XO-1.75 may brick OpenFirmware by power button press during flash

[Quozl]

With XO-1 and XO-1.5 we disabled the power button during bulk write to the SPI FLASH, in order to reduce the risk of bricking caused by the user pressing the power button during flashing.

With XO-1.75 we have two SPI FLASH chips. When reflashing the EC, the power button is already disabled. When reflashing OpenFirmware, it is not.

Provide a method to disable the power button.

[Quozl]

patch proposed for review

[Quozl]

additional patch on top of previous patch to ensure the inhibit is not persistent over host power cycle

[rsmith]

Replying to Quozl:

Provide a method to disable the power button.

I think the best way to handle may be to put the EC into reset while updating the host SPI flash. A reboot happens after the reflash anyway. I worry that adding commands to enable/disable the power button will just result in power button behavior bugs.

[Quozl]

Please explain further. I don't see any way to put the EC into reset and keep it there.

• EC_RST# (U20.36) is not connected, according to the schematic,

• there's no command in sdicmd.c for putting the EC into reset that doesn't also let the EC restart again,

• the reflash after reboot requires the EC to be running, since it uses 0x4b CMD_POWER_CYCLE, so putting it into reset and keeping it there would prevent reboot, and this does not seem right.

[rsmith]

Replying to Quozl:

Please explain further. I don't see any way to put the EC into reset and keep it there.

Same way its done when you re-program the EC. The EDI interface has access to all the registers and one of those allows you to put the EC into reset.

[Quozl]

Spent a few hours on q4b09jf which used EDI to put the EC into reset before trying to flash OpenFirmware ... but found that the generic SPI layer is set up for one use at a time, and OpenFirmware uses it both for the EDI interface to the EC and for the SPI interface to the SPI FLASH. More time will be required to get this right. I'm worried about reflash bugs.

[wmb@…]

Approximate recipe:

: ignore-power-button  ( -- )
   edi-spi-start
   ['] reset-8051 catch if reset-8051 then
   use-ssp-spi
;
: ec-spi-reprogrammed   ( -- )
   edi-spi-start
   unreset-8051
;

' ec-spi-reprogrammed to spi-reprogrammed

[Quozl]

Implemented in svn 2523 and under local test in q4b09jg. Should be in Q4B10.

[Quozl]

Fixed in q4b10, please test.

Test case: momentarily press and release power button and observe flicker of power indicator, then verify that the flicker does not occur while OpenFirmware Q4B10 is reflashing Q4B10. (It won't pass test if Q4B09 is reflashing to Q4B10.)

[greenfeld]

Tried to flash an XO 1.75 B1 with Q4C02 on it to Q4C04 after verifying the power button blinked briefly when the power button was pressed without reflashing.

Pressed the button while Writing was displayed during the update and the power button flashed. Held the button down while writing was still going on and the XO shut down without completing the update of OFW, bricking itself.

I need to know if this was expected or not, but don't think it was.

[Quozl]

Worked fine in Q4B10, but apparently broke some time after that. I've reproduced the flicker during write on Q4C04ja.

Note that the test case did not involve holding the button down. That was intentional. It is sufficient to prove that the LED does not flicker, since the EC always flickers the LED on a power button press if the EC is operating. You should not have proceeded having observed the LED flicker.

(Unrelated to the ticket, it is likely that CForth is intact, and so debricking might only require serial port and rotate button on power up.)

[Quozl]

Was fixed in Q4B10, broke in Q4B11 due to svn 2561, fixed in svn 2680, will be included in next release of OpenFirmware.

Developer release available for testing q4c04jc.rom built 2011-11-10 01:02:38.

There is no need to hold the button down in testing, however if you wish to do so check first that the power LED does not flicker.

As an additional precaution, one may check to see if the fix is present. On Q4C04jc and later, the following output shows the fix is present:

ok see flash-vulnerable(
: flash-vulnerable(   
   ignore-power-button hdd-led-on 
; 
ok 

On Q4C04 and earlier, the following output shows the fix is absent:

ok see flash-vulnerable(
: flash-vulnerable(   
   hdd-led-on 
; 
ok 

This check is relevant only to the firmware version performing the reflashing.

[Quozl]

Fixed in Q4C05.