
[DOC]Unable to boot firmware with the Secure Boot enabled bootloader #118

Closed
GASEN1216 opened this issue Oct 11, 2024 · 10 comments
Labels
documentation Improvements or additions to documentation

Comments

@GASEN1216 (Author)

I followed the steps in the document (https://github.com/FreeRTOS/iot-reference-esp32/blob/main/UseSecurityFeatures.md), but when I got to step 6, something went wrong. After burning it in, it prompted the following error message. I don't know why. Can anyone help me?

```
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
invalid header: 0x8ESP-ROM:esp32s3-20210327
Build:Mar 27 2021
rst:0x7 (TG0WDT_SYS_RST),boot:0x2d (SPI_FAST_FLASH_BOOT)
Saved PC:0x40048841
0x40048841: uart_tx_one_char_uart in ROM
```
GASEN1216 added the documentation label Oct 11, 2024

@rawalexe (Member)

Can you please provide more logs and the steps you followed?

@jasonpcarroll (Member) commented Oct 11, 2024

Hi @GASEN1216,
Originally this repository was created for the C3, although I imagine it should work for the S3 as well. The errors you are showing are similar to the ones one would see if they only flashed the application and not the bootloader; see 5.1 step 2. That could possibly be your problem. I will try to source an S3 myself and follow the same steps. This may take time.

Best,
Jason Carroll

@GASEN1216 (Author) commented Oct 12, 2024

> Can you please provide more logs and the steps you followed?

Hi @rawalexe ,
The following logs are the ones that keep looping and reporting the errors I gave above.

Step 1: I have successfully run the example without secure mode

Step 2: I turned on the two options mentioned in the document

Step 3: I turned on the flash encrypted project

Step 4: I burned the encrypted certificate as the document said

Step 5: I generated the certificate and set up secure boot

Step 6: I built and burned the project

Is it because I did not build the bootloader with the certificate and secure boot set up in step 5, and the bootloader burned was the bootloader before the secure boot was built, which caused my error?
In other words, is it because I only ran the idf.py bootloader and did not build the project that caused the error?

Thanks,
Gasen

@GASEN1216 (Author)

> Hi @GASEN1216, Originally this repository was created for the C3, although I imagine it should work for the S3 as well. The errors you are showing are similar to the ones one would see if they only flashed the application and not the bootloader; see 5.1 step 2. That could possibly be your problem. I will try to source an S3 myself and follow the same steps. This may take time.
>
> Best, Jason Carroll

Hi @jasonpcarroll ,
Thank you!
Is it because I did not build the bootloader with the certificate and secure boot set up in step 5, and the bootloader burned was the bootloader before the secure boot was built, which caused my error?
In other words, is it because I only ran the idf.py bootloader and did not build the project that caused the error?

@jasonpcarroll (Member) commented Oct 14, 2024

So first you need to run `idf.py menuconfig` and set the appropriate flags for secure boot to be enabled. THEN, you need to build the bootloader with `idf.py bootloader`. After running `idf.py bootloader` you need to run the command it prints out with (PORT) and (BAUD) replaced with your port and baud rate. In our example, it shows the command below, but it will probably print out a slightly different command for you since you are on an S3. When you use secure boot, `idf.py flash` will not flash the bootloader. You need to manually do it using a command like the one below that it prints out when you run `idf.py bootloader`. At least that is my understanding. I hope this helps.

```shell
C:/Users/user/.espressif/python_env/idf4.4_py3.8_env/Scripts/python.exe C:/Users/user/Desktop/esp-idf-6/components/esptool_py/esptool/esptool.py --chip esp32c3 --port=(PORT) --baud=(BAUD) --before=default_reset --after=no_reset --no-stub write_flash --flash_mode dio --flash_freq 80m --flash_size 4MB 0x0 C:/FreeRTOS-Repositories/lab-iot-reference-esp32c3/build/bootloader/bootloader.bin
```
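
The failure mode discussed in this thread is flashing a bootloader that was built before Secure Boot was enabled, i.e. one that carries no signature block. The following is an added example (not code from this repository, from the FreeRTOS reference project or from ESP-IDF) of a pre-flight check you can run on the `bootloader.bin` you are about to pass to `esptool.py write_flash`. It assumes the Secure Boot V2 image layout as documented by Espressif (image padded with 0xFF to a 4 KiB boundary, followed by a signature sector holding up to three 1216-byte blocks: magic 0xE7, version 0x02, SHA-256 of the padded image, RSA-3072 public key material, RSA-PSS signature, CRC32 of the first 1196 bytes). It checks structure, CRC and digest only; it does not verify the RSA signature, so it tells you whether the file is unsigned or corrupted, not whether the key matches the digest burned in eFuse. The sample image and the RSA fields in the demo signature block are constructed filler.

```python
"""Structural pre-flight check for an ESP-IDF Secure Boot V2 image.

Added example for this issue; not project or ESP-IDF code. Layout below is
taken from the Secure Boot V2 documentation (assumption, see lead-in):
  image (0xE9 magic) padded with 0xFF to 4 KiB | signature sector (4 KiB)
  signature block = E7 02 xx xx | sha256(padded image) | RSA n (384) |
                    e (4) | R (384) | M' (4) | sig (384) | crc32 (4) | 16 zero
"""
import hashlib
import struct
import zlib

ESP_IMAGE_MAGIC = 0xE9
SIG_BLOCK_MAGIC = 0xE7
SIG_BLOCK_VERSION_RSA = 0x02
SIG_BLOCK_LEN = 1216
SIG_CRC_COVERS = 1196       # CRC32 is over everything before it
SECTOR = 4096


def _pad_to_sector(data: bytes) -> bytes:
    rem = len(data) % SECTOR
    return data if rem == 0 else data + b"\xff" * (SECTOR - rem)


def check_image(data: bytes) -> dict:
    """Report whether a build output looks like a signed Secure Boot V2 image."""
    report = {"esp_magic_ok": bool(data) and data[0] == ESP_IMAGE_MAGIC,
              "signed": False, "blocks": 0, "crc_ok": False, "digest_ok": False}
    # A signed image is a whole number of sectors; the signature sector is the last one.
    if len(data) < 2 * SECTOR or len(data) % SECTOR:
        return report
    image, sector = data[:-SECTOR], data[-SECTOR:]
    expected_digest = hashlib.sha256(image).digest()
    crc_results, digest_results = [], []
    for i in range(3):                           # the chip accepts up to three blocks
        block = sector[i * SIG_BLOCK_LEN:(i + 1) * SIG_BLOCK_LEN]
        if block[0] != SIG_BLOCK_MAGIC:          # unused slots are 0xFF padding
            break
        (crc,) = struct.unpack_from("<I", block, SIG_CRC_COVERS)
        crc_results.append(crc == (zlib.crc32(block[:SIG_CRC_COVERS]) & 0xFFFFFFFF))
        digest_results.append(block[1] == SIG_BLOCK_VERSION_RSA
                              and block[4:36] == expected_digest)
    report["signed"] = bool(crc_results)
    report["blocks"] = len(crc_results)
    report["crc_ok"] = bool(crc_results) and all(crc_results)
    report["digest_ok"] = bool(digest_results) and all(digest_results)
    return report


def make_demo_signed_image(image: bytes, n_blocks: int = 1) -> bytes:
    """Constructed sample: append structurally valid blocks whose RSA fields are
    deterministic filler (NOT a real key or signature). Used only to exercise
    check_image(); a real signed image comes from idf.py / espsecure.py."""
    padded = _pad_to_sector(image)
    digest = hashlib.sha256(padded).digest()
    sector = b""
    for k in range(n_blocks):
        filler = bytes(((k + 1) * 37 + i) & 0xFF for i in range(384))   # constructed
        block = struct.pack("<BBxx32s384sI384sI384s", SIG_BLOCK_MAGIC,
                            SIG_BLOCK_VERSION_RSA, digest, filler, 65537, filler, 0, filler)
        block += struct.pack("<I", zlib.crc32(block) & 0xFFFFFFFF) + b"\x00" * 16
        sector += block
    return padded + sector.ljust(SECTOR, b"\xff")


# Constructed stand-in for an unsigned bootloader.bin (valid 0xE9 magic, no signature).
DEMO_IMAGE = bytes([ESP_IMAGE_MAGIC]) + bytes(range(256)) * 8 + b"\x07" * 3


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else make_demo_signed_image(DEMO_IMAGE)
    rep = check_image(data)
    print(rep)
    if not (rep["signed"] and rep["crc_ok"] and rep["digest_ok"]):
        print("refusing to flash: image is unsigned or its signature block is damaged")
```

Run it as `python check_image.py build/bootloader/bootloader.bin` on the plaintext build output before flashing; an image written with `--encrypt` is ciphertext on the flash, so the check is meaningful only on the file, not on a readback.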

@jasonpcarroll (Member)

@dhavalgujar - would you mind taking a look here?

@dhavalgujar (Collaborator) commented Oct 15, 2024

Hi @GASEN1216,
Based on your log, it is likely that the first boot-up sequence (with flash encryption enabled), which involves encrypting each partition, was stopped abruptly. This is how the log would have looked; the user is expected to wait until the process completes:

```
I (168) boot: Checking flash encryption...
I (173) efuse: Batch mode of writing fields is enabled
I (179) flash_encrypt: Generating new flash encryption key...
I (188) efuse: Writing EFUSE_BLK_KEY0 with purpose 4
W (194) flash_encrypt: Not disabling UART bootloader encryption
I (197) flash_encrypt: Disable UART bootloader cache...
I (203) flash_encrypt: Disable JTAG...
I (212) efuse: Batch mode. Prepared fields are committed
I (214) esp_image: segment 0: paddr=00000020 vaddr=3fcd0270 size=02598h (  9624)
I (223) esp_image: segment 1: paddr=000025c0 vaddr=403b6000 size=00878h (  2168)
I (230) esp_image: segment 2: paddr=00002e40 vaddr=403ba000 size=03dd4h ( 15828)
I (534) flash_encrypt: bootloader encrypted successfully
I (578) flash_encrypt: partition table encrypted and loaded successfully
I (578) flash_encrypt: Encrypting partition 1 at offset 0x10000 (length 0x1000)...
I (628) flash_encrypt: Done encrypting
I (629) esp_image: segment 0: paddr=00020020 vaddr=3c020020 size=08118h ( 33048) map
I (636) esp_image: segment 1: paddr=00028140 vaddr=3fc8fa30 size=023f4h (  9204)
I (640) esp_image: segment 2: paddr=0002a53c vaddr=40374000 size=05adch ( 23260)
I (651) esp_image: segment 3: paddr=00030020 vaddr=42000020 size=1a710h (108304) map
I (675) esp_image: segment 4: paddr=0004a738 vaddr=40379adc size=05f48h ( 24392)
I (679) esp_image: segment 5: paddr=00050688 vaddr=600fe000 size=00010h (    16)
I (680) flash_encrypt: Encrypting partition 2 at offset 0x20000 (length 0x100000)...
I (11571) flash_encrypt: Done encrypting
I (11571) flash_encrypt: Encrypting partition 3 at offset 0x120000 (length 0x1000)...
I (11617) flash_encrypt: Done encrypting
I (11618) flash_encrypt: Flash encryption completed
I (11623) boot: Resetting with flash encryption enabled...
```

It should be possible to recover the device by re-flashing all the binaries with the `--encrypt` flag.

But, in order to better assess the situation, can you please provide the following:

  1. Your `sdkconfig` file.
  2. The exact commands that you ran.
  3. The eFuse summary of your ESP32-S3 device obtained by running `espefuse.py summary --port (PORT)`
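
Added example (not code from this repository or from ESP-IDF): a small parser for the boot-log format quoted above that reports whether the encryption-on-first-boot sequence ran to completion, which partitions were left unfinished if it did not, and whether the device afterwards fell into the `invalid header` / watchdog-reset loop from the original report. It only pattern-matches the `flash_encrypt:` lines, the ROM `invalid header:` line and the `rst:` reset-reason line as they appear in this thread; both sample logs are constructed from those line formats (the interrupted one is hypothetical, trimmed to the relevant lines).

```python
"""Classify an ESP-IDF boot log capture: did flash encryption finish on first boot?

Added example for this issue; not project or ESP-IDF code. Matches only the
line formats visible in the thread (assumption: the log was captured as-is).
"""
import re

RE_START = re.compile(r"flash_encrypt: Generating new flash encryption key")
RE_PART = re.compile(r"flash_encrypt: Encrypting partition (\d+) at offset "
                     r"(0x[0-9a-fA-F]+) \(length (0x[0-9a-fA-F]+)\)")
RE_DONE = re.compile(r"flash_encrypt: Done encrypting")
RE_COMPLETE = re.compile(r"flash_encrypt: Flash encryption completed")
RE_BAD_HDR = re.compile(r"invalid header: 0x[0-9a-fA-F]+")
RE_RESET = re.compile(r"rst:0x[0-9a-fA-F]+ \(([A-Z0-9_]+)\)")


def analyze_boot_log(text: str) -> dict:
    """Summarise the first-boot encryption sequence and any boot loop that followed."""
    partitions = []            # one dict per "Encrypting partition" line
    pending = None             # partition whose "Done encrypting" has not been seen
    report = {"started": False, "completed": False, "partitions": partitions,
              "invalid_header_count": 0, "resets": []}
    for line in text.splitlines():
        if RE_START.search(line):
            report["started"] = True
        elif (m := RE_PART.search(line)):
            pending = {"index": int(m.group(1)), "offset": int(m.group(2), 16),
                       "length": int(m.group(3), 16), "done": False}
            partitions.append(pending)
        elif RE_DONE.search(line) and pending is not None:
            pending["done"] = True
            pending = None
        elif RE_COMPLETE.search(line):
            report["completed"] = True
        elif RE_BAD_HDR.search(line):
            report["invalid_header_count"] += 1
        elif (m := RE_RESET.search(line)):
            report["resets"].append(m.group(1))
    # Started but never reached "Flash encryption completed": power was cut or the
    # device was reset mid-way, which is the situation described in this comment.
    report["interrupted"] = report["started"] and not report["completed"]
    report["unfinished_partitions"] = [p["index"] for p in partitions if not p["done"]]
    return report


# Constructed from the line formats quoted in this thread; trimmed to relevant lines.
LOG_OK = """\
I (179) flash_encrypt: Generating new flash encryption key...
I (534) flash_encrypt: bootloader encrypted successfully
I (578) flash_encrypt: Encrypting partition 1 at offset 0x10000 (length 0x1000)...
I (628) flash_encrypt: Done encrypting
I (680) flash_encrypt: Encrypting partition 2 at offset 0x20000 (length 0x100000)...
I (11571) flash_encrypt: Done encrypting
I (11571) flash_encrypt: Encrypting partition 3 at offset 0x120000 (length 0x1000)...
I (11617) flash_encrypt: Done encrypting
I (11618) flash_encrypt: Flash encryption completed
I (11623) boot: Resetting with flash encryption enabled...
"""

# Hypothetical capture: reset while partition 2 was still being encrypted.
LOG_INTERRUPTED = """\
I (179) flash_encrypt: Generating new flash encryption key...
I (534) flash_encrypt: bootloader encrypted successfully
I (578) flash_encrypt: Encrypting partition 1 at offset 0x10000 (length 0x1000)...
I (628) flash_encrypt: Done encrypting
I (680) flash_encrypt: Encrypting partition 2 at offset 0x20000 (length 0x100000)...
invalid header: 0x8b2289f0
invalid header: 0x8b2289f0
rst:0x7 (TG0WDT_SYS_RST),boot:0x2d (SPI_FAST_FLASH_BOOT)
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else LOG_INTERRUPTED
    print(analyze_boot_log(text))
```

Feed it a serial capture (`python boot_log.py capture.txt`); an `interrupted` result with non-empty `unfinished_partitions` is the case where re-flashing every binary with `--encrypt` is the recovery path.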

@GASEN1216 (Author) commented Oct 16, 2024

> So first you need to run `idf.py menuconfig` and set the appropriate flags for secure boot to be enabled. THEN, you need to build the bootloader with `idf.py bootloader`. After running `idf.py bootloader` you need to run the command it prints out with (PORT) and (BAUD) replaced with your port and baud rate. In our example, it shows the command below, but it will probably print out a slightly different command for you since you are on an S3. When you use secure boot, `idf.py flash` will not flash the bootloader. You need to manually do it using a command like the one below that it prints out when you run `idf.py bootloader`. At least that is my understanding. I hope this helps.
>
> `C:/Users/user/.espressif/python_env/idf4.4_py3.8_env/Scripts/python.exe C:/Users/user/Desktop/esp-idf-6/components/esptool_py/esptool/esptool.py --chip esp32c3 --port=(PORT) --baud=(BAUD) --before=default_reset --after=no_reset --no-stub write_flash --flash_mode dio --flash_freq 80m --flash_size 4MB 0x0 C:/FreeRTOS-Repositories/lab-iot-reference-esp32c3/build/bootloader/bootloader.bin`

Hi @jasonpcarroll ,
Thank you very much for your help. I also flashed manually before, but I only ran the second command line under "Secure boot enabled, so bootloader not flashed automatically." This time I tried signing the bootloader first and then flashing it manually, and the chip worked.

@jasonpcarroll (Member) commented Oct 17, 2024

Awesome! Just to be clear, was there any discrepancy in the documentation?

@GASEN1216 (Author)

> Awesome! Just to be clear, was there any discrepancy in the documentation?

The documentation is correct. I don't know if I misunderstood it, but when I first read it I thought it was only the second block that needed to be run. It would be nice if you could add a reminder to the documentation to remind people not to miss the first block.
