This patch is based on work of Crubier (LPF) and Cossacs (AxisLock mode).
I've just reworked it a bit by adding a dynamic memory allocation for
static module data.
This detects a locked out state and fails the init. The new
bootfault detection code will automatically drop to default
hwsettings after 3 consecutive boot failures. That will put
the board back into an unlocked state where the user can now
enable a telemetry link using the GCS and everything will be
OK.
NOTE: Any configured telemetry link will be considered enough
to boot up. If you only configure a serial telemetry
link but don't know how to hook anything up to it, this
will not save you.
As the ultimate recovery, you can always load firmware on the
board that wipes the settings entirely and start over.
This module and its associated settings uavo can be used
to test various fault conditions during initialization.
To enable the module, add the TEST_FAULTS=YES to your make
command line:
make fw_coptercontrol TEST_FAULTS=YES
Once this module is part of your firmware load, you can
enable it in the hwsettings uavo and then select the
type of fault to insert by editing the faultsettings uavo.
On the next reset, the configured fault will be inserted
into the init sequence to allow you to test the boot fault
recovery code.
With a fault inserted, you should see 3 failed boot attempts
followed by a successful (recovery) boot. You will see the
BootFault alarm set to Critical, and the RAM version of your
hwsettings will be reset to defaults. Since the defaults have
all optional modules disabled, the fault module will be out of
the way during the recovery boot.
You can then "Load" the flash version of the hwsettings uavo
in the object browser, disable the Fault module and then "Save"
the hwsettings module back to the board. The next reset will
boot normally without the fault inserted.
After 3 failed warm start attempts, the init sequence
will force the RAM version of the HWSettings object
to its defaults. This should allow a user to regain
connectivity to a board that is continually faulting
during init.
This is accomplished by:
- Incrementing a boot counter that is stored in the
STM32 BKP registers. These registers survive a
warm start but are cleared on a cold start (ie. powerup).
- On multiple failures, force hwsettings to defaults
and raise the (new) BootFault alarm to prevent arming.
- Resetting the boot counter whenever the system manages
to successfully run the System Module task.
NOTE: This does not actually change the hwsettings object in
flash. That's up to the user.
This is intended to catch ONLY faults during early initialization.
It should not be used to recover from faults after the application
is up and running.
The GCS hwsettings config widget now disallows any
configuration that disables both HID and VCP telemetry
over the USB port.
The firmware will allow it if the UAVObj is set manually.
This allows a mechanism to reduce RAM usage by another
500 more bytes if USB telemetry can be sacrificed in
certain configurations.
Not all transmitters will continue to run when disconnected.
USB is one example of this. When the USB cable was disconnected,
any transmitter blocked here would wait forever.
This was particularly noticeable when the telemetry Tx task
blocked forever on USB disconnect. This also resulted in
the telemetry Rx task blocking forever waiting on the UAVTalk
connection lock.
We now block for a max of 5s waiting for space in the transmit
buffer.
This allows the HID and VCP functions to be configured
separately so that additional functions can be more easily
bound to the VCP port.
This change also provides a safety net that forces either
the HID or VCP to be configured for USB Telemetry. This
safety net may vanish in the future once the GCS can check
it. Disabling USB Telemetry entirely would save more than
400 bytes of RAM.
The uavtalk layer was previously implementing a poor
version of packet fragmentation based on a hard-coded
max packet size. Since this was hard-coded, there was
no guarantee that it would match the underlying devices.
Now that the COM layer sending routines support fragmentation,
remove fragmentation and use the COM layer directly.
This will support future buffer size reductions in the COM
layer.
PIOS_COM_SendBufferNonBlocking() will now fragment its buffer
to match the max size of the underlying device.
This allows the buffer size of the underlying device to shrink
below the maximum message size, thus allowing us to use smaller
buffers on memory-constrained platforms.
Apple is very particular about requiring the bDeviceClass
to be set to 2 (Commmunication Device) even for composite
devices which seems wrong.
Device is enumerated without error on Mac now. Not sure if it
works though.
Reduced scope of many variables since they were being
exposed unnecessarily.
Renamed pios_usb_hid_prop code to pios_usbhook to reflect
the fact that it implements all of the callout functions
that are hooked into the stm32 usb library.