Timeout exit from the boot loader

Hello,

Please correct me if I'm wrong, but is my understanding correct that you're fine with the bootloader always enter serial recovery mode on startup, but you prefer not to expose any mcumgr commands in the application?

Thanks,

Vidar

No, I don't want the bootloader to start during normal boot.

In other words, the bootloader will only start with
bootmode_set(BOOT_MODE_TYPE_BOOTLOADER);

Possible options that come to mind:

1. Create a patch file that you apply that you and your coworkers can apply to the SDK during installation

2. Submit a PR to propose your change at https://github.com/mcu-tools/mcuboot 

3. Create a workspace application that includes a fork of the https://github.com/nrfconnect/sdk-mcuboot repository (see Forking a repository of the nRF Connect SDK). 

I'd like to +1 this functionality. We have a product with a permanently installed battery. We want mcuboot serial recovery via USB (ACM) when a button is pushed;but, if a user accidentally presses that button on turn on, mcuboot sits there forever waiting for a command. We're up for creative ideas, such as having a global watchdog of maybe 2 minutes, and not feeding the watchdog from mcuboot - which in our understanding would force a reboot and allow up to 2 minutes for a device recovery, which seems sufficient.

Thanks!

Looking at this commit it looks like it should be possible already to have it timeout automatically: https://github.com/mcu-tools/mcuboot/pull/2277/commits/ab2d7bc44f3b658f870f2a93bef58e6f59bf6872 if you use CONFIG_BOOT_USB_DFU_GPIO together with CONFIG_BOOT_USB_DFU_WAIT. Are you using CONFIG_BOOT_USB_DFU_GPIO as your entry method? 

I have reviewed the main.c code and it appears (interestingly) that CONFIG_BOOT_USB_DFU_WAIT is being used in two ways.

1. If CONFIG_BOOT_USB_DFU_GPIO=n

Pin DFU is not used - so, enters DFU mode for the duration of CONFIG_BOOT_USB_DFU_WAIT_DELAY_MS.

2. If CONFIG_BOOT_USB_DFU_GPIO=y along with CONFIG_BOOT_USB_DFU_WAIT=y

mcuboot does NOT enter DFU automatically. The CONFIG_BOOT_USB_DFU_GPIO rule changes the operation of CONFIG_BOOT_USB_DFU_WAIT. DFU is only entered if the DFU pin is active. DFU times out after CONFIG_BOOT_USB_DFU_WAIT_DELAY_MS.

My observation is that DFU boot never exits if DFU has been started in any way, including error bytes being written into the serial RX. I will look ito enabling the watchdog in mcuboot.

Thank you for the update. I will report this internally for review and to (re)consider what the expected behavior should be. I think it makes sense to fall back to the application, or at least provide the option to do so, even in cases where serial recovery mode has been entered but then stopped (for example with an inactivity timer). Allowing the WD to be started from the bootloader could also be something to consider.

EDIT: I see someone already contributed a solution for setting up the WD in the bootloader here: https://github.com/mcu-tools/mcuboot/pull/2566/commits 

Thank you for the update. I will report this internally for review and to (re)consider what the expected behavior should be. I think it makes sense to fall back to the application, or at least provide the option to do so, even in cases where serial recovery mode has been entered but then stopped (for example with an inactivity timer). Allowing the WD to be started from the bootloader could also be something to consider.

EDIT: I see someone already contributed a solution for setting up the WD in the bootloader here: https://github.com/mcu-tools/mcuboot/pull/2566/commits 

The scenario is where the device is in the hands of an end customer and they have limited ability to troubleshoot or do anything technical. When enough devices are manufactured, all possible error states do occur.

If the end customer has managed to get the device into a dead-end state (e.g. reset while holding the recovery button, with a USB plugged in, which has been observed to half-trigger the DFU.) it needs to recover in the most sensible way.

I think being able to enable the watchdog from mcuboot Kconfig flags (and set the timeout) is the most sensible approach that solves requirements for a number of different cases, and also being able to choose whether mcuboot feeds the watchdog, or not. This would allow the device to reset if mcuboot ended up waiting for DFU bytes forever. It also protects against other unforseen future niche bugs with mcuboot.

EDIT: Noted that a WD update has been created. We'll integrate this once it reaches the nrf SDK.

I agree with your points. In case you didn't see it, I updated my previous about WDT setup in bootloader already being supported in upstream mcuboot which should be included in our next SDK release.