Espressif ESP32
The ESP32 is a series of single and dual-core SoCs from Espressif based on Harvard architecture Xtensa LX6 CPUs and with on-chip support for Bluetooth and Wi-Fi.
All embedded memory, external memory and peripherals are located on the data bus and/or the instruction bus of these CPUs. With some minor exceptions, the address mapping of two CPUs is symmetric, meaning they use the same addresses to access the same memory. Multiple peripherals in the system can access embedded memory via DMA.
On dual-core SoCs, the two CPUs are typically named “PRO_CPU” and “APP_CPU” (for “protocol” and “application”), however for most purposes the two CPUs are interchangeable.
ESP32 Toolchain
The toolchain used to build ESP32 firmware can be either downloaded or built from the sources. It is highly recommended to use (download or build) the same toolchain version that is being used by the NuttX CI.
Please refer to the Docker container and check for the current compiler version being used. For instance:
###############################################################################
# Build image for tool required by ESP32 builds
###############################################################################
FROM nuttx-toolchain-base AS nuttx-toolchain-esp32
# Download the latest ESP32 GCC toolchain prebuilt by Espressif
RUN mkdir -p xtensa-esp32-elf-gcc && \
curl -s -L "https://github.com/espressif/crosstool-NG/releases/download/esp-12.2.0_20230208/xtensa-esp32-elf-12.2.0_20230208-x86_64-linux-gnu.tar.xz" \
| tar -C xtensa-esp32-elf-gcc --strip-components 1 -xJ
RUN mkdir -p xtensa-esp32s2-elf-gcc && \
curl -s -L "https://github.com/espressif/crosstool-NG/releases/download/esp-12.2.0_20230208/xtensa-esp32s2-elf-12.2.0_20230208-x86_64-linux-gnu.tar.xz" \
| tar -C xtensa-esp32s2-elf-gcc --strip-components 1 -xJ
RUN mkdir -p xtensa-esp32s3-elf-gcc && \
curl -s -L "https://github.com/espressif/crosstool-NG/releases/download/esp-12.2.0_20230208/xtensa-esp32s3-elf-12.2.0_20230208-x86_64-linux-gnu.tar.xz" \
| tar -C xtensa-esp32s3-elf-gcc --strip-components 1 -xJ
For ESP32, the toolchain version is based on GGC 12.2.0 (xtensa-esp32-elf-12.2.0_20230208
)
The prebuilt Toolchain (Recommended)
First, create a directory to hold the toolchain:
$ mkdir -p /path/to/your/toolchain/xtensa-esp32-elf-gcc
Download and extract toolchain:
$ curl -s -L "https://github.com/espressif/crosstool-NG/releases/download/esp-12.2.0_20230208/xtensa-esp32-elf-12.2.0_20230208-x86_64-linux-gnu.tar.xz" \
| tar -C xtensa-esp32-elf-gcc --strip-components 1 -xJ
Add the toolchain to your PATH:
$ echo "export PATH=/path/to/your/toolchain/xtensa-esp32-elf-gcc/bin:$PATH" >> ~/.bashrc
You can edit your shell’s rc files if you don’t use bash.
Building from source
You can also build the toolchain yourself. The steps to build the toolchain with crosstool-NG on Linux are as follows
$ git clone https://github.com/espressif/crosstool-NG.git
$ cd crosstool-NG
$ git submodule update --init
$ ./bootstrap && ./configure --enable-local && make
$ ./ct-ng xtensa-esp32-elf
$ ./ct-ng build
$ chmod -R u+w builds/xtensa-esp32-elf
$ export PATH="crosstool-NG/builds/xtensa-esp32-elf/bin:$PATH"
These steps are given in the setup guide in ESP-IDF documentation.
Building and flashing NuttX
Bootloader and partitions
NuttX can boot the ESP32 directly using the so-called “Simple Boot”. An externally-built 2nd stage bootloader is not required in this case as all functions required to boot the device are built within NuttX. Simple boot does not require any specific configuration (it is selectable by default if no other 2nd stage bootloader is used).
If other features are required, an externally-built 2nd stage bootloader is needed. The bootloader
is built using the make bootloader
command. This command generates the firmware in the
nuttx
folder. The ESPTOOL_BINDIR
is used in the make flash
command to specify the path
to the bootloader. For compatibility among other SoCs and future options of 2nd stage bootloaders,
the commands make bootloader
and the ESPTOOL_BINDIR
option (for the make flash
) can be
used even if no externally-built 2nd stage bootloader is being built (they will be ignored if
Simple Boot is used, for instance):
$ make bootloader
Note
It is recommended that if this is the first time you are using the board with NuttX to perform a complete SPI FLASH erase.
$ esptool.py erase_flash
Building and Flashing
First, make sure that esptool.py
is installed. This tool is used to convert the ELF to a
compatible ESP32 image and to flash the image into the board.
It can be installed with: pip install esptool==4.8.dev4
.
It’s a two-step process where the first converts the ELF file into an ESP32 compatible binary and the second flashes it to the board. These steps are included in the build system and it is possible to build and flash the NuttX firmware simply by running:
$ make flash ESPTOOL_PORT=<port> ESPTOOL_BINDIR=./
where <port>
is typically /dev/ttyUSB0
or similar. ESPTOOL_BINDIR=./
is the path of the
externally-built 2nd stage bootloader and the partition table (if applicable): when built using the
make bootloader
, these files are placed into nuttx
folder. ESPTOOL_BAUD
is able to
change the flash baud rate if desired.
Debugging
This section describes debugging techniques for the ESP32.
Debugging with openocd
and gdb
Espressif uses a specific version of OpenOCD to support ESP32: openocd-esp32.
Please check Building OpenOCD from Sources for more information on how to build OpenOCD for ESP32.
ESP32 has dedicated pins for JTAG debugging. The following pins are used for JTAG debugging:
ESP32 Pin |
JTAG Signal |
---|---|
MTDO / GPIO15 |
TDO |
MTDI / GPIO12 |
TDI |
MTCK / GPIO13 |
TCK |
MTMS / GPIO14 |
TMS |
Some boards, like ESP32-Ethernet-Kit V1.2 and ESP-WROVER-KIT, have a built-in JTAG debugger.
Other boards that don’t have any built-in JTAG debugger can be debugged using an external JTAG debugger, like the one described for the ESP32-DevKitC.
Note
One must configure the USB drivers to enable JTAG communication. Please check Configure USB Drivers for configuring the JTAG adapter of the ESP32-Ethernet-Kit V1.2 and ESP-WROVER-KIT boards and other FT2232-based JTAG adapters.
OpenOCD can then be used:
openocd -c 'set ESP_RTOS hwthread; set ESP_FLASH_SIZE 0' -f board/esp32-wrover-kit-1.8v.cfg
Once OpenOCD is running, you can use GDB to connect to it and debug your application:
xtensa-esp32-elf-gdb -x gdbinit nuttx
whereas the content of the gdbinit
file is:
target remote :3333
set remote hardware-watchpoint-limit 2
mon reset halt
flushregs
monitor reset halt
thb nsh_main
c
Note
nuttx
is the ELF file generated by the build process. Please note that CONFIG_DEBUG_SYMBOLS
must be enabled in the menuconfig
.
Please refer to Debugging for more information about debugging techniques.
Stack Dump and Backtrace Dump
NuttX has a feature to dump the stack of a task and to dump the backtrace of it (and of all the other tasks). This feature is useful to debug the system when it is not behaving as expected, especially when it is crashing.
In order to enable this feature, the following options must be enabled in the NuttX configuration:
CONFIG_SCHED_BACKTRACE
, CONFIG_DEBUG_SYMBOLS
and, optionally, CONFIG_ALLSYMS
.
Note
The first two options enable the backtrace dump. The third option enables the backtrace dump with the associated symbols, but increases the size of the generated NuttX binary.
Espressif also provides a tool to translate the backtrace dump into a human-readable format.
This tool is called btdecode.sh
and is available at tools/espressif/btdecode.sh
of NuttX
repository.
Note
This tool is not necessary if CONFIG_ALLSYMS
is enabled. In this case, the backtrace dump
contains the function names.
Example - Crash Dump
A typical crash dump, caused by an illegal load with CONFIG_SCHED_BACKTRACE
and
CONFIG_DEBUG_SYMBOLS
enabled, is shown below:
xtensa_user_panic: User Exception: EXCCAUSE=001d task: backtrace
_assert: Current Version: NuttX 10.4.0 2ae3246e40-dirty Sep 19 2024 12:59:10 xtensa
_assert: Assertion failed user panic: at file: :0 task: backtrace process: backtrace 0x400f0724
up_dump_register: PC: 400f0754 PS: 00060530
up_dump_register: A0: 800e2fcc A1: 3ffe1400 A2: 00000000 A3: 3ffe0470
up_dump_register: A4: 3ffe0486 A5: 3ffaf4b0 A6: 00000000 A7: 00000000
up_dump_register: A8: 800f0751 A9: 3ffe13d0 A10: 0000005a A11: 3ffafcb0
up_dump_register: A12: 00000059 A13: 3ffaf600 A14: 00000002 A15: 3ffafaa4
up_dump_register: SAR: 00000018 CAUSE: 0000001d VADDR: 00000000
up_dump_register: LBEG: 4000c28c LEND: 4000c296 LCNT: 00000000
dump_stack: User Stack:
dump_stack: base: 0x3ffe0490
dump_stack: size: 00004048
dump_stack: sp: 0x3ffe1400
stack_dump: 0x3ffe13e0: 00000059 3ffaf600 00000002 3ffafaa4 800e1eb4 3ffe1420 400f0724 00000002
stack_dump: 0x3ffe1400: 3ffe0486 3ffaf4b0 00000000 00000000 00000000 3ffe1440 00000000 400f0724
stack_dump: 0x3ffe1420: 3ffe0470 3ffafae8 00000000 3ffb0d2c 00000000 3ffe1460 00000000 00000000
stack_dump: 0x3ffe1440: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
stack_dump: 0x3ffe1460: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
sched_dumpstack: backtrace| 2: 0x400ef738 0x40085152 0x40084d05 0x40084c7d 0x40080c84 0x400f0754 0x400e2fcc 0x400e1eb4
sched_dumpstack: backtrace| 2: 0x40000000 0x400e2fcc 0x400e1eb4 0x40000000
dump_tasks: PID GROUP PRI POLICY TYPE NPX STATE EVENT SIGMASK STACKBASE STACKSIZE COMMAND
dump_task: 0 0 0 FIFO Kthread - Ready 0000000000000000 0x3ffb0010 3056 Idle_Task
dump_task: 1 1 100 RR Task - Waiting Semaphore 0000000000000000 0x3ffaec10 3024 nsh_main
dump_task: 2 2 255 RR Task - Running 0000000000000000 0x3ffe0490 4048 backtrace task
sched_dumpstack: backtrace| 0: 0x400e12bb 0x400826eb
sched_dumpstack: backtrace| 1: 0x400edc59 0x400edb5b 0x400edb94 0x400e6c36 0x400e643c 0x400e6714 0x400e5830 0x400e56b8
sched_dumpstack: backtrace| 1: 0x400e5689 0x400e2fcc 0x400e1eb4 0x40000000
sched_dumpstack: backtrace| 2: 0x400ef738 0x40084ed4 0x400ed9ea 0x40085184 0x40084d05 0x40084c7d 0x40080c84 0x400f0754
sched_dumpstack: backtrace| 2: 0x400e2fcc 0x400e1eb4 0x40000000 0x400e2fcc 0x400e1eb4 0x40000000
The lines starting with sched_dumpstack
show the backtrace of the tasks. By checking it, it is
possible to track the root cause of the crash. Saving this output to a file and using the btdecode.sh
:
./tools/btdecode.sh esp32 /tmp/backtrace.txt
Backtrace for task 2:
0x400ef738: sched_dumpstack at sched_dumpstack.c:69
0x40085152: _assert at assert.c:691
0x40084d05: xtensa_user_panic at xtensa_assert.c:188 (discriminator 1)
0x40084c7d: xtensa_user at ??:?
0x40080c84: _xtensa_user_handler at xtensa_user_handler.S:194
0x400f0754: assert_on_task at backtrace_main.c:158
(inlined by) backtrace_main at backtrace_main.c:194
0x400e2fcc: nxtask_startup at task_startup.c:70
0x400e1eb4: nxtask_start at task_start.c:75
0x40000000: ?? ??:0
0x400e2fcc: nxtask_startup at task_startup.c:70
0x400e1eb4: nxtask_start at task_start.c:75
0x40000000: ?? ??:0
Backtrace dump for all tasks:
Backtrace for task 2:
0x400ef738: sched_dumpstack at sched_dumpstack.c:69
0x40084ed4: dump_backtrace at assert.c:418
0x400ed9ea: nxsched_foreach at sched_foreach.c:69 (discriminator 2)
0x40085184: _assert at assert.c:726
0x40084d05: xtensa_user_panic at xtensa_assert.c:188 (discriminator 1)
0x40084c7d: xtensa_user at ??:?
0x40080c84: _xtensa_user_handler at xtensa_user_handler.S:194
0x400f0754: assert_on_task at backtrace_main.c:158
(inlined by) backtrace_main at backtrace_main.c:194
0x400e2fcc: nxtask_startup at task_startup.c:70
0x400e1eb4: nxtask_start at task_start.c:75
0x40000000: ?? ??:0
0x400e2fcc: nxtask_startup at task_startup.c:70
0x400e1eb4: nxtask_start at task_start.c:75
0x40000000: ?? ??:0
Backtrace for task 1:
0x400edc59: nxsem_wait at sem_wait.c:217
0x400edb5b: nxsched_waitpid at sched_waitpid.c:165
0x400edb94: waitpid at sched_waitpid.c:618
0x400e6c36: nsh_builtin at nsh_builtin.c:163
0x400e643c: nsh_execute at nsh_parse.c:652
(inlined by) nsh_parse_command at nsh_parse.c:2840
0x400e6714: nsh_parse at nsh_parse.c:2930
0x400e5830: nsh_session at nsh_session.c:246
0x400e56b8: nsh_consolemain at nsh_consolemain.c:79
0x400e5689: nsh_main at nsh_main.c:80
0x400e2fcc: nxtask_startup at task_startup.c:70
0x400e1eb4: nxtask_start at task_start.c:75
0x40000000: ?? ??:0
Backtrace for task 0:
0x400e12bb: nx_start at nx_start.c:772 (discriminator 1)
0x400826eb: __esp32_start at esp32_start.c:294
(inlined by) __start at esp32_start.c:358
The above output shows the backtrace of the tasks. By checking it, it is possible to track the functions that were being executed when the crash occurred.
Peripheral Support
The following list indicates the state of peripherals’ support in NuttX:
Peripheral |
Support |
NOTES |
---|---|---|
ADC |
No |
|
AES |
Yes |
|
Bluetooth |
Yes |
|
CAN/TWAI |
Yes |
|
DMA |
Yes |
|
DAC |
Yes |
One-shot |
eFuse |
Yes |
|
Ethernet |
Yes |
|
GPIO |
Yes |
|
I2C |
Yes |
|
I2S |
Yes |
|
LED_PWM |
Yes |
|
MCPWM |
Yes |
|
Pulse_CNT |
Yes |
|
RMT |
Yes |
|
RNG |
Yes |
|
RSA |
No |
|
RTC |
Yes |
|
SD/MMC |
No |
|
SDIO |
No |
|
SHA |
No |
|
SPI |
Yes |
|
SPIFLASH |
Yes |
|
SPIRAM |
Yes |
|
Timers |
Yes |
|
Touch |
Yes |
|
UART |
Yes |
|
Watchdog |
Yes |
|
Wifi |
Yes |
Memory Map
Address Mapping
BUS TYPE |
START |
LAST |
DESCRIPTION |
NOTES |
---|---|---|---|---|
Data |
0x3F400000 |
0x3F7FFFFF |
External Memory |
|
Data |
0x3F800000 0x3FC00000 |
0x3FBFFFFF 0x3FEFFFFF |
External Memory |
Reserved |
Data |
0x3FF00000 |
0x3FF7FFFF |
Peripheral |
|
Data |
0x3FF80000 |
0x3FFFFFFF |
Embedded Memory |
|
Instruction |
0x40000000 |
0x400C1FFF |
Embedded Memory |
|
Instruction |
0x400C2000 |
0x40BFFFFF |
External Memory |
|
. |
0x40C00000 |
0x4FFFFFFF |
Reserved |
|
Data / Instruction |
0x50000000 |
0x50001FFF |
Embedded Memory |
|
. |
0x50002000 |
0xFFFFFFFF |
Reserved |
Embedded Memory
BUS TYPE |
START |
LAST |
DESCRIPTION |
NOTES |
---|---|---|---|---|
Data |
0x3ff80000 |
0x3ff81fff |
RTC FAST Memory |
PRO_CPU Only |
. |
0x3ff82000 |
0x3ff8ffff |
Reserved |
|
Data |
0x3ff90000 |
0x3ff9ffff |
Internal ROM 1 |
|
. |
0x3ffa0000 |
0x3ffadfff |
Reserved |
|
Data |
0x3ffae000 |
0x3ffdffff |
Internal SRAM 2 |
DMA |
Data |
0x3ffe0000 |
0x3fffffff |
Internal SRAM 1 |
DMA |
Boundary Address (Embedded)
BUS TYPE |
START |
LAST |
DESCRIPTION |
NOTES |
---|---|---|---|---|
Instruction |
0x40000000 |
0x40007fff |
Internal ROM 0 |
Remap |
Instruction |
0x40008000 |
0x4005ffff |
Internal ROM 0 |
|
. |
0x40060000 |
0x4006ffff |
Reserved |
|
Instruction |
0x40070000 |
0x4007ffff |
Internal SRAM 0 |
Cache |
Instruction |
0x40080000 |
0x4009ffff |
Internal SRAM 0 |
|
Instruction |
0x400a0000 |
0x400affff |
Internal SRAM 1 |
|
Instruction |
0x400b0000 |
0x400b7FFF |
Internal SRAM 1 |
Remap |
Instruction |
0x400b8000 |
0x400bffff |
Internal SRAM 1 |
|
Instruction |
0x400c0000 |
0x400c1FFF |
RTC FAST Memory |
PRO_CPU Only |
Data / Instruction |
0x50000000 |
0x50001fff |
RTC SLOW Memory |
External Memory
BUS TYPE |
START |
LAST |
DESCRIPTION |
NOTES |
---|---|---|---|---|
Data |
0x3f400000 |
0x3f7fffff |
External Flash |
Read |
Data |
0x3f800000 |
0x3fbfffff |
External SRAM |
Read and Write |
Boundary Address (External)
Instruction 0x400c2000 0x40bfffff 11512 KB External Flash Read
Linker Segments
DESCRIPTION |
START |
END |
ATTR |
LINKER SEGMENT NAME |
---|---|---|---|---|
|
0x3f400010 |
0x3fc00010 |
R |
drom0_0_seg |
|
0x3ffb0000 |
0x40000000 |
RW |
dram0_0_seg (NOTE 1,2,3) |
|
0x40080000 |
0x400a0000 |
RX |
iram0_0_seg |
|
0x400c0000 |
0x400c2000 |
RWX |
rtc_iram_seg (PRO_CPU only) |
|
0x400d0018 |
0x40400018 |
RX |
iram0_2_seg (actually FLASH) |
|
0x50000000 |
0x50001000 |
RW |
rtc_slow_seg (NOTE 4) |
Note
Linker script will reserve space at the beginning of the segment for BT and at the end for trace memory.
Heap ends at the top of dram_0_seg.
Parts of this region is reserved for the ROM bootloader.
Linker script will reserve space at the beginning of the segment for co-processor reserve memory and at the end for ULP coprocessor reserve memory.
64-bit Timers
ESP32 has 4 generic timers of 64 bits (2 from Group 0 and 2 from Group 1). They’re accessible as character drivers, the configuration along with a guidance on how to run the example and the description of the application level interface can be found here.
Watchdog Timers
ESP32 has 3 WDTs. 2 MWDTS from the Timers Module and 1 RWDT from the RTC Module (Currently not supported yet). They’re accessible as character drivers, The configuration along with a guidance on how to run the example and the description of the application level interface can be found here.
SMP
The ESP32 has 2 CPUs. Support is included for testing an SMP configuration. That configuration is still not yet ready for usage but can be enabled with the following configuration settings, in
, with:CONFIG_SPINLOCK=y
CONFIG_SMP=y
CONFIG_SMP_NCPUS=2
Debug Tip: During debug session, OpenOCD may mysteriously switch from one
CPU to another. This behavior can be eliminated by uncommenting one of the
following in scripts/esp32.cfg
:
# Only configure the PRO CPU
#set ESP32_ONLYCPU 1
# Only configure the APP CPU
#set ESP32_ONLYCPU 2
Wi-Fi
A standard network interface will be configured and can be initialized such as:
nsh> ifup wlan0
nsh> wapi psk wlan0 mypasswd 3
nsh> wapi essid wlan0 myssid 1
nsh> renew wlan0
In this case a connection to AP with SSID myssid
is done, using mypasswd
as
password. IP address is obtained via DHCP using renew
command. You can check
the result by running ifconfig
afterwards.
Tip
Boards usually expose a wifi
defconfig which enables Wi-Fi
Tip
Please check wapi documentation for more information about its commands and arguments.
Note
The wapi psk
command on Station mode sets a security threshold. That
is, it enables connecting only to an equally or more secure network than the set
threshold. wapi psk wlan0 mypasswd 3
sets a WPA2-PSK-secured network and
enables the device to connect to networks that are equally or more secure than
that (WPA3-SAE, for instance, would be eligible for connecting to).
Wi-Fi SoftAP
It is possible to use ESP32 as an Access Point (SoftAP). Actually there are some boards config examples called sta_softap which enables this support
If you are using this board config profile you can run these commands to be able to connect your smartphone or laptop to your board:
nsh> ifup wlan1
nsh> dhcpd_start wlan1
nsh> wapi psk wlan1 mypasswd 3
nsh> wapi essid wlan1 nuttxap 1
In this case, you are creating the access point nuttxapp
in your board and to
connect to it on your smartphone you will be required to type the password mypasswd
using WPA2.
Tip
Please check wapi documentation for more information about its commands and arguments.
The dhcpd_start
is necessary to let your board to associate an IP to your smartphone.
Bluetooth
These are the steps to test Bluetooth Low Energy (BLE) scan on ESP32 (i.e. Devkit board). First configure to use the BLE board profile:
$ make distclean
$ ./tools/configure.sh esp32-devkitc:ble
$ make flash ESPTOOL_PORT=/dev/ttyUSB0
Enter in the NSH shell using your preferred serial console tool and run the scan command:
NuttShell (NSH) NuttX-10.2.0
nsh> ifconfig
bnep0 Link encap:UNSPEC at DOWN
inet addr:0.0.0.0 DRaddr:0.0.0.0 Mask:0.0.0.0
wlan0 Link encap:Ethernet HWaddr ac:67:b2:53:8b:ec at UP
inet addr:10.0.0.2 DRaddr:10.0.0.1 Mask:255.255.255.0
nsh> bt bnep0 scan start
nsh> bt bnep0 scan stop
nsh> bt bnep0 scan get
Scan result:
1. addr: 63:14:2f:b9:9f:83 type: 1
rssi: -90
response type: 3
advertiser data: 1e ff 06 00 01 09 20 02 7c 33 a3 a7 cd c9 44 5b
2. addr: 52:ca:05:b5:ad:77 type: 1
rssi: -82
response type: 3
advertiser data: 1e ff 06 00 01 09 20 02 03 d1 21 57 bf 19 b3 7a
3. addr: 46:8e:b2:cd:94:27 type: 1
rssi: -92
response type: 2
advertiser data: 02 01 1a 09 ff c4 00 10 33 14 12 16 80 02 0a d4
4. addr: 46:8e:b2:cd:94:27 type: 1
rssi: -92
response type: 4
advertiser data: 18 09 5b 4c 47 5d 20 77 65 62 4f 53 20 54 56 20
5. addr: 63:14:2f:b9:9f:83 type: 1
rssi: -80
response type: 3
advertiser data: 1e ff 06 00 01 09 20 02 7c 33 a3 a7 cd c9 44 5b
nsh>
I2S
The I2S peripheral is accessible using either the generic I2S audio driver or a specific audio codec driver. Also, it’s possible to use the I2S character driver to bypass the audio subsystem and develop specific usages of the I2S peripheral.
Note
Note that the bit-width and sample rate can be modified “on-the-go” when using audio-related drivers. That is not the case for the I2S character device driver and such parameters are set on compile time through make menuconfig.
Warning
Some upper driver implementations might not handle both transmission and reception configured at the same time on the same peripheral.
Please check for usage examples using the ESP32 DevKitC.
Using QEMU
Get or build QEMU from here.
Enable the ESP32_QEMU_IMAGE
config found in .
Enable ESP32_APP_FORMAT_LEGACY
.
Build and generate the QEMU image:
$ make bootloader
$ make ESPTOOL_BINDIR=.
A QEMU-compatible nuttx.merged.bin
binary image will be created. It can be run as:
$ qemu-system-xtensa -nographic -machine esp32 -drive file=nuttx.merged.bin,if=mtd,format=raw
QEMU for ESP32 does not correctly define the chip revision as v3.0 so you have two options:
#define
ESP32_IGNORE_CHIP_REVISION_CHECK
inarch/xtensa/src/esp32/esp32_start.c
Emulate the efuse as described here.
QEMU Networking
Networking is possible using the openeth MAC driver. Enable ESP32_OPENETH
option and set the nic in QEMU:
$ qemu-system-xtensa -nographic -machine esp32 -drive file=nuttx.merged.bin,if=mtd,format=raw -nic user,model=open_eth
Secure Boot and Flash Encryption
Secure Boot
Secure Boot protects a device from running any unauthorized (i.e., unsigned) code by checking that each piece of software that is being booted is signed. On an ESP32, these pieces of software include the second stage bootloader and each application binary. Note that the first stage bootloader does not require signing as it is ROM code thus cannot be changed. This is achieved using specific hardware in conjunction with MCUboot (read more about MCUboot here).
The Secure Boot process on the ESP32 involves the following steps performed:
The first stage bootloader verifies the second stage bootloader’s RSA-PSS signature. If the verification is successful, the first stage bootloader loads and executes the second stage bootloader.
When the second stage bootloader loads a particular application image, the application’s signature (RSA, ECDSA or ED25519) is verified by MCUboot. If the verification is successful, the application image is executed.
Warning
Once enabled, Secure Boot will not boot a modified bootloader. The bootloader will only boot an application firmware image if it has a verified digital signature. There are implications for reflashing updated images once Secure Boot is enabled. You can find more information about the ESP32’s Secure boot here.
Note
As the bootloader image is built on top of the Hardware Abstraction Layer component of ESP-IDF, the API port by Espressif will be used by MCUboot rather than the original NuttX port.
Flash Encryption
Flash encryption is intended for encrypting the contents of the ESP32’s off-chip flash memory. Once this feature is enabled, firmware is flashed as plaintext, and then the data is encrypted in place on the first boot. As a result, physical readout of flash will not be sufficient to recover most flash contents.
Warning
After enabling Flash Encryption, an encryption key is generated internally by the device and cannot be accessed by the user for re-encrypting data and re-flashing the system, hence it will be permanently encrypted. Re-flashing an encrypted system is complicated and not always possible. You can find more information about the ESP32’s Flash Encryption here.
Prerequisites
First of all, we need to install imgtool
(a MCUboot utility application to manipulate binary
images) and esptool
(the ESP32 toolkit):
$ pip install imgtool esptool==4.8.dev4
We also need to make sure that the python modules are added to PATH
:
$ echo "PATH=$PATH:/home/$USER/.local/bin" >> ~/.bashrc
Now, we will create a folder to store the generated keys (such as ~/signing_keys
):
$ mkdir ~/signing_keys && cd ~/signing_keys
With all set up, we can now generate keys to sign the bootloader and application binary images, respectively, of the compiled project:
$ espsecure.py generate_signing_key --version 2 bootloader_signing_key.pem
$ imgtool keygen --key app_signing_key.pem --type rsa-3072
Important
The contents of the key files must be stored securely and kept secret.
Enabling Secure Boot and Flash Encryption
To enable Secure Boot for the current project, go to the project’s NuttX directory, execute make menuconfig
and the following steps:
Enable experimental features in
;Enable MCUboot in
;Change image type to
MCUboot-bootable format
in ;Enable building MCUboot from the source code by selecting
Build binaries from source
; in ;Enable Secure Boot in
;If you want to protect the SPI Bus against data sniffing, you can enable Flash Encryption in
.
Now you can design an update and confirm agent to your application. Check the MCUboot design guide and the MCUboot Espressif port documentation for more information on how to apply MCUboot. Also check some notes about the NuttX MCUboot port, the MCUboot porting guide and some examples of MCUboot applied in NuttX applications.
After you developed an application which implements all desired functions, you need to flash it into the primary image slot
of the device (it will automatically be in the confirmed state, you can learn more about image
confirmation here).
To flash to the primary image slot, select Application image primary slot
in
and compile it using make -j ESPSEC_KEYDIR=~/signing_keys
.
When creating update images, make sure to change Application image secondary slot
.
Important
When deploying your application, make sure to disable UART Download Mode by selecting Permanently disabled
in
and change usage mode to Release
in System Type –> Application Image Configuration –> Enable usage mode.
After disabling UART Download Mode you will not be able to flash other images through UART.
Things to Do
Lazy co-processor save logic supported by Xtensa. That logic works like this:
CPENABLE is set to zero on each context switch, disabling all co- processors.
If/when the task attempts to use the disabled co-processor, an exception occurs
The co-processor exception handler re-enables the co-processor.
Instead, the NuttX logic saves and restores CPENABLE on each context switch. This has disadvantages in that (1) co-processor context will be saved and restored even if the co-processor was never used, and (2) tasks must explicitly enable and disable co-processors.
Currently the Xtensa port copies register state save information from the stack into the TCB. A more efficient alternative would be to just save a pointer to a register state save area in the TCB. This would add some complexity to signal handling and also to up_initialstate(). But the performance improvement might be worth the effort.
See SMP-related issues above