espressif / qemu

Fork of QEMU with Espressif patches. See Wiki for details.
https://github.com/espressif/esp-toolchain-docs/blob/main/qemu/README.md

Failed to burn efuses (QEMU-158) #81

Closed artua closed 1 year ago

artua commented 1 year ago

I'm trying to play with flash encryption efuses on QEMU, but it seems this part is not working stably.

espefuse.py -d --port socket://localhost:5555 -b 2000000 --chip esp32 --do-not-confirm burn_key flash_encryption my_flash_encryption_key.bin

espefuse.py v3.3.2espefuse.py v3.3.2
Connecting...
Device PID identification is only supported on COM and /dev/ serial ports.

BLOCK0          (                ) [0 ] read_regs: 00000000 33445566 00481122 00008000 00000000 00100000 00000000
BLOCK1          (flash_encryption) [1 ] read_regs: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
BLOCK2          (secure_boot_v1 s) [2 ] read_regs: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
BLOCK3          (                ) [3 ] read_regs: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000

EFUSE_REG_DEC_STATUS        0x00000000

=== Run "burn_key" command ===
Burn keys to blocks:
 - BLOCK1 -> [b3 c3 d7 0b 8e 01 85 2d da e0 85 7a 96 9b 83 cf f7 94 78 51 23 36 72 52 52 bd 08 1e 90 15 80 73]
    Reversing the byte order
    Disabling read to key block
    Disabling write to key block

Burn keys in efuse blocks.
The key block will be read and write protected (no further changes or readback) 

Check all blocks for burn...
idx, BLOCK_NAME,          Conclusion
[00] BLOCK0               is not empty
    (written ): 0x00000000001000000000000000008000004811223344556600000000
    (to write): 0x00000000000000000000000000000000000000000000000000010080
    (coding scheme = NONE)
[01] BLOCK1               is empty, will burn the new value
[02] BLOCK2               nothing to burn
[03] BLOCK3               nothing to burn
. 
This is an irreversible operation!
BLOCK1          (flash_encryption) [1 ] to_write: 0bd7c3b3 2d85018e 7a85e0da cf839b96 517894f7 52723623 1e08bd52 73801590
Write data to BLOCK1
Addr 0x3ff5a098, data=0x0bd7c3b3

A fatal error occurred: Failed to write target memory. Only got 2 byte status response.

QEMU is run with the following command:

build/qemu-system-xtensa -nographic \
    -machine esp32 \
    -drive file=../gpr/qemu/qemu_flash_image.bin,if=mtd,format=raw \
    -global driver=esp32.gpio,property=strap_mode,value=0x0f \
    -drive file=../gpr/qemu/qemu_efuse-mac.bin,if=none,format=raw,id=efuse \
    -global driver=nvram.esp32.efuse,property=drive,value=efuse \
    -serial tcp::5555,server,nowait

igrr commented 1 year ago

@artua Could you please try running espefuse.py without -b 2000000 argument and see if that works any better?

artua commented 1 year ago

Thanks! Yes, without this option or with one of the standard baud rates it seemed to be working! Now the encrypted image doesn't run... But that's another issue.