bootloader problem (encryption/signing)

Posted: Wed Jan 05, 2022 2:12 pm
by Jacek@dtm.pl
I bricked my module...

Code:

secure boot check fail
ets_main.c 371
ets Jun  8 2016 00:22:57

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0030,len:5660
ho 0 tail 12 room 4
load:0x40078000,len:14624
load:0x40080400,len:3940
ESP-IDF v4.4-beta1-dirty

I tried secure boot and signing, but something went wrong and it doesn't work. Now I have disabled all security features in menuconfig and incremented FLASH_CRYPT_CNT.

Code:

Calibration fuses:
BLK3_PART_RESERVE (BLOCK0):                        BLOCK3 partially served for ADC calibration data   = False R/W (0b0)
ADC_VREF (BLOCK0):                                 Voltage reference calibration                      = 1107 R/W (0b00001)

Config fuses:
XPD_SDIO_FORCE (BLOCK0):                           Ignore MTDI pin (GPIO12) for VDD_SDIO on reset     = False R/W (0b0)
XPD_SDIO_REG (BLOCK0):                             If XPD_SDIO_FORCE, enable VDD_SDIO reg on reset    = False R/W (0b0)
XPD_SDIO_TIEH (BLOCK0):                            If XPD_SDIO_FORCE & XPD_SDIO_REG                   = 1.8V R/W (0b0)
CLK8M_FREQ (BLOCK0):                               8MHz clock freq override                           = 51 R/W (0x33)
SPI_PAD_CONFIG_CLK (BLOCK0):                       Override SD_CLK pad (GPIO6/SPICLK)                 = 0 R/W (0b00000)
SPI_PAD_CONFIG_Q (BLOCK0):                         Override SD_DATA_0 pad (GPIO7/SPIQ)                = 0 R/W (0b00000)
SPI_PAD_CONFIG_D (BLOCK0):                         Override SD_DATA_1 pad (GPIO8/SPID)                = 0 R/W (0b00000)
SPI_PAD_CONFIG_HD (BLOCK0):                        Override SD_DATA_2 pad (GPIO9/SPIHD)               = 0 R/W (0b00000)
SPI_PAD_CONFIG_CS0 (BLOCK0):                       Override SD_CMD pad (GPIO11/SPICS0)                = 0 R/W (0b00000)
DISABLE_SDIO_HOST (BLOCK0):                        Disable SDIO host                                  = False R/W (0b0)

Efuse fuses:
WR_DIS (BLOCK0):                                   Efuse write disable mask                           = 384 R/W (0x0180)
RD_DIS (BLOCK0):                                   Efuse read disable mask                            = 3 R/W (0x3)
CODING_SCHEME (BLOCK0):                            Efuse variable block length scheme
   = NONE (BLK1-3 len=256 bits) R/W (0b00)
KEY_STATUS (BLOCK0):                               Usage of efuse block 3 (reserved)                  = False R/W (0b0)

Identity fuses:
MAC (BLOCK0):                                      Factory MAC Address
   = 24:0a:c4:69:f8:f4 (CRC 0x31 OK) R/W
MAC_CRC (BLOCK0):                                  CRC8 for factory MAC address                       = 49 R/W (0x31)
CHIP_VER_REV1 (BLOCK0):                            Silicon Revision 1                                 = True R/W (0b1)
CHIP_VER_REV2 (BLOCK0):                            Silicon Revision 2                                 = False R/W (0b0)
CHIP_VERSION (BLOCK0):                             Reserved for future chip versions                  = 0 R/W (0b00)
CHIP_PACKAGE (BLOCK0):                             Chip package identifier                            = 1 R/W (0b001)
MAC_VERSION (BLOCK3):                              Version of the MAC field                           = 0 R/W (0x00)

Security fuses:
FLASH_CRYPT_CNT (BLOCK0):                          Flash encryption mode counter                      = 3 R/W (0b0000011)
UART_DOWNLOAD_DIS (BLOCK0):                        Disable UART download mode (ESP32 rev3 only)       = False R/W (0b0)
FLASH_CRYPT_CONFIG (BLOCK0):                       Flash encryption config (key tweak bits)           = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE (BLOCK0):                    Disable ROM BASIC interpreter fallback             = True R/W (0b1)
ABS_DONE_0 (BLOCK0):                               Secure boot V1 is enabled for bootloader image     = True R/W (0b1)
ABS_DONE_1 (BLOCK0):                               Secure boot V2 is enabled for bootloader image     = False R/W (0b0)
JTAG_DISABLE (BLOCK0):                             Disable JTAG                                       = True R/W (0b1)
DISABLE_DL_ENCRYPT (BLOCK0):                       Disable flash encryption in UART bootloader        = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0):                       Disable flash decryption in UART bootloader        = True R/W (0b1)
DISABLE_DL_CACHE (BLOCK0):                         Disable flash cache in UART bootloader             = True R/W (0b1)
BLOCK1 (BLOCK1):                                   Flash encryption key
   = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK2 (BLOCK2):                                   Secure boot key
   = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK3 (BLOCK3):                                   Variable Block 3
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V).

Is it possible to fix it?
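
The following is an added example, not part of the original post: a small parser that reads the security eFuses from an `espefuse.py summary` dump like the one above and reports the resulting boot security state. It relies on the documented ESP32 rule that flash encryption is active only when an odd number of bits is set in the 7-bit FLASH_CRYPT_CNT field; the function names are this example's own.

```python
import re

# Excerpt of the summary posted above (Security fuses section only).
SUMMARY = """\
Security fuses:
FLASH_CRYPT_CNT (BLOCK0):                          Flash encryption mode counter                      = 3 R/W (0b0000011)
ABS_DONE_0 (BLOCK0):                               Secure boot V1 is enabled for bootloader image     = True R/W (0b1)
ABS_DONE_1 (BLOCK0):                               Secure boot V2 is enabled for bootloader image     = False R/W (0b0)
DISABLE_DL_ENCRYPT (BLOCK0):                       Disable flash encryption in UART bootloader        = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0):                       Disable flash decryption in UART bootloader        = True R/W (0b1)
BLOCK1 (BLOCK1):                                   Flash encryption key
   = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK2 (BLOCK2):                                   Secure boot key
   = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK3 (BLOCK3):                                   Variable Block 3
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
"""

CRYPT_CNT_WIDTH = 7  # FLASH_CRYPT_CNT is a 7-bit field on ESP32
NAME_RE = re.compile(r"^(\w+) \(BLOCK\d\):\s*(.*)$")
RAW_RE = re.compile(r"\((0b[01]+|0x[0-9a-fA-F]+)\)\s*$")


def parse_summary(text):
    """Map fuse name -> value string; handles values wrapped onto the next line."""
    fuses, pending = {}, None
    for line in text.splitlines():
        m = NAME_RE.match(line.rstrip())
        if m:
            name, rest = m.groups()
            if " = " in rest:
                fuses[name] = rest.split(" = ", 1)[1].strip()
                pending = None
            else:
                pending = name  # value follows on an indented "= ..." line
        elif pending and line.lstrip().startswith("="):
            fuses[pending] = line.lstrip()[1:].strip()
            pending = None
    return fuses


def raw_bits(value):
    """Return the raw integer printed in the trailing (0b...) / (0x...) group."""
    m = RAW_RE.search(value)
    return int(m.group(1), 0) if m else None


def encryption_enabled(crypt_cnt):
    """Odd number of burned bits means flash encryption is on."""
    return bin(crypt_cnt).count("1") % 2 == 1


def assess(fuses):
    cnt = raw_bits(fuses["FLASH_CRYPT_CNT"])
    ones = bin(cnt).count("1")

    def flag(name):
        return raw_bits(fuses[name]) == 1

    return {
        "flash_encryption_enabled": encryption_enabled(cnt),
        # eFuse bits only go 0 -> 1, so each state change consumes one bit.
        "crypt_cnt_burns_left": CRYPT_CNT_WIDTH - ones,
        "secure_boot_v1": flag("ABS_DONE_0"),
        "secure_boot_v2": flag("ABS_DONE_1"),
        "uart_dl_encrypt_disabled": flag("DISABLE_DL_ENCRYPT"),
        "uart_dl_decrypt_disabled": flag("DISABLE_DL_DECRYPT"),
        # Read-protected key blocks are printed as "??" by espefuse.py.
        "unreadable_blocks": sorted(
            n for n, v in fuses.items() if n.startswith("BLOCK") and v.startswith("??")
        ),
    }


def findings(state):
    notes = []
    if not state["flash_encryption_enabled"]:
        notes.append(
            "FLASH_CRYPT_CNT has an even number of bits set: flash is read as "
            "plaintext, so images pre-encrypted with encrypt_flash_data are not "
            "decrypted on read."
        )
    if state["secure_boot_v1"]:
        notes.append(
            "ABS_DONE_0 is burned: Secure Boot V1 stays enabled and the ROM "
            "checks the bootloader digest on every reset."
        )
    return notes


if __name__ == "__main__":
    state = assess(parse_summary(SUMMARY))
    for key, value in state.items():
        print(f"{key}: {value}")
    for note in findings(state):
        print("-", note)
```

For the fuse values posted above it reports flash encryption as disabled (two bits set in FLASH_CRYPT_CNT) while Secure Boot V1 remains enabled.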

Re: bootloader problem (encryption/signing)

Posted: Fri Jan 07, 2022 8:29 pm
by Jacek@dtm.pl
Still no luck. Please look at the exact steps:
1. I have generated "maxbt_key.bin" for encryption and "secure_boot_signing_key.pem" for signing. They are in the "secure" folder in the project.
2. Cleaning the project:

Code:

F:\GitHub\ble_spp_server>idf.py fullclean
Executing action: fullclean
Done

2. I made the bootloader:

Code:

F:\GitHub\ble_spp_server>idf.py bootloader
Executing action: bootloader
Running cmake in directory f:\github\ble_spp_server\build
Executing "cmake -G Ninja -DPYTHON_DEPS_CHECKED=1 -DESP_PLATFORM=1 -DIDF_TARGET=esp32 -DCCACHE_ENABLE=1 f:\github\ble_spp_server"...
-- Found Git: C:/Program Files/Git/cmd/git.exe (found version "2.21.0.windows.1")
-- ccache will be used for faster recompilation
-- The C compiler identification is GNU 8.4.0
-- The CXX compiler identification is GNU 8.4.0
-- The ASM compiler identification is GNU
-- Found assembler: C:/Users/jacek/.espressif/tools/xtensa-esp32-elf/esp-2021r2-8.4.0/xtensa-esp32-elf/bin/xtensa-esp32-elf-gcc.exe
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: C:/Users/jacek/.espressif/tools/xtensa-esp32-elf/esp-2021r2-8.4.0/xtensa-esp32-elf/bin/xtensa-esp32-elf-gcc.exe - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: C:/Users/jacek/.espressif/tools/xtensa-esp32-elf/esp-2021r2-8.4.0/xtensa-esp32-elf/bin/xtensa-esp32-elf-g++.exe - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Building ESP-IDF components for target esp32
-- Project sdkconfig file F:/GitHub/ble_spp_server/sdkconfig
Loading defaults file F:/GitHub/ble_spp_server/sdkconfig.defaults...
-- Found PythonInterp: C:/Users/jacek/.espressif/python_env/idf4.4_py3.7_env/Scripts/python.exe (found version "3.7.3") 
-- Could NOT find Perl (missing: PERL_EXECUTABLE)
-- App "maxbt" version: 0102
-- Adding linker script F:/GitHub/ble_spp_server/build/esp-idf/esp_system/ld/memory.ld
-- Adding linker script F:/GitHub/esp-idf/components/esp_system/ld/esp32/sections.ld.in
-- Adding linker script F:/GitHub/esp-idf/components/esp_rom/esp32/ld/esp32.rom.ld
-- Adding linker script F:/GitHub/esp-idf/components/esp_rom/esp32/ld/esp32.rom.api.ld
-- Adding linker script F:/GitHub/esp-idf/components/esp_rom/esp32/ld/esp32.rom.libgcc.ld
-- Adding linker script F:/GitHub/esp-idf/components/esp_rom/esp32/ld/esp32.rom.newlib-data.ld
-- Adding linker script F:/GitHub/esp-idf/components/esp_rom/esp32/ld/esp32.rom.syscalls.ld
-- Adding linker script F:/GitHub/esp-idf/components/esp_rom/esp32/ld/esp32.rom.newlib-funcs.ld
-- Adding linker script F:/GitHub/esp-idf/components/esp_rom/esp32/ld/esp32.rom.newlib-time.ld
-- Adding linker script F:/GitHub/esp-idf/components/soc/esp32/ld/esp32.peripherals.ld
-- Components: app_trace app_update asio bootloader bootloader_support bt cbor cmock coap console cxx driver efuse esp-tls esp32 esp_adc_cal esp_common esp_eth esp_event esp_gdbstub esp_hid esp_http_client esp_http_server esp_https_ota esp_https_server esp_hw_support esp_ipc esp_lcd esp_local_ctrl esp_netif esp_phy esp_pm esp_ringbuf esp_rom esp_serial_slave_link esp_system esp_timer esp_websocket_client esp_wifi espcoredump esptool_py expat fatfs freemodbus freertos hal heap idf_test ieee802154 jsmn json libsodium log lwip main mbedtls mdns mqtt newlib nghttp nvs_flash openssl openthread partition_table perfmon protobuf-c protocomm pthread sdmmc soc spi_flash spiffs tcp_transport tcpip_adapter tinyusb ulp unity usb vfs wear_levelling wifi_provisioning wpa_supplicant xtensa
-- Component paths: F:/GitHub/esp-idf/components/app_trace F:/GitHub/esp-idf/components/app_update F:/GitHub/esp-idf/components/asio F:/GitHub/esp-idf/components/bootloader F:/GitHub/esp-idf/components/bootloader_support F:/GitHub/esp-idf/components/bt F:/GitHub/esp-idf/components/cbor F:/GitHub/esp-idf/components/cmock F:/GitHub/esp-idf/components/coap F:/GitHub/esp-idf/components/console F:/GitHub/esp-idf/components/cxx F:/GitHub/esp-idf/components/driver F:/GitHub/esp-idf/components/efuse F:/GitHub/esp-idf/components/esp-tls F:/GitHub/esp-idf/components/esp32 F:/GitHub/esp-idf/components/esp_adc_cal F:/GitHub/esp-idf/components/esp_common F:/GitHub/esp-idf/components/esp_eth F:/GitHub/esp-idf/components/esp_event F:/GitHub/esp-idf/components/esp_gdbstub F:/GitHub/esp-idf/components/esp_hid F:/GitHub/esp-idf/components/esp_http_client F:/GitHub/esp-idf/components/esp_http_server F:/GitHub/esp-idf/components/esp_https_ota F:/GitHub/esp-idf/components/esp_https_server F:/GitHub/esp-idf/components/esp_hw_support F:/GitHub/esp-idf/components/esp_ipc F:/GitHub/esp-idf/components/esp_lcd F:/GitHub/esp-idf/components/esp_local_ctrl F:/GitHub/esp-idf/components/esp_netif F:/GitHub/esp-idf/components/esp_phy F:/GitHub/esp-idf/components/esp_pm F:/GitHub/esp-idf/components/esp_ringbuf F:/GitHub/esp-idf/components/esp_rom F:/GitHub/esp-idf/components/esp_serial_slave_link F:/GitHub/esp-idf/components/esp_system F:/GitHub/esp-idf/components/esp_timer F:/GitHub/esp-idf/components/esp_websocket_client F:/GitHub/esp-idf/components/esp_wifi F:/GitHub/esp-idf/components/espcoredump F:/GitHub/esp-idf/components/esptool_py F:/GitHub/esp-idf/components/expat F:/GitHub/esp-idf/components/fatfs F:/GitHub/esp-idf/components/freemodbus F:/GitHub/esp-idf/components/freertos F:/GitHub/esp-idf/components/hal F:/GitHub/esp-idf/components/heap F:/GitHub/esp-idf/components/idf_test F:/GitHub/esp-idf/components/ieee802154 F:/GitHub/esp-idf/components/jsmn F:/GitHub/esp-idf/components/json 
F:/GitHub/esp-idf/components/libsodium F:/GitHub/esp-idf/components/log F:/GitHub/esp-idf/components/lwip F:/GitHub/ble_spp_server/main F:/GitHub/esp-idf/components/mbedtls F:/GitHub/esp-idf/components/mdns F:/GitHub/esp-idf/components/mqtt F:/GitHub/esp-idf/components/newlib F:/GitHub/esp-idf/components/nghttp F:/GitHub/esp-idf/components/nvs_flash F:/GitHub/esp-idf/components/openssl F:/GitHub/esp-idf/components/openthread F:/GitHub/esp-idf/components/partition_table F:/GitHub/esp-idf/components/perfmon F:/GitHub/esp-idf/components/protobuf-c F:/GitHub/esp-idf/components/protocomm F:/GitHub/esp-idf/components/pthread F:/GitHub/esp-idf/components/sdmmc F:/GitHub/esp-idf/components/soc F:/GitHub/esp-idf/components/spi_flash F:/GitHub/esp-idf/components/spiffs F:/GitHub/esp-idf/components/tcp_transport F:/GitHub/esp-idf/components/tcpip_adapter F:/GitHub/esp-idf/components/tinyusb F:/GitHub/esp-idf/components/ulp F:/GitHub/esp-idf/components/unity F:/GitHub/esp-idf/components/usb F:/GitHub/esp-idf/components/vfs F:/GitHub/esp-idf/components/wear_levelling F:/GitHub/esp-idf/components/wifi_provisioning F:/GitHub/esp-idf/components/wpa_supplicant F:/GitHub/esp-idf/components/xtensa
-- Configuring done
CMake Warning (dev) at F:/GitHub/esp-idf/tools/cmake/component.cmake:470 (add_library):
  Policy CMP0115 is not set: Source file extensions must be explicit.  Run
  "cmake --help-policy CMP0115" for policy details.  Use the cmake_policy
  command to set the policy and suppress this warning.

  File:

    F:/GitHub/ble_spp_server/main/SX1231Driver.c
Call Stack (most recent call first):
  main/CMakeLists.txt:12 (idf_component_register)
This warning is for project developers.  Use -Wno-dev to suppress it.

-- Generating done
-- Build files have been written to: F:/GitHub/ble_spp_server/build
Running ninja in directory f:\github\ble_spp_server\build
Executing "ninja bootloader"...
[1/10] Generating ../../partition_table/partition-table-unsigned.bin
Partition table binary generated. Contents:
*******************************************************************************
# ESP-IDF Partition Table
# Name, Type, SubType, Offset, Size, Flags
nvs,data,nvs,0xb000,16K,
otadata,data,ota,0xf000,8K,
phy_init,data,phy,0x11000,4K,
factory,app,factory,0x20000,1M,
ota_0,app,ota_0,0x120000,1M,
ota_1,app,ota_1,0x220000,1M,
*******************************************************************************
[2/10] Generating ../../partition_table/partition-table.bin
espsecure.py v3.2-dev
Signed 3072 bytes of data from F:/GitHub/ble_spp_server/build/partition_table/partition-table-unsigned.bin with key F:/GitHub/ble_spp_server/secure/secure_boot_signing_key.pem
[7/10] Performing configure step for 'bootloader'
-- Found Git: C:/Program Files/Git/cmd/git.exe (found version "2.21.0.windows.1")
-- The C compiler identification is GNU 8.4.0
-- The CXX compiler identification is GNU 8.4.0
-- The ASM compiler identification is GNU
-- Found assembler: C:/Users/jacek/.espressif/tools/xtensa-esp32-elf/esp-2021r2-8.4.0/xtensa-esp32-elf/bin/xtensa-esp32-elf-gcc.exe
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: C:/Users/jacek/.espressif/tools/xtensa-esp32-elf/esp-2021r2-8.4.0/xtensa-esp32-elf/bin/xtensa-esp32-elf-gcc.exe - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: C:/Users/jacek/.espressif/tools/xtensa-esp32-elf/esp-2021r2-8.4.0/xtensa-esp32-elf/bin/xtensa-esp32-elf-g++.exe - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Building ESP-IDF components for target esp32
-- Project sdkconfig file F:/GitHub/ble_spp_server/sdkconfig
-- Adding linker script F:/GitHub/esp-idf/components/soc/esp32/ld/esp32.peripherals.ld
-- Adding linker script F:/GitHub/esp-idf/components/esp_rom/esp32/ld/esp32.rom.ld
-- Adding linker script F:/GitHub/esp-idf/components/esp_rom/esp32/ld/esp32.rom.api.ld
-- Adding linker script F:/GitHub/esp-idf/components/esp_rom/esp32/ld/esp32.rom.libgcc.ld
-- Adding linker script F:/GitHub/esp-idf/components/esp_rom/esp32/ld/esp32.rom.newlib-funcs.ld
-- Adding linker script F:/GitHub/esp-idf/components/bootloader/subproject/main/ld/esp32/bootloader.ld
-- Adding linker script F:/GitHub/esp-idf/components/bootloader/subproject/main/ld/esp32/bootloader.rom.ld
-- Components: bootloader bootloader_support efuse esp32 esp_common esp_hw_support esp_rom esp_system esptool_py freertos hal log main micro-ecc newlib partition_table soc spi_flash xtensa
-- Component paths: F:/GitHub/esp-idf/components/bootloader F:/GitHub/esp-idf/components/bootloader_support F:/GitHub/esp-idf/components/efuse F:/GitHub/esp-idf/components/esp32 F:/GitHub/esp-idf/components/esp_common F:/GitHub/esp-idf/components/esp_hw_support F:/GitHub/esp-idf/components/esp_rom F:/GitHub/esp-idf/components/esp_system F:/GitHub/esp-idf/components/esptool_py F:/GitHub/esp-idf/components/freertos F:/GitHub/esp-idf/components/hal F:/GitHub/esp-idf/components/log F:/GitHub/esp-idf/components/bootloader/subproject/main F:/GitHub/esp-idf/components/bootloader/subproject/components/micro-ecc F:/GitHub/esp-idf/components/newlib F:/GitHub/esp-idf/components/partition_table F:/GitHub/esp-idf/components/soc F:/GitHub/esp-idf/components/spi_flash F:/GitHub/esp-idf/components/xtensa
-- Configuring done
-- Generating done
-- Build files have been written to: F:/GitHub/ble_spp_server/build/bootloader
[8/10] Performing build step for 'bootloader'
[1/107] Generating project_elf_src_esp32.c
[2/107] Building C object esp-idf/efuse/CMakeFiles/__idf_efuse.dir/src/esp_efuse_api_key_esp32.c.obj
[3/107] Building C object esp-idf/efuse/CMakeFiles/__idf_efuse.dir/esp32/esp_efuse_utility.c.obj
[4/107] Building C object esp-idf/efuse/CMakeFiles/__idf_efuse.dir/esp32/esp_efuse_table.c.obj
[5/107] Generating secure-bootloader-key-256.bin
espsecure.py v3.2-dev
SHA-256 digest of private key F:/GitHub/ble_spp_server/secure/secure_boot_signing_key.pem written to F:/GitHub/ble_spp_server/build/bootloader/secure-bootloader-key-256.bin
[6/107] Building C object esp-idf/esp_system/CMakeFiles/__idf_esp_system.dir/esp_err.c.obj
[7/107] Building C object esp-idf/efuse/CMakeFiles/__idf_efuse.dir/esp32/esp_efuse_fields.c.obj
[8/107] Building C object esp-idf/efuse/CMakeFiles/__idf_efuse.dir/src/esp_efuse_utility.c.obj
[9/107] Building C object esp-idf/esp_hw_support/CMakeFiles/__idf_esp_hw_support.dir/compare_set.c.obj
[10/107] Building C object esp-idf/esp_hw_support/CMakeFiles/__idf_esp_hw_support.dir/port/esp32/rtc_clk_init.c.obj
[11/107] Building C object esp-idf/esp_hw_support/CMakeFiles/__idf_esp_hw_support.dir/cpu_util.c.obj
[12/107] Building C object esp-idf/esp_hw_support/CMakeFiles/__idf_esp_hw_support.dir/port/esp32/rtc_wdt.c.obj
[13/107] Building C object esp-idf/esp_hw_support/CMakeFiles/__idf_esp_hw_support.dir/port/esp32/rtc_clk.c.obj
[14/107] Building C object esp-idf/esp_hw_support/CMakeFiles/__idf_esp_hw_support.dir/port/esp32/rtc_init.c.obj
[15/107] Building C object esp-idf/esp_hw_support/CMakeFiles/__idf_esp_hw_support.dir/port/esp32/rtc_pm.c.obj
[16/107] Building C object esp-idf/xtensa/CMakeFiles/__idf_xtensa.dir/eri.c.obj
[17/107] Building C object esp-idf/esp_hw_support/CMakeFiles/__idf_esp_hw_support.dir/port/esp32/chip_info.c.obj
[18/107] Building C object esp-idf/esp_hw_support/CMakeFiles/__idf_esp_hw_support.dir/port/esp32/rtc_time.c.obj
[19/107] Building C object esp-idf/esp_hw_support/CMakeFiles/__idf_esp_hw_support.dir/port/esp32/rtc_sleep.c.obj
[20/107] Building C object esp-idf/xtensa/CMakeFiles/__idf_xtensa.dir/xt_trax.c.obj
[21/107] Building C object esp-idf/esp_rom/CMakeFiles/__idf_esp_rom.dir/patches/esp_rom_crc.c.obj
[22/107] Building C object esp-idf/esp_rom/CMakeFiles/__idf_esp_rom.dir/patches/esp_rom_uart.c.obj
[23/107] Building C object esp-idf/esp_rom/CMakeFiles/__idf_esp_rom.dir/patches/esp_rom_tjpgd.c.obj
[24/107] Building ASM object esp-idf/esp_rom/CMakeFiles/__idf_esp_rom.dir/patches/esp_rom_longjmp.S.obj
[25/107] Building C object esp-idf/esp_rom/CMakeFiles/__idf_esp_rom.dir/patches/esp_rom_sys.c.obj
[26/107] Building C object esp-idf/esp_common/CMakeFiles/__idf_esp_common.dir/src/esp_err_to_name.c.obj
[27/107] Building C object esp-idf/efuse/CMakeFiles/__idf_efuse.dir/src/esp_efuse_api.c.obj
[28/107] Building C object esp-idf/log/CMakeFiles/__idf_log.dir/log_noos.c.obj
[29/107] Building C object esp-idf/efuse/CMakeFiles/__idf_efuse.dir/src/esp_efuse_fields.c.obj
[30/107] Building C object esp-idf/log/CMakeFiles/__idf_log.dir/log.c.obj
[31/107] Building C object esp-idf/log/CMakeFiles/__idf_log.dir/log_buffers.c.obj
[32/107] Linking C static library esp-idf\log\liblog.a
[33/107] Linking C static library esp-idf\esp_rom\libesp_rom.a
[34/107] Linking C static library esp-idf\esp_common\libesp_common.a
[35/107] Linking C static library esp-idf\xtensa\libxtensa.a
[36/107] Linking C static library esp-idf\esp_hw_support\libesp_hw_support.a
[37/107] Linking C static library esp-idf\esp_system\libesp_system.a
[38/107] Linking C static library esp-idf\efuse\libefuse.a
[39/107] Generating signature_verification_key.bin
espsecure.py v3.2-dev
F:/GitHub/ble_spp_server/secure/secure_boot_signing_key.pem public key extracted to F:/GitHub/ble_spp_server/build/bootloader/esp-idf/bootloader_support/signature_verification_key.bin
[40/107] Generating ../../signature_verification_key.bin.S
[41/107] Building C object CMakeFiles/bootloader.elf.dir/project_elf_src_esp32.c.obj
[42/107] Building C object esp-idf/hal/CMakeFiles/__idf_hal.dir/mpu_hal.c.obj
[43/107] Building C object esp-idf/hal/CMakeFiles/__idf_hal.dir/cpu_hal.c.obj
[44/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/soc_include_legacy_warn.c.obj
[45/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/lldesc.c.obj
[46/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/dac_periph.c.obj
[47/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/i2s_periph.c.obj
[48/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/interrupts.c.obj
[49/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/gpio_periph.c.obj
[50/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/i2c_periph.c.obj
[51/107] Building C object esp-idf/hal/CMakeFiles/__idf_hal.dir/wdt_hal_iram.c.obj
[52/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/adc_periph.c.obj
[53/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/mcpwm_periph.c.obj
[54/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/pcnt_periph.c.obj
[55/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/lcd_periph.c.obj
[56/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/rmt_periph.c.obj
[57/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/ledc_periph.c.obj
[58/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/sdio_slave_periph.c.obj
[59/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/rtc_io_periph.c.obj
[60/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/timer_periph.c.obj
[61/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/touch_sensor_periph.c.obj
[62/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/spi_periph.c.obj
[63/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/uart_periph.c.obj
[64/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/sigmadelta_periph.c.obj
[65/107] Building C object esp-idf/spi_flash/CMakeFiles/__idf_spi_flash.dir/esp32/spi_flash_rom_patch.c.obj
[66/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/bootloader_flash.c.obj
[67/107] Building C object esp-idf/soc/CMakeFiles/__idf_soc.dir/esp32/sdmmc_periph.c.obj
[68/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/bootloader_mem.c.obj
[69/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/bootloader_random.c.obj
[70/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/bootloader_common_loader.c.obj
[71/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/bootloader_common.c.obj
[72/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/flash_encrypt.c.obj
[73/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/flash_partitions.c.obj
[74/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/bootloader_random_esp32.c.obj
[75/107] Building C object esp-idf/micro-ecc/CMakeFiles/__idf_micro-ecc.dir/uECC_verify_antifault.c.obj
[76/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/secure_boot.c.obj
[77/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/bootloader_init.c.obj
[78/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/esp_image_format.c.obj
[79/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/flash_qio_mode.c.obj
[80/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/bootloader_efuse_esp32.c.obj
[81/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/bootloader_utility.c.obj
[82/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/bootloader_console.c.obj
[83/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/bootloader_clock_loader.c.obj
[84/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/bootloader_flash_config_esp32.c.obj
[85/107] Building ASM object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/__/__/signature_verification_key.bin.S.obj
[86/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/secure_boot_v1/secure_boot_signatures_bootloader.c.obj
[87/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/secure_boot_v1/secure_boot.c.obj
[88/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/esp32/flash_encryption_secure_features.c.obj
[89/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/esp32/secure_boot_secure_features.c.obj
[90/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/esp32/bootloader_soc.c.obj
[91/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/bootloader_console_loader.c.obj
[92/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/bootloader_panic.c.obj
[93/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/esp32/bootloader_sha.c.obj
[94/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/bootloader_clock_init.c.obj
[95/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/flash_encryption/flash_encrypt.c.obj
[96/107] Building C object esp-idf/main/CMakeFiles/__idf_main.dir/bootloader_start.c.obj
[97/107] Building C object esp-idf/bootloader_support/CMakeFiles/__idf_bootloader_support.dir/src/esp32/bootloader_esp32.c.obj
[98/107] Linking C static library esp-idf\bootloader_support\libbootloader_support.a
[99/107] Linking C static library esp-idf\spi_flash\libspi_flash.a
[100/107] Linking C static library esp-idf\micro-ecc\libmicro-ecc.a
[101/107] Linking C static library esp-idf\soc\libsoc.a
[102/107] Linking C static library esp-idf\hal\libhal.a
[103/107] Linking C static library esp-idf\main\libmain.a
[104/107] Linking C executable bootloader.elf
==============================================================================
Bootloader built and secure digest generated.
Secure boot enabled, so bootloader not flashed automatically.
Burn secure boot key to efuse using:
        C:/Users/jacek/.espressif/python_env/idf4.4_py3.7_env/Scripts/python.exe F:/GitHub/esp-idf/components/esptool_py/esptool/espefuse.py burn_key secure_boot_v1 F:/GitHub/ble_spp_server/build/bootloader/secure-bootloader-key-256.bin
First time flash command is:
        C:/Users/jacek/.espressif/python_env/idf4.4_py3.7_env/Scripts/python.exe  F:/GitHub/esp-idf/components/esptool_py/esptool/esptool.py --chip esp32 --port=(PORT) --baud=(BAUD) --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x1000 F:/GitHub/ble_spp_server/build/bootloader/bootloader.bin
==============================================================================
To reflash the bootloader after initial flash:
        C:/Users/jacek/.espressif/python_env/idf4.4_py3.7_env/Scripts/python.exe  F:/GitHub/esp-idf/components/esptool_py/esptool/esptool.py --chip esp32 --port=(PORT) --baud=(BAUD) --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x0 F:/GitHub/ble_spp_server/build/bootloader/bootloader-reflash-digest.bin
==============================================================================
* After first boot, only re-flashes of this kind (with same key) will be accepted.
* Not recommended to re-use the same secure boot keyfile on multiple production devices.
[105/107] Generating binary image from built executable
esptool.py v3.2-dev
Merged 1 ELF section
Generated F:/GitHub/ble_spp_server/build/bootloader/bootloader.bin
[106/107] cmd.exe /C "cd /D F:\GitHub\ble_spp_server\build\bootloader\esp-idf\esptool_py && C:\Users\jacek\.espressif\python_env\idf4.4_py3.7_env\Scripts\python.exe F:/GitHub/esp-idf/components/partition_table/check_sizes.py --offset 0xa000 bootloader 0x1000 F:/GitHub/ble_spp_server/build/bootloader/bootloader.bin"
Bootloader binary size 0x8bf0 bytes. 0x410 bytes (3%) free.
[107/107] Generating bootloader-reflash-digest.bin
DIGEST F:/GitHub/ble_spp_server/build/bootloader/bootloader-reflash-digest.bin
espsecure.py v3.2-dev
Using 256-bit key
digest+image written to F:/GitHub/ble_spp_server/build/bootloader/bootloader-reflash-digest.bin
[10/10] Completed 'bootloader'

Bootloader build complete.

3. It is not the first time for bootloader programming, so encrypting the digest:

Code:

F:\GitHub\esp-idf\components\esptool_py\esptool>python espsecure.py encrypt_flash_data --keyfile F:/GitHub/ble_spp_server/secure/maxbt_key.bin --address 0x0 --output F:/GitHub/ble_spp_server/build/bootloader/bootloader-reflash-digest-encrypted.bin F:/GitHub/ble_spp_server/build/bootloader/bootloader-reflash-digest.bin
espsecure.py v3.2-dev
Using 256-bit key

4. Building the project:

Code:

F:\GitHub\ble_spp_server>idf.py build
Executing action: all (aliases: build)
Running ninja in directory f:\github\ble_spp_server\build
Executing "ninja all"...
[68/1293] Performing build step for 'bootloader'
[1/1] cmd.exe /C "cd /D F:\GitHub\ble_spp_server\build\bootloader\esp-idf\esptool_py && C:\Users\jacek\.espressif\python_env\idf4.4_py3.7_env\Scripts\python.exe F:/GitHub/esp-idf/components/partition_table/check_sizes.py --offset 0xa000 bootloader 0x1000 F:/GitHub/ble_spp_server/build/bootloader/bootloader.bin"
Bootloader binary size 0x8bf0 bytes. 0x410 bytes (3%) free.
[519/1291] Generating ../../signature_verification_key.bin
espsecure.py v3.2-dev
F:/GitHub/ble_spp_server/secure/secure_boot_signing_key.pem public key extracted to F:/GitHub/ble_spp_server/build/signature_verification_key.bin
.....
[1289/1291] Generating binary image from built executable
esptool.py v3.2-dev
Merged 25 ELF sections
Generated F:/GitHub/ble_spp_server/build/maxbt-unsigned.bin
[1290/1291] Generating signed binary image
espsecure.py v3.2-dev
Signed 858288 bytes of data from F:/GitHub/ble_spp_server/build/maxbt-unsigned.bin with key F:/GitHub/ble_spp_server/secure/secure_boot_signing_key.pem
Generated signed binary image F:/GitHub/ble_spp_server/build/maxbt.bin from F:/GitHub/ble_spp_server/build/maxbt-unsigned.bin
[1291/1291] cmd.exe /C "cd /D F:\GitHub\ble_spp_server\bui...tition-table.bin F:/GitHub/ble_spp_server/build/maxbt.bin"
maxbt.bin binary size 0xd18f4 bytes. Smallest app partition is 0x100000 bytes. 0x2e70c bytes (18%) free.

Project build complete. To flash, run this command:
C:\Users\jacek\.espressif\python_env\idf4.4_py3.7_env\Scripts\python.exe ..\esp-idf\components\esptool_py\esptool\esptool.py -p (PORT) -b 460800 --before default_reset --after no_reset --chip esp32  write_flash --flash_mode dio --flash_size detect --flash_freq 40m 0xa000 build\partition_table\partition-table.bin 0xf000 build\ota_data_initial.bin 0x20000 build\maxbt.bin
or run 'idf.py -p (PORT) flash'
5. App encryption:

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>python espsecure.py encrypt_flash_data --keyfile F:/GitHub/ble_spp_server/secure/maxbt_key.bin --address 0x20000 --output F:/GitHub/ble_spp_server/build/maxbt-signed-encrypted.bin F:/GitHub/ble_spp_server/build/maxbt.bin
espsecure.py v3.2-dev
Using 256-bit key
Note: Padding with 12 bytes of random data (encrypted data must be multiple of 16 bytes long)
6. ota_data encryption:

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>python espsecure.py encrypt_flash_data --keyfile F:/GitHub/ble_spp_server/secure/maxbt_key.bin --address 0xf000 --output F:/GitHub/ble_spp_server/build/ota_data_initial-encrypted.bin F:/GitHub/ble_spp_server/build/ota_data_initial.bin
espsecure.py v3.2-dev
Using 256-bit key
7. partition table encryption:

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>python espsecure.py encrypt_flash_data --keyfile F:/GitHub/ble_spp_server/secure/maxbt_key.bin --address 0xa000 --output F:/GitHub/ble_spp_server/build/partition_table/partition-table-encrypted.bin F:/GitHub/ble_spp_server/build/partition_table/partition-table.bin
espsecure.py v3.2-dev
Using 256-bit key
Note: Padding with 12 bytes of random data (encrypted data must be multiple of 16 bytes long)
8. flashing encrypted digest

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>python esptool.py --chip esp32 --port=COM5 --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x0 F:/GitHub/ble_spp_server/build/bootloader/bootloader-reflash-digest-encrypted.bin
esptool.py v3.2-dev
Serial port COM5
Connecting....
Chip is ESP32-S0WD (revision 1)
Features: WiFi, BT, Single Core, VRef calibration in efuse, Coding Scheme None
Crystal is 40MHz
MAC: 24:0a:c4:69:f8:f4
Uploading stub...
Running stub...
Stub running...
Configuring flash size...
Flash will be erased from 0x00000000 to 0x00009fff...
Compressed 39936 bytes to 38217...
Wrote 39936 bytes (38217 compressed) at 0x00000000 in 3.5 seconds (effective 92.2 kbit/s)...
Hash of data verified.

Leaving...
Staying in bootloader.
9. flashing encrypted partition table:

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>python esptool.py --chip esp32 --port=COM5 --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0xa000 F:/GitHub/ble_spp_server/build/partition_table/partition-table-encrypted.bin
esptool.py v3.2-dev
Serial port COM5
Connecting....
Chip is ESP32-S0WD (revision 1)
Features: WiFi, BT, Single Core, VRef calibration in efuse, Coding Scheme None
Crystal is 40MHz
MAC: 24:0a:c4:69:f8:f4
Uploading stub...
Running stub...
Stub running...
Configuring flash size...
Flash will be erased from 0x0000a000 to 0x0000afff...
Compressed 3152 bytes to 1898...
Wrote 3152 bytes (1898 compressed) at 0x0000a000 in 0.2 seconds (effective 111.5 kbit/s)...
Hash of data verified.

Leaving...
Staying in bootloader.
10. flashing encrypted ota data partition:

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>python esptool.py --chip esp32 --port=COM5 --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0xf000 F:/GitHub/ble_spp_server/build/ota_data_initial-encrypted.bin
esptool.py v3.2-dev
Serial port COM5
Connecting....
Chip is ESP32-S0WD (revision 1)
Features: WiFi, BT, Single Core, VRef calibration in efuse, Coding Scheme None
Crystal is 40MHz
MAC: 24:0a:c4:69:f8:f4
Uploading stub...
Running stub...
Stub running...
Configuring flash size...
Flash will be erased from 0x0000f000 to 0x00010fff...
Compressed 8192 bytes to 4457...
Wrote 8192 bytes (4457 compressed) at 0x0000f000 in 0.5 seconds (effective 128.5 kbit/s)...
Hash of data verified.

Leaving...
Staying in bootloader.
11. flashing encrypted and signed app:

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>python esptool.py --chip esp32 --port=COM5 --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x20000 F:/GitHub/ble_spp_server/build/maxbt-signed-encrypted.bin
esptool.py v3.2-dev
Serial port COM5
Connecting.........
Chip is ESP32-S0WD (revision 1)
Features: WiFi, BT, Single Core, VRef calibration in efuse, Coding Scheme None
Crystal is 40MHz
MAC: 24:0a:c4:69:f8:f4
Uploading stub...
Running stub...
Stub running...
Configuring flash size...
Flash will be erased from 0x00020000 to 0x000f1fff...
Compressed 858368 bytes to 855043...
Wrote 858368 bytes (855043 compressed) at 0x00020000 in 75.8 seconds (effective 90.6 kbit/s)...
Hash of data verified.

Leaving...
Staying in bootloader.
12. Running app with monitor

Code: Select all

F:\GitHub\ble_spp_server>idf.py -p com5 monitor
Executing action: monitor
Running idf_monitor in directory f:\github\ble_spp_server
Executing "C:\Users\jacek\.espressif\python_env\idf4.4_py3.7_env\Scripts\python.exe F:\GitHub\esp-idf\tools/idf_monitor.py -p com5 -b 115200 --toolchain-prefix xtensa-esp32-elf- --target esp32 --revision 0 f:\github\ble_spp_server\build\maxbt.elf -m 'C:\Users\jacek\.espressif\python_env\idf4.4_py3.7_env\Scripts\python.exe' 'F:\GitHub\esp-idf\tools\idf.py' '-p' 'com5'"...
--- idf_monitor on com5 115200 ---
--- Quit: Ctrl+] | Menu: Ctrl+T | Help: Ctrl+T followed by Ctrl+H ---
ets Jun  8 2016 00:22:57

rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371
ets Jun  8 2016 00:22:57

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371
ets Jun  8 2016 00:22:57
Is there something wrong with these steps?

Here is the eFuse summary:

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>python espefuse.py -p com5 summary
Connecting...
Device PID identification is only supported on COM and /dev/ serial ports.
..
Detecting chip type... Unsupported detection protocol, switching and trying again...
Connecting...
Device PID identification is only supported on COM and /dev/ serial ports.
.
Detecting chip type... ESP32
espefuse.py v3.2-dev
EFUSE_NAME (Block) Description  = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Calibration fuses:
BLK3_PART_RESERVE (BLOCK0):                        BLOCK3 partially served for ADC calibration data   = False R/W (0b0)
ADC_VREF (BLOCK0):                                 Voltage reference calibration                      = 1107 R/W (0b00001)

Config fuses:
XPD_SDIO_FORCE (BLOCK0):                           Ignore MTDI pin (GPIO12) for VDD_SDIO on reset     = False R/W (0b0)
XPD_SDIO_REG (BLOCK0):                             If XPD_SDIO_FORCE, enable VDD_SDIO reg on reset    = False R/W (0b0)
XPD_SDIO_TIEH (BLOCK0):                            If XPD_SDIO_FORCE & XPD_SDIO_REG                   = 1.8V R/W (0b0)
CLK8M_FREQ (BLOCK0):                               8MHz clock freq override                           = 51 R/W (0x33)
SPI_PAD_CONFIG_CLK (BLOCK0):                       Override SD_CLK pad (GPIO6/SPICLK)                 = 0 R/W (0b00000)
SPI_PAD_CONFIG_Q (BLOCK0):                         Override SD_DATA_0 pad (GPIO7/SPIQ)                = 0 R/W (0b00000)
SPI_PAD_CONFIG_D (BLOCK0):                         Override SD_DATA_1 pad (GPIO8/SPID)                = 0 R/W (0b00000)
SPI_PAD_CONFIG_HD (BLOCK0):                        Override SD_DATA_2 pad (GPIO9/SPIHD)               = 0 R/W (0b00000)
SPI_PAD_CONFIG_CS0 (BLOCK0):                       Override SD_CMD pad (GPIO11/SPICS0)                = 0 R/W (0b00000)
DISABLE_SDIO_HOST (BLOCK0):                        Disable SDIO host                                  = False R/W (0b0)

Efuse fuses:
WR_DIS (BLOCK0):                                   Efuse write disable mask                           = 384 R/W (0x0180)
RD_DIS (BLOCK0):                                   Efuse read disable mask                            = 3 R/W (0x3)
CODING_SCHEME (BLOCK0):                            Efuse variable block length scheme
   = NONE (BLK1-3 len=256 bits) R/W (0b00)
KEY_STATUS (BLOCK0):                               Usage of efuse block 3 (reserved)                  = False R/W (0b0)

Identity fuses:
MAC (BLOCK0):                                      Factory MAC Address
   = 24:0a:c4:69:f8:f4 (CRC 0x31 OK) R/W
MAC_CRC (BLOCK0):                                  CRC8 for factory MAC address                       = 49 R/W (0x31)
CHIP_VER_REV1 (BLOCK0):                            Silicon Revision 1                                 = True R/W (0b1)
CHIP_VER_REV2 (BLOCK0):                            Silicon Revision 2                                 = False R/W (0b0)
CHIP_VERSION (BLOCK0):                             Reserved for future chip versions                  = 0 R/W (0b00)
CHIP_PACKAGE (BLOCK0):                             Chip package identifier                            = 1 R/W (0b001)
MAC_VERSION (BLOCK3):                              Version of the MAC field                           = 0 R/W (0x00)

Security fuses:
FLASH_CRYPT_CNT (BLOCK0):                          Flash encryption mode counter                      = 3 R/W (0b0000011)
UART_DOWNLOAD_DIS (BLOCK0):                        Disable UART download mode (ESP32 rev3 only)       = False R/W (0b0)
FLASH_CRYPT_CONFIG (BLOCK0):                       Flash encryption config (key tweak bits)           = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE (BLOCK0):                    Disable ROM BASIC interpreter fallback             = True R/W (0b1)
ABS_DONE_0 (BLOCK0):                               Secure boot V1 is enabled for bootloader image     = True R/W (0b1)
ABS_DONE_1 (BLOCK0):                               Secure boot V2 is enabled for bootloader image     = False R/W (0b0)
JTAG_DISABLE (BLOCK0):                             Disable JTAG                                       = True R/W (0b1)
DISABLE_DL_ENCRYPT (BLOCK0):                       Disable flash encryption in UART bootloader        = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0):                       Disable flash decryption in UART bootloader        = True R/W (0b1)
DISABLE_DL_CACHE (BLOCK0):                         Disable flash cache in UART bootloader             = True R/W (0b1)
BLOCK1 (BLOCK1):                                   Flash encryption key
   = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK2 (BLOCK2):                                   Secure boot key
   = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK3 (BLOCK3):                                   Variable Block 3
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V).
When I programmed the bootloader for the first time, I used this after make bootloader:

Code: Select all

 C:/Users/jacek/.espressif/python_env/idf4.4_py3.7_env/Scripts/python.exe  F:/GitHub/esp-idf/components/esptool_py/esptool/esptool.py --chip esp32 --port=COM5 --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x1000 F:/GitHub/ble_spp_server/build/bootloader/bootloader.bin
and

Code: Select all

espefuse.py --port COM5 burn_key flash_encryption maxbt_key.bin
but I think that I didn't do this:

Code: Select all

C:/Users/jacek/.espressif/python_env/idf4.4_py3.7_env/Scripts/python.exe F:/GitHub/esp-idf/components/esptool_py/esptool/espefuse.py burn_key secure_boot_v1 F:/GitHub/ble_spp_server/build/bootloader/secure-bootloader-key-256.bin
I tried this just now and have this:

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>C:/Users/jacek/.espressif/python_env/idf4.4_py3.7_env/Scripts/python.exe F:/GitHub/esp-idf/components/esptool_py/esptool/espefuse.py --port COM5 burn_key secure_boot_v1 F:/GitHub/ble_spp_server/build/bootloader/secure-bootloader-key-256.bin
Connecting....
Detecting chip type... Unsupported detection protocol, switching and trying again...
Connecting....
Detecting chip type... ESP32
espefuse.py v3.2-dev
Burn keys to blocks:
 - BLOCK2 -> [there is secure-bootloader-key-256 from file]
        Reversing the byte order

A fatal error occurred:         BLOCK2 is read-protected. The written value can not be read, the efuse/block looks as all 0.
        Burn in this case may damage an already written value.(use '--force-write-always' option to ignore it)
so I'm not sure if it is safe to do this burning.

Please give me some advice.
On Monday I will have a new ESP module. I don't want to brick it too.

Re: bootloader problem (encryption/signing)

Posted: Fri Jan 07, 2022 11:54 pm
by WiFive

Code: Select all

FLASH_CRYPT_CNT (BLOCK0):                          Flash encryption mode counter                      = 3 R/W (0b0000011)
3 means encryption is disabled so flashing encrypted binaries won't work.

Re: bootloader problem (encryption/signing)

Posted: Mon Jan 10, 2022 6:58 am
by Jacek@dtm.pl
Thank you WiFive for the response.
Indeed, I manually incremented FLASH_CRYPT_CNT when I tried to disable encryption. So, should I use this one more time?

Code: Select all

espefuse.py burn_efuse FLASH_CRYPT_CNT
I found that it can be used for disabling flash encryption, but since it increments FLASH_CRYPT_CNT, can it also be used for enabling? I have enabled "Enable flash encryption on boot" in menuconfig, but it appears that it does not touch FLASH_CRYPT_CNT.

Re: bootloader problem (encryption/signing)

Posted: Mon Jan 10, 2022 1:23 pm
by Jacek@dtm.pl
I incremented FLASH_CRYPT_CNT and now have:

Code: Select all

rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0038,len:8468
load:0x40078000,len:23328
ho 0 tail 12 room 4
load:0x40080400,len:3940
0x40080400: _init at ??:?

secure boot check fail
ets_main.c 371
ets Jun  8 2016 00:22:57
Do You have any suggestions?

Re: bootloader problem (encryption/signing)

Posted: Mon Jan 10, 2022 2:21 pm
by WiFive
Secure boot key was already burned to efuse so if you don't have a copy of this original key then you are stuck

Re: bootloader problem (encryption/signing)

Posted: Wed Jan 12, 2022 2:07 pm
by Jacek@dtm.pl
I replaced the module with a new one and started again from the beginning. I want to sign and encrypt the app.
I want to share encrypted firmware with customers so that they can update the device themselves.

1. settings in menuconfig:
Security features:
- Enable hardware Secure Boot in bootloader
- Secure Boot Version 1
- Secure bootloader mode (Reflashable)
- Enable Sign binaries during build
- Secure boot private signing key: secure/my_secure_boot_signing_key.pem
- Enable flash encryption on boot
- Enable usage mode: Development
- enabled Check flash Encryption enabled on app startup
Partition table:
- factory app, two OTA definitions
- (0xb000) offset of partition table

2. Generate encryption key:

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>python espsecure.py generate_flash_encryption_key ../../../../ble_spp_server/secure/maxbt_encryption_key.bin
espsecure.py v3.2-dev
Writing 256 random bits to key file ../../../../ble_spp_server/secure/maxbt_encryption_key.bin
3. Generate secure boot signing key:

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>python espsecure.py generate_signing_key ../../../../ble_spp_server/secure/my_secure_boot_signing_key.pem
espsecure.py v3.2-dev
ECDSA NIST256p private key in PEM format written to ../../../../ble_spp_server/secure/my_secure_boot_signing_key.pem
4. make bootloader that ends with "Bootloader build complete."

5. Burning secure boot key to eFuse:

Code: Select all

F:/GitHub/esp-idf/components/esptool_py/esptool/espefuse.py --port COM5 burn_key secure_boot_v1 F:/GitHub/ble_spp_server/build/bootloader/secure-bootloader-key-256.bin
ended Successful

6. Burning flash encryption key:

Code: Select all

espefuse.py --port COM5 burn_key flash_encryption ../../../../ble_spp_server/secure/maxbt_encryption_key.bin
ended Successful

7. Manually encrypting bootloader:

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>python espsecure.py encrypt_flash_data --keyfile ../../../../ble_spp_server/secure/maxbt_encryption_key.bin --address 0x1000 --output ../../../../ble_spp_server/build/bootloader/bootloader-encrypted.bin ../../../../ble_spp_server/build/bootloader/bootloader.bin
espsecure.py v3.2-dev
Using 256-bit key
8. Manually encrypting partition table:

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>python espsecure.py encrypt_flash_data --keyfile ../../../../ble_spp_server/secure/maxbt_encryption_key.bin --address 0xb000 --output ../../../../ble_spp_server/build/partition_table/partition-table-encrypted.bin ../../../../ble_spp_server/build/partition_table/partition-table.bin
espsecure.py v3.2-dev
Using 256-bit key
Note: Padding with 12 bytes of random data (encrypted data must be multiple of 16 bytes long)
9. Building app:

Code: Select all

idf.py build
that generates signed app file

10. Manually encrypt ota_data_initial.bin

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>python espsecure.py encrypt_flash_data --keyfile ../../../../ble_spp_server/secure/maxbt_encryption_key.bin --address 0x10000 --output ../../../../ble_spp_server/build/ota_data_initial-encrypted.bin ../../../../ble_spp_server/build/ota_data_initial.bin
espsecure.py v3.2-dev
Using 256-bit key
11. Manually encrypting app:

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>python espsecure.py encrypt_flash_data --keyfile ../../../../ble_spp_server/secure/maxbt_encryption_key.bin --address 0x20000 --output ../../../../ble_spp_server/build/maxbt-encrypted.bin ../../../../ble_spp_server/build/maxbt.bin
espsecure.py v3.2-dev
Using 256-bit key
Note: Padding with 12 bytes of random data (encrypted data must be multiple of 16 bytes long)
12. Flashing encrypted bootloader:

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>python esptool.py --chip esp32 --port=COM5 --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x1000 F:/GitHub/ble_spp_server/build/bootloader/bootloader-encrypted.bin
esptool.py v3.2-dev
Serial port COM5
Connecting....
Chip is ESP32-S0WD (revision 1)
Features: WiFi, BT, Single Core, VRef calibration in efuse, Coding Scheme None
Crystal is 40MHz
MAC: 4c:11:ae:c0:54:b0
Uploading stub...
Running stub...
Stub running...
Configuring flash size...
Flash will be erased from 0x00001000 to 0x0000afff...
Warning: Image file at 0x1000 doesn't look like an image file, so not changing any flash settings.
Compressed 38944 bytes to 38965...
Wrote 38944 bytes (38965 compressed) at 0x00001000 in 4.0 seconds (effective 78.4 kbit/s)...
Hash of data verified.

Leaving...
Staying in bootloader.
13. Flashing encrypted rest:

Code: Select all

F:\GitHub\esp-idf\components\esptool_py\esptool>python esptool.py -p COM5 -b 460800 --before default_reset --after no_reset --chip esp32  write_flash --flash_mode dio --flash_size detect --flash_freq 40m 0xb000 ../../../../ble_spp_server/build/partition_table/partition-table-encrypted.bin 0x10000 ../../../../ble_spp_server/build/ota_data_initial-encrypted.bin 0x20000 ../../../../ble_spp_server/build/maxbt-encrypted.bin
esptool.py v3.2-dev
Serial port COM5
Connecting......
Chip is ESP32-S0WD (revision 1)
Features: WiFi, BT, Single Core, VRef calibration in efuse, Coding Scheme None
Crystal is 40MHz
MAC: 4c:11:ae:c0:54:b0
Uploading stub...
Running stub...
Stub running...
Changing baud rate to 460800
Changed.
Configuring flash size...
Auto-detected Flash size: 4MB
Flash will be erased from 0x0000b000 to 0x0000bfff...
Flash will be erased from 0x00010000 to 0x00011fff...
Flash will be erased from 0x00020000 to 0x000fffff...
Compressed 3152 bytes to 1897...
Wrote 3152 bytes (1897 compressed) at 0x0000b000 in 0.1 seconds (effective 264.0 kbit/s)...
Hash of data verified.
Compressed 8192 bytes to 4457...
Wrote 8192 bytes (4457 compressed) at 0x00010000 in 0.2 seconds (effective 285.3 kbit/s)...
Hash of data verified.
Compressed 917504 bytes to 888696...
Wrote 917504 bytes (888696 compressed) at 0x00020000 in 20.6 seconds (effective 356.1 kbit/s)...
Hash of data verified.

Leaving...
Staying in bootloader.
14. Run app with monitor:

Code: Select all

idf.py -p com5 monitor
And have:

Code: Select all

rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371
ets Jun  8 2016 00:22:57

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371
ets Jun  8 2016 00:22:57

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371
ets Jun  8 2016 00:22:57
eFUSE summary:

Code: Select all

Calibration fuses:
BLK3_PART_RESERVE (BLOCK0):                        BLOCK3 partially served for ADC calibration data   = False R/W (0b0)
ADC_VREF (BLOCK0):                                 Voltage reference calibration                      = 1093 R/W (0b10001)

Config fuses:
XPD_SDIO_FORCE (BLOCK0):                           Ignore MTDI pin (GPIO12) for VDD_SDIO on reset     = False R/W (0b0)
XPD_SDIO_REG (BLOCK0):                             If XPD_SDIO_FORCE, enable VDD_SDIO reg on reset    = False R/W (0b0)
XPD_SDIO_TIEH (BLOCK0):                            If XPD_SDIO_FORCE & XPD_SDIO_REG                   = 1.8V R/W (0b0)
CLK8M_FREQ (BLOCK0):                               8MHz clock freq override                           = 54 R/W (0x36)
SPI_PAD_CONFIG_CLK (BLOCK0):                       Override SD_CLK pad (GPIO6/SPICLK)                 = 0 R/W (0b00000)
SPI_PAD_CONFIG_Q (BLOCK0):                         Override SD_DATA_0 pad (GPIO7/SPIQ)                = 0 R/W (0b00000)
SPI_PAD_CONFIG_D (BLOCK0):                         Override SD_DATA_1 pad (GPIO8/SPID)                = 0 R/W (0b00000)
SPI_PAD_CONFIG_HD (BLOCK0):                        Override SD_DATA_2 pad (GPIO9/SPIHD)               = 0 R/W (0b00000)
SPI_PAD_CONFIG_CS0 (BLOCK0):                       Override SD_CMD pad (GPIO11/SPICS0)                = 0 R/W (0b00000)
DISABLE_SDIO_HOST (BLOCK0):                        Disable SDIO host                                  = False R/W (0b0)

Efuse fuses:
WR_DIS (BLOCK0):                                   Efuse write disable mask                           = 384 R/W (0x0180)
RD_DIS (BLOCK0):                                   Efuse read disable mask                            = 3 R/W (0x3)
CODING_SCHEME (BLOCK0):                            Efuse variable block length scheme
   = NONE (BLK1-3 len=256 bits) R/W (0b00)
KEY_STATUS (BLOCK0):                               Usage of efuse block 3 (reserved)                  = False R/W (0b0)

Identity fuses:
MAC (BLOCK0):                                      Factory MAC Address
   = 4c:11:ae:c0:54:b0 (CRC 0x28 OK) R/W
MAC_CRC (BLOCK0):                                  CRC8 for factory MAC address                       = 40 R/W (0x28)
CHIP_VER_REV1 (BLOCK0):                            Silicon Revision 1                                 = True R/W (0b1)
CHIP_VER_REV2 (BLOCK0):                            Silicon Revision 2                                 = False R/W (0b0)
CHIP_VERSION (BLOCK0):                             Reserved for future chip versions                  = 0 R/W (0b00)
CHIP_PACKAGE (BLOCK0):                             Chip package identifier                            = 1 R/W (0b001)
MAC_VERSION (BLOCK3):                              Version of the MAC field                           = 0 R/W (0x00)

Security fuses:
FLASH_CRYPT_CNT (BLOCK0):                          Flash encryption mode counter                      = 0 R/W (0b0000000)
UART_DOWNLOAD_DIS (BLOCK0):                        Disable UART download mode (ESP32 rev3 only)       = False R/W (0b0)
FLASH_CRYPT_CONFIG (BLOCK0):                       Flash encryption config (key tweak bits)           = 0 R/W (0x0)
CONSOLE_DEBUG_DISABLE (BLOCK0):                    Disable ROM BASIC interpreter fallback             = True R/W (0b1)
ABS_DONE_0 (BLOCK0):                               Secure boot V1 is enabled for bootloader image     = False R/W (0b0)
ABS_DONE_1 (BLOCK0):                               Secure boot V2 is enabled for bootloader image     = False R/W (0b0)
JTAG_DISABLE (BLOCK0):                             Disable JTAG                                       = False R/W (0b0)
DISABLE_DL_ENCRYPT (BLOCK0):                       Disable flash encryption in UART bootloader        = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0):                       Disable flash decryption in UART bootloader        = False R/W (0b0)
DISABLE_DL_CACHE (BLOCK0):                         Disable flash cache in UART bootloader             = False R/W (0b0)
BLOCK1 (BLOCK1):                                   Flash encryption key
   = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK2 (BLOCK2):                                   Secure boot key
   = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK3 (BLOCK3):                                   Variable Block 3
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V).
I see that:

Code: Select all

FLASH_CRYPT_CNT (BLOCK0):                          Flash encryption mode counter                      = 0 R/W (0b0000000)
ABS_DONE_0 (BLOCK0):                               Secure boot V1 is enabled for bootloader image     = False R/W (0b0)
But why? I turned it on in menuconfig. What is the problem? Should I use 'One-time flash' instead of 'Reflashable' Secure bootloader mode in menuconfig?
In point 12, there is:

Code: Select all

Warning: Image file at 0x1000 doesn't look like an image file, so not changing any flash settings.
So I think this is the reason that the eFuses are not set. But what does this warning mean?

Re: bootloader problem (encryption/signing)

Posted: Wed Jan 12, 2022 3:08 pm
by WiFive
The first flash you don't encrypt anything and it will encrypt itself when it boots. Or you have to manually enable the efuses if you want to flash encrypted binaries.

Re: bootloader problem (encryption/signing)

Posted: Wed Jan 12, 2022 6:15 pm
by chegewara
I would suggest to test with secure V2 in dev mode, which will save you few devices probably.
In dev mode you may test it without burning any efuses and eventually have efuse partition to emulate it.
https://docs.espressif.com/projects/esp ... ot-v2.html
https://github.com/chegewara/esp32sx-c- ... /secure-v2

Regards

Re: bootloader problem (encryption/signing)

Posted: Thu Jan 13, 2022 10:21 am
by Jacek@dtm.pl
WiFive wrote:
Wed Jan 12, 2022 3:08 pm
The first flash you don't encrypt anything and it will encrypt itself when it boots. Or you have to manually enable the efuses if you want to flash encrypted binaries.
Thank You WiFive for information. I didn't know it.

I burned manually:

Code: Select all

espefuse.py burn_efuse ABS_DONE_0
espefuse.py burn_efuse FLASH_CRYPT_CONFIG 0xf
espefuse.py burn_efuse FLASH_CRYPT_CNT
all ended successful

eFuse summary now:

Code: Select all

Calibration fuses:
BLK3_PART_RESERVE (BLOCK0):                        BLOCK3 partially served for ADC calibration data   = False R/W (0b0)
ADC_VREF (BLOCK0):                                 Voltage reference calibration                      = 1093 R/W (0b10001)

Config fuses:
XPD_SDIO_FORCE (BLOCK0):                           Ignore MTDI pin (GPIO12) for VDD_SDIO on reset     = False R/W (0b0)
XPD_SDIO_REG (BLOCK0):                             If XPD_SDIO_FORCE, enable VDD_SDIO reg on reset    = False R/W (0b0)
XPD_SDIO_TIEH (BLOCK0):                            If XPD_SDIO_FORCE & XPD_SDIO_REG                   = 1.8V R/W (0b0)
CLK8M_FREQ (BLOCK0):                               8MHz clock freq override                           = 54 R/W (0x36)
SPI_PAD_CONFIG_CLK (BLOCK0):                       Override SD_CLK pad (GPIO6/SPICLK)                 = 0 R/W (0b00000)
SPI_PAD_CONFIG_Q (BLOCK0):                         Override SD_DATA_0 pad (GPIO7/SPIQ)                = 0 R/W (0b00000)
SPI_PAD_CONFIG_D (BLOCK0):                         Override SD_DATA_1 pad (GPIO8/SPID)                = 0 R/W (0b00000)
SPI_PAD_CONFIG_HD (BLOCK0):                        Override SD_DATA_2 pad (GPIO9/SPIHD)               = 0 R/W (0b00000)
SPI_PAD_CONFIG_CS0 (BLOCK0):                       Override SD_CMD pad (GPIO11/SPICS0)                = 0 R/W (0b00000)
DISABLE_SDIO_HOST (BLOCK0):                        Disable SDIO host                                  = False R/W (0b0)

Efuse fuses:
WR_DIS (BLOCK0):                                   Efuse write disable mask                           = 384 R/W (0x0180)
RD_DIS (BLOCK0):                                   Efuse read disable mask                            = 3 R/W (0x3)
CODING_SCHEME (BLOCK0):                            Efuse variable block length scheme
   = NONE (BLK1-3 len=256 bits) R/W (0b00)
KEY_STATUS (BLOCK0):                               Usage of efuse block 3 (reserved)                  = False R/W (0b0)

Identity fuses:
MAC (BLOCK0):                                      Factory MAC Address
   = 4c:11:ae:c0:54:b0 (CRC 0x28 OK) R/W
MAC_CRC (BLOCK0):                                  CRC8 for factory MAC address                       = 40 R/W (0x28)
CHIP_VER_REV1 (BLOCK0):                            Silicon Revision 1                                 = True R/W (0b1)
CHIP_VER_REV2 (BLOCK0):                            Silicon Revision 2                                 = False R/W (0b0)
CHIP_VERSION (BLOCK0):                             Reserved for future chip versions                  = 0 R/W (0b00)
CHIP_PACKAGE (BLOCK0):                             Chip package identifier                            = 1 R/W (0b001)
MAC_VERSION (BLOCK3):                              Version of the MAC field                           = 0 R/W (0x00)

Security fuses:
FLASH_CRYPT_CNT (BLOCK0):                          Flash encryption mode counter                      = 1 R/W (0b0000001)
UART_DOWNLOAD_DIS (BLOCK0):                        Disable UART download mode (ESP32 rev3 only)       = False R/W (0b0)
FLASH_CRYPT_CONFIG (BLOCK0):                       Flash encryption config (key tweak bits)           = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE (BLOCK0):                    Disable ROM BASIC interpreter fallback             = True R/W (0b1)
ABS_DONE_0 (BLOCK0):                               Secure boot V1 is enabled for bootloader image     = True R/W (0b1)
ABS_DONE_1 (BLOCK0):                               Secure boot V2 is enabled for bootloader image     = False R/W (0b0)
JTAG_DISABLE (BLOCK0):                             Disable JTAG                                       = False R/W (0b0)
DISABLE_DL_ENCRYPT (BLOCK0):                       Disable flash encryption in UART bootloader        = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0):                       Disable flash decryption in UART bootloader        = False R/W (0b0)
DISABLE_DL_CACHE (BLOCK0):                         Disable flash cache in UART bootloader             = False R/W (0b0)
BLOCK1 (BLOCK1):                                   Flash encryption key
   = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK2 (BLOCK2):                                   Secure boot key
   = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK3 (BLOCK3):                                   Variable Block 3
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V).

And now have:

Code: Select all

rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0038,len:9716
load:0x40078000,len:25196
load:0x40080400,len:3940
0x40080400: _init at ??:?

secure boot check fail
ets_main.c 371
ets Jun  8 2016 00:22:57

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0038,len:9716
load:0x40078000,len:25196
load:0x40080400,len:3940
0x40080400: _init at ??:?

secure boot check fail
ets_main.c 371
ets Jun  8 2016 00:22:57
Should I flash everything one more time after burning the eFuses? Because earlier, after the first boot, it was double encrypted (I flashed encrypted files and the module encrypted them one more time on first boot)? Or what else is wrong?

I have enabled "Enable flash encryption on boot". Is it correct when I'm flashing encrypted files, or should I disable it?

chegewara wrote:
I would suggest to test with secure V2 in dev mode, which will save you few devices probably.
Thank you chegewara, but I have the S0 version (without V2). At least for now.

UPDATE:
I disabled "Enable flash encryption on boot" and reflashed bootloader-digest and app and now program starts.
Thank You for help.
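
The two eFuse points WiFive raises in this thread (FLASH_CRYPT_CNT = 3 means encryption is off, and the eFuses must be set before pre-encrypted binaries are flashed) can be checked from `espefuse.py summary` output before anything is written. The Python below is an added example, not code from the thread or from esptool; it relies on the ESP32 rule that flash encryption is active only when FLASH_CRYPT_CNT has an odd number of bits set. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the line format of the thread's `espefuse.py summary`
# output; key bytes are shortened, values are filled in by sample() below.
TEMPLATE = """\
Security fuses:
FLASH_CRYPT_CNT (BLOCK0):                          Flash encryption mode counter                      = {cnt} R/W ({cnt:#09b})
FLASH_CRYPT_CONFIG (BLOCK0):                       Flash encryption config (key tweak bits)           = {cfg} R/W ({cfg:#x})
ABS_DONE_0 (BLOCK0):                               Secure boot V1 is enabled for bootloader image     = {sb} R/W ({sbbit:#b})
BLOCK1 (BLOCK1):                                   Flash encryption key
   = ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK2 (BLOCK2):                                   Secure boot key
   = ?? ?? ?? ?? ?? ?? ?? ?? -/-
"""

FIELD_RE = re.compile(r"^(?P<name>[A-Z0-9_]+) \(BLOCK\d\):\s+(?P<rest>.*)$")
VALUE_RE = re.compile(
    r"=\s*(?P<value>.*?)\s+(?P<access>R/W|R/-|-/W|-/-)"
    r"(?:\s+\((?P<raw>0[bx][0-9a-fA-F]+)\))?\s*$"
)
CNT_BITS = 7  # width of FLASH_CRYPT_CNT as printed in the summaries (0b0000011)


def sample(cnt, cfg, secure_boot):
    """Build a constructed summary excerpt with the given fuse values."""
    return TEMPLATE.format(cnt=cnt, cfg=cfg, sb=secure_boot, sbbit=int(secure_boot))


def parse_summary(text):
    """Return {fuse name: {value, access, raw}} from summary text.

    Handles both one-line fields and fields whose value is printed on the
    following line (BLOCK1, BLOCK2, MAC in the thread's output).
    """
    fields, pending = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            pending, body = m.group("name"), m.group("rest")
        elif pending and line.lstrip().startswith("="):
            body = line
        else:
            continue
        v = VALUE_RE.search(body)
        if v:
            raw = v.group("raw")
            fields[pending] = {
                "value": v.group("value"),
                "access": v.group("access"),
                "raw": int(raw, 0) if raw else None,
            }
            pending = None
    return fields


def flash_encryption_enabled(cnt):
    """Odd number of set bits means the hardware decrypts flash reads."""
    return bin(cnt).count("1") % 2 == 1


def toggles_left(cnt):
    """Each burn sets one more bit, so the counter can change only this often."""
    return CNT_BITS - bin(cnt).count("1")


def preflight(fields, images_pre_encrypted):
    """List mismatches between the fuse state and the images about to be flashed."""
    problems = []
    enabled = flash_encryption_enabled(fields["FLASH_CRYPT_CNT"]["raw"])
    if images_pre_encrypted and not enabled:
        problems.append("FLASH_CRYPT_CNT has an even bit count: the chip will "
                        "not decrypt, so pre-encrypted images read as garbage")
    if enabled and not images_pre_encrypted:
        problems.append("flash encryption is active: plaintext written as-is "
                        "will be decrypted on read and will not boot")
    if images_pre_encrypted and fields["FLASH_CRYPT_CONFIG"]["raw"] != 0xF:
        # The thread burns 0xf before flashing host-encrypted images; the
        # host-side encryption and the eFuse must use the same tweak setting.
        problems.append("FLASH_CRYPT_CONFIG is not 0xf")
    if images_pre_encrypted and fields["BLOCK1"]["access"] != "-/-":
        problems.append("BLOCK1 is not read/write protected: check that the "
                        "flash encryption key was burned")
    return problems


if __name__ == "__main__":
    # Value sets reported in the thread: bricked module, new module before
    # and after the manual burn_efuse commands.
    for label, args in [("first module", (3, 15, True)),
                        ("new module", (0, 0, False)),
                        ("after manual burn", (1, 15, True))]:
        fields = parse_summary(sample(*args))
        print(label, "->", preflight(fields, images_pre_encrypted=True) or "consistent")
```

A read-protected BLOCK2 (`-/-`) together with ABS_DONE_0 set is not flagged here because the summary cannot show whether the burned key matches the one used to build the bootloader digest; that has to be tracked outside the chip.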