Add Ota and mdns (#257)

* Add Sketch Update Library * Add MDNS Library * Add Arduino OTA Library * add missing library file * Add library files for Update * Add missing headers * fix ota command * Add espota binary * remove bad example * PlatformIO does not auto forward declare methods like Arduino Builder
2017-03-11 07:15:44 +01:00
parent 2f5efed220
commit fa1716e73e
27 changed files with 2428 additions and 91 deletions
--- a/tools/espota.exe
+++ b/tools/espota.exe
--- a/tools/espota.py
+++ b/tools/espota.py
@ -0,0 +1,321 @@
+#!/usr/bin/env python
+#
+# Original espota.py by Ivan Grokhotkov:
+# https://gist.github.com/igrr/d35ab8446922179dc58c
+#
+# Modified since 2015-09-18 from Pascal Gollor (https://github.com/pgollor)
+# Modified since 2015-11-09 from Hristo Gochkov (https://github.com/me-no-dev)
+# Modified since 2016-01-03 from Matthew O'Gorman (https://githumb.com/mogorman)
+#
+# This script will push an OTA update to the ESP
+# use it like: python espota.py -i <ESP_IP_address> -I <Host_IP_address> -p <ESP_port> -P <Host_port> [-a password] -f <sketch.bin>
+# Or to upload SPIFFS image:
+# python espota.py -i <ESP_IP_address> -I <Host_IP_address> -p <ESP_port> -P <HOST_port> [-a password] -s -f <spiffs.bin>
+#
+# Changes
+# 2015-09-18:
+# - Add option parser.
+# - Add logging.
+# - Send command to controller to differ between flashing and transmitting SPIFFS image.
+#
+# Changes
+# 2015-11-09:
+# - Added digest authentication
+# - Enhanced error tracking and reporting
+#
+# Changes
+# 2016-01-03:
+# - Added more options to parser.
+#
+
+from __future__ import print_function
+import socket
+import sys
+import os
+import optparse
+import logging
+import hashlib
+import random
+
+# Commands
+FLASH = 0
+SPIFFS = 100
+AUTH = 200
+PROGRESS = False
+# update_progress() : Displays or updates a console progress bar
+## Accepts a float between 0 and 1. Any int will be converted to a float.
+## A value under 0 represents a 'halt'.
+## A value at 1 or bigger represents 100%
+def update_progress(progress):
+  if (PROGRESS):
+    barLength = 60 # Modify this to change the length of the progress bar
+    status = ""
+    if isinstance(progress, int):
+      progress = float(progress)
+    if not isinstance(progress, float):
+      progress = 0
+      status = "error: progress var must be float\r\n"
+    if progress < 0:
+      progress = 0
+      status = "Halt...\r\n"
+    if progress >= 1:
+      progress = 1
+      status = "Done...\r\n"
+    block = int(round(barLength*progress))
+    text = "\rUploading: [{0}] {1}% {2}".format( "="*block + " "*(barLength-block), int(progress*100), status)
+    sys.stderr.write(text)
+    sys.stderr.flush()
+  else:
+    sys.stderr.write('.')
+    sys.stderr.flush()
+
+def serve(remoteAddr, localAddr, remotePort, localPort, password, filename, command = FLASH):
+  # Create a TCP/IP socket
+  sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  server_address = (localAddr, localPort)
+  logging.info('Starting on %s:%s', str(server_address[0]), str(server_address[1]))
+  try:
+    sock.bind(server_address)
+    sock.listen(1)
+  except:
+    logging.error("Listen Failed")
+    return 1
+
+  content_size = os.path.getsize(filename)
+  f = open(filename,'rb')
+  file_md5 = hashlib.md5(f.read()).hexdigest()
+  f.close()
+  logging.info('Upload size: %d', content_size)
+  message = '%d %d %d %s\n' % (command, localPort, content_size, file_md5)
+
+  # Wait for a connection
+  inv_trys = 0
+  data = ''
+  msg = 'Sending invitation to %s ' % (remoteAddr)
+  sys.stderr.write(msg)
+  sys.stderr.flush()
+  while (inv_trys < 10):
+    inv_trys += 1
+    sock2 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    remote_address = (remoteAddr, int(remotePort))
+    sent = sock2.sendto(message.encode(), remote_address)
+    sock2.settimeout(1)
+    try:
+      data = sock2.recv(37).decode()
+      break;
+    except:
+      sys.stderr.write('.')
+      sys.stderr.flush()
+      sock2.close()
+  sys.stderr.write('\n')
+  sys.stderr.flush()
+  if (inv_trys == 10):
+    logging.error('No response from the ESP')
+    return 1
+  if (data != "OK"):
+    if(data.startswith('AUTH')):
+      nonce = data.split()[1]
+      cnonce_text = '%s%u%s%s' % (filename, content_size, file_md5, remoteAddr)
+      cnonce = hashlib.md5(cnonce_text.encode()).hexdigest()
+      passmd5 = hashlib.md5(password.encode()).hexdigest()
+      result_text = '%s:%s:%s' % (passmd5 ,nonce, cnonce)
+      result = hashlib.md5(result_text.encode()).hexdigest()
+      sys.stderr.write('Authenticating...')
+      sys.stderr.flush()
+      message = '%d %s %s\n' % (AUTH, cnonce, result)
+      sock2.sendto(message.encode(), remote_address)
+      sock2.settimeout(10)
+      try:
+        data = sock2.recv(32).decode()
+      except:
+        sys.stderr.write('FAIL\n')
+        logging.error('No Answer to our Authentication')
+        sock2.close()
+        return 1
+      if (data != "OK"):
+        sys.stderr.write('FAIL\n')
+        logging.error('%s', data)
+        sock2.close()
+        sys.exit(1);
+        return 1
+      sys.stderr.write('OK\n')
+    else:
+      logging.error('Bad Answer: %s', data)
+      sock2.close()
+      return 1
+  sock2.close()
+
+  logging.info('Waiting for device...')
+  try:
+    sock.settimeout(10)
+    connection, client_address = sock.accept()
+    sock.settimeout(None)
+    connection.settimeout(None)
+  except:
+    logging.error('No response from device')
+    sock.close()
+    return 1
+
+  try:
+    f = open(filename, "rb")
+    if (PROGRESS):
+      update_progress(0)
+    else:
+      sys.stderr.write('Uploading')
+      sys.stderr.flush()
+    offset = 0
+    while True:
+      chunk = f.read(1460)
+      if not chunk: break
+      offset += len(chunk)
+      update_progress(offset/float(content_size))
+      connection.settimeout(10)
+      try:
+        connection.sendall(chunk)
+        res = connection.recv(5)
+      except:
+        sys.stderr.write('\n')
+        logging.error('Error Uploading')
+        connection.close()
+        f.close()
+        sock.close()
+        return 1
+
+    sys.stderr.write('\n')
+    logging.info('Waiting for result...')
+    try:
+      connection.settimeout(60)
+      data = connection.recv(32).decode()
+      logging.info('Result: %s' ,data)
+      connection.close()
+      f.close()
+      sock.close()
+      if (data != "OK"):
+        sys.stderr.write('\n')
+        logging.error('%s', data)
+        return 1;
+      return 0
+    except:
+      logging.error('No Result!')
+      connection.close()
+      f.close()
+      sock.close()
+      return 1
+
+  finally:
+    connection.close()
+    f.close()
+
+  sock.close()
+  return 1
+# end serve
+
+
+def parser(unparsed_args):
+  parser = optparse.OptionParser(
+    usage = "%prog [options]",
+    description = "Transmit image over the air to the esp8266 module with OTA support."
+  )
+
+  # destination ip and port
+  group = optparse.OptionGroup(parser, "Destination")
+  group.add_option("-i", "--ip",
+    dest = "esp_ip",
+    action = "store",
+    help = "ESP8266 IP Address.",
+    default = False
+  )
+  group.add_option("-I", "--host_ip",
+    dest = "host_ip",
+    action = "store",
+    help = "Host IP Address.",
+    default = "0.0.0.0"
+  )
+  group.add_option("-p", "--port",
+    dest = "esp_port",
+    type = "int",
+    help = "ESP8266 ota Port. Default 8266",
+    default = 8266
+  )
+  group.add_option("-P", "--host_port",
+    dest = "host_port",
+    type = "int",
+    help = "Host server ota Port. Default random 10000-60000",
+    default = random.randint(10000,60000)
+  )
+  parser.add_option_group(group)
+
+  # auth
+  group = optparse.OptionGroup(parser, "Authentication")
+  group.add_option("-a", "--auth",
+    dest = "auth",
+    help = "Set authentication password.",
+    action = "store",
+    default = ""
+  )
+  parser.add_option_group(group)
+
+  # image
+  group = optparse.OptionGroup(parser, "Image")
+  group.add_option("-f", "--file",
+    dest = "image",
+    help = "Image file.",
+    metavar="FILE",
+    default = None
+  )
+  group.add_option("-s", "--spiffs",
+    dest = "spiffs",
+    action = "store_true",
+    help = "Use this option to transmit a SPIFFS image and do not flash the module.",
+    default = False
+  )
+  parser.add_option_group(group)
+
+  # output group
+  group = optparse.OptionGroup(parser, "Output")
+  group.add_option("-d", "--debug",
+    dest = "debug",
+    help = "Show debug output. And override loglevel with debug.",
+    action = "store_true",
+    default = False
+  )
+  group.add_option("-r", "--progress",
+    dest = "progress",
+    help = "Show progress output. Does not work for ArduinoIDE",
+    action = "store_true",
+    default = False
+  )
+  parser.add_option_group(group)
+
+  (options, args) = parser.parse_args(unparsed_args)
+
+  return options
+# end parser
+
+
+def main(args):
+  options = parser(args)
+  loglevel = logging.WARNING
+  if (options.debug):
+    loglevel = logging.DEBUG
+
+  logging.basicConfig(level = loglevel, format = '%(asctime)-8s [%(levelname)s]: %(message)s', datefmt = '%H:%M:%S')
+  logging.debug("Options: %s", str(options))
+
+  # check options
+  global PROGRESS
+  PROGRESS = options.progress
+  if (not options.esp_ip or not options.image):
+    logging.critical("Not enough arguments.")
+    return 1
+
+  command = FLASH
+  if (options.spiffs):
+    command = SPIFFS
+
+  return serve(options.esp_ip, options.host_ip, options.esp_port, options.host_port, options.auth, options.image, command)
+# end main
+
+
+if __name__ == '__main__':
+  sys.exit(main(sys.argv))
--- a/tools/gen_esp32part.exe
+++ b/tools/gen_esp32part.exe
--- a/tools/platformio-build.py
+++ b/tools/platformio-build.py
@ -51,6 +51,7 @@ env.Prepend(
    CPPPATH=[
        join(FRAMEWORK_DIR, "tools", "sdk", "include", "config"),
        join(FRAMEWORK_DIR, "tools", "sdk", "include", "bluedroid"),
+        join(FRAMEWORK_DIR, "tools", "sdk", "include", "bootloader_support"),
        join(FRAMEWORK_DIR, "tools", "sdk", "include", "bt"),
        join(FRAMEWORK_DIR, "tools", "sdk", "include", "driver"),
        join(FRAMEWORK_DIR, "tools", "sdk", "include", "esp32"),
--- a/tools/sdk/include/bootloader_support/esp_efuse.h
+++ b/tools/sdk/include/bootloader_support/esp_efuse.h
@ -0,0 +1,56 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#ifndef _ESP_EFUSE_H
+#define _ESP_EFUSE_H
+
+#include "soc/efuse_reg.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* @brief Permanently update values written to the efuse write registers
+ *
+ * After updating EFUSE_BLKx_WDATAx_REG registers with new values to
+ * write, call this function to permanently write them to efuse.
+ *
+ * @note Setting bits in efuse is permanent, they cannot be unset.
+ *
+ * @note Due to this restriction you don't need to copy values to
+ * Efuse write registers from the matching read registers, bits which
+ * are set in the read register but unset in the matching write
+ * register will be unchanged when new values are burned.
+ *
+ * @note This function is not threadsafe, if calling code updates
+ * efuse values from multiple tasks then this is caller's
+ * responsibility to serialise.
+ *
+ * After burning new efuses, the read registers are updated to match
+ * the new efuse values.
+ */
+void esp_efuse_burn_new_values(void);
+
+/* @brief Reset efuse write registers
+ *
+ * Efuse write registers are written to zero, to negate
+ * any changes that have been staged here.
+ */
+void esp_efuse_reset(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __ESP_EFUSE_H */
+
--- a/tools/sdk/include/bootloader_support/esp_flash_encrypt.h
+++ b/tools/sdk/include/bootloader_support/esp_flash_encrypt.h
@ -0,0 +1,102 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#ifndef __ESP32_FLASH_ENCRYPT_H
+#define __ESP32_FLASH_ENCRYPT_H
+
+#include <stdbool.h>
+#include "esp_attr.h"
+#include "esp_err.h"
+#include "esp_spi_flash.h"
+#include "soc/efuse_reg.h"
+
+/**
+ * @file esp_partition.h
+ * @brief Support functions for flash encryption features
+ *
+ * Can be compiled as part of app or bootloader code.
+ */
+
+/** @brief Is flash encryption currently enabled in hardware?
+ *
+ * Flash encryption is enabled if the FLASH_CRYPT_CNT efuse has an odd number of bits set.
+ *
+ * @return true if flash encryption is enabled.
+ */
+static inline /** @cond */ IRAM_ATTR /** @endcond */ bool esp_flash_encryption_enabled(void) {
+    uint32_t flash_crypt_cnt = REG_GET_FIELD(EFUSE_BLK0_RDATA0_REG, EFUSE_RD_FLASH_CRYPT_CNT);
+    /* __builtin_parity is in flash, so we calculate parity inline */
+    bool enabled = false;
+    while(flash_crypt_cnt) {
+        if (flash_crypt_cnt & 1) {
+            enabled = !enabled;
+        }
+        flash_crypt_cnt >>= 1;
+    }
+    return enabled;
+}
+
+/* @brief Update on-device flash encryption
+ *
+ * Intended to be called as part of the bootloader process if flash
+ * encryption is enabled in device menuconfig.
+ *
+ * If FLASH_CRYPT_CNT efuse parity is 1 (ie odd number of bits set),
+ * then return ESP_OK immediately (indicating flash encryption is enabled
+ * and functional).
+ *
+ * If FLASH_CRYPT_CNT efuse parity is 0 (ie even number of bits set),
+ * assume the flash has just been written with plaintext that needs encrypting.
+ *
+ * The following regions of flash are encrypted in place:
+ *
+ * - The bootloader image, if a valid plaintext image is found.[*]
+ * - The partition table, if a valid plaintext table is found.
+ * - Any app partition that contains a valid plaintext app image.
+ * - Any other partitions with the "encrypt" flag set. [**]
+ *
+ * After the re-encryption process completes, a '1' bit is added to the
+ * FLASH_CRYPT_CNT value (setting the parity to 1) and the EFUSE is re-burned.
+ *
+ * [*] If reflashing bootloader with secure boot enabled, pre-encrypt
+ * the bootloader before writing it to flash or secure boot will fail.
+ *
+ * [**] For this reason, if serial re-flashing a previous flashed
+ * device with secure boot enabled and using FLASH_CRYPT_CNT to
+ * trigger re-encryption, you must simultaneously re-flash plaintext
+ * content to all partitions with the "encrypt" flag set or this
+ * data will be corrupted (encrypted twice).
+ *
+ * @note The post-condition of this function is that all
+ * partitions that should be encrypted are encrypted.
+ *
+ * @note Take care not to power off the device while this function
+ * is running, or the partition currently being encrypted will be lost.
+ *
+ * @return ESP_OK if all operations succeeded, ESP_ERR_INVALID_STATE
+ * if a fatal error occured during encryption of all partitions.
+ */
+esp_err_t esp_flash_encrypt_check_and_update(void);
+
+
+/** @brief Encrypt-in-place a block of flash sectors
+ *
+ * @param src_addr Source offset in flash. Should be multiple of 4096 bytes.
+ * @param data_length Length of data to encrypt in bytes. Will be rounded up to next multiple of 4096 bytes.
+ *
+ * @return ESP_OK if all operations succeeded, ESP_ERR_FLASH_OP_FAIL
+ * if SPI flash fails, ESP_ERR_FLASH_OP_TIMEOUT if flash times out.
+ */
+esp_err_t esp_flash_encrypt_region(uint32_t src_addr, size_t data_length);
+
+#endif
--- a/tools/sdk/include/bootloader_support/esp_flash_partitions.h
+++ b/tools/sdk/include/bootloader_support/esp_flash_partitions.h
@ -0,0 +1,39 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#ifndef __ESP_FLASH_PARTITIONS_H
+#define __ESP_FLASH_PARTITIONS_H
+
+#include "esp_err.h"
+#include "esp_flash_data_types.h"
+#include <stdbool.h>
+
+/* Pre-partition table fixed flash offsets */
+#define ESP_BOOTLOADER_DIGEST_OFFSET 0x0
+#define ESP_BOOTLOADER_OFFSET 0x1000 /* Offset of bootloader image. Has matching value in bootloader KConfig.projbuild file. */
+#define ESP_PARTITION_TABLE_OFFSET 0x8000 /* Offset of partition table. Has matching value in partition_table Kconfig.projbuild file. */
+
+#define ESP_PARTITION_TABLE_MAX_LEN 0xC00 /* Maximum length of partition table data */
+#define ESP_PARTITION_TABLE_MAX_ENTRIES (ESP_PARTITION_TABLE_MAX_LEN / sizeof(esp_partition_info_t)) /* Maximum length of partition table data, including terminating entry */
+
+/* @brief Verify the partition table (does not include verifying secure boot cryptographic signature)
+ *
+ * @param partition_table Pointer to at least ESP_PARTITION_TABLE_MAX_ENTRIES of potential partition table data. (ESP_PARTITION_TABLE_MAX_LEN bytes.)
+ * @param log_errors Log errors if the partition table is invalid.
+ * @param num_partitions If result is ESP_OK, num_partitions is updated with total number of partitions (not including terminating entry).
+ *
+ * @return ESP_OK on success, ESP_ERR_INVALID_STATE if partition table is not valid.
+ */
+esp_err_t esp_partition_table_basic_verify(const esp_partition_info_t *partition_table, bool log_errors, int *num_partitions);
+
+#endif
--- a/tools/sdk/include/bootloader_support/esp_image_format.h
+++ b/tools/sdk/include/bootloader_support/esp_image_format.h
@ -0,0 +1,143 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#ifndef __ESP32_IMAGE_FORMAT_H
+#define __ESP32_IMAGE_FORMAT_H
+
+#include <stdbool.h>
+#include <esp_err.h>
+
+#define ESP_ERR_IMAGE_BASE       0x2000
+#define ESP_ERR_IMAGE_FLASH_FAIL (ESP_ERR_IMAGE_BASE + 1)
+#define ESP_ERR_IMAGE_INVALID    (ESP_ERR_IMAGE_BASE + 2)
+
+/* Support for app/bootloader image parsing
+   Can be compiled as part of app or bootloader code.
+*/
+
+/* SPI flash mode, used in esp_image_header_t */
+typedef enum {
+    ESP_IMAGE_SPI_MODE_QIO,
+    ESP_IMAGE_SPI_MODE_QOUT,
+    ESP_IMAGE_SPI_MODE_DIO,
+    ESP_IMAGE_SPI_MODE_DOUT,
+    ESP_IMAGE_SPI_MODE_FAST_READ,
+    ESP_IMAGE_SPI_MODE_SLOW_READ
+} esp_image_spi_mode_t;
+
+/* SPI flash clock frequency */
+enum {
+    ESP_IMAGE_SPI_SPEED_40M,
+    ESP_IMAGE_SPI_SPEED_26M,
+    ESP_IMAGE_SPI_SPEED_20M,
+    ESP_IMAGE_SPI_SPEED_80M = 0xF
+} esp_image_spi_freq_t;
+
+/* Supported SPI flash sizes */
+typedef enum {
+    ESP_IMAGE_FLASH_SIZE_1MB = 0,
+    ESP_IMAGE_FLASH_SIZE_2MB,
+    ESP_IMAGE_FLASH_SIZE_4MB,
+    ESP_IMAGE_FLASH_SIZE_8MB,
+    ESP_IMAGE_FLASH_SIZE_16MB,
+    ESP_IMAGE_FLASH_SIZE_MAX
+} esp_image_flash_size_t;
+
+#define ESP_IMAGE_HEADER_MAGIC 0xE9
+
+/* Main header of binary image */
+typedef struct {
+    uint8_t magic;
+    uint8_t segment_count;
+    uint8_t spi_mode;      /* flash read mode (esp_image_spi_mode_t as uint8_t) */
+    uint8_t spi_speed: 4;  /* flash frequency (esp_image_spi_freq_t as uint8_t) */
+    uint8_t spi_size: 4;   /* flash chip size (esp_image_flash_size_t as uint8_t) */
+    uint32_t entry_addr;
+    uint8_t encrypt_flag;    /* encrypt flag */
+    uint8_t extra_header[15]; /* ESP32 additional header, unused by second bootloader */
+}  esp_image_header_t;
+
+/* Header of binary image segment */
+typedef struct {
+    uint32_t load_addr;
+    uint32_t data_len;
+} esp_image_segment_header_t;
+
+
+/**
+ * @brief Read an ESP image header from flash.
+ *
+ * If encryption is enabled, data will be transparently decrypted.
+ *
+ * @param src_addr Address in flash to load image header. Must be 4 byte aligned.
+ * @param log_errors Log error output if image header appears invalid.
+ * @param[out] image_header Pointer to an esp_image_header_t struture to be filled with data. If the function fails, contents are undefined.
+ *
+ * @return ESP_OK if image header was loaded, ESP_ERR_IMAGE_FLASH_FAIL
+ * if a SPI flash error occurs, ESP_ERR_IMAGE_INVALID if the image header
+ * appears invalid.
+ */
+esp_err_t esp_image_load_header(uint32_t src_addr, bool log_errors, esp_image_header_t *image_header);
+
+/**
+ * @brief Read the segment header and data offset of a segment in the image.
+ *
+ * If encryption is enabled, data will be transparently decrypted.
+ *
+ * @param index Index of the segment to load information for.
+ * @param src_addr Base address in flash of the image.
+ * @param[in] image_header Pointer to the flash image header, already loaded by @ref esp_image_load_header().
+ * @param log_errors Log errors reading the segment header.
+ * @param[out] segment_header Pointer to a segment header structure to be filled with data. If the function fails, contents are undefined.
+ * @param[out] segment_data_offset Pointer to the data offset of the segment.
+ *
+ * @return ESP_OK if segment_header & segment_data_offset were loaded successfully, ESP_ERR_IMAGE_FLASH_FAIL if a SPI flash error occurs, ESP_ERR_IMAGE_INVALID if the image header appears invalid, ESP_ERR_INVALID_ARG if the index is invalid.
+ */
+esp_err_t esp_image_load_segment_header(uint8_t index, uint32_t src_addr, const esp_image_header_t *image_header, bool log_errors, esp_image_segment_header_t *segment_header, uint32_t *segment_data_offset);
+
+
+/**
+ * @brief Non-cryptographically validate app image integrity. On success, length of image is provided to caller.
+ *
+ * If the image has a secure boot signature appended, the signature is not checked and this length is not included in the
+ * output value.
+ *
+ * Image validation checks:
+ * - Magic byte
+ * - No single segment longer than 16MB
+ * - Total image no longer than 16MB
+ * - 8 bit image checksum is valid
+ *
+ * If flash encryption is enabled, the image will be tranpsarently decrypted.
+ *
+ * @param src_addr Offset of the start of the image in flash. Must be 4 byte aligned.
+ * @param allow_decrypt If true and flash encryption is enabled, the image will be transparently decrypted.
+ * @param log_errors Log errors verifying the image.
+ * @param[out] length Length of the image, set to a value if the image is valid. Can be null.
+ *
+ * @return ESP_OK if image is valid, ESP_FAIL or ESP_ERR_IMAGE_INVALID on errors.
+ *
+ */
+esp_err_t esp_image_basic_verify(uint32_t src_addr, bool log_errors, uint32_t *length);
+
+
+typedef struct {
+    uint32_t drom_addr;
+    uint32_t drom_load_addr;
+    uint32_t drom_size;
+    uint32_t irom_addr;
+    uint32_t irom_load_addr;
+    uint32_t irom_size;
+} esp_image_flash_mapping_t;
+
+#endif
--- a/tools/sdk/include/bootloader_support/esp_secure_boot.h
+++ b/tools/sdk/include/bootloader_support/esp_secure_boot.h
@ -0,0 +1,91 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#ifndef __ESP32_SECUREBOOT_H
+#define __ESP32_SECUREBOOT_H
+
+#include <stdbool.h>
+#include <esp_err.h>
+#include "soc/efuse_reg.h"
+
+/* Support functions for secure boot features.
+
+   Can be compiled as part of app or bootloader code.
+*/
+
+/** @brief Is secure boot currently enabled in hardware?
+ *
+ * Secure boot is enabled if the ABS_DONE_0 efuse is blown. This means
+ * that the ROM bootloader code will only boot a verified secure
+ * bootloader digest from now on.
+ *
+ * @return true if secure boot is enabled.
+ */
+static inline bool esp_secure_boot_enabled(void) {
+    return REG_READ(EFUSE_BLK0_RDATA6_REG) & EFUSE_RD_ABS_DONE_0;
+}
+
+
+/** @brief Enable secure boot if it is not already enabled.
+ *
+ * @important If this function succeeds, secure boot is permanently
+ * enabled on the chip via efuse.
+ *
+ * @important This function is intended to be called from bootloader code only.
+ *
+ * If secure boot is not yet enabled for bootloader, this will
+ * generate the secure boot digest and enable secure boot by blowing
+ * the EFUSE_RD_ABS_DONE_0 efuse.
+ *
+ * This function does not verify secure boot of the bootloader (the
+ * ROM bootloader does this.)
+ *
+ * Will fail if efuses have been part-burned in a way that indicates
+ * secure boot should not or could not be correctly enabled.
+ *
+ *
+ * @return ESP_ERR_INVALID_STATE if efuse state doesn't allow
+ * secure boot to be enabled cleanly. ESP_OK if secure boot
+ * is enabled on this chip from now on.
+ */
+esp_err_t esp_secure_boot_permanently_enable(void);
+
+/** @brief Verify the secure boot signature (determinstic ECDSA w/ SHA256) appended to some binary data in flash.
+ *
+ * Public key is compiled into the calling program. See docs/security/secure-boot.rst for details.
+ *
+ * @param src_addr Starting offset of the data in flash.
+ * @param length Length of data in bytes. Signature is appended -after- length bytes.
+ *
+ * If flash encryption is enabled, the image will be transparently decrypted while being verified.
+ *
+ * @return ESP_OK if signature is valid, ESP_ERR_INVALID_STATE if
+ * signature fails, ESP_FAIL for other failures (ie can't read flash).
+ */
+esp_err_t esp_secure_boot_verify_signature(uint32_t src_addr, uint32_t length);
+
+/** @brief Secure boot verification block, on-flash data format. */
+typedef struct {
+    uint32_t version;
+    uint8_t signature[64];
+} esp_secure_boot_sig_block_t;
+
+#define FLASH_OFFS_SECURE_BOOT_IV_DIGEST 0
+
+/** @brief Secure boot IV+digest header */
+typedef struct {
+    uint8_t iv[128];
+    uint8_t digest[64];
+} esp_secure_boot_iv_digest_t;
+
+#endif