I recently started looking into the trinity of Flash encryption, NVS encryption and Secure Boot on an ESP32-WROOM-32E module, ESP-IDF v4.3, idf.py, Linux.
First I tackled Flash encryption. As I enabled Flash encryption (Development mode), I simultaneously disabled the UART download (SECURE_DISABLE_ROM_DL_MODE) - as it's marked "Recommended". Flash encryption worked as expected, everything great. On to the next phase.
Now I cannot update anything in Flash which I need for the next phases - neither the NVS keys and data partitions, nor the bootloader - using "idf.py" command. Is there a way out of this dead end (meaning I can enable NVS encryption and Secure Boot), or should I consider this DevkitC lost?
How to update NVS partitions or bootloader after UART download mode is disabled
Re: How to update NVS partitions or bootloader after UART download mode is disabled
Isn't that an eFuse setting? Last I checked the eFuse was OTP memory, so if you set something in there that you did not want to, then you bricked the board.
Hobbyist and electronic design consultant! (https://PCBArtists.com/)
Re: How to update NVS partitions or bootloader after UART download mode is disabled
Sure, it's OTP and I can't change the fuse anymore. But the board is not bricked - it runs the bootloader and app just fine, and I can update the app using OTA. And the Flash encryption is in Development mode, so not a total loss.
What I'm looking to do is to update the bootloader (e.g. to further enable Secure Boot) or write into Flash (e.g. enable NVS encryption). I assume there are ways to do both, but I'm looking for some pointers on the particulars, or maybe even examples.
Re: How to update NVS partitions or bootloader after UART download mode is disabled
Ohh okay, I thought you did not have OTA on current firmware. The link posted by WiFive above is a good place to start then.
You can try overwriting the bootloader and partition areas on another board where you have UART download enabled. Once you get that working, you can do the same with the board where UART download is disabled.
I think the only risk is crashing the program when writing to the bootloader area - which will definitely make the module useless.
Hobbyist and electronic design consultant! (https://PCBArtists.com/)
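Two things in this thread call for a pre-flight check before the app touches flash on a board whose UART download mode is gone: the original poster's plan to write an nvs_keys partition into flash to enable NVS encryption, and the warning above that a crash while writing the bootloader area makes the module useless. The following is an added example, not code from the thread or from ESP-IDF: it encodes and parses the ESP-IDF binary partition table format (32-byte entries, magic AA 50, trailing EB EB MD5 entry), reports why a layout cannot support NVS encryption, and refuses any write that is not sector aligned or that falls outside a data partition. The reserved bootloader/partition-table offsets are the default ESP32 layout of IDF v4.x (0x1000 and 0x8000), and the sample table is constructed for the demonstration; in a real app the table would be read from flash at 0x8000 and the write itself done through the esp_partition API.

```python
"""Pre-flight checks for an in-app flash write on an ESP32 whose UART download
mode is disabled: parse the binary partition table, confirm the layout supports
NVS encryption, and reject any write that would touch the bootloader, the
partition table or an app slot. Constructed example: offsets, labels and sizes
below are made up but follow the ESP-IDF partition table binary format."""
import hashlib
import struct

# ESP-IDF binary partition table format: 32-byte little-endian entries.
ENTRY_SIZE = 32
ENTRY_FMT = "<HBBII16sI"          # magic, type, subtype, offset, size, label, flags
PART_MAGIC = 0x50AA               # stored as bytes AA 50
MD5_MAGIC = 0xEBEB                # trailing checksum entry
TYPE_APP, TYPE_DATA = 0x00, 0x01
SUBTYPE_NVS, SUBTYPE_NVS_KEYS = 0x02, 0x04
FLAG_ENCRYPTED = 0x01
SECTOR = 0x1000
# Default ESP32 layout used by IDF v4.x: bootloader at 0x1000, table at 0x8000.
RESERVED = {"bootloader": (0x1000, 0x8000), "partition_table": (0x8000, 0x9000)}


def build_entry(ptype, subtype, offset, size, label, flags=0):
    """Encode one partition entry in the on-flash layout."""
    return struct.pack(ENTRY_FMT, PART_MAGIC, ptype, subtype, offset, size,
                       label.encode().ljust(16, b"\0"), flags)


def build_table(entries):
    """Concatenate entries, append the MD5 entry (EB EB, 14x FF, digest), pad to a sector."""
    body = b"".join(entries)
    md5_entry = struct.pack("<H", MD5_MAGIC) + b"\xff" * 14 + hashlib.md5(body).digest()
    return (body + md5_entry).ljust(SECTOR, b"\xff")


def parse_table(blob):
    """Decode a partition table as read from flash, verifying its MD5 entry."""
    parts, pos = [], 0
    while pos + ENTRY_SIZE <= len(blob):
        entry = blob[pos:pos + ENTRY_SIZE]
        magic = struct.unpack_from("<H", entry)[0]
        if magic == PART_MAGIC:
            _, ptype, subtype, offset, size, label, flags = struct.unpack(ENTRY_FMT, entry)
            parts.append({"label": label.rstrip(b"\0").decode(), "type": ptype,
                          "subtype": subtype, "offset": offset, "size": size,
                          "encrypted": bool(flags & FLAG_ENCRYPTED)})
        elif magic == MD5_MAGIC:
            if hashlib.md5(blob[:pos]).digest() != entry[16:]:
                raise ValueError("partition table MD5 mismatch")
            break
        elif entry == b"\xff" * ENTRY_SIZE:
            break                 # unused tail of the table
        else:
            raise ValueError(f"bad entry magic 0x{magic:04x} at offset {pos}")
        pos += ENTRY_SIZE
    return parts


def nvs_encryption_problems(parts):
    """Return reasons the table cannot support NVS encryption (empty list = ready)."""
    keys = [p for p in parts if p["type"] == TYPE_DATA and p["subtype"] == SUBTYPE_NVS_KEYS]
    if not keys:
        return ["no nvs_keys partition (type data, subtype 0x04)"]
    problems = []
    for p in keys:
        if not p["encrypted"]:
            problems.append(f"{p['label']}: nvs_keys must carry the 'encrypted' flag")
        if p["size"] < SECTOR:
            problems.append(f"{p['label']}: nvs_keys needs at least one {SECTOR:#x} sector")
    return problems


def plan_write(parts, offset, length):
    """Approve an in-app write only if it is sector aligned and wholly inside one
    data partition; writes into reserved regions or app slots are refused."""
    end = offset + length
    if offset % SECTOR or length % SECTOR or length == 0:
        return False, "write must cover whole 4 KiB sectors"
    for name, (lo, hi) in RESERVED.items():
        if offset < hi and end > lo:
            return False, f"write overlaps {name}; a crash mid-write bricks the module"
    for p in parts:
        if p["offset"] <= offset and end <= p["offset"] + p["size"]:
            if p["type"] != TYPE_DATA:
                return False, f"{p['label']} is an app slot; update it via OTA instead"
            return True, f"ok: within data partition {p['label']}"
    return False, "write is not contained in any partition"


# Constructed sample layout (not taken from the forum thread).
SAMPLE_TABLE = build_table([
    build_entry(TYPE_DATA, SUBTYPE_NVS, 0x9000, 0x6000, "nvs"),
    build_entry(TYPE_DATA, 0x00, 0xF000, 0x2000, "otadata"),
    build_entry(TYPE_DATA, SUBTYPE_NVS_KEYS, 0x11000, 0x1000, "nvs_key", FLAG_ENCRYPTED),
    build_entry(TYPE_APP, 0x10, 0x20000, 0x100000, "ota_0"),
    build_entry(TYPE_APP, 0x11, 0x120000, 0x100000, "ota_1"),
])

if __name__ == "__main__":
    parts = parse_table(SAMPLE_TABLE)
    print("NVS encryption problems:", nvs_encryption_problems(parts) or "none")
    print(plan_write(parts, 0x11000, 0x1000))   # the nvs_key partition: approved
    print(plan_write(parts, 0x1000, 0x1000))    # the bootloader: refused
```

The MD5 check matters on a locked board: if the table read back from 0x8000 does not verify, the offsets it reports cannot be trusted and no write should be planned from them. Nothing here writes to flash; the point is to decide, before any erase, that the target is a data partition the app is allowed to own.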
Re: How to update NVS partitions or bootloader after UART download mode is disabled
OK, thank you very much. I suspected something like this. Writing an app which is able to update the bootloader is quite a bit of work and doesn't really justify saving an 8€ board - I'll just head over to TME and order a few spares. Well, I suppose accidents like these are likely when playing around with encryption and secure boot.