esptool: add a warning when write_flash operation can potentially

brick the device Cases considered: - secure_download_mode and flash encryption is enabled - encrypted download is disabled and flash encryption is enabled
espressif · Feb 7, 2023 · 0be5fcd · 0be5fcd
1 parent f3c6aec
commit 0be5fcd
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 0 deletions.
diff --git a/docs/en/esptool/basic-commands.rst b/docs/en/esptool/basic-commands.rst
@@ -69,6 +69,25 @@ Use the ``-e/--erase-all`` option to erase all flash sectors (not just the write
 
     This behavior can be overridden with the ``--force`` option. **Use this only at your own risk and only if you know what you are doing!**
 
+
+    Encrypted Flash Protection
+    ^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+    .. only:: esp32
+
+        Overwriting the encrypted firmware (bootloader, application, etc.) without the ``--encrypt`` option is disabled, if `Flash Encryption <https://docs.espressif.com/projects/esp-idf/en/latest/{IDF_TARGET_PATH_NAME}/security/flash-encryption.html>`_ is enabled and Encrypted Download being disabled (efuse bit ``EFUSE_DISABLE_DL_ENCRYPT`` is set).
+
+    .. only:: not esp32
+
+        Overwriting the encrypted firmware (bootloader, application, etc.) without the ``--encrypt`` option is disabled, if:
+
+        *  `Flash Encryption <https://docs.espressif.com/projects/esp-idf/en/latest/{IDF_TARGET_PATH_NAME}/security/flash-encryption.html>`_ and Secure Download Mode are enabled or
+        *  `Flash Encryption <https://docs.espressif.com/projects/esp-idf/en/latest/{IDF_TARGET_PATH_NAME}/security/flash-encryption.html>`_ is enabled but Encrypted Download is disabled (efuse bit ``EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT`` is set).
+
+    This is a safety measure to prevent accidentally overwriting the encrypted firmware with a plaintext binary, which **can ultimately lead to bricking the device**.
+
+    This behavior can be overridden with the ``--force`` option. **Use this option provided that the flash encryption key is generated external to the device and you could perform the encryption on the host machine.**
+
     Flashing an Incompatible Image
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

diff --git a/esptool/cmds.py b/esptool/cmds.py
@@ -422,6 +422,32 @@ def write_flash(esp, args):
                 "Can't perform encrypted flash write, "
                 "consult Flash Encryption documentation for more information"
             )
+    else:
+        if not args.force and esp.CHIP_NAME != "ESP8266":
+            # ESP32 does not support `get_security_info()` and `secure_download_mode`
+            if (
+                esp.CHIP_NAME != "ESP32"
+                and esp.secure_download_mode
+                and bin(esp.get_security_info()["flash_crypt_cnt"]).count("1") & 1 != 0
+            ):
+                raise FatalError(
+                    "WARNING: Detected flash encryption and "
+                    "secure download mode enabled.\n"
+                    "Flashing plaintext binary may brick your device! "
+                    "Use --force to override the warning."
+                )
+
+            if (
+                not esp.secure_download_mode
+                and esp.get_encrypted_download_disabled()
+                and esp.get_flash_encryption_enabled()
+            ):
+                raise FatalError(
+                    "WARNING: Detected flash encryption enabled and "
+                    "download manual encrypt disabled.\n"
+                    "Flashing plaintext binary may brick your device! "
+                    "Use --force to override the warning."
+                )
 
     # verify file sizes fit in flash
     if args.flash_size != "keep":  # TODO: check this even with 'keep'