4 Replies Latest reply on Dec 28, 2018 2:31 AM by PriyaM_16

    CYW43907 watchdog and OTA2_bootloader


      In ota2_bootloader.c, at line 186, it tests to see if the reset was caused by a WDT. If it was, then it loads from the staging area or failsafe.


      So if the application is running normally and hits an obscure infinite loop or some assert condition, on the WDT reset the bootloader will force an extraction of the failsafe app (assuming no valid image)? This seems wrong. I understand that if the OTA image is corrupt then this provides a chance of recovery, but if the image is really valid, I do not want the failsafe app loading, which in my case could be a much older, out-of-date version of the main application.


      Am I correct in how I read this?

        • 1. Re: CYW43907 watchdog and OTA2_bootloader

          The ota2 bootloader functions as below:

          It checks whether the reset was due to the watchdog. If it's a WDT reset, it checks if there is a valid image in the staged area. If there is a valid image, it sets the boot type to extract from the staging area (OTA2_BOOT_FAILSAFE_UPDATE) and runs the failsafe app and OTA2 extract app. Hence the valid image from the staged area is loaded. If there is no valid image in the staged area (boot type is set to OTA2_BOOT_FAILSAFE_FACTORY_RESET), the factory reset image is loaded.


          To answer the use case mentioned in this thread:

          The boot type variable takes care of the reset condition. If the reset has occurred due to WDT, the failsafe app always comes into the picture, as it is not the normal behavior under which the reset occurred (i.e., NOT POR). The failsafe is responsible for extracting the application LUT and ota2_extract to allow full extraction on reboot.

          • 2. Re: CYW43907 watchdog and OTA2_bootloader

            The question is whether an application hang can cause a WDT reset or not.

            If yes, it will switch to failsafe app. This seems quite surprising behavior.

            • 3. Re: CYW43907 watchdog and OTA2_bootloader


              Correct, while a WDT is not included by design, given the sheer complexity of a Wi-Fi based project with the stack and FreeRTOS, it is a given that we may encounter a WDT in normal operation.


              I have seen the failsafe app become corrupted after an OTA update due to the build size of the failsafe app and how external flash is sectioned, see my other post "CYW43907/1GC fails up boot after update".


              So if a random WDT in the application resets the processor and the failsafe app runs, then it is possible to have a bricked system because the failsafe app is corrupted.





              • 4. Re: CYW43907 watchdog and OTA2_bootloader

                There is no way to update failsafe and bootloader in a device which is out in the field.

                We have increased the failsafe application size in image defines to 100KB to address this problem in future. Really sorry for the inconvenience.