Software Rebooting a Crashed Device

Yesterday I accidentally flashed buggy code to a core and it crashed. Connected to USB, I could simply reset and reflash. Out in the field, are there any mechanisms for initiating a reboot so that a crashed core can be reset? I am thinking of a state where it can be set to ‘listening’ to be flashed. Can a physical button be connected to a pin to initiate this type of reset?

You could create a Spark.function( ) that can restart the device with System.reset( ), so yeah!
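As an added illustration of that suggestion (example code written for this thread, not the poster's own), a sketch that registers a cloud-callable "reset" function. It assumes the `Spark.function()` and `System.reset()` calls named above; the handler only records the request and returns, so the cloud receives the function's reply before the Core restarts, and `loop()` performs the reset a moment later. The function name "reset" and the required argument "now" are choices made for this example.

```arduino
// Added example (not from the original post): expose a cloud-callable
// "reset" function on a Spark Core. The handler only sets a flag and
// returns, so the cloud gets the function's reply before the Core
// actually restarts; loop() performs the reset shortly afterwards.
// Assumes the Spark.function() / System.reset() API referred to above.

bool resetRequested = false;      // set by the cloud function, consumed in loop()
unsigned long resetRequestedAt = 0;

// Cloud function handler: the cloud passes the argument string supplied
// by the caller. Requiring a specific argument ("now") avoids an
// accidental restart from an empty or mistyped call.
int requestReset(String arg) {
    if (arg != "now") {
        return -1;                // reject anything but an explicit request
    }
    resetRequested = true;
    resetRequestedAt = millis();
    return 1;                     // acknowledged; reset happens in loop()
}

void setup() {
    Spark.function("reset", requestReset);   // function names are limited to 12 characters
}

void loop() {
    // Give the cloud connection a moment to deliver the reply, then reboot.
    if (resetRequested && millis() - resetRequestedAt > 500) {
        System.reset();
    }
}
```

From the Spark CLI this is invoked as `spark call <device-id> reset now`. Note that it only helps while the application firmware is still running its cloud loop: if the Core has hard-crashed, the function handler is never reached, which is the limitation the next reply points out.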

@BulldogLowell, Spark.function() won’t work on a crashed core!

@Kevin, the Core’s behavior after a crash has been bantered about by @AndyW, myself and @mdma for a while. Specifically, letting the user choose the behavior of the Core based on the type of crash would be desirable. For example, if a Core crashes due to a “hard” crash (heap overrun, etc) or due to a watchdog timeout then the Core should go into an OTA mode, waiting for new code.

Unfortunately, this functionality is not included in the present firmware and I am not aware of any plans to do so. With FreeRTOS, the Photon/Electron will handle these events in a different way.

As for the physical button, new functionality has been added in the upcoming release of the 0.4 firmware which will allow a user to use the MODE button on the Core to put the core in OTA mode without doing a factory reset. :smile:

Ideally the former would be ideal - crashed Core goes into OTA mode. Seems an obvious requirement for a remote device. The button may be an option (but adds cost and complication to the product design and physical enclosure). The solution is to triple test any changes before flashing to a population of remote devices… but I can still see accidents happening.

If your firmware crashes hard enough then the bootloader will decide to run the backup firmware, which is the default Tinker app unless you have taken special measures to change that. This is a great safety valve and it seems to me that the feature you are asking for is already there. In deployed hardware, you can set the backup firmware to be whatever you want, not just Tinker, before the part leaves your factory.

I don’t know enough about the bootloader to accurately describe what “crashing hard enough” means technically, but I know that two crashes seem to force a safe boot into Tinker. Reading the code, it looks like if all else fails, it will enter DFU mode waiting to be programmed over USB. There is also separate code to handle failed OTA updates.

The code is here:

3 Likes

shame on me for not reading his post too thoroughly! :wink:

1 Like