it gets to my init function? (I guess the kernel gets stuck over there)
printks are often not useful debugging such a problem. They are buffered sufficiently that you won't see them in time if the system hangs shortly after printk is called.
It is far more productive to selectively comment out sections of your driver and by process of elimination determine which line is the (first) problem.
Begin by commenting out the entire module's init section leaving only return 0;. Build it and load it. Does it hang? Reboot system, reenable the next few lines (class_create()?) and repeat.
From what you are telling, it is looks like that Linux scheduler is deadlocking by your driver. That's mean that interrupts from the system timer doesn't arrive or have a chance to be handled by kernel. There are two possible reasons:
You hang somewhere in your driver interrupt handler (handler starts its work but never finish it).
Your device creates interrupts storm (Device generates interrupts too frequently as a result your system do the only job -- handling of your device interrupts).
You explicitly disable all interrupts in your driver but doesn't reenable them.
In all other cases system will either crash, either oops or panic with all appropriate outputs or tolerate potential misbehavior of your device.
I guess that printk won't work for such extreme scenario as hang in kernel mode. It is quite heavy weight and due to this unreliable diagnostic tool for scenarios like your.
This trick works only in simpler environments like bootloaders or more simple kernels where system runs in default low-end video mode and there is no need to sync access to the video memory. In such systems tracing via debugging output to the display via direct writing to the video memory can be great and in many times the only tool that can be used for debugging purposes. Linux is not the case.
What techniques can be recommended from the software debugging point of view:
Try to review you driver code devoting special attention to interrupt handler and places where you disable/enable interrupts for synchronization.
Commenting out of all driver logic with gradual uncommenting can help a lot with localization of the issue.
You can try to use remote kernel debugging of your driver. I advice to try to use virtual machine for that purposes, but I'm not aware about do they allow to pass the PCI device in the virtual machine.
You can try the trick with in-memory tracing. The idea is to preallocate the memory chunk with well known virtual and physical addresses and zeroes it. Then modify your driver to write the trace data in this chunk using its virtual address. (For example, assign an unique integer value to each event that you want to trace and write '1' into the appropriate index of bytes array in the preallocated memory cell). Then when your system will hang you can simply force full memory dump generation and then analyze the memory layout packed in the dump using physical address of the memory chunk with traces. I had used this technique with VmWare Workstation VM on Windows. When the system had hanged I just pause a VM instance and looked to the appropriate .vmem file that contains raw memory latout of the physical memory of the VM instance. Not sure that this trick will work easy or even will work at all on Linux, but I would try it.
Finally, you can try to trace the messages on the PCI bus, but I'm not an expert in this field and not sure do it can help in your case or not.
In general kernel debugging is a quite tricky task, where a lot of tricks in use and all they works only for a specific set of cases. :(
I would put a logic analyzer on the bus lines (on FPGA you could use chipscope or similar). You'll then be able to tell which access is in cause (and fix the hardware). It will be useful anyway in order to debug or analyze future issues.
Another way would be to use the kernel crash dump utility which saved me some headaches in the past. But depending your Linux distribution requires installing (available by default in RH). See http://people.redhat.com/anderson/crash_whitepaper/
There isn't really anything that is run before your init. Bus enumeration is done at boot, if that goes by without a hitch the earliest cause for freezing should be something in your driver init AFAIK.
You should be able to see printks as they are printed, they aren't buffered and should not get lost. That's applicable only in situations where you can directly see kernel output, such as on the text console or over a serial line. If there is some other application in the way, like displaying the kernel logs in a terminal in X11 or over ssh, it may not have a chance to read and display the logs before the computer freezes.
If for some other reasons the printks still do not work for you, you can instead have your init function return early. Just test and move the return to later in the init until you find the point where it crashes.
It's hard to say what is causing your freezes, but interrupts is one of those things I would look at first. Make sure the device really doesn't signal interrupts until the driver enables them (that includes clearing interrupt enables on system reset) and enable them in the driver only after all handlers are registered (also, clear interrupt status before enabling interrupts).
Second thing to look at would be bus master transfers, same thing applies: Make sure the device doesn't do anything until it's asked to and let the driver make sure that no busmaster transfers are active before enabling busmastering at the device level.
The fact that the kernel gets stuck as soon as you install your driver module makes me wonder if any other driver (built in to kernel?) is already driving the device. I made this mistake once which is why i am asking. I'd look for the string "kernel driver in use" in the output of 'lspci' before installing the module. In any case, your printk's should be visible in dmesg output.
in addition to Claudio's suggestion, couple more debug ideas:
1. try kgdb (https://www.kernel.org/doc/htmldocs/kgdb/EnableKGDB.html)
2. use JTAG interfaces to connect to debug tools (these i think vary between devices, vendors so you'll have to figure out which debug tools you need to the particular hardware)
Drivers on Windows should be signed and submitted to Microsoft for code signing and this is a requirement for 64 bit systems. The problem is that, when you have to update the driver, you have to submit it again, once for every release.
Is possible to build some kind of proxy or shim driver so that I have to sign and submit it only once, and then have my code in a separate module?
Of course I can't just move the working code in a DLL, as also dynamically loaded modules have to be signed in order to being executed in 64 bit kernel mode. What if I put my code in a raw file, load it in memory (allocated with execution flag enabled) and then execute it? Other ideas?
You don't have to submit a driver to Microsoft. You have to sign your driver with a cross-signing-certificate. You will get a nag screen this way, but this is not forbidden!
There were (are) several attempts to do just what you want to do. These are 'barely' tolerated, but these drivers may be banned at any time. (By revoking your signature)
The process is very easy :
Load the signed driver.
Provide a IoControl in which user mode programs can send memory to the kernel.
Change the execute bit of this memory, and just call an address in this memory.