
ESP32


Bootloader

Booting Process
Decompile the Bootloader

Security Features

Source

One Time Programmable eFUSE

Secure Boot

https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/secure-boot-v1.html
https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/secure-boot-v2.html

Enable Secure Boot:

## Burn the secure boot key into BLK2
espefuse.py burn_key secure_boot ./hello_world_k1/secure-bootloader-key-256.bin
## Burn the ABS_DONE fuse to activate the sec boot
espefuse.py burn_efuse ABS_DONE_0

Flash Encryption

https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/flash-encryption.html

Voltage Glitcher AES Key

Enable Flash Encryption (AES):

>>> espsecure.py generate_flash_encryption_key my_flash_encryption_key.bin
 
>>> hexdump my_flash_encryption_key.bin 
0000000 c838 e375 7633 1541 5ff9 4365 f2dd 2ce9
0000010 1f78 42a0 bf53 8f14 68ce 009f 5586 9b52
 
>>> espefuse.py --port /dev/ttyUSB0 burn_key flash_encryption my_flash_encryption_key.bin
espefuse.py v2.7-dev
Connecting......
Write key in efuse block 1. The key block will be read and write protected (no further changes or readback). This is an irreversible operation.
Type 'BURN' (all capitals) to continue.
BURN
Burned key data. New value: 9b 52 55 86 00 9f 68 ce 8f 14 bf 53 42 a0 1f 78 2c e9 f2 dd 43 65 5f f9 15 41 76 33 e3 75 c8 38
Disabling read/write to key efuse block...

>>> espefuse.py burn_efuse FLASH_CRYPT_CONFIG 0xf
>>> espefuse.py burn_efuse FLASH_CRYPT_CNT
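The "Burned key data" line above does not look like the hexdump of the key file at first glance: hexdump prints 16-bit little-endian words, and espefuse reports the ESP32 flash encryption key in reversed byte order. The following check, added here and not part of the original notes, parses the hexdump text pasted above, reverses it, and confirms it equals the burned value, so you can verify that the key that ended up in eFuse block 1 is the key file you kept. The hexdump format (default `hexdump` output) and the reversal are assumptions stated in the code.

```python
"""Confirm that the key espefuse reports as burned matches the key file.

Added example, not from the original notes. Assumptions: the hexdump text is
default `hexdump` output (offset column, then 16-bit little-endian words),
and espefuse on ESP32 reports the flash encryption key reversed relative to
the file, which is what the output above shows.
"""

# Constructed from the terminal output above (key file hexdump and the
# "Burned key data" line).
HEXDUMP_TEXT = """
0000000 c838 e375 7633 1541 5ff9 4365 f2dd 2ce9
0000010 1f78 42a0 bf53 8f14 68ce 009f 5586 9b52
"""

BURNED_TEXT = ("9b 52 55 86 00 9f 68 ce 8f 14 bf 53 42 a0 1f 78 "
               "2c e9 f2 dd 43 65 5f f9 15 41 76 33 e3 75 c8 38")


def parse_hexdump(text: str) -> bytes:
    """Turn default hexdump output back into file bytes.

    Each 4-hex-digit token is a 16-bit little-endian word, so the token
    'c838' stands for the bytes 38 c8 in file order.
    """
    out = bytearray()
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields or fields[0] == "*":
            continue  # hexdump prints '*' for suppressed repeated lines
        for word in fields[1:]:  # skip the offset column
            out += int(word, 16).to_bytes(2, "little")
    return bytes(out)


def parse_burned(text: str) -> bytes:
    """The 'Burned key data' line is plain space-separated hex bytes."""
    return bytes.fromhex(text)


def key_matches_burned(hexdump_text: str, burned_text: str) -> bool:
    """True when the burned value is the 32-byte key file in reversed order."""
    key = parse_hexdump(hexdump_text)
    burned = parse_burned(burned_text)
    return len(key) == 32 and burned == key[::-1]


if __name__ == "__main__":
    print("key file bytes:", parse_hexdump(HEXDUMP_TEXT).hex())
    print("matches burned:", key_matches_burned(HEXDUMP_TEXT, BURNED_TEXT))
```

Keep the comparison in mind when you later feed the key to espsecure.py: `encrypt_flash_data -k` takes the key file as stored on disk, not the reversed order that espefuse prints.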

Write Encrypted Flash:

espsecure.py encrypt_flash_data -k ../../my_flash_encryption_key.bin -o bootloader-reflash-digest-encrypted.bin -a 0x0 bootloader-reflash-digest.bin 
 
esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 115200 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x0 /home/limited/esp/hello_world_k1_FE/build/bootloader/bootloader-reflash-digest-encrypted.bin
 
espsecure.py encrypt_flash_data -k ../my_flash_encryption_key.bin -o hello-world-encrypted.bin -a 0x10000 hello-world.bin 
 
espsecure.py encrypt_flash_data -k ../my_flash_encryption_key.bin -o partitions_singleapp-encrypted.bin -a 0x08000 partitions_singleapp.bin 
 
esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 115200 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x10000 /home/limited/esp/hello_world_k1_FE/build/hello-world-encrypted.bin 0x8000 /home/limited/esp/hello_world_k1_FE/build/partitions_singleapp-encrypted.bin

Verify Encrypted Flash:

esptool.py -p /dev/ttyUSB0 -b 460800 read_flash 0 0x400000 flash_contents.bin
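Reading the flash back is only half of the verification; the dump also has to be checked to see that the regions that should be encrypted (on ESP32 with flash encryption enabled: bootloader, partition table and app partitions) no longer show plaintext structure. The script below is an added example, not part of the original notes: it measures byte entropy over a region of the dump and flags a region that still starts with the 0xE9 app image magic as plaintext. The offsets follow the layout used above (app at 0x10000); the sample dumps are constructed in the code, with seeded pseudo-random bytes standing in for ciphertext.

```python
"""Sanity-check a flash dump (flash_contents.bin) for encryption.

Added example, not from the original notes. A plaintext app image starts with
the 0xE9 magic byte and has visible structure (low entropy); an encrypted
region should look random (close to 8 bits of entropy per byte). The region
offsets assume the layout used in these notes (app image at 0x10000).
"""
import math
import random
from collections import Counter

APP_OFFSET = 0x10000
IMAGE_MAGIC = 0xE9


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given bytes (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def region_status(dump: bytes, offset: int, length: int = 4096) -> str:
    """Classify one region of the dump.

    'plaintext' if it starts with the ESP image magic and is low-entropy,
    'encrypted' if it is close to random, 'unknown' otherwise (for example
    erased 0xFF flash or a data partition), 'short' if the dump ends early.
    """
    region = dump[offset:offset + length]
    if len(region) < length:
        return "short"
    h = shannon_entropy(region)
    if region[0] == IMAGE_MAGIC and h < 7.0:
        return "plaintext"
    if h > 7.8:
        return "encrypted"
    return "unknown"


def build_sample_dump(encrypted: bool) -> bytes:
    """Constructed 128 KiB dump for the example (not a real flash image).

    Erased flash reads as 0xFF. With encrypted=False the app region holds a
    plaintext-looking image header followed by repetitive data; with
    encrypted=True it holds seeded pseudo-random bytes standing in for
    ciphertext (deterministic, so results are reproducible).
    """
    dump = bytearray(b"\xff" * 0x20000)
    if encrypted:
        rng = random.Random(1234)
        body = bytes(rng.getrandbits(8) for _ in range(0x1000))
    else:
        header = bytes([IMAGE_MAGIC, 0x03, 0x02, 0x20]) + (0x40080000).to_bytes(4, "little")
        body = (header + b"Hello world from the sample app\n" * 120)[:0x1000]
        body = body.ljust(0x1000, b"\x00")
    dump[APP_OFFSET:APP_OFFSET + 0x1000] = body
    return bytes(dump)


def report(dump: bytes) -> dict:
    """Status of the regions a practitioner would check first."""
    return {hex(off): region_status(dump, off) for off in (0x8000, APP_OFFSET)}


if __name__ == "__main__":
    print("before encryption:", report(build_sample_dump(encrypted=False)))
    print("after encryption: ", report(build_sample_dump(encrypted=True)))
```

Run `report()` on the real dump after `read_flash`; an app region still reporting `plaintext` means FLASH_CRYPT_CNT did not take effect or the image was written unencrypted. Entropy alone cannot distinguish ciphertext from compressed data, so treat `encrypted` as "no plaintext structure found" rather than proof of correct key use.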

Disabling JTAG/UART Boot

Read Key from JTAG

Dumping the ESP32 memory

Source

  1. Set up the UART connection
  2. Pull pin 25 to ground to enable DOWNLOAD_BOOT mode
  3. Run esptool -p COM7 -b 115200 read_flash 0 0x400000 flash.bin to dump the flash contents

Flash Analysis

python esp32knife.py --chip=esp32 load_from_file ./flash.bin

App Image Format

Source

Patch Binary

Change Bits:

Fix Checksum:

python esp32fix.py --chip=esp32 app_image ./patched.part.3.factory
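What esp32fix.py repairs is the app image's own integrity fields: the XOR checksum byte that closes the segment data and, when the image carries one, the SHA-256 appended after it. The following parser is an added example, not the esp32knife or esp32fix code, written from the image format esptool documents: an 8-byte header (magic 0xE9, segment count, flash mode, flash size/freq, 4-byte entry address), a 16-byte extended header whose last byte records whether a SHA-256 is appended, the segments (4-byte load address, 4-byte length, data), zero padding so that the checksum byte (XOR of all segment data, seed 0xEF) is the last byte of a 16-byte block, and the optional hash over everything before it. It verifies an image, reports a mismatch after a byte is changed, and recomputes both fields; the sample image is constructed inside the code.

```python
"""Parse an ESP32 app image, verify its checksum and appended SHA-256, and
recompute both after segment data has changed.

Added example, not from the original notes and not esp32knife/esp32fix code.
Format as documented for esptool: header, 16-byte extended header (last byte
= hash_appended), segments, padding, XOR checksum byte (seed 0xEF), optional
SHA-256 of all preceding bytes.
"""
import hashlib
import struct

MAGIC = 0xE9
CHECKSUM_SEED = 0xEF
HEADER_LEN = 8 + 16


def xor_checksum(chunks) -> int:
    """XOR of every segment data byte, seeded with 0xEF (esptool's scheme)."""
    state = CHECKSUM_SEED
    for chunk in chunks:
        for b in chunk:
            state ^= b
    return state


def parse_image(img: bytes) -> dict:
    """Walk the segments and locate checksum and hash; raise on bad magic."""
    magic, nseg, _mode, _size_freq, entry = struct.unpack_from("<BBBBI", img, 0)
    if magic != MAGIC:
        raise ValueError("not an ESP image (bad magic)")
    hash_appended = img[HEADER_LEN - 1]  # last byte of the extended header
    pos = HEADER_LEN
    segments = []
    for _ in range(nseg):
        addr, length = struct.unpack_from("<II", img, pos)
        pos += 8
        segments.append((addr, img[pos:pos + length]))
        pos += length
    # Padding runs to offset 15 within the 16-byte block; checksum sits there.
    checksum_pos = pos + 15 - (pos % 16)
    info = {
        "entry": entry,
        "segments": segments,
        "checksum_pos": checksum_pos,
        "stored_checksum": img[checksum_pos],
        "computed_checksum": xor_checksum(d for _, d in segments),
        "hash_appended": bool(hash_appended),
    }
    if hash_appended:
        body_end = checksum_pos + 1
        info["stored_sha256"] = img[body_end:body_end + 32]
        info["computed_sha256"] = hashlib.sha256(img[:body_end]).digest()
    return info


def verify_image(img: bytes) -> bool:
    """True when checksum (and SHA-256, if present) match the image content."""
    info = parse_image(img)
    if info["stored_checksum"] != info["computed_checksum"]:
        return False
    if info["hash_appended"] and info["stored_sha256"] != info["computed_sha256"]:
        return False
    return True


def fix_image(img: bytes) -> bytes:
    """Rewrite the checksum byte and, if present, the appended SHA-256."""
    info = parse_image(img)
    out = bytearray(img)
    out[info["checksum_pos"]] = info["computed_checksum"]
    if info["hash_appended"]:
        body_end = info["checksum_pos"] + 1
        out[body_end:body_end + 32] = hashlib.sha256(out[:body_end]).digest()
    return bytes(out)


def build_image(segments, hash_appended: bool = True) -> bytes:
    """Constructed minimal image used as sample input (not real firmware)."""
    out = bytearray(struct.pack("<BBBBI", MAGIC, len(segments), 0x02, 0x20, 0x40080000))
    # Extended header: wp_pin, 3 drive bytes, chip id (0 = ESP32), min rev,
    # min/max full rev, 4 reserved bytes, hash_appended flag.
    out += struct.pack("<BBBBHBHH4xB", 0xEE, 0, 0, 0, 0, 0, 0, 0, int(hash_appended))
    for addr, data in segments:
        out += struct.pack("<II", addr, len(data)) + data
    out += b"\x00" * (15 - len(out) % 16)
    out.append(xor_checksum(d for _, d in segments))
    if hash_appended:
        out += hashlib.sha256(out).digest()
    return bytes(out)


if __name__ == "__main__":
    img = build_image([(0x3FF80000, b"\x01\x02\x03\x04" * 8), (0x40080000, b"\xaa" * 37)])
    print("original verifies:", verify_image(img))
    changed = bytearray(img)
    changed[80] ^= 0xFF  # one byte inside the second segment's data
    print("after change verifies:", verify_image(bytes(changed)))
    print("after fix verifies:", verify_image(fix_image(bytes(changed))))
```

A matching checksum and hash only say that the image is self-consistent, which is what the bootloader checks when Secure Boot is off. With Secure Boot enabled the signature over the image is what is enforced, so an image whose checksum and hash have been recomputed still fails to boot unless it is re-signed with the key whose digest is in eFuse.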

Reflash partial