encryption is working on one device not other
1-
Device #1 works but Device #2 is not working. Device #2 works without encryption.
I am using the same key to burn the efuse, but they look different. Also, CODING_SCHEME is different. Kindly help me.
Device #1 is working (WROOM)
espefuse.py --port COM182 summary
ABS_DONE_0 secure boot enabled for bootloader = 0 R/W (0x0)
ABS_DONE_1 secure boot abstract 1 locked = 0 R/W (0x0)
CODING_SCHEME Efuse variable block length scheme = 0 R/W (0x0)
espefuse.py --port COM182 dump
EFUSE block 0:
00710080 a41d3960 007b30ae 00008000 00000036 f0000000 00000004
EFUSE block 1:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
EFUSE block 2:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
EFUSE block 3:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
2-
Device #2 is not booting (WROVER)
espefuse.py --port COM184 summary
ABS_DONE_0 secure boot enabled for bootloader = 1 R/W (0x1)
ABS_DONE_1 secure boot abstract 1 locked = 0 R/W (0x0)
CODING_SCHEME Efuse variable block length scheme = 1 R/W (0x1)
espefuse.py --port COM184 dump
EFUSE block 0:
00710080 2dc914d9 00b1b4e6 0000e000 00000235 f0000000 00000015
EFUSE block 1:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
EFUSE block 2:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
EFUSE block 3:
00000000 00000000 00000000 f5c0fd06 00000000 00000000 00000000 00000000
I ran these commands against both devices to burn the same key
espefuse.py --port COM184 burn_key flash_encryption acti_flash_encryption_key.bin
Maybe this command only against Device #2
espefuse.py --port COM184 burn_efuse ABS_DONE_0 1
Thanks,
Naeem
Re: encryption is working on one device not other
Now I set block 2 with my encryption key for working Device #1
espefuse.py --port COM182 burn_key --no-protect-key BLK2 acti_flash_encryption_key.bin
I tried to set
espefuse.py --port COM182 burn_key --no-protect-key BLK1 acti_flash_encryption_key.bin
no luck.
now
espefuse.py --port COM182 dump
EFUSE block 0:
00710080 a41d3960 007b30ae 00008000 00000036 f0000000 00000004
EFUSE block 1:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
EFUSE block 2:
11c1eae6 256e9a77 8c5f49a2 04116324 79f20ae5 cd41b677 b84a3771 290bef6e
EFUSE block 3:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Before I go further, I need someone's input. I already disabled encryption by incrementing the count once on my non-working second device. I do not want to lose it. I only have 2 tries left.
Re: encryption is working on one device not other
My script is this. It works on Device #1 but not on Device #2.
I used the same key for both bootloader and main application to encrypt.
partitions="partitions.bin"
firmware="W2K-1-Release.bin"
port="COM182"
baud="921600"
flash_key="acti_flash_encryption_key.bin"
echo "encrypting bootloader"
espsecure.py encrypt_flash_data --keyfile $flash_key --output ./build/encrypted-bootloader.bin --address 0x1000 ./build/bootloader/bootloader.bin
echo "Encrypting partitions"
espsecure.py encrypt_flash_data --keyfile $flash_key --output ./build/encrypted-$partitions --address 0x8000 ./build/$partitions
echo "encrypting firmware"
espsecure.py encrypt_flash_data --keyfile $flash_key --output ./build/encrypted-$firmware --address 0x10000 ./build/$firmware
echo "uploading files"
esptool.py --port $port --baud $baud write_flash 0x1000 ./build/encrypted-bootloader.bin 0x8000 ./build/encrypted-$partitions 0x10000 ./build/encrypted-$firmware
I am encrypting all flash partitions.
Re: encryption is working on one device not other
My Device #2 is showing
espefuse.py --port COM184 summary
FLASH_CRYPT_CNT Flash encryption mode counter = 15 R/W (0xf)
FLASH_CRYPT_CONFIG Flash encryption config (key tweak bits) = 15 R/W (0xf)
I have reached the limit, so I cannot do any more make flash, that is, upload a non-encrypted bin via serial.
Now I am getting this from make monitor:
rst:0x10 (RTCWDT_RTC_RESET),boot:0x3f (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0018,len:4
load:0x3fff001c,len:5844
load:0x40078000,len:7796
ho 0 tail 12 room 4
load:0x40080400,len:7376
secure boot check fail
ets_main.c 371
Have I reached my device limit?
Re: encryption is working on one device not other
Unfortunately we don't currently support flash encryption and secure boot on 3/4 Coding Scheme ("CODING_SCHEME Efuse variable block length scheme = 1").
A small number of WROVER modules were shipped with this coding scheme. They are no longer being shipped with this coding scheme.
Support for 3/4 Coding Scheme in ESP-IDF will be added soon. Unfortunately, any devices which already have keys burned will probably not be able to be used.
If you have a significant number of modules with 3/4 Coding Scheme, please PM me on the forum and we'll work out a solution.
Re: encryption is working on one device not other
OK, thanks for the information. I believe flash encryption does not work on ESP32 WROVER only.
I still want to use my device without encryption. I thought I could still use the device after encryption is permanently disabled after 4 retries.
espefuse.py --port COM184 burn_efuse FLASH_CRYPT_CNT
No luck. make monitor is getting this:
rst:0x10 (RTCWDT_RTC_RESET),boot:0x3f (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371
My summary of efuse is
espefuse.py --port COM184 summary
FLASH_CRYPT_CNT Flash encryption mode counter = 127 R/W (0x7f)
FLASH_CRYPT_CONFIG Flash encryption config (key tweak bits) = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE Disable ROM BASIC interpreter fallback = 1 R/- (0x1)
ABS_DONE_0 secure boot enabled for bootloader = 1 R/W (0x1)
ABS_DONE_1 secure boot abstract 1 locked = 0 R/W (0x0)
JTAG_DISABLE Disable JTAG = 0 R/W (0x0)
DISABLE_DL_ENCRYPT Disable flash encryption in UART bootloader = 0 R/- (0x0)
DISABLE_DL_DECRYPT Disable flash decryption in UART bootloader = 1 R/- (0x1)
DISABLE_DL_CACHE Disable flash cache in UART bootloader = 0 R/- (0x0)
Re: encryption is working on one device not other
ESP_Angus wrote: Unfortunately we don't currently support flash encryption and secure boot on 3/4 Coding Scheme ("CODING_SCHEME Efuse variable block length scheme = 1").
A small number of WROVER modules were shipped with this coding scheme. They are no longer being shipped with this coding scheme.
Support for 3/4 Coding Scheme in ESP-IDF will be added soon. Unfortunately, any devices which already have keys burned will probably not be able to be used.
If you have a significant number of modules with 3/4 Coding Scheme, please PM me on the forum and we'll work out a solution.
We want to use flash encryption with the WROVER module. When will the ESP-IDF SDK (version ?) support 3/4 Coding Scheme? I guess ESP-IDF version=3.2 will support flash encryption on WROVER. Any release dates, or can I use an alpha/beta version of the SDK? How do I check my SDK version?
Can you explain the difference between WROOM and WROVER coding_scheme? Any documentation?
Can we use a WROOM module and solder on external RAM ourselves?
Can we set efuse CODING_SCHEME=0 on the board somehow, or programmatically via C/C++?
Re: encryption is working on one device not other
snahmad75 wrote: We want to use flash encryption with WROVER module.
Only some WROVER modules were shipped with 3/4 Coding Scheme. If you can source new modules then they won't have this coding scheme. If you speak to Espressif sales then they can help you with this, or I can put you in touch.
snahmad75 wrote: When ESP-IDF SDK (version ?) will support 3/4 Coding Scheme. I guess ESP-IDF version=3.2 will support flash encryption on WROVER . any release dates or can I use alpha/beta version of SDK. how i check my SDK version.
It's planned for v3.2 but this support is not available right now. I'll update this topic once it is.
snahmad75 wrote: Can you explain difference between wroom and WROVER coding_scheme. any documentation?
There is some documentation in the ESP32 TRM. It's to do with the internal representation of efuse bits for BLK1, BLK2, BLK3 which are used for key storage. It doesn't change any other features of the chip.
snahmad75 wrote: Can we use wroom module and solder out external RAM our self.
You could, or you can swap the ESP32 chip on an existing WROVER module. The easiest approach is probably to source new WROVER module(s) as mentioned.
snahmad75 wrote: Can we set efuse CODING_SCHEME=0 on the board some how or programmatic via c/C++
I'm afraid not. efuses can only be changed 0->1.
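Added example, not part of the original thread and not Espressif code: a pre-burn check that decodes the BLK0 line of an `espefuse.py dump` and flags the conditions discussed above. The bit positions, the odd/even rule for FLASH_CRYPT_CNT and the 24-byte key capacity under 3/4 coding are assumptions taken from the ESP32 eFuse register layout and ESP-IDF documentation, not from the posts; the two sample lines are the BLK0 dumps posted earlier in this thread.

```python
# Decode security eFuses from the BLK0 line of `espefuse.py dump` (added example).
# Bit positions follow the ESP32 eFuse register layout (assumed, not in the thread):
#   word 0 bits 20-26 FLASH_CRYPT_CNT    word 5 bits 28-31 FLASH_CRYPT_CONFIG
#   word 6 bits 0-1   CODING_SCHEME      word 6 bit 4      ABS_DONE_0
KEY_BLOCK_BYTES = {0: 32, 1: 24}  # usable key bytes in BLK1-3: none / 3/4 scheme


def flash_encryption_enabled(flash_crypt_cnt):
    """Encryption is on when an odd number of the 7 counter bits is burned."""
    return bin(flash_crypt_cnt & 0x7F).count("1") % 2 == 1


def decode_blk0(line):
    """Parse the seven hex words printed under 'EFUSE block 0:'."""
    words = [int(w, 16) for w in line.split()]
    if len(words) != 7:
        raise ValueError("EFUSE block 0 must have 7 words, got %d" % len(words))
    return {
        "FLASH_CRYPT_CNT": (words[0] >> 20) & 0x7F,
        "FLASH_CRYPT_CONFIG": (words[5] >> 28) & 0xF,
        "CODING_SCHEME": words[6] & 0x3,
        "ABS_DONE_0": (words[6] >> 4) & 0x1,
    }


def preflight(fields, key_len=32):
    """Return warnings to review before burning a key_len-byte key (empty = none)."""
    problems = []
    capacity = KEY_BLOCK_BYTES.get(fields["CODING_SCHEME"])
    if capacity is None:
        problems.append("unrecognised CODING_SCHEME %d" % fields["CODING_SCHEME"])
    elif key_len > capacity:
        problems.append("CODING_SCHEME=%d: key block holds %d bytes, key file has %d"
                        % (fields["CODING_SCHEME"], capacity, key_len))
    if fields["FLASH_CRYPT_CNT"] == 0x7F:
        problems.append("FLASH_CRYPT_CNT exhausted: encryption can never be turned off")
    return problems


# BLK0 lines copied from the two dumps posted in this thread.
DEVICE_1 = "00710080 a41d3960 007b30ae 00008000 00000036 f0000000 00000004"
DEVICE_2 = "00710080 2dc914d9 00b1b4e6 0000e000 00000235 f0000000 00000015"

if __name__ == "__main__":
    for name, line in (("Device #1", DEVICE_1), ("Device #2", DEVICE_2)):
        fields = decode_blk0(line)
        print(name, fields, "encrypted:",
              flash_encryption_enabled(fields["FLASH_CRYPT_CNT"]),
              "problems:", preflight(fields))
```

On the summary values posted later in the thread, flash_encryption_enabled(15) is False and flash_encryption_enabled(127) is True: with all seven bits burned the count is odd and no bit is left to flip it back.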
Re: encryption is working on one device not other
If we use the ESP-WROVER-B, will flash encryption work?
Will ESP-WROVER-B have efuse CODING_SCHEME=0?
The documentation also says ESP-WROVER-B supports OTA encrypted bin. Is this true?
We found out I need to use an unencrypted bin for OTA. When we do the OTA write, it needs to be not encrypted.
Hi Angus,
Do reply. We are waiting for your reply so we can order ESP WROVER in bulk from the distributor. We already sorted out the distributor from where we are buying it.
Re: encryption is working on one device not other
Can you urgently answer these two questions:
If we use the ESP-WROVER-B, will flash encryption work?
Will ESP-WROVER-B have efuse CODING_SCHEME=0?