After Flash Encryption set up, just get "invalid header" errors
Posted: Thu Oct 27, 2022 4:41 am
I've set up my ESP32e for flash encryption, but now I just get this error repeated at start up immediately. I also have the boot logging set to verbose, but this is all I get. Does this refer to the encryption header the second stage bootloader expects to find in the application?
I haven't been able to get out of this, even after erase_flash with esptool. Details about the steps I took below...
I am doing development on Windows with Arduino IDE. I installed IDF-TOOLS 4.4.2. I installed my encryption key and then used one of the example projects to configure flash encryption in the menuconfig. I grabbed the bootloader, partition, and ota bins generated by the IDF project, and the application bin from the Arduino IDE. I used espsecure to encrypt my application with my key. Then I've uploaded them all with esptool.
The first time restarting, log shows it correctly identifying encryption mode. It errored out on the partition though, I wasn't aware menuconfig sets md5 validation on the partition table, so it failed on that at boot up. I fixed that, but now can't get past the invalid header errors. I tried the process again, repeating the steps carefully, but still get the invalid header. I can't figure out where I went wrong, or what to try next.
This is the efuse dump I just took, wondering if anything went wrong.
I haven't been able to get out of this, even after erase_flash with esptool. Details about the steps I took below...
Code: Select all
rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
invalid header: 0xf37e1716
invalid header: 0xf37e1716
invalid header: 0xf37e1716
invalid header: 0xf37e1716
invalid header: 0xf37e1716
invalid header: 0xf37e1716
invalid header: 0xf37e1716
inv⸮ets Jul 29 2019 12:21:46
rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
invalid header: 0xf37e1716
invalid header: 0xf37e1716
invalid header: 0xf37e1716
invalid header: 0xf37e1716
invalid header: 0xf37e1716
invalid header: 0xf37e1716
invalid header: 0xf37e1716
i⸮ets Jul 29 2019 12:21:46
...
The first time restarting, log shows it correctly identifying encryption mode. It errored out on the partition though, I wasn't aware menuconfig sets md5 validation on the partition table, so it failed on that at boot up. I fixed that, but now can't get past the invalid header errors. I tried the process again, repeating the steps carefully, but still get the invalid header. I can't figure out where I went wrong, or what to try next.
This is the efuse dump I just took, wondering if anything went wrong.
Code: Select all
=== Run "summary" command ===
EFUSE_NAME (Block) Description = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Calibration fuses:
BLK3_PART_RESERVE (BLOCK0): BLOCK3 partially served for ADC calibration data = False R/W (0b0)
ADC_VREF (BLOCK0): Voltage reference calibration = 1072 R/W (0b10100)
Config fuses:
XPD_SDIO_FORCE (BLOCK0): Ignore MTDI pin (GPIO12) for VDD_SDIO on reset = False R/W (0b0)
XPD_SDIO_REG (BLOCK0): If XPD_SDIO_FORCE, enable VDD_SDIO reg on reset = False R/W (0b0)
XPD_SDIO_TIEH (BLOCK0): If XPD_SDIO_FORCE & XPD_SDIO_REG = 1.8V R/W (0b0)
CLK8M_FREQ (BLOCK0): 8MHz clock freq override = 54 R/W (0x36)
SPI_PAD_CONFIG_CLK (BLOCK0): Override SD_CLK pad (GPIO6/SPICLK) = 0 R/W (0b00000)
SPI_PAD_CONFIG_Q (BLOCK0): Override SD_DATA_0 pad (GPIO7/SPIQ) = 0 R/W (0b00000)
SPI_PAD_CONFIG_D (BLOCK0): Override SD_DATA_1 pad (GPIO8/SPID) = 0 R/W (0b00000)
SPI_PAD_CONFIG_HD (BLOCK0): Override SD_DATA_2 pad (GPIO9/SPIHD) = 0 R/W (0b00000)
SPI_PAD_CONFIG_CS0 (BLOCK0): Override SD_CMD pad (GPIO11/SPICS0) = 0 R/W (0b00000)
DISABLE_SDIO_HOST (BLOCK0): Disable SDIO host = False R/W (0b0)
Efuse fuses:
WR_DIS (BLOCK0): Efuse write disable mask = 128 R/W (0x0080)
RD_DIS (BLOCK0): Efuse read disable mask = 1 R/W (0x1)
CODING_SCHEME (BLOCK0): Efuse variable block length scheme
= NONE (BLK1-3 len=256 bits) R/W (0b00)
KEY_STATUS (BLOCK0): Usage of efuse block 3 (reserved) = False R/W (0b0)
Identity fuses:
MAC (BLOCK0): Factory MAC Address
= (..removed..) R/W
MAC_CRC (BLOCK0): CRC8 for factory MAC address = 156 R/W (0x9c)
CHIP_VER_REV1 (BLOCK0): Silicon Revision 1 = True R/W (0b1)
CHIP_VER_REV2 (BLOCK0): Silicon Revision 2 = True R/W (0b1)
CHIP_VERSION (BLOCK0): Reserved for future chip versions = 2 R/W (0b10)
CHIP_PACKAGE (BLOCK0): Chip package identifier = 1 R/W (0b001)
CHIP_PACKAGE_4BIT (BLOCK0): Chip package identifier #4bit = False R/W (0b0)
MAC_VERSION (BLOCK3): Version of the MAC field = 0 R/W (0x00)
Security fuses:
FLASH_CRYPT_CNT (BLOCK0): Flash encryption mode counter = 1 R/W (0b0000001)
UART_DOWNLOAD_DIS (BLOCK0): Disable UART download mode (ESP32 rev3 only) = False R/W (0b0)
FLASH_CRYPT_CONFIG (BLOCK0): Flash encryption config (key tweak bits) = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE (BLOCK0): Disable ROM BASIC interpreter fallback = True R/W (0b1)
ABS_DONE_0 (BLOCK0): Secure boot V1 is enabled for bootloader image = False R/W (0b0)
ABS_DONE_1 (BLOCK0): Secure boot V2 is enabled for bootloader image = False R/W (0b0)
JTAG_DISABLE (BLOCK0): Disable JTAG = True R/W (0b1)
DISABLE_DL_ENCRYPT (BLOCK0): Disable flash encryption in UART bootloader = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0): Disable flash decryption in UART bootloader = True R/W (0b1)
DISABLE_DL_CACHE (BLOCK0): Disable flash cache in UART bootloader = True R/W (0b1)
BLOCK1 (BLOCK1): Flash encryption key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK2 (BLOCK2): Secure boot key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK3 (BLOCK3): Variable Block 3
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V).