From fd048290ed4de79137d5620b075ee923cff14431 Mon Sep 17 00:00:00 2001 From: Brian Ignacio Date: Thu, 30 May 2024 19:46:28 +0800 Subject: [PATCH 1/4] initial flash encryption implementation --- examples/typescript/src/index.html | 1 + examples/typescript/src/index.ts | 67 ++++++++++------- src/esploader.ts | 117 +++++++++++++++++++++++------ src/targets/esp32.ts | 2 + src/targets/esp32c3.ts | 2 + src/targets/esp32c6.ts | 2 + src/targets/esp32h2.ts | 2 + src/targets/esp32s2.ts | 2 + src/targets/esp32s3.ts | 2 + src/targets/esp8266.ts | 2 + src/targets/rom.ts | 2 + 11 files changed, 148 insertions(+), 53 deletions(-) diff --git a/examples/typescript/src/index.html b/examples/typescript/src/index.html index 82d40802..638273e8 100644 --- a/examples/typescript/src/index.html +++ b/examples/typescript/src/index.html @@ -54,6 +54,7 @@

Program

Flash Address + Encrypt file ? File diff --git a/examples/typescript/src/index.ts b/examples/typescript/src/index.ts index 7df3008f..bc0377de 100644 --- a/examples/typescript/src/index.ts +++ b/examples/typescript/src/index.ts @@ -155,35 +155,43 @@ addFileButton.onclick = () => { element1.value = "0x1000"; cell1.appendChild(element1); - // Column 2 - File selector + // Column 2 - Encrypt file ? const cell2 = row.insertCell(1); const element2 = document.createElement("input"); - element2.type = "file"; - element2.id = "selectFile" + rowCount; - element2.name = "selected_File" + rowCount; - element2.addEventListener("change", handleFileSelect, false); + element2.type = "checkbox"; + element2.id = "file_encrypted" + rowCount; + element2.checked = false; cell2.appendChild(element2); - // Column 3 - Progress + // Column 3 - File selector const cell3 = row.insertCell(2); - cell3.classList.add("progress-cell"); - cell3.style.display = "none"; - cell3.innerHTML = ``; - - // Column 4 - Remove File + const element3 = document.createElement("input"); + element3.type = "file"; + element3.id = "selectFile" + rowCount; + element3.name = "selected_File" + rowCount; + element3.addEventListener("change", handleFileSelect, false); + cell3.appendChild(element3); + + // Column 4 - Progress const cell4 = row.insertCell(3); - cell4.classList.add("action-cell"); + cell4.classList.add("progress-cell"); + cell4.style.display = "none"; + cell4.innerHTML = ``; + + // Column 5 - Remove File + const cell5 = row.insertCell(4); + cell5.classList.add("action-cell"); if (rowCount > 1) { - const element4 = document.createElement("input"); - element4.type = "button"; + const element5 = document.createElement("input"); + element5.type = "button"; const btnName = "button" + rowCount; - element4.name = btnName; - element4.setAttribute("class", "btn"); - element4.setAttribute("value", "Remove"); // or element1.value = "button"; - element4.onclick = function () { + element5.name = btnName; + element5.setAttribute("class", "btn"); + element5.setAttribute("value", "Remove"); // or element1.value = "button"; + element5.onclick = function () { removeRow(row); }; - cell4.appendChild(element4); + cell5.appendChild(element5); } }; @@ -299,7 +307,7 @@ function validateProgramInputs() { else if (offsetArr.includes(offset)) return "Offset field in row " + index + " is already in use!"; else offsetArr.push(offset); - const fileObj = row.cells[1].childNodes[0]; + const fileObj = row.cells[2].childNodes[0]; fileData = fileObj.data; if (fileData == null) return "No file selected for row " + index + "!"; } @@ -319,7 +327,7 @@ programButton.onclick = async () => { // Hide error message alertDiv.style.display = "none"; - const fileArray = []; + const fileArray: { data: string; address: number; encrypted: boolean }[] = []; const progressBars = []; for (let index = 1; index < table.rows.length; index++) { @@ -328,16 +336,19 @@ programButton.onclick = async () => { const offSetObj = row.cells[0].childNodes[0] as HTMLInputElement; const offset = parseInt(offSetObj.value); - const fileObj = row.cells[1].childNodes[0] as ChildNode & { data: string }; - const progressBar = row.cells[2].childNodes[0]; + const encryptedObj = row.cells[1].childNodes[0] as HTMLInputElement; + const encryptFlag = encryptedObj.checked; + + const fileObj = row.cells[2].childNodes[0] as ChildNode & { data: string }; + const progressBar = row.cells[3].childNodes[0]; progressBar.textContent = "0"; progressBars.push(progressBar); - row.cells[2].style.display = "initial"; - row.cells[3].style.display = "none"; + row.cells[3].style.display = "initial"; + row.cells[4].style.display = "none"; - fileArray.push({ data: fileObj.data, address: offset }); + fileArray.push({ data: fileObj.data, address: offset, encrypted: encryptFlag }); } try { @@ -358,8 +369,8 @@ programButton.onclick = async () => { } finally { // Hide progress bars and show erase buttons for (let index = 1; index < table.rows.length; index++) { - table.rows[index].cells[2].style.display = "none"; - table.rows[index].cells[3].style.display = "initial"; + table.rows[index].cells[3].style.display = "none"; + table.rows[index].cells[4].style.display = "initial"; } } }; diff --git a/src/esploader.ts b/src/esploader.ts index e47b1900..4ebe6006 100644 --- a/src/esploader.ts +++ b/src/esploader.ts @@ -13,10 +13,10 @@ import atob from "atob-lite"; */ export interface FlashOptions { /** - * An array of file objects representing the data to be flashed. - * @type {Array<{ data: string; address: number }>} + * An array of file objects representing the data to be flashed, address offset and if to be encrypted. + * @type {Array<{ data: string; address: number, encrypted: boolean }>} */ - fileArray: { data: string; address: number }[]; + fileArray: { data: string; address: number; encrypted: boolean }[]; /** * The size of the flash memory to be used. @@ -207,12 +207,17 @@ export class ESPLoader { ESP_READ_FLASH = 0xd2; ESP_RUN_USER_CODE = 0xd3; + ESP_FLASH_ENCRYPT_DATA = 0xd4; + ESP_IMAGE_MAGIC = 0xe9; ESP_CHECKSUM_MAGIC = 0xef; // Response code(s) sent by ROM ROM_INVALID_RECV_MSG = 0x05; // response if an invalid message is received + // Commands supported by ESP32-S2 and later chips ROM bootloader only + ESP_GET_SECURITY_INFO = 0x14; + ERASE_REGION_TIMEOUT_PER_MB = 30000; ERASE_WRITE_TIMEOUT_PER_MB = 40000; MD5_TIMEOUT_PER_MB = 8000; @@ -255,6 +260,7 @@ export class ESPLoader { private romBaudrate = 115200; private debugLogging = false; private syncStubDetected = false; + private secureDownloadMode = false; /** * Create a new ESPLoader to perform serial communication @@ -266,7 +272,7 @@ export class ESPLoader { */ constructor(options: LoaderOptions) { this.IS_STUB = false; - this.FLASH_WRITE_SIZE = 0x4000; + this.FLASH_WRITE_SIZE = 0x400; this.transport = options.transport; this.baudrate = options.baudrate; @@ -670,13 +676,21 @@ export class ESPLoader { this.info("\n\r", false); if (!detecting) { - const chipMagicValue = (await this.readReg(0x40001000)) >>> 0; - this.debug("Chip Magic " + chipMagicValue.toString(16)); - const chip = await magic2Chip(chipMagicValue); - if (this.chip === null) { - throw new ESPError(`Unexpected CHIP magic value ${chipMagicValue}. Failed to autodetect chip type.`); - } else { - this.chip = chip as ROM; + try { + const chipMagicValue = (await this.readReg(0x40001000)) >>> 0; + this.debug("Chip Magic " + chipMagicValue.toString(16)); + const chip = await magic2Chip(chipMagicValue); + if (this.chip === null) { + throw new ESPError(`Unexpected CHIP magic value ${chipMagicValue}. Failed to autodetect chip type.`); + } else { + this.chip = chip as ROM; + } + } catch (error) { + if (error instanceof ESPError && error.message && error.message.indexOf("unsupported command error") !== -1) { + this.secureDownloadMode = true; + } else { + throw error; + } } } } @@ -695,6 +709,20 @@ export class ESPLoader { } } + /** + * Get the chip ID using the check command + * @returns {number} Chip ID + */ + async getChipId() { + const res = (await this.checkCommand( + "get security info", + this.ESP_GET_SECURITY_INFO, + new Uint8Array(0), + 0, + )) as Uint8Array; + return res[4 + 9 - 1]; + } + /** * Execute the command and check the command response. * @param {string} opDescription Command operation description. @@ -780,7 +808,10 @@ export class ESPLoader { * @param {number} hspiArg - Argument for SPI attachment */ async flashSpiAttach(hspiArg: number) { - const pkt = this._intToByteArray(hspiArg); + let pkt = this._intToByteArray(hspiArg); + if (!this.IS_STUB) { + pkt = this._appendArray(pkt, this._intToByteArray(0)); + } await this.checkCommand("configure SPI flash pins", this.ESP_SPI_ATTACH, pkt); } @@ -803,9 +834,10 @@ export class ESPLoader { * Start downloading to Flash (performs an erase) * @param {number} size Size to erase * @param {number} offset Offset to erase + * @param {boolean} encrypt Flag if encrypt * @returns {number} Number of blocks (of size self.FLASH_WRITE_SIZE) to write. */ - async flashBegin(size: number, offset: number) { + async flashBegin(size: number, offset: number, encrypt = false) { const numBlocks = Math.floor((size + this.FLASH_WRITE_SIZE - 1) / this.FLASH_WRITE_SIZE); const eraseSize = this.chip.getEraseSize(offset, size); @@ -822,7 +854,7 @@ export class ESPLoader { pkt = this._appendArray(pkt, this._intToByteArray(this.FLASH_WRITE_SIZE)); pkt = this._appendArray(pkt, this._intToByteArray(offset)); if (this.IS_STUB == false) { - pkt = this._appendArray(pkt, this._intToByteArray(0)); // XXX: Support encrypted + pkt = this._appendArray(pkt, this._intToByteArray(encrypt ? 1 : 0)); } await this.checkCommand("enter Flash download mode", this.ESP_FLASH_BEGIN, pkt, undefined, timeout); @@ -896,6 +928,31 @@ export class ESPLoader { await this.checkCommand("write to target Flash after seq " + seq, this.ESP_FLASH_DATA, pkt, checksum, timeout); } + /** + * Encrypt, write block to flash, retry if fail + * @param {Uint8Array} data Unsigned 8-bit array data. + * @param {number} seq Sequence number + * @param {number} timeout Timeout in milliseconds (ms) + */ + async flashEncryptBlock(data: Uint8Array, seq: number, timeout: number) { + if (this.chip.SUPPORTS_ENCRYPTED_FLASH && !this.IS_STUB) { + await this.flashBlock(data, seq, timeout); + } else { + let pkt = this._appendArray(this._intToByteArray(data.length), this._intToByteArray(seq)); + pkt = this._appendArray(pkt, this._intToByteArray(0)); + pkt = this._appendArray(pkt, this._intToByteArray(0)); + pkt = this._appendArray(pkt, data); + const checksum = this.checksum(data); + await this.checkCommand( + "Write encrypted to target Flash after seq " + seq, + this.ESP_FLASH_ENCRYPT_DATA, + pkt, + checksum, + timeout, + ); + } + } + /** * Write block to flash, send compressed, retry if fail * @param {Uint8Array} data Unsigned int 8-bit array data to write @@ -1335,13 +1392,13 @@ export class ESPLoader { aFlashSize = this.parseFlashSizeArg(flashSize); } - const flashParams = (aFlashMode << 8) | (aFlashFreq + aFlashSize); + const flashParams = (aFlashMode << 8) | (aFlashSize + aFlashFreq); this.info("Flash params set to " + flashParams.toString(16)); if (parseInt(image[2]) !== aFlashMode << 8) { image = image.substring(0, 2) + (aFlashMode << 8).toString() + image.substring(2 + 1); } - if (parseInt(image[3]) !== aFlashFreq + aFlashSize) { - image = image.substring(0, 3) + (aFlashFreq + aFlashSize).toString() + image.substring(3 + 1); + if (parseInt(image[3]) !== aFlashSize + aFlashFreq) { + image = image.substring(0, 3) + (aFlashSize + aFlashFreq).toString() + image.substring(3 + 1); } return image; } @@ -1367,6 +1424,11 @@ export class ESPLoader { let image: string, address: number; for (let i = 0; i < options.fileArray.length; i++) { this.debug("Data Length " + options.fileArray[i].data.length); + + let compress = options.compress; + if (compress && options.fileArray[i].encrypted) { + compress = false; + } image = options.fileArray[i].data; const reminder = options.fileArray[i].data.length % 4; if (reminder > 0) image += "\xff\xff\xff\xff".substring(4 - reminder); @@ -1384,12 +1446,12 @@ export class ESPLoader { } const uncsize = image.length; let blocks: number; - if (options.compress) { + if (compress) { const uncimage = this.bstrToUi8(image); image = this.ui8ToBstr(deflate(uncimage, { level: 9 })); blocks = await this.flashDeflBegin(uncsize, image.length, address); } else { - blocks = await this.flashBegin(uncsize, address); + blocks = await this.flashBegin(uncsize, address, options.fileArray[i].encrypted); } let seq = 0; let bytesSent = 0; @@ -1418,7 +1480,7 @@ export class ESPLoader { ); const block = this.bstrToUi8(image.slice(0, this.FLASH_WRITE_SIZE)); - if (options.compress) { + if (compress) { const lenUncompressedPrevious = totalLenUncompressed; inflate.push(block, false); const blockUncompressed = totalLenUncompressed - lenUncompressedPrevious; @@ -1436,7 +1498,11 @@ export class ESPLoader { timeout = blockTimeout; } } else { - throw new ESPError("Yet to handle Non Compressed writes"); + if (options.fileArray[i].encrypted) { + await this.flashEncryptBlock(block, seq, timeout); + } else { + await this.flashBlock(block, seq, timeout); + } } bytesSent += block.length; image = image.slice(this.FLASH_WRITE_SIZE, image.length); @@ -1448,7 +1514,7 @@ export class ESPLoader { } d = new Date(); const t = d.getTime() - t1; - if (options.compress) { + if (compress) { this.info( "Wrote " + uncsize + @@ -1461,7 +1527,7 @@ export class ESPLoader { " seconds.", ); } - if (calcmd5) { + if (calcmd5 && !options.fileArray[i].encrypted && !this.secureDownloadMode) { const res = await this.flashMd5sum(address, uncsize); if (new String(res).valueOf() != new String(calcmd5).valueOf()) { this.info("File md5: " + calcmd5); @@ -1476,7 +1542,8 @@ export class ESPLoader { if (this.IS_STUB) { await this.flashBegin(0, 0); - if (options.compress) { + const lastFileIndex = options.fileArray && options.fileArray.length ? options.fileArray.length - 1 : 0; + if (options.compress && lastFileIndex && !options.fileArray[lastFileIndex].encrypted) { await this.flashDeflFinish(); } else { await this.flashFinish(); @@ -1497,7 +1564,7 @@ export class ESPLoader { } async getFlashSize() { - this.debug("flash_id"); + this.debug("flash_size"); const flashid = await this.readFlashId(); const flidLowbyte = (flashid >> 16) & 0xff; return this.DETECTED_FLASH_SIZES_NUM[flidLowbyte]; diff --git a/src/targets/esp32.ts b/src/targets/esp32.ts index 6ef67f3c..e9471556 100644 --- a/src/targets/esp32.ts +++ b/src/targets/esp32.ts @@ -37,6 +37,8 @@ export class ESP32ROM extends ROM { public ROM_DATA = ESP32_STUB.data; public ROM_TEXT = ESP32_STUB.text; + public SUPPORTS_ENCRYPTED_FLASH = false; + public async readEfuse(loader: ESPLoader, offset: number): Promise { const addr = this.EFUSE_RD_REG_BASE + 4 * offset; loader.debug("Read efuse " + addr); diff --git a/src/targets/esp32c3.ts b/src/targets/esp32c3.ts index af65a081..c639a15d 100644 --- a/src/targets/esp32c3.ts +++ b/src/targets/esp32c3.ts @@ -36,6 +36,8 @@ export class ESP32C3ROM extends ROM { public ROM_DATA = ESP32C3_STUB.data; public ROM_TEXT = ESP32C3_STUB.text; + public SUPPORTS_ENCRYPTED_FLASH = true; + public async getPkgVersion(loader: ESPLoader): Promise { const numWord = 3; const block1Addr = this.EFUSE_BASE + 0x044; diff --git a/src/targets/esp32c6.ts b/src/targets/esp32c6.ts index 6d82e3bd..cf2b5020 100644 --- a/src/targets/esp32c6.ts +++ b/src/targets/esp32c6.ts @@ -36,6 +36,8 @@ export class ESP32C6ROM extends ROM { public ROM_DATA = ESP32C6_STUB.data; public ROM_TEXT = ESP32C6_STUB.text; + public SUPPORTS_ENCRYPTED_FLASH = true; + public async getPkgVersion(loader: ESPLoader) { const numWord = 3; const block1Addr = this.EFUSE_BASE + 0x044; diff --git a/src/targets/esp32h2.ts b/src/targets/esp32h2.ts index 4d2ccfaf..93a4c73d 100644 --- a/src/targets/esp32h2.ts +++ b/src/targets/esp32h2.ts @@ -40,6 +40,8 @@ export class ESP32H2ROM extends ROM { public ROM_DATA = ESP32H2_STUB.data; public ROM_TEXT = ESP32H2_STUB.text; + public SUPPORTS_ENCRYPTED_FLASH = true; + public async getChipDescription(loader: ESPLoader) { return this.CHIP_NAME; } diff --git a/src/targets/esp32s2.ts b/src/targets/esp32s2.ts index f23387a3..4677169b 100644 --- a/src/targets/esp32s2.ts +++ b/src/targets/esp32s2.ts @@ -36,6 +36,8 @@ export class ESP32S2ROM extends ROM { public ROM_DATA = ESP32S2_STUB.data; public ROM_TEXT = ESP32S2_STUB.text; + public SUPPORTS_ENCRYPTED_FLASH = true; + public async getPkgVersion(loader: ESPLoader): Promise { const numWord = 3; const block1Addr = this.EFUSE_BASE + 0x044; diff --git a/src/targets/esp32s3.ts b/src/targets/esp32s3.ts index 583a3f87..2736269b 100644 --- a/src/targets/esp32s3.ts +++ b/src/targets/esp32s3.ts @@ -40,6 +40,8 @@ export class ESP32S3ROM extends ROM { public ROM_DATA = ESP32S3_STUB.data; public ROM_TEXT = ESP32S3_STUB.text; + public SUPPORTS_ENCRYPTED_FLASH = true; + public async getChipDescription(loader: ESPLoader) { return "ESP32-S3"; } diff --git a/src/targets/esp8266.ts b/src/targets/esp8266.ts index 96ba8df5..9a6d4dd1 100644 --- a/src/targets/esp8266.ts +++ b/src/targets/esp8266.ts @@ -42,6 +42,8 @@ export class ESP8266ROM extends ROM { public ROM_DATA = ESP8266_STUB.data; public ROM_TEXT = ESP8266_STUB.text; + public SUPPORTS_ENCRYPTED_FLASH = false; + public async readEfuse(loader: ESPLoader, offset: number): Promise { const addr = this.EFUSE_RD_REG_BASE + 4 * offset; loader.debug("Read efuse " + addr); diff --git a/src/targets/rom.ts b/src/targets/rom.ts index 02146ded..b101e28c 100644 --- a/src/targets/rom.ts +++ b/src/targets/rom.ts @@ -100,4 +100,6 @@ export abstract class ROM { abstract UART_DATE_REG_ADDR: number; // not in esp8266 abstract TEXT_START: number; // abstract XTAL_CLK_DIVIDER: number; //esp32 + + abstract SUPPORTS_ENCRYPTED_FLASH: boolean; } From 2953127d8ec7dd828c2ee5d941d34af283ef528f Mon Sep 17 00:00:00 2001 From: Brian Ignacio Date: Fri, 31 May 2024 19:09:09 +0800 Subject: [PATCH 2/4] add FLASH_ENCRYPTED_WRITE_ALIGN check --- src/esploader.ts | 69 ++++++++++++++++++++++++++++++++++++++++-- src/targets/esp32.ts | 1 + src/targets/esp32c3.ts | 1 + src/targets/esp32c6.ts | 1 + src/targets/esp32h2.ts | 1 + src/targets/esp32s2.ts | 1 + src/targets/esp32s3.ts | 1 + src/targets/esp8266.ts | 1 + src/targets/rom.ts | 1 + 9 files changed, 74 insertions(+), 3 deletions(-) diff --git a/src/esploader.ts b/src/esploader.ts index 4ebe6006..748983d3 100644 --- a/src/esploader.ts +++ b/src/esploader.ts @@ -677,7 +677,7 @@ export class ESPLoader { if (!detecting) { try { - const chipMagicValue = (await this.readReg(0x40001000)) >>> 0; + const chipMagicValue = (await this.readReg(this.CHIP_DETECT_MAGIC_REG_ADDR)) >>> 0; this.debug("Chip Magic " + chipMagicValue.toString(16)); const chip = await magic2Chip(chipMagicValue); if (this.chip === null) { @@ -1418,6 +1418,46 @@ export class ESPLoader { } } + const encryptedFiles = options.fileArray.filter((f) => f.encrypted); + + if (encryptedFiles && encryptedFiles.length > 0) { + let doWrite = true; + for (let f of encryptedFiles) { + if (f.encrypted && this.chip.SUPPORTS_ENCRYPTED_FLASH && f.address % this.chip.FLASH_ENCRYPTED_WRITE_ALIGN) { + doWrite = false; + this.info(`File at address ${f.address} is not %d byte aligned, can't flash encrypted`); + } + } + if (!doWrite) { + let errMsg = + "Can't perform encrypted flash write,\n" + "consult Flash Encryption documentation for more information"; + this.debug(errMsg); + throw new ESPError(errMsg); + } + } else { + if (this.chip.CHIP_NAME !== "ESP32" && this.secureDownloadMode && this) { + throw new ESPError( + "WARNING: Detected flash encryption and " + + "secure download mode enabled.\n" + + "Flashing plaintext binary may brick your device! ", + ); + } + + // TO DO + // Add esp.get_security_info + // esp.get_encrypted_download_disabled() + // and esp.get_flash_encryption_enabled() + + if (!this.secureDownloadMode) { + throw new ESPError( + "WARNING: Detected flash encryption enabled and " + + "download manual encrypt disabled.\n" + + "Flashing plaintext binary may brick your device! " + + "Use --force to override the warning.", + ); + } + } + if (this.IS_STUB === true && options.eraseAll === true) { await this.eraseFlash(); } @@ -1563,11 +1603,34 @@ export class ESPLoader { this.info("Detected flash size: " + this.DETECTED_FLASH_SIZES[flidLowbyte]); } - async getFlashSize() { + async detectFlashSize(options?: FlashOptions) { this.debug("flash_size"); + if (this.secureDownloadMode) { + if (options && options.flashSize === "detect") { + const errMsg = + "Detecting flash size is not supported in secure download mode. Need to manually specify flash size."; + this.debug(errMsg); + throw new ESPError(errMsg); + } else { + return; + } + } const flashid = await this.readFlashId(); const flidLowbyte = (flashid >> 16) & 0xff; - return this.DETECTED_FLASH_SIZES_NUM[flidLowbyte]; + let flashSize = this.DETECTED_FLASH_SIZES[flidLowbyte]; + + if (options && options.flashSize === "detect") { + if (!flashSize) { + this.info( + `WARNING: Could not auto-detect Flash size. FlashID: ${flashid}, SizeId: ${flashSize}. Defaulting to 4MB.`, + ); + flashSize = "4MB"; + } else { + this.info(`Auto-detected Flash size: ${flashSize}`); + } + options.flashSize = flashSize; + } + return flashSize; } /** diff --git a/src/targets/esp32.ts b/src/targets/esp32.ts index e9471556..49618186 100644 --- a/src/targets/esp32.ts +++ b/src/targets/esp32.ts @@ -38,6 +38,7 @@ export class ESP32ROM extends ROM { public ROM_TEXT = ESP32_STUB.text; public SUPPORTS_ENCRYPTED_FLASH = false; + public FLASH_ENCRYPTED_WRITE_ALIGN = 32; public async readEfuse(loader: ESPLoader, offset: number): Promise { const addr = this.EFUSE_RD_REG_BASE + 4 * offset; diff --git a/src/targets/esp32c3.ts b/src/targets/esp32c3.ts index c639a15d..0ff40eab 100644 --- a/src/targets/esp32c3.ts +++ b/src/targets/esp32c3.ts @@ -37,6 +37,7 @@ export class ESP32C3ROM extends ROM { public ROM_TEXT = ESP32C3_STUB.text; public SUPPORTS_ENCRYPTED_FLASH = true; + public FLASH_ENCRYPTED_WRITE_ALIGN = 16; public async getPkgVersion(loader: ESPLoader): Promise { const numWord = 3; diff --git a/src/targets/esp32c6.ts b/src/targets/esp32c6.ts index cf2b5020..1d66d68c 100644 --- a/src/targets/esp32c6.ts +++ b/src/targets/esp32c6.ts @@ -37,6 +37,7 @@ export class ESP32C6ROM extends ROM { public ROM_TEXT = ESP32C6_STUB.text; public SUPPORTS_ENCRYPTED_FLASH = true; + public FLASH_ENCRYPTED_WRITE_ALIGN = 16; public async getPkgVersion(loader: ESPLoader) { const numWord = 3; diff --git a/src/targets/esp32h2.ts b/src/targets/esp32h2.ts index 93a4c73d..56c5ecce 100644 --- a/src/targets/esp32h2.ts +++ b/src/targets/esp32h2.ts @@ -41,6 +41,7 @@ export class ESP32H2ROM extends ROM { public ROM_TEXT = ESP32H2_STUB.text; public SUPPORTS_ENCRYPTED_FLASH = true; + public FLASH_ENCRYPTED_WRITE_ALIGN = 16; public async getChipDescription(loader: ESPLoader) { return this.CHIP_NAME; diff --git a/src/targets/esp32s2.ts b/src/targets/esp32s2.ts index 4677169b..d063a7b4 100644 --- a/src/targets/esp32s2.ts +++ b/src/targets/esp32s2.ts @@ -37,6 +37,7 @@ export class ESP32S2ROM extends ROM { public ROM_TEXT = ESP32S2_STUB.text; public SUPPORTS_ENCRYPTED_FLASH = true; + public FLASH_ENCRYPTED_WRITE_ALIGN = 16; public async getPkgVersion(loader: ESPLoader): Promise { const numWord = 3; diff --git a/src/targets/esp32s3.ts b/src/targets/esp32s3.ts index 2736269b..cbf3492a 100644 --- a/src/targets/esp32s3.ts +++ b/src/targets/esp32s3.ts @@ -41,6 +41,7 @@ export class ESP32S3ROM extends ROM { public ROM_TEXT = ESP32S3_STUB.text; public SUPPORTS_ENCRYPTED_FLASH = true; + public FLASH_ENCRYPTED_WRITE_ALIGN = 16; public async getChipDescription(loader: ESPLoader) { return "ESP32-S3"; diff --git a/src/targets/esp8266.ts b/src/targets/esp8266.ts index 9a6d4dd1..28acc75b 100644 --- a/src/targets/esp8266.ts +++ b/src/targets/esp8266.ts @@ -43,6 +43,7 @@ export class ESP8266ROM extends ROM { public ROM_TEXT = ESP8266_STUB.text; public SUPPORTS_ENCRYPTED_FLASH = false; + public FLASH_ENCRYPTED_WRITE_ALIGN = 16; public async readEfuse(loader: ESPLoader, offset: number): Promise { const addr = this.EFUSE_RD_REG_BASE + 4 * offset; diff --git a/src/targets/rom.ts b/src/targets/rom.ts index b101e28c..c33cdd96 100644 --- a/src/targets/rom.ts +++ b/src/targets/rom.ts @@ -102,4 +102,5 @@ export abstract class ROM { // abstract XTAL_CLK_DIVIDER: number; //esp32 abstract SUPPORTS_ENCRYPTED_FLASH: boolean; + abstract FLASH_ENCRYPTED_WRITE_ALIGN: number; } From ced37375fc59d4645060079766d0eba91fc826e9 Mon Sep 17 00:00:00 2001 From: Brian Ignacio Date: Fri, 31 May 2024 19:10:05 +0800 Subject: [PATCH 3/4] fix lint --- src/esploader.ts | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/esploader.ts b/src/esploader.ts index 748983d3..fb8e0853 100644 --- a/src/esploader.ts +++ b/src/esploader.ts @@ -1422,14 +1422,14 @@ export class ESPLoader { if (encryptedFiles && encryptedFiles.length > 0) { let doWrite = true; - for (let f of encryptedFiles) { + for (const f of encryptedFiles) { if (f.encrypted && this.chip.SUPPORTS_ENCRYPTED_FLASH && f.address % this.chip.FLASH_ENCRYPTED_WRITE_ALIGN) { doWrite = false; this.info(`File at address ${f.address} is not %d byte aligned, can't flash encrypted`); } } if (!doWrite) { - let errMsg = + const errMsg = "Can't perform encrypted flash write,\n" + "consult Flash Encryption documentation for more information"; this.debug(errMsg); throw new ESPError(errMsg); @@ -1442,9 +1442,8 @@ export class ESPLoader { "Flashing plaintext binary may brick your device! ", ); } - // TO DO - // Add esp.get_security_info + // Add esp.get_security_info // esp.get_encrypted_download_disabled() // and esp.get_flash_encryption_enabled() From 9f8c0f4f1d1e2c0f14a3c2879dc7929d779586b6 Mon Sep 17 00:00:00 2001 From: Brian Ignacio Date: Tue, 4 Jun 2024 20:00:50 +0800 Subject: [PATCH 4/4] secure boot flash encryption download disabled validation --- src/esploader.ts | 44 ++++++++++++++++++++++++++++++++++-------- src/targets/esp32.ts | 34 ++++++++++++++++++++++++++++++++ src/targets/esp32c2.ts | 30 ++++++++++++++++++++++++++++ src/targets/esp32c3.ts | 31 +++++++++++++++++++++++++++++ src/targets/esp32c6.ts | 30 ++++++++++++++++++++++++++++ src/targets/esp32h2.ts | 30 ++++++++++++++++++++++++++++ src/targets/esp32s2.ts | 30 ++++++++++++++++++++++++++++ src/targets/esp32s3.ts | 30 ++++++++++++++++++++++++++++ src/targets/esp8266.ts | 12 ++++++++++++ src/targets/rom.ts | 18 +++++++++++++++++ 10 files changed, 281 insertions(+), 8 deletions(-) diff --git a/src/esploader.ts b/src/esploader.ts index fb8e0853..f6ff6c6d 100644 --- a/src/esploader.ts +++ b/src/esploader.ts @@ -714,13 +714,29 @@ export class ESPLoader { * @returns {number} Chip ID */ async getChipId() { + const securityInfo = await this.getSecurityInfo(); + return securityInfo.chipId; + } + + /** + * Get the chip security information + * @returns {number} Chip Security Information + */ + async getSecurityInfo() { const res = (await this.checkCommand( "get security info", this.ESP_GET_SECURITY_INFO, new Uint8Array(0), 0, )) as Uint8Array; - return res[4 + 9 - 1]; + const esp32s2 = res && res.length === 12; + return { + flags: res[0], + flashCryptCnt: res[1], + keyPurposes: res.slice(2, 9), + chipId: esp32s2 ? undefined : res[9], + apiVersion: esp32s2 ? undefined : res[10], + }; } /** @@ -1422,6 +1438,16 @@ export class ESPLoader { if (encryptedFiles && encryptedFiles.length > 0) { let doWrite = true; + const isEncryptedDownloadDisabled = await this.chip.getEncryptedDownloadDisabled(this); + if (!this.secureDownloadMode && isEncryptedDownloadDisabled) { + const errMsg = + "This chip has encrypt functionality \n" + + "in UART download mode disabled. \n" + + "This is the Flash Encryption configuration for Production mode \n" + + "instead of Development mode."; + this.debug(errMsg); + throw new ESPError(errMsg); + } for (const f of encryptedFiles) { if (f.encrypted && this.chip.SUPPORTS_ENCRYPTED_FLASH && f.address % this.chip.FLASH_ENCRYPTED_WRITE_ALIGN) { doWrite = false; @@ -1434,20 +1460,22 @@ export class ESPLoader { this.debug(errMsg); throw new ESPError(errMsg); } - } else { - if (this.chip.CHIP_NAME !== "ESP32" && this.secureDownloadMode && this) { + } else if (this.chip.CHIP_NAME !== "ESP8266") { + const flashSecurityInfo = await this.getSecurityInfo(); + const flashCryptCntBinaryString = flashSecurityInfo.flashCryptCnt.toString(2); + const onesCount = flashCryptCntBinaryString.split("").filter((char) => char === "1").length & 1; + + if (this.chip.CHIP_NAME !== "ESP32" && this.secureDownloadMode && onesCount !== 0) { throw new ESPError( "WARNING: Detected flash encryption and " + "secure download mode enabled.\n" + "Flashing plaintext binary may brick your device! ", ); } - // TO DO - // Add esp.get_security_info - // esp.get_encrypted_download_disabled() - // and esp.get_flash_encryption_enabled() + const isEncryptedDownloadDisabled = await this.chip.getEncryptedDownloadDisabled(this); + const isFlashEncryptionEnabled = await this.chip.getFlashEncryptionEnabled(this); - if (!this.secureDownloadMode) { + if (!this.secureDownloadMode && isEncryptedDownloadDisabled && isFlashEncryptionEnabled) { throw new ESPError( "WARNING: Detected flash encryption enabled and " + "download manual encrypt disabled.\n" + diff --git a/src/targets/esp32.ts b/src/targets/esp32.ts index 49618186..9f942855 100644 --- a/src/targets/esp32.ts +++ b/src/targets/esp32.ts @@ -40,6 +40,40 @@ export class ESP32ROM extends ROM { public SUPPORTS_ENCRYPTED_FLASH = false; public FLASH_ENCRYPTED_WRITE_ALIGN = 32; + public EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT_REG = this.EFUSE_RD_REG_BASE + 0x18; + public EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT = 1 << 7; // EFUSE_RD_DISABLE_DL_ENCRYPT; + + public EFUSE_SPI_BOOT_CRYPT_CNT_REG = this.EFUSE_RD_REG_BASE; // EFUSE_BLK0_WDATA0_REG + public EFUSE_SPI_BOOT_CRYPT_CNT_MASK = 0x7f << 20; // EFUSE_FLASH_CRYPT_CNT + + public EFUSE_RD_ABS_DONE_REG = this.EFUSE_RD_REG_BASE + 0x018; + public EFUSE_RD_ABS_DONE_0_MASK = 1 << 4; + public EFUSE_RD_ABS_DONE_1_MASK = 1 << 5; + + public async getSecureBootEnabled(loader: ESPLoader): Promise { + const efuses = await loader.readReg(this.EFUSE_RD_ABS_DONE_REG); + const rev = await this.getChipRevision(loader); + return ( + (efuses & this.EFUSE_RD_ABS_DONE_0_MASK) !== 0 || (rev >= 300 && efuses & this.EFUSE_RD_ABS_DONE_1_MASK) !== 0 + ); + } + + public async getEncryptedDownloadDisabled(loader: ESPLoader): Promise { + return ( + ((await loader.readReg(this.EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT_REG)) & this.EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT) !== + 0 + ); + } + + public async getFlashEncryptionEnabled(loader: ESPLoader): Promise { + const flashCryptCounter = + (await loader.readReg(this.EFUSE_SPI_BOOT_CRYPT_CNT_REG)) & this.EFUSE_SPI_BOOT_CRYPT_CNT_MASK; + + const binaryString = flashCryptCounter.toString(2); + const onesCount = binaryString.split("").filter((char) => char === "1").length & 1; + return onesCount !== 0; + } + public async readEfuse(loader: ESPLoader, offset: number): Promise { const addr = this.EFUSE_RD_REG_BASE + 4 * offset; loader.debug("Read efuse " + addr); diff --git a/src/targets/esp32c2.ts b/src/targets/esp32c2.ts index 17620ab1..b2912985 100644 --- a/src/targets/esp32c2.ts +++ b/src/targets/esp32c2.ts @@ -37,6 +37,36 @@ export class ESP32C2ROM extends ESP32C3ROM { public ROM_DATA = ESP32C2_STUB.data; public ROM_TEXT = ESP32C2_STUB.text; + public EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT_REG = this.EFUSE_BASE + 0x30; + public EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT = 1 << 6; + + public EFUSE_SPI_BOOT_CRYPT_CNT_REG = this.EFUSE_BASE + 0x30; // EFUSE_BLK0_WDATA0_REG + public EFUSE_SPI_BOOT_CRYPT_CNT_MASK = 0x7 << 18; // EFUSE_FLASH_CRYPT_CNT + + public EFUSE_SECURE_BOOT_EN_REG = this.EFUSE_BASE + 0x038; + public EFUSE_SECURE_BOOT_EN_MASK = 1 << 20; + + public async getSecureBootEnabled(loader: ESPLoader): Promise { + const secureBootEnableReg = await loader.readReg(this.EFUSE_SECURE_BOOT_EN_REG); + return (secureBootEnableReg & this.EFUSE_SECURE_BOOT_EN_MASK) !== 0; + } + + public async getEncryptedDownloadDisabled(loader: ESPLoader): Promise { + return ( + ((await loader.readReg(this.EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT_REG)) & this.EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT) !== + 0 + ); + } + + public async getFlashEncryptionEnabled(loader: ESPLoader): Promise { + const flashCryptCounter = + (await loader.readReg(this.EFUSE_SPI_BOOT_CRYPT_CNT_REG)) & this.EFUSE_SPI_BOOT_CRYPT_CNT_MASK; + + const binaryString = flashCryptCounter.toString(2); + const onesCount = binaryString.split("").filter((char) => char === "1").length & 1; + return onesCount !== 0; + } + public async getPkgVersion(loader: ESPLoader): Promise { const numWord = 1; const block1Addr = this.EFUSE_BASE + 0x040; diff --git a/src/targets/esp32c3.ts b/src/targets/esp32c3.ts index 0ff40eab..4af37a94 100644 --- a/src/targets/esp32c3.ts +++ b/src/targets/esp32c3.ts @@ -39,6 +39,37 @@ export class ESP32C3ROM extends ROM { public SUPPORTS_ENCRYPTED_FLASH = true; public FLASH_ENCRYPTED_WRITE_ALIGN = 16; + public EFUSE_RD_REG_BASE = this.EFUSE_BASE + 0x030; + public EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT_REG = this.EFUSE_RD_REG_BASE + 0x30; + public EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT = 1 << 20; + + public EFUSE_SPI_BOOT_CRYPT_CNT_REG = this.EFUSE_BASE + 0x034; // EFUSE_BLK0_WDATA0_REG + public EFUSE_SPI_BOOT_CRYPT_CNT_MASK = 0x7 << 18; // EFUSE_FLASH_CRYPT_CNT + + public EFUSE_SECURE_BOOT_EN_REG = this.EFUSE_BASE + 0x038; + public EFUSE_SECURE_BOOT_EN_MASK = 1 << 20; + + public async getSecureBootEnabled(loader: ESPLoader): Promise { + const secureBootEnableReg = await loader.readReg(this.EFUSE_SECURE_BOOT_EN_REG); + return (secureBootEnableReg & this.EFUSE_SECURE_BOOT_EN_MASK) !== 0; + } + + public async getEncryptedDownloadDisabled(loader: ESPLoader): Promise { + return ( + ((await loader.readReg(this.EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT_REG)) & this.EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT) !== + 0 + ); + } + + public async getFlashEncryptionEnabled(loader: ESPLoader): Promise { + const flashCryptCounter = + (await loader.readReg(this.EFUSE_SPI_BOOT_CRYPT_CNT_REG)) & this.EFUSE_SPI_BOOT_CRYPT_CNT_MASK; + + const binaryString = flashCryptCounter.toString(2); + const onesCount = binaryString.split("").filter((char) => char === "1").length & 1; + return onesCount !== 0; + } + public async getPkgVersion(loader: ESPLoader): Promise { const numWord = 3; const block1Addr = this.EFUSE_BASE + 0x044; diff --git a/src/targets/esp32c6.ts b/src/targets/esp32c6.ts index 1d66d68c..326c6c82 100644 --- a/src/targets/esp32c6.ts +++ b/src/targets/esp32c6.ts @@ -39,6 +39,36 @@ export class ESP32C6ROM extends ROM { public SUPPORTS_ENCRYPTED_FLASH = true; public FLASH_ENCRYPTED_WRITE_ALIGN = 16; + public EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT_REG = this.EFUSE_BASE + 0x30; + public EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT = 1 << 20; + + public EFUSE_SPI_BOOT_CRYPT_CNT_REG = this.EFUSE_BASE + 0x034; // EFUSE_BLK0_WDATA0_REG + public EFUSE_SPI_BOOT_CRYPT_CNT_MASK = 0x7 << 18; // EFUSE_FLASH_CRYPT_CNT + + public EFUSE_SECURE_BOOT_EN_REG = this.EFUSE_BASE + 0x038; + public EFUSE_SECURE_BOOT_EN_MASK = 1 << 20; + + public async getSecureBootEnabled(loader: ESPLoader): Promise { + const secureBootEnableReg = await loader.readReg(this.EFUSE_SECURE_BOOT_EN_REG); + return (secureBootEnableReg & this.EFUSE_SECURE_BOOT_EN_MASK) !== 0; + } + + public async getEncryptedDownloadDisabled(loader: ESPLoader): Promise { + return ( + ((await loader.readReg(this.EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT_REG)) & this.EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT) !== + 0 + ); + } + + public async getFlashEncryptionEnabled(loader: ESPLoader): Promise { + const flashCryptCounter = + (await loader.readReg(this.EFUSE_SPI_BOOT_CRYPT_CNT_REG)) & this.EFUSE_SPI_BOOT_CRYPT_CNT_MASK; + + const binaryString = flashCryptCounter.toString(2); + const onesCount = binaryString.split("").filter((char) => char === "1").length & 1; + return onesCount !== 0; + } + public async getPkgVersion(loader: ESPLoader) { const numWord = 3; const block1Addr = this.EFUSE_BASE + 0x044; diff --git a/src/targets/esp32h2.ts b/src/targets/esp32h2.ts index 56c5ecce..d0e4d9a4 100644 --- a/src/targets/esp32h2.ts +++ b/src/targets/esp32h2.ts @@ -43,6 +43,36 @@ export class ESP32H2ROM extends ROM { public SUPPORTS_ENCRYPTED_FLASH = true; public FLASH_ENCRYPTED_WRITE_ALIGN = 16; + public EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT_REG = this.EFUSE_BASE + 0x30; + public EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT = 1 << 20; + + public EFUSE_SPI_BOOT_CRYPT_CNT_REG = this.EFUSE_BASE + 0x034; // EFUSE_BLK0_WDATA0_REG + public EFUSE_SPI_BOOT_CRYPT_CNT_MASK = 0x7 << 18; // EFUSE_FLASH_CRYPT_CNT + + public EFUSE_SECURE_BOOT_EN_REG = this.EFUSE_BASE + 0x038; + public EFUSE_SECURE_BOOT_EN_MASK = 1 << 20; + + public async getSecureBootEnabled(loader: ESPLoader): Promise { + const secureBootEnableReg = await loader.readReg(this.EFUSE_SECURE_BOOT_EN_REG); + return (secureBootEnableReg & this.EFUSE_SECURE_BOOT_EN_MASK) !== 0; + } + + public async getEncryptedDownloadDisabled(loader: ESPLoader): Promise { + return ( + ((await loader.readReg(this.EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT_REG)) & this.EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT) !== + 0 + ); + } + + public async getFlashEncryptionEnabled(loader: ESPLoader): Promise { + const flashCryptCounter = + (await loader.readReg(this.EFUSE_SPI_BOOT_CRYPT_CNT_REG)) & this.EFUSE_SPI_BOOT_CRYPT_CNT_MASK; + + const binaryString = flashCryptCounter.toString(2); + const onesCount = binaryString.split("").filter((char) => char === "1").length & 1; + return onesCount !== 0; + } + public async getChipDescription(loader: ESPLoader) { return this.CHIP_NAME; } diff --git a/src/targets/esp32s2.ts b/src/targets/esp32s2.ts index d063a7b4..f4e84802 100644 --- a/src/targets/esp32s2.ts +++ b/src/targets/esp32s2.ts @@ -39,6 +39,36 @@ export class ESP32S2ROM extends ROM { public SUPPORTS_ENCRYPTED_FLASH = true; public FLASH_ENCRYPTED_WRITE_ALIGN = 16; + public EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT_REG = this.EFUSE_BASE + 0x30; + public EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT = 1 << 19; + + public EFUSE_SPI_BOOT_CRYPT_CNT_REG = this.EFUSE_BASE + 0x034; // EFUSE_BLK0_WDATA0_REG + public EFUSE_SPI_BOOT_CRYPT_CNT_MASK = 0x7 << 18; // EFUSE_FLASH_CRYPT_CNT + + public EFUSE_SECURE_BOOT_EN_REG = this.EFUSE_BASE + 0x038; + public EFUSE_SECURE_BOOT_EN_MASK = 1 << 20; + + public async getSecureBootEnabled(loader: ESPLoader): Promise { + const secureBootEnableReg = await loader.readReg(this.EFUSE_SECURE_BOOT_EN_REG); + return (secureBootEnableReg & this.EFUSE_SECURE_BOOT_EN_MASK) !== 0; + } + + public async getEncryptedDownloadDisabled(loader: ESPLoader): Promise { + return ( + ((await loader.readReg(this.EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT_REG)) & this.EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT) !== + 0 + ); + } + + public async getFlashEncryptionEnabled(loader: ESPLoader): Promise { + const flashCryptCounter = + (await loader.readReg(this.EFUSE_SPI_BOOT_CRYPT_CNT_REG)) & this.EFUSE_SPI_BOOT_CRYPT_CNT_MASK; + + const binaryString = flashCryptCounter.toString(2); + const onesCount = binaryString.split("").filter((char) => char === "1").length & 1; + return onesCount !== 0; + } + public async getPkgVersion(loader: ESPLoader): Promise { const numWord = 3; const block1Addr = this.EFUSE_BASE + 0x044; diff --git a/src/targets/esp32s3.ts b/src/targets/esp32s3.ts index cbf3492a..f506be29 100644 --- a/src/targets/esp32s3.ts +++ b/src/targets/esp32s3.ts @@ -43,6 +43,36 @@ export class ESP32S3ROM extends ROM { public SUPPORTS_ENCRYPTED_FLASH = true; public FLASH_ENCRYPTED_WRITE_ALIGN = 16; + public EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT_REG = this.EFUSE_BASE + 0x30; + public EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT = 1 << 20; + + public EFUSE_SPI_BOOT_CRYPT_CNT_REG = this.EFUSE_BASE + 0x034; // EFUSE_BLK0_WDATA0_REG + public EFUSE_SPI_BOOT_CRYPT_CNT_MASK = 0x7 << 18; // EFUSE_FLASH_CRYPT_CNT + + public EFUSE_SECURE_BOOT_EN_REG = this.EFUSE_BASE + 0x038; + public EFUSE_SECURE_BOOT_EN_MASK = 1 << 20; + + public async getSecureBootEnabled(loader: ESPLoader): Promise { + const secureBootEnableReg = await loader.readReg(this.EFUSE_SECURE_BOOT_EN_REG); + return (secureBootEnableReg & this.EFUSE_SECURE_BOOT_EN_MASK) !== 0; + } + + public async getEncryptedDownloadDisabled(loader: ESPLoader): Promise { + return ( + ((await loader.readReg(this.EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT_REG)) & this.EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT) !== + 0 + ); + } + + public async getFlashEncryptionEnabled(loader: ESPLoader): Promise { + const flashCryptCounter = + (await loader.readReg(this.EFUSE_SPI_BOOT_CRYPT_CNT_REG)) & this.EFUSE_SPI_BOOT_CRYPT_CNT_MASK; + + const binaryString = flashCryptCounter.toString(2); + const onesCount = binaryString.split("").filter((char) => char === "1").length & 1; + return onesCount !== 0; + } + public async getChipDescription(loader: ESPLoader) { return "ESP32-S3"; } diff --git a/src/targets/esp8266.ts b/src/targets/esp8266.ts index 28acc75b..75740673 100644 --- a/src/targets/esp8266.ts +++ b/src/targets/esp8266.ts @@ -138,4 +138,16 @@ export class ESP8266ROM extends ROM { public getEraseSize(offset: number, size: number) { return size; } + + public async getEncryptedDownloadDisabled(loader: ESPLoader): Promise { + return false; + } + + public async getFlashEncryptionEnabled(loader: ESPLoader): Promise { + return false; + } + + public async getSecureBootEnabled(loader: ESPLoader) { + return false; + } } diff --git a/src/targets/rom.ts b/src/targets/rom.ts index c33cdd96..4fcf417e 100644 --- a/src/targets/rom.ts +++ b/src/targets/rom.ts @@ -75,6 +75,24 @@ export abstract class ROM { return size; } + /** + * Check if download has been disabled due to encryption + * @returns {boolean} Is encrypted download disabled (EFUSE_RD_DISABLE_DL_ENCRYPT). + */ + abstract getEncryptedDownloadDisabled(loader: ESPLoader): Promise; + + /** + * Check if flash encryption is enabled + * @returns {boolean} Is flash encryption enabled (EFUSE_FLASH_CRYPT_CNT). + */ + abstract getFlashEncryptionEnabled(loader: ESPLoader): Promise; + + /** + * Check if secure boot is enabled + * @returns {number} Is Secure boot enabled (EFUSE_RD_ABS_DONE_REG). + */ + abstract getSecureBootEnabled(loader: ESPLoader): Promise; + abstract FLASH_SIZES: { [key: string]: number }; abstract BOOTLOADER_FLASH_OFFSET: number;