How to lock m5stack software (firmware encryption)



  • I want to activate the esp32 "firmware encryption" feature to:

    • ensure that the firmware can't be written again
    • ensure that it can't be read

    I know this feature exists but I would need simple instructions to activate it. Can anybody help?



  • Did you find a solution? I am looking for the same feature.

    As I understand, we need to use ESP-IDF.

    I found this but have not tested it yet: https://github.com/ropg/m5core2_esp-idf_demo



  • I just found that M5Unified supports ESP-IDF: https://github.com/m5stack/M5Unified

    @m5stack or @felmue, can you confirm we can use boot and flash encryption with M5Unified?



  • Also found this: https://www.motius.com/post/how-to-build-a-secure-iot-prototype-with-arduino-and-esp32

    It seems ESP-IDF is only needed for the encryption part; the code can be written with the Arduino framework.



  • Now the next challenge: use esptool-js to upgrade Core2 OTA.

    Does anyone know if esptool-js supports transfer of encrypted files?



  • Enabling firmware encryption on the ESP32, which is the microcontroller used in M5Stack devices, involves a few steps. Please note that the specifics may vary based on the development environment and tools you are using. Here are general steps you can follow using the Arduino IDE:

    Install the ESP32 board support:

    • Open Arduino IDE.
    • Go to "File" -> "Preferences."
    • In the "Additional Boards Manager URLs" field, add the following URL: https://dl.espressif.com/dl/package_esp32_index.json
    • Click "OK" to close the preferences dialog.
    • Go to "Tools" -> "Board" -> "Boards Manager."
    • Search for "esp32" and install the "esp32" package.

    Install the M5Stack library:

    • Go to "Sketch" -> "Include Library" -> "Manage Libraries."
    • Search for "M5Stack" and install the M5Stack library.

    Update the M5Stack library to the latest version:

    • Open the "Library Manager" again and check if there are updates available for the M5Stack library. If yes, update to the latest version.

    Enable Flash Encryption in the Arduino IDE:

    • Open your Arduino sketch.
    • In the Arduino IDE, go to "Tools" -> "M5Stack" -> "Flash Mode" and select "QIO."
    • Go to "Tools" -> "M5Stack" -> "Flash Frequency" and select "40MHz."
    • Go to "Tools" -> "M5Stack" -> "Flash Size" and select "16MB."
    • Finally, go to "Tools" -> "M5Stack" -> "Partition Scheme" and select "Default 4MB with spiffs (1.2MB APP/1.5MB SPIFFS)."

    Enable Flash Encryption in Code:

    In your Arduino sketch, add the following line at the beginning, before the setup() function:

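        #include <Preferences.h>  // Arduino-ESP32 library for NVS key-value storage

        Preferences preferences;

    In the setup() function, add the following lines:

        void setup() {
            // Open the "yourAppName" NVS namespace in read-write mode
            preferences.begin("yourAppName", false);
            // Write the key string to NVS (NVS entry names are limited to 15 characters)
            preferences.putString("yourEncryptionKey", "your32ByteEncryptionKeyHere");
            // Close the namespace
            preferences.end();
            // Rest of your setup code...
        }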
    

    Replace "yourAppName" with a unique name for your application, and replace "your32ByteEncryptionKeyHere" with a 32-byte encryption key.

    Upload the code to your M5Stack device:

    • Connect your M5Stack device to your computer.
    • Select the correct port and board in the Arduino IDE.
    • Click the "Upload" button to upload the code to your M5Stack.

    These steps should enable flash encryption for your M5Stack firmware. Keep in mind that once flash encryption is enabled, you need to provide the correct encryption key when uploading new firmware. Otherwise, the new firmware won't be written to the device.
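
Added example, not part of any post in this thread and not Espressif or M5Stack code: on the ESP32 the flash encryption state is recorded in eFuses, so it can be checked after any enable procedure. This host-runnable C program decodes a snapshot of those fields; the struct, enum and function names are hypothetical, the sample values are constructed, and the decoding rules are assumptions taken from Espressif's ESP32 flash encryption documentation (an odd number of set bits in the 7-bit FLASH_CRYPT_CNT means enabled; release mode needs the counter locked and all three DISABLE_DL_* fuses burned).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical snapshot of the ESP32 eFuse fields that govern flash encryption. */
typedef struct {
    uint8_t flash_crypt_cnt;   /* 7-bit counter; bits can only be burned 0 -> 1 */
    bool    crypt_cnt_wr_dis;  /* write protection on FLASH_CRYPT_CNT */
    bool    dis_dl_encrypt;    /* DISABLE_DL_ENCRYPT */
    bool    dis_dl_decrypt;    /* DISABLE_DL_DECRYPT */
    bool    dis_dl_cache;      /* DISABLE_DL_CACHE */
} efuse_snapshot_t;

typedef enum { FE_DISABLED, FE_DEVELOPMENT, FE_RELEASE } fe_mode_t;

/* Assumption: encryption is active when an odd number of the 7 counter bits is set. */
static bool fe_enabled(const efuse_snapshot_t *e)
{
    uint8_t v = e->flash_crypt_cnt & 0x7F;
    int ones = 0;
    for (; v; v >>= 1) ones += v & 1;
    return (ones & 1) != 0;
}

/* Assumption: release mode = counter can no longer change AND UART download helpers are off. */
static fe_mode_t fe_mode(const efuse_snapshot_t *e)
{
    if (!fe_enabled(e)) return FE_DISABLED;
    bool cnt_locked = e->crypt_cnt_wr_dis || (e->flash_crypt_cnt & 0x7F) == 0x7F;
    bool dl_locked = e->dis_dl_encrypt && e->dis_dl_decrypt && e->dis_dl_cache;
    return (cnt_locked && dl_locked) ? FE_RELEASE : FE_DEVELOPMENT;
}

int main(void)
{
    /* Constructed sample values, not read from a real device. */
    const efuse_snapshot_t samples[] = {
        {0x00, false, false, false, false},  /* factory state */
        {0x01, false, false, false, false},  /* enabled once, still changeable */
        {0x03, false, false, false, false},  /* enabled, then disabled again */
        {0x7F, false, true,  true,  true },  /* counter exhausted, download locked */
    };
    static const char *names[] = {"disabled", "development", "release"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("FLASH_CRYPT_CNT=0x%02X -> %s\n", samples[i].flash_crypt_cnt, names[fe_mode(&samples[i])]);
    return 0;
}
```

On the device itself, ESP-IDF's esp_flash_encryption_enabled() from esp_flash_encrypt.h reports the enabled/disabled state directly.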