Can OTA Update work with pre-encrypted application bin? #7740
rsiemens77 asked this question in Q&A · Unanswered
-
Have you found an answer to this question?
-
Hello @rsiemens77, I am working on the OTA functionality of the ESP32, and I am learning secure boot and firmware security. As part of that, I want to download a pre-encrypted bin file using the Update.h lib. But before doing the practical work I thought to search the web, and I came across this post. From what I can see, you were not able to perform OTA using a pre-encrypted key if you set release mode encryption instead of development. Could you please share how you managed to write that pre-encrypted firmware using OTA? Thank you
-
I followed the OTAWebUpdater example in my application, and was able to do OTA updates fine. I then turned on flash encryption in development mode. The OTA updates still work. The same bin is uploaded, and gets encrypted by the chip. But now I want to use flash encryption in production mode. The chip's ability to encrypt is disabled, which is what I want: I know the key and can create a pre-encrypted bin with ESP-IDF tools. This encrypted bin works fine for flashing over USB with ESP-IDF tools. But trying to use the OTA upload with this same file, I get "Wrong magic byte" errors. I see in the Updater.cpp code where these are generated.
I did some research and found users have had similar problems with the esp libraries. Some have claimed to work around this by updating the header check, using raw versions of the write calls, and using a bin generated with the correct address for the currently non-active OTA partition. I tried to make a version of Updater that does similar, and invokes esp_partition_write_raw. The upload now appears to complete successfully, but the new code never runs. I'm not sure what to try next.
Has anyone found a method to do OTA updates with a pre-encrypted bin? Or any ideas how I might get this working?
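The "Wrong magic byte" symptom from the question, seen from the host side, as an added example that is not code from the thread or from Updater.cpp: a plaintext ESP image starts with 0xE9 and an application image carries the `esp_app_desc_t` magic word at offset 0x20, whereas a pre-encrypted file is ciphertext from its first byte. The function names, the 7.5 bits/byte threshold and both sample blobs are assumptions constructed for this illustration.

```python
import hashlib
import math
import struct
from collections import Counter

ESP_IMAGE_HEADER_MAGIC = 0xE9    # first byte of a plaintext ESP image
ESP_IMAGE_MAX_SEGMENTS = 16
ESP_APP_DESC_MAGIC = 0xABCD5432  # esp_app_desc_t.magic_word
APP_DESC_OFFSET = 24 + 8         # image header + first segment header


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_image(data: bytes) -> str:
    """Return 'plaintext-app', 'plaintext-image', 'likely-encrypted' or 'unknown'."""
    if len(data) < APP_DESC_OFFSET + 4:
        return "unknown"
    if data[0] == ESP_IMAGE_HEADER_MAGIC and 1 <= data[1] <= ESP_IMAGE_MAX_SEGMENTS:
        (desc_magic,) = struct.unpack_from("<I", data, APP_DESC_OFFSET)
        return "plaintext-app" if desc_magic == ESP_APP_DESC_MAGIC else "plaintext-image"
    # No valid header: near-random bytes in the first 4 KiB are consistent with
    # a pre-encrypted file, which a first-byte magic check can only reject.
    return "likely-encrypted" if shannon_entropy(data[:4096]) > 7.5 else "unknown"


def constructed_plaintext_app() -> bytes:
    """Constructed sample: minimal header, one segment header, app descriptor magic."""
    header = bytes([ESP_IMAGE_HEADER_MAGIC, 1]) + bytes(22)
    segment = struct.pack("<II", 0x3F400020, 256)  # made-up load address and length
    return header + segment + struct.pack("<I", ESP_APP_DESC_MAGIC) + bytes(252)


def constructed_opaque() -> bytes:
    """Constructed sample: SHA-256 counter stream standing in for ciphertext."""
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    return b"\x3c" + stream[1:]  # first byte pinned so it is not 0xE9


if __name__ == "__main__":
    for name, blob in [("plaintext", constructed_plaintext_app()), ("opaque", constructed_opaque())]:
        print(f"{name}: first byte 0x{blob[0]:02X}, {shannon_entropy(blob[:4096]):.2f} bits/byte -> {classify_image(blob)}")
```

The entropy result is a hint about the file's contents, not proof that it was encrypted with the device's key or for the intended flash offset.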