DFU issues on Android 10

Hi,

Both these issues could be explained by missing service changed. Have you made sure the NRF_SDH_BLE_SERVICE_CHANGED is set to the same value in both the applications and bootloaders sdk_config.h? What is it?

Hi again,

Here is another screenshot from my OnePlus 5 running Android 9, attempting DFU through the NRF Connect App.

I've never had any issues on this phone before.

Update on problem 2:

<info> app: Retriving Peer data returned err_code: 0
<info> app: Setting peer data for bootloader returned err_code: 8
<error> app: Request to enter bootloader mode failed asynchroneously.

Hi,

So I just finished a longer test session.

It seems like the GATT Service changed notifications is not working properly in the bootloader.

If I take these steps:

1. In the application, write to the DFU characteristic to enter bootloader
2. Enters bootloader
3. Reconnect
4. Still shows the attribute table from the application. Logs indicate that the Indication was sent successfully (returns NRF_SUCCESS inside nrf_dfu_ble.c)
5. Disconnect and then reconnect. Now displays the DFU service/characteristic (Sometimes requires more than one disconnect/reconnect in order to display the new attribute table).
6. Start FW upload

With the above sequence DFU was successful 10 out of 10 tries.

Automatic DFU from the application fails on either GATT_INVALID_HANDLE or GATT_ERROR which can be explained by the behavior above.

Hi,

I see. We could confirm with a sniffer trace, but your tests strengthen the theory of a timing difference. Different mobile devices, operating systems, SW/DFU library changes, all affect timing slightly. The fix is probably to do the same workaround as you did in your application in the bootloader as well.

For problem 2 to you get a return value 8, which is NRF_ERROR_INVALID_STATE. From which function?

Hi,

I see. We could confirm with a sniffer trace, but your tests strengthen the theory of a timing difference. Different mobile devices, operating systems, SW/DFU library changes, all affect timing slightly. The fix is probably to do the same workaround as you did in your application in the bootloader as well.

- In the application I currently trigger pm_local_database_has_changed() in the peer manager event handler when we get the event CACHE_APPLY_FAILED, If I understand you correctly I should implement the same in the bootloader?

Currently the bootloader does not make use of the Peer Manager.

Hi,

The service changed indication in the bootloader in SDK 15.0 is sent by the call to service_changed_send() on line 882 in nrf_dfu_ble.c.

Hi,

The service changed indication in the bootloader in SDK 15.0 is sent by the call to service_changed_send() on line 882 in nrf_dfu_ble.c.

I will implement the fix and see what happens.

Regarding problem 2:

ret = nrf_dfu_set_peer_data(&m_peer_data);

is the function that returns INVALID_STATE, row 178 in ble_dfu_bonded.c

Here's the changes I made to nrf_dfu_ble.c. I copied the service_changed_cccd function and In case the softdevice call to service_changed fails I call that function. If I understand the code in gatt_cache_manager.c that's how it works there aswell.

It does not seem to help.

static ret_code_t service_changed_cccd(uint16_t conn_handle, uint16_t * p_cccd)
{
    bool       sc_found = false;
    uint16_t   end_handle;

    ret_code_t err_code = sd_ble_gatts_initial_user_handle_get(&end_handle);
    ASSERT(err_code == NRF_SUCCESS);

    for (uint16_t handle = 1; handle < end_handle; handle++)
    {
        ble_uuid_t uuid;
        ble_gatts_value_t value = {.p_value = (uint8_t *)&uuid.uuid, .len = 2, .offset = 0};

        err_code = sd_ble_gatts_attr_get(handle, &uuid, NULL);
        if (err_code != NRF_SUCCESS)
        {
            return err_code;
        }
        else if (!sc_found && (uuid.uuid == BLE_UUID_GATT_CHARACTERISTIC_SERVICE_CHANGED))
        {
            sc_found = true;
        }
        else if (sc_found && (uuid.uuid == BLE_UUID_DESCRIPTOR_CLIENT_CHAR_CONFIG))
        {
            value.p_value = (uint8_t *)p_cccd;
            return sd_ble_gatts_value_get(conn_handle, handle, &value);
        }
    }
    return NRF_ERROR_NOT_FOUND;
}


#if (NRF_DFU_BLE_REQUIRES_BONDS)
static uint32_t service_changed_send(void)
{
    uint32_t err_code;

    NRF_LOG_DEBUG("Sending Service Changed indication");

    err_code = sd_ble_gatts_sys_attr_set(m_conn_handle,
                                         m_peer_data.sys_serv_attr,
                                         sizeof(m_peer_data.sys_serv_attr),
                                         BLE_GATTS_SYS_ATTR_FLAG_SYS_SRVCS);
    VERIFY_SUCCESS(err_code);

    err_code = sd_ble_gatts_sys_attr_set(m_conn_handle,
                                         NULL,
                                         0,
                                         BLE_GATTS_SYS_ATTR_FLAG_USR_SRVCS);
    VERIFY_SUCCESS(err_code);

    err_code = sd_ble_gatts_service_changed(m_conn_handle, m_dfu.service_handle, 0xFFFF);

    if (   (err_code == BLE_ERROR_INVALID_CONN_HANDLE)
        || (err_code == NRF_ERROR_INVALID_STATE)
        || (err_code == NRF_ERROR_BUSY))
    {
        uint16_t cccd;
        err_code = service_changed_cccd(m_conn_handle, &cccd);
        if ((err_code == NRF_SUCCESS) && cccd)
        {
            NRF_LOG_DEBUG("Service changed cccd returned err_code: %d", err_code);
            // Possible ATT_MTU exchange ongoing.
            // Do nothing, treat as busy.
            return err_code;
        }
        else
        {
            if (err_code != NRF_SUCCESS)
            {
                NRF_LOG_WARNING("Client did not have the Service Changed indication set to enabled."
                        "Error: 0x%08x", err_code);
                err_code = NRF_SUCCESS;

                //NRF_LOG_DEBUG("Unexpected error when looking for service changed CCCD: %s",
                //              nrf_strerror_get(err_code));
            }
            // CCCDs not enabled or an error happened. Drop indication.
            // Fallthrough.
        }
        /* These errors can be expected when trying to send a Service Changed indication */
        /* if the CCCD is not set to indicate. Thus, set the returning error code to success. */
    }

    return err_code;
}
#endif

The service changed notification is still sent from the events (no changes there):

case BLE_GAP_EVT_CONN_SEC_UPDATE:
case BLE_GATTS_EVT_SYS_ATTR_MISSING:
    {
        #if (NRF_DFU_BLE_REQUIRES_BONDS)
            err_code = service_changed_send();
        #else
            err_code = sd_ble_gatts_sys_attr_set(p_gap->conn_handle, NULL, 0, 0);
        #endif
        APP_ERROR_CHECK(err_code);
        NRF_LOG_DEBUG("Finished handling conn sec update");
    } break;

Hi,

I see. Then I think it would be very useful with a sniffer trace and a log from the bootloader to know exactly what is going on (we have based it on assumptions up to now).

Regarding problem 2, that is also a bit of a mystery. We may get a bit close if you look at the implementation in components\libraries\bootloader\dfu\nrf_dfu_svci_handler.c, an put breakpoints on all conditions that cause a NRF_ERROR_INVALID_STATE return value. I fail to see the reason, but reading this thread might suggest a link with problem 1.

2816.sniffer.pcapng

Hi,

Here's the sniffer trace from wireshark. At package 6130 the connection to the bootloader starts.

Hopefully you can read the data, I'm not very experienced with wireshark so I dont know if this is the correct way to do it.

The sequence is here is write to DFU characteristic to "manually" put it in bootloader and then connect.

Hi,

Thanks. All looks good here as far as I can see. I am wondering if there could be a timing issue in the Android DFU library itself, as you suggested earlier. Perhaps fixed by this. I am checking with the library developer and will get back to you.