Cannot disable flash encryption after enabling it in development mode

Postby minhbka » Mon Dec 18, 2023 3:38 am

Hi everybody,
I am testing with flash encryption for ESP32 using ESP-IDF version 4.4.
I have enabled flash encryption in development and test mode following the instructions in the ESP-IDF sample flash_encryption project.
Now I want to disable flash encryption. I have followed the steps as per the instructions at the following link: https://docs.espressif.com/projects/esp ... encryption
The result I received from the command line is:

Code:

A fatal error occurred: New value required for efuse 'FLASH_CRYPT_CNT' (given None).

When I set the value for FLASH_CRYPT_CNT to 2 with the command:

Code:

espefuse.py burn_efuse FLASH_CRYPT_CNT 2

the result I received is:

Code:

The efuses to burn:
  from BLOCK0
     - FLASH_CRYPT_CNT

Burning efuses:

    - 'FLASH_CRYPT_CNT' (Flash encryption is enabled if this field has an odd number of bits set) 0b0000001 -> 0b0000010

A fatal error occurred:         New value contains some bits that cannot be cleared (value will be 0b0000011)

Then I retrieved the espefuse summary (espefuse.py summary) and got the results below:

Code:

espefuse.py v4.6.2
Connecting..........
Detecting chip type... Unsupported detection protocol, switching and trying again...
Connecting..........
Detecting chip type... ESP32

=== Run "summary" command ===
EFUSE_NAME (Block) Description  = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Calibration fuses:
ADC_VREF (BLOCK0)                                  True ADC reference voltage                         = 1107 R/W (0b00001)

Config fuses:
WR_DIS (BLOCK0)                                    Efuse write disable mask                           = 128 R/W (0x0080)
RD_DIS (BLOCK0)                                    Disable reading from BlOCK1-3                      = 1 R/W (0x1)
DISABLE_APP_CPU (BLOCK0)                           Disables APP CPU                                   = False R/W (0b0)
DISABLE_BT (BLOCK0)                                Disables Bluetooth                                 = False R/W (0b0)
DIS_CACHE (BLOCK0)                                 Disables cache                                     = False R/W (0b0)
CHIP_CPU_FREQ_LOW (BLOCK0)                         If set alongside EFUSE_RD_CHIP_CPU_FREQ_RATED; the = False R/W (0b0)
                                                    ESP32's max CPU frequency is rated for 160MHz. 24
                                                   0MHz otherwise
CHIP_CPU_FREQ_RATED (BLOCK0)                       If set; the ESP32's maximum CPU frequency has been = True R/W (0b1)
                                                    rated
BLK3_PART_RESERVE (BLOCK0)                         BLOCK3 partially served for ADC calibration data   = False R/W (0b0)
CLK8M_FREQ (BLOCK0)                                8MHz clock freq override                           = 54 R/W (0x36)
VOL_LEVEL_HP_INV (BLOCK0)                          This field stores the voltage level for CPU to run = 0 R/W (0b00)
                                                    at 240 MHz; or for flash/PSRAM to run at 80 MHz.0
                                                   x0: level 7; 0x1: level 6; 0x2: level 5; 0x3: leve
                                                   l 4. (RO)
CODING_SCHEME (BLOCK0)                             Efuse variable block length scheme
   = NONE (BLK1-3 len=256 bits) R/W (0b00)
CONSOLE_DEBUG_DISABLE (BLOCK0)                     Disable ROM BASIC interpreter fallback             = True R/W (0b1)
DISABLE_SDIO_HOST (BLOCK0)                                                                            = False R/W (0b0)
DISABLE_DL_CACHE (BLOCK0)                          Disable flash cache in UART bootloader             = True R/W (0b1)

Flash fuses:
FLASH_CRYPT_CNT (BLOCK0)                           Flash encryption is enabled if this field has an o = 1 R/W (0b0000001)
                                                   dd number of bits set
FLASH_CRYPT_CONFIG (BLOCK0)                        Flash encryption config (key tweak bits)           = 15 R/W (0xf)

Identity fuses:
CHIP_PACKAGE_4BIT (BLOCK0)                         Chip package identifier #4bit                      = False R/W (0b0)
CHIP_PACKAGE (BLOCK0)                              Chip package identifier                            = 0 R/W (0b000)
CHIP_VER_REV1 (BLOCK0)                             bit is set to 1 for rev1 silicon                   = True R/W (0b1)
CHIP_VER_REV2 (BLOCK0)                                                                                = False R/W (0b0)
WAFER_VERSION_MINOR (BLOCK0)                                                                          = 0 R/W (0b00)
WAFER_VERSION_MAJOR (BLOCK0)                       calc WAFER VERSION MAJOR from CHIP_VER_REV1 and CH = 1 R/W (0b001)
                                                   IP_VER_REV2 and apb_ctl_date (read only)
PKG_VERSION (BLOCK0)                               calc Chip package = CHIP_PACKAGE_4BIT << 3 + CHIP_ = 0 R/W (0x0)
                                                   PACKAGE (read only)

Jtag fuses:
JTAG_DISABLE (BLOCK0)                              Disable JTAG                                       = True R/W (0b1)

Mac fuses:
MAC (BLOCK0)                                       MAC address
   = ac:67:b2:3c:62:7c (CRC 0x02 OK) R/W
MAC_CRC (BLOCK0)                                   CRC8 for MAC address                               = 2 R/W (0x02)
MAC_VERSION (BLOCK3)                               Version of the MAC field                           = 0 R/W (0x00)

Security fuses:
UART_DOWNLOAD_DIS (BLOCK0)                         Disable UART download mode. Valid for ESP32 V3 and = False R/W (0b0)
                                                    newer; only
ABS_DONE_0 (BLOCK0)                                Secure boot V1 is enabled for bootloader image     = False R/W (0b0)
ABS_DONE_1 (BLOCK0)                                Secure boot V2 is enabled for bootloader image     = False R/W (0b0)
DISABLE_DL_ENCRYPT (BLOCK0)                        Disable flash encryption in UART bootloader        = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0)                        Disable flash decryption in UART bootloader        = True R/W (0b1)
KEY_STATUS (BLOCK0)                                Usage of efuse block 3 (reserved)                  = False R/W (0b0)
SECURE_VERSION (BLOCK3)                            Secure version for anti-rollback                   = 0 R/W (0x00000000)
BLOCK1 (BLOCK1)                                    Flash encryption key
   = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK2 (BLOCK2)                                    Security boot key
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK3 (BLOCK3)                                    Variable Block 3
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Spi Pad fuses:
SPI_PAD_CONFIG_HD (BLOCK0)                         read for SPI_pad_config_hd                         = 0 R/W (0b00000)
SPI_PAD_CONFIG_CLK (BLOCK0)                        Override SD_CLK pad (GPIO6/SPICLK)                 = 0 R/W (0b00000)
SPI_PAD_CONFIG_Q (BLOCK0)                          Override SD_DATA_0 pad (GPIO7/SPIQ)                = 0 R/W (0b00000)
SPI_PAD_CONFIG_D (BLOCK0)                          Override SD_DATA_1 pad (GPIO8/SPID)                = 0 R/W (0b00000)
SPI_PAD_CONFIG_CS0 (BLOCK0)                        Override SD_CMD pad (GPIO11/SPICS0)                = 0 R/W (0b00000)

Vdd fuses:
XPD_SDIO_REG (BLOCK0)                              read for XPD_SDIO_REG                              = False R/W (0b0)
XPD_SDIO_TIEH (BLOCK0)                             If XPD_SDIO_FORCE & XPD_SDIO_REG                   = 1.8V R/W (0b0)
XPD_SDIO_FORCE (BLOCK0)                            Ignore MTDI pin (GPIO12) for VDD_SDIO on reset     = False R/W (0b0)

Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V)

As you can see, FLASH_CRYPT_CNT remains enabled (value: 1), which means flash encryption is not disabled.

Could you please help me to disable it?
Thank you

Postby ESP_Sprite » Mon Dec 18, 2023 5:12 am

Base issue is that you cannot 'un-burn' eFuse bits. You initially set it to 0001 (1), and you want to set it to 0010 (2), which requires 'un-burning' the 1st fuse. You probably want to set it to 0011 (3) instead.
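
The burn rule described in the reply above, as an added example that is not part of the original post and is not espefuse.py's own code: a small Python model of a one-time-programmable field where bits only go from 0 to 1, using the 7-bit width and the odd-parity rule shown in the summary output. The function names are hypothetical, and picking the lowest unburned bit is an assumption of this sketch (any unburned bit flips the parity).

```python
"""Model of burning the one-time-programmable FLASH_CRYPT_CNT field (added example)."""

FIELD_BITS = 7  # width taken from the 0b0000001 value printed by the summary


def popcount(value: int) -> int:
    return bin(value).count("1")


def encryption_enabled(value: int) -> bool:
    # Fuse description: enabled if the field has an odd number of bits set.
    return popcount(value) % 2 == 1


def burn(current: int, requested: int) -> int:
    """Simulate a burn. Bits can only go 0 -> 1, so the hardware would end up
    holding current | requested; reject the request if that differs."""
    if requested < 0 or requested >> FIELD_BITS:
        raise ValueError("value does not fit in the field")
    result = current | requested
    if result != requested:
        raise ValueError(
            "New value contains some bits that cannot be cleared "
            f"(value will be 0b{result:0{FIELD_BITS}b})"
        )
    return result


def next_toggle_value(current: int):
    """Value that flips the enabled/disabled state by burning one more bit
    (lowest unburned bit, an assumption here), or None if all bits are burned."""
    for bit in range(FIELD_BITS):
        if not current & (1 << bit):
            return current | (1 << bit)
    return None


def remaining_toggles(current: int) -> int:
    # Each state change consumes one bit permanently.
    return FIELD_BITS - popcount(current)


if __name__ == "__main__":
    current = 0b0000001  # state reported in the thread: encryption enabled
    try:
        burn(current, 0b0000010)  # the attempted value 2
    except ValueError as err:
        print("rejected:", err)
    target = next_toggle_value(current)
    print(f"burn 0b{target:07b} -> enabled={encryption_enabled(target)}, "
          f"toggles left={remaining_toggles(target)}")
```

Each disable or re-enable consumes one bit for good, so the field allows only a limited number of state changes over the life of the chip.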

Postby ESP_Mahavir » Mon Dec 18, 2023 5:22 am

Please use the command specified in the docs section here https://docs.espressif.com/projects/esp ... encryption. This will correctly program the `FLASH_CRYPT_CNT` value to disable the flash encryption.

Postby minhbka » Mon Dec 18, 2023 3:43 pm

ESP_Sprite wrote:
Mon Dec 18, 2023 5:12 am
Base issue is that you cannot 'un-burn' eFuse bits. You initially set it to 0001 (1), and you want to set it to 0010 (2), which requires 'un-burning' the 1st fuse. You probably want to set it to 0011 (3) instead.
Thank you, now I can burn and test dev kit without flash encryption.
