fw/coredump: wake LCPU during dump so BLE crashes capture its RAM

gmarull · claude · gmarull · commit 8c9f0177b8eb · 2026-06-05T16:13:03.000+02:00
The LCPU (BLE controller) RAM lives in the LPSYS domain and is only
reachable while that domain is powered. NimBLE host asserts (e.g.
ble_hs.c start_stage2) crash through the generic assert path, which
leaves the LCPU asleep, so their coredumps dropped the 24 KB LCPU
region entirely.

Wake the LCPU from prv_dump_lcpu_ram() so the controller RAM is captured
for every crash type. If the LCPU is fully powered down the wake blocks
until the watchdog reboots us, costing only this dump. The two
special-case wake calls in the NimBLE init path are now redundant and
removed, along with the wrapper.

Fixes FIRM-2292

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
Signed-off-by: Gerard Marull-Paretas &lt;gerard@teslabs.com&gt;
diff --git a/src/bluetooth-fw/nimble/init.c b/src/bluetooth-fw/nimble/init.c
@@ -27,9 +27,6 @@ static const uint32_t s_bt_stack_start_stop_timeout_ms = 10000;
 
 extern void pebble_pairing_service_init(void);
 extern void nimble_discover_init(void);
-#ifdef CONFIG_SOC_SF32LB52
-extern void ble_transport_ll_wake_lcpu(void);
-#endif
 
 #if NIMBLE_CFG_CONTROLLER
 static TaskHandle_t s_ll_task_handle;
@@ -60,9 +57,8 @@ static void prv_sync_cb(void) {
 static void prv_reset_cb(int reason) {
   PBL_LOG_D_WRN(LOG_DOMAIN_BT, "NimBLE host reset (reason: 0x%04x)", (uint16_t)reason);
 #ifdef CONFIG_SOC_SF32LB52
-  // Controller stopped answering HCI. Keep the LCPU reachable and crash so the
-  // coredump captures LCPU RAM; the reboot cold-recovers the controller.
-  ble_transport_ll_wake_lcpu();
+  // Controller stopped answering HCI. Crash so the coredump captures LCPU RAM
+  // (core_dump wakes the LCPU itself); the reboot cold-recovers the controller.
   PBL_CROAK("NimBLE host reset 0x%04x; captured LCPU RAM", (uint16_t)reason);
 #endif
 }
@@ -155,10 +151,7 @@ bool bt_driver_start(BTDriverConfig *config) {
   ble_hs_sched_start();
   f_rc = xSemaphoreTake(s_host_started, milliseconds_to_ticks(s_bt_stack_start_stop_timeout_ms));
   if (f_rc != pdTRUE) {
-#ifdef CONFIG_SOC_SF32LB52
-    // Keep the LCPU reachable so the coredump captures its RAM.
-    ble_transport_ll_wake_lcpu();
-#endif
+    // core_dump wakes the LCPU itself, so its RAM is captured here too.
     PBL_CROAK("NimBLE host start timed out");
   }
 
diff --git a/src/fw/kernel/core_dump.c b/src/fw/kernel/core_dump.c
@@ -447,14 +447,14 @@ static void prv_write_memory_regions(const MemoryRegion *regions, unsigned int c
 }
 
 #if defined(CONFIG_SOC_SF32LB52)
-// LCPU RAM lives in the LPSYS domain; reading it while that domain is powered
-// down hangs/faults. LP_ACTIVE reports whether it is reachable.
+// Wake the LCPU so its LPSYS RAM is reachable, letting BLE crashes (e.g. NimBLE
+// host asserts) capture the controller RAM. HAL_HPAON_WakeCore busy-waits for
+// the LCPU to ack; if it is fully powered down this blocks until the watchdog
+// reboots us, costing only this dump. We reset right after, so the wake request
+// is never balanced.
 static void prv_dump_lcpu_ram(uint32_t flash_base) {
-  if (hwp_hpsys_aon->ISSR & HPSYS_AON_ISSR_LP_ACTIVE) {
-    prv_write_memory_regions(&LCPU_MEMORY_REGION, 1, flash_base);
-  } else {
-    prv_debug_str("CD: LCPU domain off, skipping LCPU RAM");
-  }
+  HAL_HPAON_WakeCore(CORE_ID_LCPU);
+  prv_write_memory_regions(&LCPU_MEMORY_REGION, 1, flash_base);
 }
 #endif
 
diff --git a/third_party/nimble/transport/hci_sf32lb52.c b/third_party/nimble/transport/hci_sf32lb52.c
@@ -336,12 +336,6 @@ void ble_transport_ll_init(void) {
   PBL_ASSERTN(s_hci_task_handle);
 }
 
-// Hold the LP active request (no cancel) so LPSYS RAM stays reachable from the
-// HCPU while the coredump runs after a crash on host reset.
-void ble_transport_ll_wake_lcpu(void) {
-  HAL_HPAON_WakeCore(CORE_ID_LCPU);
-}
-
 void ble_transport_ll_deinit(void) {
   NVIC_DisableIRQ(LCPU2HCPU_IRQn);
   ipc_queue_close(s_ipc_port);
