Initial flash encryption not working
Posted: Tue Mar 04, 2025 8:21 am
My project is configured to enable flash encryption on boot. I have successfully used this command in the past to flash new chips:
Code:
esptool.py --port COM10 --baud 460800 --before default_reset --after hard_reset write_flash --flash_mode dio --flash_freq 80m --flash_size detect 0x0 bootloader.bin 0x8000 partition-table.bin 131072 application.bin
Note that the encrypt flag is not set. Per documentation, I rely on the bootloader to detect that encryption is required and set the fuses automatically - BLOCK_KEY0 and SPI_BOOT_CRYPT_CNT.
This used to work - the image was encrypted on first boot as expected. Recently this has stopped working, possibly due to updated silicon? After issuing the same command I see that BLOCK_KEY0 is set to XTS_AES_128_KEY but SPI_BOOT_CRYPT_CNT remains at 0. I have to manually increment this (espefuse.py burn_efuse) then run the command again with encrypt flag set to get it to work. Any explanation for this?
Chip is ESP32-S3 (QFN56) (revision v0.2)
esptool.py v4.7.0 - Espressif chips ROM Bootloader Utility
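A check for the half-provisioned state described in the post, as an added example that is not part of the original post and not Espressif's code: it parses text laid out like the output of espefuse.py summary and reports whether an XTS_AES key purpose is burned while SPI_BOOT_CRYPT_CNT has an even number of bits set (encryption off). The sample rows are constructed, the row layout is an assumption about that output, and the function names are hypothetical.

```python
import re

# One summary row, assumed layout: NAME (BLOCKn) description = MEANING R/W (RAW)
ROW = re.compile(
    r"^(?P<name>[A-Z0-9_]+)\s+\(BLOCK\d+\).*=\s*(?P<meaning>\S+)\s+\S+"
    r"\s+\((?P<raw>0[bx][0-9a-fA-F]+)\)\s*$")

# Constructed sample (not captured from a device): key purpose burned,
# SPI_BOOT_CRYPT_CNT still 0, i.e. the state reported in the post.
SAMPLE_SUMMARY = """\
SPI_BOOT_CRYPT_CNT (BLOCK0)  Enables flash encryption when 1 or 3 bits are set = Disable R/W (0b000)
KEY_PURPOSE_0 (BLOCK0)       Represents the purpose of Key0                    = XTS_AES_128_KEY R/- (0x4)
KEY_PURPOSE_1 (BLOCK0)       Represents the purpose of Key1                    = USER R/W (0x0)
"""


def parse_summary(text):
    """Return {efuse_name: (meaning, raw_int)} for every row matching ROW."""
    fields = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            # int(..., 0) accepts both the 0b... and 0x... raw forms
            fields[m["name"]] = (m["meaning"], int(m["raw"], 0))
    return fields


def flash_encryption_state(fields):
    """Classify provisioning as (state, key_purpose_fields_holding_an_XTS_key)."""
    cnt = fields["SPI_BOOT_CRYPT_CNT"][1]
    # Encryption is on when an odd number of counter bits is set (1 or 3)
    enabled = bin(cnt).count("1") % 2 == 1
    key_slots = sorted(
        name for name, (meaning, _) in fields.items()
        if name.startswith("KEY_PURPOSE_") and meaning.startswith("XTS_AES_"))
    if enabled and key_slots:
        return "encrypted", key_slots
    if key_slots:
        return "key-burned-not-enabled", key_slots   # half-provisioned
    if enabled:
        return "enabled-without-key", key_slots      # inconsistent fuses
    return "unprovisioned", key_slots


if __name__ == "__main__":
    print(flash_encryption_state(parse_summary(SAMPLE_SUMMARY)))
```

Running it on a summary captured before and after first boot shows which of the two fuse writes the bootloader actually performed.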