Background
I'd like to replace the Tasmota firmware of a WiFi socket with my own firmware. The TTL port of the ESP8285H16 (=ESP8266 + 2MB flash) is not accessible without breaking the case, and I need to re-flash a bunch of devices, so I have to upload my firmware over-the-air.
This is supported by the Tasmota firmware (download firmware from an HTTP server to flash), and my plan is to set the update URL to my own HTTP server where I provide my firmware.bin.
Before doing so I wanted to know the partition table used in the Tasmota firmware, so I know how big my firmware and possibly filesystem can get (partition table can not be changed easily through OTA).
So, I cracked open one of the sockets, connected all relevant lines and did
python esptool.py read_flash 0x0 0x1fffff partition.bin
to retrieve a full 2MB flash image.
Expectation
I've played with flash images of the ESP32 before and expected the flash image to have this format in general:
- empty bytes or don't-care-data until address 0x1000
- 2nd stage bootloader starts at 0x1000
- partition table starts at 0x8000
- partitions start at addresses given in the partition table
The start of each section is typically quite prominent when scrolling through the binary file because the previous section ends with empty bytes ff if not fully used:
address 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff -> starting with empty bytes
00000010 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
00000020 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
... ... more empty bytes
00000ff0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
00001000 e9 04 02 40 a8 06 08 40 ee 00 00 00 00 00 00 00 -> bootloader starts at 0x1000
00001010 00 00 00 00 00 00 00 01 18 00 ff 3f 04 00 00 00
00001020 ff ff ff ff 1c 00 ff 3f 14 04 00 00 00 00 00 00
00001030 00 00 00 80 00 00 00 a0 00 00 00 c0 00 00 00 e0
... ...
00007fb0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
00007fc0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
00007fd0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
00007fe0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
00007ff0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff -> end of bootloader section
00008000 aa 50 01 02 00 90 00 00 00 50 00 00 6e 76 73 00 -> partition table starts at 0x8000
00008010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00008020 aa 50 01 00 00 e0 00 00 00 20 00 00 6f 74 61 64
00008030 61 74 61 00 00 00 00 00 00 00 00 00 00 00 00 00
00008040 aa 50 00 10 00 00 01 00 00 00 50 00 61 70 70 30
00008050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00008060 aa 50 00 11 00 00 51 00 00 00 50 00 61 70 70 31
00008070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00008080 aa 50 01 82 00 00 a1 00 40 4b 4c 00 73 70 69 66
00008090 66 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000080a0 eb eb ff ff ff ff ff ff ff ff ff ff ff ff ff ff
000080b0 02 32 d8 c6 38 83 7f b6 21 c5 80 7d 16 af d9 cd
000080c0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
000080d0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ->
000080e0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
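As an added illustration (not part of the question), the following parser decodes the 32-byte partition entries visible in the reference ESP32 dump above, verifies the trailing 0xEBEB MD5 record, and reports whether the declared partitions fit a given flash size. The sample bytes are copied from the dump; the field layout follows Espressif's documented partition table format.

```python
import hashlib
import struct

PART_MAGIC = b"\xaa\x50"   # start of every 32-byte partition entry
MD5_MAGIC = b"\xeb\xeb"    # checksum record: 0xEBEB, 14 x 0xFF, 16-byte MD5
ENTRY = struct.Struct("<2sBBII16sI")  # magic, type, subtype, offset, size, label, flags
TYPE_NAMES = {0x00: "app", 0x01: "data"}

# Bytes 0x8000..0x80cf of the reference ESP32 image shown in the question.
SAMPLE_TABLE = bytes.fromhex(
    "aa50010200900000005000006e767300" "00000000000000000000000000000000"
    "aa50010000e00000002000006f746164" "61746100000000000000000000000000"
    "aa500010000001000000500061707030" "00000000000000000000000000000000"
    "aa500011000051000000500061707031" "00000000000000000000000000000000"
    "aa5001820000a100404b4c0073706966" "66730000000000000000000000000000"
    "ebebffffffffffffffffffffffffffff" "0232d8c638837fb621c5807d16afd9cd"
    "ffffffffffffffffffffffffffffffff"
)

def parse_partition_table(blob: bytes):
    """Return (entries, md5_ok); md5_ok is None when no checksum record is present."""
    entries, md5_ok = [], None
    for pos in range(0, len(blob) - ENTRY.size + 1, ENTRY.size):
        chunk = blob[pos:pos + ENTRY.size]
        if chunk[:2] == MD5_MAGIC:
            # The MD5 covers every entry that precedes the checksum record.
            md5_ok = hashlib.md5(blob[:pos]).digest() == chunk[16:]
            break
        if chunk[:2] != PART_MAGIC:
            break  # 0xFF padding (or garbage): end of the table
        _, ptype, subtype, offset, size, label, _ = ENTRY.unpack(chunk)
        entries.append({
            "type": TYPE_NAMES.get(ptype, hex(ptype)), "subtype": subtype,
            "offset": offset, "size": size,
            "label": label.split(b"\0", 1)[0].decode("ascii", "replace"),
        })
    return entries, md5_ok

def check_layout(entries, flash_size: int):
    """List partitions that overlap a neighbour or run past the end of the chip."""
    problems = []
    ordered = sorted(entries, key=lambda e: e["offset"])
    for prev, cur in zip(ordered, ordered[1:]):
        if prev["offset"] + prev["size"] > cur["offset"]:
            problems.append(f"{prev['label']} overlaps {cur['label']}")
    for e in ordered:
        if e["offset"] + e["size"] > flash_size:
            problems.append(f"{e['label']} ends past {flash_size:#x}")
    return problems
```

Running `parse_partition_table(SAMPLE_TABLE)` on the dump yields nvs, otadata, app0, app1 and spiffs; `check_layout` against 2MB shows that this particular layout would not fit the ESP8285H16, which is exactly the kind of size question the OTA plan depends on.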
Problem
For the ESP8285 the command esptool read_flash 0x0 0x1fffff flash.bin does not return a flash image with the expected format.
Instead, the returned flash image immediately starts with "used bytes", has no obvious "empty bytes" indicating the start/end of a section and - most importantly - doesn't have a partition table.
This is the relevant flash section of the Tasmota device (left) and my reference ESP32 (right) around address 0x8000 where the partition table should be:

Question
Why does esptool read_flash 0x8000 0xc00 not return the partition table for my ESP8285 with Tasmota firmware?
Another suspicious thing is that all bytes above address 0xfffff (=1MB) are empty, but the ESP8285H16 has 2MB flash. I have two unsatisfying explanations:
- the currently installed flash image uses a 1MB partition scheme - but in that case the partition table would have to be in those 1MB (which it isn't)
- I'm reading at the wrong flash position all the time, maybe starting at the second half