ESP32

Bootloader

Booting Process
Decompile the Bootloader

Security Features

Source

One Time Programmable eFUSE

Secure Boot

https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/secure-boot-v1.html
https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/secure-boot-v2.html

Enable Secure Boot (V1 in reflashable mode: the key is generated on the host with espsecure.py and burned by hand; newer espefuse.py releases name this key block secure_boot_v1):

## Burn the secure boot key into BLK2
espefuse.py burn_key secure_boot ./hello_world_k1/secure-bootloader-key-256.bin
## Burn the ABS_DONE_0 fuse to activate secure boot
espefuse.py burn_efuse ABS_DONE_0

Both burns are irreversible. Once ABS_DONE_0 is set, the ROM only runs a bootloader whose digest at flash offset 0x0 matches the one computed with the key in BLK2, and burn_key read-protects BLK2 so the key can no longer be read back over the serial link.

Flash Encryption

https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/flash-encryption.html

Voltage Glitcher AES Key

Enable flash encryption (manual/development flow: the key is generated on the host and burned into BLK1 by hand):

>>> espsecure.py generate_flash_encryption_key my_flash_encryption_key.bin
>>> hexdump my_flash_encryption_key.bin
0000000 c838 e375 7633 1541 5ff9 4365 f2dd 2ce9
0000010 1f78 42a0 bf53 8f14 68ce 009f 5586 9b52
>>> espefuse.py --port /dev/ttyUSB0 burn_key flash_encryption my_flash_encryption_key.bin
espefuse.py v2.7-dev
Connecting......
Write key in efuse block 1. The key block will be read and write protected (no further changes or readback).
This is an irreversible operation.
Type 'BURN' (all capitals) to continue.
BURN
Burned key data. New value: 9b 52 55 86 00 9f 68 ce 8f 14 bf 53 42 a0 1f 78 2c e9 f2 dd 43 65 5f f9 15 41 76 33 e3 75 c8 38
Disabling read/write to key efuse block...
>>> espefuse.py burn_efuse FLASH_CRYPT_CONFIG 0xf
>>> espefuse.py burn_efuse FLASH_CRYPT_CNT

Note that the "New value" is the key file in reverse byte order (hexdump prints 16-bit words, so the file starts 38 c8 75 e3 ... and the eFuse block ends ... e3 75 c8 38): espefuse.py burns ESP32 flash-encryption and secure-boot keys byte-reversed, so a key recovered from BLK1 by other means has to be reversed before espsecure.py will accept it. FLASH_CRYPT_CONFIG 0xf selects the recommended mixing of the flash address into the key. Burning one bit of FLASH_CRYPT_CNT (odd number of set bits) switches encryption on; an even count switches it off again, which is why release mode additionally write-protects FLASH_CRYPT_CNT.

Write the pre-encrypted images. Each image must be encrypted for the exact offset it is flashed to (the -a argument): the ESP32 mixes the flash address into the key, so an image encrypted for the wrong offset is unreadable to the chip. The bootloader-reflash-digest.bin written at 0x0 is the Secure Boot V1 combined image (digest at 0x0, bootloader following at 0x1000).

espsecure.py encrypt_flash_data -k ../../my_flash_encryption_key.bin -o bootloader-reflash-digest-encrypted.bin -a 0x0 bootloader-reflash-digest.bin
esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 115200 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x0 /home/limited/esp/hello_world_k1_FE/build/bootloader/bootloader-reflash-digest-encrypted.bin
espsecure.py encrypt_flash_data -k ../my_flash_encryption_key.bin -o hello-world-encrypted.bin -a 0x10000 hello-world.bin
espsecure.py encrypt_flash_data -k ../my_flash_encryption_key.bin -o partitions_singleapp-encrypted.bin -a 0x08000 partitions_singleapp.bin
esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 115200 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x10000 /home/limited/esp/hello_world_k1_FE/build/hello-world-encrypted.bin 0x8000 /home/limited/esp/hello_world_k1_FE/build/partitions_singleapp-encrypted.bin

Verify that the flash is encrypted by reading it back:

esptool.py -p /dev/ttyUSB0 -b 460800 read_flash 0 0x400000 flash_contents.bin

read_flash returns the bytes as stored, so the dump should no longer show the 0xE9 image magic at 0x1000 (bootloader) or 0x10000 (app), nor the AA 50 partition entries at 0x8000. The plaintext can only be recovered with espsecure.py decrypt_flash_data, the key file and the same -a offset that was used for encryption.
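As an added check (example code written for these notes, not part of the original page or of esptool), the script below inspects a read_flash dump and reports, region by region, whether it still parses as plaintext and how random it looks. It assumes the default ESP32 layout used by the commands above (bootloader at 0x1000, partition table at 0x8000, app at 0x10000). The sample dumps it builds are constructed, not captured from a device; the "ciphertext" filler is a repeated byte permutation standing in for AES output.

```python
import math
import struct

ESP_IMAGE_MAGIC = 0xE9
PART_ENTRY_MAGIC = b"\xAA\x50"   # every partition-table entry starts with these two bytes
MAX_SEGMENTS = 16

# Offsets used by the write_flash commands above: bootloader, partition table, app.
REGIONS = {"bootloader": 0x1000, "partition_table": 0x8000, "app": 0x10000}


def entropy_bits_per_byte(chunk):
    """Shannon entropy of a byte string; 8.0 means every byte value is equally frequent."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_image_header(chunk):
    """Plausibility check for a plaintext ESP32 image header: magic, segment count, entry address.
    Checking more than the single magic byte keeps random ciphertext from matching by chance."""
    if len(chunk) < 24 or chunk[0] != ESP_IMAGE_MAGIC:
        return False
    seg_count = chunk[1]
    entry = struct.unpack_from("<I", chunk, 4)[0]
    return 1 <= seg_count <= MAX_SEGMENTS and 0x40000000 <= entry < 0x40400000


def looks_like_partition_table(chunk):
    """First entry must carry the 0x50AA magic and an app (0x00) or data (0x01) type byte."""
    return len(chunk) >= 3 and chunk[:2] == PART_ENTRY_MAGIC and chunk[2] in (0x00, 0x01)


def inspect_dump(dump, sample_len=4096):
    """Report, per region, whether the dump still holds recognisable plaintext and its entropy."""
    report = {}
    for name, off in REGIONS.items():
        chunk = dump[off:off + sample_len]
        if name == "partition_table":
            plaintext = looks_like_partition_table(chunk)
        else:
            plaintext = looks_like_image_header(chunk)
        report[name] = {"plaintext_magic": plaintext,
                        "entropy": round(entropy_bits_per_byte(chunk), 2)}
    # Verdict: no region parses as plaintext and the app sector is near-random.
    # The partition-table sector is only partly written (rest is erased 0xFF), so
    # its entropy is reported but not used for the verdict.
    report["looks_encrypted"] = (not any(report[n]["plaintext_magic"] for n in REGIONS)
                                 and report["app"]["entropy"] > 7.5)
    return report


# --- constructed sample dumps (not real device data) -------------------------

def _plaintext_image(size):
    """Fake unencrypted image: valid-looking 24-byte header, then low-entropy 'code'."""
    header = struct.pack("<BBBBI", ESP_IMAGE_MAGIC, 4, 2, 0x20, 0x40080400) + b"\x00" * 16
    return header + bytes(i % 64 for i in range(size - len(header)))


def _fake_ciphertext(size):
    """Stand-in for AES ciphertext: a byte permutation repeated (entropy exactly 8.0)."""
    return bytes((i * 97 + 13) & 0xFF for i in range(size))


def make_sample_dump(encrypted):
    """1 MiB constructed dump; erased flash reads as 0xFF."""
    dump = bytearray(b"\xFF" * 0x100000)
    if encrypted:
        for off in REGIONS.values():
            dump[off:off + 4096] = _fake_ciphertext(4096)
    else:
        dump[REGIONS["bootloader"]:REGIONS["bootloader"] + 4096] = _plaintext_image(4096)
        dump[REGIONS["partition_table"]:REGIONS["partition_table"] + 4] = PART_ENTRY_MAGIC + b"\x00\x00"
        dump[REGIONS["app"]:REGIONS["app"] + 4096] = _plaintext_image(4096)
    return bytes(dump)


if __name__ == "__main__":
    import sys
    # Usage: python inspect_dump.py flash_contents.bin  (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_dump(encrypted=True)
    for key, value in inspect_dump(data).items():
        print(key, value)
```

An all-0xFF dump (empty or mis-read flash) is reported as not encrypted, since the verdict requires high entropy in the app sector rather than merely the absence of magic bytes.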

Disabling JTAG/UART Boot

Read Key from JTAG

Dumping the ESP32 Flash

Source

  1. Set up the UART connection (USB-to-serial adapter on TX0/RX0).
  2. Pull GPIO0 (pin 25 on the ESP32-WROOM-32 module) to ground and reset the chip to enter download boot mode.
  3. Run esptool -p COM7 -b 115200 read_flash 0 0x400000 flash.bin to dump the full 4 MiB flash (adjust the length to the part fitted).

If flash encryption is enabled the dump is ciphertext and has to be decrypted with the key before analysis.

Flash Analysis

python esp32knife.py --chip=esp32 load_from_file ./flash.bin

App Image Format

Source

Patch Binary

Change Bits:

Fix Checksum (after changing bytes, the image's XOR checksum and appended SHA-256 no longer match and the bootloader rejects it; esp32fix.py repairs the image so it passes that integrity check again):

python esp32fix.py --chip=esp32 app_image ./patched.part.3.factory
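An added worked example (written for these notes, not esp32knife/esp32fix.py code) of the app image layout that esp32knife parses and esp32fix.py repairs: a 24-byte header, segments of (load address, length, data), zero padding so that the XOR checksum byte (seeded with 0xEF) lands at offset 15 mod 16, then an optional SHA-256 over everything before it when header byte 23 is 1. The sample image it builds is constructed; header fields other than magic, segment count, entry address and the hash flag are filler.

```python
import hashlib
import struct

ESP_IMAGE_MAGIC = 0xE9
ESP_CHECKSUM_MAGIC = 0xEF     # seed of the XOR checksum
HEADER_LEN = 24               # esp_image_header_t
SEG_HEADER_LEN = 8            # load address (4) + data length (4)


def xor_checksum(segments):
    """XOR of every segment data byte, seeded with 0xEF."""
    state = ESP_CHECKSUM_MAGIC
    for _, data in segments:
        for b in data:
            state ^= b
    return state


def parse_image(img):
    """Split an app image into header fields, segments, checksum byte and optional SHA-256."""
    if len(img) < HEADER_LEN or img[0] != ESP_IMAGE_MAGIC:
        raise ValueError("not an ESP image (bad magic)")
    seg_count = img[1]
    entry = struct.unpack_from("<I", img, 4)[0]
    hash_appended = img[23]
    pos, segments = HEADER_LEN, []
    for _ in range(seg_count):
        load_addr, length = struct.unpack_from("<II", img, pos)
        pos += SEG_HEADER_LEN
        segments.append((load_addr, img[pos:pos + length]))
        pos += length
    csum_offset = pos + (15 - pos % 16)   # zero padding puts the checksum at 15 mod 16
    body_end = csum_offset + 1            # the image body is now a multiple of 16 bytes
    if body_end > len(img):
        raise ValueError("truncated image")
    digest = img[body_end:body_end + 32] if hash_appended == 1 else None
    return {"entry": entry, "segments": segments, "hash_appended": hash_appended,
            "checksum_offset": csum_offset, "stored_checksum": img[csum_offset],
            "body_end": body_end, "stored_digest": digest}


def verify_image(img):
    """Return (checksum_ok, digest_ok); digest_ok is True when no SHA-256 is appended."""
    info = parse_image(img)
    checksum_ok = xor_checksum(info["segments"]) == info["stored_checksum"]
    digest_ok = True
    if info["hash_appended"] == 1:
        digest_ok = hashlib.sha256(img[:info["body_end"]]).digest() == info["stored_digest"]
    return checksum_ok, digest_ok


def fix_image(img):
    """Recompute the checksum byte and, if present, the trailing SHA-256 over the repaired body."""
    info = parse_image(img)
    out = bytearray(img[:info["body_end"]])
    out[info["checksum_offset"]] = xor_checksum(info["segments"])
    if info["hash_appended"] == 1:
        out += hashlib.sha256(out).digest()
    return bytes(out)


def patch_segment(img, seg_index, seg_offset, new_bytes):
    """Overwrite bytes inside one segment (same length, so the layout is unchanged), then repair."""
    info = parse_image(img)
    if seg_index >= len(info["segments"]):
        raise IndexError("no such segment")
    pos = HEADER_LEN
    for i, (_, data) in enumerate(info["segments"]):
        pos += SEG_HEADER_LEN
        if i == seg_index:
            if seg_offset + len(new_bytes) > len(data):
                raise ValueError("patch runs past the end of the segment")
            break
        pos += len(data)
    out = bytearray(img)
    out[pos + seg_offset:pos + seg_offset + len(new_bytes)] = new_bytes
    return fix_image(bytes(out))


def build_image(segments, entry=0x40080400, hash_appended=True):
    """Assemble a minimal image with the same layout as above (constructed test input)."""
    hdr = struct.pack("<BBBBIB3sHB8sB", ESP_IMAGE_MAGIC, len(segments), 2, 0x20, entry,
                      0xEE, b"\x00\x00\x00", 0, 0, b"\x00" * 8, 1 if hash_appended else 0)
    body = bytearray(hdr)
    for load_addr, data in segments:
        body += struct.pack("<II", load_addr, len(data)) + data
    body += b"\x00" * (15 - len(body) % 16)
    body.append(xor_checksum(segments))
    if hash_appended:
        body += hashlib.sha256(body).digest()
    return bytes(body)
```

patch_segment changes bytes in place and repairs both fields, which is the Change Bits plus Fix Checksum procedure in one step. It only satisfies the bootloader's integrity check: with Secure Boot enabled the image additionally carries a signature (V1: an ECDSA signature block appended after the SHA-256; V2: an RSA-3072 signature sector), which cannot be regenerated without the private key.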

Reflash partial