The ESP-IDF Software Bootloader performs the following functions:
Minimal initial configuration of internal modules;
Select the application partition to boot, based on the partition table and ota_data (if any);
Load this image to RAM (IRAM & DRAM) and transfer management to it.
Bootloader is located at the address 0x1000 in the flash.
For a full description of the startup process including the the ESP-IDF bootloader, see Application Startup Flow.
It is recommended to update to newer versions of ESP-IDF: when they are released. The OTA (over the air) update process can flash new apps in the field but cannot flash a new bootloader. For this reason, the bootloader supports booting apps built from newer versions of ESP-IDF.
The bootloader does not support booting apps from older versions of ESP-IDF. When updating ESP-IDF manually on an existing product that might need to downgrade the app to an older version, keep using the older ESP-IDF bootloader binary as well.
If testing an OTA update for an existing product in production, always test it using the same ESP-IDF bootloader binary that is deployed in production.
SPI Flash Configuration¶
Each ESP-IDF application or bootloader .bin file contains a header with CONFIG_ESPTOOLPY_FLASHMODE, CONFIG_ESPTOOLPY_FLASHFREQ, CONFIG_ESPTOOLPY_FLASHSIZE embedded in it. These are used to configure the SPI flash during boot.
The First stage bootloader in ROM reads the Second stage bootloader header from flash and uses these settings to load it. However, at this time the system clock speed is lower than configured and not all flash modes are supported. When the Second stage bootloader then runs and re-configures the flash, it reads values from the currently selected app binary header not the bootloader header. This allows an OTA update to change the SPI flash settings in use.
The default bootloader log level is “Info”. By setting the CONFIG_BOOTLOADER_LOG_LEVEL option, it’s possible to increase or decrease this level. This log level is separate from the log level used in the app (see Logging library).
Reducing bootloader log verbosity can improve the overall project boot time by a small amount.
Sometimes it is desirable to have a way for the device to fall back to a known-good state, in case of some problem with an update.
To roll back to the original “factory” device configuration and clear any user settings, configure the config item CONFIG_BOOTLOADER_FACTORY_RESET in the bootloader.
The factory reset mechanism allows to reset the device to factory settings in two ways:
Clear one or more data partitions. CONFIG_BOOTLOADER_DATA_FACTORY_RESET allows customers to select which data partitions will be erased when the factory reset is executed.
Can specify the names of partitions as a comma-delimited list with optional spaces for readability. (Like this:
nvs, phy_init, nvs_custom).
Make sure that the names of partitions specified in the partition table and here are the same. Partitions of type “app” cannot be specified here.
Boot from “factory” app partition. CONFIG_BOOTLOADER_OTA_DATA_ERASE - the device will boot from the default “factory” app partition (or if there is no factory app partition in the partition table then the default ota app partition) after a factory reset. This is done by erasing the OTA data partition which holds the currently selected OTA partition slot. The “factory” app partition slot (if it exists) is never updated via OTA, so resetting to this allows reverting to a “known good” firmware application.
Either or both of these configuration options can be enabled independently.
In addition, the following configuration options control the reset condition:
CONFIG_BOOTLOADER_NUM_PIN_FACTORY_RESET- number of the GPIO input for factory reset uses to trigger a factory reset, this GPIO must be pulled low or high (configurable) on reset to trigger this.
CONFIG_BOOTLOADER_HOLD_TIME_GPIO- this is hold time of GPIO for reset/test mode (by default 5 seconds). The GPIO must be held continuously for this period of time after reset before a factory reset or test partition boot (as applicable) is performed.
CONFIG_BOOTLOADER_FACTORY_RESET_PIN_LEVEL - configure whether a factory reset should trigger on a high or low level of the GPIO. If the GPIO has an internal pullup then this is enabled before the pin is sampled, consult the ESP32-S2 datasheet for details on pin internal pullups.
Boot from Test Firmware¶
It’s possible to write a special firmware app for testing in production, and boot this firmware when needed. The project partition table will need a dedicated app partition entry for this testing app, type
app and subtype
test (see Partition Tables).
Implementing a dedicated test app firmware requires creating a totally separate ESP-IDF project for the test app (each project in ESP-IDF only builds one app). The test app can be developed and tested independently of the main project, and then integrated at production testing time as a pre-compiled .bin file which is flashed to the address of the main project’s test app partition.
To support this functionality in the main project’s bootloader, set the configuration item CONFIG_BOOTLOADER_APP_TEST and configure the following two items:
CONFIG_BOOTLOADER_NUM_PIN_APP_TEST - GPIO number to boot TEST partition. The selected GPIO will be configured as an input with internal pull-up enabled. To trigger a test app, this GPIO must be pulled low on reset.
After the GPIO input is deactivated and the device reboots, the normally configured application will boot (factory or any OTA app partition slot).
CONFIG_BOOTLOADER_HOLD_TIME_GPIO - this is hold time of GPIO for reset/test mode (by default 5 seconds). The GPIO must be held low continuously for this period of time after reset before a factory reset or test partition boot (as applicable) is performed.
Rollback and anti-rollback features must be configured in the bootloader as well.
By default, the hardware RTC Watchdog timer remains running while the bootloader is running and will automatically reset the chip if no app has successfully started after 9 seconds.
The timeout period can be adjusted by setting CONFIG_BOOTLOADER_WDT_TIME_MS and recompiling the bootloader.
The app’s behaviour can be adjusted so the RTC Watchdog remains enabled after app startup. The Watchdog would need to be explicitly reset or “fed” by the app to avoid a reset. To do this, set the CONFIG_BOOTLOADER_WDT_DISABLE_IN_USER_CODE option, modify the app as needed, and then recompile the app.
The RTC Watchdog can be disabled in the bootloader by disabling the CONFIG_BOOTLOADER_WDT_ENABLE setting and recompiling the bootloader. This is not recommended.
When enabling additional bootloader functions, including Flash Encryption or Secure Boot, and especially if setting a high CONFIG_BOOTLOADER_LOG_LEVEL level, then it is important to monitor the bootloader .bin file’s size.
When using the default CONFIG_PARTITION_TABLE_OFFSET value 0x8000, the size limit is 0x7000 (28672) bytes.
If the bootloader binary is too large, then the bootloader build will fail with an error “Bootloader binary size [..] is too large for partition table offset”. If the bootloader binary is flashed anyhow then the ESP32-S2 will fail to boot - errors will be logged about either invalid partition table or invalid bootloader checksum.
The bootloader size check only happens in the CMake Build System, when using the legacy GNU Make Build System the size is not checked but the ESP32-S2 will fail to boot if bootloader is too large.
Options to work around this are:
Set bootloader compiler optimization back to “Size” if it has been changed from this default value.
Reduce bootloader log level. Setting log level to Warning, Error or None all significantly reduce the final binary size (but may make it harder to debug).
Set CONFIG_PARTITION_TABLE_OFFSET to a higher value than 0x8000, to place the partition table later in the flash. This increases the space available for the bootloader. If the partition table CSV file contains explicit partition offsets, they will need changing so no partition has an offset lower than
CONFIG_PARTITION_TABLE_OFFSET + 0x1000. (This includes the default partition CSV files supplied with ESP-IDF.)
When Secure Boot V2 is enabled, there is also an absolute binary size limit of 64KB (0x10000 bytes) (excluding the 4KB signature), because the bootloader is first loaded into a fixed size buffer for verification.
Fast boot from Deep Sleep¶
The bootloader has the CONFIG_BOOTLOADER_SKIP_VALIDATE_IN_DEEP_SLEEP option which allows to reduce the wake-up time (useful to reduce consumption). This option is available when CONFIG_SECURE_BOOT option is disabled. Reduction of time is achieved due to the lack of image verification. During the first boot, the bootloader stores the address of the application being launched in the RTC FAST memory. And during the awakening, this address is used for booting without any checks, thus fast loading is achieved.
The current bootloader implementation allows a project to extend it or modify it. There are two ways of doing it: by implementing hooks or by overriding it. Both ways are presented in custom_bootloader folder in ESP-IDF examples:
bootloader_hooks which presents how to connect some hooks to the bootloader initialization
bootloader_override which presents how to override the bootloader implementation
In the bootloader space, you cannot use the drivers and functions from other components. If necessary, then the required functionality should be placed in the project’s bootloader_components directory (note that this will increase its size).
If the bootloader grows too large then it can collide with the partition table, which is flashed at offset 0x8000 by default. Increase the partition table offset value to place the partition table later in the flash. This increases the space available for the bootloader.
Customize the bootloader by using either method is only supported with CMake build system (i.e. not supported with legacy Make build system).