ESPHome: esphome/components/safe_mode/safe_mode.cpp Source File

#include "safe_mode.h"


#include "esphome/core/application.h"

#include "esphome/core/hal.h"

#include "esphome/core/log.h"

#include "esphome/core/util.h"


#include <cerrno>

#include <cinttypes>

#include <cstdio>


#ifdef USE_OTA_ROLLBACK

#ifdef USE_ZEPHYR

#include <zephyr/dfu/mcuboot.h>

#elif defined(USE_ESP32)

#include <esp_ota_ops.h>

#include <esp_system.h>

#endif

#endif


namespace esphome::safe_mode {


static const char *const TAG = "safe_mode";


void SafeModeComponent::dump_config() {

  ESP_LOGCONFIG(TAG,

                "Safe Mode:\n"

                "  Successful after: %" PRIu32 "s\n"

                "  Invoke after: %u attempts\n"

                "  Duration: %" PRIu32 "s",

                this->safe_mode_boot_is_good_after_ / 1000,  // because milliseconds

                this->safe_mode_num_attempts_,

                this->safe_mode_enable_time_ / 1000);  // because milliseconds

#if defined(USE_ESP32) && defined(USE_OTA_ROLLBACK)

  const char *state_str;

  if (this->ota_state_ == ESP_OTA_IMG_NEW) {

    state_str = "not supported";

  } else if (this->ota_state_ == ESP_OTA_IMG_PENDING_VERIFY) {

    state_str = "supported";

  } else {

    state_str = "support unknown";

  }

  ESP_LOGCONFIG(TAG, "  Bootloader rollback: %s", state_str);

#endif


  if (this->safe_mode_rtc_value_ > 1 && this->safe_mode_rtc_value_ != SafeModeComponent::ENTER_SAFE_MODE_MAGIC) {

    auto remaining_restarts = this->safe_mode_num_attempts_ - this->safe_mode_rtc_value_;

    if (remaining_restarts) {

      ESP_LOGW(TAG, "Last reset too quick; invoke in %" PRIu32 " restarts", remaining_restarts);

    } else {

      ESP_LOGW(TAG, "SAFE MODE IS ACTIVE");

    }

  }


#if defined(USE_ESP32) && defined(USE_OTA_ROLLBACK)

  const esp_partition_t *last_invalid = esp_ota_get_last_invalid_partition();

  if (last_invalid != nullptr) {

    ESP_LOGW(TAG, "OTA rollback detected! Rolled back from partition '%s'", last_invalid->label);

    ESP_LOGW(TAG, "The device reset before the boot was marked successful");

    if (esp_reset_reason() == ESP_RST_BROWNOUT) {

      ESP_LOGW(TAG, "Last reset was due to brownout - check your power supply!");

      ESP_LOGW(TAG, "See https://esphome.io/guides/faq.html#brownout-detector-was-triggered");

    }

  }

#endif

}


float SafeModeComponent::get_setup_priority() const { return setup_priority::AFTER_WIFI; }


void SafeModeComponent::mark_successful() {

  this->clean_rtc();

  this->boot_successful_ = true;

#if defined(USE_OTA_ROLLBACK)

// Mark OTA partition as valid to prevent rollback

#if defined(USE_ZEPHYR)

  if (!boot_is_img_confirmed()) {

    boot_write_img_confirmed();

  }

#elif defined(USE_ESP32)

  // Mark OTA partition as valid to prevent rollback

  esp_ota_mark_app_valid_cancel_rollback();

#endif

#endif

  // Disable loop since we no longer need to check

  this->disable_loop();

}


void SafeModeComponent::loop() {

  if (!this->boot_successful_ && (millis() - this->safe_mode_start_time_) > this->safe_mode_boot_is_good_after_) {

    // successful boot, reset counter

    ESP_LOGI(TAG, "Boot seems successful; resetting boot loop counter");

    this->mark_successful();

  }

}


void SafeModeComponent::set_safe_mode_pending(const bool &pending) {

  uint32_t current_rtc = this->read_rtc_();


  if (pending && current_rtc != SafeModeComponent::ENTER_SAFE_MODE_MAGIC) {

    ESP_LOGI(TAG, "Device will enter on next boot");

    this->write_rtc_(SafeModeComponent::ENTER_SAFE_MODE_MAGIC);

  }


  if (!pending && current_rtc == SafeModeComponent::ENTER_SAFE_MODE_MAGIC) {

    ESP_LOGI(TAG, "Safe mode pending has been cleared");

    this->clean_rtc();

  }

}


bool SafeModeComponent::get_safe_mode_pending() {

  return this->read_rtc_() == SafeModeComponent::ENTER_SAFE_MODE_MAGIC;

}


bool SafeModeComponent::should_enter_safe_mode(uint8_t num_attempts, uint32_t enable_time,

                                               uint32_t boot_is_good_after) {

  this->safe_mode_start_time_ = millis();

  this->safe_mode_enable_time_ = enable_time;

  this->safe_mode_boot_is_good_after_ = boot_is_good_after;

  this->safe_mode_num_attempts_ = num_attempts;

  this->rtc_ = global_preferences->make_preference<uint32_t>(RTC_KEY, false);


#if defined(USE_ESP32) && defined(USE_OTA_ROLLBACK)

  // Check partition state to detect if bootloader supports rollback

  const esp_partition_t *running = esp_ota_get_running_partition();

  esp_ota_get_state_partition(running, &this->ota_state_);

#endif


  uint32_t rtc_val = this->read_rtc_();

  this->safe_mode_rtc_value_ = rtc_val;


  bool is_manual = rtc_val == SafeModeComponent::ENTER_SAFE_MODE_MAGIC;


  if (is_manual) {

    ESP_LOGI(TAG, "Manual mode");

  } else {

    ESP_LOGCONFIG(TAG, "Unsuccessful boot attempts: %" PRIu32, rtc_val);

  }


  if (rtc_val < num_attempts && !is_manual) {

    // increment counter

    this->write_rtc_(rtc_val + 1);

    return false;

  }


  this->clean_rtc();


  if (!is_manual) {

    ESP_LOGE(TAG, "Boot loop detected");

  }


  this->status_set_error();

  this->set_timeout(enable_time, []() {

    ESP_LOGW(TAG, "Timeout, restarting");

    App.reboot();

  });


  // Delay here to allow power to stabilize before Wi-Fi/Ethernet is initialised

  delay(300);  // NOLINT

  App.setup();


  ESP_LOGW(TAG, "SAFE MODE IS ACTIVE");


#ifdef USE_SAFE_MODE_CALLBACK

  this->safe_mode_callback_.call();

#endif


  return true;

}


void SafeModeComponent::write_rtc_(uint32_t val) {

  this->rtc_.save(&val);

  global_preferences->sync();

}


uint32_t SafeModeComponent::read_rtc_() {

  uint32_t val;

  if (!this->rtc_.load(&val))

    return 0;

  return val;

}


void SafeModeComponent::clean_rtc() {

  // Save without sync - preferences will be written at shutdown or by IntervalSyncer.

  // This avoids blocking the loop for 50+ ms on flash write. If the device crashes

  // before sync, the boot wasn't really successful anyway and the counter should

  // remain incremented.

  uint32_t val = 0;

  this->rtc_.save(&val);

}


void SafeModeComponent::on_safe_shutdown() {

  if (this->read_rtc_() != SafeModeComponent::ENTER_SAFE_MODE_MAGIC)

    this->clean_rtc();

}


}  // namespace esphome::safe_mode

application.h

esphome::Application::setup
void setup()
Reserve space for components to avoid memory fragmentation.
Definition application.cpp:88

esphome::Application::reboot
void reboot()
Definition application.cpp:274

esphome::Component::status_set_error
void status_set_error()
Definition component.cpp:407

esphome::Component::set_timeout
ESPDEPRECATED("Use const char* or uint32_t overload instead. Removed in 2026.7.0", "2026.1.0") void set_timeout(const std voi set_timeout)(const char *name, uint32_t timeout, std::function< void()> &&f)
Set a timeout function with a unique name.
Definition component.h:451

esphome::Component::disable_loop
void disable_loop()
Disable this component's loop.
Definition component.cpp:299

esphome::ESPPreferenceObject::save
bool save(const T *src)
Definition preferences.h:21

esphome::ESPPreferenceObject::load
bool load(T *dest)
Definition preferences.h:27

esphome::ESPPreferences::sync
virtual bool sync()=0
Commit pending writes to flash.

esphome::ESPPreferences::make_preference
virtual ESPPreferenceObject make_preference(size_t length, uint32_t type, bool in_flash)=0

esphome::safe_mode::SafeModeComponent::read_rtc_
uint32_t read_rtc_()
Definition safe_mode.cpp:175

esphome::safe_mode::SafeModeComponent::should_enter_safe_mode
bool should_enter_safe_mode(uint8_t num_attempts, uint32_t enable_time, uint32_t boot_is_good_after)
Definition safe_mode.cpp:114

esphome::safe_mode::SafeModeComponent::safe_mode_enable_time_
uint32_t safe_mode_enable_time_
The time safe mode should remain active for.
Definition safe_mode.h:48

esphome::safe_mode::SafeModeComponent::on_safe_shutdown
void on_safe_shutdown() override
Definition safe_mode.cpp:191

esphome::safe_mode::SafeModeComponent::loop
void loop() override
Definition safe_mode.cpp:88

esphome::safe_mode::SafeModeComponent::mark_successful
void mark_successful()
Definition safe_mode.cpp:70

esphome::safe_mode::SafeModeComponent::boot_successful_
bool boot_successful_
set to true after boot is considered successful
Definition safe_mode.h:52

esphome::safe_mode::SafeModeComponent::safe_mode_start_time_
uint32_t safe_mode_start_time_
stores when safe mode was enabled
Definition safe_mode.h:50

esphome::safe_mode::SafeModeComponent::safe_mode_boot_is_good_after_
uint32_t safe_mode_boot_is_good_after_
The amount of time after which the boot is considered successful.
Definition safe_mode.h:47

esphome::safe_mode::SafeModeComponent::get_setup_priority
float get_setup_priority() const override
Definition safe_mode.cpp:68

esphome::safe_mode::SafeModeComponent::ota_state_
esp_ota_img_states_t ota_state_
Definition safe_mode.h:55

esphome::safe_mode::SafeModeComponent::safe_mode_rtc_value_
uint32_t safe_mode_rtc_value_
Definition safe_mode.h:49

esphome::safe_mode::SafeModeComponent::dump_config
void dump_config() override
Definition safe_mode.cpp:25

esphome::safe_mode::SafeModeComponent::set_safe_mode_pending
void set_safe_mode_pending(const bool &pending)
Set to true if the next startup will enter safe mode.
Definition safe_mode.cpp:96

esphome::safe_mode::SafeModeComponent::clean_rtc
void clean_rtc()
Definition safe_mode.cpp:182

esphome::safe_mode::SafeModeComponent::write_rtc_
void write_rtc_(uint32_t val)
Definition safe_mode.cpp:170

esphome::safe_mode::SafeModeComponent::rtc_
ESPPreferenceObject rtc_
Definition safe_mode.h:58

esphome::safe_mode::SafeModeComponent::get_safe_mode_pending
bool get_safe_mode_pending()
Definition safe_mode.cpp:110

esphome::safe_mode::SafeModeComponent::ENTER_SAFE_MODE_MAGIC
static const uint32_t ENTER_SAFE_MODE_MAGIC
a magic number to indicate that safe mode should be entered on next boot
Definition safe_mode.h:63

esphome::safe_mode::SafeModeComponent::safe_mode_callback_
CallbackManager< void()> safe_mode_callback_
Definition safe_mode.h:60

esphome::safe_mode::SafeModeComponent::safe_mode_num_attempts_
uint8_t safe_mode_num_attempts_
Definition safe_mode.h:53

util.h

hal.h

log.h

val
mopeka_std_values val[3]
Definition mopeka_std_check.h:8

esphome::safe_mode
Definition automation.h:6

esphome::safe_mode::RTC_KEY
constexpr uint32_t RTC_KEY
RTC key for storing boot loop counter - used by safe_mode and preferences backends.
Definition safe_mode.h:15

esphome::setup_priority::AFTER_WIFI
constexpr float AFTER_WIFI
For components that should be initialized after WiFi is connected.
Definition component.h:41

esphome::global_preferences
ESPPreferences * global_preferences
Definition preferences.cpp:204

esphome::delay
void HOT delay(uint32_t ms)
Definition core.cpp:28

esphome::millis
uint32_t IRAM_ATTR HOT millis()
Definition core.cpp:26

esphome::App
Application App
Global storage of Application pointer - only one Application can exist.

uint32_t
static void uint32_t
Definition crash_handler.cpp:141

safe_mode.h