ESP32S2 Crypted OTA bin err uploading: Could Not Activate The Firmware

whoim2
Posts: 6
Joined: Thu Nov 09, 2023 1:56 pm

Postby whoim2 » Sat Sep 27, 2025 8:57 pm

Hey.
- Lolin S2 mini
- sketch compiled with Arduino 1.8.19 && 3.3.1 framework
- sketch has Wifi.softAP and OTA functions

Code:

#include <Update.h>
..
const uint8_t OTA_KEY[32] = {'0','v','R','u','e','o','B','n','S','v','t','B','P','l','e','Q','4','D','s','0','1','q','Q','U','5','g','x','7','Z','u','3','5'};
#define OTA_ADDRESS 0x0
#define OTA_CFG 0x0
#define OTA_MODE U_AES_DECRYPT_ON
..
void start_ota() {
  if(!Serial) Serial.begin(115200);
  server.on("/ota", HTTP_GET, []() { server.sendHeader("Connection", "close"); server.send(200, "text/html", otahtml); });
  server.on("/upl_fw", HTTP_POST, []() {
  server.sendHeader("Connection", "close");
  server.send(200, "text/plain", (Update.hasError()) ? String(Update.getError()) : "OK");
  if(Update.hasError()) Update.printError(Serial);
  server.handleClient();
  delay(100);
  resetModule();
  }, []()
    {   esp_task_wdt_reset();
        delay(1);
        HTTPUpload &upload = server.upload();
        if (upload.status == UPLOAD_FILE_START) {
            Serial.printf("upd: %s\n", upload.filename.c_str());
            if (!Update.begin(UPDATE_SIZE_UNKNOWN)) { Update.printError(Serial); } // start with max available size
        } else if (upload.status == UPLOAD_FILE_WRITE) {
          //secure
          if (!Update.setupCrypt(OTA_KEY, OTA_ADDRESS, OTA_CFG, OTA_MODE)) {
            Serial.println("Update.setupCrypt failed!");
          }
          //flashing firmware
          if (Update.write(upload.buf, upload.currentSize) != upload.currentSize) { Update.printError(Serial); }
          Serial.print(F("."));
        } else if (upload.status == UPLOAD_FILE_END) {
          if (Update.end(true)) { Serial.println("upd_succ\nreboot\n"); LITTLEFS.remove("/config.txt"); } // true to set the size to the current progress && clear old config
          else { Update.printError(Serial); }
        }
   });
}

I prepare the OTA file using this binary:

Code:

espsecure.exe encrypt_flash_data -k ota_key.txt --flash_crypt_conf 0x0 -a 0x0 -o %%f.ota %%f

ota_key.txt contains the same 32 bytes as OTA_KEY.
When I upload an encrypted image, I get the error "Could Not Activate The Firmware".
This error is generated by esp_ota_set_boot_partition(_partition).

Help me figure out where I went wrong.

Without Update.setupCrypt and without image encryption, everything updates well.

lbernstone
Posts: 1132
Joined: Mon Jul 22, 2019 3:20 pm

Postby lbernstone » Sat Sep 27, 2025 9:18 pm

This functionality requires secure boot and flash encryption. arduino-esp32 does not directly support these features, so you need to install them and flash the fuses with esp-idf. You can then use Update.setupCrypt to OTA flash code written in arduino-esp32 (and the IDE).

whoim2
Posts: 6
Joined: Thu Nov 09, 2023 1:56 pm

Postby whoim2 » Sat Sep 27, 2025 9:54 pm

lbernstone wrote:
> This functionality requires secure boot and flash encryption. arduino-esp32 does not directly support these features, so you need to install them and flash the fuses with esp-idf. You can then use Update.setupCrypt to OTA flash code written in arduino-esp32 (and the IDE).
I moved setupCrypt to the setup() section and now the encrypted firmware update is successful. The next problem: I had prepared dev and release bootloaders and had previously flashed them successfully; they turned on secure boot v2 and automatically generated keys. After updating the esp32 framework to 3.3, this does not happen. Apparently, you need to install a new version of the IDF IDE and recreate the bootloaders.
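
A host-side check for the files that go into the espsecure step discussed in this thread, as an added example that is not part of any post above and is not code from arduino-esp32 or esptool. It compares the key file against the OTA_KEY array in the sketch and sanity-checks the plaintext and encrypted images, so key or packaging mistakes can be ruled out separately from the on-device Update calls. The function names are hypothetical and the key and image bytes are constructed samples.

```python
import re

ESP_IMAGE_MAGIC = 0xE9  # first byte of a plaintext ESP32-family app image
KEY_LEN = 32            # OTA_KEY[32] in the sketch
BLOCK = 16              # flash encryption works on 16-byte blocks

def parse_sketch_key(source, name="OTA_KEY"):
    """Read a uint8_t array (char literals or numbers) out of sketch source."""
    m = re.search(re.escape(name) + r"\s*\[\d*\]\s*=\s*\{(.*?)\}", source, re.S)
    if not m:
        raise ValueError(name + " not found in sketch source")
    items = re.findall(r"'(.)'|(0[xX][0-9a-fA-F]+|\d+)", m.group(1))
    return bytes(ord(ch) if ch else int(num, 0) for ch, num in items)

def preflight(sketch_src, key_file, plain, encrypted):
    """Return a list of host-side problems; an empty list means none found."""
    problems = []
    if len(key_file) != KEY_LEN:
        problems.append("key file is %d bytes, not %d" % (len(key_file), KEY_LEN))
    if parse_sketch_key(sketch_src) != key_file:
        problems.append("key file differs from OTA_KEY in the sketch")
    if plain[:1] != bytes([ESP_IMAGE_MAGIC]):
        problems.append("input .bin lacks the 0xE9 image magic")
    if len(encrypted) % BLOCK or len(encrypted) < len(plain):
        problems.append("encrypted size is wrong for this input")
    if encrypted[:BLOCK] == plain[:BLOCK]:
        problems.append(".ota file still starts with the plaintext header")
    return problems

# Constructed sample data (not from the thread, not real ciphertext).
KEY_TEXT = "0123456789abcdefghijklmnopqrstuv"
SKETCH = "const uint8_t OTA_KEY[32] = {%s};" % ",".join("'%s'" % c for c in KEY_TEXT)
PLAIN = bytes([0xE9, 0x05, 0x02, 0x20]) + bytes(44)     # 48-byte stand-in image
CIPHER = bytes((i * 37 + 11) % 256 for i in range(48))  # stand-in for the .ota file

if __name__ == "__main__":
    key = KEY_TEXT.encode()
    print(preflight(SKETCH, key, PLAIN, CIPHER))          # matching key, encrypted file
    print(preflight(SKETCH, key + b"\n", PLAIN, CIPHER))  # editor appended a newline
    print(preflight(SKETCH, key, PLAIN, PLAIN))           # file was never encrypted
```

In real use, read the key file and both images with `open(path, "rb").read()` and pass the sketch source as text.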
