Reformatting a Machine 125 Million Miles Away

An anonymous reader writes: NASA's Opportunity rover has been rolling around the surface of Mars for over 10 years. It's still performing scientific observations, but the mission team has been dealing with a problem: the rover keeps rebooting. It's happened a dozen times this month, and the process is a bit more involved than rebooting a typical computer. It takes a day or two to get back into operation every time. To try and fix this, the Opportunity team is planning a tricky operation: reformatting the flash memory from 125 million miles away. "Preparations include downloading to Earth all useful data remaining in the flash memory and switching the rover to an operating mode that does not use flash memory. Also, the team is restructuring the rover's communication sessions to use a slower data rate, which may add resilience in case of a reset during these preparations." The team suspects some of the flash memory cells are simply wearing out. The reformat operation is scheduled for some time in September.

Hey, Bob, this is Jim

[Anonymous Coward]

We're gonna need you to go out to the rover and reboot it. Yeah, it got stuck. You should probably leave ASAP.

Deploy the Paperclip!

[apraetor]

I'm picturing something akin to those Shuttle missions to repair flaws in the Hubble telescope's optics, except involving a NASA-engineered paperclip.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[sillybilly]

It's running on solar power, that's how it lasts 10 years. Though the rechargeable battery must be tough to take so many recarchings.

Ideally, you have redundant systems for such a situation, where you can take one of them down and use the other to do the booting, formatting, programming, as if there were a user sitting right next to it. They say it has a flashless mode of operation, but the way I think of it, as in a regular PC, with a BIOS, you can reformat the harddrive without booting off of and using th

Re:

[Anonymous Coward]

Wow. Talk about missing an obvious joke and over-thinking the response. Seriously epic *WHOOSH*

Re: Simple fix

[Anonymous Coward]

Ass-burgers.

Re: Simple fix

[LinuxLuver]

Don't think he missed it. The previous comment probably just provoked a related tangent.

Re:

[sound+vision]

tl;dr on the whole post BUT... I've had my iPod nano in daily use for the past 8 years and it's still going strong. True, it doesn't need to power any motors - but the design specs probably also allocate a lot less weight to the battery.

Re:

[davester666]

what's this step 4??

Press the reset button.

Who the hell designed this stuff?

And I thought I was cool...

[toygeek]

When I reboot machines in Asia or UK/EU using IPMI from the US.

Re:And I thought I was cool...

[marcello_dl]

And I thought I was cool when I reboot servers around the world thinking I am rebooting mine.

Err, if you're a system admin..

[Viol8]

... you're not cool. Period. Sorry.

Re:

[Anonymous Coward]

Everybody is a system admin when linux is involved, and I like it that way. But I digress.
alias halt='echo Use shutdown instead'
alias reboot='echo Use shutdown instead'

Re:

[marcello_dl]

Err, if taking a server offline, no matter the reason, is a serious problem, then you are not a good - or properly funded - sysadmin.

sad

[electrosoccertux]

can parent be modded funny not insightful? Insightful is too depressing...

Do unto others...

Re:

[Anonymous Coward]

Typing out "Period" makes you look retarded.

Re:Err, if you're a system admin..

[TeknoHog]

Chill out. They're just having that time of the month.

Re:

[bbsalem]

I think he was talking about "In the current directory" :-)

If there is a problem and need to call "support"

[Anonymous Coward]

do they get sombody in or from India?

Re:

[sillybilly]

I'll be glad to help you with that Sir.

Re:

[Noah Haders]

A tech support guy from India helped me with my licensing problem. He was very nice and efficient and solved it right away. No complaints.

Re:

[sillybilly]

Sometimes when I sound mocking, ironic and sarcastic, I'm actually serious, as in ironic-ironic, or sarcastic-sarcastic. A lot of Americans simply smack the phone down on Indian tech support, saying gimme somebody who speaks English. I patiently listen to them struggle through it.

Re:

[Noah Haders]

that makes no sense.

Send someone

[TheDarkMaster]

With a replacement SLC SSD and a screwdriver

ECC?

[TechyImmigrant]

They didn't do any ECC on the flash memory? I thought these people were rocket scientists.

Re:

[Anonymous Coward]

As it happens, for flash, read errors are often transient. A better model than DRAM style ECC is to treat it more like a disk drive with checksums on each block. If you get an error, reread the block. And if you have a problem writing a block (e.g. the readback is wrong), just use a new block. Surely you've noticed that your USB thumbdrive gradually gets smaller with time as blocks wear out. (In space hardware, back in 2000, wear leveling was done manually.. still is as far as I know.. there's no nice rad

Re:

[lightbounce]

ECC use is standard with all flash storage. Flash is so unreliable that it can't be used without it, and it has nothing to do with the hard radiation environment on Mars. As for wear leveling, it's been standard since at least 1990 with the first attempts at flash storage. Why the rovers don't do it, I don't know. Maybe because it requires too many cycles of an already limited processor, plus dedicated storage space to keep "use counts" of all the flash blocks.

Re:

[Agripa]

ECC use is standard with all flash storage. Flash is so unreliable that it can't be used without it, and it has nothing to do with the hard radiation environment on Mars.

NOR Flash does not normally use ECC and has reliability closer to that of EEPROM than NAND Flash.

Re:

[Agripa]

The long duration radiation performance of flash memory (particularly back in 2000, when these things were being designed) was/is not particularly well understood.

Flash is another form of floating gate memory. Wouldn't the known long duration performance of EPROM and EEPROM apply?

Re:

[Anonymous Coward]

The rocket scientists did their job ten years ago. They're working at McDonalds now.

Re: ECC?

[Anonymous Coward]

This would make an interesting movie plot where they have to recall all the older, laid off rocket scientists working at McDonald's and bagging groceries at the supermarket to reboot an idle probe on a far away planet because it's the only one that can be repurposed to save the earth from an asteroid impact. But only the old guys know the hardware and can reprogram the firmware.

Yeah I'm a laid off old guy. Get off my lawn!

Re: ECC?

[rickb928]

And add in the volunteer group that decided to save the project, working out of an abandoned McDonald's.

Oh, wait....

Re:

[daremonai]

No wonder the last quarter-pounder I had tasted a little odd.

Odder than usual, I mean.

Re:

[schlachter]

Well, in their defense, ECC on the flash memory isn't exactly rocket science.

Re:

[TechyImmigrant]

If you're so smart, why aren't you advocating using BCH codes or Reed Solomon codes or some form of forward error correction code over code and data stored in flash so random bit errors in flash won't affect the code that is stored in the flash? What is your super clever alternative?
 

Re:ECC?

[Nimey]

You're a poster child for Dunning-Kruger [wikipedia.org]: some random on the Internet who thinks he's smarter than the folks who designed a Mars rover that lasted over 10 years past its 90-day expected life.

Re:

[DMUTPeregrine]

There's also the matter that better ECCs cost more overhead. You can detect single bit errors with a simple parity bit, but double errors will go undetected. And even something like Reed-Solomon can't correct all the errors it can detect. Spacecraft going to mars have very limited mass budgets, there are often better places to spend the extra mass than on an additional redundant flash chip (and associated circuitry).

Re:

[TechyImmigrant]

>You can detect single bit errors with a simple parity bit

You can detect (2^32-1)/(2^32) of every possible failure pattern with a CRC. With a combination of a multiple bit error correction algorithm (with most correction schemes n bits can be corrected with 2n redundant error correction bits) and then the CRC can be used to tell if you correctly corrected the data.

Re:

[Noah Haders]

They clearly overspecced it. Maybe if had been designed more reasonably they could have sent more.

Re:

[M1FCJ]

Most of the hardware cost is the launch vehicle, not the rover.
Most of the people (salary) cost is the people working on the data generated (all accross the universities around the world who analze the data and write papers), not the designers.

Underspeccing it wouldn't have saved much.

There's one that breaks this rule, the JWST. Just the endless redesigns have gobbled up so much money, I don't believe there will be enough Science generated by it to cover the build & launch costs.

Re:

[WaffleMonster]

You're a poster child for Dunning-Kruger: some random on the Internet who thinks he's smarter than the folks who designed a Mars rover that lasted over 10 years past its 90-day expected life.

Not too often but occasionally the stupid get lucky and in some perverted way lack of knowledge and consideration of detail can lead to better outcomes.

After awhile one has to admit having to be careful when you transmit for fears it would even be possible for commands to be misinterpreted or designing something which knowingly continually writes to flash memory using DOS era FAT filesystems is not a winning play no matter how much you throw the reliability arguments at the wall and expect them to stick.

And

Re:

[TechyImmigrant]

>You're a poster child for Dunning-Kruger

Actually I am an engineer who has designed many error correction circuits for communication and storage systems. I think I know how much I know about error correction systems, which is plenty for this conversation.

While the statement was made in Slashdot jackass style, the question is legitimate. Why didn't they do any or more ECC on the flash that is failing. There is probably a perfectly fine answer like "We knew the expected error rate and It was designed to la

Re:

[romons]

On the other hand, it is all still working. It reboots occasionally. My computer does that. By reformatting, they will map out any bad sectors, which is probably the issue, and it'll run for another 10 years. Sounds like a smart technology tradeoff to me. Use cheap, off the shelf hardware, and KISS it to death. Write a special driver, or build special hardware to do ECC, and you end up with a bug that causes the system to freeze in an unrecoverable way.

Re:Remote management

[ledow]

Not really...

The chances are that "reformat" isn't what we think and includes one of more of:

1) Rewriting cells and allowing wear-levelling and sector-replacement to take place, and make bad sectors as bad.
2) Write-testing and manually avoiding those sectors that don't perform as expected.
3) Rewriting all the critical storage functions to avoid the already-known bad sectors.

It's the kind of thing that anyone can play with. Not saying it's not risky on a remote device, but BadRAM etc. patches have been in places for years and that's a way to run Linux on machines with faulty ***RAM****, not just long-term storage.

Many years ago, a bad sector on your hard drive was something you found out with scandisk (or previous tools) and then it was marked as bad and that was the end of that. Your PC wouldn't use it and so long as it wasn't the boot sector, that was the end of that. It was only the "creeping" bad sectors, where you got more bad sectors over time, that would really worry anyone.

I imagine that it's not at all difficult to make sure that multiple boot sectors were in place if you really wanted to but why bother? The chances are billions to one. Chances are this hardware has MUCH better fault tolerance and multiple hardware watchdogs, firmware, and boot attempts to make sure it eventually gets back up SOMEHOW.

There's a reason that even FAT stores two copies of the allocation table, why Linux ext filesystems store multiple copies of the superblock, etc. They come from a legacy where the occasional bad sector wasn't a problem and where 20Mb of hard drive cost more than the computer did so it was better to cope with the fault than just tell people to buy a new one. And their predecessors were (and still are) mainframes with hardware that's just that fault-tolerant in the first place anyway.

It's not at all hard to write a filesystem that can cope with not only damage, but even recurring damage. You've seen PAR files presumably? The same could easily be done on a filesystem-level basis (and I imagine, somewhere, already is for some specialist niche).

It's not that big a deal once they KNOW that's the problem. The biggest problem is that they only "suspect" that's the problem.

Re:

[pegdhcp]

Ultrix used to mark bad sectors on the fly, as far as I could remember, if the disk was not a SCSI...

Re:

[M1FCJ]

Hah, I remember running the DOS debugger, poking into a certain address in the memory to access the MFM BIOS, then you could do a low level format where you could enter the sectors to mark as bad. Those were the days...

Re:

[M1FCJ]

"g=c800:5."
Hah, I almost remembered that one, good old Seagate controllers. I had the 800 but not the rest. :)

Re:

[lightbounce]

I always thought that the disk controller should do idle scrubbing. Are there any modern SATA disks that do this?

No, the drives themselves don't do this because it pulls the head away from where the host wants/expects it to be. This would result in a lot of unexpected thrashing. If scrubbing is to be done, it is best done by the OS as a background task.

Re:

[lgw]

You've seen PAR files presumably? The same could easily be done on a filesystem-level basis (and I imagine, somewhere, already is for some specialist niche).

While all hard drives now do their own Hamming error correction (or something better), RAID2 is the same idea for "raw" storage that doesn't: you write explicit ECCs to redundant volumes to allow recovery from both drive loss and bad sectors.

RAID5 with modern drives gives all the same resiliency, as the drives do the block-level ECC themselves, so you never see RAID2. But for a pile of flash memory, that's the filesystem-level equivalent of PAR files.

Re:

[MasterOfMagic]

It's not at all hard to write a filesystem that can cope with not only damage, but even recurring damage. You've seen PAR files presumably? The same could easily be done on a filesystem-level basis (and I imagine, somewhere, already is for some specialist niche).

You mean like RAID-5? Because RAID-5 was part of the inspiration for the PAR2 format.

Alternative Title

[wisnoskij]

How to brick a 2.5 billion dollar device.

Re:

[TapeCutter]

Not sure if it was opportunity or its twin, but one of them required a modem reset not long after landing.

Re:Alternative Title

[Zarhan]

Not modem reset. The filesystem on Spirit had bunch of temp files and other stuff from the Earth-Mars flight, and apparently it just ran out of inodes. So basically they had to remote into whatever constitutes a bootloader with 20 mins of latency and remove some of the no-longer-needed files.

See http://science.slashdot.org/st... [slashdot.org]

Re:Alternative Title

[rasmusbr]

I would imagine that the system probably boots itself off of a ROM chip that has a routine for receiving data from Earth and storing it in RAM and then flashing that data onto the flash chip.

If the rover does not boot from ROM then it is a miracle that it hasn't bricked itself yet.

Re:

[Agripa]

I would imagine that the system probably boots itself off of a ROM chip that has a routine for receiving data from Earth and storing it in RAM and then flashing that data onto the flash chip.

I wonder if the ROM would actually be a floating gate ROM instead of mask ROM or fuse based PROM in which case it would be more like EPROM or NOR Flash.

Does anybody even make mask ROM or fuse based PROM any more?

Re:

[rasmusbr]

I checked and it is EEPROM. And there are two EEPROM:s, I presume those are for redundancy in case one gets zapped.

2.5 billion?

[Viol8]

I dunno so much these days. Its 10 years old and got a few miles on the clock plus collection for the new owner would be an issue. On the plus side vandalism won't be a worry. For a few centuries anyway.

Alternative Title

[Whiternoise]

They will almost certainly do a dummy run on an identical piece of flight hardware on Earth. The only difference is how the data are sent.

Re:

[wisnoskij]

And the state of the hardware. Some unknown number of systems on the real curiosity are degraded to the point of malfunctioning; And they have little to no way of exactly measuring what and where.

Re:

[dotancohen]

And the state of the hardware. Some unknown number of systems on the real curiosity are degraded to the point of malfunctioning; And they have little to no way of exactly measuring what and where.

Opportunity. Curiosity is on the other side of Mars, nuturing holes in its wheels and looking for cats to kill.

Re:

[Nimey]

Never attribute to malice that which is adequately explained by stupidity.

Is it running Windows?

[mark_reh]

Is it?

Re:Is it running Windows?

[Psychotria]

You're probably joking, but the OS is VxWorks.

2014-- year of Linux on Mars?

[electrosoccertux]

???

Why is it not trivial?

[nurb432]

Why didn't they plan ahead for this sort of operation in the beginning, making it painless and 'reliable' ( as possible ).

Re:

[beelsebob]

Who says they didn't?

Re:

[SeaFox]

Why didn't they plan ahead for this sort of operation in the beginning, making it painless and 'reliable' ( as possible ).

That's a joke, right? We are talking about one of the two rovers [xkcd.com] that was sent to Mars on a mission planned to only last 90 days. They didn't see "flash memory wearing out from use" as a contingency they needed to plan for.

Re:

[Nimey]

You're a poster child for Dunning-Kruger [wikipedia.org]: some random on the Internet who thinks he's smarter than the folks who designed a Mars rover that lasted over 10 years past its 90-day expected life.

Re:

[Nimey]

Put up or shut up: who are you, really?

Re:

[Nimey]

If you're going to troll and be full of shit, save us both time and say so up front.

Re:

[Nimey]

Boring troll is boring. Put your back into it, boy.

Re:

[Nimey]

I don't believe a word of it.

Re:

[Nimey]

Further, if this is you:
http://www.fiero.nl/cgi-bin/fi... [fiero.nl]

You're conclusively an idiot. Only an idiot believes in homeopathy.

Re:

[nurb432]

Sorry, not the same person. No "nickname" is overly unique in the online world these days. Its not 1980 anymore.

But i dont want to blow my karma.

Re:

[Nimey]

Yeah, bullshit. Your nickname has enough entropy that it's exceedingly unlikely this is not you.

Re:

[nurb432]

Nah, its not. But believe what you wish, it is a free country. ( assuming a US citizen here )

Re:

[Nimey]

You really need to level-up your trolling. This is 101-level shit, son.

Re:

[nurb432]

You are more than welcome to get a court order and demand IP addresses, then compare them. I'm sure both places log IP+posts.

Re:

[Nimey]

*snore*

Re:

[nurb432]

Don't need to prove anything to a potty mouthed coward.

anything starting with "why didn't they just..."

[electrosoccertux]

shoot the asker?

Re:

[sound+vision]

The specifications for this mission were that the rover should last 6 months on the surface. Currently we are at over 100 months.

Re:

[TheDarkMaster]

Do not waste your time with the Nimey, he's just another troll who can not understand what others write and he take pleasure in offending others when writing.

Re:

[nurb432]

Ya, i figured that out, a bit too late.

Re:

[nurb432]

What kind of handwaving armchair wannabe are you?

One that plans ahead well enough that this would not considered 'news'. Instead it would be just SoP.

Assumptions

[DaMattster]

I believe NASA is operating under the assumption that the rover's on board flash memory is still serviceable. 10 years ago flash memory was still in its relative infancy. A reformat and reload risks bricking the rover completely.

Re:

[beelsebob]

I believe you're assuming that the flash used on a rover that went to mars, and encounters all kinds of crazy radiation, is in some way similar to the crappy OCZ thing you stuck in your PC 10 years ago.

Re:

[Nimey]

You're a poster child for Dunning-Kruger [wikipedia.org]: some random on the Internet who thinks he's smarter than the folks who designed a Mars rover that lasted over 10 years past its 90-day expected life.

Re:

[M1FCJ]

Assigned a macro to this reply, haven't you? Clever boy, want a medal?

Re:

[M1FCJ]

Don't forget, we don't hear what the techies are talking about. What we're hearing is what the techies told to the PR guy distilled down to a journo, being summarized in The Register (!) and some other soft-tech sites, finally an inaccurate summary on the frontpage of Slashdot.

I wouldn't be surprised if it were just a "fsck.ext4 -cc" (I know it's not an ext4, it was't even released when Opportunity soft-crashed and bounced around on Mars nor it runs Linux).

Failing flash cells?

[Twinbee]

I didn't realize they used OCZ for the storage tech. ;)

Re:

[Anonymous Coward]

It was designed to last 3 months and failed after 10 years.
If OCZ was involved, it'd be the other way around. ;)

I"d hate to be the guy

[TigerPlish]

I'd hate to be the guy a) pitching this operation at the change control meeting, and b) the guy signing off on this change.

It worked on Spirit

[lemur3]

they had to do this type of thing on spirit shortly after it arrived on mars..

read more here: http://trs-new.jpl.nasa.gov/ds... [nasa.gov]

or the PDF linked therin here http://trs-new.jpl.nasa.gov/ds... [nasa.gov]

its got all sorts of awesome details.

We commanded a shutdown, which terminated the
current communication window, and the loss of signal occurred at the predicted time. Fifty minutes later, we commanded a beep at 7.8125 bps to alert us if the shutdown command did not work, and much to our disappointment, the beep was received!

really a fun read. ..im guessing theyll be doing a lot of similar stuff

stressful job

[lkernan]

Man, hope they don't select the wrong partition.....

Capacitors

[njhunter]

I'm sure they didn't get any of their capacitors from that bad batch a few years past.

Sort of like ...

[PPH]

... handing over remote desktop access to tech support in Bangalore.

Now if only we could get a Martian to IM during the process: "Yes. The little red LED is blinking ....."

The Real Rover Problem Explained

[magicandjewel]

Flash memory isn't the Rover's problem. It's still running XP and there are no more hot fixes. At this point the Rover's system has massive "bit rot," not to mention that it's been hacked countless times by the Chinese. Undeterred by this seemingly insurmountable problem, Microsoft has donated a Windows Phone for communications back to earth and a Surface Pro to power the Rover "because it's just like a computer." They didn't say just who's going to operate their touch-only interfaces. It all makes perfect

Re: Protip

[Anonymous Coward]

They should have used what genius?