Flash Encryption (FLASH_CRYPT_CNT)

[Buffalchill]

Hardware:

Board: ESP32 Dev Module
Core Installation/update date: 11/jul/2017
IDE name: Arduino IDE 1.8.3.
Flash Frequency: 40Mhz
Upload Speed: 115200

Hi,
I'm trying to enable Flash Encryption.
The ESP IDF documentation says (http://esp-idf.readthedocs.io/en/latest/security/flash-encryption.html)

"Flash Encryption Initialisation
The bootloader must be compiled with flash encryption support enabled. In make menuconfig, navigate to “Security Features” and select “Yes” for “Enable flash encryption on boot”.

how is this possible in Arduino IDE ?

[lbernstone]

See my instructions in #1142

[Buffalchill]

Is it possible to set the fuses for the flash encryption in arduino or maybe with the espefuse.py script, and then compile and upload my sketch with arduino ?

[Buffalchill]

OK i have now changed the sdkconfig in the "make menuconfig".
I changed the Security features and did Enable flash encryption on boot.

this new sdkconfig i copied into: C:\Users\Documents\Arduino\hardware\espressiv\esp32\tools\sdk
also I copied build/esp32/libesp32.a into arduino-esp32/tools/sdk/lib/ .
Then i started ardino, built and uploaded it. Then i checked if the FLASH_CRYPT_CNT got increased after upload. but it wasn't, it was still 0.
So does this now mean enable_flash_encryption didn't work in Arduino IDE even with the changed SDKconfig...

[Buffalchill]

i just tried to enable flash encryption it in the ESP-IDF with the blink example, and this worked so far.
now i would like to have this in arduino-esp32 :-/
I checked it with the espefuse.py

[Buffalchill]

Next Try:
Now I used Arduino-esp32 as an ESP-IDF component.
I used "make menuconfig" to change the secutity options -> "enable flash encryption on boot"
Then it compiled with ESP-IDF with msys32.
But flash encryption didn't happen, the FLASH_CRYPT_CNT was still 0.

Can you help me please to get the "flash encryption on boot" running ?

[lbernstone]

You enable encryption by running espefuse.py burn_efuse FLASH_CRYPT_CNT. Did you read the documentation thoroughly?

[Buffalchill]

yes i read the documentation veeeery often :)
If I just do espefuse.py burn_efuse FLASH_CRYPT_CNT the flash and the firmware does not get encrypted. But the bootloader trys to decrypt a unencrypted firmware. That simply ends up with Error message 1000.
It currently seems for me that Flash encryption on boot seems not to work with the arduino-esp32 not even as an ESP-IDF-component. I would be glad to hear if it is somehow it would be possible to copy some files into the Arduino-esp32 to make it work.

[lbernstone]

Getting error 1000 seems like some progress. Follow the serial reflashing procedure from that point and see if it will encrypt on its own.

[Buffalchill]

Ok I tried it like you said but, it seems just like i broke another esp32 board ⚡️

#1 "make menuconfig" -> "sercurity options" -> "enable flash encryption on boot"

#2 "make flash" (at this point, a normal ESP-IDF example got encrypted, but not the "arduino-esp32" as an esp-idf component )

#3 burned the efuse manually by using script espefuse.py

#4 I got the error 1000...

#5 Burn the FLASH_CRYPT_CNT efuse again with the python script

#6 this time i put some code inside my arduino sketch which will figure out if hardware encyption is enabled or not...

the answer is, it is not enabled. It is disabled.

#7 Now, I reset the device, and the documentation says, it will re-encrypt plaintext partitions.
Then I burn the FLASH_CRYPT_CNT efuse again to re-enable encryption.

#8 The flash is not encrypted, but the esp32 board trys to decrypt it, ending up with "Err 100" again.
and another Board is broken 🗡

[Buffalchill]

The point is, i think if arduino-esp32 is used as an ESP-IDF component, flash encryption seems not to work.

In normal ESP-IDF example, i was able to enable flash encryption. 🌵

[Buffalchill]

Next try:

I took a new ESP32 board and tried the Pre-generated-Key Encryption.

#1 flashed my sketch in plain text.

#2 generated the key and burned it to the esp32

#3 Followed the instructions....

#4 Strange things happend: Read_disable and write_disable became set, but the flash "encryption on boot" did not work again, even with the pregenerated key. Flash encryption is still disabled.
Arduino-esp32 as an ESP-IDF Component

Next, I will try the "reflash pregenrated key procedure"...

[lbernstone]

Um, Ok. Then don't do that. Just flash the esp-idf OTA example with the encryption turned on. Then you can put whatever you want on there. There may very well be something in the arduino-esp32 code that overrides the sdkconfig setting, and that is probably a reasonable security feature to keep people that don't understand the consequences from bricking their devices.

[Buffalchill]

Success !
Today I found a way to use flash encryption with Arduino-esp32 👍 👍 👍

#1 Generated the flash Encryption Key and burned it to the ESP32 board

#2 check if the RD_Dis and WR_Dis have changed after BURN the key (before burn they are 0, after burn they must look like on this picture :

3# Use a NORMAL "ESP-IDF" example like Hello World... make menuconfig -> security options -> enable encryption on boot
save that and make the project and flash it to the esp32 board.

#4 after openning serial monitor I had "Err 1000", so I flashed it again. Then the error was gone and my the Hello_world example was running on the board

#5 Then check the FLASH_CRYPT_CNT counter it must be 1 now because the "flash encryption on boot" must have increased it after encrytion of the flash.

in my example i added some code to make the firmware check if the encryption is working:

serial monitor shows, encryption is working:

So far so good, esp-idf flash encryption worked out with our own flash encryption key, which we stored on our PC.

Now lets make the Arduino-ESP32 project as a ESP-IDF component.

#6 this time in this project I DISABLED "encryption on boot"
make menuconfig -> security options -> enable encryption on boot <<- DISABLE that!

#7 make the project. Now the will be a .bin file in the project folder like this : /build/my-app.bin

#8 encrypt this .bin file of the project with our own generated encryption-key by using the espsecure.py script :

#9 Flash the encrypted .bin File to the ESP-32 Board by using the esptool.py script.

#10 Check out the FLASH_CRYPT_CNT with espefuse.py --port "COM3" summary
it should still have the value: 1

#11 The Arduino-esp32 as an ESP-IDF component Firmware should now run... encrypted !!!

🥇 🍦 ⚡️

[Buffalchill]

If i use Arduino-IDE to compile and upload my arduino-esp32 sketch, in which directory can i find the .bin file after compiling, which is used to get uploaded to the esp32 board?

I am asking, because I wanna try to encrypt that file directly without using the arduino as an idf component.

[lbernstone]

If you turn on verbose output during compilation in the preferences, you will see the location in a few places. I really think flashing a basic OTA + CONFIG_FLASH_ENCRYPTION_ENABLED firmware and then having the devices connect to a rpi/esp set up as an AP/webserver will be easier and mass repeatable. You could also get a list of mac addresses that way.

[Buffalchill]

Today I took the .bin file which was compiled by Arduino-IDE and my encryption key which I created yesterday and which is already burned into my ESP32-Board.

Flashed the .bin file into the esp-board with esptool.py
The Arduino-IDE sketch, which was compiled by the Arduino-IDE runs with flash encryption.

Is it possible to use SPIFFS when the flash encryption is enabled ?
My sketch uses spiffs and had error messages : SPIFFS partition not found"
after i removed the Spiffs out of my sketch it worked...

[me-no-dev]

@Buffalchill that is probably the only way that flash encryption will be available for Arduino users. Since it's not for everyone and could cause any novice an issue, it would require you to run Arduino as IDF component.

SPIFFS does not run on encrypted flash ;) FATFS does

[lbernstone]

I don't know whether the partition table has been encrypted or not, but maybe you initially uploaded a partition table without spiffs? Maybe it just needs a format (though that should give you a different error)? Here's some quick code to show the spiffs location:

#include <esp_partition.h>
void setup() {
  Serial.begin(115200);
    const esp_partition_t *data_partition = NULL;
    data_partition = esp_partition_find_first(ESP_PARTITION_TYPE_DATA,
            ESP_PARTITION_SUBTYPE_DATA_SPIFFS, "spiffs");
    if (data_partition != NULL) {
        Serial.printf("partiton addr: 0x%08x; size: %d; label: %s\n", data_partition->address, data_partition->size, data_partition->label);
    }
}
void loop() {}

[Buffalchill]

Ibernstone i tried your code. Thank you for that!
There seems to be no partition table on my ESP32 board

[lbernstone]

Well, there certainly is a partition table, just no spiffs partition. Try running esptool.py read_flash 0x8000 0xc00 /tmp/parts (/tmp/parts is the output file). If that file has readable text in it (nvs, app0, eeprom, etc) then you can directly use esptool to put a new partition table on there. Otherwise, you may have to encrypt the partition table before flashing(?).

[Buffalchill]

Ya i got something but its not plain text :)

T�ØkGEÅÓ�Þ�úmp6m���lXs��¥M¼�k�Ò$‘ò�u_"‚Q�áÕm[��Mf�=Ã^Ï(Òª�sN�ú¤Þx¿Õô‘+¹©3=O­ZŸ+–6ãþ��"Z3(ã…yúd�¹Ï€’ tö®�6.��‰�ˆ00f+G
Iq�Éü:ÞE��¦NЧà¶\©’�æ¬moùa¦NЧà¶\©’�æ¬moùa½©û}Å0¸gC[ñ½·Îù½©û}Å0¸gC[ñ½·ÎùfjΞìi”à÷°³²¶Ùð´fjΞìi”à÷°³²¶Ùð´^%j�÷Ë]‡‡ÂÈßœõ’^%j�÷Ë]‡‡ÂÈßœõ’a]§ÚÜ@i‚¬_�ýò�¦4a]§ÚÜ@i‚¬_�ýò�¦4Îíð�‘ÚéI b=ÎÄÏ�kÎíð�‘ÚéI b=ÎÄÏ�k“_cKRÙ�%‰�ÃN�m
ø“_cKRÙ�%‰�ÃN�m
øÖn“L¥´Þl�±WED�ÑÖn“L¥´Þl�±WED�ÑÃnvYqæÁ‹}™Y�1%2£ÃnvYqæÁ‹}™Y�1%2£ýÕoß)‹…ÛQknd��E�ýÕoß)‹…ÛQknd��E�ÿ‡IQ¨@ô¹O Œìel6“ÿ‡IQ¨@ô¹O Œìel6“ìø»�‰3�HèÇ8�Sâ�ìø»�‰3�HèÇ8�Sâ�”]qbÅQ¤«³ªtbÊÈv”]qbÅQ¤«³ªtbÊÈvÂËßä7õÞÚo$\ž�,�ÝDËßä7õÞÚo$\ž�,�ÝDâ{q°‚ö–^��˜–Q ¦xâ{q°‚ö–^��˜–Q ¦x—Å—¸®Ê�Ÿ�p|w8„Bà—Å—¸®Ê�Ÿ�p|w8„BàëœäîÌà�g�V32èi��ëœäîÌà�g�V32èi��Â’Îiƒ^ÂœvŠ›;:�8ÉÂ’Îiƒ^ÂœvŠ›;:�8É�ìM4ø�Ôò���t�,U�ìM4ø�Ôò���t�,U<i�_½<:bt�Ë�@D/�<i�_½<:bt�Ë�@D/�(°U‡\d+ÿWâqXú
’{(°U‡\d+ÿWâqXú
’{Òο‚d„w� 38�{,:—Òο‚d„w� 38�{,:—<þܨ�¬O™�4ß8�×�È<þܨ�¬O™�4ß8�×�ÈW@uîÏÛÍ:ªI»‹QÉ^üW@uîÏÛÍ:ªI»‹QÉ^üEní{D!ÈÕ©f!»¢C…ÉEní{D!ÈÕ©f!»¢C…É�%Y¼hhnhX¦Ã�¸•aˆ�%Y¼hhnhX¦Ã�¸•aˆ�]öÏ«µ „l¯Ñ��u4<�]öÏ«µ „l¯Ñ��u4<=yL¦¸}ÅYlJõ*{ZÀ5=yL¦¸}ÅYlJõ*{ZÀ5BÍgP>Ð�É¡Q®�ÜÅÜ1BÍgP>Ð�É¡Q®�ÜÅÜ1v½KaÝ4óWB�Ðp-µ¡Fv½KaÝ4óWB�Ðp-µ¡F�©Ô·�aÖVDF�"=Q��©Ô·�aÖVDF�"=Q�#™æÕNq�+‹JŠNÆ�šù#™æÕNq�+‹JŠNÆ�šù4�®•�c¤×5¬ÿ�Á“�4�®•�c¤×5¬ÿ�Á“�£àyI‡�®�Æcê¸�ƒ4£àyI‡�®�Æcê¸�ƒ4H�,.·÷Ђ• N!�;” H�,.·÷Ђ• N!�;” õ�}&n+ô�»Tá�·Òp¥õ�}&n+ô�»Tá�·Òp¥
€'œ�BT�Y@‘zj‚� €'œ�BT�Y@‘zj‚�dr¤=l�SµÜ·úbV$ëdr¤=l�SµÜ·úbV$ë�z�'(Ãk�^Õú)Þ¹[��z�'(Ãk�^Õú)Þ¹[�vQ¥�–R�³|Þð� 30…vQ¥�–R�³|Þð� 30…z?�!¸�–‰öñ;ÔG
Ò¡z?�!¸�–‰öñ;ÔG
Ò¡��qìJ²ùxVËAp�Ì_���qìJ²ùxVËAp�Ì_�”Ä4§@½µ��<¦AK �–”Ä4§@½µ��<¦AK �–�ìw�ÓóB�3˜mÙÙ$Ô�ìw�ÓóB�3˜mÙÙ$Ôþ+ûHL�­Þm/1�
Wq‡þ+ûHL�­Þm/1�
Wq‡Ù³�55ðb= zZ
M•ÙtÙ³�55ðb= zZ
M•Ùt©ó –±—½�ïÙY‡�ù�q©ó –±—½�ïÙY‡�ù�q�°‘7D
5hˆo€uEF�½�°‘7D
5hˆo€uEF�½Û²½›|��;ϸ"Å[09Û²½›|��;ϸ"Å[09ì bä2>²³�<H“Ÿ4�&ì bä2>²³�<H“Ÿ4�&v�½íììvw‡ûóAÎIA�v�½íììvw‡ûóAÎIA�˜3)ƒCN[‰G;�„û�˜3)ƒCN[‰G;�„û�S­Ö¼ÿ«*—ÊNÿ�œzmS­Ö¼ÿ«—ÊNÿ�œzmbpè)¼‹þÁp!À7nÈãØbpè)¼‹þÁp!À7nÈãØÝÈ?�×w°œªošÖ(xËÝÈ?�×w°œªošÖ(xË -S�(JSªyíßÏ�,�ó -S�(JSªyíßÏ�,�ó̯šˆÈÞ� Ö€áò$R2æ̯šˆÈÞ� Ö€áò$R2æç¼4¾�ÐOh��oA6g‡Öç¼4¾�ÐOh��oA6g‡Öêq8ZÆ,#�§4�LDÏ™ˆêq8ZÆ,#�§4�LDÏ™ˆÁ�ÕZÍöz I���hha�Á�ÕZÍöz I���hha��½]�êÈ�PxZQà��G�½]�êÈ�PxZQà��G¿Vž’+‹�A'
t¡Áɨ«¿Vž’+‹�A'
t¡Áɨ«sR²¶8ßþo:�òJˆFsR²¶8ßþo:�òJˆFŸŸÓшˆJ¢ˆÿÃfqŽÊ™ŸŸÓшˆJ¢ˆÿÃfqŽÊ™{ÅŽ—¿„,Š�ÉBïP¤” {ÅŽ—¿„,Š�ÉBïP¤” ä+GéÚp:Ûw31þ‹·�\ä+GéÚp:Ûw31þ‹·�\Áî�B�s«_hŽÇ�<¶Ý'Áî�B�s«_hŽÇ�<¶Ý'î!ÏxnwÑ�yáùZè”-ìî!ÏxnwÑ�yáùZè”-쟤;û„�ý¤�kׂq�©qŸ¤;û„�ý¤�kׂq�©q.ã&æn'[—ÂÆØq»Ù�ê.ã&æn'[—ÂÆØq»Ù�ê�”ï>�ú�%awèº7T–ÿ�”ï>�ú�%awèº7T–ÿy”vÂä𰪼¤~_HQë�y”vÂä𰪼¤~_HQë�iž‡��Èw:ø¦òé%ñ4iž‡�*�Èw:ø¦òé%ñ4&:Ë�A8�¡ÕU¶?Þ|�O&:Ë�A8�¡ÕU¶?Þ|�OÝ"
…�=¦u˜�¿g ®—òÝ"
…�=¦u˜�¿g ®—ò��¹Ôˆ-ajù�óÓ7®-��¹Ôˆ-ajù�óÓ7®-Qý7œ�1ýi�ùB²3BVdQý7œ�1ýi�ùB²3BVdˆm��ó„ÀìŒ�ÿ'!MìȈm��ó„ÀìŒ�ÿ'!MìÈ"^¦¸ÈÜM<îKBT‚ñÇB"^¦¸ÈÜM<îKBT‚ñÇBÍg°ºþYOˆÿpLÓA�ÿBÍg°ºþYOˆÿpLÓA�ÿBª¶bÉn¯S–yú�å•�¾×ª¶bÉn¯S–yú�å•�¾×¦¯“÷"‘°¼v�Ðõ‰�@g¦¯“÷"‘°¼v�Ðõ‰�@g%1ü¦_èJm‘_×$�ýâ8%1ü¦_èJm‘_×$�ýâ8í5™$Œ…Z.;�E"z !í5™$Œ…Z.;�E"z !�ãbºgÎ�ÿæÒOø£+��ãbºgÎ�ÿæÒOø£+�»Ü­¹K´."�é2�i�^»Ü­¹K´."�é2�i�^êx�ÂÌj�]€|�ãL˜îZêx�ÂÌj�]€|�ãL˜îZIµ©�z_Z�Ëô@X5ˆ’Iµ©�z_Z�Ëô@x5ˆ’úÆ:wèVl¥´�N~»h��úÆ:wèVl¥´�N~»h��œkWýÀã$ªl>G 'NÆ¡œkWýÀã$ªl>G 'NÆ¡½Gðšÿ"bòm�逘’^~½Gðšÿ"bòm�逘’^~ÿå¿�×J÷¢F¿�24u�ûÿå¿�×J÷¢F¿�24u�û`

If i wanna flash the partition table only as a bin file, I guess the the adress is 0x8000 ? and Where in the project folder do i find the partition table file ?

[lbernstone]

There are a few available at https://github.com/espressif/arduino-esp32/tree/master/tools/partitions and the doco is at http://esp-idf.readthedocs.io/en/latest/api-guides/partition-tables.html. NB at the very bottom it mentions that make partition_table will give you the command to flash the table.

[Buffalchill]

So far thank you for your help 👍
I didn't have much time the last week to work on this, but maybe i'll get back on track today

[lbernstone]

Bringing in another comment from gitter for reference.

Buffalchill @Buffalchill
Is it possible to use the fatfs with the arduino-esp32 ?

lbernstone @lbernstone
@Buffalchill : Certainly it is possible, but there is not a library written for it. The esp-idf functions are there, though.
https://esp-idf.readthedocs.io/en/latest/api-reference/storage/wear-levelling.html#_CPPv226esp_vfs_fat_spiflash_mountPKcPKcPK26esp_vfs_fat_mount_config_tP11wl_handle_t
and example at https://github.com/espressif/esp-idf/tree/master/examples/storage/wear_levelling

[Buffalchill]

Today i tried to use the NVS ( Preferences ) ...
it works with flash encryption and an pregenerated flash encryption key...

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0018,len:4
load:0x3fff001c,len:7428
load:0x40078000,len:0
load:0x40078000,len:16816
entry 0x4007916c
�[0;32mI (29) boot: ESP-IDF v3.1-dev-661-gf586f5e6 2nd stage bootloader�[0m
�[0;32mI (29) boot: compile time 12:32:30�[0m
�[0;32mI (29) boot: Enabling RNG early entropy source...�[0m
�[0;32mI (35) boot: SPI Speed      : 40MHz�[0m
�[0;32mI (39) boot: SPI Mode       : DIO�[0m
�[0;32mI (43) boot: SPI Flash Size : 4MB�[0m
�[0;32mI (47) boot: Partition Table:�[0m
�[0;32mI (50) boot: ## Label            Usage          Type ST Offset   Length�[0m
�[0;32mI (58) boot:  0 nvs              WiFi data        01 02 00009000 00006000�[0m
�[0;32mI (65) boot:  1 phy_init         RF data          01 01 0000f000 00001000�[0m
�[0;32mI (73) boot:  2 factory          factory app      00 00 00010000 00100000�[0m
�[0;32mI (80) boot:  3 storage          Unknown data     01 82 00110000 000f0000�[0m
�[0;32mI (88) boot: End of partition table�[0m
�[0;32mI (92) esp_image: segment 0: paddr=0x00010020 vaddr=0x3f400020 size=0x068e4 ( 26852) map�[0m
�[0;32mI (110) esp_image: segment 1: paddr=0x0001690c vaddr=0x3ffb0000 size=0x0219c (  8604) load�[0m
�[0;32mI (114) esp_image: segment 2: paddr=0x00018ab0 vaddr=0x40080000 size=0x00400 (  1024) load�[0m
�[0;32mI (119) esp_image: segment 3: paddr=0x00018eb8 vaddr=0x40080400 size=0x07158 ( 29016) load�[0m
�[0;32mI (140) esp_image: segment 4: paddr=0x00020018 vaddr=0x400d0018 size=0x158d0 ( 88272) map�[0m
�[0;32mI (171) esp_image: segment 5: paddr=0x000358f0 vaddr=0x40087558 size=0x016b0 (  5808) load�[0m
�[0;32mI (173) esp_image: segment 6: paddr=0x00036fa8 vaddr=0x400c0000 size=0x00000 (     0) load�[0m
�[0;32mI (183) boot: Loaded app from partition at offset 0x10000�[0m
�[0;32mI (183) boot: Checking flash encryption...�[0m
�[0;33mW (188) flash_encrypt: Using pre-loaded flash encryption key in EFUSE block 1�[0m
�[0;32mI (196) flash_encrypt: Setting CRYPT_CONFIG efuse to 0xF�[0m
�[0;32mI (214) flash_encrypt: Disable UART bootloader encryption...�[0m
�[0;32mI (214) flash_encrypt: Disable UART bootloader decryption...�[0m
�[0;32mI (217) flash_encrypt: Disable UART bootloader MMU cache...�[0m
�[0;32mI (223) flash_encrypt: Disable JTAG...�[0m
�[0;32mI (228) flash_encrypt: Disable ROM BASIC interpreter fallback...�[0m
�[0;32mI (246) esp_image: segment 0: paddr=0x00001020 vaddr=0x3fff0018 size=0x00004 (     4) �[0m
�[0;32mI (246) esp_image: segment 1: paddr=0x0000102c vaddr=0x3fff001c size=0x01d04 (  7428) �[0m
�[0;32mI (256) esp_image: segment 2: paddr=0x00002d38 vaddr=0x40078000 size=0x00000 (     0) �[0m
�[0;32mI (262) esp_image: segment 3: paddr=0x00002d40 vaddr=0x40078000 size=0x041b0 ( 16816) �[0m
�[0;32mI (628) esp_image: segment 0: paddr=0x00010020 vaddr=0x3f400020 size=0x068e4 ( 26852) map�[0m
�[0;32mI (637) esp_image: segment 1: paddr=0x0001690c vaddr=0x3ffb0000 size=0x0219c (  8604) �[0m
�[0;32mI (641) esp_image: segment 2: paddr=0x00018ab0 vaddr=0x40080000 size=0x00400 (  1024) �[0m
�[0;32mI (645) esp_image: segment 3: paddr=0x00018eb8 vaddr=0x40080400 size=0x07158 ( 29016) �[0m
�[0;32mI (664) esp_image: segment 4: paddr=0x00020018 vaddr=0x400d0018 size=0x158d0 ( 88272) map�[0m
�[0;32mI (695) esp_image: segment 5: paddr=0x000358f0 vaddr=0x40087558 size=0x016b0 (  5808) �[0m
�[0;32mI (697) esp_image: segment 6: paddr=0x00036fa8 vaddr=0x400c0000 size=0x00000 (     0) �[0m
�[0;32mI (701) flash_encrypt: Encrypting partition 2 at offset 0x10000...�[0m
�[0;3⸮ets Jun  8 2016 00:22:57

rst:0x3 (SW_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0018,len:4
load:0x3fff001c,len:7428
load:0x40078000,len:0
load:0x40078000,len:16816
entry 0x4007916c
�[0;32mI (28) boot: ESP-IDF v3.1-dev-661-gf586f5e6 2nd stage bootloader�[0m
�[0;32mI (28) boot: compile time 12:32:30�[0m
�[0;32mI (28) boot: Enabling RNG early entropy source...�[0m
�[0;32mI (35) boot: SPI Speed      : 40MHz�[0m
�[0;32mI (39) boot: SPI Mode       : DIO�[0m
�[0;32mI (43) boot: SPI Flash Size : 4MB�[0m
�[0;32mI (47) boot: Partition Table:�[0m
�[0;32mI (50) boot: ## Label            Usage          Type ST Offset   Length�[0m
�[0;32mI (58) boot:  0 nvs              WiFi data        01 02 00009000 00006000�[0m
�[0;32mI (65) boot:  1 phy_init         RF data          01 01 0000f000 00001000�[0m
�[0;32mI (73) boot:  2 factory          factory app      00 00 00010000 00100000�[0m
�[0;32mI (80) boot:  3 storage          Unknown data     01 82 00110000 000f0000�[0m
�[0;32mI (88) boot: End of partition table�[0m
�[0;32mI (92) esp_image: segment 0: paddr=0x00010020 vaddr=0x3f400020 size=0x068e4 ( 26852) map�[0m
�[0;32mI (110) esp_image: segment 1: paddr=0x0001690c vaddr=0x3ffb0000 size=0x0219c (  8604) load�[0m
�[0;32mI (114) esp_image: segment 2: paddr=0x00018ab0 vaddr=0x40080000 size=0x00400 (  1024) load�[0m
�[0;32mI (119) esp_image: segment 3: paddr=0x00018eb8 vaddr=0x40080400 size=0x07158 ( 29016) load�[0m
�[0;32mI (140) esp_image: segment 4: paddr=0x00020018 vaddr=0x400d0018 size=0x158d0 ( 88272) map�[0m
�[0;32mI (172) esp_image: segment 5: paddr=0x000358f0 vaddr=0x40087558 size=0x016b0 (  5808) load�[0m
�[0;32mI (175) esp_image: segment 6: paddr=0x00036fa8 vaddr=0x400c0000 size=0x00000 (     0) load�[0m
�[0;32mI (184) boot: Loaded app from partition at offset 0x10000�[0m
�[0;32mI (185) boot: Checking flash encryption...�[0m
�[0;32mI (190) flash_encrypt: flash encryption is enabled (3 plaintext flashes left)�[0m
�[0;32mI (197) boot: Disabling RNG early entropy source...�[0m
�[0;32mI (203) cpu_start: Pro cpu up.�[0m
�[0;32mI (207) cpu_start: Starting app cpu, entry point is 0x40080e40�[0m
�[0;32mI (0) cpu_start: App cpu up.�[0m
�[0;32mI (217) heap_init: Initializing. RAM available for dynamic allocation:�[0m
�[0;32mI (224) heap_init: At 3FFAE6E0 len 00001920 (6 KiB): DRAM�[0m
�[0;32mI (230) heap_init: At 3FFB29D0 len 0002D630 (181 KiB): DRAM�[0m
�[0;32mI (236) heap_init: At 3FFE0440 len 00003BC0 (14 KiB): D/IRAM�[0m
�[0;32mI (243) heap_init: At 3FFE4350 len 0001BCB0 (111 KiB): D/IRAM�[0m
�[0;32mI (249) heap_init: At 40088C08 len 000173F8 (92 KiB): IRAM�[0m
�[0;32mI (255) cpu_start: Pro cpu start user code�[0m
�[0;32mI (273) cpu_start: Starting scheduler on PRO CPU.�[0m
�[0;32mI (0) cpu_start: Starting scheduler on APP CPU.�[0m

Opening Non-Volatile Storage (NVS) handle... Done
Reading restart counter from NVS ... Done
Restart counter = 78
Updating restart counter in NVS ... Done
Committing updates in NVS ... Done

Restarting in 10 seconds...
Restarting in 9 seconds...
Restarting in 8 seconds...
Restarting in 7 seconds...
Restarting in 6 seconds...
Restarting in 5 seconds...
Restarting in 4 seconds...
Restarting in 3 seconds...
Restarting in 2 seconds...
Restarting in 1 seconds...
Restarting in 0 seconds...
Restarting now.

[Buffalchill]

@me-no-dev are you sure that spiffs don't work when flash encryption is enabled ?
I think i just had a wrong partition table flashed on my board, and would like to investigate that again.
luckily NVS work with arduino-esp32 and flash encryption 🥇

[Buffalchill]

great news.
today I investigated that NVS (preferences) and SPIFFS do work with Flash_encryption !

[venkat3344]

I got the error 1000...

rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371
ets Jun 8 2016 00:22:57

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371
ets Jun 8 2016 00:22:57

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371
ets Jun 8 2016 00:22:57

Burn the FLASH_CRYPT_CNT efuse again with the python script getting error : A fatal error occurred : Efuse FLASH_ENCRYPT_CNT failed to burn. Protected?

3. Check out the FLASH_CRYPT_CNT with espefuse.py --port "COM3" summary
   it should still have the value: 1

[mau-lopez]

Hi Buffalchill, thanks a lot for your explanation on encryption and re-flashing, just one silly question because I don't know c and don't seem to be lucky googling for this one : what library(ies) do I have to include in order to use esp_flash_encryption_enabled() in my code and also how do I declare it so I can use it? Thanks in advance

[WebDust21]

There is also an interesting file sdkconfig. There are a lot of settings there. Regarding this topic:

# Security features # # CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT is not set # CONFIG_SECURE_BOOT is not set # CONFIG_SECURE_FLASH_ENC_ENABLED is not set # end of Security features

Assuming the bootloader is recompiled from the ELF in 2.0.6 and newer, I wonder if just uncommenting the "CONFIG_SECURE_FLASH_ENC_ENABLED" line would do the trick...

[workpage2]

The loader DEFINITELY DOES NOT RECOMPILATE!!! The file date does not change. I just replace the bootloader_dio_80m.elf file with the one that created the idf.

[WebDust21]

Yeah, the ELF won't...but the output BIN will.

[WebDust21]

[workpage2]

If arduino wants to create a bin file every time - ok. For encryption, just replace bootloader_dio_80m.elf

[workpage2]

Correctly configured?

[workpage2]

Webdust, did you make the shift memory for the encrypted bootloader?

[WebDust21]

Webdust, did you make the shift memory for the encrypted bootloader?

Huh?

As detailed much further above, all I did was enable encryption in the bootloader, and then swap out the Arduino bootloader file for the encrypted one.
Worth noting that it is extremely easy to overflow the bootloader partition in the ESP32 by turning on too many options in the ESP-IDF configuration; I had to turn off most of the logging to get it to fit into the standard Arduino-ESP32 bootloader partition space. If that's what you're referring to by "shift memory"?

[workpage2]

Yes. That's what I was asking about. What log settings did you set?

[WebDust21]

Yes. That's what I was asking about. What log settings did you set?

I believe I had to set it to "none" to make the bootloader fit. Honestly, it was 3 years ago I was digging into this stuff, so I really don't recall! And thanks to Git context nonsense of ESP-IDF, there's almost zero chance I'll be able to pull up the old settings and find out what I did.

From my very first post on this thread:

[workpage2]

ONLY FOR 16MB ESP32!!!
I tested this file - encryption works. It is enough to replace it with the original one.
After starting, it takes about 1 minute to encrypt the memory.
SDK 2.0.7 Memory parameters: 80mhz, DIO, 6mb app, 3mb spiffs. OTA enable.
bootloader_dio_80m.zip

[workpage2]

ONLY FOR 4MB ESP32!!!
Not tested!!! Please post results here. I'll remove the warning.
SDK 2.0.7 Memory parameters: 80mhz, DIO, 1.2mb app, 1.5mb spiffs. OTA enable.
bootloader_dio_80m.zip

[WebDust21]

Unless I'm mistaken, the partition table shouldn't affect the bootloader file.
Obviously, FLASH setup (DIO/QIO, 80MHz, etc.) does affect the bootloader file, but AFAIK that's about it.

[workpage2]

My board didn't work until I specified the partition table in menuconfig. Perhaps the elf file contains this information.

[VojtechBartoska]

@PilnyTomas Also this, can be explained in FAQ and closed.

[rjjrbatarao]

is there anyway to debrick ecnrypted esp32? like reading the previous working encrypted firmware then manually flashing it later?

[whoim2]

Hi all. I was puzzled by the encryption issue in Arduino. As far as I understand, it is enough to build the bootloader with encryption support from the idf, limited by the functionality so that it fits into its partition.
We are losing the ability to program over the usb wire and standard OTA won't work either. That is - the device will be without any possibility of updating. Am I understanding everything correctly?
Will it work for lolin esp32 s2 mini?
Thank you!

[lbernstone]

Once the flash is encrypted, all writes to the ota partitions (the firmware), will be encrypted. So, OTA becomes the only way to update in release mode.

[WebDust21]

standard OTA won't work either.

So yes, above I noted that the Arduino-ESP32 core's OTA routines were using the only function that didn't support encrypted FLASH--however, I believe this has been fixed for some time in the Arduino-ESP32 core. And as @lbernstone points out, OTA is the only way to update an encrypted ESP32.

FYI you'll need to generate an ESP32-S2 bootloader via ESP-IDF, with encryption enabled. The bootloader binaries provided above were for the original ESP32, and I'm almost certain they won't work on the ESP32-S2 (or ESP32-S3 for that matter).

[whoim2]

Once the flash is encrypted, all writes to the ota partitions (the firmware), will be encrypted. So, OTA becomes the only way to update in release mode.

Thank you! I researched the topic and realized that there was a problem with the standard OTA using the ESP.flash* procedures, which was fixed and now the OTA works well with an encrypted flash, when using the appropriate bootloader.
I implemented OTA into my sketch, it works well, it remains to get the bootloader for lolin s2 mini :)

[whoim2]

standard OTA won't work either.

So yes, above I noted that the Arduino-ESP32 core's OTA routines were using the only function that didn't support encrypted FLASH--however, I believe this has been fixed for some time in the Arduino-ESP32 core. And as @lbernstone points out, OTA is the only way to update an encrypted ESP32.

FYI you'll need to generate an ESP32-S2 bootloader via ESP-IDF, with encryption enabled. The bootloader binaries provided above were for the original ESP32, and I'm almost certain they won't work on the ESP32-S2 (or ESP32-S3 for that matter).

Yes, I understand, while this is a problem, espidf does not support win7. I'll try to persuade friends on win10 to help me :)

[lbernstone]

Make a linux vm. It'll perform better anyhow.

[dsilletti]

Hi All, on the ESP32-S3 I enabled Flash Encryption and Secure Boot v2 by flashing the ESP-IDF generated bootloader and signing the Arduino generated binary
all is fine, I can OTA flash both ESP-IDF and Arduino binaries signed, they both work smooth
Using the Arduino core binaries I get this Error about core dump data check failed:

E (323) esp_core_dump_flash: Core dump data check failed:
Calculated checksum='7c3422e9'
Image checksum='20202020'

I get no Error if I use the ESP-IDF compiled binary
it's not affecting the firmware functionality but I would like to fix this, It could be that Arduino core cannot manage the coredump encrypted partition?
any experience with this? thanks

[whoim2]

Hi All, on the ESP32-S3 I enabled Flash Encryption and Secure Boot v2 by flashing the ESP-IDF generated bootloader and signing the Arduino generated binary all is fine, I can OTA flash both ESP-IDF and Arduino binaries signed, they both work smooth Using the Arduino core binaries I get this Error about core dump data check failed:

E (323) esp_core_dump_flash: Core dump data check failed:
Calculated checksum='7c3422e9'
Image checksum='20202020'

I get no Error if I use the ESP-IDF compiled binary it's not affecting the firmware functionality but I would like to fix this, It could be that Arduino core cannot manage the coredump encrypted partition? any experience with this? thanks

Hello. I also want to try encryption through bootloader substitution, I have Esp32-S2 lolin mini. I can't get an encrypted bootloader, I have win7 and idf doesn't want to install. Are you unable to download the encrypted bootloader, development and release version for me?
Im try too this way and publish results there.

As far as I understand, there is no need to sign the binaries, a regular file is served and the bootloader already encrypts it.

[rftafas]

@Buffalchill that is probably the only way that flash encryption will be available for Arduino users. Since it's not for everyone and could cause any novice an issue, it would require you to run Arduino as IDF component.

SPIFFS does not run on encrypted flash ;) FATFS does

I quoted this as it is important to be aware. Issue already solved, the user was able to make it work.