OTA Secure Update using ESP32

crisay794266 · ‎2025-08-21

Hello everyone,

I would like to update the STM32 remotely using ESP32. So the Idea is to transfer the signed image via Bluetooth and to store it firstly on the esp32, which will transfer it in the end via UART to the STM32.

After that the secure boot on the stm32 must verify the image signature. I came across X-CUBE-SBSFU but I actually don't know how to use it in my case. Should I only use the Ymodem protocol ?

Best regards

Jocelyn RICARD · ‎2025-08-22

Hello @crisay794266 ,

The Ymodem protocol proposed in secure boot examples can be replaced by any other protocol.

Its purpose is just to download a new firmware image (signed and encrypted) into flash.

The only constraint for such protocol is to be able to work by chunks of data with acknowledge.

This way, the ESP32 sends a chunk of data, say 1KB to the STM32. STM32 writes this data in download slot in flash and acknowledge the transfer to get next chunk.

That's all you need to do.

The Ymodem implementation in secure boot examples provides a callback to manage flash write. This callback can be reused and adapted to your need.

Best regards

Jocelyn

View solution in original post

Jocelyn RICARD · ‎2025-08-22

Hello @crisay794266 ,

The Ymodem protocol proposed in secure boot examples can be replaced by any other protocol.

Its purpose is just to download a new firmware image (signed and encrypted) into flash.

The only constraint for such protocol is to be able to work by chunks of data with acknowledge.

This way, the ESP32 sends a chunk of data, say 1KB to the STM32. STM32 writes this data in download slot in flash and acknowledge the transfer to get next chunk.

That's all you need to do.

The Ymodem implementation in secure boot examples provides a callback to manage flash write. This callback can be reused and adapted to your need.

Best regards

Jocelyn