I set the options below:
https://iv.pl/image/GtBgqND
https://iv.pl/image/GtBgpSY
and partition table in csv.
https://iv.pl/image/GtBg13e
Before encryption I could read every partition using: target.read_partition(PartitionType(<type>, <subtype>), "file.bin")
I understood that by default only app partitions are encrypted, plus partitions marked as encrypted in the csv file.
In my case I leave storage data as decrypted and now the question is: whether partition storage should be readable by target.read_partition() after encryption?
I try to do this but I get an error: UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8d in position 0: invalid start byte
Flash encryption
Re: Flash encryption
Is it possible to flash a new bootloader without secure boot and encryption? These are my security fuses:
I can't go back to normal flash usage.
Security fuses:
FLASH_CRYPT_CNT Flash encryption mode counter = 7 R/W (0x7)
FLASH_CRYPT_CONFIG Flash encryption config (key tweak bits) = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE Disable ROM BASIC interpreter fallback = 1 R/W (0x1)
ABS_DONE_0 secure boot enabled for bootloader = 1 R/W (0x1)
ABS_DONE_1 secure boot abstract 1 locked = 0 R/W (0x0)
JTAG_DISABLE Disable JTAG = 1 R/W (0x1)
DISABLE_DL_ENCRYPT Disable flash encryption in UART bootloader = 0 R/W (0x0)
DISABLE_DL_DECRYPT Disable flash decryption in UART bootloader = 1 R/W (0x1)
DISABLE_DL_CACHE Disable flash cache in UART bootloader = 1 R/W (0x1)
BLK1 Flash encryption key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK2 Secure boot key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK3 Variable Block 3
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
Re: Flash encryption
Hi filip,
Sorry no one replied to you before now.
filipESP wrote (Thu May 21, 2020 8:44 am):
> In my case I leave storage data as decrypted and now the question is: whether partition storage should be readable by target.read_partition() after encryption?
> I try to do this but I get an error: UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8d in position 0: invalid start byte
If the data is not encrypted then it should be possible to read it out on the host using partition tool, same as if encryption was not enabled.
If you're getting this Python error then can you please post the full error backtrace with all lines of context, and also please let us know which ESP-IDF version you're using and what operating system you're doing this on? It may be a bug.
filipESP wrote:
> Is it possible to flash a new bootloader without secure boot and encryption? These are my security fuses:
It's not possible to disable secure boot once it's enabled in hardware (efuse ABS_DONE_0 is set to 1), and the FLASH_CRYPT_CNT efuse is already at its maximum value (0x7) so flash encryption cannot be disabled again. FLASH_CRYPT_CNT is set to the maximum if you enable flash encryption and secure boot together to prevent undoing any security protections.
As it looks like Flash Encryption is enabled in "Development" mode then it should be possible to flash new signed apps with the encrypted-flash target.
It may also be possible to flash a new bootloader if you enabled Secure Boot in "Reflashable" mode, meaning you can generate the digest to match a new bootloader binary. Unfortunately the screenshot links no longer work so I can't see exactly what config was used.
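The fuse reading in the reply above, as an added example (not code from the thread or from Espressif): it parses the posted summary lines and derives the device state the reply describes. The odd-bit-count rule for FLASH_CRYPT_CNT on ESP32 is not stated in the thread, and the function and finding names are hypothetical.

```python
import re

# Fuse lines copied from the summary posted in this thread.
POSTED = """\
FLASH_CRYPT_CNT Flash encryption mode counter = 7 R/W (0x7)
FLASH_CRYPT_CONFIG Flash encryption config (key tweak bits) = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE Disable ROM BASIC interpreter fallback = 1 R/W (0x1)
ABS_DONE_0 secure boot enabled for bootloader = 1 R/W (0x1)
ABS_DONE_1 secure boot abstract 1 locked = 0 R/W (0x0)
JTAG_DISABLE Disable JTAG = 1 R/W (0x1)
DISABLE_DL_ENCRYPT Disable flash encryption in UART bootloader = 0 R/W (0x0)
DISABLE_DL_DECRYPT Disable flash decryption in UART bootloader = 1 R/W (0x1)
DISABLE_DL_CACHE Disable flash cache in UART bootloader = 1 R/W (0x1)
"""

# NAME description = decimal PROTECTION (0xhex)
FUSE_LINE = re.compile(r"^([A-Z0-9_]+)\s.*=\s*\d+\s+\S+\s+\((0x[0-9a-fA-F]+)\)\s*$")


def parse_fuses(text):
    """Map fuse name -> integer value, skipping key blocks and headings."""
    fuses = {}
    for line in text.splitlines():
        m = FUSE_LINE.match(line.strip())
        if m:
            fuses[m.group(1)] = int(m.group(2), 16)
    return fuses


def assess(fuses):
    """Derive the device state that the reply reads off the fuses."""
    # ESP32: encryption is active when an odd number of FLASH_CRYPT_CNT bits is set.
    encrypted = bin(fuses["FLASH_CRYPT_CNT"]).count("1") % 2 == 1
    return {
        "flash_encryption_active": encrypted,
        "secure_boot_enabled": fuses["ABS_DONE_0"] == 1,
        # DISABLE_DL_ENCRYPT still 0: the UART bootloader can encrypt on write,
        # which the encrypted-flash target relies on (Development mode).
        "uart_encrypted_flashing": encrypted and fuses["DISABLE_DL_ENCRYPT"] == 0,
        "uart_decrypt_disabled": fuses["DISABLE_DL_DECRYPT"] == 1,
        "jtag_disabled": fuses["JTAG_DISABLE"] == 1,
    }


if __name__ == "__main__":
    for name, value in assess(parse_fuses(POSTED)).items():
        print(f"{name}: {value}")
```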
Re: Flash encryption
sdk config - boot options:
https://zapodaj.net/images/d89faae4a2ac7.png
sdk config - partition table:
https://zapodaj.net/images/3b66441118ba7.png
csv file - partition table:
https://zapodaj.net/images/88d8d83e3603a.png
attempt to read partition with type data:
https://zapodaj.net/images/36cea10773801.png
My OS is Win10 and the IDF version is 4.0.
Re: Flash encryption
Hi Filip,
Sorry I missed a detail in my first reply.
The error posted in the last screenshot indicates a problem reading the partition table back from flash: the magic byte doesn't match the expected magic byte for a partition.
This is because the partition table itself has been encrypted; you won't be able to use this approach to read out any partition table entries from the host.
However if you know the offset of the unencrypted data partition (can find this from the "idf.py partition_table" target) then you can read the bytes from that address in flash directly (using esptool.py read_flash or a similar approach), as they are unencrypted.
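An added example (not code from the thread or from ESP-IDF) of the approach in the reply above: it parses the plaintext partition table binary that the build leaves on the host, finds the data partition's offset and size, and returns the `esptool.py read_flash` arguments. The same parser rejects a table read back from an encrypted device, because the entry magic no longer matches. The sample table, its offsets and the function names are constructed for illustration.

```python
import struct

ENTRY_FMT = "<2sBBLL16sL"   # magic, type, subtype, offset, size, label, flags
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)          # 32 bytes per entry
ENTRY_MAGIC, MD5_MAGIC = b"\xAA\x50", b"\xEB\xEB"
TYPE_APP, TYPE_DATA, FLAG_ENCRYPTED = 0x00, 0x01, 0x01


def parse_table(blob):
    """Parse a plaintext partition table; raise ValueError on a bad entry magic."""
    parts = []
    for pos in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = blob[pos:pos + ENTRY_SIZE]
        if raw == b"\xFF" * ENTRY_SIZE or raw[:2] == MD5_MAGIC:
            break                                # end marker or MD5 checksum entry
        magic, ptype, sub, offset, size, label, flags = struct.unpack(ENTRY_FMT, raw)
        if magic != ENTRY_MAGIC:
            raise ValueError(f"bad magic {magic.hex()} in entry {pos // ENTRY_SIZE}: "
                             "encrypted table or not a partition table")
        parts.append({
            "label": label.rstrip(b"\x00").decode(), "type": ptype, "subtype": sub,
            "offset": offset, "size": size,
            # Rule as stated in this thread: app partitions and flagged ones.
            "encrypted": ptype == TYPE_APP or bool(flags & FLAG_ENCRYPTED),
        })
    return parts


def read_flash_args(parts, label):
    """Arguments for `esptool.py read_flash` for a partition stored in plaintext."""
    part = next(p for p in parts if p["label"] == label)
    if part["encrypted"]:
        raise ValueError(f"{label} is encrypted; a raw read returns ciphertext")
    return ["read_flash", hex(part["offset"]), hex(part["size"]), f"{label}.bin"]


def _entry(ptype, sub, offset, size, label, flags=0):
    return struct.pack(ENTRY_FMT, ENTRY_MAGIC, ptype, sub, offset, size, label, flags)


# Constructed sample table (not the poster's): nvs, factory app, plaintext "storage".
SAMPLE = (_entry(TYPE_DATA, 0x02, 0x9000, 0x6000, b"nvs")
          + _entry(TYPE_APP, 0x00, 0x10000, 0x100000, b"factory")
          + _entry(TYPE_DATA, 0x82, 0x110000, 0x10000, b"storage")
          + b"\xFF" * ENTRY_SIZE)

if __name__ == "__main__":
    print(read_flash_args(parse_table(SAMPLE), "storage"))
```

The `encrypted` field follows only the rule given in this thread; check the ESP-IDF flash encryption documentation for your version for any data subtypes that are encrypted without the flag.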