I think you're missing the point... thus far, there has not been a sufficiently robust method proposed that would have the following features:
- no false positives
- no true negatives
- no potential 'failsafe' related collisions/conflicts with the network infrastructure/topology/hosts.
It's not that I'm saying it cannot be done (although I do think it's a rather hard nut to crack)... but rather that nothing presented so far provides a path that would be considered safe for implementation insofar as a generic/universal method to be embedded into the core OpenWrt firmware.
If someone comes up with a robust and safe mthod, I will change my mind, of course. That may be you and/or others -- I'll give credit where due.
This is not necessarily true. There are threads where people with dual boot systems have had their devices mysteriously boot into a previous OpenWrt version (or stock firmware) with no apparent explanation of why. It turns out that they had power issues and it just so happened that it triggered the Linksys failover method (which is, btw, done at the boot loader level, so well before OpenWrt could affect such a thing). Although it is statistically very unlikely, it is still far more likely that an external power event could trigger the buttonless-failsafe than it is that the hardware button itself would be triggered unintentionally.
Regarding the special "failsafe-magic-packet" idea... maybe this is a possible path. But until someone designs a detailed proposal that could actually work, I still don't know that it is realistic. Fundamentally, if OpenWrt can't bring up the LAN or has some other major fault due to misconfiguration, there's no way to guarantee that it could listen on a given interface for said magic packet.
Yes, that's true. But, remember that we need to guarantee false positive triggers won't happen (it could disable the entire network). And, as I said previously, the button-based approach does mean there is physical proximity which means it is possible to manipulate the connections. If a buttonless method was triggered, even if intentionally, there is still a risk that the physical connections might need to be changed but without an easy way to do this without breaking out the ladder... in which case, what is the purpose of the buttonless method?
IMO, for your scenario, you'd probably benefit from a dual-partition device that switches partitions based on code in the and the boot loader, actuated by a specific power cycling sequence (for example, a Linksys device). There is a more significant benefit for this -- you could have a known good configuration (valid for your unique network topology) on the alternate partition, so although it's not easy to fix the other partition, at least you're back to where you were.