How to update NVS partitions or bootloader after UART download mode is disabled

dastoned
Posts: 50
Joined: Fri May 29, 2020 2:52 pm

How to update NVS partitions or bootloader after UART download mode is disabled

Postby dastoned » Thu Jul 08, 2021 1:39 pm

I recently started looking into the trinity of Flash encryption, NVS encryption and Secure Boot on a ESP32-WROOM-32E module, ESP-IDF v4.3, idf.py, Linux.

First I tackled Flash encryption. As I enabled Flash encryption (Development mode), I simultaneously disabled the UART download (SECURE_DISABLE_ROM_DL_MODE) - as it's marked "Recommended". Flash encryption worked as expected, everything great. On to the next phase.

Now I cannot update anything in Flash which I need for the next phases - neither the NVS keys and data partitions, nor the bootloader - using "idf.py" command. Is there a way out of this dead end (meaning I can enable NVS encryption and Secure Boot), or should I consider this DevkitC lost?

pratik2440
Posts: 25
Joined: Mon Jun 28, 2021 4:55 am

Re: How to update NVS partitions or bootloader after UART download mode is disabled

Postby pratik2440 » Fri Jul 09, 2021 10:42 am

Isn't that an eFuse setting? Last I checked the eFuse was OTP memory, so if you set something in there that you did not want to, then you bricked the board.
Hobbyist and electronic design consultant! (https://PCBArtists.com/)

dastoned
Posts: 50
Joined: Fri May 29, 2020 2:52 pm

Re: How to update NVS partitions or bootloader after UART download mode is disabled

Postby dastoned » Fri Jul 09, 2021 12:02 pm

Sure, I it's OTP and I can't change the fuse anymore. But the board is not bricked - it runs the bootloader and app just fine, and I can update the app using OTA. And the Flash encryption is in Development mode, so not a total loss.

What I'm looking to do is to update the bootloader (e.g. to further enable Secure Boot) or write into Flash (e.g. enable NVS encryption). I assume there are ways to do both, but I'm looking for some pointers on the particulars, or maybe even examples.


pratik2440
Posts: 25
Joined: Mon Jun 28, 2021 4:55 am

Re: How to update NVS partitions or bootloader after UART download mode is disabled

Postby pratik2440 » Sat Jul 10, 2021 6:56 am

Ohh okay, I thought you did not have OTA on current firmware. The link posted by WiFive above is a good place to start then.
You can try overwriting the bootloader and partition areas on another board where you have UART download enabled. Once you get that working, you can do the same with the board where UART download is disabled.
I think the only risk is crashing the program when writing to the bootloader area - which will definitely make the module useless.
Hobbyist and electronic design consultant! (https://PCBArtists.com/)

dastoned
Posts: 50
Joined: Fri May 29, 2020 2:52 pm

Re: How to update NVS partitions or bootloader after UART download mode is disabled

Postby dastoned » Mon Jul 12, 2021 8:50 am

OK, thank you very much. I suspected something like this. Writing an app which is able to update the bootloader is quite a bit of work and doesn't really justify saving an 8€ board - I'll just head over to TME and order a few spares. Well, I suppose accidents like these are likely when playing around with encryption and secure boot.

Who is online

Users browsing this forum: Majestic-12 [Bot] and 70 guests