Flash Encryption invalid header: 0x6b6df5f7 (IDFGH-12232)

[srikanthpalvai]

Answers checklist.

• I have read the documentation ESP-IDF Programming Guide and the issue is not addressed there.
• I have updated my IDF branch (master or release) to the latest version and checked that the issue is present there.
• I have searched the issue tracker for a similar issue and not found a similar issue.

General issue report

Hi, I am trying to enable the Flash encryption and secure boot feature for my ESP32.
But I ended up with the invalid header: 0x6b6df5f7.

Steps followed on esp-idf-v5.1.2\examples\security\flash_encryption example

1. idf.py set-target esp32
2. idf.py menuconfig -> Enable Security features -> Bootloader Reflashbale, Flash Encryption Development & Didn't touch the Potentially insecure options.
3. idf.py build
   -> Got error
   ninja: error: 'C:/esp/Espressif/frameworks/esp-idf-v5.1.2/examples/security/flash_encryption/secure_boot_signing_key.pem', needed by 'signature_verification_key.bin', missing and no known rule to make it
   -> Generated secure_boot_signing_key.pem file
   espsecure.py generate_signing_key secure_boot_signing_key.pem
4. idf.py build
5. espefuse.py --port COM5 burn_efuse FLASH_CRYPT_CONFIG 0x0F
6. espefuse.py --port COM5 burn_efuse FLASH_CRYPT_CNT
7. As per the build log. Followed the
   esptool.py --chip esp32 --port=(PORT) --baud=(BAUD) --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 2MB 0x1000 C:/esp/Espressif/frameworks/esp-idf-v5.1.2/examples/security/flash_encryption/build/bootloader/bootloader.bin

esptool.py -p (PORT) -b 460800 --before default_reset --after no_reset --chip esp32 write_flash --flash_mode dio --flash_size 2MB --flash_freq 40m 0xd000 build\partition_table\partition-table.bin 0x20000 build\flash_encryption.bin

8. idf.py -p COM5 monitor
   -> Got error
   Executing action: monitor
   Running idf_monitor in directory C:\esp\Espressif\frameworks\esp-idf-v5.1.2\examples\security\flash_encryption
   Executing "C:\esp\Espressif\python_env\idf5.1_py3.11_env\Scripts\python.exe C:\esp\Espressif\frameworks\esp-idf-v5.1.2\tools/idf_monitor.py -p COM5 -b 115200 --toolchain-prefix xtensa-esp32-elf- --target esp32 --revision 0 C:\esp\Espressif\frameworks\esp-idf-v5.1.2\examples\security\flash_encryption\build\flash_encryption.elf --force-color -m 'C:\esp\Espressif\python_env\idf5.1_py3.11_env\Scripts\python.exe' 'C:\esp\Espressif\frameworks\esp-idf-v5.1.2\tools\idf.py' '-p' 'COM5'"...
   --- WARNING: GDB cannot open serial ports accessed as COMx
   --- Using \.\COM5 instead...
   --- esp-idf-monitor 1.3.3 on \.\COM5 115200 ---
   --- Quit: Ctrl+] | Menu: Ctrl+T | Help: Ctrl+T followed by Ctrl+H ---
   ets Jul 29 2019 12:21:46

   rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
   invalid header: 0x6b6df5f7
   invalid header: 0x6b6df5f7
   invalid header: 0x6b6df5f7
   invalid header: 0x6b6df5f7
   invalid header: 0x6b6df5f7
   invalid header: 0x6b6df5f7
   invalid header: 0x6b6df5f7
   invalid header: 0x6b6df5f7
   ets Jul 29 2019 12:21:46

   rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
   invalid header: 0x6b6df5f7
   invalid header: 0x6b6df5f7
   invalid header: 0x6b6df5f7

9. idf.py -p PORT encrypted-app-flash monitor
   idf.py -p PORT encrypted-flash monitor
   -> Got Error
   Crystal is 40MHz
   MAC: c4:de:e2:65:8f:b4
   Uploading stub...
   Running stub...
   Stub running...
   Changing baud rate to 460800
   Changed.
   Configuring flash size...
   Flash encryption key is not programmed

   A fatal error occurred: Can't perform encrypted flash write, consult Flash Encryption documentation for more information
   CMake Error at run_serial_tool.cmake:66 (message):

10. espefuse.py -p COM5 summary

PS C:\esp\Espressif\frameworks\esp-idf-v5.1.2\examples\security\flash_encryption> espefuse.py -p COM5 summary
espefuse.py v4.7.dev3
Connecting....
Detecting chip type... Unsupported detection protocol, switching and trying again...
Connecting....
Detecting chip type... ESP32

=== Run "summary" command ===
EFUSE_NAME (Block) Description = [Meaningful Value] [Readable/Writeable] (Hex Value)

Calibration fuses:
ADC_VREF (BLOCK0) True ADC reference voltage = 1114 R/W (0b00010)

Config fuses:
WR_DIS (BLOCK0) Efuse write disable mask = 256 R/W (0x0100)
RD_DIS (BLOCK0) Disable reading from BlOCK1-3 = 2 R/W (0x2)
DISABLE_APP_CPU (BLOCK0) Disables APP CPU = False R/W (0b0)
DISABLE_BT (BLOCK0) Disables Bluetooth = False R/W (0b0)
DIS_CACHE (BLOCK0) Disables cache = False R/W (0b0)
CHIP_CPU_FREQ_LOW (BLOCK0) If set alongside EFUSE_RD_CHIP_CPU_FREQ_RATED; the = False R/W (0b0)
ESP32's max CPU frequency is rated for 160MHz. 24
0MHz otherwise
CHIP_CPU_FREQ_RATED (BLOCK0) If set; the ESP32's maximum CPU frequency has been = True R/W (0b1)
rated
BLK3_PART_RESERVE (BLOCK0) BLOCK3 partially served for ADC calibration data = False R/W (0b0)
CLK8M_FREQ (BLOCK0) 8MHz clock freq override = 50 R/W (0x32)
VOL_LEVEL_HP_INV (BLOCK0) This field stores the voltage level for CPU to run = 0 R/W (0b00)
at 240 MHz; or for flash/PSRAM to run at 80 MHz.0
x0: level 7; 0x1: level 6; 0x2: level 5; 0x3: leve
l 4. (RO)
CODING_SCHEME (BLOCK0) Efuse variable block length scheme
= NONE (BLK1-3 len=256 bits) R/W (0b00)
CONSOLE_DEBUG_DISABLE (BLOCK0) Disable ROM BASIC interpreter fallback = True R/W (0b1)
DISABLE_SDIO_HOST (BLOCK0) = False R/W (0b0)
DISABLE_DL_CACHE (BLOCK0) Disable flash cache in UART bootloader = False R/W (0b0)

Flash fuses:
FLASH_CRYPT_CNT (BLOCK0) Flash encryption is enabled if this field has an o = 127 R/W (0b1111111)
dd number of bits set
FLASH_CRYPT_CONFIG (BLOCK0) Flash encryption config (key tweak bits) = 15 R/W (0xf)

Identity fuses:
CHIP_PACKAGE_4BIT (BLOCK0) Chip package identifier #4bit = False R/W (0b0)
CHIP_PACKAGE (BLOCK0) Chip package identifier = 1 R/W (0b001)
CHIP_VER_REV1 (BLOCK0) bit is set to 1 for rev1 silicon = True R/W (0b1)
CHIP_VER_REV2 (BLOCK0) = True R/W (0b1)
WAFER_VERSION_MINOR (BLOCK0) = 0 R/W (0b00)
WAFER_VERSION_MAJOR (BLOCK0) calc WAFER VERSION MAJOR from CHIP_VER_REV1 and CH = 3 R/W (0b011)
IP_VER_REV2 and apb_ctl_date (read only)
PKG_VERSION (BLOCK0) calc Chip package = CHIP_PACKAGE_4BIT << 3 + CHIP_ = 1 R/W (0x1)
PACKAGE (read only)

Jtag fuses:
JTAG_DISABLE (BLOCK0) Disable JTAG = False R/W (0b0)

Mac fuses:
MAC (BLOCK0) MAC address
= c4:de:e2:65:8f:b4 (CRC 0x05 OK) R/W
MAC_CRC (BLOCK0) CRC8 for MAC address = 5 R/W (0x05)
MAC_VERSION (BLOCK3) Version of the MAC field = 0 R/W (0x00)

Security fuses:
UART_DOWNLOAD_DIS (BLOCK0) Disable UART download mode. Valid for ESP32 V3 and = False R/W (0b0)
newer; only
ABS_DONE_0 (BLOCK0) Secure boot V1 is enabled for bootloader image = False R/W (0b0)
ABS_DONE_1 (BLOCK0) Secure boot V2 is enabled for bootloader image = False R/W (0b0)
DISABLE_DL_ENCRYPT (BLOCK0) Disable flash encryption in UART bootloader = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0) Disable flash decryption in UART bootloader = False R/W (0b0)
KEY_STATUS (BLOCK0) Usage of efuse block 3 (reserved) = False R/W (0b0)
SECURE_VERSION (BLOCK3) Secure version for anti-rollback = 0 R/W (0x00000000)
BLOCK1 (BLOCK1) Flash encryption key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK2 (BLOCK2) Security boot key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK3 (BLOCK3) Variable Block 3
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Spi Pad fuses:
SPI_PAD_CONFIG_HD (BLOCK0) read for SPI_pad_config_hd = 0 R/W (0b00000)
SPI_PAD_CONFIG_CLK (BLOCK0) Override SD_CLK pad (GPIO6/SPICLK) = 0 R/W (0b00000)
SPI_PAD_CONFIG_Q (BLOCK0) Override SD_DATA_0 pad (GPIO7/SPIQ) = 0 R/W (0b00000)
SPI_PAD_CONFIG_D (BLOCK0) Override SD_DATA_1 pad (GPIO8/SPID) = 0 R/W (0b00000)
SPI_PAD_CONFIG_CS0 (BLOCK0) Override SD_CMD pad (GPIO11/SPICS0) = 0 R/W (0b00000)

Vdd fuses:
XPD_SDIO_REG (BLOCK0) read for XPD_SDIO_REG = False R/W (0b0)
XPD_SDIO_TIEH (BLOCK0) If XPD_SDIO_FORCE & XPD_SDIO_REG = 1.8V R/W (0b0)
XPD_SDIO_FORCE (BLOCK0) Ignore MTDI pin (GPIO12) for VDD_SDIO on reset = False R/W (0b0)

Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V)

Burn secure boot key to efuse.txt
First time flash command.txt

idf build.log



Summary.txt

For reference, I have followed the below links to resolve, but no luck:
#10927
espressif/arduino-esp32#1387
https://medium.com/@kattelroshan1/esp32-firmware-encryption-a53eb1c9bf9c

Tried disabling Flash Encryption.
https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/flash-encryption.html#disabling-flash-encryption

As It can only be done three times per chip, So tried like below,

@mahavirj Could you please help me here?

[AdityaHPatwardhan]

Hi @srikanthpalvai
From looking at the eFuse summary. It seems that the flash encryption key is not burned for the device and FLASH_CRYPT_CNT is not set as well.
But the commands that you have added afterwards show that the FLASH_CRYPT_CNT has been burned to 127 (Max value possible)

If I understand correctly, FLASH_CRYPT_CNT is burned but Flash encryption key is not burned.
Please checkout this host based workflow
https://docs.espressif.com/projects/esp-idf/en/stable/esp32/security/host-based-security-workflows.html#enable-flash-encryption-externally
It may be the reason why you are getting the invalid header error.

Can you go through the process once again?
You may skip the FLASH_CRYPT_CNT burning process if it is not required for you. Please make sure to sign the binaries before flashing them.

[AdityaHPatwardhan]

Closing the issue due to lack of response.
@srikanthpalvai Please re-open if the above comment does not help you to solve your issue.
Thanks,
Aditya