rudi, I know that your goal is always to be helpful but when posting on the forums please be polite and don't tell people to "RTFM", especially when their post says that they've read the available docs.
doglike wrote: Mon Aug 26, 2019 1:49 pm
At that stage, I have my key on device and have ota1 flashed with my pre-encrypted binary.
Is this right?
Is the device now ready to run or is something missing?
If the only steps you followed are the exact ones shown here, then the device won't work as flash encryption is not actually enabled (FLASH_CRYPT_CNT efuse is still zero), and no bootloader or partition table has been flashed. But it's also not bricked.
For the *first boot* you should flash absolutely everything in plaintext (bootloader, partition table, app) and let the bootloader (compiled with flash encryption enabled in the config) encrypt the device itself and set all the relevant efuses.
If you want to use a pre-generated key then you still follow the same basic process, the only difference is that *before* you flash anything you need to do the "espefuse.py --port *COMport* burn_key flash_encryption MY_KEY.bin" step. Then on first boot the bootloader will see there is already a flash encryption key set and won't generate a new one.
After the first boot the flash will be encrypted and you can do "espsecure.py encrypt_flash_data" and re-flash with updated pre-encrypted binaries, as needed.
Specifically, the set of steps to follow starts from here (IDF v3.2):
https://docs.espressif.com/projects/esp ... yption-key
If you're using ESP-IDF v4.x (master branch) then we added a new "development mode" flash encryption config so it's no longer necessary to save a pre-generated key in order to re-flash the app many times during development. Those steps are here:
https://docs.espressif.com/projects/esp ... pment-mode
doglike wrote: Mon Aug 26, 2019 1:49 pm
I anyway bricked a chip yesterday
The good news is, if flash encryption wasn't enabled permanently (and secure boot is disabled) then the chip is probably not bricked. Specifically, if the FLASH_CRYPT_CNT efuse is still writeable and not at the maximum value. You can check with "espefuse.py summary".
The steps to disable flash encryption are here:
https://docs.espressif.com/projects/esp ... encryption
If you know the flash encryption key that was burned to this chip, you can re-enable flash encryption as if it was a new chip and burn pre-encrypted updates from then on.
If the flash encryption key was randomly generated on first boot then you can only re-enable a few more times, or you can keep this unit as an unencrypted ESP32 from now on.
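The reply above tells you to run "espefuse.py summary" and look at FLASH_CRYPT_CNT to judge whether a chip is really bricked, and notes that encryption can only be re-enabled a few more times. The script below is an added example written for this thread, not code from the forum reply or from ESP-IDF: it takes a summary dump on stdin and reports whether flash encryption is currently enabled, whether the efuse is still writable, and how many enable/disable toggles remain. It assumes the summary row layout `FLASH_CRYPT_CNT ... = 3 R/W (0x3)` (with `R/-` meaning write-protected), and the ESP32 rule that encryption is enabled when the 7-bit counter has an odd number of set bits, since each enable or disable burns one more bit. The embedded sample dump is constructed, not taken from a real device.

```shell
#!/bin/sh
# Added example, not from the forum post or from ESP-IDF: read an
# "espefuse.py summary" dump (piped on stdin) and report whether an ESP32
# still has flash encryption enabled and whether FLASH_CRYPT_CNT can still be
# written, which is the "is it bricked?" check the reply describes.
#
# Assumed summary row layout (verify against your own espefuse.py version):
#   FLASH_CRYPT_CNT   Flash encryption mode counter   = 3 R/W (0x3)
# "R/W" means the efuse is still writable, "R/-" means it is write-protected.
set -eu

# Constructed sample dump for offline use (not a real device).
SAMPLE_SUMMARY='FLASH_CRYPT_CNT        Flash encryption mode counter                     = 1 R/W (0x1)
FLASH_CRYPT_CONFIG     Flash encryption config (key tweak bits)          = 15 R/W (0xf)
ABS_DONE_0             secure boot enabled for bootloader                = 0 R/W (0x0)'

# Decimal value of FLASH_CRYPT_CNT, taken from the token after "=".
flash_crypt_cnt_value() {
    awk '/^FLASH_CRYPT_CNT/ { for (i = 1; i <= NF; i++) if ($i == "=") { print $(i + 1); exit } }'
}

# "writable" while the efuse row still shows R/W, "locked" once it shows R/-.
flash_crypt_cnt_writable() {
    awk '/^FLASH_CRYPT_CNT/ { if ($0 ~ / R\/W /) print "writable"; else print "locked"; exit }'
}

# Number of set bits in a small non-negative integer.
popcount() {
    n=$1
    c=0
    while [ "$n" -gt 0 ]; do
        c=$((c + (n & 1)))
        n=$((n >> 1))
    done
    echo "$c"
}

# On ESP32 flash encryption is enabled when FLASH_CRYPT_CNT has an odd number
# of set bits: each enable or disable burns one more bit (0 -> 1 -> 3 -> 7 ...).
flash_encryption_state() {
    cnt=$(flash_crypt_cnt_value)
    if [ $(( $(popcount "$cnt") % 2 )) -eq 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Enable/disable toggles still available: one per unburned bit of the 7-bit counter.
toggles_left() {
    cnt=$(flash_crypt_cnt_value)
    echo $(( 7 - $(popcount "$cnt") ))
}

# Human-readable verdict for a dump on stdin. Against a real board, replace the
# sample with:  espefuse.py --port "$ESPPORT" summary | report
report() {
    dump=$(cat)
    state=$(printf '%s\n' "$dump" | flash_encryption_state)
    lock=$(printf '%s\n' "$dump" | flash_crypt_cnt_writable)
    left=$(printf '%s\n' "$dump" | toggles_left)
    echo "flash encryption: $state; FLASH_CRYPT_CNT: $lock; toggles left: $left"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SUMMARY" | report
```

A dump showing `= 0 R/W` means the first boot never enabled encryption, which is the situation the reply describes for the pre-encrypted-only flashing attempt; a dump with `R/-` or all seven bits burned means the counter can no longer be changed and the reply's disable procedure no longer applies.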