encryption is working on one device not other

snahmad75
Posts: 445
Joined: Wed Jan 24, 2018 6:32 pm

encryption is working on one device not other

Postby snahmad75 » Tue Sep 25, 2018 2:53 pm

1-

Device # 1 works but Device #2 is not working. Device #2 works without encryption

I am using same key to burn efuse. but they looks different. also CODING_SCHEME is different. kindly help me

Device #1 is working ( WROOM)

espefuse.py --port COM182 summary

BS_DONE_0 secure boot enabled for bootloader = 0 R/W (0x0)
ABS_DONE_1 secure boot abstract 1 locked = 0 R/W (0x0)

CODING_SCHEME Efuse variable block length scheme = 0 R/W (0x0)

espefuse.py --port COM182 dump

EFUSE block 0:
00710080 a41d3960 007b30ae 00008000 00000036 f0000000 00000004
EFUSE block 1:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
EFUSE block 2:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
EFUSE block 3:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000



2-

Device #2 is not booting ( WROVER)

espefuse.py --port COM184 summary

ABS_DONE_0 secure boot enabled for bootloader = 1 R/W (0x1)
ABS_DONE_1 secure boot abstract 1 locked = 0 R/W (0x0)

CODING_SCHEME Efuse variable block length scheme = 1 R/W (0x1)



espefuse.py --port COM184 dump

EFUSE block 0:
00710080 2dc914d9 00b1b4e6 0000e000 00000235 f0000000 00000015
EFUSE block 1:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
EFUSE block 2:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
EFUSE block 3:
00000000 00000000 00000000 f5c0fd06 00000000 00000000 00000000 00000000


I ran these commands against both devices to burn same key

espefuse.py --port COM184 burn_key flash_encryption acti_flash_encryption_key.bin

may be this command only against Device #2

espefuse.py --port COM184 burn_efuse ABS_DONE_0 1


Thanks,
Naeem

snahmad75
Posts: 445
Joined: Wed Jan 24, 2018 6:32 pm

Re: encryption is working on one device not other

Postby snahmad75 » Tue Sep 25, 2018 3:57 pm

now I set block 2 as with my encryption key for working device # 1

espefuse.py --port COM182 burn_key --no-protect-key BLK2 acti_flash_encryption_key.bin

I tried to set

espefuse.py --port COM182 burn_key --no-protect-key BLK1 acti_flash_encryption_key.bin

no luck.

now
espefuse.py --port COM182 dump

EFUSE block 0:
00710080 a41d3960 007b30ae 00008000 00000036 f0000000 00000004
EFUSE block 1:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
EFUSE block 2:
11c1eae6 256e9a77 8c5f49a2 04116324 79f20ae5 cd41b677 b84a3771 290bef6e
EFUSE block 3:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000


before I go further need some one input. I already disable encryption by increment count once on my not working second device. I do not want to lose it. I only have 2 tries left.

snahmad75
Posts: 445
Joined: Wed Jan 24, 2018 6:32 pm

Re: encryption is working on one device not other

Postby snahmad75 » Tue Sep 25, 2018 4:05 pm

My script is this works on Device # 1 but not on Device #2

I used same key for both bootloader and main application to encrypt.

partitions="partitions.bin"
firmware="W2K-1-Release.bin"
port="COM182"
baud="921600"
flash_key="acti_flash_encryption_key.bin"

echo "encrypting bootloader"
espsecure.py encrypt_flash_data --keyfile $flash_key --output ./build/encrypted-bootloader.bin --address 0x1000 ./build/bootloader/bootloader.bin


echo "Encrypting partitions"
espsecure.py encrypt_flash_data --keyfile $flash_key --output ./build/encrypted-$partitions --address 0x8000 ./build/$partitions

echo "encrypting firmware"
espsecure.py encrypt_flash_data --keyfile $flash_key --output ./build/encrypted-$firmware --address 0x10000 ./build/$firmware


echo "uploading files"

esptool.py --port $port --baud $baud write_flash 0x1000 ./build/encrypted-bootloader.bin 0x8000 ./build/encrypted-$partitions 0x10000 ./build/encrypted-$firmware


I am encrypting all flash partitions.

snahmad75
Posts: 445
Joined: Wed Jan 24, 2018 6:32 pm

Re: encryption is working on one device not other

Postby snahmad75 » Tue Sep 25, 2018 4:47 pm

My Device #2 showing

espefuse.py --port COM184 summary
FLASH_CRYPT_CNT Flash encryption mode counter = 15 R/W (0xf)
FLASH_CRYPT_CONFIG Flash encryption config (key tweak bits) = 15 R/W (0xf)


Have reached limit. so I cannot do any more make flash that is upload non-encrypted bin via serial.


now I am getting make monitor this

rst:0x10 (RTCWDT_RTC_RESET),boot:0x3f (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0018,len:4
load:0x3fff001c,len:5844
load:0x40078000,len:7796
ho 0 tail 12 room 4
load:0x40080400,len:7376
secure boot check fail
ets_main.c 371

Have I reached my device limit.

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: encryption is working on one device not other

Postby ESP_Angus » Wed Sep 26, 2018 6:34 am

Unfortunately we don't currently support flash encryption and secure boot on 3/4 Coding Scheme (
"CODING_SCHEME Efuse variable block length scheme = 1").

A small number of WROVER modules were shipped with this coding scheme. They are no longer being shipped with this coding scheme.

Support for 3/4 Coding Scheme in ESP-IDF will be added soon. Unfortunately, any devices which already have keys burned will probably not be able to be used.

If you have a significant number of modules with 3/4 Coding Scheme, please PM me on the forum and we'll work out a solution.

snahmad75
Posts: 445
Joined: Wed Jan 24, 2018 6:32 pm

Re: encryption is working on one device not other

Postby snahmad75 » Wed Sep 26, 2018 8:44 am

OK Thanks for information. I believe flash encryption only does not work on ESP32 WROVER only

I still want to use my device without encryption. I thought I can still use device after encryption is permanently disable after 4 retries.

espefuse.py --port COM184 burn_efuse FLASH_CRYPT_CNT

no luck. make monitor is getting this.

rst:0x10 (RTCWDT_RTC_RESET),boot:0x3f (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371



My summary of efuse is

espefuse.py --port COM184 summary

FLASH_CRYPT_CNT Flash encryption mode counter = 127 R/W (0x7f)
FLASH_CRYPT_CONFIG Flash encryption config (key tweak bits) = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE Disable ROM BASIC interpreter fallback = 1 R/- (0x1)
ABS_DONE_0 secure boot enabled for bootloader = 1 R/W (0x1)
ABS_DONE_1 secure boot abstract 1 locked = 0 R/W (0x0)
JTAG_DISABLE Disable JTAG = 0 R/W (0x0)
DISABLE_DL_ENCRYPT Disable flash encryption in UART bootloader = 0 R/- (0x0)
DISABLE_DL_DECRYPT Disable flash decryption in UART bootloader = 1 R/- (0x1)
DISABLE_DL_CACHE Disable flash cache in UART bootloader = 0 R/- (0x0)

snahmad75
Posts: 445
Joined: Wed Jan 24, 2018 6:32 pm

Re: encryption is working on one device not other

Postby snahmad75 » Wed Sep 26, 2018 10:18 am

ESP_Angus wrote:Unfortunately we don't currently support flash encryption and secure boot on 3/4 Coding Scheme (
"CODING_SCHEME Efuse variable block length scheme = 1").

A small number of WROVER modules were shipped with this coding scheme. They are no longer being shipped with this coding scheme.

Support for 3/4 Coding Scheme in ESP-IDF will be added soon. Unfortunately, any devices which already have keys burned will probably not be able to be used.

If you have a significant number of modules with 3/4 Coding Scheme, please PM me on the forum and we'll work out a solution.

We want to use flash encryption with WROVER module. When ESP-IDF SDK (version ?) will support 3/4 Coding Scheme. I guess ESP-IDF version=3.2 will support flash encryption on WROVER . any release dates or can I use alpha/beta version of SDK. how i check my SDK version.

Can you explain difference between wroom and WROVER coding_scheme. any documentation?

Can we use wroom module and solder out external RAM our self.

Can we set efuse CODING_SCHEME=0 on the board some how or programmatic via c/C++

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: encryption is working on one device not other

Postby ESP_Angus » Wed Sep 26, 2018 11:35 pm

snahmad75 wrote: We want to use flash encryption with WROVER module.
Only some WROVER modules were shipped with 3/4 Coding Scheme. If you can source new modules then they won't have this coding scheme. If you speak to Espressif sales then they can help you with this, or I can put you in touch.
snahmad75 wrote: When ESP-IDF SDK (version ?) will support 3/4 Coding Scheme. I guess ESP-IDF version=3.2 will support flash encryption on WROVER . any release dates or can I use alpha/beta version of SDK. how i check my SDK version.
It's planned for v3.2 but this support is not available right now. I'll update this topic once it is.
snahmad75 wrote: Can you explain difference between wroom and WROVER coding_scheme. any documentation?
There is some documentation in the ESP32 TRM. It's to do with the internal representation of efuse bits for BLK1, BLK2, BLK3 which are used for key storage. It doesn't change any other features of the chip.
snahmad75 wrote: Can we use wroom module and solder out external RAM our self.
You could, or you can swap the ESP32 chip on an existing WROVER module. The easiest approach is probably to source new WROVER module(s) as mentioned.
snahmad75 wrote: Can we set efuse CODING_SCHEME=0 on the board some how or programmatic via c/C++
I'm afraid not. efuses can only be changed 0->1.

snahmad75
Posts: 445
Joined: Wed Jan 24, 2018 6:32 pm

Re: encryption is working on one device not other

Postby snahmad75 » Thu Sep 27, 2018 8:34 am

If we use the ESP-WROVER-B will Flash encryption work?
Does ESP-WROVER-B willl have efuse CODING_SCHEME=0?

The documentation also says ESP-WROVER-B support OTA encrypted bin. is this true?
We found out. I need to use unencrypted bin for OTA. when we do OTA write. I needs to be not encrypted.

Hi Angus,

Do reply. we are waiting for your reply. so we can order ESP WROVERin bulk from he distributor. we already sort out our distributor from where we are buying it.

Grant.Bradley
Posts: 8
Joined: Tue Sep 25, 2018 11:13 am

Re: encryption is working on one device not other

Postby Grant.Bradley » Fri Sep 28, 2018 12:53 pm

Can you urgently answer these two questions:
If we use the ESP-WROVER-B will Flash encryption work?
Does ESP-WROVER-B willl have efuse CODING_SCHEME=0?

Who is online

Users browsing this forum: No registered users and 139 guests