The rom of esp32 has solidified the firmware.
After entering the programming mode, the esp32 serial port outputs:
When burning firmware for esp32, it needs to communicate with the bootloder of rom. When communicating, use SLIP packet frame for bidirectional data transmission.
Each SLIP packet begins and ends with 0xC0. In the data packet, all occurrences of 0xC0 and 0xDB are replaced with 0xDB 0xDC and 0xDB 0xDD respectively. Substitution is done after calculating the checksum and length, so the packet length may be longer than the size field below.
Based on the SLIP communication protocol, the following protocols are derived:
Command Packet
Each command is a SLIP packet initiated by the host, and the packet consists of a header and a variable-length body. little-endian transfer.
Byte |
Name |
Comment |
0 |
Direction |
Always 0x00 for requests |
1 |
Command |
Command identifier (see Commands). |
2-3 |
Size |
Length of Data field, in bytes. |
4-7 |
Checksum |
Simple checksum of part of the data field (only used for some commands, see Checksum). |
8..n |
Data |
Variable length data payload (0-65535 bytes, as indicated by Size parameter). Usage depends on specific command. |
The command types supported by esp32 rom are as follows:
Byte |
Name |
Description |
Input Data |
Output Data |
0x02 |
FLASH_BEGIN |
Four 32-bit words: size to erase, number of data packets, data size in one packet, flash offset. |
||
0x03 |
FLASH_DATA |
Four 32-bit words: data size, sequence number, 0, 0, then data. Uses Checksum. |
||
0x04 |
FLASH_END |
One 32-bit word: 0 to reboot, 1 to run user code. Not necessary to send this command if you wish to stay in the loader |
||
0x05 |
MEM_BEGIN |
Total size, number of data packets, data size in one packet, memory offset |
||
0x06 |
MEM_END |
Two 32-bit words: execute flag, entry point address |
||
0x07 |
MEM_DATA |
Four 32-bit words: data size, sequence number, 0, 0, then data. Uses Checksum. |
||
0x08 |
SYNC |
36 bytes: 0x07 0x07 0x12 0x20, followed by 32 x 0x55 |
||
0x09 |
WRITE_REG |
Four 32-bit words: address, value, mask and delay (in microseconds) |
||
0x0a |
READ_REG |
Address as 32-bit word |
Read data as 32-bit word in value field. |
|
0x0b |
SPI_SET_PARAMS |
Six 32-bit words: id, total size in bytes, block size, sector size, page size, status mask. |
||
0x0d |
SPI_ATTACH |
32-bit word: Zero for normal SPI flash. A second 32-bit word (should be 0) is passed to ROM loader only. |
||
0x0f |
CHANGE_BAUDRATE |
Two 32-bit words: new baud rate, 0 if we are talking to the ROM loader or the current/old baud rate if we are talking to the stub loader. |
||
0x10 |
FLASH_DEFL_BEGIN |
Four 32-bit words: uncompressed size, number of data packets, data packet size, flash offset. With stub loader the uncompressed size is exact byte count to be written, whereas on ROM bootloader it is rounded up to flash erase block size. |
||
0x11 |
FLASH_DEFL_DATA |
Four 32-bit words: data size, sequence number, 0, 0, then data. Uses Checksum. |
Error code 0xC1 on checksum error. |
|
0x12 |
FLASH_DEFL_END |
One 32-bit word: 0 to reboot, 1 to run user code. Not necessary to send this command if you wish to stay in the loader. |
||
0x13 |
SPI_FLASH_MD5 |
Four 32-bit words: address, size, 0, 0 |
Body contains 16 raw bytes of MD5 followed by 2 status bytes (stub loader) or 32 hex-coded ASCII (ROM loader) of calculated MD5 |
Response Packet
Byte |
Name |
Comment |
0 |
Direction |
Always 0x01 for responses |
1 |
Command |
Same value as Command identifier in the request packet that trigged the response |
2-3 |
Size |
Size of data field. At least the length of the Status Bytes (2 or 4 bytes, see below). |
4-7 |
Value |
Response value used by READ_REG command (see below). Zero otherwise. |
8..n |
Data |
Variable length data payload. Length indicated by “Size” field. |
The final bytes of the Data payload indicate command status
对于 ESP32 ROM最后四个字节被使用,但只有前两个字节包含状态信息:
Byte |
Name |
Comment |
Size-4 |
Status |
Status flag, success (0) or failure (1) |
Size-3 |
Error |
If Status 1, this indicates the type of error. |
Size-2 |
Reserved |
|
Size-1 |
Reserved |
ROM Loader Errors 枚举
Value |
Meaning |
0x05 |
“Received message is invalid” (parameters or length field is invalid) |
0x06 |
“Failed to act on received message” |
0x07 |
“Invalid CRC in message” |
0x08 |
“Flash write error” - after writing a block of data to flash, the ROM loader reads the value back and the 8-bit CRC is compared to the data read from flash. If they don’t match, this error is returned. |
0x09 |
“Flash read error” - SPI read failed |
0x0a |
“Flash read length error” - SPI read request length is too long |
0x0b |
“Deflate error” (compressed uploads only) |
reff:
https://docs.espressif.com/projects/esptool/en/latest/esp32/advanced-topics/index.html