Hi all
I am using the latest IDF. I had several board to program and I was programming them using the windows flash download tool.
Most of them are working however some of them were programmed twice with the bootloader checked. When programmed once they were working but when programmed the second time we are seeing secure boot check failed.
All have secure bootload enabled with one time key encryption as recommended.
Is there a way out of it or have we bricked our boards?
Thanks for your help
same secure bootloader written twice now getting secure boot check failed
Re: same secure bootloader written twice now getting secure boot check failed
Forgot to say I did an erase before the second programming. The erase was done by pressing the button in flash download tools
Re: same secure bootloader written twice now getting secure boot check failed
If encryption is enabled and secure boot is enabled then the chip expects an encrypted bootloader with an encrypted signature. If the encryption key was generated on the chip you can't provide that. If the efuses are write protected you can't turn off encryption. At least you demonstrated why it's secure. 
Re: same secure bootloader written twice now getting secure boot check failed
Hi sorry encryption is not enabled only secure boot is enabled
Both time exactly the same bootloader, partition table and code were loaded.
Both time exactly the same bootloader, partition table and code were loaded.
Re: same secure bootloader written twice now getting secure boot check failed
Hi hacksome,
If you pressed the erase button in the Flash Download Tool then it erased the entire flash, including the digest at offset 0x0. Unless you saved a copy of the digest somewhere (and the matching bootloader) then it's no longer possible to boot any firmware on this ESP32. Sorry.
If you want to be able to erase the flash, or flash an updated bootloader a second time, or if you're messing around in the development stages of a project, then please use the "Reflashable Bootloader" mode instead of the "One-Time Flash" mode.
Full details here: https://docs.espressif.com/projects/esp ... -boot.html
The first time you boot an ESP-IDF bootloader that is built with secure boot enabled in one-time flash mode, it generates a random secret boot key to be stored in efuse, calculates a digest based on the bootloader contents and the key, and then writes this digest to flash at offset 0x0. It's not possible to re-generate this digest because the efuse key is read and write protected now.hacksome wrote: Forgot to say I did an erase before the second programming. The erase was done by pressing the button in flash download tools
If you pressed the erase button in the Flash Download Tool then it erased the entire flash, including the digest at offset 0x0. Unless you saved a copy of the digest somewhere (and the matching bootloader) then it's no longer possible to boot any firmware on this ESP32. Sorry.
If you want to be able to erase the flash, or flash an updated bootloader a second time, or if you're messing around in the development stages of a project, then please use the "Reflashable Bootloader" mode instead of the "One-Time Flash" mode.
Full details here: https://docs.espressif.com/projects/esp ... -boot.html
Re: same secure bootloader written twice now getting secure boot check failed
Thanks Angus
This explains it so well. Many thanks
This explains it so well. Many thanks
Who is online
Users browsing this forum: markkuk, MicroController and 121 guests