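[ESP32 v3.1] Flash Encryption (Development) + Secure Boot V2 + NVS Encryption with esptool
Complete procedure for enabling flash encryption, Secure Boot, and NVS encryption on ESP32 ECO4 (v3.1) with esptool commands
Note:
Enabling Secure Boot V2 + flash encryption with this procedure requires an ESP32 ECO4 (v3.1) chip. An ESP32 ECO3 (v3.0) chip does not support this feature. For details, see the announcement: Security Advisory on the Hardware AES Core and Firmware Encryption Vulnerability in ESP32 Chip Revision v3.0.
- You can read the chip revision by clicking "Chip Info" on the chipInfoDump page of the Flash Download Tool, as shown below:
- If the chip revision is not supported, the firmware will not boot properly, as shown below:

An ESP32 ECO4 (v3.1) chip must be used
1. Testing is based on the esp-idf/examples/wifi/getting_started/station example
The partition table is set as follows: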
# Name, Type, SubType, Offset, Size, Flags
# Note: if you have increased the bootloader size, make sure to update the offsets to avoid overlap
nvs, data, nvs, , 0x4000,
otadata, data, ota, , 0x2000,
phy_init, data, phy, , 0x1000,
nvs_key, data, nvs_keys, , 0x1000, encrypted,
ota_0, app, ota_0, , 1M,
ota_1, app, ota_1, , 1M,

2. Generate the keys
Reference documentation:
2.1 Generate the Secure Boot signing key
espsecure.py generate_signing_key secure_boot_signing_key.pem --version 2 --scheme rsa3072

2.2 Generate the digest of the Secure Boot public key
espsecure.py digest_rsa_public_key --keyfile secure_boot_signing_key.pem --output public_key_digest.bin


2.3 Generate the flash encryption key
espsecure.py generate_flash_encryption_key flash_encryption_key.bin


2.4 Generate the NVS key
python E:\esp2\Espressif\frameworks\esp-idf-master\esp-idf\components\nvs_flash\nvs_partition_generator\nvs_partition_gen.py generate-key --keyfile nvs_key.bin


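3. Software configuration:
- Flash size setting
The Flash Size setting must not be larger than the hardware flash size and must not be smaller than the total size of the partitions in the partition table.
→ Serial flasher config → Flash size
- Partition table setting:
Enabling flash encryption and Secure Boot makes the bootloader larger, so the partition table offset must be increased. See Bootloader Size.
→ Partition Table
- Chip revision setting:
Only ESP32 chips of a revision higher than ESP32 v3.0 support Secure Boot v2, so the minimum chip revision must be set to no lower than v3.0.
→ Component config → Hardware Settings → Chip revision → Minimum Supported ESP32 Revision
- Flash encryption, Secure Boot V2, and download mode settings
→ Security features
→ Security features → UART ROM download mode
- NVS encryption setting
→ Component config → NVS
4. Build the firmware
idf.py build
- Check the build log to get the flash address of each partition: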
Partition table binary generated. Contents:
*******************************************************************************
# ESP-IDF Partition Table
# Name, Type, SubType, Offset, Size, Flags
nvs,data,nvs,0xe000,16K,
otadata,data,ota,0x12000,8K,
phy_init,data,phy,0x14000,4K,
nvs_key,data,nvs_keys,0x15000,4K,encrypted
ota_0,app,ota_0,0x20000,1M,
ota_1,app,ota_1,0x120000,1M,
*******************************************************************************
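5. Firmware generated by the project build

6. Encrypt each signed firmware image with the flash encryption key
Note: run the encryption command on each bin file that needs to be flashed.
The firmware images that need to be encrypted are: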
0x1000 build\bootloader\bootloader.bin
0xd000 build\partition_table\partition-table.bin
0x12000 build\ota_data_initial.bin
0x20000 build\wifi_station.bin
0x15000 nvs_key.bin
The esptool commands for encrypting the firmware are as follows:
- Manually encrypt bootloader.bin
espsecure.py encrypt_flash_data --keyfile flash_encryption_key.bin --address 0x1000 --output encrypted_bootloader.bin build\bootloader\bootloader.bin
- Manually encrypt partition-table.bin
espsecure.py encrypt_flash_data --keyfile flash_encryption_key.bin --address 0xd000 --output encrypted_partition-table.bin build\partition_table\partition-table.bin
- Manually encrypt ota_data_initial.bin
espsecure.py encrypt_flash_data --keyfile flash_encryption_key.bin --address 0x12000 --output encrypted_ota_data_initial.bin build\ota_data_initial.bin
- Manually encrypt app.bin
espsecure.py encrypt_flash_data --keyfile flash_encryption_key.bin --address 0x20000 --output encrypted_wifi_station.bin build\wifi_station.bin
Because NVS encryption based on flash encryption is enabled, nvs_key.bin must also be encrypted with flash_encryption_key.bin
- Manually encrypt nvs_key.bin
espsecure.py encrypt_flash_data --keyfile flash_encryption_key.bin --address 0x15000 --output encrypted_nvs_key.bin nvs_key.bin

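If there is a custom cus_nvs partition, that partition is encrypted with nvs_key.bin. If the image for the custom cus_nvs partition has to be written together with the application firmware, use nvs_key.bin to encrypt the custom cus_nvs.bin.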
python E:\esp2\Espressif\frameworks\esp-idf-master\esp-idf\components\nvs_flash\nvs_partition_generator\nvs_partition_gen.py encrypt cus_nvs.csv encrypt_cus_nvs.bin 0x6000 --inputkey nvs_key.bin
7. Write the encrypted firmware to flash
0x1000 encrypted_bootloader.bin
0xd000 encrypted_partition-table.bin
0x12000 encrypted_ota_data_initial.bin
0x20000 encrypted_wifi_station.bin
0x15000 encrypted_nvs_key.bin
The esptool command is as follows:
esptool.py -p COM4 write_flash 0x1000 encrypted_bootloader.bin 0xd000 encrypted_partition-table.bin 0x12000 encrypted_ota_data_initial.bin 0x20000 encrypted_wifi_station.bin 0x15000 encrypted_nvs_key.bin
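
The address given to encrypt_flash_data has to be the address the image is later written to, and both have to agree with the partition table in the build log. The Python script below is an added example (not part of the original post or of esptool) that recomputes the blank offsets of the section 1 CSV and generates the commands of sections 6 and 7 from one address map. The table size, the alignment values and the flash_encrypted rule are assumptions chosen to reproduce the build log and ESP-IDF's documented flash encryption behaviour.

```python
# Added example: derive the flash map used in sections 4-7 and emit matching commands.
PARTITIONS_CSV = """\
nvs, data, nvs, , 0x4000,
otadata, data, ota, , 0x2000,
phy_init, data, phy, , 0x1000,
nvs_key, data, nvs_keys, , 0x1000, encrypted,
ota_0, app, ota_0, , 1M,
ota_1, app, ota_1, , 1M,
"""
TABLE_OFFSET = 0xD000            # partition-table.bin address used on this page
TABLE_SIZE = 0x1000              # assumption: the table occupies one 4 KB sector
ALIGN = {"app": 0x10000, "data": 0x1000}   # assumption: reproduces the build log
FLASH_SIZE = 4 * 1024 * 1024     # "SPI Flash Size : 4MB" in the boot log
# (target, plaintext image) in the order the page flashes them
IMAGES = [
    ("bootloader", r"build\bootloader\bootloader.bin"),
    ("partition-table", r"build\partition_table\partition-table.bin"),
    ("otadata", r"build\ota_data_initial.bin"),
    ("ota_0", r"build\wifi_station.bin"),
    ("nvs_key", "nvs_key.bin"),
]


def parse_size(text):
    """Accept 0x4000, 16K or 1M as written in partition CSV files."""
    text = text.strip()
    unit = {"K": 1024, "M": 1024 * 1024}.get(text[-1].upper())
    return int(text[:-1], 0) * unit if unit else int(text, 0)


def assign_offsets(csv_text):
    """Fill in blank offsets the way the build log shows them."""
    cursor, rows = TABLE_OFFSET + TABLE_SIZE, {}
    for line in csv_text.splitlines():
        cols = [c.strip() for c in line.split("#")[0].split(",")]
        if len(cols) < 5:
            continue  # comment or blank line
        name, ptype, subtype, offset, size = cols[:5]
        align = ALIGN[ptype]
        start = int(offset, 0) if offset else -(-cursor // align) * align
        if start < cursor:
            raise ValueError(f"{name} overlaps the previous partition")
        cursor = start + parse_size(size)
        rows[name] = {"offset": start, "type": ptype, "subtype": subtype,
                      "flags": [f for f in cols[5:] if f]}
    if cursor > FLASH_SIZE:
        raise ValueError("partitions exceed the configured flash size")
    return rows


def flash_encrypted(row):
    """Assumption (ESP-IDF flash encryption rules): apps, otadata, nvs_keys and
    partitions flagged 'encrypted' are stored encrypted; plain nvs/phy are not."""
    return (row["type"] == "app" or row["subtype"] in ("ota", "nvs_keys")
            or "encrypted" in row["flags"])


def build_plan(port="COM4", keyfile="flash_encryption_key.bin"):
    """Return espsecure.py commands and one write_flash command sharing addresses."""
    parts = assign_offsets(PARTITIONS_CSV)
    fixed = {"bootloader": 0x1000, "partition-table": TABLE_OFFSET}
    encrypt, write = [], [f"esptool.py -p {port} write_flash"]
    for target, image in IMAGES:
        if target not in fixed and not flash_encrypted(parts[target]):
            raise ValueError(f"{target} is not a flash-encrypted partition")
        addr = fixed[target] if target in fixed else parts[target]["offset"]
        out = "encrypted_" + image.split("\\")[-1]
        encrypt.append(f"espsecure.py encrypt_flash_data --keyfile {keyfile} "
                       f"--address {addr:#x} --output {out} {image}")
        write.append(f"{addr:#x} {out}")
    return {"encrypt": encrypt, "write": " ".join(write)}


if __name__ == "__main__":
    plan = build_plan()
    print("\n".join(plan["encrypt"] + [plan["write"]]))
```

The nvs and phy_init partitions are absent from the plan because they are not flash-encrypted; nvs is protected by the NVS key instead.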

8. Write the keys to the chip's eFuse blocks
- You can first read the chip's eFuse information
E:\esp2\Espressif\frameworks\esp-idf-master\esp-idf\examples\wifi\getting_started\station>espefuse.py -p COM4 summary
espefuse.py v4.8.1
Connecting....
Detecting chip type... Unsupported detection protocol, switching and trying again...
Connecting......
Detecting chip type... ESP32
=== Run "summary" command ===
EFUSE_NAME (Block) Description = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Calibration fuses:
ADC_VREF (BLOCK0) True ADC reference voltage = 1156 R/W (0b01000)
Config fuses:
WR_DIS (BLOCK0) Efuse write disable mask = 0 R/W (0x0000)
RD_DIS (BLOCK0) Disable reading from BlOCK1-3 = 0 R/W (0x0)
DISABLE_APP_CPU (BLOCK0) Disables APP CPU = False R/W (0b0)
DISABLE_BT (BLOCK0) Disables Bluetooth = False R/W (0b0)
DIS_CACHE (BLOCK0) Disables cache = False R/W (0b0)
CHIP_CPU_FREQ_LOW (BLOCK0) If set alongside EFUSE_RD_CHIP_CPU_FREQ_RATED; the = False R/W (0b0)
ESP32's max CPU frequency is rated for 160MHz. 24
0MHz otherwise
CHIP_CPU_FREQ_RATED (BLOCK0) If set; the ESP32's maximum CPU frequency has been = True R/W (0b1)
rated
BLK3_PART_RESERVE (BLOCK0) BLOCK3 partially served for ADC calibration data = False R/W (0b0)
CLK8M_FREQ (BLOCK0) 8MHz clock freq override = 55 R/W (0x37)
VOL_LEVEL_HP_INV (BLOCK0) This field stores the voltage level for CPU to run = 0 R/W (0b00)
at 240 MHz; or for flash/PSRAM to run at 80 MHz.0
x0: level 7; 0x1: level 6; 0x2: level 5; 0x3: leve
l 4. (RO)
CODING_SCHEME (BLOCK0) Efuse variable block length scheme
= NONE (BLK1-3 len=256 bits) R/W (0b00)
CONSOLE_DEBUG_DISABLE (BLOCK0) Disable ROM BASIC interpreter fallback = True R/W (0b1)
DISABLE_SDIO_HOST (BLOCK0) = False R/W (0b0)
DISABLE_DL_CACHE (BLOCK0) Disable flash cache in UART bootloader = False R/W (0b0)
Flash fuses:
FLASH_CRYPT_CNT (BLOCK0) Flash encryption is enabled if this field has an o = 0 R/W (0b0000000)
dd number of bits set
FLASH_CRYPT_CONFIG (BLOCK0) Flash encryption config (key tweak bits) = 0 R/W (0x0)
Identity fuses:
CHIP_PACKAGE_4BIT (BLOCK0) Chip package identifier #4bit = False R/W (0b0)
CHIP_PACKAGE (BLOCK0) Chip package identifier = 1 R/W (0b001)
CHIP_VER_REV1 (BLOCK0) bit is set to 1 for rev1 silicon = True R/W (0b1)
CHIP_VER_REV2 (BLOCK0) = True R/W (0b1)
WAFER_VERSION_MINOR (BLOCK0) = 1 R/W (0b01)
WAFER_VERSION_MAJOR (BLOCK0) calc WAFER VERSION MAJOR from CHIP_VER_REV1 and CH = 3 R/W (0b011)
IP_VER_REV2 and apb_ctl_date (read only)
PKG_VERSION (BLOCK0) calc Chip package = CHIP_PACKAGE_4BIT << 3 + CHIP_ = 1 R/W (0x1)
PACKAGE (read only)
Jtag fuses:
JTAG_DISABLE (BLOCK0) Disable JTAG = False R/W (0b0)
Mac fuses:
MAC (BLOCK0) MAC address
= 04:83:08:62:9b:c4 (CRC 0xe4 OK) R/W
MAC_CRC (BLOCK0) CRC8 for MAC address = 228 R/W (0xe4)
MAC_VERSION (BLOCK3) Version of the MAC field = 0 R/W (0x00)
Security fuses:
UART_DOWNLOAD_DIS (BLOCK0) Disable UART download mode. Valid for ESP32 V3 and = False R/W (0b0)
newer; only
ABS_DONE_0 (BLOCK0) Secure boot V1 is enabled for bootloader image = False R/W (0b0)
ABS_DONE_1 (BLOCK0) Secure boot V2 is enabled for bootloader image = False R/W (0b0)
DISABLE_DL_ENCRYPT (BLOCK0) Disable flash encryption in UART bootloader = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0) Disable flash decryption in UART bootloader = False R/W (0b0)
KEY_STATUS (BLOCK0) Usage of efuse block 3 (reserved) = False R/W (0b0)
SECURE_VERSION (BLOCK3) Secure version for anti-rollback = 0 R/W (0x00000000)
BLOCK1 (BLOCK1) Flash encryption key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK2 (BLOCK2) Security boot key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK3 (BLOCK3) Variable Block 3
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
Spi Pad fuses:
SPI_PAD_CONFIG_HD (BLOCK0) read for SPI_pad_config_hd = 0 R/W (0b00000)
SPI_PAD_CONFIG_CLK (BLOCK0) Override SD_CLK pad (GPIO6/SPICLK) = 0 R/W (0b00000)
SPI_PAD_CONFIG_Q (BLOCK0) Override SD_DATA_0 pad (GPIO7/SPIQ) = 0 R/W (0b00000)
SPI_PAD_CONFIG_D (BLOCK0) Override SD_DATA_1 pad (GPIO8/SPID) = 0 R/W (0b00000)
SPI_PAD_CONFIG_CS0 (BLOCK0) Override SD_CMD pad (GPIO11/SPICS0) = 0 R/W (0b00000)
Vdd fuses:
XPD_SDIO_REG (BLOCK0) read for XPD_SDIO_REG = False R/W (0b0)
XPD_SDIO_TIEH (BLOCK0) If XPD_SDIO_FORCE & XPD_SDIO_REG = 1.8V R/W (0b0)
XPD_SDIO_FORCE (BLOCK0) Ignore MTDI pin (GPIO12) for VDD_SDIO on reset = False R/W (0b0)
Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V)
You can also use the following command to view the usage of the burn_key command:
E:\esp2\Espressif\frameworks\esp-idf-master\esp-idf\examples\wifi\getting_started\station>espefuse.py -p COM4 burn_key --help
espefuse.py v4.8.1
usage: __main__.py burn_key [-h] [--no-protect-key] [--force-write-always] [--show-sensitive-info]
{BLOCK1,flash_encryption,BLOCK2,secure_boot_v1,secure_boot_v2,BLOCK3} keyfile [BLOCK] [KEYFILE] [BLOCK] [KEYFILE] [BLOCK]
[KEYFILE] [BLOCK] [KEYFILE] [BLOCK] [KEYFILE] [BLOCK] [KEYFILE]
positional arguments:
{BLOCK1,flash_encryption,BLOCK2,secure_boot_v1,secure_boot_v2,BLOCK3}
Key block to burn. "flash_encryption" (block1), "secure_boot_v1" (block2), "secure_boot_v2" (block2)
keyfile File containing 256 bits of binary key data
BLOCK Key block to burn. "flash_encryption" (block1), "secure_boot_v1" (block2), "secure_boot_v2" (block2)
KEYFILE File containing 256 bits of binary key data
BLOCK Key block to burn. "flash_encryption" (block1), "secure_boot_v1" (block2), "secure_boot_v2" (block2)
KEYFILE File containing 256 bits of binary key data
BLOCK Key block to burn. "flash_encryption" (block1), "secure_boot_v1" (block2), "secure_boot_v2" (block2)
KEYFILE File containing 256 bits of binary key data
BLOCK Key block to burn. "flash_encryption" (block1), "secure_boot_v1" (block2), "secure_boot_v2" (block2)
KEYFILE File containing 256 bits of binary key data
BLOCK Key block to burn. "flash_encryption" (block1), "secure_boot_v1" (block2), "secure_boot_v2" (block2)
KEYFILE File containing 256 bits of binary key data
BLOCK Key block to burn. "flash_encryption" (block1), "secure_boot_v1" (block2), "secure_boot_v2" (block2)
KEYFILE File containing 256 bits of binary key data
optional arguments:
-h, --help show this help message and exit
--no-protect-key Disable default read- and write-protecting of the key. If this option is not set, once the key is flashed it cannot be read
back or changed.
--force-write-always Write the efuse even if it looks like it's already been written, or is write protected. Note that this option can't disable
write protection, or clear any bit which has already been set.
--show-sensitive-info
Show data to be burned (may expose sensitive data). Enabled if --debug is used.
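The information above shows that flash_encryption.bin is written to BLOCK1 by default and public_key_digest.bin is written to BLOCK2 by default.
- Write the Secure Boot V2 public key digest to BLOCK2 of the eFuse
- Write the flash encryption key to BLOCK1 of the eFuse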
espefuse.py -p COM4 --do-not-confirm burn_key flash_encryption flash_encryption_key.bin secure_boot_v2 public_key_digest.bin


9. Burn the individual eFuse bits according to the software configuration
espefuse.py -p COM4 --do-not-confirm burn_efuse DISABLE_DL_ENCRYPT 0x1 DISABLE_DL_DECRYPT 0x1 DISABLE_DL_CACHE 0x1 JTAG_DISABLE 0x1 FLASH_CRYPT_CONFIG 0xF ABS_DONE_1 0x1 FLASH_CRYPT_CNT 0x1
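- DISABLE_DL_ENCRYPT: disables encryption access from the UART bootloader. (Setting this to 1 is not mandatory.)
- DISABLE_DL_DECRYPT: disables decryption access from the UART bootloader. (Setting this to 1 is not mandatory.)
- DISABLE_DL_CACHE: disables flash cache access from the UART bootloader. (Setting this to 1 is not mandatory.)
- ABS_DONE_1: the eFuse bit that enables Secure Boot V2. If Secure Boot V1 is used, write ABS_DONE_0 to 1 instead.
- JTAG_DISABLE: disables JTAG debugging. By default, when flash encryption is enabled (development or release mode), JTAG debugging is disabled through eFuse. The bootloader does this on first boot, at the same time as it enables flash encryption.
- FLASH_CRYPT_CNT: a 2^n number that indicates whether the flash contents have been encrypted. For details, see: eFuses used in the flash encryption process.
  - If an odd number of bits is set (for example 0b0000001 or 0b0000111), the flash contents are encrypted and are transparently decrypted when read.
  - If an even number of bits is set (for example 0b0000000 or 0b0000011), the flash contents are not encrypted (plaintext).
- FLASH_CRYPT_CONFIG: determines how many bits of the flash encryption key are "tweaked" with the block offset. This eFuse has 4 bits, and each bit XORs a specific range of key bits. For details, see Flash Encryption Algorithm. Bit 1 XORs key bits 0-66. Bit 2 XORs key bits 67-131. Bit 3 XORs key bits 132-194. Bit 4 XORs key bits 195-256.
It is recommended to always leave FLASH_CRYPT_CONFIG at its default value 0xF, so that all key bits are XORed with the block offset. For details, see Setting FLASH_CRYPT_CONFIG.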

10. Reboot the device and check the firmware boot log
E:\esp2\Espressif\frameworks\esp-idf-master\esp-idf\examples\wifi\getting_started\station>idf.py -p COM4 monitor
Executing action: monitor
Running idf_monitor in directory E:\esp2\Espressif\frameworks\esp-idf-master\esp-idf\examples\wifi\getting_started\station
Executing "E:\esp2\Espressif\python_env\idf5.4_py3.9_env\Scripts\python.exe E:\esp2\Espressif\frameworks\esp-idf-master\esp-idf\tools/idf_monitor.py -p COM4 -b 115200 --toolchain-prefix xtensa-esp32-elf- --target esp32 --revision 300 E:\esp2\Espressif\frameworks\esp-idf-master\esp-idf\examples\wifi\getting_started\station\build\wifi_station.elf --force-color -m 'E:\esp2\Espressif\python_env\idf5.4_py3.9_env\Scripts\python.exe' 'E:\esp2\Espressif\frameworks\esp-idf-master\esp-idf\tools\idf.py' '-p' 'COM4'"...
--- Warning: GDB cannot open serial ports accessed as COMx
--- Using \\.\COM4 instead...
--- esp-idf-monitor 1.6.2 on \\.\COM4 115200
--- Quit: Ctrl+] | Menu: Ctrl+T | Help: Ctrl+T followed by Ctrl+H
ets Jul 29 2019 12:21:46
rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:2, clock div:2
secure boot v2 enabled
secure boot verification succeeded
load:0x3fff00c0 len:0x34a8
load:0x40078000 len:0x63a0
load:0x40080400 len:0x4
--- 0x40080400: _init at ??:?
load:0x40080404 len:0xf14
entry 0x4008063c
I (59) boot: ESP-IDF v5.4-dev-3602-ga97a7b0962-dirty 2nd stage bootloader
I (59) boot: compile time Apr 27 2025 11:07:10
I (59) boot: Multicore bootloader
I (63) boot: chip revision: v3.1
I (65) boot.esp32: SPI Speed : 40MHz
I (69) boot.esp32: SPI Mode : DIO
I (73) boot.esp32: SPI Flash Size : 4MB
I (76) boot: Enabling RNG early entropy source...
I (81) boot: Partition Table:
I (83) boot: ## Label Usage Type ST Offset Length
I (90) boot: 0 nvs WiFi data 01 02 0000e000 00004000
I (96) boot: 1 otadata OTA data 01 00 00012000 00002000
I (103) boot: 2 phy_init RF data 01 01 00014000 00001000
I (109) boot: 3 nvs_key NVS keys 01 04 00015000 00001000
I (116) boot: 4 ota_0 OTA app 00 10 00020000 00100000
I (122) boot: 5 ota_1 OTA app 00 11 00120000 00100000
I (129) boot: End of partition table
I (132) esp_image: segment 0: paddr=00020020 vaddr=3f400020 size=1eb40h (125760) map
I (185) esp_image: segment 1: paddr=0003eb68 vaddr=3ff80000 size=00018h ( 24) load
I (185) esp_image: segment 2: paddr=0003eb88 vaddr=3ffb0000 size=01490h ( 5264) load
I (191) esp_image: segment 3: paddr=00040020 vaddr=400d0020 size=79bd0h (498640) map
I (374) esp_image: segment 4: paddr=000b9bf8 vaddr=3ffb1490 size=02998h ( 10648) load
I (379) esp_image: segment 5: paddr=000bc598 vaddr=40080000 size=173cch ( 95180) load
I (417) esp_image: segment 6: paddr=000d396c vaddr=00000000 size=0c664h ( 50788)
I (436) esp_image: Verifying image signature...
I (436) secure_boot_v2: Verifying with RSA-PSS...
I (441) secure_boot_v2: Signature verified successfully!
I (452) boot: Loaded app from partition at offset 0x20000
I (453) secure_boot_v2: enabling secure boot v2...
I (453) secure_boot_v2: secure boot v2 is already enabled, continuing..
I (457) boot: Checking flash encryption...
I (461) flash_encrypt: flash encryption is enabled (3 plaintext flashes left)
I (468) boot: Disabling RNG early entropy source...
I (485) cpu_start: Multicore app
I (493) cpu_start: Pro cpu start user code
I (493) cpu_start: cpu freq: 160000000 Hz
I (493) app_init: Application information:
I (493) app_init: Project name: wifi_station
I (497) app_init: App version: v5.4-dev-3602-ga97a7b0962-dirty
I (503) app_init: Compile time: Apr 27 2025 11:05:56
I (508) app_init: ELF file SHA256: 2a749f442...
I (513) app_init: ESP-IDF: v5.4-dev-3602-ga97a7b0962-dirty
I (519) efuse_init: Min chip rev: v3.0
I (523) efuse_init: Max chip rev: v3.99
I (527) efuse_init: Chip rev: v3.1
I (531) heap_init: Initializing. RAM available for dynamic allocation:
I (537) heap_init: At 3FFAE6E0 len 00001920 (6 KiB): DRAM
I (542) heap_init: At 3FFB80C0 len 00027F40 (159 KiB): DRAM
I (547) heap_init: At 3FFE0440 len 00003AE0 (14 KiB): D/IRAM
I (552) heap_init: At 3FFE4350 len 0001BCB0 (111 KiB): D/IRAM
I (558) heap_init: At 400973CC len 00008C34 (35 KiB): IRAM
I (565) spi_flash: detected chip: generic
I (567) spi_flash: flash io: dio
W (570) flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)
I (577) nvs_sec_provider: NVS Encryption - Registering Flash encryption-based scheme...
I (586) main_task: Started on CPU0
I (596) main_task: Calling app_main()
I (626) nvs: NVS partition "nvs" is encrypted.
I (626) wifi station: ESP_WIFI_MODE_STA
I (636) wifi:wifi driver task: 3ffc0238, prio:23, stack:6656, core=0
I (646) wifi:wifi firmware version: 0a80d45
I (646) wifi:wifi certification version: v7.0
I (646) wifi:config NVS flash: enabled
I (646) wifi:config nano formatting: disabled
I (656) wifi:Init data frame dynamic rx buffer num: 32
I (656) wifi:Init static rx mgmt buffer num: 5
I (666) wifi:Init management short buffer num: 32
I (666) wifi:Init dynamic tx buffer num: 32
I (676) wifi:Init static rx buffer size: 1600
I (676) wifi:Init static rx buffer num: 10
I (676) wifi:Init dynamic rx buffer num: 32
I (686) wifi_init: rx ba win: 6
I (686) wifi_init: accept mbox: 6
I (686) wifi_init: tcpip mbox: 32
I (696) wifi_init: udp mbox: 6
I (696) wifi_init: tcp mbox: 6
I (696) wifi_init: tcp tx win: 5760
I (696) wifi_init: tcp rx win: 5760
I (706) wifi_init: tcp mss: 1440
I (706) wifi_init: WiFi IRAM OP enabled
I (706) wifi_init: WiFi RX IRAM OP enabled
I (716) phy_init: phy_version 4840,02e0d70,Sep 2 2024,19:39:07
I (806) wifi:mode : sta (04:83:08:62:9b:c4)
I (806) wifi:enable tsf
I (806) wifi station: wifi_init_sta finished.
I (826) wifi:new:<1,1>, old:<1,0>, ap:<255,255>, sta:<1,1>, prof:1, snd_ch_cfg:0x0
I (826) wifi:state: init -> auth (0xb0)
I (866) wifi:state: auth -> assoc (0x0)
I (876) wifi:state: assoc -> run (0x10)
I (1136) wifi:connected with cc2.4, aid = 1, channel 1, 40U, bssid = 7c:b5:9b:6b:d6:c2
I (1136) wifi:security: WPA2-PSK, phy: bgn, rssi: -29
I (1146) wifi:pm start, type: 1
I (1146) wifi:dp: 1, bi: 102400, li: 3, scale listen interval from 307200 us to 307200 us
I (1176) wifi:AP's beacon interval = 102400 us, DTIM period = 1
I (1186) wifi:<ba-add>idx:0 (ifx:0, 7c:b5:9b:6b:d6:c2), tid:0, ssn:3, winSize:64
I (2186) esp_netif_handlers: sta ip: 192.168.1.100, mask: 255.255.255.0, gw: 192.168.1.1
I (2186) wifi station: got ip:192.168.1.100
I (2186) wifi station: connected to ap SSID:cc2.4 password:12345678
I (2186) main_task: Returned from app_main()
Because download mode has not been disabled, the chip's eFuse information can be read again to check it.
E:\esp2\Espressif\frameworks\esp-idf-master\esp-idf\examples\wifi\getting_started\station>espefuse.py -p COM4 summary
espefuse.py v4.8.1
Connecting....
Detecting chip type... Unsupported detection protocol, switching and trying again...
Connecting....
Detecting chip type... ESP32
=== Run "summary" command ===
EFUSE_NAME (Block) Description = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Calibration fuses:
ADC_VREF (BLOCK0) True ADC reference voltage = 1156 R/W (0b01000)
Config fuses:
WR_DIS (BLOCK0) Efuse write disable mask = 384 R/W (0x0180)
RD_DIS (BLOCK0) Disable reading from BlOCK1-3 = 1 R/W (0x1)
DISABLE_APP_CPU (BLOCK0) Disables APP CPU = False R/W (0b0)
DISABLE_BT (BLOCK0) Disables Bluetooth = False R/W (0b0)
DIS_CACHE (BLOCK0) Disables cache = False R/W (0b0)
CHIP_CPU_FREQ_LOW (BLOCK0) If set alongside EFUSE_RD_CHIP_CPU_FREQ_RATED; the = False R/W (0b0)
ESP32's max CPU frequency is rated for 160MHz. 24
0MHz otherwise
CHIP_CPU_FREQ_RATED (BLOCK0) If set; the ESP32's maximum CPU frequency has been = True R/W (0b1)
rated
BLK3_PART_RESERVE (BLOCK0) BLOCK3 partially served for ADC calibration data = False R/W (0b0)
CLK8M_FREQ (BLOCK0) 8MHz clock freq override = 55 R/W (0x37)
VOL_LEVEL_HP_INV (BLOCK0) This field stores the voltage level for CPU to run = 0 R/W (0b00)
at 240 MHz; or for flash/PSRAM to run at 80 MHz.0
x0: level 7; 0x1: level 6; 0x2: level 5; 0x3: leve
l 4. (RO)
CODING_SCHEME (BLOCK0) Efuse variable block length scheme
= NONE (BLK1-3 len=256 bits) R/W (0b00)
CONSOLE_DEBUG_DISABLE (BLOCK0) Disable ROM BASIC interpreter fallback = True R/W (0b1)
DISABLE_SDIO_HOST (BLOCK0) = False R/W (0b0)
DISABLE_DL_CACHE (BLOCK0) Disable flash cache in UART bootloader = True R/W (0b1)
Flash fuses:
FLASH_CRYPT_CNT (BLOCK0) Flash encryption is enabled if this field has an o = 1 R/W (0b0000001)
dd number of bits set
FLASH_CRYPT_CONFIG (BLOCK0) Flash encryption config (key tweak bits) = 15 R/W (0xf)
Identity fuses:
CHIP_PACKAGE_4BIT (BLOCK0) Chip package identifier #4bit = False R/W (0b0)
CHIP_PACKAGE (BLOCK0) Chip package identifier = 1 R/W (0b001)
CHIP_VER_REV1 (BLOCK0) bit is set to 1 for rev1 silicon = True R/W (0b1)
CHIP_VER_REV2 (BLOCK0) = True R/W (0b1)
WAFER_VERSION_MINOR (BLOCK0) = 1 R/W (0b01)
WAFER_VERSION_MAJOR (BLOCK0) calc WAFER VERSION MAJOR from CHIP_VER_REV1 and CH = 3 R/W (0b011)
IP_VER_REV2 and apb_ctl_date (read only)
PKG_VERSION (BLOCK0) calc Chip package = CHIP_PACKAGE_4BIT << 3 + CHIP_ = 1 R/W (0x1)
PACKAGE (read only)
Jtag fuses:
JTAG_DISABLE (BLOCK0) Disable JTAG = True R/W (0b1)
Mac fuses:
MAC (BLOCK0) MAC address
= 04:83:08:62:9b:c4 (CRC 0xe4 OK) R/W
MAC_CRC (BLOCK0) CRC8 for MAC address = 228 R/W (0xe4)
MAC_VERSION (BLOCK3) Version of the MAC field = 0 R/W (0x00)
Security fuses:
UART_DOWNLOAD_DIS (BLOCK0) Disable UART download mode. Valid for ESP32 V3 and = False R/W (0b0)
newer; only
ABS_DONE_0 (BLOCK0) Secure boot V1 is enabled for bootloader image = False R/W (0b0)
ABS_DONE_1 (BLOCK0) Secure boot V2 is enabled for bootloader image = True R/W (0b1)
DISABLE_DL_ENCRYPT (BLOCK0) Disable flash encryption in UART bootloader = True R/W (0b1)
DISABLE_DL_DECRYPT (BLOCK0) Disable flash decryption in UART bootloader = True R/W (0b1)
KEY_STATUS (BLOCK0) Usage of efuse block 3 (reserved) = False R/W (0b0)
SECURE_VERSION (BLOCK3) Secure version for anti-rollback = 0 R/W (0x00000000)
BLOCK1 (BLOCK1) Flash encryption key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK2 (BLOCK2) Security boot key
= d1 26 33 6f b1 09 39 47 f4 c4 49 6a b0 96 1f 66 75 1a 4d 0a 55 be d7 e0 b6 67 d5 2a aa 82 73 6b R/-
BLOCK3 (BLOCK3) Variable Block 3
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
Spi Pad fuses:
SPI_PAD_CONFIG_HD (BLOCK0) read for SPI_pad_config_hd = 0 R/W (0b00000)
SPI_PAD_CONFIG_CLK (BLOCK0) Override SD_CLK pad (GPIO6/SPICLK) = 0 R/W (0b00000)
SPI_PAD_CONFIG_Q (BLOCK0) Override SD_DATA_0 pad (GPIO7/SPIQ) = 0 R/W (0b00000)
SPI_PAD_CONFIG_D (BLOCK0) Override SD_DATA_1 pad (GPIO8/SPID) = 0 R/W (0b00000)
SPI_PAD_CONFIG_CS0 (BLOCK0) Override SD_CMD pad (GPIO11/SPICS0) = 0 R/W (0b00000)
Vdd fuses:
XPD_SDIO_REG (BLOCK0) read for XPD_SDIO_REG = False R/W (0b0)
XPD_SDIO_TIEH (BLOCK0) If XPD_SDIO_FORCE & XPD_SDIO_REG = 1.8V R/W (0b0)
XPD_SDIO_FORCE (BLOCK0) Ignore MTDI pin (GPIO12) for VDD_SDIO on reset = False R/W (0b0)
Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V)
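
The fuse state in the summary above can be checked mechanically instead of by eye. This added Python example (not from the original post or from espefuse.py) parses summary text and reports deviations from what sections 8 and 9 burned. The sample lines are abridged from the output above with placeholder key bytes, and the "plaintext reflashes left" formula is an assumption that matches the value 3 in the boot log.

```python
import re

# Abridged from the post-burn summary on this page; key bytes are placeholders.
SAMPLE_SUMMARY = """\
DISABLE_DL_CACHE (BLOCK0) Disable flash cache in UART bootloader = True R/W (0b1)
FLASH_CRYPT_CNT (BLOCK0) Flash encryption is enabled if this field has an o = 1 R/W (0b0000001)
dd number of bits set
FLASH_CRYPT_CONFIG (BLOCK0) Flash encryption config (key tweak bits) = 15 R/W (0xf)
JTAG_DISABLE (BLOCK0) Disable JTAG = True R/W (0b1)
UART_DOWNLOAD_DIS (BLOCK0) Disable UART download mode. Valid for ESP32 V3 and = False R/W (0b0)
newer; only
ABS_DONE_1 (BLOCK0) Secure boot V2 is enabled for bootloader image = True R/W (0b1)
DISABLE_DL_ENCRYPT (BLOCK0) Disable flash encryption in UART bootloader = True R/W (0b1)
DISABLE_DL_DECRYPT (BLOCK0) Disable flash decryption in UART bootloader = True R/W (0b1)
BLOCK1 (BLOCK1) Flash encryption key
= ?? ?? ?? ?? -/-
BLOCK2 (BLOCK2) Security boot key
= 00 11 22 33 R/-
"""

FIELD = re.compile(r"^(\w+) +\(BLOCK\d\).*= +\S+ +([R-]/[W-]) +\((0[bx][0-9a-fA-F]+)\)\s*$")
KEY_HDR = re.compile(r"^(BLOCK\d) +\(BLOCK\d\)")
KEY_VAL = re.compile(r"^\s*=.* ([R-]/[W-])\s*$")
# Development mode on this page leaves UART_DOWNLOAD_DIS clear; it is reported.
MUST_BE_SET = ("ABS_DONE_1", "JTAG_DISABLE", "DISABLE_DL_ENCRYPT",
               "DISABLE_DL_DECRYPT", "DISABLE_DL_CACHE", "UART_DOWNLOAD_DIS")
CRYPT_CNT_BITS = 7  # width of FLASH_CRYPT_CNT as printed (0b0000001)


def parse_summary(text):
    """Map fuse name -> {'raw': int or None, 'access': readable/writeable flags}."""
    fields, pending = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = {"raw": int(m.group(3), 0), "access": m.group(2)}
            pending = None
        elif KEY_HDR.match(line):
            pending = KEY_HDR.match(line).group(1)   # value follows on the next line
        else:
            v = KEY_VAL.match(line)
            if v and pending:
                fields[pending] = {"raw": None, "access": v.group(1)}
            pending = None
    return fields


def audit(fields):
    """Return human-readable deviations from the configuration on this page."""
    needed = MUST_BE_SET + ("FLASH_CRYPT_CNT", "FLASH_CRYPT_CONFIG", "BLOCK1", "BLOCK2")
    missing = [n for n in needed if n not in fields]
    if missing:
        return ["not found in summary: " + ", ".join(missing)]
    findings = []
    ones = bin(fields["FLASH_CRYPT_CNT"]["raw"]).count("1")
    if ones % 2 == 0:
        findings.append("FLASH_CRYPT_CNT has an even bit count: flash is read as plaintext")
    elif "W" in fields["FLASH_CRYPT_CNT"]["access"]:
        left = (CRYPT_CNT_BITS - ones) // 2   # assumption, matches the boot log
        findings.append(f"FLASH_CRYPT_CNT still writable: {left} plaintext reflashes left")
    if fields["FLASH_CRYPT_CONFIG"]["raw"] != 0xF:
        findings.append("FLASH_CRYPT_CONFIG is not 0xF")
    findings += [f"{n} is not set" for n in MUST_BE_SET if fields[n]["raw"] != 1]
    if fields["BLOCK1"]["access"] != "-/-":
        findings.append("BLOCK1 (flash encryption key) is not read- and write-protected")
    if "W" in fields["BLOCK2"]["access"]:
        findings.append("BLOCK2 (Secure Boot digest) is still writable")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_summary(SAMPLE_SUMMARY)):
        print("FINDING:", finding)
```

On the sample, the two findings correspond to the "3 plaintext flashes left" and "Flash encryption mode is DEVELOPMENT (not secure)" lines in the boot log of section 10.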
[Notes]
esptool.py -p COM4 write_flash --force 0x1000 encrypted_bootloader.bin 0xd000 encrypted_partition-table.bin 0x12000 encrypted_ota_data_initial.bin 0x20000 encrypted_wifi_station.bin 0x15000 encrypted_nvs_key.bin

esptool.py -p COM4 write_flash --encrypt --force 0x1000 build\bootloader\bootloader.bin 0xd000 build\partition_table\partition-table.bin 0x12000 build\ota_data_initial.bin 0x20000 build\wifi_station.bin 0x15000 nvs_key.bin
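If DISABLE_DL_ENCRYPT (disable encryption access from the UART bootloader) has been set to 1, re-flashing plaintext firmware with the command above fails with the following error: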