espressif / esp-idf

Espressif IoT Development Framework. Official development framework for Espressif SoCs.
Apache License 2.0

[SECURE_BOOT_V2] How to OTA device without WiFi via command line (IDFGH-13123) #14067

Closed ravinder-bb closed 2 months ago

ravinder-bb commented 3 months ago

General issue report

We have flashed many devices with secure bootloader and application binaries. However, the devices that were connected to Wi-Fi experienced bugs in the code. How can I perform an over-the-air (OTA) update of all my devices using the command line? I've tried several methods, but haven't been successful.

otatool.py command - but it did not work

idf.py -p /dev/ttyUSB1 encrypted-flash - but it did not work; is Flas

sdkconfig

#
# Security features
#
CONFIG_SECURE_SIGNED_ON_BOOT=y
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_BOOT_V2_RSA_SUPPORTED=y
CONFIG_SECURE_BOOT_V2_PREFERRED=y
CONFIG_SECURE_BOOT_V2_RSA_ENABLED=y
CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
CONFIG_SECURE_BOOT=y
CONFIG_SECURE_BOOT_V2_ENABLED=y
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY="secure_boot_signing_key.pem"
# CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE is not set
# CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT is not set
# CONFIG_SECURE_BOOT_INSECURE is not set
CONFIG_SECURE_FLASH_ENC_ENABLED=y
CONFIG_SECURE_FLASH_ENCRYPTION_AES128=y
# CONFIG_SECURE_FLASH_ENCRYPTION_AES256 is not set
# CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT is not set
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
CONFIG_SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE=y
# CONFIG_SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART is not set
CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP=y
CONFIG_SECURE_ROM_DL_MODE_ENABLED=y
# CONFIG_SECURE_DISABLE_ROM_DL_MODE is not set
CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
# CONFIG_SECURE_INSECURE_ALLOW_DL_MODE is not set
# end of Security features

ravinder-bb commented 3 months ago

Any update ?

mahavirj commented 3 months ago

@ravinder-bb

ravinder-bb commented 3 months ago

Thank you for your reply.

I have a signing key, but I'm having trouble flashing devices. Is there another way to flash the devices?

ravinder-bb commented 3 months ago

Any update ?

mahavirj commented 3 months ago

@ravinder-bb

CONFIG_SECURE_FLASH_ENC_ENABLED=y
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y

Problem is with flash encryption scheme and not the secure boot. Since you have enabled release mode and the key was generated randomly on the device, it is not possible to encrypt the artifacts outside of the chip. Unfortunately, there is no way to flash the device. OTA update is the only recovery option here.

Just to double confirm, please share output of following commands:

esptool.py get_security_info
espefuse.py summary

ravinder-bb commented 3 months ago

@mahavirj,

esptool.py --chip esp32s2 --port /dev/ttyUSB1 get_security_info

esptool.py v3.0
Serial port /dev/ttyUSB1
Connecting....
Chip is ESP32-S2 in Secure Download Mode
WARNING: Stub loader is not supported in Secure Download Mode, setting --no-stub
Enabling default SPI flash mode...
Flags: 0x000006f5 (0b11011110101)
Flash_Crypt_Cnt: 0x1
Key_Purposes: (9, 4, 0, 0, 0, 0, 0)
Hard resetting via RTS pin...

espefuse.py --chip esp32s2 --port /dev/ttyUSB1 -p /dev/ttyUSB1 summary

Connecting.....
Traceback (most recent call last):
  File "/home/shivay/esp/esp-idf/components/esptool_py/esptool/espefuse.py", line 131, in <module>
    _main()
  File "/home/shivay/esp/esp-idf/components/esptool_py/esptool/espefuse.py", line 124, in _main
    main()
  File "/home/shivay/esp/esp-idf/components/esptool_py/esptool/espefuse.py", line 104, in main
    efuses, efuse_operations = get_efuses(esp, just_print_help, debug_mode, args1.do_not_confirm)
  File "/home/shivay/esp/esp-idf/components/esptool_py/esptool/espefuse.py", line 69, in get_efuses
    return (efuse.EspEfuses(esp, skip_connect, debug_mode, do_not_confirm), efuse.operations)
  File "/home/shivay/esp/esp-idf/components/esptool_py/esptool/espressif/efuse/esp32s2/fields.py", line 81, in __init__
    self.blocks = [EfuseBlock(self, self.Blocks.get(block), skip_read=skip_connect) for block in self.Blocks.BLOCKS]
  File "/home/shivay/esp/esp-idf/components/esptool_py/esptool/espressif/efuse/esp32s2/fields.py", line 81, in <listcomp>
    self.blocks = [EfuseBlock(self, self.Blocks.get(block), skip_read=skip_connect) for block in self.Blocks.BLOCKS]
  File "/home/shivay/esp/esp-idf/components/esptool_py/esptool/espressif/efuse/esp32s2/fields.py", line 39, in __init__
    super(EfuseBlock, self).__init__(parent, param, skip_read=skip_read)
  File "/home/shivay/esp/esp-idf/components/esptool_py/esptool/espressif/efuse/base_fields.py", line 133, in __init__
    self.read()
  File "/home/shivay/esp/esp-idf/components/esptool_py/esptool/espressif/efuse/base_fields.py", line 179, in read
    words = self.get_words()
  File "/home/shivay/esp/esp-idf/components/esptool_py/esptool/espressif/efuse/base_fields.py", line 176, in get_words
    return [self.parent.read_reg(offs) for offs in get_offsets(self)]
  File "/home/shivay/esp/esp-idf/components/esptool_py/esptool/espressif/efuse/base_fields.py", line 176, in <listcomp>
    return [self.parent.read_reg(offs) for offs in get_offsets(self)]
  File "/home/shivay/esp/esp-idf/components/esptool_py/esptool/espressif/efuse/base_fields.py", line 337, in read_reg
    return self._esp.read_reg(addr)
  File "/home/shivay/esp/esp-idf/components/esptool_py/esptool/esptool.py", line 562, in read_reg
    val, data = self.command(self.ESP_READ_REG, struct.pack('<I', addr))
  File "/home/shivay/esp/esp-idf/components/esptool_py/esptool/esptool.py", line 398, in command
    raise UnsupportedCommandError(self, op)
esptool.UnsupportedCommandError: This command (0xa) is not supported in Secure Download Mode

ravinder-bb commented 2 months ago

Any update ?

mahavirj commented 2 months ago

@ravinder-bb

Based on the above efuse summary, it looks like pretty much all security configurations are in their release mode. One thing that I am not sure about is whether you have the flash encryption feature in development mode or release mode, because the sdkconfig suggests that it's release mode but the flash crypt count value (0x1) suggests that it might be development mode. Maybe you can confirm this once?

You may try following command and see if it helps (please use latest esptool version for this):

esptool.py --no-stub write_flash  --encrypt  <address> <filename>

This command will work if the efuse bit DIS_DOWNLOAD_MANUAL_ENCRYPT was not programmed (flash encryption development mode). If this command fails, then there is no way to reflash the device (unless you have flash encryption key in your possession).

Hope this helps!
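To make the interpretation in the two comments above repeatable, here is an added Python decoder for the raw get_security_info lines quoted earlier in the thread. It is not esptool's or esp-idf's code; the flag bit names and the ESP32-S2 key-purpose codes follow esptool's loader constants as I know them and should be treated as an assumption to check against your esptool version. Applied to the thread's own output (secure boot on, an XTS_AES_128 key burnt, Flash_Crypt_Cnt with an odd bit count, secure download mode on) it spells out why `espefuse.py summary` failed and why `write_flash --encrypt` was the only experiment left: the one bit that decides it, DIS_DOWNLOAD_MANUAL_ENCRYPT, is not part of what the ROM reports.

```python
import re

# Bit positions of the "Flags" word the ROM returns to GET_SECURITY_INFO,
# named as esptool's loader names them (assumption: confirm against the
# constants in your esptool version; the ROM, not this script, is authoritative).
SECURITY_FLAGS = {
    0: "SECURE_BOOT_EN",
    1: "SECURE_BOOT_AGGRESSIVE_REVOKE",
    2: "SECURE_DOWNLOAD_ENABLE",
    3: "SECURE_BOOT_KEY_REVOKE0",
    4: "SECURE_BOOT_KEY_REVOKE1",
    5: "SECURE_BOOT_KEY_REVOKE2",
    6: "SOFT_DIS_JTAG",
    7: "HARD_DIS_JTAG",
    8: "DIS_USB",
    9: "DIS_DOWNLOAD_ICACHE",
    10: "DIS_DOWNLOAD_DCACHE",
}

# ESP32-S2 eFuse key-block purpose codes (same caveat as above).
KEY_PURPOSES = {
    0: "USER/EMPTY", 1: "RESERVED",
    2: "XTS_AES_256_KEY_1", 3: "XTS_AES_256_KEY_2", 4: "XTS_AES_128_KEY",
    5: "HMAC_DOWN_ALL", 6: "HMAC_DOWN_JTAG", 7: "HMAC_DOWN_DIGITAL_SIGNATURE", 8: "HMAC_UP",
    9: "SECURE_BOOT_DIGEST0", 10: "SECURE_BOOT_DIGEST1", 11: "SECURE_BOOT_DIGEST2",
}
FLASH_KEY_PURPOSES = {"XTS_AES_128_KEY", "XTS_AES_256_KEY_1", "XTS_AES_256_KEY_2"}
NUM_KEY_BLOCKS = 6  # ESP32-S2 has BLOCK_KEY0..BLOCK_KEY5; the ROM reports 7 purpose bytes (assumption)

# The fields quoted in the thread (esptool v3.0 prints only the raw values).
THREAD_OUTPUT = """\
Chip is ESP32-S2 in Secure Download Mode
Flags: 0x000006f5 (0b11011110101)
Flash_Crypt_Cnt: 0x1
Key_Purposes: (9, 4, 0, 0, 0, 0, 0)
"""


def parse_security_info(text):
    """Pull the three raw fields out of esptool's get_security_info output."""
    flags = int(re.search(r"Flags:\s*(0x[0-9a-fA-F]+)", text).group(1), 16)
    crypt_cnt = int(re.search(r"Flash_Crypt_Cnt:\s*(0x[0-9a-fA-F]+)", text).group(1), 16)
    purposes_txt = re.search(r"Key_Purposes:\s*\(([^)]*)\)", text).group(1)
    purposes = [int(p) for p in purposes_txt.split(",") if p.strip()]
    return flags, crypt_cnt, purposes


def decode_security_info(text):
    """Turn the raw fields into named security state."""
    flags, crypt_cnt, purposes = parse_security_info(text)
    set_flags = [name for bit, name in SECURITY_FLAGS.items() if flags & (1 << bit)]
    key_slots = {
        f"BLOCK_KEY{i}": KEY_PURPOSES.get(p, f"UNKNOWN({p})")
        for i, p in enumerate(purposes[:NUM_KEY_BLOCKS])
    }
    return {
        "flags": set_flags,
        "secure_boot": "SECURE_BOOT_EN" in set_flags,
        "secure_download_mode": "SECURE_DOWNLOAD_ENABLE" in set_flags,
        # Flash encryption is on when the crypt-count eFuse has an odd number of set bits.
        "flash_encryption": bin(crypt_cnt).count("1") % 2 == 1,
        "flash_key_on_chip": any(v in FLASH_KEY_PURPOSES for v in key_slots.values()),
        "key_slots": key_slots,
    }


def serial_recovery_assessment(info):
    """List what a serial reflash attempt needs, given the decoded state."""
    notes = []
    if not info["flash_encryption"]:
        notes.append("flash encryption off: plain write_flash of signed images works")
    else:
        if info["flash_key_on_chip"]:
            notes.append("XTS key lives in eFuse: host cannot pre-encrypt images without that key")
        notes.append("ROM-side encryption (write_flash --encrypt) works only if "
                     "DIS_DOWNLOAD_MANUAL_ENCRYPT is unburnt; GET_SECURITY_INFO does not "
                     "report that bit, so the only test is to try the command")
    if info["secure_boot"]:
        notes.append("secure boot on: image must be signed with a key matching a burnt SECURE_BOOT_DIGESTn")
    if info["secure_download_mode"]:
        notes.append("secure download mode: no stub and no READ_REG, so espefuse summary fails")
    return notes


if __name__ == "__main__":
    decoded = decode_security_info(THREAD_OUTPUT)
    for k, v in decoded.items():
        print(f"{k}: {v}")
    for line in serial_recovery_assessment(decoded):
        print("-", line)
```

Feed it the output of `esptool.py --chip esp32s2 get_security_info` from a device on the bench before you ship the fleet; if the assessment says the XTS key is on-chip and the only remaining test is `write_flash --encrypt`, run that test while the device is still yours to brick, not after deployment.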

ravinder-bb commented 2 months ago

We have tried but got this error.

esptool.py v4.7.0
Serial port /dev/ttyUSB1
Connecting......
Chip is ESP32-S2 in Secure Download Mode
Changing baud rate to 460800
Changed.
Enabling default SPI flash mode...
Configuring flash size...
Flash will be erased from 0x00040000 to 0x00190fff...
Erasing flash...

A fatal error occurred: Failed to enter Flash download mode (result was 01640000: Unknown result)

ravinder-bb commented 2 months ago

@mahavirj, is any other way possible, just like otatool.py, to update only the OTA files?

ravinder-bb commented 2 months ago

@mahavirj, Any suggestion ?

mahavirj commented 2 months ago

@ravinder-bb Sorry, I don't have any other suggestions here. I gave you all possible information. If you don't have access to flash encryption key for these devices then unfortunately updating the firmware is not possible over serial in their current state.
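Since the thread ends with OTA as the only remaining path, the image that goes out over OTA has to carry a Secure Boot V2 signature block the device's burnt SECURE_BOOT_DIGEST0 accepts (CONFIG_SECURE_SIGNED_ON_UPDATE=y in the sdkconfig above makes the running app check this before it will boot into the new partition). The following is an added example, not code from esp-idf or esptool, that parses the signature sector appended to a signed app image: it checks each block's magic, version and CRC32, confirms the embedded SHA-256 equals the digest of the padded image, and derives the public-key digest from the block's (modulus, exponent, R, M') fields (assumption: this is the same value `espsecure.py digest_sbv2_public_key` prints and that the eFuse stores). It does not run the RSA-PSS verification itself; `espsecure.py verify_signature --version 2 --keyfile <key> <image>` does that. The sample image built in `build_sample_image` is constructed here with a placeholder signature, so only the structural checks can pass on it.

```python
import hashlib
import struct
import zlib

SECTOR_SIZE = 4096            # image payload and signature sector are padded to this
SIG_BLOCK_SIZE = 1216
SIG_BLOCKS_PER_SECTOR = 3     # up to three signatures (one per key slot) per image
SIG_BLOCK_MAGIC = 0xE7
SIG_BLOCK_VERSION_RSA = 0x02  # RSA-3072/PSS; 0x03 is the ECDSA variant on newer chips
# magic, version, 2 pad bytes, image SHA-256, modulus (LE), exponent, R (LE), M', signature (LE)
SIG_BLOCK_FMT = "<BBxx32s384sI384sI384s"
SIG_BLOCK_SIGNED_LEN = struct.calcsize(SIG_BLOCK_FMT)  # 1196; then CRC32 and 16 zero bytes


def pad_to_sector(data, fill=b"\xff"):
    rem = len(data) % SECTOR_SIZE
    return data if rem == 0 else data + fill * (SECTOR_SIZE - rem)


def build_signature_block(image_digest, modulus_le, exponent, rr_le, mprime, signature_le):
    """Pack one signature block in the on-flash layout (CRC32 covers the first 1196 bytes)."""
    body = struct.pack(SIG_BLOCK_FMT, SIG_BLOCK_MAGIC, SIG_BLOCK_VERSION_RSA,
                       image_digest, modulus_le, exponent, rr_le, mprime, signature_le)
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + b"\x00" * 16


def parse_signed_image(image):
    """Return one dict per populated signature block of a Secure Boot V2 signed image."""
    if len(image) < 2 * SECTOR_SIZE or len(image) % SECTOR_SIZE:
        raise ValueError("not a sector-aligned signed image")
    payload, sig_sector = image[:-SECTOR_SIZE], image[-SECTOR_SIZE:]
    payload_digest = hashlib.sha256(payload).digest()   # what the bootloader hashes and compares
    blocks = []
    for slot in range(SIG_BLOCKS_PER_SECTOR):
        blk = sig_sector[slot * SIG_BLOCK_SIZE:(slot + 1) * SIG_BLOCK_SIZE]
        if blk[0] != SIG_BLOCK_MAGIC:
            continue  # unused slot, left as 0xFF
        (_, version, digest, n_le, e, rr_le, mprime,
         sig_le) = struct.unpack(SIG_BLOCK_FMT, blk[:SIG_BLOCK_SIGNED_LEN])
        stored_crc = struct.unpack("<I", blk[SIG_BLOCK_SIGNED_LEN:SIG_BLOCK_SIGNED_LEN + 4])[0]
        # Assumption: the eFuse SECURE_BOOT_DIGESTn value is SHA-256 over the packed
        # (modulus, exponent, R, M') fields, as espsecure.py digest_sbv2_public_key computes it.
        key_digest = hashlib.sha256(struct.pack("<384sI384sI", n_le, e, rr_le, mprime)).hexdigest()
        blocks.append({
            "slot": slot,
            "version": version,
            "crc_ok": stored_crc == (zlib.crc32(blk[:SIG_BLOCK_SIGNED_LEN]) & 0xFFFFFFFF),
            "digest_matches_payload": digest == payload_digest,
            "exponent": e,
            "modulus_bits": int.from_bytes(n_le, "little").bit_length(),
            "public_key_digest": key_digest,
            "signature_le": sig_le,   # RSA-PSS verification of this is not done here
        })
    return blocks


def build_sample_image():
    """Constructed stand-in for an app binary plus one signature block with a placeholder signature."""
    payload = pad_to_sector(b"\xe9" + bytes(i & 0xFF for i in range(5000)))  # 0xE9 = ESP image magic
    modulus_le = bytes((i * 7 + 3) & 0xFF for i in range(384))
    modulus_le = modulus_le[:-1] + b"\x80"  # non-zero top byte so it reads as a 3072-bit modulus
    rr_le = bytes((i * 13 + 5) & 0xFF for i in range(384))
    fake_sig_le = b"\x5a" * 384             # NOT a real RSA-PSS signature (no key material here)
    block = build_signature_block(hashlib.sha256(payload).digest(), modulus_le, 65537,
                                  rr_le, 0x12345678, fake_sig_le)
    return payload + pad_to_sector(block)


if __name__ == "__main__":
    for b in parse_signed_image(build_sample_image()):
        print({k: v for k, v in b.items() if k != "signature_le"})
```

Run `parse_signed_image(open("build/app.bin", "rb").read())` on the artifact you are about to serve over OTA and compare `public_key_digest` with the digest of the key named in CONFIG_SECURE_BOOT_SIGNING_KEY; a CRC or digest mismatch, or a key digest that is not the one burnt into the fleet, means the devices will reject the update and you are back to the situation in this thread.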