ESP32-S2 - UART ROM Download Mode - Secure - disables USB
Posted: Sun Jun 07, 2026 8:44 am
Hi,
I have a question regarding the UART ROM Download Mode → Permanently Switch to Secure Mode setting.
I have an ESP32-S2-MINI-2 custom board, with all security features enabled (Secure Boot V2, Flash Encryption, Release Mode (using my own encryption key)), and everything works correctly in this configuration.
I recently enabled Security Features → UART ROM Download Mode → Permanently Switch to Secure Mode
After booting the device, the eFuse was successfully burned, and the behavior initially matched my expectations:
- espefuse.py summary no longer worked
- I could still communicate with the device through Download Mode
- I was able to read the device's MAC address using esptool.py
However, after approximately 10 seconds, the USB COM port disappeared from Device Manager and I could no longer communicate with the chip through Download Mode.
The application itself continues to boot and run normally, and all application functionality is working as expected.
I am using a native USB (USB D+/D- connected directly to the ESP32-S2) connection and no external UART connected (GPIO43/GPIO44 are not exposed).
My expectation was that enabling Secure Download Mode would restrict available ROM commands, but not completely remove access to Download Mode over USB.
Is this expected behavior on ESP32-S2 when using native USB, or could there be another eFuse or security setting interacting with Secure Download Mode? I looked in the code (esp-idf 5.5.1), but I don't see any additional fuse burned.
Thank you
I have a question regarding the UART ROM Download Mode → Permanently Switch to Secure Mode setting.
I have an ESP32-S2-MINI-2 custom board, with all security features enabled (Secure Boot V2, Flash Encryption, Release Mode (using my own encryption key)), and everything works correctly in this configuration.
I recently enabled Security Features → UART ROM Download Mode → Permanently Switch to Secure Mode
After booting the device, the eFuse was successfully burned, and the behavior initially matched my expectations:
- espefuse.py summary no longer worked
- I could still communicate with the device through Download Mode
- I was able to read the device's MAC address using esptool.py
However, after approximately 10 seconds, the USB COM port disappeared from Device Manager and I could no longer communicate with the chip through Download Mode.
The application itself continues to boot and run normally, and all application functionality is working as expected.
I am using a native USB (USB D+/D- connected directly to the ESP32-S2) connection and no external UART connected (GPIO43/GPIO44 are not exposed).
My expectation was that enabling Secure Download Mode would restrict available ROM commands, but not completely remove access to Download Mode over USB.
Is this expected behavior on ESP32-S2 when using native USB, or could there be another eFuse or security setting interacting with Secure Download Mode? I looked in the code (esp-idf 5.5.1), but I don't see any additional fuse burned.
Thank you