Question about ESP32 flash encryption and secure boot
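A question for the experts here: our product needs encryption. Is it true that once it has been flashed 3 times the module is effectively useless? Is there any method or command that can rescue it? See the images below. Thank you for your reply.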
Attachments: ESP32打印输出.png, ESP32错误.png
Re: Question about ESP32 flash encryption and secure boot
Hi xjjiang,
Have you enabled FLASH ENCRYPTION and SECURE BOOT both or only SECURE BOOT?
From the boot up log it looks like the FLASH_CRYPT_CNT is set to indicate the flash contains an encrypted image, however you seem to have programmed a plaintext image. Perhaps you have programmed the plaintext image after updating FLASH_CRYPT_CNT to 0xFF? If this is the case the device will fail to boot, since the ROM is trying to read an encrypted bootloader but flash memory has a plaintext bootloader.
From the espefuse command log it seems all the bits in FLASH_CRYPT_CNT are set (value = 0xFF) and hence you cannot further update FLASH_CRYPT_CNT, but you are still trying to do so and hence the error.
Once FLASH_CRYPT_CNT is set to 0xFF it is not possible to update flash with a new plaintext image. So there are only 3 plaintext updates possible, as mentioned in the flash encryption document.
1. Could you please provide the complete efuse dump by running the "./espefuse.py --port /dev/ttyUSB0 summary" command?
2. Another option is that with the latest esptool.py you can do an "encrypted write", i.e. the plaintext image would be written after internally encrypting, so you can have unlimited plaintext updates.
For e.g.
$ ./esptool.py --port /dev/ttyUSB0 write_flash --encrypt 0x10000 image.bin
Where image.bin is the plaintext application image.
Please run the above command with the appropriate address and application binary file. You will also have to reprogram the bootloader as well as the partition table with the above command.
Re: Question about ESP32 flash encryption and secure boot
Hi esp_Hemal:
Thank you very much for your reply!
Have you enabled FLASH ENCRYPTION and SECURE BOOT both or only SECURE BOOT?
answer: YES
Once FLASH_CRYPT_CNT is set to 0xFF it is not possible to update flash with new plaintext image. So there are only 3 plaintext update possible as mentioned in flash encryption document
answer: Is there another method to set FLASH_CRYPT_CNT to zero? JTAG?
1. Could you please provide the complete efuse dump by running "./espefuse.py --port /dev/ttyUSB0 summary" command
answer: please get the attached file
2. Another option is with the latest esptool.py you can do an "encrypted write" i.e. the plaintext image would be written after internally encrypting so you can have unlimited plaintext updates
answer: my esptool.py version is V2.6
For e.g.
$ ./esptool.py --port /dev/ttyUSB0 write_flash --encrypt 0x10000 image.bin
answer: I can write the image.bin, but it cannot run
Where image.bin is plaintext application image
Please run above command with appropriate address and application binary file. You will have to also reprogram the bootloader as well as partition table with above command
Attachments: ESP32 错误.png
Re: Question about ESP32 flash encryption and secure boot
Hi Xjjiang,
Thanks for providing the efuse dump and other information.
Unfortunately, once the efuses are programmed you cannot revert the values. So FLASH_CRYPT_CNT cannot be set to zero now, not even with JTAG. It is permanently set to 0xFF.
As mentioned before, you need to reprogram the bootloader and partition table also with the "--encrypt" option. It seems you have only reprogrammed the application image. The error you get indicates the bootloader could not be decrypted (since it seems to be in plaintext format) and hence you cannot run the code.
Could you take the latest esptool and try the encrypted write?
https://github.com/espressif/esptool
Please send me the log of programming the bootloader, partition table and application image using the write_flash --encrypt command.
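The boot failure discussed above came from rewriting only the application through the encrypted path. As an added example (not part of the thread and not esptool's own code), this shell helper builds a single `write_flash --encrypt` command covering bootloader, partition table and application, and emits nothing if an image is missing, empty, or would overlap the next one. The function names are hypothetical, and the offsets are caller-supplied and must match your own flash layout.

```shell
#!/bin/sh
# Added example: assemble one esptool.py encrypted-write command for all
# three images. It only prints the command; nothing is flashed here.

# file_size FILE -> size in bytes
file_size() { wc -c < "$1" | tr -d ' '; }

# build_encrypted_flash_cmd PORT BL_OFF BL_BIN PT_OFF PT_BIN APP_OFF APP_BIN
# (hypothetical helper name; offsets are hex or decimal, in ascending order)
# Prints the command on stdout. Returns non-zero when an image is missing
# or empty, or when an image would run into the next offset.
# Paths containing spaces are not supported by this sketch.
build_encrypted_flash_cmd() {
    [ "$#" -eq 7 ] || { echo "need port + 3 offset/file pairs" >&2; return 2; }
    port=$1; shift
    prev_end=0
    args=""
    while [ "$#" -gt 0 ]; do
        off=$1; img=$2; shift 2
        [ -s "$img" ] || { echo "missing or empty image: $img" >&2; return 1; }
        start=$(($off))
        [ "$start" -ge "$prev_end" ] || {
            echo "image at $off overlaps the previous image" >&2; return 1; }
        prev_end=$((start + $(file_size "$img")))
        args="$args $off $img"
    done
    # --encrypt applies to every offset/file pair on the command line
    echo "./esptool.py --port $port write_flash --encrypt$args"
}
```

Review the printed command before running it; the overlap check matters because a bootloader built with secure boot enabled is larger and can run into the partition table offset.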
Re: Question about ESP32 flash encryption and secure boot
Hi esp_Hemal:
Thanks for your suggestion. When I download following your option, it gets stuck at 22% every time, and then esptool shows a download timeout. I have tried many times.
I am looking forward to your reply. Thanks!
Attachments: Error.png
Re: Question about ESP32 flash encryption and secure boot
Hi esp_Hemal:
In addition, is there a method where I encrypt the plaintext on the PC and download the encrypted file to the ESP32?