
Mongoose OS Forum


Disable Flash Encryption

Is there a command to disable flash encryption with Mongoose OS?


  • Sergey (Dublin, Ireland)

    If the flash is encrypted, there is no way back.
    Flash encryption is irreversible.

  • rojer (Dublin, Ireland)
    edited August 2017

    Actually, you can enable and disable it 4 times. After the 4th time the device is left unencrypted and cannot be encrypted again. Here's how it works.
    The ESP32 has a set of fuses that start at 0 and can be permanently set to 1 (burned). You can get their status with an eXtended mos command: mos -X esp32-efuse-get
    There are many fuses, but we'll focus on one, flash_crypt_cnt, which controls the flash encryption status:

    $ mos -X esp32-efuse-get flash_crypt_cnt
    Using port /dev/ttyUSB0
    Opening /dev/ttyUSB0 @ 115200...
    Connecting to ESP32 ROM, attempt 1 of 10...
    flash_crypt_cnt      : 0x01

    On an unencrypted device it's 0, and on a device that's been encrypted for the first time it's 1.
    It is an 8-bit field, and the encryption status is controlled by bit parity: how many bits are set to 1. If the number of 1s is even (or 0), encryption is disabled; if it's odd, encryption is enabled.
    So, you can "unencrypt" an encrypted device by making the number of 1s in this field even. Since bits cannot be reset, the next value with an even number of 1s is 3:

    $ mos -X esp32-efuse-set flash_crypt_cnt=3 --dry-run=false
    Using port /dev/ttyUSB0
    Opening /dev/ttyUSB0 @ 115200...
    Connecting to ESP32 ROM, attempt 1 of 10...
    flash_crypt_cnt      : 0x01 -> 0x03
    Programming eFuses...

    This will not let you read the firmware, and the device will no longer boot since the encrypted contents of the SPI flash are no longer being decrypted, but you can now flash it again with unencrypted firmware (without applying the key). The key previously burned into it remains in place (in the flash_encryption_key efuse block).
    You can re-enable encryption by setting flash_crypt_cnt to 7, and so on: 15 - unencrypted, 31 - encrypted, 63 - unenc, 127 - enc, 255 - unenc. After this, encryption can no longer be enabled again because there are no more bits in the field.
    It is also impossible to change the key, as efuse block 1 (flash_encryption_key) is both read and write protected after initial encryption, so you can only re-enable encryption with a key that was previously programmed.

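The parity rule in the post above is easy to get wrong by hand, and a wrong value burned into an eFuse cannot be undone. The following is an added example (not code from the thread, Mongoose OS or Espressif) that models the rule as the post states it: flash_crypt_cnt is taken to be an 8-bit field whose bits can only go from 0 to 1, and encryption is on exactly when the field has an odd number of 1 bits. Both of those are assumptions lifted from the post, not verified here against Espressif documentation. It gives you the check you want before typing `mos -X esp32-efuse-set flash_crypt_cnt=<N> --dry-run=false`: is N reachable by burning only, and does it actually flip the encryption state? It also generalises the 1, 3, 7, 15 ... sequence by computing the next toggle value from any current field value, not just the ones listed in the post.

```python
"""Model of the ESP32 flash_crypt_cnt parity rule as described in the forum post.

Assumptions (taken from the post, not independently verified):
  - flash_crypt_cnt is an 8-bit eFuse field; a write can only set bits 0 -> 1
  - flash encryption is enabled iff the field contains an odd number of 1 bits
"""

FIELD_BITS = 8                    # assumed width, per the post
FIELD_MASK = (1 << FIELD_BITS) - 1


def popcount(value: int) -> int:
    """Number of 1 bits in the field."""
    return bin(value & FIELD_MASK).count("1")


def encryption_enabled(cnt: int) -> bool:
    """Odd parity means encryption on; even parity (including 0) means off."""
    return popcount(cnt) % 2 == 1


def burn_reachable(current: int, target: int) -> bool:
    """An eFuse write only sets bits, so target must keep every bit already set in current."""
    in_range = (target & ~FIELD_MASK) == 0
    clears_nothing = (current & ~target & FIELD_MASK) == 0
    return in_range and clears_nothing


def validate_transition(current: int, target: int) -> None:
    """Pre-flight check for `mos -X esp32-efuse-set flash_crypt_cnt=<target>`.

    Raises ValueError if the write would try to clear a burned bit, or would burn
    bits without changing the encryption state (wasting irreversible toggles).
    """
    if not burn_reachable(current, target):
        raise ValueError(
            f"0x{target:02x} would clear bits already burned in 0x{current:02x}")
    if encryption_enabled(current) == encryption_enabled(target):
        raise ValueError(
            f"0x{current:02x} -> 0x{target:02x} does not change the encryption state")


def next_toggle(current: int):
    """Smallest reachable value that flips the encryption state, or None when exhausted.

    Burning exactly one more bit always flips parity; burning the lowest clear bit
    yields the 1 -> 3 -> 7 -> ... -> 255 sequence quoted in the post.
    """
    current &= FIELD_MASK
    if current == FIELD_MASK:
        return None
    lowest_clear = (~current) & (current + 1)   # isolates the lowest 0 bit
    return current | lowest_clear


def toggles_remaining(current: int) -> int:
    """How many more enable/disable flips the field can absorb before it is exhausted."""
    return FIELD_BITS - popcount(current)


def toggle_sequence(start: int):
    """All states from `start` until no bits are left, as (value, enabled) pairs."""
    cur = start & FIELD_MASK
    seq = [(cur, encryption_enabled(cur))]
    nxt = next_toggle(cur)
    while nxt is not None:
        seq.append((nxt, encryption_enabled(nxt)))
        cur = nxt
        nxt = next_toggle(cur)
    return seq


if __name__ == "__main__":
    for value, enabled in toggle_sequence(0):
        state = "ENABLED" if enabled else "disabled"
        print(f"flash_crypt_cnt=0x{value:02x} ({value:3d}) -> encryption {state}")
    validate_transition(0x01, 0x03)          # the step shown in the post: accepted
    try:
        validate_transition(0x03, 0x01)      # would need to clear bit 1: rejected
    except ValueError as err:
        print("rejected:", err)
```

Run it as a script to print the full toggle table from a fresh device; call validate_transition(current, target) with the value you read back from `mos -X esp32-efuse-get flash_crypt_cnt` before burning anything. Note that next_toggle picks the minimal value; any superset of the current bits with opposite parity would also work, but it spends more of the field's limited toggles.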