Can OTA Update work with pre-encrypted application bin? #7740

Unanswered
rsiemens77 asked this question in Q&A

I followed the OTAWebUpdater example in my application, and was able to do OTA updates fine. I then turned on flash encryption in development mode. The OTA updates still work. The same bin is uploaded, and gets encrypted by the chip. But now I want to use flash encryption in production mode. The chip's ability to encrypt is disabled, which is what I want: I know the key and can create a pre-encrypted bin with ESP-IDF tools. This encrypted bin works fine for flashing over USB with ESP-IDF tools. But trying to use the OTA upload with this same file, I get "Wrong magic byte" errors. I see in the Updater.cpp code where these are generated.

I did some research and found users have had similar problems with the esp libraries. Some have claimed to work around this by updating the header check, using raw versions of the write calls, and using a bin generated with the correct address for the currently non-active OTA partition. I tried to make a version of Updater that does similar, and invokes esp_partition_write_raw. The upload now appears to complete successfully, but the new code never runs. I'm not sure what to try next.

Has anyone found a method to do OTA updates with pre-encrypted bin? Or any ideas how I might get this working?


Replies: 2 comments 2 replies


Have you found an answer to this question?

1 reply

I had to write a custom solution, as I did not care for the official method as discussed here:

https://esp32.com/viewtopic.php?f=13&t=31410


Hello @rsiemens77,

I am working on the OTA functionality of the ESP32, and I am learning secure boot and firmware security. As part of that, I want to download a pre-encrypted bin file using the Update.h lib. But before trying it in practice, I thought I would search the web, and I came across this post.

From what I can see, you were not able to perform OTA using a pre-encrypted key if you set release mode encryption instead of development. Could you please share how you managed to write that pre-encrypted firmware using OTA?

Thank you

1 reply
You can duplicate the OTA procedure and switch to use esp_partition_write_raw to write the encrypted data.
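
The "Wrong magic byte" error in the question comes from a header check: a plaintext ESP32 app image starts with the byte 0xE9, while a pre-encrypted bin is ciphertext from its first byte. The following host-side check is an added example, not code from this thread or from the Arduino core; it classifies a .bin before it is served for OTA. The function names, the `safe_to_publish` gate and the sample images are constructed for illustration, and the XOR "ciphertext" is only a stand-in for real flash encryption.

```python
import struct

ESP_IMAGE_MAGIC = 0xE9   # first byte of a plaintext ESP32 app image
HEADER_LEN = 24          # 8-byte header + 16-byte extended header
CHECKSUM_SEED = 0xEF     # XOR checksum over segment data starts from this


def build_sample_image(payload: bytes) -> bytes:
    """Constructed one-segment plaintext image (sample data, not real firmware)."""
    header = struct.pack("<BBBBI", ESP_IMAGE_MAGIC, 1, 2, 0x20, 0x40080000)
    body = header + bytes(16) + struct.pack("<II", 0x3FFB0000, len(payload)) + payload
    body += bytes(15 - len(body) % 16)       # pad; checksum is last byte of the block
    checksum = CHECKSUM_SEED
    for b in payload:
        checksum ^= b
    return body + bytes([checksum])


def classify_image(data: bytes) -> str:
    """Return 'plaintext-image', 'no-magic' or 'bad-structure'."""
    if len(data) < HEADER_LEN or data[0] != ESP_IMAGE_MAGIC:
        return "no-magic"                     # ciphertext, or not an app image
    offset, checksum = HEADER_LEN, CHECKSUM_SEED
    for _ in range(data[1]):                  # data[1] = segment count
        if offset + 8 > len(data):
            return "bad-structure"
        _load_addr, seg_len = struct.unpack_from("<II", data, offset)
        offset += 8
        if offset + seg_len > len(data):
            return "bad-structure"
        for b in data[offset:offset + seg_len]:
            checksum ^= b
        offset += seg_len
    end = offset + 16 - offset % 16           # checksum byte sits at end - 1
    if end > len(data) or data[end - 1] != checksum:
        return "bad-structure"
    return "plaintext-image"


def safe_to_publish(data: bytes, fleet_uses_preencrypted: bool) -> bool:
    """Hypothetical release gate: artifact kind must match the fleet's OTA path."""
    is_plain = classify_image(data) == "plaintext-image"
    return not is_plain if fleet_uses_preencrypted else is_plain


if __name__ == "__main__":
    plain = build_sample_image(b"constructed firmware payload")
    standin = bytes(b ^ 0x5A for b in plain)  # stand-in ciphertext, NOT ESP32 flash encryption
    print(classify_image(plain), classify_image(standin))
    print(safe_to_publish(plain, fleet_uses_preencrypted=True))
```

A "no-magic" result only shows that the file is not a plaintext image; confirming that it is valid ciphertext for a given device requires the flash encryption key.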
