[Openec] fail-safe startup code?

Frieder Ferlemann frieder.ferlemann at web.de
Fri Aug 3 14:21:01 EDT 2007


Hello Richard,

Richard A. Smith schrieb:
> Frieder Ferlemann wrote:
> 
>> the openec repository now has a first go at this kind of routine at:
>> http://dev.laptop.org/git.do?p=projects/openec;a=blob;f=main.c;hb=c6492dfd4ab6eae7b9d4c58750ea43b26a4a9e46
> 
> I'll point out that the minimum erase size of the SPI flash is 64k and 
> we don't have any boot block protection so every time you update the EC 
> code you have to erase all of it.
> 
> Thus this will never be 100% safe. If you fail a flash you are stuck.

There might be a slight chance to even get around that.
I'm not sure but I think register XBISEGn could give
us a chance to survive even that.

That register seems to allow remapping the (lower two 16k blocks of the)
code memory of the 8051 on a 16k basis.

Unfortunately there are only two of them (XBISEG0 and XBISEG1
at 0xfea0 and 0xfea1 respectively) specified in the data sheet.
It would be natural to assume the existence of XBISEG2 and XBISEG3
(at 0xfea2 and 0xfea3 respectively) as table 4.6.2 of
the datasheet does not otherwise assign these addresses.

And the data sheet mentions the existence of
"XBI registers A0-A3h(bank select)" in the description for
Bit 4 in XBICS, so presumably for some versions of silicon
these registers might be there.

If XBISEG2 and XBISEG3 are implemented then we'd need a
hefty extra portion of flash but using a fancy memory map
like:

0x000000-0x003fff  for the fail-safe routine
0x004000-0x00ffff  unused (or used for stuff never expected to be changed)

0x010000-0x01ffff  for normal openec code (visible at 0x0000-0xffff
                   to the 8051 after the fail-safe routine decides to
                   remap it there)

the fail-safe code could then survive even if 0x010000-0x01ffff
is spoiled (due to buggy openec code OR due to power failure during
the flashing itself).

(If XBISEG2 and XBISEG3 are not implemented then we could
use this scheme for 0x010000-0x017fff leaving us with
only 32kByte code memory for the EC)


I do not say (or imply) this _should_ be done. Currently
a problem due to buggy openec code is so much more likely
than a problem due to failure during flash that
we can probably almost safely ignore it.



> But I really like the idea.  Right now openfirmware depends on the EC 
> responding to the 6c/68 commands.  I've gacked up my XO a couple of 
> times by screwing up the 6c protocol.  So far I've been able to use 
> the 'i' to interact and patch out the 6c stuff.  This let me get OFW up 
> to a point where I could use the 'flash' command.
> 
> We could use some sort of RAM location or unused register to indicate 
> that the EC is in failsafe mode and open firmware can only do a minimum 
> init to get the serial port up and USB. So that you could use the 
> 'flash' command to recover.

Yes:)

Greetings,

Frieder
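
Added example, not code from the openec repository: a host-side C model of the bank-remap fail-safe scheme sketched in the message above, so the decision logic can be exercised without an XO. Everything hardware-specific here is an assumption rather than a data-sheet fact: that each XBISEGn selects which 16 KiB flash segment appears in 16 KiB window n of the 8051's 64 KiB code space, that the mapping is the identity at reset, and that the normal image carries an "EC" magic header plus a trailing CRC-16 (a convention chosen for this example). The `failsafe_flag` byte stands in for the RAM location Open Firmware could poll. The model also covers the 32 KiB variant (only XBISEG0/1 implemented) by parameterising the number of remap registers.

```c
/* Host-side model of the XBISEGn remap fail-safe scheme (added example, not openec code).
 * Assumed, not from a data sheet: XBISEGn = flash segment shown in 16 KiB code window n,
 * identity mapping at reset, "EC" magic + trailing CRC-16 on the normal image. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEG_SIZE      0x4000u                   /* 16 KiB remap granularity (assumed) */
#define CODE_WINDOW   0x10000u                  /* 8051 code address space */
#define NWIN          (CODE_WINDOW / SEG_SIZE)  /* 4 windows: XBISEG0..XBISEG3 */
#define FLASH_SIZE    0x20000u                  /* 128 KiB: fail-safe half + normal half */
#define FAILSAFE_BASE 0x000000u                 /* fail-safe routine lives here */
#define NORMAL_BASE   0x010000u                 /* normal openec image lives here */

enum flash_state { FLASH_INTACT, FLASH_ERASED_ONLY, FLASH_ONE_BAD_BYTE };

struct ec_model {
    uint8_t flash[FLASH_SIZE];
    uint8_t xbiseg[NWIN];    /* flash segment number mapped into code window n */
    uint8_t failsafe_flag;   /* the "RAM location" Open Firmware could poll */
};

static struct ec_model ec;   /* static: 128 KiB is too large for a typical stack */

/* CRC-16/XMODEM (poly 0x1021, init 0, no reflection); any single-byte defect is caught. */
static uint16_t crc16(const uint8_t *p, uint32_t n)
{
    uint16_t crc = 0;
    for (uint32_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Image convention chosen for this example: "EC" magic, code, big-endian CRC16 last.
 * The magic guarantees an erased (all 0xFF) region is rejected outright. */
static int image_valid(const uint8_t *img, uint32_t len)
{
    if (len < 4 || img[0] != 'E' || img[1] != 'C')
        return 0;
    uint16_t stored = (uint16_t)((img[len - 2] << 8) | img[len - 1]);
    return crc16(img, len - 2) == stored;
}

/* What the 8051 fetches at code address addr through the current mapping. */
static uint8_t code_read(uint16_t addr)
{
    uint32_t phys = (uint32_t)ec.xbiseg[addr / SEG_SIZE] * SEG_SIZE + (addr % SEG_SIZE);
    return ec.flash[phys];
}

/* The fail-safe routine's decision.  nwin_impl = number of XBISEGn registers that
 * exist: 4 if XBISEG2/3 are real (64 KiB image), 2 if not (32 KiB image).
 * Returns 1 if the normal image verified and was mapped in, 0 if the EC stays
 * in fail-safe mode with the reset (identity) mapping untouched. */
static int failsafe_boot(unsigned nwin_impl)
{
    for (unsigned i = 0; i < NWIN; i++)
        ec.xbiseg[i] = (uint8_t)i;                /* reset state: identity mapping */
    ec.failsafe_flag = 1;                         /* pessimistic until proven otherwise */
    if (nwin_impl == 0 || nwin_impl > NWIN)
        return 0;
    if (!image_valid(&ec.flash[NORMAL_BASE], nwin_impl * SEG_SIZE))
        return 0;                                 /* OFW sees the flag: minimal init, 'flash' */
    for (unsigned i = 0; i < nwin_impl; i++)
        ec.xbiseg[i] = (uint8_t)(NORMAL_BASE / SEG_SIZE + i);
    ec.failsafe_flag = 0;
    return 1;
}

/* Constructed flash contents: fail-safe stub at 0, normal image at NORMAL_BASE,
 * optionally damaged the way an interrupted or buggy update would leave it. */
static void build_flash(unsigned nwin_impl, enum flash_state state)
{
    if (nwin_impl == 0 || nwin_impl > NWIN)
        nwin_impl = NWIN;
    uint32_t len = nwin_impl * SEG_SIZE;
    memset(ec.flash, 0xFF, sizeof ec.flash);
    ec.flash[FAILSAFE_BASE] = 0x02;               /* LJMP: fail-safe reset vector */
    uint8_t *img = &ec.flash[NORMAL_BASE];
    img[0] = 'E';
    img[1] = 'C';
    for (uint32_t i = 2; i < len - 2; i++)
        img[i] = (uint8_t)(0x80 + (i % 0x40));    /* dummy code bytes */
    uint16_t crc = crc16(img, len - 2);
    img[len - 2] = (uint8_t)(crc >> 8);
    img[len - 1] = (uint8_t)crc;
    if (state == FLASH_ERASED_ONLY)
        memset(img, 0xFF, len);                   /* 64k erase done, write never happened */
    else if (state == FLASH_ONE_BAD_BYTE)
        img[0x1234] ^= 0x10;                      /* one byte that did not program */
}

/* Build, boot, report: 1 = normal image mapped in, 0 = stayed in fail-safe. */
static int boot_scenario(unsigned nwin_impl, enum flash_state state)
{
    build_flash(nwin_impl, state);
    return failsafe_boot(nwin_impl);
}

int main(void)
{
    static const char *names[] = { "intact", "erased only", "one bad byte" };
    for (int s = FLASH_INTACT; s <= FLASH_ONE_BAD_BYTE; s++) {
        int ok = boot_scenario(4, (enum flash_state)s);
        printf("%-13s -> %s, byte at code 0x0000 = 0x%02x, failsafe_flag = %u\n",
               names[s], ok ? "normal image mapped" : "stays in fail-safe",
               code_read(0), ec.failsafe_flag);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall failsafe_model.c` and run it. The point the model makes concrete is the one Richard raises: because the minimum erase is 64k, an interrupted update leaves the whole normal half at 0xFF, and only code that never shares an erase block with the updatable image (here the segment at 0x000000) can still run and set the flag for Open Firmware to act on.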


More information about the Openec mailing list