After reading so much on the forum and getting help from ESP admins and mods, I have written a simple BAT script to burn the required fuses to protect the ESP, in case someone wants to burn pre-flashed keys.
Please replace:
<PORT> with your actual connected port
<KEY> with the path to your Key.bin
Remove ::*** from 2 lines if you want to disable UART DOWNLOAD mode (recommended)
Please note that once you protect FLASH_CRYPT_CNT, the status of UART Download Mode also gets frozen.
Script:
espefuse.py -p <PORT> burn_efuse FLASH_CRYPT_CNT 1 --do-not-confirm
espefuse.py -p <PORT> burn_efuse FLASH_CRYPT_CONFIG 0xF --do-not-confirm
espefuse.py -p <PORT> burn_efuse DISABLE_DL_ENCRYPT 1 --do-not-confirm
espefuse.py -p <PORT> burn_efuse DISABLE_DL_DECRYPT 1 --do-not-confirm
espefuse.py -p <PORT> burn_efuse DISABLE_DL_CACHE 1 --do-not-confirm
espefuse.py -p <PORT> burn_efuse JTAG_DISABLE 1 --do-not-confirm
espefuse.py -p <PORT> burn_key flash_encryption <KEY> --do-not-confirm
:: This is Pre-Burnt
espefuse.py -p <PORT> burn_efuse CONSOLE_DEBUG_DISABLE 1 --do-not-confirm
:: Burn this if you want to disable UART Download (Recommended)
:: *** espefuse.py -p <PORT> burn_efuse UART_DOWNLOAD_DIS 1 --do-not-confirm
::Write Protecting FLASH_CRYPT_CNT & UART_DOWNLOAD_DIS
:: *** espefuse.py -p <PORT> write_protect_efuse FLASH_CRYPT_CNT --do-not-confirm
::Write Protecting FLASH_CRYPT_CONFIG (which also protects : CODING_SCHEME, KEY_STATUS, BLK3_PART_RESERVE)
:: espefuse.py -p <PORT> write_protect_efuse FLASH_CRYPT_CONFIG --do-not-confirm
1. Is it required to write-protect the fuses?
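A read-back check for the script above, as an added example that is not part of the original post: it audits a fuse summary saved as JSON against the values the script burns and reports fuses that are unset or still writeable. It assumes the summary comes from `espefuse.py summary --format json` with per-fuse `value` and `writeable` fields; the sample data is constructed.

```python
import json

# Fuses the script above burns, with the value each should read back.
EXPECTED = {
    "FLASH_CRYPT_CNT": 1,
    "FLASH_CRYPT_CONFIG": 0xF,
    "DISABLE_DL_ENCRYPT": 1,
    "DISABLE_DL_DECRYPT": 1,
    "DISABLE_DL_CACHE": 1,
    "JTAG_DISABLE": 1,
    "CONSOLE_DEBUG_DISABLE": 1,
    "UART_DOWNLOAD_DIS": 1,
}
# Fuses the script write-protects once its optional lines are enabled.
WRITE_PROTECTED = ("FLASH_CRYPT_CNT", "FLASH_CRYPT_CONFIG")


def audit(summary):
    """Return a list of findings; an empty list means the device matches."""
    findings = []
    for name, want in EXPECTED.items():
        fuse = summary.get(name)
        if fuse is None:
            findings.append(f"{name}: not present in summary")
        elif int(fuse["value"]) != want:
            findings.append(f"{name}: value {fuse['value']!r}, expected {want}")
    for name in WRITE_PROTECTED:
        if summary.get(name, {}).get("writeable", True):
            findings.append(f"{name}: still writeable")
    return findings


# Constructed sample in the assumed JSON layout (only the fields used here):
# the optional lines were left commented out, so nothing is locked yet.
SAMPLE_JSON = """{
 "FLASH_CRYPT_CNT": {"value": 1, "writeable": true},
 "FLASH_CRYPT_CONFIG": {"value": 15, "writeable": true},
 "DISABLE_DL_ENCRYPT": {"value": true, "writeable": true},
 "DISABLE_DL_DECRYPT": {"value": true, "writeable": true},
 "DISABLE_DL_CACHE": {"value": true, "writeable": true},
 "JTAG_DISABLE": {"value": true, "writeable": true},
 "CONSOLE_DEBUG_DISABLE": {"value": true, "writeable": true},
 "UART_DOWNLOAD_DIS": {"value": false, "writeable": true}
}"""

if __name__ == "__main__":
    for line in audit(json.loads(SAMPLE_JSON)):
        print(line)
```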