2024-03-06 12:36 AM
Hi
We want to use STM32U575 Watchdog Mechanism in our operational FW, but have the following concerns:
1. Can MCU ST Bootloader kick the WD in general, and especially duringca FW update, when it is busy writing/reading to flash the new FW to update or during its execution prior to jumping to the FW?
2. How can we maintain debug capabilities - no resets during debugging - is there a debug settings taking care of it?
3. How can we log events of resets which happened due to WD - can the RCC be examined during startup to analyze if the reset was due to a watchdog?
4. How can we log events of resets which happened due to WD - can an early IWDG interrupt be used and how? Would I have enough time to log info to some non-volatile memory (e.g. EEPROM)?
5. When is best to initialize and activate the watchdog during the FW startup - especially when we have some long wait (seconds) during the FW startup to overcome some initialization problem we currently face?
6. Can the watchdog setting be changed or disabled AFTER it was already activated?
7. What are the main considerations to choose to work in Software or hardware watchdog mode?
Thanks in advance for any relevant info.
2024-03-06 06:37 AM
1. The ST bootloader does not interact with the watchdog. If it's enabled when you jump to the bootloader, the watchdog will eventually reset the device.
2. You can halt the watchdog during debugging. Look at DBG_IWDG_STOP in DBGMCU registers.
3. Yes, see IWDGRSTF in RCC_CSR register.
4. Yes, there is an early watchdog interrupt that should give you enough time to write to EEPROM.
5. It's up to you, but generally, when your program is done initialization and starts running user code. Errors before that point are generally fatal (i.e. won't be fixed by a reset) while errors in user code often will be.
6. You cannot disable it once started. Fairly sure you can change the duration.
7. Hardware watchdog is always enabled, so enabled immediately after reset. Software watchdog needs to be started. Again, up to you what you want to do. I would say generally the watchdog interrupt is more common.
The reference manual goes into detail on most of these topics.
2024-03-10 12:54 AM
Thanks for a detailed answer.
There are three items I want to further clarify
Item 1:
Q1. Can MCU ST Bootloader kick the WD in general, and especially during a FW update, when it is busy writing/reading to flash the new FW to update or during its execution prior to jumping to the FW?
A1. The ST bootloader does not interact with the watchdog. If it's enabled when you jump to the bootloader, the watchdog will eventually reset the device.
Q. My question now:
I look at https://www.st.com/resource/en/application_note/an2606-stm32-microcontroller-system-memory-boot-mode-stmicroelectronics.pdf
Chapter 4.8 for IWDG usage in Bootloader,
Chapter 76 for IWDG & relevant STM32U575xx
And the info is not clear to me.
How in general can we perform a procedure of a SW update using the STM32U575xx Bootloader, if we enable the WD by the SW program (after it's done initialization and starts running user code), and then the SW program jumps to Bootloader (per a host request to start a SW update)? How can we make sure the WD will not reset during bootloader is busy in the SW update (it involves getting SW program fragments via FDCAN and writing them to the flash memory, and reading back from flash to verify write was ok)?
Item 2:
Q4. How can we log events of resets which happened due to WD - can an early IWDG interrupt be used and how? Would I have enough time to log info to some non-volatile memory (e.g. EEPROM)?
A4. Yes, there is an early watchdog interrupt that should give you enough time to write to EEPROM.
Q. My question now: can the early watchdog interrupt set to any time before the actually reset expected due the WD itself? Is there any difference in the WD mechanism of reset or any other aspect when using or not using the early interrupt option?
Item 3:
Q6. Can the watchdog setting be changed or disabled AFTER it was already activated?
A6. You cannot disable it once started. Fairly sure you can change the duration.
Q. My question now:
I look at https://www.st.com/resource/en/product_training/STM32WB-WDG_TIMERS-Independent-Watchdog-IWDG.pdf and it says one can set the WD to any period between from 125 microseconds to 32 seconds. So, can I freely change the duration of the WD once started in this time range?
Thanks for your support.
2024-03-11 06:47 AM
Don't enable the watchdog before you jump. Consider setting a flag in your program, resetting, and checking for that flag on startup, before you set watchdog, and jumping to the bootloader.
The other questions are covered in detail in the reference manual (and/or my previous post).
2024-03-12 04:09 AM - edited 2024-03-12 04:10 AM
Thanks for a prompt answer.
I'm not sure I've understood your suggestion.
After its initialization is done, our FW requires that the WD would be activated, during its execution, to catch malfunctioning.
It can receive a request in CAN from the host to perform a FW update during its execution, thus it needs to jump to ST bootloader for the FW update procedure.
How do you suggest we can achieve both functionalities - the WD to protect during our FW execution, and the need of FW update using the ST bootloader?
Thank you
2024-03-12 06:55 AM
> How do you suggest we can achieve both functionalities - the WD to protect during our FW execution, and the need of FW update using the ST bootloader?
By this:
Consider setting a flag in your program, resetting, and checking for that flag on startup, before you set watchdog, and jumping to the bootloader.
I can step through this in a little more detail:
2024-03-14 12:41 AM
Thanks for elaborating.
Ok, that seems like an optional solution, though it will add have complexity impact on the FW update procedure, and the flag will need to mark both the need for not activating the WD and the need for a FW update:
2024-03-14 06:55 AM
If the check comes before activating the watchdog (which it should), you don't need to worry about that complexity. Just adding more things that can go wrong by having another flag.
2024-09-26 03:47 AM - edited 2024-09-26 04:26 AM
It's due to other priorities, that I abandoned this issue, and now time is back to handle it.
Your recommendation: