Flash Encryption key write protection.
Hi,
espefuse.py --port COM155 burn_key flash_encryption my_flash_encryption_key.bin
I am getting this error:
A fatal error occurred: The efuse block has already been write protected.
I think I already burned the key. Can I delete and reburn the key on the ESP32 board? I lost my previous key.
I also tried
// to disable encryption.
espefuse.py --port COM155 burn_efuse FLASH_CRYPT_CNT
espefuse.py --port COM155 burn_efuse DISABLE_DL_DECRYPT
espefuse.py --port COM155 write_protect_efuse DISABLE_DL_ENCRYPT
but no luck. How do I remove write protection?
I am following this documentation.
http://esp-idf.readthedocs.io/en/latest ... ption.html
Thanks,
Naeem
Re: Flash Encryption key write protection.
Efuse is permanent, no erasing and no unlocking. That is why it is secure.
Re: Flash Encryption key write protection.
OK, can I read the key that I burned via efuse using C/C++ code and print it on the console?
Re: Flash Encryption key write protection.
Use the espefuse.py summary command to check.
Re: Flash Encryption key write protection.
I tried.
https://github.com/espressif/esptool/wiki/espefuse
espefuse.py --port /dev/ttyUSB1 dump
espefuse.py v2.0-dev
Connecting....
EFUSE block 0:
00000000 c40042xx xxxxxxxx 00000000 00000033 00000000 00000000
I saw my EFUSE block 0.
How can I generate the flash encryption key bin file from it?
Re: Flash Encryption key write protection.
1-
espsecure.py generate_flash_encryption_key acti_flash_encryption_key.bin
2-
espefuse.py --port COM155 burn_key flash_encryption acti_flash_encryption_key.bin
3-
espsecure.py encrypt_flash_data --keyfile acti_flash_encryption_key.bin --address 0x10000 -o ./build/app-encrypted.bin ./build/app-template.bin
4-
esptool.py --port COM155 --baud 115200 write_flash 0x10000 ./build/app-encrypted.bin
Are these steps correct? Am I missing any steps?
My partition_table is custom.
No factory.
# Name, Type, SubType, Offset, Size
nvs, data, nvs, 0x9000, 0x4000
otadata, data, ota, 0xd000, 0x2000
phy_init, data, phy, 0xf000, 0x1000
ota_0, app, ota_0, 0x10000, 0x1f0000
ota_1, app, ota_1, , 0x1f0000
Re: Flash Encryption key write protection.
Show the summary command, not the dump command; it is easier to read.
Re: Flash Encryption key write protection.
The summary command shows this.
The flash encryption key is all 00. Is this correct? Can I set the flash encryption key again, and how?
Security fuses:
FLASH_CRYPT_CNT Flash encryption mode counter = 3 R/- (0x3)
FLASH_CRYPT_CONFIG Flash encryption config (key tweak bits) = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE Disable ROM BASIC interpreter fallback = 1 R/- (0x1)
ABS_DONE_0 secure boot enabled for bootloader = 0 R/W (0x0)
ABS_DONE_1 secure boot abstract 1 locked = 0 R/W (0x0)
JTAG_DISABLE Disable JTAG = 0 R/W (0x0)
DISABLE_DL_ENCRYPT Disable flash encryption in UART bootloader = 0 R/- (0x0)
DISABLE_DL_DECRYPT Disable flash decryption in UART bootloader = 1 R/- (0x1)
DISABLE_DL_CACHE Disable flash cache in UART bootloader = 0 R/- (0x0)
BLK1 Flash encryption key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -/-
BLK2 Secure boot key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLK3 Variable Block 3
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
Efuse fuses:
WR_DIS Efuse write disable mask = 32900 R/W (0x8084)
RD_DIS Efuse read disablemask = 1 R/W (0x1)
CODING_SCHEME Efuse variable block length scheme = 0 R/W (0x0)
KEY_STATUS Usage of efuse block 3 (reserved) = 0 R/W (0x0)
Config fuses:
XPD_SDIO_FORCE Ignore MTDI pin (GPIO12) for VDD_SDIO on reset = 0 R/W (0x0)
XPD_SDIO_REG If XPD_SDIO_FORCE, enable VDD_SDIO reg on reset = 0 R/W (0x0)
XPD_SDIO_TIEH If XPD_SDIO_FORCE & XPD_SDIO_REG, 1=3.3V 0=1.8V = 0 R/W (0x0)
SPI_PAD_CONFIG_CLK Override SD_CLK pad (GPIO6/SPICLK) = 0 R/W (0x0)
SPI_PAD_CONFIG_Q Override SD_DATA_0 pad (GPIO7/SPIQ) = 0 R/W (0x0)
SPI_PAD_CONFIG_D Override SD_DATA_1 pad (GPIO8/SPID) = 0 R/W (0x0)
SPI_PAD_CONFIG_HD Override SD_DATA_2 pad (GPIO9/SPIHD) = 0 R/W (0x0)
SPI_PAD_CONFIG_CS0 Override SD_CMD pad (GPIO11/SPICS0) = 0 R/W (0x0)
DISABLE_SDIO_HOST Disable SDIO host = 0 R/W (0x0)
Identity fuses:
MAC MAC Address
= 30:ae:a4:3b:7a:c0 (CRC 5f OK) R/W
CHIP_VERSION Chip version = 8 -/W (0x8)
CHIP_PACKAGE Chip package identifier = 0 -/W (0x0)
Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V).
Re: Flash Encryption key write protection.
It shows as all zero because it is read and write protected, so you cannot read it and cannot change it. You could still let the ESP32 encrypt the flash, but you won't have the key, so think carefully about the limitations.
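The point of the reply above, as an added example that is not part of the thread or of esptool: judge a key block by its permission column (`R/W`, `-/-`) rather than by the bytes shown. The sample text is constructed in the layout of the quoted summary output, and `parse_summary` and `key_block_report` are hypothetical helper names.

```python
import re

# Constructed sample in the layout of the `espefuse.py summary` output quoted
# in the thread (one-line fuses, plus key blocks split over two lines).
ZEROS = " ".join(["00"] * 32)
SAMPLE_SUMMARY = f"""\
Security fuses:
FLASH_CRYPT_CNT Flash encryption mode counter = 3 R/- (0x3)
JTAG_DISABLE Disable JTAG = 0 R/W (0x0)
BLK1 Flash encryption key
= {ZEROS} -/-
BLK2 Secure boot key
= {ZEROS} R/W
"""

ONE_LINE = re.compile(r"^(\w+)\s+.*?\s=\s+(\S+)\s+([R-])/([W-])\s+\(0x[0-9a-fA-F]+\)$")
VALUE_LINE = re.compile(r"^=\s*(.*?)\s+([R-])/([W-])$")

def parse_summary(text):
    """Return {fuse name: (value, readable, writable)} from summary text."""
    fuses, pending = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        one, val = ONE_LINE.match(line), VALUE_LINE.match(line)
        if one:
            fuses[one.group(1)] = (one.group(2), one.group(3) == "R", one.group(4) == "W")
        elif val and pending:
            fuses[pending] = (val.group(1), val.group(2) == "R", val.group(3) == "W")
        # A bare "NAME description" line names the block whose value follows.
        pending = line.split()[0] if line and not (one or val) else None
    return fuses

def key_block_report(fuses, block="BLK1"):
    """Classify a key block from its permission flags, not from its readback."""
    value, readable, writable = fuses[block]
    all_zero = set(value.split()) == {"00"}
    if not readable:
        # Read-protected blocks read back as zeros whatever was burned.
        contents = "hidden"
    else:
        contents = "empty" if all_zero else "key visible to software"
    return {"contents": contents, "burn_key_possible": writable}

if __name__ == "__main__":
    fuses = parse_summary(SAMPLE_SUMMARY)
    for blk in ("BLK1", "BLK2"):
        print(blk, key_block_report(fuses, blk))
```

Run against a saved summary before `burn_key`: a block reported as `hidden` with `burn_key_possible` false is the state that produces the "already been write protected" error in the first post.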
Re: Flash Encryption key write protection.
OK, got it.
I have more ESP32 boards. I will keep my generated private key file from now on.
Thanks,
Naeem