OT

ESP32, Firmware Dump

Dumping firmware of in-module ESP32 flash

In my previous article, I wrote about secure boot. In this article, I want to demonstrate one way to dump the ESP32 in-module flash memory that works even if different security features have been set by burning e-fuses on the chip (JTAG, UART, DFU disabled). This article aims to illustrate the need for secure boot and flash encryption. Dumping and modifying the firmware is important for testing the mitigations for the threats identified in your device’s threat model.


ESP32, Secure Boot (Part 1)

Understanding Secure Boot ESP32 series (Part 1)

This article is part of a series on the Security Features of the Espressif ESP32 microcontroller series. This includes MCUs based on the Xtensa Instruction Set (e.g. ESP32, ESP32-S3), as well as MCUs based on the RISC-V Instruction Set (e.g. ESP32-C3). This is the first article of the series, which will cover: Secure Boot V1 (AES Based Secure Boot) (this article); Secure Boot V2 (RSA Based Secure Boot); Flash encryption (AES-XTS and legacy); AES, SHA, RSA, DS and HMAC accelerators; World Controller to allow isolated execution environments.

Introduction

ESP32 SoCs are very popular System On a Chip (SoC) microcontrollers made by the company Espressif.
