Commit 73d1c25

docs(secure_download_mode): Explain available commands and serial protocol restrictions in SDM
1 parent c26e58e commit 73d1c25

3 files changed

+39
-1
lines changed

docs/en/advanced-topics/serial-protocol.rst

Lines changed: 21 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -302,6 +302,26 @@ ROM loaders will not recognize these commands.
302302
| ``0xd3`` | RUN_USER_CODE | Exits loader and runs user code | | |
303303
+------------+-------------------+-----------------------------------+-------------------------------------------------------------------------------------------------------------------------+----------+
304304

305+
.. only:: not esp8266 and not esp32
306+
307+
.. _supported-in-sdm:
308+
309+
Supported in Secure Download Mode
310+
"""""""""""""""""""""""""""""""""
311+
312+
Secure Download Mode is a restricted version of the ROM Loader available on Espressif chips. It only allows a limited set of commands:
313+
314+
* synchronisation (``SYNC``)
315+
* attaching SPI flash (``SPI_ATTACH``)
316+
* updating SPI config (``SPI_SET_PARAMS``)
317+
* changing baud rate (``CHANGE_BAUDRATE``)
318+
* basic flash write (``FLASH_BEGIN``, ``FLASH_DATA``, ``FLASH_END``)
319+
* reading a summary of currently enabled security features (``GET_SECURITY_INFO``)
320+
321+
Any other command (e.g., reading or writing memory, arbitrary code execution through loading to RAM, ...) will result in an error.
322+
323+
You can read more about Secure Download Mode in the `ESP-IDF Security Overview <https://docs.espressif.com/projects/esp-idf/en/stable/{IDF_TARGET_PATH_NAME}/security/security.html#uart-download-mode>`__.
324+
305325
Checksum
306326
^^^^^^^^
307327
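
Review bot: The allowed-command list in the new "Supported in Secure Download Mode" section has no erase command, but basic-commands.rst in this same commit lists erase-flash (only ``erase-region``) as supported under SDM. Say which of the listed commands carries out a region erase so the two lists agree. The sentence "Any other command ... will result in an error" would also be more useful if it named the error the loader returns, since that is what a user sees when a tool sends a restricted command.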

@@ -442,7 +462,7 @@ SPI Configuration Commands
442462
SPI Attach Command
443463
""""""""""""""""""
444464

445-
The SPI _ATTACH command enables the SPI flash interface. It takes a 32-bit data payload which is used to determine which SPI peripheral and pins should be used to connect to SPI flash.
465+
The SPI_ATTACH command enables the SPI flash interface. It takes a 32-bit data payload which is used to determine which SPI peripheral and pins should be used to connect to SPI flash.
446466

447467
.. only:: esp8266
448468
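
Review bot: On the corrected line the command name is plain text, while the list added earlier in this file writes it as a literal (``SPI_ATTACH``). Use the literal form here too so the name renders the same way in both places. This typo fix is also unrelated to the SDM documentation named in the commit subject, so it is worth a mention in the commit body.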

docs/en/esptool/advanced-commands.rst

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -136,6 +136,8 @@ This will read 4 bytes from SFDP address 16.
136136

137137
.. only:: not esp8266 and not esp32
138138

139+
.. _get-security-info:
140+
139141
Read Security Info: ``get_security_info``
140142
------------------------------------------
141143

docs/en/esptool/basic-commands.rst

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -335,6 +335,21 @@ Gaps between the files will be filled with `0x00` bytes.
335335
esptool --chip {IDF_TARGET_NAME} merge-bin --format uf2 -o merged-flash.uf2 --flash-mode dio --flash-size 4MB 0x1000 bootloader.bin 0x8000 partition-table.bin 0x10000 app.bin
336336
337337
338+
.. only:: not esp8266 and not esp32
339+
340+
Commands Supported in Secure Download Mode
341+
------------------------------------------
342+
343+
When running a command against an SoC with active Secure Download Mode, only the following commands are supported:
344+
345+
* :ref:`write-flash`
346+
* :ref:`erase-flash` (only ``erase-region``)
347+
* :ref:`get-security-info`
348+
349+
Running any other operation will result in an error. This is caused by the set of available serial protocol commands being restricted in Secure Download Mode, see :ref:`supported-in-sdm` for details.
350+
351+
Binary image manipulation commands (``elf2image``, ``image-info``, ``merge-bin``) are not affected, because they do not require a serial connection with an SoC.
352+
338353
Advanced Commands
339354
-----------------
340355
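
Review bot: The :ref:`write-flash` entry in the new list is given without qualification, but the protocol section added in serial-protocol.rst allows only FLASH_BEGIN, FLASH_DATA and FLASH_END for writing. State whether every write-flash option works under SDM or only those that stay within those three commands, the same way the erase entry is narrowed to "(only ``erase-region``)". A sentence pointing to :ref:`get-security-info` as the way to read the enabled security features would also help, and "This is caused by ..., see ..." reads better as two sentences.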

@@ -351,3 +366,4 @@ The following commands are less commonly used, or only of interest to advanced u
351366
* :ref:`read-flash-sfdp`
352367
:esp8266: * :ref:`chip-id`
353368
:esp8266: * :ref:`run`
369+
:not esp8266 and not esp32: * :ref:`get-security-info`
