Esoteric: DFU push of a tiny app firmware fails on second iteration (Espruino SDK12, nRF52832)

[thandal]

On nRF52832 with Espruino's SDK12 DFU bootloader, DFU-pushing a sub-page-sized application (≲4 KB) twice in succession produces a corrupted bank_1 staging region. The first push works; the second push completes successfully according to the Web IDE, and the device reboots but immediately re-enters DfuTarg and stays there — the new app's reset vector lands at a corrupted address and HardFaults on boot.

The corrupted bytes at the bank_1 staging address (0x20000 when bank_0 is a 1-page app) are a strict bit-subset of the expected .bin bytes — NVMC's 1→0-only programming applied to two writes at the same flash address.

To Reproduce:

1. Flash an MDBT42Q with stock Espruino: SoftDevice S132 v3.1.0 + Espruino SDK12 bootloader + Espruino app firmware (~276 KB).
2. Build a ~1.9 KB application that fits in one flash page. Package as a signed DFU zip:

   nrfutil pkg generate --application-version 0xff --hw-version 52 --sd-req 0x8C,0x91 ...
   

3. Enter DFU mode (BTN1-hold + power-cycle on the MDBT42Q breakout). Push the zip via Web IDE. Succeeds.
4. Re-enter DFU the same way, push the same zip again. Tool reports success.
5. Device is stuck in DfuTarg. LED stuck on (corrupted reset vector faults immediately).

SWD-read at 0x20000 to confirm:

expected (.bin first 32 bytes):
  20010000 0001F629 0001F651 0001F653 0001F655 0001F657 0001F659 00000000

observed after failed push #2:
  00000000 0001F628 0000B000 0000B400 0000F654 00002000 00004610 00000000

For every word, observed & expected == observed — the NVMC AND-of-two-writes signature.

One possible mechanism:

dfu_req_handling.c receives DFU data into a 4-slot cyclic buffer (m_data_buf[4][256]) and queues each filled slot to fstorage via nrf_dfu_flash_store(), passing a pointer to the slot rather than a copy. On a small transfer that fits in fewer chunks than fstorage can drain in time, the producer wraps the buffer index and overwrites a slot whose earlier store is still in flight. This is one plausible path to two writes landing at the same flash address with different intended payloads.

A targeted fix would copy each chunk into a dedicated single-owner buffer before calling nrf_dfu_flash_store(), or otherwise gate buffer reuse on m_flash_operations_pending draining. SDK15's nrf_dfu_req_handler.c rewrite addresses this class architecturally.

Related / adjacent reports

• Nordic DevZone #25872 — "DFU - problem with moving data from external to internal flash" — user describes the same producer-vs-fstorage race against dfu_req_handling.c's buffer scheme on SDK13.
• DevZone #60683 — "Secure DFU race condition" — Nordic recommends nrf_fstorage_is_busy() polling as the mitigation pattern.
• DevZone #23779 — recursive app_sched_execute in DFU — SDK13→14 DFU rework context.
• Nordic SDK15 release notes: dfu_req_handling.c → nrf_dfu_req_handler.c rewrite (request handling moved to app_scheduler, explicit drain barriers).
• A targeted search of Espruino GitHub issues / Discussions found no matching report.

Workaround

Pad the application past ~70 KB (not sure the exact size necessary) before packaging the DFU zip. Larger transfers don't exhibit the bug. Use a forced .rodata array referenced via a runtime-indexed read so the compiler/linker can't strip it:

const uint8_t pad[80 * 1024] = { 0xAA };  // first byte non-zero forces .rodata, not .bss

// in main():
pad_keepalive = pad[NRF_FICR->DEVICEID[0] % sizeof(pad)];  // runtime index defeats constant folding

Three back-to-back DFU pushes of an >80 KB app empirically work; the same code without padding fails 100% on the second push.

Environment

• Chip: nRF52832 (MDBT42Q module)
• SoftDevice: S132 v3.1.0 (FWID 0x8C, also 0x91)
• SDK: nRF5 SDK 12
• Bootloader source: Espruino/targets/nrf5x_dfu/sdk12/
• Tools: nrfutil ≥ 8.x, Espruino Web IDE for DFU uploads

[gfwilliams]

Thanks for the report! Was this filed with AI out of interest? It seems very thorough!

I'm still unsure quite how this could happen as I'd have expected each flash write to be prefixed by a page erase, so even if the wrong data was written, you wouldn't expect the ANDing you're seeing. It's possible there's some rounding error in the page erase code.

... or it might be some configuration issue because we're running in a single-bank configuration here - perhaps some code in the bootloader is still assuming that sub-80k firmwares get put in bank_1, but other code is assuming single-bank so isn't clearing it?

Am I right in thinking that this doesn't break the bootloader in any way - so it's not bricking the device or anything, it just means you can't upload these smaller binaries reliably? If you upload an Espruino binary and then your small binary, it will then work again?

I'm amazed this hasn't been reported previously with Nordic - those links you posted seem to mention SDK12? I guess likely any application that uses the softdevice would end up quite large so this never really got noticed.

I don't provide any way of updating the bootloader on Espruino devices (only Bangle.js). While it would be possible for me to make such a tool, I'm not sure if the potential risks of bricking the device with a botched update are worth it to fix something like this - it might make more sense for me to just document it somewhere.

[thandal]

Re AI: yes, I have been using Claude. But the experimental design and verification was done by me, and I beat on this summary until it removed the speculation and over-confidence. I felt like detail was necessary given the weirdness of the bug!

Re Thorough: to your point, I was also really surprised that it wasn't mentioned upstream, and I tried very hard to find other evidence and/or some sort of smoking gun in terms of a bug. One thing to note is that Nordic seems to have reimplemented this functionality, but without explicitly mentioning a bug.

The workaround is simple enough, and I think you're right about it not being worth the potential risk to upgrade the bootloader on existing devices (especially since I at least haven't been able to find a fix!)... I just wanted to file this because it cost me many hours of work to figure out what the heck was going on!

[thandal]

Re breaking the bootloader: while it doesn't break the bootloader, it does put the device in a state where I can't revert the app firmware to a working version. So DfuTarg is still advertised, I can apparently upload the "rollback" app firmware (eg to roll back to stock Espruino), but it fails due to this issue. So the device is effectively bricked. I haven't figured out any tricks for recovering once it is in this state, other than wiring up SWD and recovering the device with nrfutil and friends.

EDIT: ... let me actually double-check this.

EDIT: Confirmed. The device comes up in the bootloader, and I've tried 4 times to upload the stock Espruino app .zip to it. Each time it appears to complete, and the device resets, but it immediately comes up in the bootloader again. I tried explicitly entering the bootloader with the button on power-on, with the same result. Effectively bricked.

[gfwilliams]

AI

Thanks! I couldn't be sure because it was formatted a bit like an AI did it, but it actually all made sense - so thanks for taking the time to really refine it!

I just wanted to file this

Yes, absolutely - thanks for posting it!

One thing to note is that Nordic seems to have reimplemented this functionality

Nordic have a history of reimplementing/refactoring/renaming bits of their SDK for no good reason, so while it may well be because of a bug I wouldn't always assume it!

Effectively bricked.

Ok, wow - that changes things then. Just to save a bit of time, please could you post up that sub-4k firmware update zip you have so I can reproduce it?

While obviously the main intent of the Espruino bootloader is to allow updates of the Espruino firmware, it's worrying that you could brick the device by uploading the wrong file to it.

[thandal]

Sure thing! See attached

alive_tiny.zip
alive_tiny_src.zip

[thandal]

Another verbose explanation from Claude, but I think I have a fix (see the attached patch)

dfu_dualbank_robustness_fix.patch

Diagnosis

Bank choice is made by nrf_dfu_find_cache from free space and the settings state:

• Push 1 lands on a chip whose settings mark bank_0 INVALID (fresh after an SWD
  flash). find_cache takes its "no valid app → use bank_0" branch and writes the new
  image directly to 0x1F000 (single-bank) — no staging, no copy. Works.
• Push 2 now sees bank_0 = VALID_APP, so find_cache goes dual-bank: stage
  to bank_1 = 0x1F000 + align_page(bank_0.size) = 0x20000, then on reboot copy down.
  This is the first time nrf_dfu_app_continue runs, and that's where it breaks.

(Large apps that don't fit alongside the old one are forced single-bank, so they never
hit the copy path — which is why "pad past ~80 KB" used to mask the bug. That workaround
is now obsolete.)

Root cause — three defects in the copy/boot path

1. Byte/word length bug (the "corruption"). nrf_dfu_app_continue copies bank_1→
   bank_0 with nrf_dfu_flash_store(target, src, cur_len, NULL), but cur_len is a
   byte count and nrf_dfu_flash_store's parameter is words. It writes 4×. With
   src = 0x20000 only one page (4 KB) above dest = 0x1F000, a ~7.6 KB copy is
   self-overlapping and writes back over the un-erased bank_1 staging area — NVMC
   ANDs new data into 0x20000, producing the "structured garbage" we saw. (Stock SDK12
   bug; the SD-copy path divides by 4, the app-copy path forgot to.)

2. Async copy, no wait. With the SoftDevice enabled, nrf_dfu_flash_erase/_store
   are asynchronous (fstorage). app_continue issues them with a NULL callback and
   never calls the existing nrf_dfu_flash_wait(), then immediately runs
   nrf_dfu_mbr_compare/CRC against flash that hasn't been written yet → spurious
   compare failure, and the queued writes drain later and corrupt flash. (app_continue
   runs early in nrf_dfu_init, before the scheduler is up, so this race is built in.)

3. No fallback to the valid bank. When the copy "fails", nrf_dfu_init sets
   enter_bootloader_mode = 1 and the if (enter_bootloader_mode || !dfu_app_valid)
   forces DfuTarg — even though nrf_dfu_app_is_valid() returns true for the intact
   bank_0. Worse, app_continue only CRC-checks the image after copying it onto
   bank_0, so a corrupt bank_1 destroys the last-good app instead of being rejected.

The fix (dfu_dualbank_robustness_fix.patch)

In nrf_dfu_app_continue (nrf_dfu_utils.c):

• Verify bank_1 BEFORE copying. CRC the source image; if it doesn't match
  bank_1.image_crc, refuse the copy, invalidate bank_1, and return success leaving
  bank_0 intact. A corrupt/incomplete staged image can no longer clobber the good app.
• Wait for each async op (nrf_dfu_flash_wait()) after erase / store / settings
  write, before compare/CRC.
• Fix the length: pass words (CEIL_DIV(cur_len, 4)) to nrf_dfu_flash_store.

In nrf_dfu_init (nrf_dfu.c):

• Don't force DFU on a failed continuation. Always evaluate nrf_dfu_app_is_valid()
  and boot bank_0 if it's valid — fall back to the last-good app instead of bricking.

Net result is the behaviour you'd expect from a dual-bank loader: stage in the inactive
bank, validate before switching, and on any failure keep running the last-good app.
(Note: this bootloader is copy-down, not symmetric A/B — the app is linked for 0x1F000
and only runs there; bank_1 is scratch. "Fall back to the other valid bank" therefore
means bank_0, the only runnable one.)

Validation (on-device, SWD + RTT instrumentation)

1. Single-bank push (alive_tiny): boots. RTT: Valid App → app_is_valid → boot.
2. Dual-bank update with a distinct app (alive_tiny2, different blink): the new
   image installs. RTT: app_continue → Setting app as valid; bank_0 now holds
   alive_tiny2's vectors (0001F60D); bank_1 invalidated. The dual-bank path works
   end-to-end.
3. Injected corrupt bank_1 (SWD-fabricated settings: bank_current=1,
   bank_1.crc=0xDEADBEEF over garbage at 0x20000): RTT shows
   Bank 1 corrupt (crc … != …). Refusing copy; keeping bank 0 → boots the intact
   bank_0 app. No brick.

[gfwilliams]

Thanks for this! I'll be out of the office for the next week, so I don't feel confident doing anything on a friday just before then!

Does the fix appear to work for you?

I'm not entirely sure about verifying the CRC as I'm not sure we do set the CRC correctly for Bangle.js 1 when updating via external flash - while the flash waits might be a good plan (although I'm not convinced they are 100% needed), I'd prefer to fix this by actually disabling bank 1, which might also have the nice effect of reducing the bootloader size a little.

[thandal]

Yes, the fix appears to work for me. My goal was to fix the underlying bug, and also to restore the "fall back to good firmware in case DFU goes wrong" feature -- which is lost if bank 1 is always disabled. But its definitely simpler to just disable it! And of course for larger firmwares (>80k) bank 1 is disabled anyway, so I think it might be the most surgical change.

…

On Fri, May 22, 2026 at 10:32 AM Gordon Williams ***@***.***> wrote: *gfwilliams* left a comment (espruino/Espruino#2708) <#2708 (comment)> Thanks for this! I'll be out of the office for the next week, so I don't feel confident doing anything on a friday just before then! Does the fix appear to work for you? I'm not entirely sure about verifying the CRC as I'm not sure we do set the CRC correctly for Bangle.js 1 when updating via external flash - while the flash waits might be a good plan (although I'm not convinced they are 100% needed), I'd prefer to fix this by actually disabling bank 1, which might also have the nice effect of reducing the bootloader size a little. — Reply to this email directly, view it on GitHub <#2708 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAT6ESETRCTM7KSGHRQKG5344BQJFAVCNFSM6AAAAACZFEMLYKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DKMJZGYYTQMBZHE> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you authored the thread.Message ID: ***@***.***>