HW hooks (topology & electrical control)

• Segmentation: switches/muxes to quarantine legacy segments and cut off a hung branch.
• Isolation: safety/functional isolation with a defined delay budget and CMTI requirement.
• Protection: low-C ESD arrays + series-R/RC damping to reduce false hangs and spurious edges.
• Observability: test pads / sense points for SDA/SCL and segment enable/reset lines.

FW hooks (state machines & guarded transitions)

• Enumeration: dynamic addressing flow + address table reconciliation after resets/hot-plug.
• Capability gate: allow escalation only after consistent capability exchange and bus “purity” proof.
• Degrade & recover: deterministic timeouts, retries, bus-clear ladder, segment reset, and re-enumeration.
• Telemetry: structured logs (reason codes, retry counters, timestamps), not a single “timeout” bucket.

TEST hooks (verification & production acceptance)

• Fault injection: emulate SDA/SCL stuck-low, brown-out, and “slow target” behaviors.
• Health metrics: track NAK rate, retry distribution, recovery success rate, and time-to-recover.
• Production pins/paths: BIST/loopback entry points and a fast “mixed-bus acceptance” script.

Typical mixed-bus boundaries

• Base case: 1× I3C master + (I3C targets + legacy I2C devices) sharing SDA/SCL.
• Multi-rail: pull-ups to different domains, isolated segments, and power sequencing constraints.
• Hot-plug & brown-out: devices appear/disappear; partial state machines cause stuck lines.
• Upgrade attempts: push-pull/HDR entry must be prevented unless preconditions are satisfied.

KPI-style pass criteria (placeholders)

• Enumeration success: ENTDAA / discovery success rate ≥ X% across N boots.
• Recovery time: hang detected → bus restored ≤ X ms (95th percentile).
• HDR escalation reliability: HDR entry fail rate ≤ X ppm (or ≤ X%/day).
• Observability: failures mapped to reason codes (timeout subtype, stuck-line type, capability mismatch).

Out-of-scope (kept for sibling pages)

• Full I2C pull-up derivations and rise-time tables (only mixed-bus implications appear here).
• Protocol encyclopedias (command-by-command coverage); only engineering gates and failure patterns are retained.
• Deep PHY/HDR theory; only “why HDR needs gating/segmentation” and guarded transitions are covered here.

Red line #1: legacy devices can disrupt escalation

Consequence: HDR entry fails, bus enters unstable states, or transactions become non-deterministic.
First guard: capability gate + segmentation (HDR only on an I3C-only segment).

Red line #2: a single legacy hang can stall the entire bus

Consequence: discovery/ENTDAA/CCC can time out, causing system-wide communication loss.
First guard: deterministic timeouts + recovery ladder + segment cut capability.

Red line #3: address & recovery state consistency is fragile

Consequence: address tables drift from real bus state; devices “disappear” after recovery; mis-targeted writes occur.
First guard: reconcile/verify after recovery; re-enumerate when invariants fail.

Phase 1 · Common denominator (safe mixed-bus mode)

• OD behavior enforced: conservative timing and bounded edge-rate.
• Discovery & basic access first: ensure read/write stability before any performance upgrade.
• Timeout policy active: “slow” and “stuck” are separated (retry vs recover).

Capability gate · Proof before escalation

• Bus is idle: no stuck-low, stable rails, stable segment connectivity.
• Capability exchange is consistent: targets respond predictably to required capability queries.
• Legacy is absent or isolated: escalation only on an I3C-only segment or a proven “clean” segment.

Phase 2 · Escalation (PP / HDR only behind the gate)

• Escalate on a controlled segment: avoid sharing PP/HDR with unknown legacy devices.
• Rollback is mandatory: failed entry exits to Phase 1 quickly and records a reason code.
• Verify after upgrade: quick post-check before long transfers and production acceptance.

Pass criteria: escalation decisions are repeatable; rollback restores stable communications within X ms.

Pull-up rail selection (rule-of-thumb, mixed-bus safe)

• Choose a rail with defined behavior during brown-out: prevent “ghost powering” through IO structures.
• Preserve OD semantics across level/isolation: avoid translators that can drive ambiguous push-pull during noise.
• Budget static power explicitly: pull-ups that are “too strong” waste power; “too weak” create slow edges and false triggers.

Edge-rate & ringing control (mixed-bus sensitivity)

• Fast edges amplify artifacts: ringing → mis-sampling → retries → timeout → “fake hang”.
• Simple damping helps: small source series-R (or RC shaping) at the edge source reduces Q and overshoot.
• Return path continuity matters: split grounds and long stubs increase common-mode noise and false edges.

Quick verification (minimal but decisive)

• Compare Phase 1 vs Phase 2 waveforms: overshoot/ringing must not grow beyond threshold X.
• Track error signatures: retries/NAKs rising with PP/HDR indicates electrical gating is insufficient.
• Log gate decisions: allow/deny/rollback must emit reason codes and time-to-recover.

Recommended triggers to re-run discovery/addressing

• Cold boot / warm reset: DA table starts “stale” unless verified.
• Hot-plug / segment change: topology change invalidates assumptions.
• Post-recovery: bus clear / segment reset requires reconcile + verify.
• Invariant failure: repeated verify failures, identity mismatch, or abnormal disappearance rate.

Coexistence with I2C static addresses (avoid mis-targeted access)

• Separate access paths: legacy devices are accessed only via a compatibility path; I3C targets via DA table.
• Type confirmation before writes: a write must confirm target type from the DA table/capability gate.
• Same-model multiplicity: require an identity tuple or topology anchor; otherwise mapping is unstable.

ENTDAA stalls / times out

• First check: stuck line vs slow target vs legacy hang dragging a segment.
• Fix direction: isolate the suspect segment, recover, then re-run discover/assign behind a gate.
• Log contract: record timeout subtype + segment identity + recovery action taken.

DA table drifts from real bus state

• First check: verify/reconcile skipped after recovery, reset, or topology change.
• Fix direction: enforce reconcile on triggers; stale entries become “untrusted” until verified.
• Safety: block writes when identity mismatches; quarantine until a clean re-enumeration.

Same-model instances become indistinguishable

• First check: identity tuple is missing or not stable across boots.
• Fix direction: add a topology anchor (segment/port mapping) and require identity verification post-assign.
• Rule: avoid “best-guess mapping”; it breaks production and recovery determinism.

Stage 1 · Detect legacy / non-responsive targets

• Output: bus_purity = i3c_only / mixed / unknown
• Rule: “unknown” must behave like “mixed” (no escalation).

Stage 2 · Read the minimal “escalation-critical” capability set

• Capture (placeholders): max_data_rate / hdr_support / ibi_support
• Consistency: repeated reads must converge (no flip-flop behavior).
• Output: cap_snapshot + cap_consistency = pass/fail

Stage 3 · Allow escalation only behind the gate (otherwise fallback)

• Allow PP/HDR: only if bus_purity=i3c_only AND cap_consistency=pass.
• Fallback: compatibility mode (OD/limited rate) + reason code.
• Rollback: failed entry returns to safe mode within X ms.

Pass criteria: gate decisions are repeatable; false-allow rate ≤ X.

• timestamp — event time
• segment_id — which branch/switch path
• scan_result — i3c_only / mixed / unknown
• cap_set — capability items queried (minimal set)
• resp_code — response/timeout subtype (placeholder)

• retry_count — number of retries
• cap_snapshot_hash — stable summary for comparison
• gate_decision — allow_pp / allow_hdr / fallback / hold_safe
• reason_code — no_response / inconsistent_caps / mixed_bus / stuck_line / timeout_subtype
• time_to_recover — p95 ≤ X ms (placeholder)

Fallback triggers (minimal set)

• bus_purity != i3c_only (mixed/unknown)
• cap_consistency=fail or repeated no-response
• bus_idle=fail or stuck/timeout subtype observed
• post-assign verify fails above threshold X

Fallback actions (must be reversible)

• Lock compatibility mode: OD + limited rate.
• Isolate suspect segments: switch/mux a branch when a legacy hang drags the bus.
• Emit reason codes: enable field correlation and production triage.

Escalation criteria (aligns with H2-5)

• i3c_only segment + consistent caps
• DA table verified (identity + address mapping stable)
• Rollback path active with time-to-recover p95 ≤ X ms

Invalidation conditions (DA table becomes stale)

• Topology change: segment switch state changes.
• Power domain drop: a target may reboot and lose its dynamic address.
• Identity mismatch: verify fails or device signature changes unexpectedly.
• Recovery event: bus clear/segment reset occurred without reconcile.

Re-enumeration triggers (how to re-enter the flow)

• Hot-plug detected → return to Light Probe.
• Post-recovery → reconcile + verify, then gate.
• Invariant failure → quarantine stale entries, re-run discovery.

1) Bus-only-I3C proof (from capability gate)

• Required: bus_purity = i3c_only
• Record: gate_snapshot_hash / segment_id / gate_timestamp
• Deny: mixed or unknown segments

2) Health proof (no hang, no storm)

• Required: bus_idle=pass (guard time ≥ X)
• Limits: hang_rate ≤ X (windowed)
• IBI: ibi_storm_flag = 0 (placeholder)

3) Critical targets ready (defined set)

• Required: target_ready_mask covers the critical set
• Output: missing_ready_list (if any)
• Rule: missing ready → no HDR entry

Entry budgets (placeholders)

• entry_timeout_budget = X ms
• entry_retry ≤ X
• fallback_budget_p95 ≤ X ms

Failure handling (must be deterministic)

• On entry fail: immediate fallback to compat mode (OD/limited rate).
• Always log: hdr_fail_reason_code + segment_id + retry_count.
• No silent retry loops: bounded attempts, then rollback.

Exit + verify (don’t assume “exit = safe”)

• After exit: verify bus_idle + critical target responsiveness.
• If verify fails: compat mode + re-enter discovery/reconcile.
• Evidence: verify_result + time_to_stable.

Retry / CRC / timeout (placeholders)

• retry_limit ≤ X (exceed → exit HDR)
• short timeout → bounded retry
• long timeout → rollback + verify

Error taxonomy (for statistics)

• bus-class (idle/line anomalies)
• target-class (identity/ready mismatches)
• link-class (CRC/retry/timeout)

SDA stuck-low

Bus becomes unusable; must detect with line sampling and isolate the segment before recovery attempts.

SCL stuck-low

Clock is held; transactions time out and may be misdiagnosed unless timeout subtypes are logged.

Infinite clock stretching

Legacy slave delays indefinitely; requires stretch timeout + bounded recovery ladder.

Brown-out half state-machine

Partial reset causes unpredictable line behavior and identity drift; table invalidation + re-enumeration is required after recovery.

Line-state sampling (idle proof)

• sda_level / scl_level (sampled)
• idle_guard_time ≥ X (continuous)
• stuck_low_counter (windowed)

Per-transaction timeouts

• txn_timeout (per transaction)
• stretch_timeout (clock stretch guard)
• timeout_subtype (no_response / stretch / stuck_line)

Metrics (for acceptance)

• hang_rate ≤ X (windowed)
• recovery_success_rate ≥ X%
• time_to_recover_p95 ≤ X ms

Level 1 · Soft

• bus-clear (clock pulses)
• bounded retries
• exit if bus_idle=pass within X

Level 2 · Segment reset

• disconnect/reconnect suspect segment
• validate trunk stability
• re-probe before reintegration

Level 3 · Target reset

• reset the target (if available)
• verify identity + responsiveness
• failure → escalate ladder

Level 4 · Power cycle

• power-domain reset (last resort)
• invalidate DA table
• re-enumerate + re-gate before HDR

Template 1 · Single bus

• Best for: few targets, short traces, low legacy risk.
• Main risk: one hang can stall the entire bus.
• HDR posture: usually disabled or highly constrained.
• Must-have hooks: strict timeouts + recovery + telemetry.

Template 2 · Switched segments

• Best for: multiple branches and unknown legacy behavior.
• Main benefit: fault containment + controlled reintegration.
• HDR posture: allowed only on proven i3c-only segments.
• Must-have hooks: segment health states + re-enumeration triggers.

Template 3 · Isolated domains

• Best for: cross-ground/noisy systems or safety boundaries.
• Main benefit: domain faults do not propagate across isolation.
• HDR posture: per-domain policy; escalation requires stable evidence.
• Must-have hooks: delay budget + OD semantics preservation.

Budget items (placeholders)

• added_delay (switch/isolator)
• cap_increment (port input + switch parasitics)
• edge_rate_change (slew / ringing)
• recovery_time (isolate + recover + re-enumerate)

Acceptance checks (placeholders)

• compat: transaction success ≥ X%, bus_idle pass
• i3c_only HDR: entry success ≥ X%, fallback p95 ≤ X ms
• isolation: cross-domain faults do not propagate (test-case verified)

Pitfall 1 · Fault containment failure

• legacy hang corrupts bus-wide state (DA table, gate evidence)
• solution: per-segment isolation + per-segment health + re-gate after recovery
• evidence: segment_id tagged on every gate / recovery / entry log

Pitfall 2 · Ghost powering

• powered-off segment is back-fed via pull-ups / protection paths → half state-machine
• solution: pull-up to the correct rail, ensure true hi-Z when off, isolate by segment when needed
• acceptance: off segment must not sink SDA/SCL; recovery must force re-enumeration

Discover

Line-state checks + lightweight probing; no escalation allowed.

Assign

Build identity and address table; record retries and outcomes.

Run

Normal operation; separate compat-run from i3c-run; HDR only if gate says i3c-only.

Degrade

Uncertainty or failure trend → compat-only, no HDR/PP, minimal safe transactions.

Recover

Isolation + recovery ladder; then return to Discover/Reconcile with DA-table hygiene.

Protocol outcomes

• ccc_failure_code, ccc_retry_count
• entdaa_retry_count
• hdr_entry_attempts, hdr_entry_fail_reason

Bus/segment context

• bus_purity (i3c_only/mixed/unknown)
• segment_id, segment_health
• gate_snapshot_id

Line/hang visibility

• line_stuck_duration (SDA/SCL)
• timeout_subtype distribution
• fallback_time_ms (p50/p95)