[RFC] Add flash-complete integrity flag and startup bootloader timeout#183
Open
benjamin-nomadic wants to merge 3 commits into
Motivation:
In CAN-only systems with no physical reset button, two failure modes exist:
Feature 1: Flash-complete integrity flag
Reserves the last 2KB flash page as a completion marker:
Page erased (0xFFFFFFFF) = flash incomplete → stay in bootloader indefinitely
First word 0x00000001 = flash complete → normal boot
command_write_block (first call) erases the flag page. command_eof writes the magic. bootentry_check() treats an absent flag identically to !application_check_valid().
Files: src/stm32/flash.c, src/stm32/flash.h, src/flashcmd.c, src/bootentry.c
Flash layout (STM32G431CB, as implemented)
0x08000000 Katapult bootloader (8KB)
0x08002000 Application firmware (110KB, reduced from 112KB)
0x0801D800 Flash complete flag (2KB reserved page) ← new
0x0801E000 Application config (8KB, unchanged)
0x08020000 End of flash
Feature 2: Startup bootloader timeout
On normal boot with a valid app and no explicit request, the bootloader stays active for 5 seconds before jumping to the application. The timer resets while flashcmd_is_in_transfer() is true so it never fires mid-upload. Explicit bootloader requests (RAM magic, no valid app, button) are unaffected — bootloader stays indefinitely as before.
Files: src/bootentry.c
What needs rework before merging
FLASH_FLAG_ADDRESS hardcoded for STM32G431CB — needs derivation from Kconfig + page size
Flash flag only implemented for STM32 — RP2040/LPC176x equivalents needed
Timeout and flag should be opt-in Kconfig options with configurable duration
Comments and help on properly integrating the changes into katapult would be greatly appreciated! Katapult itself worked great, thank you for your work.
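As an added illustration of the two mechanisms the PR describes (not Katapult's code and not the PR's diff), the following C model keeps the flag page in a RAM array and the bootloader decision in a small function; the names `bootentry_decide`, `simulate_upload` and `struct boot_timer` are hypothetical, and only the constants come from the PR's layout.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constants from the PR's STM32G431CB layout; the flag page itself is a RAM array here. */
#define FLASH_PAGE_SIZE     2048u
#define FLASH_FLAG_ADDRESS  0x0801D800u   /* informational only; never dereferenced in this model */
#define FLASH_FLAG_MAGIC    0x00000001u
#define BOOT_TIMEOUT_MS     5000u

enum boot_decision { BOOT_STAY_INDEFINITELY, BOOT_APP_AFTER_TIMEOUT };

static uint32_t flag_page[FLASH_PAGE_SIZE / sizeof(uint32_t)];

/* A flash erase leaves every bit set, so an erased flag page reads 0xFFFFFFFF. */
void flag_page_erase(void) { memset(flag_page, 0xFF, sizeof(flag_page)); }

/* command_eof equivalent: program the completion marker into the first word. */
void flag_page_mark_complete(void) { flag_page[0] = FLASH_FLAG_MAGIC; }

/* The flag counts only when the first word is exactly the magic value; an erased
 * page (upload interrupted before EOF) or any other content is treated as "no flag". */
bool flash_flag_present(void) { return flag_page[0] == FLASH_FLAG_MAGIC; }

/* bootentry_check-style decision: an explicit request, an invalid app image, or a
 * missing flag all keep the bootloader running until a new upload completes. */
enum boot_decision bootentry_decide(bool app_valid, bool explicit_request) {
    if (explicit_request || !app_valid || !flash_flag_present())
        return BOOT_STAY_INDEFINITELY;
    return BOOT_APP_AFTER_TIMEOUT;
}

/* Startup timer: accumulates idle time and restarts whenever a transfer is active. */
struct boot_timer { uint32_t idle_ms; };

void boot_timer_tick(struct boot_timer *t, uint32_t elapsed_ms, bool in_transfer) {
    if (in_transfer) { t->idle_ms = 0; return; }   /* never fire mid-upload */
    t->idle_ms += elapsed_ms;
}

bool boot_timer_expired(const struct boot_timer *t) { return t->idle_ms >= BOOT_TIMEOUT_MS; }

/* Model one upload: the first write_block erases the flag page and command_eof sets it.
 * With interrupted=true the EOF never arrives, as on power loss mid-upload. */
enum boot_decision simulate_upload(bool interrupted) {
    flag_page_erase();
    if (!interrupted)
        flag_page_mark_complete();
    return bootentry_decide(true, false);
}
```

The interrupted case is the one the flag exists for: the app region may contain a half-written image that still passes a naive validity check, and the erased flag page is what keeps the device in the bootloader.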