api/bluetooth: restart Bluetooth after firmware upgrade

benma · benma · commit 9bd222b0d807 · 2025-05-08T15:13:06.000+02:00
This will disconnect any open Bluetooth connection and make the chip load
the new upgraded firmware.
diff --git a/src/rust/bitbox02-rust/src/async_usb.rs b/src/rust/bitbox02-rust/src/async_usb.rs
@@ -101,6 +101,9 @@ where
 
             *state = UsbTaskState::Running(Some(task), WaitingForNextRequestState::Idle);
         }
+        // This panic could happen e.g. if someone reconnects to the BitBox while a task is running,
+        // before the 500ms timeout cancels the task. The proper way to handle would be to let the
+        // host know we are busy so the host can re-retry after some time.
         _ => panic!("spawn: wrong state"),
     }
 }
@@ -149,7 +152,13 @@ pub fn spin() {
         _ => None,
     };
     if let Some(ref mut task) = popped_task {
-        match spin_task(task) {
+        let spin_result = spin_task(task);
+        if matches!(*USB_TASK_STATE.0.borrow(), UsbTaskState::Nothing) {
+            // The task was cancelled while it was running, so there is nothing to do with the
+            // result.
+            return;
+        }
+        match spin_result {
             Poll::Ready(result) => {
                 *USB_TASK_STATE.0.borrow_mut() = UsbTaskState::ResultAvailable(result);
             }
@@ -208,6 +217,11 @@ pub fn copy_response(dst: &mut [u8]) -> Result<usize, CopyResponseErr> {
 
 /// Cancel and drop a running task. Returns true if a task was cancelled, false if no task was
 /// running.
+///
+/// Call this inside a running task only if you expect that the host may not be able to read the
+/// result (e.g. when resetting the BLE chip as part of a task), so another task can spawn
+/// afterwards immediately (before the timeout auto-cancles it), which currently would run into a
+/// panic until the response was read and the current task concluded. See the comment in `spawn()`
 pub fn cancel() -> bool {
     let mut state = USB_TASK_STATE.0.borrow_mut();
     if let UsbTaskState::Running(_, _) = *state {
diff --git a/src/rust/bitbox02-rust/src/hww/api/bluetooth.rs b/src/rust/bitbox02-rust/src/hww/api/bluetooth.rs
@@ -163,6 +163,11 @@ async fn process_upgrade(
 
     if response.is_ok() {
         hal.ui().status("Upgrade\nsuccessful", true).await;
+        bitbox02::reset_ble();
+        // Since the Bluetooth host will not be there anymore to read this response, this task will
+        // not be cleared by the executor. We do it manually to make space for the next task upon
+        // reconnection.
+        crate::async_usb::cancel();
     } else {
         hal.ui().status("Upgrade failed", false).await;
     }
diff --git a/src/rust/bitbox02-sys/build.rs b/src/rust/bitbox02-sys/build.rs
@@ -120,6 +120,7 @@ const ALLOWLIST_FNS: &[&str] = &[
     "random_mock_reset",
     "reboot_to_bootloader",
     "reset_reset",
+    "reset_ble",
     "screen_print_debug",
     "screen_process",
     "screen_saver_disable",
diff --git a/src/rust/bitbox02/src/lib.rs b/src/rust/bitbox02/src/lib.rs
@@ -113,6 +113,10 @@ pub fn reset(status: bool) {
     unsafe { bitbox02_sys::reset_reset(status) }
 }
 
+pub fn reset_ble() {
+    unsafe { bitbox02_sys::reset_ble() }
+}
+
 pub struct Tm {
     tm: bitbox02_sys::tm,
 }

Original file line number	Diff line number	Diff line change
`@@ -113,6 +113,10 @@ pub fn reset(status: bool) {`
`113`	`113`	`unsafe { bitbox02_sys::reset_reset(status) }`
`114`	`114`	`}`
`115`	`115`
	`116`	`+pub fn reset_ble() {`
	`117`	`+ unsafe { bitbox02_sys::reset_ble() }`
	`118`	`+}`
	`119`	`+`
`116`	`120`	`pub struct Tm {`
`117`	`121`	`tm: bitbox02_sys::tm,`
`118`	`122`	`}`