Flash Encryption + SSL server

lucaste
Posts: 3
Joined: Thu May 15, 2025 8:54 am

Flash Encryption + SSL server

Postby lucaste » Thu May 15, 2025 9:24 am

Hello,

I am using an ESP32-C3-DevKitM-1 board which features an ESP32-C3-MINI-1U module.
I downloaded the AT command firmware from GitHub and used the idf.py script to configure and install it, following the procedure described here:
https://docs.espressif.com/projects/esp ... partitions
to enable flash encryption.

The procedure completes successfully, and by sending the AT+GMR command I get the following result:

AT version:3.5.0.0-dev(2a11c83 - ESP32C3 - May 8 2025 11:26:22)
SDK version:v5.4.1-643-g8ad0d3d8f2-dirty
compile time(e0acd9b0):May 15 2025 09:17:04
Bin version:v4.1.0.0-dev(MINI-1)

After that, I start an SSL server with CA disabled by sending the following commands:


AT+CWMODE=1  
*OK*

AT+CWJAP=<ssid>,<pass>  
*WIFI CONNECTED*  
*WIFI GOT IP*  
*OK*

AT+CIPSNTPCFG=1,0  
*OK*  
*+TIME_UPDATED*

AT+CIPMUX=1  
*OK*

AT+CIPSERVER=1,333,"SSL",0  
*OK*

When I open a connection from a PC using OpenSSL, I get the error shown here:


W (3758396) at-wifi: wifi disconnected, rc:8
ESP-ROM:esp32c3-api1-20210207
Build:Feb  7 2021
rst:0xc (RTC_SW_CPU_RST),boot:0xc (SPI_FAST_FLASH_BOOT)
Saved PC:0x40380806
SPIWP:0xee
mode:DIO, clock div:2
load:0x3fcd5990,len:0x27cc
load:0x403cc710,len:0xc18
load:0x403ce710,len:0x4b18
entry 0x403cc71a
I (47) boot: ESP-IDF v5.4.1-643-g8ad0d3d8f2-dirty 2nd stage bootloader
I (47) boot: compile time May 15 2025 09:16:43
I (47) boot: chip revision: v0.3
I (49) boot: efuse block revision: v1.1
I (53) boot.esp32c3: SPI Speed      : 40MHz
I (56) boot.esp32c3: SPI Mode       : DIO
I (60) boot.esp32c3: SPI Flash Size : 4MB
I (64) boot: Enabling RNG early entropy source...
I (68) boot: Partition Table:
I (71) boot: ## Label            Usage          Type ST Offset   Length
I (77) boot:  0 otadata          OTA data         01 00 0000d000 00002000
I (84) boot:  1 phy_init         RF data          01 01 0000f000 00001000
I (90) boot:  2 nvs              WiFi data        01 02 00010000 0000e000
I (97) boot:  3 at_customize     unknown          40 00 0001e000 00042000
I (103) boot:  4 ota_0            OTA app          00 10 00060000 001d0000
I (110) boot:  5 ota_1            OTA app          00 11 00230000 001d0000
I (117) boot: End of partition table
I (120) esp_image: segment 0: paddr=00060020 vaddr=3c170020 size=2be60h (179808) map
I (168) esp_image: segment 1: paddr=0008be88 vaddr=3fc99a00 size=04190h ( 16784) load
I (173) esp_image: segment 2: paddr=00090020 vaddr=42000020 size=16c1e0h (1491424) map
I (513) esp_image: segment 3: paddr=001fc208 vaddr=3fc9db90 size=000e0h (   224) load
I (513) esp_image: segment 4: paddr=001fc2f0 vaddr=40380000 size=19850h (104528) load
I (543) esp_image: segment 5: paddr=00215b48 vaddr=50000000 size=00200h (   512) load
I (544) esp_image: segment 6: paddr=00215d50 vaddr=50000200 size=0001ch (    28) load
I (554) boot: Loaded app from partition at offset 0x60000
I (555) boot: Checking flash encryption...
I (556) flash_encrypt: flash encryption is enabled (1 plaintext flashes left)
I (563) boot: Disabling RNG early entropy source...
I (1046) at-init: at param mode: 0
I (1134) at-uart: AT cmd port:uart1 tx:7 rx:6 cts:5 rts:4 baudrate:115200
I (1136) at-init: v4.1.0.0-dev (unknown)
I (2339) at-wifi: negotiated phy mode: 4
W (23105) at-wifi: wifi disconnected, rc:8
I (24180) at-wifi: negotiated phy mode: 4
I (60599) at-net: cert_len=0
W (60600) at-net: close link: 0
I (60602) at-net: cert_len=0
W (60602) at-net: close link: 0
I (60603) at-net: cert_len=0
W (120531) at-net: close link: 0
I (120535) at-net: cert_len=0
W (120537) at-net: close link: 0
I (120541) at-net: cert_len=0
W (120543) at-net: close link: 0
I (120546) at-net: cert_len=0
W (120549) at-net: close link: 0
I (120552) at-net: cert_len=0
W (120554) at-net: close link: 0
I (120558) at-net: cert_len=0
W (120560) at-net: close link: 0
I (120563) at-net: cert_len=0
... more identical lines  ...
W (120565) at-net: close link: 0
I (120569) at-net: cert_len=0
W (120571) at-net: close link: 0
I (120575) at-net: cert_len=0
W (120577) at-net: close link: 0
I (120580) at-net: cert_len=0
W (120582) at-net: close link: 0
I (120586) at-net: cert_len=0
W (120588) at-net: close link: 0
I (120591) at-net: cert_len=0
W (120594) at-net: E (120595) task_wdt: Task watchdog got triggered. The following tasks/users did not reset the watchdog in time:
E (120595) task_wdt:  - IDLE (CPU 0)
E (120595) task_wdt: Tasks currently running:
E (120595) task_wdt: CPU 0: at_socket_task
E (120595) task_wdt: Aborting.


Core  0 register dump:
MEPC    : 0x42007364  RA      : 0x42007d6c  SP      : 0x3fcbed90  GP      : 0x3fc9a200  
TP      : 0x3fcbf120  T0      : 0x4005890e  T1      : 0x4200c4bc  T2      : 0x00000000  
S0/FP   : 0x00000013  S1      : 0x00000000  A0      : 0x00000000  A1      : 0x00000063  
A2      : 0x00000004  A3      : 0x60000000  A4      : 0x00000001  A5      : 0xe07f8000  
A6      : 0x42007cf8  A7      : 0x0000000a  S2      : 0x00000063  S3      : 0x00000021  
S4      : 0x3fca70dc  S5      : 0xffffffff  S6      : 0x0000000a  S7      : 0x00000025  
S8      : 0x00000001  S9      : 0x00000001  S10     : 0x00000000  S11     : 0x00000000  
T3      : 0x00000000  T4      : 0x00000000  T5      : 0x00000000  T6      : 0x00000000  
MSTATUS : 0x0000000a  MTVEC   : 0x3c1769ec  MCAUSE  : 0xffffffff  MTVAL   : 0x63007d2c  
MHARTID : 0x3fcbee98  

Stack memory:
3fcbed90: 0x0000000a 0x3c1769ec 0xffffffff 0x63007d2c 0x3fcbee98 0x3fcbf18c 0xffffffff 0x3fcbf18c
3fcbedb0: 0x00000021 0x3fca70dc 0x00000000 0x4200c6ec 0x00000004 0x3fca702c 0x3fcbee1c 0x3fcbf18c
3fcbedd0: 0x3fca70dc 0x3fca5bf8 0x00000021 0x4200ba00 0x00000021 0x3fca70dc 0x00000003 0x4200c6ec
3fcbedf0: 0x3fcbf18c 0x3fcbf18c 0x3fca702c 0x3fca70dc 0x00000021 0x3fcbf18c 0x3fca6e94 0x42158ce8
3fcbee10: 0x3fcbee5c 0x00000000 0x3fcbee90 0x0000000a 0x3fcbf18c 0x3fcbf18c 0x3fca6e94 0x42158d58
3fcbee30: 0x0000000a 0x0000000a 0x3fca6e94 0x42159cc6 0x3fca6e94 0x3fcbf18c 0x3fcbee90 0x3fca6e94
3fcbee50: 0x3fcbf18c 0x3fcbef52 0x3fcbef51 0x421622be 0x0000000a 0xffffffff 0x00000001 0x3fcbf18c
3fcbee70: 0x3fcbef51 0x3fca6e94 0x3fcbef52 0x421623c6 0x3fcbef5e 0x00000000 0x3fca731c 0x3fcbefb0
3fcbee90: 0x00000000 0xffffffff 0xffffffff 0x00000000 0x00000001 0x00000020 0x3f302064 0x00000000
3fcbeeb0: 0x00000001 0x0000001e 0x3f302064 0x0000000a 0x4038e1da 0x4038e26a 0x3fcbef40 0x3c1769ec
3fcbeed0: 0x0030efac 0x3fcbef30 0x3c176174 0x40393032 0x0030efac 0x3fcbef30 0x00000000 0x4216c186
3fcbeef0: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000057 0x3fcbef70 0x3c176174 0x3c1769ec
3fcbef10: 0x3fcbefac 0x3fcbef30 0x00000002 0x403930e8 0x00000032 0x00000002 0x3fcbefa0 0x4201014c
3fcbef30: 0x31282057 0x39353032 0x61202934 0x656e2d74 0x63203a74 0x65736f6c 0x6e696c20 0x25203a6b
3fcbef50: 0x63000a64 0x5f747265 0x3d6e656c 0x000a6425 0x00000004 0x3fcbf0d0 0x00000000 0x00000000
3fcbef70: 0x3fcbf0d0 0x3fcbefac 0x4957454e 0x42165644 0x00000000 0x00000000 0x00000000 0x00000000
3fcbef90: 0x00000000 0x3fc9a424 0x00000000 0x4202c760 0x00000000 0x00000000 0x00000000 0x00000000
3fcbefb0: 0x00000000 0x600c2000 0x60023000 0x0000000a 0x00000000 0x3fcbf0d0 0x00000004 0x00000000
3fcbefd0: 0x3fcbf020 0x00000033 0x00000032 0x420aeef2 0x3fcbf0d0 0x00000000 0x3fcab190 0x4038e3f0
3fcbeff0: 0x00000000 0x00000000 0x3fcab190 0x42169258 0x00000005 0x00000004 0x00000014 0x00000000
3fcbf010: 0x00000001 0x00001000 0x00000014 0x00000004 0x00000001 0x00000032 0x3fcbfe50 0x40391356
3fcbf030: 0x00000004 0x3fcbff88 0x3fca6830 0x40391304 0x3fcbfe50 0x3fcbff88 0x00000001 0x40380d0c
3fcbf050: 0x00000004 0x3fcbff88 0x00000001 0x40394324 0x00000004 0x3fcbff88 0x00000001 0x4200d1d4
3fcbf070: 0x00000000 0x00000000 0x00000000 0x3fcbf18c 0x00000000 0x00000000 0x00000000 0x00000000
3fcbf090: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
3fcbf0b0: 0x00000031 0x3fcbf0d8 0x00000000 0x4202c7d4 0x00000031 0x3fcbf0d8 0x00000000 0x4202db76
3fcbf0d0: 0x00000000 0x00040000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x4038e15e
3fcbf0f0: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
3fcbf110: 0x00000000 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5
3fcbf130: 0x00000150 0x3fcbed10 0x00000000 0x3fc9de7c 0x3fc9de7c 0x3fcbf134 0x3fc9de74 0x00000015
3fcbf150: 0x3fcbf384 0x3fcbf384 0x3fcbf134 0x00000000 0x00000004 0x3fcbd930 0x735f7461 0x656b636f
3fcbf170: 0x61745f74 0x00006b73 0x3fcbf120 0x00000004 0x00000002 0x3fcbf3b0 0x42006e5c 0x0000006d



ELF file SHA256: ec0bbd4d2

Rebooting...
ESP-ROM:esp32c3-api1-20210207
Build:Feb  7 2021
rst:0xc (RTC_SW_CPU_RST),boot:0xc (SPI_FAST_FLASH_BOOT)
Saved PC:0x40380806
SPIWP:0xee
mode:DIO, clock div:2
load:0x3fcd5990,len:0x27cc
load:0x403cc710,len:0xc18
load:0x403ce710,len:0x4b18
entry 0x403cc71a
I (47) boot: ESP-IDF v5.4.1-643-g8ad0d3d8f2-dirty 2nd stage bootloader
I (47) boot: compile time May 15 2025 09:16:43
I (47) boot: chip revision: v0.3
I (49) boot: efuse block revision: v1.1
I (53) boot.esp32c3: SPI Speed      : 40MHz
I (56) boot.esp32c3: SPI Mode       : DIO
I (60) boot.esp32c3: SPI Flash Size : 4MB
I (64) boot: Enabling RNG early entropy source...
I (68) boot: Partition Table:
I (71) boot: ## Label            Usage          Type ST Offset   Length
I (77) boot:  0 otadata          OTA data         01 00 0000d000 00002000
I (84) boot:  1 phy_init         RF data          01 01 0000f000 00001000
I (90) boot:  2 nvs              WiFi data        01 02 00010000 0000e000
I (97) boot:  3 at_customize     unknown          40 00 0001e000 00042000
I (103) boot:  4 ota_0            OTA app          00 10 00060000 001d0000
I (110) boot:  5 ota_1            OTA app          00 11 00230000 001d0000
I (117) boot: End of partition table
I (120) esp_image: segment 0: paddr=00060020 vaddr=3c170020 size=2be60h (179808) map
I (168) esp_image: segment 1: paddr=0008be88 vaddr=3fc99a00 size=04190h ( 16784) load
I (173) esp_image: segment 2: paddr=00090020 vaddr=42000020 size=16c1e0h (1491424) map
I (513) esp_image: segment 3: paddr=001fc208 vaddr=3fc9db90 size=000e0h (   224) load
I (513) esp_image: segment 4: paddr=001fc2f0 vaddr=40380000 size=19850h (104528) load
I (543) esp_image: segment 5: paddr=00215b48 vaddr=50000000 size=00200h (   512) load
I (544) esp_image: segment 6: paddr=00215d50 vaddr=50000200 size=0001ch (    28) load
I (554) boot: Loaded app from partition at offset 0x60000
I (555) boot: Checking flash encryption...
I (556) flash_encrypt: flash encryption is enabled (1 plaintext flashes left)
I (563) boot: Disabling RNG early entropy source...
I (1046) at-init: at param mode: 0
I (1139) at-uart: AT cmd port:uart1 tx:7 rx:6 cts:5 rts:4 baudrate:115200
I (1141) at-init: v4.1.0.0-dev (unknown)
I (2245) at-wifi: negotiated phy mode: 4

This issue did not occur before flash encryption was enabled.
My question is: do AT commands like the one used to create an SSL server support flash encryption?
What could I have done wrong?

Thank you for your attention, have a nice day.

esp-at
Espressif staff
Posts: 335
Joined: Mon May 09, 2022 3:00 am

Re: Flash Encryption + SSL server

Postby esp-at » Fri May 23, 2025 9:07 am

It seems that AT read an invalid client certificate (cert_len=0).
What if you send the command:
AT+SYSMFG=1,"client_cert","client_cert.0"

This issue should be an unmatched encrypt/decrypt issue.
This client certificate is stored in an nvs partition (name: mfg_nvs). READ and WRITE via https://github.com/espressif/esp-at/blo ... #L133-L140.

I'm not sure if you encrypted this binary (build/customized_partitions/mfg_nvs.bin).
Could you please enable more debug logs to see what happened, especially in the nvs read/write part?

lucaste
Posts: 3
Joined: Thu May 15, 2025 8:54 am

Re: Flash Encryption + SSL server

Postby lucaste » Tue May 27, 2025 1:06 pm

Hi,
if I send the command:
AT+SYSMFG=1,"client_cert","client_cert.0"
the module responds:
ERROR.

I took a new ESP32-C3-DevKitM-1 board and retried the steps documented here: https://docs.espressif.com/projects/esp ... partitions.

Everything works correctly until I re-flash the updated partitions:
if I use the

idf.py encrypted-app-flash monitor

command, everything works correctly, whereas if I use

idf.py encrypted-flash monitor

I get the issue mentioned in the post.

esp-at
Espressif staff
Posts: 335
Joined: Mon May 09, 2022 3:00 am

Re: Flash Encryption + SSL server

Postby esp-at » Mon Jun 09, 2025 12:05 pm

1. You can override the following APIs to implement some encrypted nvs key-values, such as certificates and keys, CA, etc.
https://github.com/espressif/esp-at/blo ... #L123-L141

2. You can override more nvs APIs to redefine the function. Refer to this example for more details:
https://github.com/espressif/esp-idf/tr ... m/wrappers

Something like:
target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=nvs_set_blob")
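A sketch of the linker wrapping the reply refers to, added here as an example (not esp-at's or ESP-IDF's code): it assumes the build passes -Wl,--wrap for both nvs_set_blob and nvs_get_blob, uses in-memory stand-ins for the __real_* functions so it runs off-device, and marks the byte transform as a placeholder for a real cipher.

```c
/* Added example, not esp-at or ESP-IDF code: interposing nvs_set_blob/nvs_get_blob with the
 * GNU linker's --wrap, as the reply suggests.  Assumes the build adds -Wl,--wrap=nvs_set_blob and
 * -Wl,--wrap=nvs_get_blob (the linker then supplies __real_nvs_*); the __real_* here are in-memory
 * stand-ins so the file runs off-device.  The byte transform is a placeholder, not a cipher. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
typedef int esp_err_t;          /* stand-ins for ESP-IDF's esp_err_t / nvs_handle_t */
typedef uint32_t nvs_handle_t;
enum { ESP_OK = 0, ESP_FAIL = -1 };
#define MAX_BLOB 256
static struct { char key[16]; uint8_t data[MAX_BLOB]; size_t len; } slot;  /* one-entry stand-in flash */

esp_err_t __real_nvs_set_blob(nvs_handle_t h, const char *key, const void *value, size_t len) {
    (void)h; if (len > MAX_BLOB || strlen(key) >= sizeof slot.key) return ESP_FAIL;
    strcpy(slot.key, key); memcpy(slot.data, value, len); slot.len = len;
    return ESP_OK;
}
esp_err_t __real_nvs_get_blob(nvs_handle_t h, const char *key, void *out, size_t *len) {
    (void)h; if (strcmp(slot.key, key) != 0) return ESP_FAIL;
    if (out != NULL) { if (*len < slot.len) return ESP_FAIL; memcpy(out, slot.data, slot.len); }
    *len = slot.len;                            /* out == NULL is NVS's length-query form */
    return ESP_OK;
}
/* PLACEHOLDER transform (symmetric XOR), standing in for a real cipher such as AES-GCM. */
static void transform(uint8_t *b, size_t n) {
    static const uint8_t k[4] = {0x5a, 0xc3, 0x3c, 0xa5};
    for (size_t i = 0; i < n; i++) b[i] ^= k[i & 3];
}

/* With --wrap, every nvs_set_blob/nvs_get_blob call (esp-at's cert storage included) lands here. */
esp_err_t __wrap_nvs_set_blob(nvs_handle_t h, const char *key, const void *value, size_t len) {
    uint8_t tmp[MAX_BLOB];
    if (len > MAX_BLOB) return ESP_FAIL;
    memcpy(tmp, value, len); transform(tmp, len);          /* protect before it reaches flash */
    return __real_nvs_set_blob(h, key, tmp, len);
}
esp_err_t __wrap_nvs_get_blob(nvs_handle_t h, const char *key, void *out, size_t *len) {
    esp_err_t err = __real_nvs_get_blob(h, key, out, len);
    if (err == ESP_OK && out != NULL) transform((uint8_t *)out, *len); /* no-op on length query */
    return err;
}
/* Returns 1 if a constructed blob round-trips and the bytes at rest differ from the plaintext. */
int demo_roundtrip(void) {
    static const uint8_t cert[] = "-----BEGIN CERTIFICATE-----";     /* constructed sample */
    uint8_t back[MAX_BLOB]; size_t n = 0;
    if (__wrap_nvs_set_blob(1, "client_cert", cert, sizeof cert) != ESP_OK) return 0;
    if (__wrap_nvs_get_blob(1, "client_cert", NULL, &n) != ESP_OK || n != sizeof cert) return 0;
    if (__wrap_nvs_get_blob(1, "client_cert", back, &n) != ESP_OK) return 0;
    return memcmp(back, cert, n) == 0 && memcmp(slot.data, cert, n) != 0;
}
```

On the device the same __wrap_* functions link against the real NVS implementation; the one-slot store and the XOR transform exist only to make the file self-contained.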
