Start conditions:
1. We have a pre-signed and pre-encrypted binary for the bootloader, partition table, and factory app.
2. We are using 192-bit keys for flash encryption and secure boot.
3. We need to burn some additional eFuse parameters that are not listed in the security.conf file or in this part of the manual:
- burn_efuse FLASH_CRYPT_CONFIG 0xF
- burn_efuse CODING_SCHEME 1
- burn_efuse FLASH_CRYPT_CNT
- write_protect_efuse FLASH_CRYPT_CNT
- burn_efuse CONSOLE_DEBUG_DISABLE
- burn_efuse ABS_DONE_0
4. Also, we need to log all console out from espefuse.py and esptool.py to separate files for every controller (_MAC_ADDRESS_-flash.log and _MAC_ADDRESS_-efuse.log for example).
Now we are using this bash script to flash the FW and burn the eFuses. There is no handling of esptool and espefuse exit codes yet; it works fine, but only for a single-programmer setup.
#!/bin/bash
# --- Site-specific settings: esptool checkout and programmer serial port ---
ESP_TOOL_PATH='/home/user/esptool'
FLASH_CONN_PARAM=' --chip esp32 --port /dev/ttyUSB1 --baud 2000000'
# This value is appended directly to ESP_TOOL_PATH, hence the leading slash.
# --do-not-confirm switches off espefuse.py's confirmation prompt, so every
# eFuse burn issued by this script is written without asking the operator.
EFUSE_CONN_PARAM='/espefuse.py -b 115200 -p /dev/ttyUSB1 --do-not-confirm'

# --- Fixed settings, do not edit ---
# These strings are concatenated onto the command line without a separator,
# so the leading space in each value is significant.
RESET_PARAM=' --before default_reset --after hard_reset '
FLASH_PARAM=' -z --flash_mode dio --flash_freq 40m --flash_size detect'
# Offset/image pairs handed to write_flash (pre-signed, pre-encrypted images).
PAYLOAD=' 0x0 fw/enc/bootloader-digest_192_enc_192.bin 0x8000 fw/enc/partitions_16MB_sign_enc_192.bin 0x10000 fw/enc/firmware_sign_enc_192.bin'
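#######################################
# Runs one espefuse.py operation and frames it for the per-device log:
# timestamp, tool output, exit status, separator line.
# Globals:   ESP_TOOL_PATH, EFUSE_CONN_PARAM (read)
# Arguments: the espefuse.py sub-command and its arguments
# Returns:   the exit status of espefuse.py
#######################################
function _efuse_step {
  local rc=0
  date "+%F %T.%3N %z"
  # Unquoted on purpose: EFUSE_CONN_PARAM holds the script name plus several
  # options and has to be split into separate words.
  $ESP_TOOL_PATH$EFUSE_CONN_PARAM "$@" || rc=$?
  echo "Exit Code: $rc"
  echo "========================"
  return "$rc"
}

#######################################
# Burns the flash-encryption and secure-boot keys and the related eFuses of
# the chip on the configured port, logging to LOGS/<MAC>_efuse.log.
#
# eFuse writes cannot be undone and espefuse.py runs with --do-not-confirm,
# so the sequence stops at the first step that fails instead of burning the
# remaining fuses (FLASH_CRYPT_CNT, ABS_DONE_0, ...) on top of an unknown
# state. The log shows which step failed.
#
# NOTE(review): the key files under crypt/ are the same for every unit this
# script provisions, and the per-device logs capture everything espefuse.py
# prints. Confirm that the installed espefuse.py does not echo key bytes for
# burn_key, and restrict access to crypt/ and LOGS/ on the provisioning host.
#
# Globals:   ESP_TOOL_PATH, FLASH_CONN_PARAM, EFUSE_CONN_PARAM (read)
# Outputs:   appends to LOGS/efuse.log and LOGS/<MAC>_efuse.log
# Returns:   0 if every eFuse step succeeded, non-zero otherwise
#######################################
function burn_efuse {
  local mac_dotted mac log rc=0 saved_out saved_err
  local -r mac_re='^[0-9A-Fa-f]{12}$'

  mac_dotted=$($ESP_TOOL_PATH/esptool.py$FLASH_CONN_PARAM flash_id | grep MAC | cut -c 6-)
  mac="${mac_dotted//:}"
  # The MAC identifies the target and becomes part of a file name; refuse to
  # burn anything when the chip did not answer or the output is unexpected.
  if [[ ! $mac =~ $mac_re ]]; then
    echo "burn_efuse: no valid MAC read from the target, no eFuse was burned" >&2
    return 1
  fi

  mkdir -p LOGS || return 1
  log="LOGS/${mac}_efuse.log"
  printf '%s %s\n' "$mac" "$(date "+%F %T.%3N %z")" >> LOGS/efuse.log

  # Keep the caller's stdout/stderr so they can be restored afterwards even
  # when no terminal is attached, then mirror both streams into the log.
  exec {saved_out}>&1 {saved_err}>&2
  exec > >(tee -ia "$log")
  exec 2> >(tee -ia "$log" >&2)

  echo "========================"
  echo "burn_efuse script START"
  echo "TARGET: $mac"
  echo "========================"

  # Same order as before; the && chain skips everything after a failure.
  _efuse_step burn_efuse FLASH_CRYPT_CONFIG 0xF &&
    _efuse_step burn_efuse CODING_SCHEME 1 &&
    _efuse_step burn_key flash_encryption crypt/flash_encryption_key_192.bin &&
    _efuse_step burn_key secure_boot crypt/secure_boot_digest_private_key_192.bin &&
    _efuse_step burn_efuse FLASH_CRYPT_CNT &&
    _efuse_step write_protect_efuse FLASH_CRYPT_CNT &&
    _efuse_step burn_efuse DISABLE_DL_ENCRYPT &&
    _efuse_step burn_efuse DISABLE_DL_DECRYPT &&
    _efuse_step burn_efuse DISABLE_DL_CACHE &&
    _efuse_step burn_efuse JTAG_DISABLE &&
    _efuse_step burn_efuse CONSOLE_DEBUG_DISABLE &&
    _efuse_step burn_efuse ABS_DONE_0 || rc=$?

  if ((rc == 0)); then
    echo "burn_efuse script END"
  else
    echo "burn_efuse script ABORTED: espefuse.py failed, remaining steps skipped"
  fi
  date "+%F %T.%3N %z"
  echo "========================"
  echo -e '\n'
  echo "########################"
  echo -e '\n'

  # Stop logging: hand stdout/stderr back to the caller and drop the copies.
  exec 1>&"$saved_out" 2>&"$saved_err" {saved_out}>&- {saved_err}>&-

  if ((rc != 0)); then
    return "$rc"
  fi

  # Leave the bootloader and start the application (output is not logged).
  $ESP_TOOL_PATH/esptool.py$FLASH_CONN_PARAM run
  echo -e '\n'
  echo "########################"
  echo -e '\n'
  return 0
}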
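#######################################
# Erases the flash of the chip on the configured port and writes the
# pre-signed, pre-encrypted images listed in PAYLOAD, logging to
# LOGS/<MAC>_flash.log.
#
# The exit status of each esptool.py call is captured right after the call,
# so the logged "Exit Code" is the tool's status and not that of the
# separator echo in between. The write is skipped when the erase failed.
#
# Globals:   ESP_TOOL_PATH, FLASH_CONN_PARAM, RESET_PARAM, FLASH_PARAM,
#            PAYLOAD (read)
# Outputs:   appends to LOGS/flash.log and LOGS/<MAC>_flash.log
# Returns:   0 if erase and write succeeded, non-zero otherwise
#######################################
function flash_fw {
  local mac_dotted mac log erase_rc=0 write_rc=0 saved_out saved_err
  local -r mac_re='^[0-9A-Fa-f]{12}$'

  mac_dotted=$($ESP_TOOL_PATH/esptool.py$FLASH_CONN_PARAM flash_id | grep MAC | cut -c 6-)
  mac="${mac_dotted//:}"
  # The MAC names the per-device log; without a valid one the target is
  # unknown, so do not touch its flash.
  if [[ ! $mac =~ $mac_re ]]; then
    echo "flash_fw: no valid MAC read from the target, flash left untouched" >&2
    return 1
  fi

  mkdir -p LOGS || return 1
  log="LOGS/${mac}_flash.log"
  printf '%s %s\n' "$mac" "$(date "+%F %T.%3N %z")" >> LOGS/flash.log

  # Keep the caller's stdout/stderr so they can be restored afterwards even
  # when no terminal is attached, then mirror both streams into the log.
  exec {saved_out}>&1 {saved_err}>&2
  exec > >(tee -ia "$log")
  exec 2> >(tee -ia "$log" >&2)

  echo "========================"
  echo "flash_fw script START"
  echo "TARGET: $mac"
  date "+%F %T.%3N %z"
  echo "========================"
  echo "ERASE FLASH START"
  date "+%F %T.%3N %z"
  echo "========================"
  # Unquoted on purpose: the *_PARAM strings carry several words each.
  $ESP_TOOL_PATH/esptool.py$FLASH_CONN_PARAM erase_flash || erase_rc=$?
  echo "========================"
  echo "ERASE FLASH END, Exit Code: $erase_rc"
  date "+%F %T.%3N %z"
  echo "========================"

  if ((erase_rc == 0)); then
    echo "WRITE FLASH START"
    date "+%F %T.%3N %z"
    echo "========================"
    $ESP_TOOL_PATH/esptool.py$FLASH_CONN_PARAM$RESET_PARAM write_flash$FLASH_PARAM$PAYLOAD || write_rc=$?
    echo "========================"
    echo "WRITE FLASH END, Exit Code: $write_rc"
    date "+%F %T.%3N %z"
    echo "========================"
  else
    echo "WRITE FLASH SKIPPED: erase failed"
    echo "========================"
  fi

  # End-of-run label kept exactly as it appears in existing logs.
  echo "flash_pix script END"
  date "+%F %T.%3N %z"
  echo "========================"
  echo -e '\n'
  echo "########################"
  echo -e '\n'

  # Stop logging: hand stdout/stderr back to the caller and drop the copies.
  exec 1>&"$saved_out" 2>&"$saved_err" {saved_out}>&- {saved_err}>&-

  if ((erase_rc != 0)); then
    return "$erase_rc"
  fi
  return "$write_rc"
}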
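# Interactive front end: asks once how menu choices are confirmed, then loops
# over the action menu until the operator picks EXIT or input ends.
echo "====================================="
echo "Choose action comfirmation type:"
echo "1) execute immediately"
echo "2) press <ENTER> to comfirm"
echo "====================================="
echo -e "Please type code and press <ENTER> \c"
# A failed read means stdin was closed; leave instead of looping forever.
read -r conf_type || exit 1
echo "Action comfirmation type: $conf_type"
while :; do
  echo "=== WHAT I CAN DO FOR YOU, MASTER? ==="
  echo "1) flash fw"
  echo "2) burn eFuse"
  echo "3) flash fw & burn eFuse"
  echo "4) EXIT"
  echo "====================================="
  if [[ $conf_type == 1 ]]; then
    # Single keypress, no <ENTER> needed.
    echo -e "Please type code \c"
    read -r -n 1 c || exit 1
    echo ''
  else
    echo -e "Please type code and press <ENTER> \c"
    read -r c || exit 1
  fi
  # Quoted so that input such as "*" is echoed literally, not glob-expanded.
  echo "executing code: $c"
  case "$c" in
    1) flash_fw ;;
    2) burn_efuse ;;
    # eFuses are burned first; flash only if burn_efuse reports success.
    3) burn_efuse && flash_fw ;;
    4) exit ;;
  esac
done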
It looks like FLASH_DOWNLOAD_TOOL requires unsigned and unencrypted bin images and will re-sign and re-encrypt them every time. It is also not clear whether it can burn additional eFuses and work with 192-bit keys.
So, the questions are:
1. Can FLASH_DOWNLOAD_TOOL be configured for our conditions?
2. If not - can you provide the source code of FLASH_DOWNLOAD_TOOL for customization.
3. Additional question - we are using the ESP-prog programmer, from Linux PC we can flash at 2M baud, but from WIN10 PC only 1.152.000 baud can be chosen. Is it possible to set up higher baud rate on WIN10 PC?