How can i program/update a device with security bits, without using the IDE?
Posted: Thu Aug 28, 2025 12:31 pm
Hello.
First of all, i've already read the Flash Download Tool User Guide, but i'm still having trouble.
I have a new project using ESP32-H2 that will enter production soon, and it's the first project using an ESP32 doing so. Via VSCode / ESP-IDF i managed to enable flash encryption and download the image. Currently set in Development mode, as i want to use the UART1 to update the firmware, and i haven't figured out "OTA" through UART1 or BLE yet, or a way to implement a custom bootloader to do so.
But now i lack an option to program the device in production. When i was testing i used the Flash Download Tool to produce a combined image of bootloader (at offset 0x0000), partition (at offset 0x8000) and firmware (at offset 0x10000). I could then program the combined BIN starting at offset 0x0000.
After enabling the encryption i also had to move the partition which was placed at offset 0x10000. Application turned out to be at 0x20000 so i made a new combined firmware changing the offset of partition and firmware at the respecive places. Then i took a blank board and flashed this new combined firmare. This worked: the firmware was written, then i had to remove power and when i applied it again the monitor showed it was encrypting the image, after which the device started, and data read back is encrypted. So far so good.
However, after this operation i can't erase or rewrite the device. I can through the IDE, but i can't with the flash download tool.
When trying to write, or to erase:
What do i need to do then, do i need to mess with the Flash Tool configuration file? But i don't really understand what values should i change with what. Also, can't the Flash tool detect that from the device / firmware file somehow and act accordingly?
Thanks.
First of all, i've already read the Flash Download Tool User Guide, but i'm still having trouble.
I have a new project using ESP32-H2 that will enter production soon, and it's the first project using an ESP32 doing so. Via VSCode / ESP-IDF i managed to enable flash encryption and download the image. Currently set in Development mode, as i want to use the UART1 to update the firmware, and i haven't figured out "OTA" through UART1 or BLE yet, or a way to implement a custom bootloader to do so.
But now i lack an option to program the device in production. When i was testing i used the Flash Download Tool to produce a combined image of bootloader (at offset 0x0000), partition (at offset 0x8000) and firmware (at offset 0x10000). I could then program the combined BIN starting at offset 0x0000.
After enabling the encryption i also had to move the partition which was placed at offset 0x10000. Application turned out to be at 0x20000 so i made a new combined firmware changing the offset of partition and firmware at the respecive places. Then i took a blank board and flashed this new combined firmare. This worked: the firmware was written, then i had to remove power and when i applied it again the monitor showed it was encrypting the image, after which the device started, and data read back is encrypted. So far so good.
However, after this operation i can't erase or rewrite the device. I can through the IDE, but i can't with the flash download tool.
When trying to write, or to erase:
Code: Select all
[2025-08-28 14:26:11,635][ESP8266Loader_spi[1]][espDownloader.py][line:2328][ERROR]: ESP32 efuse secure check fail:Already flash encryption,NOT allow download again!!!
[2025-08-28 14:26:11,635][ESP8266Loader_spi[1]][espDownloader.py][line:833][ERROR]: ESP32H2 Secure Encrypt check error esp_write_flash. Thanks.