"invalid header" error with Secure boot and flash encryption enabled
Posted: Wed Dec 23, 2020 5:53 am
Platform: ESP32 LYRATD SYNS V1.3
ESP IDF: ESP IDF 4.0
I enabled Secure boot and Flash encyption using following options in menuconfig:
size of bootloader.bin --> 0x9B70
I have custom partition table
Build and flashed bootloader and applicaiton using following commands:
After reset board boot up properly and I saw logs related to encryption being performed. Following was the efuse summary:
For testing reflashing, I made a minor change in application (added a log) , built app and signed with same key and flashed application using following command:
I got following error:
I thought that this is becuse of insufficient partition table offset so inscrased partition table offset to 0x10000
After incresing parting table offset, I built bootloader, partition table and application using the steps mentione earlier and flashed all of them.
After this I am stuck in a situation where I always get following error:
This is the second board that I seem to have bricked (First one was https://www.esp32.com/viewtopic.php?f=13&t=18272).
Please help me recover this board.
ESP IDF: ESP IDF 4.0
I enabled Secure boot and Flash encyption using following options in menuconfig:
Code: Select all
Bootloader Config -> Bootloader log verbosity-> Info
Security Features->
Enable hardware secure boot in bootloader-> Selected
Secure bootloader mode -> Reflashable
Sign binaries during build -> Not selected
Secure boot public signature verification key -> /home/mydir/secure_boot_signing_key_pub.bin
Hardware key Encoding -> No encoding
Allow potentially insecure options -> Selected
Enable flash encryption on boot-> Selected
Enable usages mode -> Development
Potentially insecure options->
Leave ROM BASIC Interpreter available on reset -> Selected
Allow JTAG debugging -> Selected
Allow app partition length not 64 KB aligned -> Not Selected
Leave UART bootloader encryption enabled -> Selected
Leave UART bootloader decryption enabled -> Selected
Leave UART bootloader flash cache enabled -> Selected
Require flash encryption to be already enabled -> Not selected
Partition table ->
Offset of partition table -> 0xb000
I have custom partition table
Code: Select all
nvs, data, nvs, , 0x6000,
phy_init, data, phy, , 0x1000,
factory, app, factory, , 2M,
otadata, data, ota, , 0x2000,
ota_0, app, ota_0, , 2M,
ota_1, app, ota_1, , 2M,
spiffs, data, spiffs, 0x00630000, 8M,
Code: Select all
openssl ecparam -name prime256v1 -genkey -noout -out secure_boot_signing_key.pem
python espsecure.py extract_public_key --keyfile secure_boot_signing_key.pem secure_boot_signing_key_pub.bin
espsecure.py digest_private_key --keylen 256 --keyfile secure_boot_signing_key.pem secure-bootloader-key-256.bin
idf.py bootloader
python espefuse.py burn_key secure_boot secure-bootloader-key-256.bin
python esptool.py --before default_reset --after no_reset write_flash --flash_mode dio --flash_freq 80m --flash_size 16MB -u 0x1000 bootloader.bin
python esptool.py --before default_reset --after no_reset write_flash --flash_mode dio --flash_freq 80m --flash_size 16MB -u 0x0 bootloader-reflash-digest.bin (On subsequent flash)
idf.py build
python espsecure.py sign_data --keyfile secure_boot_signing_key.pem myApp.bin
python espsecure.py sign_data --keyfile secure_boot_signing_key.pem partition-table.bin
idf.py -p /dev/ttyUSB0 flash
Code: Select all
EFUSE_NAME Description = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Security fuses:
FLASH_CRYPT_CNT Flash encryption mode counter = 1 R/W (0x1)
FLASH_CRYPT_CONFIG Flash encryption config (key tweak bits) = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE Disable ROM BASIC interpreter fallback = 1 R/W (0x1)
ABS_DONE_0 secure boot enabled for bootloader = 1 R/W (0x1)
ABS_DONE_1 secure boot abstract 1 locked = 0 R/W (0x0)
JTAG_DISABLE Disable JTAG = 0 R/W (0x0)
DISABLE_DL_ENCRYPT Disable flash encryption in UART bootloader = 0 R/W (0x0)
DISABLE_DL_DECRYPT Disable flash decryption in UART bootloader = 0 R/W (0x0)
DISABLE_DL_CACHE Disable flash cache in UART bootloader = 0 R/W (0x0)
BLK1 Flash encryption key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK2 Secure boot key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK3 Variable Block 3
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
Efuse fuses:
WR_DIS Efuse write disable mask = 384 R/W (0x180)
RD_DIS Efuse read disablemask = 3 R/W (0x3)
CODING_SCHEME Efuse variable block length scheme = 0 R/W (0x0)
KEY_STATUS Usage of efuse block 3 (reserved) = 0 R/W (0x0)
Config fuses:
XPD_SDIO_FORCE Ignore MTDI pin (GPIO12) for VDD_SDIO on reset = 0 R/W (0x0)
XPD_SDIO_REG If XPD_SDIO_FORCE, enable VDD_SDIO reg on reset = 0 R/W (0x0)
XPD_SDIO_TIEH If XPD_SDIO_FORCE & XPD_SDIO_REG, 1=3.3V 0=1.8V = 0 R/W (0x0)
CLK8M_FREQ 8MHz clock freq override = 53 R/W (0x35)
SPI_PAD_CONFIG_CLK Override SD_CLK pad (GPIO6/SPICLK) = 0 R/W (0x0)
SPI_PAD_CONFIG_Q Override SD_DATA_0 pad (GPIO7/SPIQ) = 0 R/W (0x0)
SPI_PAD_CONFIG_D Override SD_DATA_1 pad (GPIO8/SPID) = 0 R/W (0x0)
SPI_PAD_CONFIG_HD Override SD_DATA_2 pad (GPIO9/SPIHD) = 0 R/W (0x0)
SPI_PAD_CONFIG_CS0 Override SD_CMD pad (GPIO11/SPICS0) = 0 R/W (0x0)
DISABLE_SDIO_HOST Disable SDIO host = 0 R/W (0x0)
Identity fuses:
MAC Factory MAC Address
= 7c:9e:bd:cf:11:c8 (CRC 0xd0 OK) R/W
CHIP_VER_REV1 Silicon Revision 1 = 1 R/W (0x1)
CHIP_VER_REV2 Silicon Revision 2 = 1 R/W (0x1)
CHIP_VERSION Reserved for future chip versions = 2 R/W (0x2)
CHIP_PACKAGE Chip package identifier = 1 R/W (0x1)
Calibration fuses:
BLK3_PART_RESERVE BLOCK3 partially served for ADC calibration data = 0 R/W (0x0)
ADC_VREF Voltage reference calibration = 1065 R/W (0x15)
Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V).
Code: Select all
idf.py build
python espsecure.py sign_data --keyfile secure_boot_signing_key.pem myApp.bin
python espsecure.py sign_data --keyfile secure_boot_signing_key.pem partition-table.bin
idf.py -p /dev/ttyUSB0 flash
Code: Select all
rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:1
load:0x3fff0018,len:4
load:0x3fff001c,len:11068
load:0x40078000,len:23980
ho 0 tail 12 room 4
load:0x40080400,len:4644
entry 0x400806ec
0;32mI (100) boot: Chip Revision: 30m
0;32mI (100) boot_comm: chip revision: 3, min. bootloader chip revision: 10m
0;32mI (46) boot: ESP-IDF e192eb7 2nd stage bootloader0m
0;32mI (46) boot: compile time 14:18:260m
0;32mI (46) boot: Enabling RNG early entropy source...0m
0;32mI (51) boot: SPI Speed : 80MHz0m
0;32mI (55) boot: SPI Mode : DIO0m
0;32mI (59) boot: SPI Flash Size : 16MB0m
0;31mE (63) flash_parts: partition 0 invalid magic number 0x2caa0m
0;31mE (69) boot: Failed to verify partition table0m
0;31mE (74) boot: load partition table error!0m
ets Jul 29 2019 12:21:46
After incresing parting table offset, I built bootloader, partition table and application using the steps mentione earlier and flashed all of them.
After this I am stuck in a situation where I always get following error:
Code: Select all
rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
invalid header: 0x1fc44fe3
invalid header: 0x1fc44fe3
invalid header: 0x1fc44fe3
invalid header: 0x1fc44fe3
Please help me recover this board.