[WIP] DFUService Implementation #13
Conversation
AGlass0fMilk
changed the title
|
Need to define what happens when client attempts to write beyond the size of the underlying slot. Perhaps this can be communicated using the status field? In reality, this should never occur... the tools used to generate the binary will probably give errors long before any attempt to use the binary as an update. Exceeding the address space of the slot can be considered a critical failure and cause the DFU procedure to be aborted. A new binary will have to be written in this case anyways. |
|
A buffer flushing operation is an internal implementation detail. To prevent the client from writing any binary stream data during a buffer flush operation, the server will set the flow control bit in the control characteristic. |
|
@AGlass0fMilk That is excellent, thank you for starting the discussion on this service 👍 . Version informationFrom a very high level view I was seeing the DFU process as follow:
It mostly matches what you are proposing at one exception, it is not possible to get information about the installed firmware. These informations are used by the client to decide if the device requires an update or not. Binary transferThis could be a service of its own 😁 . I believe the size of the Binary Stream Characteristic should be equal to the size of the MTU to maximize speed. A flow control bit raised when the local device is busy or not available seems appropriate. Why did you choose to add it into the control characteristic rather than the status ? How does the presented system deals with loss of write w/o response ? It seems that the Offset Pointer Characteristic can be used to that effect but how does it works in practice ? Is it up to the application ? Control CharacteristicWhat is the benefit of having a bit set rather than specific commands such as:
Ideally this should be extendable to support application specific control commands, selecting an update slot might be considered as such (but it is so common that it could be defined directly). ImplementationI don't think the DFU service should be tied to Block device. I'd rather see the DFU service as forwarding events to a companion class that actually does the update. In events, I can think of:
Of course the class realizing the DFU should report things back into the DFU service for example report failures, report state changes, block transfer until buffer are free, etc... |
I see what you're saying. That could work. We could have an optional One unknown now:
I suppose it could be, how would you split this off from DFU? We would then be kind of specifying a partial "DFU Profile". We could potentially make the
Agreed. That is currently what the service defaults to. It allows space for the maximum configured MTU: mbed-os-experimental-ble-services/services/inc/DFUService.h Lines 35 to 45 in f794a51
So the control characteristic I was thinking of more like a register. Originally, the flow control bit was its own characteristic. However, I like to try and keep the number of separate characteristics as low as reasonably possible. I've encountered issues in the past with having too many custom UUID characteristics (Old Nordic softdevice only allowed a certain number) and there is a noticeable delay incurred during service discovery as the number of characteristics goes up... of course this can be solved by using a faster connection interval. My thoughts were: The status characteristic is used for major events like a failure or success. There will usually only be one status update per DFU session (at the end). My thought was that this characteristic could be read by the client after a reboot to check the result of the update. Somewhat of a tangent: In my specific use case, I am using mcuboot to validate and install firmware updates. This allows me to reduce code size in my application by not adding the various crypto functions to perform digital signature verification and whatever else on the firmware update -- the bootloader takes care of it. This makes the status reporting more complicated because the BLE must be disconnected before the status will be available. I tried to capture this use case as well as the use case where the validation is performed by the application itself in this specification. A failed update can be detected by checking the firmware version has been updated. If the update failed, the status characteristic will contain the most recent reason why.
In my experience, write w/o response has significantly less latency when compared to a regular write (w/ response). This is mostly true for BLE stacks operating in a higher-level OS (Linux, Android, Mac, Windows, etc). My thought is that for quick firmware updates, write w/o response can be sufficient as long as the application is okay with the occasional failed update. The application may or may not check the Offset Pointer Characteristic to ensure the data has been received and written properly. I guess with a large enough MTU, using write w/ response can be fast as well. So perhaps we just get rid of the write w/o response option? What is your experience with this @pan- ?
I like the idea of application-specific control commands.
Why not? I think it's a pretty beautiful and clean architecture. I'm a huge fan of the BlockDevice API.
If you can expand on this use case it might help convince me not to tie this to BlockDevice 😄 |
|
Regarding the block device conversation above: I thought about it a bit and I see why you would want to have some sort of DFU abstraction between the service and the memory which is operated on. It would be useful in the case of updating firmware on a remote device. However, I also think this: The BlockDevice API is well established and fairly clean. Perhaps it would be satisfactory to tie the DFUService implementation to BlockDevice. In the case where a DFU targets a remote device in the system, the developer must implement a 'RemoteBlockDevice' that forwards the calls to the remote device as if it were a local BlockDevice. This prevents us from having to create another API for some sort of "DFU Manager" class. Thoughts, @pan- ? Can you see a case where this is still insufficient? |
|
Thanks for sharing your thoughts, that's it is useful for me to understand the reasoning behind design decisions!
Here is how its done for Battery services (multiple battery service can be exposed by a single server): There is not format for the namespace/description, it is up to the application. By default if a single service is on the server, the client should not care about it. (Not that even if I brought the subject, I don't think we should think too much about it as long as an option is available for improvement).
Regular write is not an option, the power of notification and write w/o response is that you can stack severals in a single connection event. In my latest experience, we used a rolling counter in the first byte to identify the fragment id. The server was sending a notification containing the expected fragment ID whenever an an unexpected fragment ID was received so the client can retry the transfer at the fragment indicated by the server. It worked well and the latency to detect an error was good (at most two connection events).
I'm thinking of testing and extendibility but at the same time, a block device implementation would solve 95% of the use cases out there 😅 . I'm probably overthinking it at this stage. If there's a need it should be easy to split BLE handling from the BD logic. There will probably be some DFU Manager like class from users if they integrate things such as image verification in the application but I really like the idea of the default use case where all of these operations are made in the bootloader and therefore not exposed in the base implementation of the DFU service! |
This seems like a good solution to me. I will add this to the final specification and add a string name parameter that must be provided when enabling the optional firmware version characteristic. I think having a unique Characteristic User Description Descriptor associated with the firmware version characteristic of a DFUService instance is sufficient. We do not need to complicate things by adding arbitrary namespace/description enums... unless you think this would be useful in some way.
My goal of the DFUService is to simply act as a transport that covers the most use cases. Things like validation and installation can be triggered and monitored using the DFUService but need not be handled directly by the DFUService itself. After all, BLE is simply a transport for firmware updates. Adding anything more makes the service less reusable/extensible. I think BlockDevice provides a suitable API for DFU. Most, if not all, DFU implementations aim to accomplish writing a new binary to memory as fast as possible. With the BlockDevice API, there are many possible configurations just with what Mbed OS provides, eg: writing to a RAM-based BlockDevice, joining multiple memory regions together, support for a number of underlying memory devices. If anything more advanced is needed, the user simply needs to implement the BlockDevice API for whatever device/transport they are using. I think it's a nice abstraction for writing to memory -- which I think all DFU use cases require. @pan- I appreciate your feedback as I may not be able to see a use case where this implementation is not ideal (please let me know if you can think of them)! If someone wants to implement a DFUService subclass that provides on-the-fly image verification, we could make the data handling function virtual so they can add whatever logic they want before calling the base class implementation (or not). eg: Override the original data handling function, add the incoming bytes to an ongoing SHA hash, then call the base class implementation to write the bytes to memory. Of course this may not be a great idea if packets are lost... SHA hashing should probably be done once the transfer is complete! I have an immediate need for such a DFUService so I will be working on a first cut of this service as we develop the final specification for V1. Let me know if you have any other thoughts! |
|
Forgot to respond to this above:
I figured it would be painfully slow.
This is a clever idea. Maybe it would be possible to implement a similar "retry" mechanism using the offset pointer characteristic: Perhaps we could make the I think for now I will implement your fragment ID method since it is simpler. Side conversation @pan- : In my speed testing, I have been unable to successfully configure the MTU above 256 bytes. The build succeeds but all the characteristics become blank (corruption of the BLE memory?) There is a comment in the cordio "rx-acl-buffer-size": {
"help": "Size of the buffer holding the reassembled complete ACL packet. This will limit the effective ATT_MTU (to its value minus 4 bytes for the header). The size of the buffer must be small enough to be allocated from the existing cordio pool. If this value is increased you may need to adjust the memory pool.",
"value": 70
},Highlighting this part due to extreme scrolling requirement: How does one go about adjusting the memory pool of the Cordio stack so the rx-acl-buffer-size can be increased to support an MTU of 512? This should be added to the configuration help string. |
|
So for our implementation here, I think we can use the existing status characteristic to accomplish the fragment ID error correction scheme you described. If the highest bit of the 8-bit status characteristic value is set, the 7LSB will be the expected sequence ID that did not match what the client sent. The client should then restart transmission from that sequence ID. It rolls over at 127, which should be more than enough to detect errors and return the to appropriate spot in the binary. @pan- What do you think? |
That's would be hard to get it right because the client does multiple write w/o request in a connection event and won't get an answer before the next connection event. It is much simpler to signal failures than acknowledge success.
Seems good.
Your right, the documentation should be amended, the adjustment depends on whether these buffers are rx or tx and how many do you want. The computation is here. Adjustment is (ACL config - default ACL config) * (rx count + tx count). |
|
I suggest we make it mandatory to have a For the DFU Service, it is optional to have the FW Rev Characteristic if and only if the following are all true:
If there is only one Firmware Revision String Characteristic available on the server, the Characteristic User Description descriptor becomes optional. |
|
@AGlass0fMilk I must find time to review this service in depth but it looks very good. What I want to personally try is transfer performances and write on the internal flash to see how it affect BLE. What do you think of the service controlling the connection parameters ? Reducing the connection interval should increase transfer speed while increasing slave latency could work around the problem that arise when the internal flash is written (block the MCU, a connection event might be missed). The service could also negotiate the 2MPhy to be used as well as the MTU size. I see these QoL improvements being guard behind defines so it doesn't increase the footprint if it's not required. What would be the starting point if we want to help you with this ? How do you test the service today ? Side note: A service that allows a client to make the server send a connection parameter update request would be a useful addition, mobile platforms generally accepts new connection parameters but do not have options to tune it. |
|
@pan- Writing this as you commented 😁 I have created a very rough test script and Mbed application to test throughput. You can see the working repo here: https://github.com/AGlass0fMilk/mbed-ble-dfu-testing Currently, the throughput isn't super great but it is acceptable given the poor BLE support of most desktop operating systems. My laptop's chipset supports BLE 5 but the software apparently doesn't. So my testing is done with the default 1M Phy. I am on Ubuntu 20.04 and using the python library With my current setup, transferring 384 bytes at a time (MTU is set to 512 but I didn't feel like tuning the delays to work properly), I was able to reliably transfer a 512kB random binary (created with: It might even be worth it to make an Mbed DFU Client that simply copies a binary from on-board flash... Ultimately it would be nice to make open source clients for the major platforms (Mac/Windows/Linux, iOS, Android) Some timely reading that was just published by Punch Through: https://punchthrough.com/ble-throughput-part-4/ I read part 3 and was wondering how throughput could be improved by the 2M phy! |
|
@pan- Regarding how your team can help: The DFUService code itself is okay, I haven't put much thought into mutexes and how to offload flash writes from the BLE process. Ideally it would be compatible with baremetal but it may complicate things if writing to flash can block BLE event processing for a long time. That being said, I think the next steps would be: I think as part of the automated testing development (1) we can add a test case for throughput to accomplish (2) with minimal extra code. (3) would come after the DFUService has been fully tested. The bleak client I have should work on Windows and Mac (probably will need a couple modifications) but I have not tested this. The way I have been testing with the client and server applications mentioned above is:
@pan- Let me know what your thoughts are or if you need any more information about my testing process. I have some projects that need BLE DFU now so I will be working with this "beta" version for now. I can help with the automated/throughput testing as well. |
|
Thanks for sharing how you test the DFU service, that is really helpful for anyone that wants to be involved!
Performances also depends on the controller used, in our testing some had terrible performances outside of DBUS latency. In the end we were transferring block of data that to not roll over the fragment counter. Blocks were acknowledged with an indication upon full reception (there was some mechanism to set up the size of the transfer too).
I think it is the best to go with something and iterate but it would be better if services and characteristics are settled before you go in production 😅 .
Unit test usually shine in these area and it is easy to setup. Eventually a compilation of both unit test and integration test would be the best. I will try for myself the code and test this week to provide more feedback. Thanks George. I realized that there is no way in mbed-os to enable the data length extension from the server. There is no calls to |
|
My below response is related to your previous comments:
I'm not sure if the service should control these things as it starts introducing many dependencies and centralizing a lot of functionality all in one place. Perhaps a better way to handle this would be through documentation and guides that detail best practices for DFU throughput and reliability. There must be an example application for this service once it is done and we should document any considerations when setting up connection parameters, etc. Perhaps as an extension this could be added.
I agree, see below comments.
I like to take advantage of Bluetooth's existing control mechanisms as much as possible. I think negotiating the MTU is acceptable for this. However, there seem to be many customizations that are useful in some cases. I would like to design an extensible way to add these features in the future (or have users add their own) while still having some base compatibility. This would let us develop basic, maybe even universal, DFU clients. A client can try to enable an extension and the server can reject the write request if it does not support it. @pan- What do you think the best way to design this into the DFUService would be? We could extend the control flags characteristic to 32-bits (or more) and reserve some for future use by the DFUService spec and some for use by application. Incrementally we could add features like delta mode, fragment size negotiation, initiating a peripheral-negotiated connection parameter update requests, etc. Perhaps we could instead have optional characteristics that provide these extensions and define these as we revise the DFUService specification? This would be the most "Bluetoothy" (if you will) way to do it in my opinion.
No problem, the projects I am talking about are prototypes/proof-of-concepts at this stage.
@pan- Could you reply with an initial test plan that you're thinking of? I'd like some input and then I can add my thoughts and start the implementation. I'm thinking we will go with what you suggested in another issue I raised -- use the BLE test suite by itself without using greentea and all that... ultimately simpler I suppose. If you're feeling like it, you can start a boilerplate test app 😄 I will probably start working on this after the long holiday weekend here in the US. 🦃
I'm sure we will uncover more functions that are currently unavailable in the C++ API while going through this! It will be a good way to test (and subsequently expand) the capabilities of the current Cordio BLE API 😄 |
|
I have been working with this a bit more this week and have performed updates using it with mcuboot. A few thoughts:
|
|
I also think we should introduce a read only bit in the control characteristic that tells the client whether a reboot (and thus a disconnection) is required to perform a DFU commit (ie: must reboot so bootloader can install/validate the update candidate). |
services/inc/DFUService.h
Outdated
| * Maximum number of slots available | ||
| */ | ||
| #ifndef MBED_CONF_BLE_DFU_SERVICE_MAX_SLOTS | ||
| #define MBED_CONF_BLE_DFU_SERVICE_MAX_SLOTS 3 |
There was a problem hiding this comment.
config like that could be part of the mbed_lib.json which would provide the default values
services/inc/DFUService.h
Outdated
|
|
||
| protected: | ||
|
|
||
| DFUService& _dfu_svc; |
There was a problem hiding this comment.
doesn't appear that storing this is needed for anything
services/inc/DFUService.h
Outdated
| * @note If the application does not explicitly reject the control request, | ||
| * the request will be accepted by default. | ||
| */ | ||
| void on_dfu_control_request(mbed::Callback<GattAuthCallbackReply_t(ControlChange&)> cb) { |
There was a problem hiding this comment.
We're trying to standardise on one callback model in BLE - the EventHandler model, I think it would work just as well in this case and have the benefit of uniformity with others.
services/inc/DFUService.h
Outdated
| /** | ||
| * Schedule a serialized call to process_buffer on the event queue. | ||
| * | ||
| * @note this function has no effect if a write has already been scheduled |
There was a problem hiding this comment.
maybe it should return an error then, otherwise it's a programming error and should be at least an assert
| _dfu_control = 0; | ||
| _status = 0; | ||
| _flush_bin_buf = false; | ||
| _scheduled_write = 0; |
There was a problem hiding this comment.
if it's not 0 you should cancel the event
| _scheduled_write = 0; | ||
| return; | ||
| } | ||
| uint8_t *temp_buf = new uint8_t[write_size]; |
There was a problem hiding this comment.
maybe the solution is not to use a circular buffer and just use a normal one
There was a problem hiding this comment.
I'm thinking of making a sort of BlockDevice decorator class with a built-in buffer (BufferedBlockDevice is already taken 😖). This way, the data can be moved from the BLE stack buffers into the BlockDevice buffer and we can eliminate the need to allocate a separate buffer when writing the data.
@pan- The major decision I'm facing with this is: writing to flash can take a long time -- possibly long enough to cause timeouts for BLE. I want to come up with a way that allows the user to decide whether to process the buffered flash writes in separate thread or in the same context as the BLE (for baremetal users).
In my testing, I tried to process flash writes in the BLE thread but it seemed to cause disconnections/timeouts. Though maybe this was related to other issues, as realistically flash writes shouldn't take that long, probably less than the number of milliseconds required to even miss a connection event.
My idea for enabling both the multi-threaded and baremetal use cases is (assuming event queues are available in baremetal) to let the user provide the event queue on which to process flash writes. This way, they can pass in the existing event queue used for BLE events as well or a separate EventQueue that is dispatched on another thread.
Perhaps we also eliminate writing multiples of the BlockDevice's program size and simply queue writes of the program size. The drawback here is it will take more calls to empty the flash buffer (ie: longer overall write times). However, each write event will be shorter and prevent the flash writes from blocking the BLE stack for too long.
We could potentially make this configurable as well if there's any real performance difference between the two methods.
| tr_err("programming memory error: %d", result); | ||
| set_status(DFU_STATE_FLASH_ERROR); | ||
| } | ||
| _current_offset += write_size; |
There was a problem hiding this comment.
what if it failed to program?
| } | ||
|
|
||
| _scheduled_write = 0; | ||
| schedule_write(); |
There was a problem hiding this comment.
why? you just drained it
| int result = slot->program(temp_buf, _current_offset, write_size); | ||
| if(result) { | ||
| tr_err("programming memory error: %d", result); | ||
| set_status(DFU_STATE_FLASH_ERROR); |
There was a problem hiding this comment.
should we continue even with this error?
|
|
||
| /** | ||
| * TODO is there a better way to do this? Without dynamic allocation, we would | ||
| * have to program byte-by-byte. This would likely be a significant hit in speed. |
There was a problem hiding this comment.
maybe we can just do it in a loop with the write size set to program size to avoid code duplication
|
I have some security concerns here - I think you need to put checks on every data written over the air that allows writing to arbitrary memory locations |
The intent is that the application can define the security requirements. The application is responsible for defining the I didn't want to encumber the base implementation of the DFUService with these things because in some cases it may only be used for development. Putting the onus of security on the application makes this service more modular. Our (future) example projects can mention security best practices and show how to implement them. Your other review comments are valid though -- there are definitely pointer bugs as it stands now. The actual memory-writing code needs a major rewrite. |
This commit introduces a subclass of GattAttribute that implements the Bluetooth SIG defined descriptor, Characteristic User Description Descriptor defined in Bluetooth Core Specification 5.2, Volume 3, Part G, Section 3.3.3.2 It allows the user to provide a string that will be used as the descriptor's value.
AGlass0fMilk
force-pushed
the
dfu-service
branch
from
72c44ba to
da96c11
Compare
|
Closing as this has been reimplemented as the |
BLE Standard Service:
Proposed UUIDs:
Service Name: DFUService
UUID: 53880000-65fd-4651-ba8e-91527f06c887
Characteristic Name: Update Slot Characteristic
UUID: 53880001-65fd-4651-ba8e-91527f06c887
Mandatory?
This characteristic may be omitted if the application only supports a single update candidate slot.
Mandatory Properties: Read, Write w/ response
Optional Properties: None
Security Requirements: Determined by application
Characteristic Name: Offset Pointer Characteristic
UUID: 53880002-65fd-4651-ba8e-91527f06c887
Mandatory?
Mandatory Properties: Read, Write w/ response
Optional Properties: None
Security Requirements: Determined by application
Characteristic Name: Binary Data Stream Characteristic
UUID: 53880003-65fd-4651-ba8e-91527f06c887
Mandatory?
Mandatory Properties: Write w/ response (TBD: for writes that are synchronized with underlying flash programming?)
Optional Properties: Write w/o response (for fast, buffered operation if device has enough resources/RAM to support)
Security Requirements: Determined by application
Characteristic Name: DFU Control Characteristic
UUID: 53880004-65fd-4651-ba8e-91527f06c887
Mandatory?
Mandatory Properties: Read, Write w/ response, Notify, Indicate
Optional Properties: None
Security Requirements: Determined by application
Characteristic Name: DFU Status Characteristic
UUID: 53880005-65fd-4651-ba8e-91527f06c887
Mandatory?
Mandatory Properties: Read, Notify, Indicate
Optional Properties: None
Security Requirements: Determined by application
Other proposed constants:
Application Layer ATT Error Response Codes:
mbed-os-experimental-ble-services/services/inc/DFUService.h
Lines 128 to 140 in f794a51
Overview:
The DFU Service implements a flexible API enabling in-field updates to be transferred to a GattServer over BLE.
The primary goal of the DFU service is to enable fast, error-free binary transfers. The processes to perform validation and installation of the update binaries are not specified by the DFUService. However, the DFUService does implement features that facilitate communication of update candidate validation and installation results. This allows the DFUService to be used in a wider variety of DFU applications, both secure and non-secure.
TODO - more details... I'm getting tired of typing at the moment...
Detailed Description
Update Slot Characteristic
The Update Slot Characteristic is an optional characteristic of the DFUService. It allows the peer to select from an array of valid update slots offered by the GattServer.
An update slot is a contiguous memory address space where an update candidate binary can be written for validation and installation. The method of validation and installation is outside the scope of this service specification.
Typically, an update slot will be a contiguous region of non-volatile memory. This is not a requirement of the service, but the underlying memory must be mapped such that the update slot address range is contiguous (eg: using a
ChainingBlockDeviceto join disjoint regions of underlying flash memory together).The number of slots supported is determined by the application but is limited to between 1 and 255 by the width of the slot characteristic data (
uint8_t). A write request attempting to write an invalid slot index (ie: one that does not have a registered/valid backing BlockDevice) will be rejected with the application-defined response code:AUTH_CALLBACK_REPLY_ATTERR_APP_INVALID_SLOT_NUMThe Update Slot Characteristic may be omitted from the DFUService if the application only supports one update slot.
Attempting to write the Update Slot Characteristic while the application is busy processing buffered binary stream data may result in the write being rejected with the application-defined response code:
AUTH_CALLBACK_REPLY_ATTERR_APP_BUSYImplementation Considerations:
BlockDeviceis deinitialized and the newly-selected slotBlockDeviceis initialized.Offset Pointer Characteristic
The Offset Pointer Characteristic exposes the write offset pointer of the DFUService. The write offset pointer is the offset address of the underlying slot memory that serial binary data will be sequentially written to. It is incremented automatically when data is written to the Binary Stream Characteristic. The offset may be read by the client to validate the expected number of bytes have been processed by the DFUService. The offset may be written by the client to skip a region of memory or revisit a previously-written region of memory.
Similar to the Update Slot Characteristic, attempting to write the Offset Pointer Characteristic while the application is busy processing buffered binary stream data may result in the write being rejected with the application-defined response code:
AUTH_CALLBACK_REPLY_ATTERR_APP_BUSYImplementation Considerations:
Binary Stream Characteristic
The Binary Stream Characteristic is the characteristic the peer will write to transfer update candidate binary data to the DFUService. Data written to the Binary Stream Characteristic will be subsequently written sequentially to the underlying slot
BlockDevice. For each byte written to the Binary Stream Characteristic, the Offset Pointer Characteristic will be incremented.If the peer has previously initiated a flush of the binary stream buffer, writes to this characteristic will be ignored until the flushing operation is complete. This is to prevent unintended writing after the peer has requested an offset change of slot change.
TODO - When are flush operations initiated? Offset write w/ buffered data, slot write w/ buffered data, DFU commit bit set in DFU ctrl.
Similarly, writes will be ignored while the flow control bit is set (indicating data stream should pause) in the DFU Control Characteristic.
Implementation Considerations:
Control Characteristic
The Control Characteristic is a set of bitflags, each with a specified meaning:
Bit 0:
DFU_ENABLE_BIT. Setting this bit to 1 enables DFU mode. The application may reject a write attempting to set this bit if a DFU operation is currently disallowed. Upon a successful write, the application may use the change in value of this bit to trigger application-specific actions. Eg: perform various preparations such as erasing a flash region or indicate DFU mode to the device user in some way. Manually clearing theDFU_ENABLE_BITmay be interpreted by the application as a "DFU abort" event.BIT 1:
DFU_COMMIT_BIT. Setting this bit to 1 triggers a commit of the DFU operation. The actions taken by the application upon aDFU_COMMITevent are application-defined but may include (but not be limited to): Validating the update candidate binary, installing the update candidate binary, issuing a device reset to validate and install the update candidate. Upon writing theDFU_COMMIT_BITto 1, theboth the DFU_COMMIT and DFU_ENABLEbits will be cleared. This effectively ends the DFU session.Bit 2:
DELTA_MODE_EN_BIT. Setting this bit to 1 enables the delta mode feature of the DFU service. In some cases, an update candidate binary may have regions where the binary data is the same as the currently installed application. In this case, the duplicate program data does not need to be transferred to the DFUService. If this bit is set when a forward-moving offset write occurs, program data between the old offset and the new offset will be copied to the selected update candidate slot. The use of this feature requires prior knowledge of the installed application binary and the update candidate to be installed. Therefore, the GattClient application bears the burden of using the delta mode feature properly.Bit 7:
FLOW_CONTROL_PAUSE_BIT. This bit is read-only. If set, the client should pause writes to the Binary Stream Characteristic. Any writes to the Binary Stream Characteristic while this bit is set will be ignored.TBD: other assigned bits. Perhaps this should be a 32-bit field so future additions are less limited?
The Control Characteristic may be written by the client or the server. The client is encouraged to subscribe to notifications/indications from this characteristic if write w/o response (ie: buffered mode) will be used. This is so the client can be notified when the flow control pause bit is set or cleared by the GattServer.
The application can reject requests to write this control characteristic as needed (eg: if DFU mode is not allowed at this time, the write to set
DFU_ENABLE_BITto 1 will be rejected). A write attempting to change any read only bits will be rejected by the DFUService automatically.TODO define read only bits, define application ATT error for read only bits and DFU unavailable errors.
TBD use
std::bitset?Status Characteristic
The Status Characteristic is intended to report the status of the DFU operation. The DFUService does not require the DFU operation to be completed during the BLE connection facilitating the DFU transfer. ie: Validating and/or installing the transferred update candidate binary may or may not be performed during the server's current power cycle. It is application-defined if the update candidate binary is validated immediately after a DFU commit has been performed or if validation and installation is deferred to another software component (eg: secure bootloader).
In the latter case (deferred validation/installation), the success of the DFU operation may be obtained by reading the Status Characteristic during the next connection after the update has been applied. It may also be inferred if the GattServer implements the
DeviceInformationServiceand exposes the current installed application version(s).TBD: Status codes
Reviewers
@pan- @paul-szczepanek-arm
This is a WIP PR to open up the DFUService design process for comment. My goal is to have a somewhat generic update service that leaves most decisions up to the application.
Decisions such as:
This is PR constitutes a draft of my first cut at designing such a DFU API.
I would appreciate your comments and feedback!