Flash Encryption key write protection.

snahmad75
Posts: 445
Joined: Wed Jan 24, 2018 6:32 pm

Postby snahmad75 » Mon May 07, 2018 4:36 pm

Hi,

espefuse.py --port COM155 burn_key flash_encryption my_flash_encryption_key.bin

I am getting this error:
A fatal error occurred: The efuse block has already been write protected.

I think I already burned the key. Can I delete and reburn the key on the ESP32 board? I lost my previous key.

I also tried

// to disable encryption.

espefuse.py --port COM155 burn_efuse FLASH_CRYPT_CNT

espefuse.py --port COM155 burn_efuse DISABLE_DL_DECRYPT
espefuse.py --port COM155 write_protect_efuse DISABLE_DL_ENCRYPT

But no luck. How do I remove write protection?

I am following this documentation.

http://esp-idf.readthedocs.io/en/latest ... ption.html


Thanks,
Naeem

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: Flash Encryption key write protection.

Postby WiFive » Mon May 07, 2018 10:12 pm

Efuse is permanent, no erasing and no unlocking. That is why it is secure.


Re: Flash Encryption key write protection.

Postby snahmad75 » Tue May 08, 2018 7:55 am

OK, can I read the key that I burned via efuse using C/C++ code and print it on the console?


Re: Flash Encryption key write protection.

Postby WiFive » Tue May 08, 2018 8:18 am

Use espefuse.py summary command to check


Re: Flash Encryption key write protection.

Postby snahmad75 » Tue May 08, 2018 9:06 am

I tried.
https://github.com/espressif/esptool/wiki/espefuse

espefuse.py --port /dev/ttyUSB1 dump
espefuse.py v2.0-dev
Connecting....
EFUSE block 0:
00000000 c40042xx xxxxxxxx 00000000 00000033 00000000 00000000

I saw my EFUSE block 0

How can I generate the flash encryption key bin file from it?


Re: Flash Encryption key write protection.

Postby snahmad75 » Tue May 08, 2018 9:13 am

1-
espsecure.py generate_flash_encryption_key acti_flash_encryption_key.bin

2-
espefuse.py --port COM155 burn_key flash_encryption acti_flash_encryption_key.bin

3-
espsecure.py encrypt_flash_data --keyfile acti_flash_encryption_key.bin --address 0x10000 -o ./build/app-encrypted.bin ./build/app-template.bin

4-

esptool.py --port COM155 --baud 115200 write_flash 0x10000 ./build/app-encrypted.bin


Are these steps correct? Am I missing any steps?


My partition_table is custom.

No factory.

# Name, Type, SubType, Offset, Size
nvs, data, nvs, 0x9000, 0x4000
otadata, data, ota, 0xd000, 0x2000
phy_init, data, phy, 0xf000, 0x1000
ota_0, app, ota_0, 0x10000, 0x1f0000
ota_1, app, ota_1, , 0x1f0000


Re: Flash Encryption key write protection.

Postby WiFive » Tue May 08, 2018 10:43 am

Show the summary command, not the dump command; it is easier to read.


Re: Flash Encryption key write protection.

Postby snahmad75 » Tue May 08, 2018 10:50 am

Summary command shows this

Flash encryption key is all 00. Is this correct? Can I set the flash encryption key again, and how?


Security fuses:
FLASH_CRYPT_CNT Flash encryption mode counter = 3 R/- (0x3)
FLASH_CRYPT_CONFIG Flash encryption config (key tweak bits) = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE Disable ROM BASIC interpreter fallback = 1 R/- (0x1)
ABS_DONE_0 secure boot enabled for bootloader = 0 R/W (0x0)
ABS_DONE_1 secure boot abstract 1 locked = 0 R/W (0x0)
JTAG_DISABLE Disable JTAG = 0 R/W (0x0)
DISABLE_DL_ENCRYPT Disable flash encryption in UART bootloader = 0 R/- (0x0)
DISABLE_DL_DECRYPT Disable flash decryption in UART bootloader = 1 R/- (0x1)
DISABLE_DL_CACHE Disable flash cache in UART bootloader = 0 R/- (0x0)
BLK1 Flash encryption key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -/-
BLK2 Secure boot key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLK3 Variable Block 3
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Efuse fuses:
WR_DIS Efuse write disable mask = 32900 R/W (0x8084)
RD_DIS Efuse read disablemask = 1 R/W (0x1)
CODING_SCHEME Efuse variable block length scheme = 0 R/W (0x0)
KEY_STATUS Usage of efuse block 3 (reserved) = 0 R/W (0x0)

Config fuses:
XPD_SDIO_FORCE Ignore MTDI pin (GPIO12) for VDD_SDIO on reset = 0 R/W (0x0)
XPD_SDIO_REG If XPD_SDIO_FORCE, enable VDD_SDIO reg on reset = 0 R/W (0x0)
XPD_SDIO_TIEH If XPD_SDIO_FORCE & XPD_SDIO_REG, 1=3.3V 0=1.8V = 0 R/W (0x0)
SPI_PAD_CONFIG_CLK Override SD_CLK pad (GPIO6/SPICLK) = 0 R/W (0x0)
SPI_PAD_CONFIG_Q Override SD_DATA_0 pad (GPIO7/SPIQ) = 0 R/W (0x0)
SPI_PAD_CONFIG_D Override SD_DATA_1 pad (GPIO8/SPID) = 0 R/W (0x0)
SPI_PAD_CONFIG_HD Override SD_DATA_2 pad (GPIO9/SPIHD) = 0 R/W (0x0)
SPI_PAD_CONFIG_CS0 Override SD_CMD pad (GPIO11/SPICS0) = 0 R/W (0x0)
DISABLE_SDIO_HOST Disable SDIO host = 0 R/W (0x0)

Identity fuses:
MAC MAC Address
= 30:ae:a4:3b:7a:c0 (CRC 5f OK) R/W
CHIP_VERSION Chip version = 8 -/W (0x8)
CHIP_PACKAGE Chip package identifier = 0 -/W (0x0)

Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V).


Re: Flash Encryption key write protection.

Postby WiFive » Tue May 08, 2018 11:09 am

It shows as all zero because it is read and write protected. So you cannot read it and cannot change it. You could still let esp32 encrypt the flash but you won't have the key so think carefully about the limitations.
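
The point of the reply above, as an added example (not part of the original posts and not esptool code): a small parser for the espefuse.py summary text format shown in this thread that reads the R/W flags and reports when a key block's zeros are a read-protection mask rather than its contents. The function names and state labels are assumptions made for this example; the sample lines are taken from the summary posted above.

```python
import re

ZEROS = " ".join(["00"] * 32)
# Sample input: lines taken from the summary output posted in this thread.
SAMPLE_SUMMARY = f"""\
Security fuses:
FLASH_CRYPT_CNT Flash encryption mode counter = 3 R/- (0x3)
FLASH_CRYPT_CONFIG Flash encryption config (key tweak bits) = 15 R/W (0xf)
DISABLE_DL_DECRYPT Disable flash decryption in UART bootloader = 1 R/- (0x1)
BLK1 Flash encryption key
= {ZEROS} -/-
BLK2 Secure boot key
= {ZEROS} R/W
"""

# Trailing access flags: "R/W", "R/-", "-/W" or "-/-", optionally followed by "(0x..)".
FLAGS = re.compile(r"\s+([R-])/([W-])(?:\s+\(0x[0-9a-fA-F]+\))?\s*$")

def parse_summary(text):
    """Return {fuse_name: {"value", "readable", "writable"}} from summary text."""
    fuses, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FLAGS.search(line)
        if not m:
            # No flags on this line: it may be the name line of a two-line entry (BLKn).
            pending = line.split()[0] if line and not line.endswith(":") else None
            continue
        head, _, value = line[:m.start()].rpartition("=")
        name = head.split()[0] if head.strip() else pending
        pending = None
        if name:
            fuses[name] = {"value": value.strip(),
                           "readable": m.group(1) == "R",
                           "writable": m.group(2) == "W"}
    return fuses

def key_block_state(fuses, block="BLK1"):
    """Classify a key block: the displayed bytes only mean something if it is readable."""
    f = fuses[block]
    if not f["readable"]:
        # Read-protected: the tool shows zeros whatever was burned, so the key is unknown.
        return "masked" if f["writable"] else "masked+locked"
    return "blank" if set(f["value"].split()) == {"00"} else "visible"

if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_SUMMARY)
    for blk in ("BLK1", "BLK2"):
        print(blk, key_block_state(parsed, blk))
```
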


Re: Flash Encryption key write protection.

Postby snahmad75 » Tue May 08, 2018 11:20 am

OK, got it.

I have more ESP32 boards. I will keep my generated private key file from now onward.

Thanks,
Naeem
