To flash encrypted files, the key must be stored inside the roloFlash. To prevent it from being read by another script on an SD card, the script to be executed must also be stored and run inside the roloFlash.
We recommend the following procedure:
You can perform this on the PC with suitable software. Here we show you how to do this with roloFlash.
Copy the data you want to flash onto the SD card and, if necessary, rename the file so that it fits the 8.3 format (e.g., NAME5678.HEX). From now on, this documentation uses the name “FLASH.HEX”.
In ENCRYPT_DATA.BAS there is a script for encrypting files. Copy this script to the SD card, rename it to RUN_V07.BAS, and adjust the settings at the beginning of the file. BE SURE TO REPLACE THE KEY WITH YOUR OWN SECRET VALUES:
plainFilename = "FLASH.HEX" ! Any file you want to encrypt, for example
! a hex file.
plainFileSystem = SDCARD ! The filesystem of the given file.
! Can be SDCARD, FLASHVARS or FLASHDISK.
cryptedFilename = "FLASH.CRY" ! The name of the encrypted file to create.
cryptedFileSystem = SDCARD ! The filesystem of the given file.
! Can be SDCARD, FLASHVARS or FLASHDISK.
algo = SEC_AES ! Specify the Crypt Algorithm, here:
width = 256 ! AES with 256 bit in CBC mode, which needs
mode = SEC_CBC ! an additional initialisation vector (iv)
padding = SEC_PKCS7 ! The crypt algorithm is a block cipher. For
! encryption/decryption the padding algorithm PKCS7
! is recommended.
! A key and an initialisation vector (iv) are needed, REPLACE WITH YOUR OWN KEY AND IV!
! For AES-256 a 32 byte key is needed.
! For CBC mode a 16 Byte initialisation vector is needed.
key = char($b0, $cd, $18, $be, $a5, $66, $92, $49, _
$11, $05, $f6, $29, $34, $18, $27, $12, _
$90, $d0, $71, $ff, $c9, $72, $21, $c2, _
$e4, $d7, $de, $e9, $05, $9e, $b7, $0d, _
$7d, $21, $09, $40, $33, $d4, $a3, $bb, _
$89, $13, $bd, $54, $88, $ea, $3b, $a6, _
$8c, $1a, $c2, $08, $87, $5a, $9b, $01, _
$9a, $1d, $1d, $e5, $50, $ee, $d9, $1f)
iv = char($48, $09, $fc, $c2, $3f, $1d, $a8, $e0, _
$39, $d6, $a8, $8d, $5d, $bb, $f5, $30, _
$2d, $1b, $50, $bf, $57, $38, $9e, $8c, _
$31, $be, $81, $f0, $78, $3e, $bf, $d3)
Call the compiler with the file compile_V07.bat. This creates the file RUN_V07.BIN. This must now be executed once on the roloFlash. After the script finishes, LED 5 lights green. You can now connect the SD card to the PC. As a result, the encrypted file FLASH.CRY has been created.
Save the RUN_V07.BAS file, the FLASH.HEX file, and the FLASH.CRY file on your PC in a secure location. We suggest creating a folder named encrypt-data in a directory and using it for this.
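One way to produce your own secret values on the PC, as an added example that is not part of the vendor's scripts: the Python sketch below draws a 32-byte key and a 16-byte IV (the lengths named in the script comments) from the operating system's random generator and renders them in the char() notation used in the configuration block. The function names are hypothetical; expected_crypted_size mirrors the size formula in the encryption script's copyFileSEC procedure and can be compared with the size of the FLASH.CRY you obtained.

```python
# Added example: fresh key/IV rendered as roloBasic char() literals.
import secrets

KEY_BYTES = 32  # AES-256 key length named in the script comments
IV_BYTES = 16   # CBC initialisation vector length named in the script comments


def to_rolobasic(name, data, per_line=8):
    """Render bytes as 'name = char($xx, ...)' with '_' line continuations."""
    head = f"{name} = char("
    rows = []
    for i in range(0, len(data), per_line):
        rows.append(", ".join(f"${b:02x}" for b in data[i:i + per_line]))
    joiner = ", _\n" + " " * len(head)
    return head + joiner.join(rows) + ")"


def new_secrets():
    """Return (key, iv) drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES), secrets.token_bytes(IV_BYTES)


def expected_crypted_size(plain_size):
    """Size of the encrypted file for a given plain file size. PKCS7 always
    pads up to the next 16-byte boundary, which is what the script computes
    with (fileSizeSrc and $fffffff0) + 16."""
    return (plain_size & 0xFFFFFFF0) + 16


if __name__ == "__main__":
    key, iv = new_secrets()
    # Paste these two statements over the sample values in RUN_V07.BAS.
    print(to_rolobasic("key", key))
    print(to_rolobasic("iv", iv))
```

Run it on the PC where you keep the encrypt-data folder, and use the same two statements again in the flashing script.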
The SD card contains templates for various controllers. Find one that matches your controller and copy it to the root directory of the SD card. This file is named RUN_V07.BAS.
Adjust the exact type according to the designations in the manual.
You have already copied the file to be flashed to the SD card in the previous chapter.
Enter its name in the RUN_V07.BAS and call the compiler with the file compile_V07.bat. This creates the file RUN_V07.BIN.
Insert the SD card into the roloFlash and verify the flash process with the unencrypted data. If this works, connect the SD card to the PC. Save the RUN_V07.BAS file and the RUN_V07.BIN file on your PC in a secure location. We suggest creating a folder named flash-uncrypted in a directory and using it for this.
The next step is to extend your script from the previous chapter to flash encrypted data.
At the beginning of your script you will find a block for configuration. Change the name of the file to be flashed to the name of the encrypted file. For example:
flashFile = "FLASH.HEX" ! before
flashFile = "FLASH.CRY" ! after
Add the following to the configuration block and adjust it to match your settings from chapter 1:
algo = SEC_AES ! Specify the Crypt Algorithm, here:
width = 256 ! AES with 256 bit in CBC mode, which needs
mode = SEC_CBC ! an additional initialisation vector (iv)
padding = SEC_PKCS7 ! The crypt algorithm is a block cipher. For
! encryption/decryption the padding algorithm PKCS7
! is recommended.
! A key and iv are needed, REPLACE WITH YOUR OWN KEY AND IV FROM CHAPTER 1!
! For AES-256 a 32 byte key is needed.
! For CBC mode a 16 Byte initialisation vector is needed.
key = char($b0, $cd, $18, $be, $a5, $66, $92, $49, _
$11, $05, $f6, $29, $34, $18, $27, $12, _
$90, $d0, $71, $ff, $c9, $72, $21, $c2, _
$e4, $d7, $de, $e9, $05, $9e, $b7, $0d, _
$7d, $21, $09, $40, $33, $d4, $a3, $bb, _
$89, $13, $bd, $54, $88, $ea, $3b, $a6, _
$8c, $1a, $c2, $08, $87, $5a, $9b, $01, _
$9a, $1d, $1d, $e5, $50, $ee, $d9, $1f)
iv = char($48, $09, $fc, $c2, $3f, $1d, $a8, $e0, _
$39, $d6, $a8, $8d, $5d, $bb, $f5, $30, _
$2d, $1b, $50, $bf, $57, $38, $9e, $8c, _
$31, $be, $81, $f0, $78, $3e, $bf, $d3)
algoSpec = vari(algo, width, mode)
dataSpec = vari(key, iv, padding)
cryptSpec = vari(algoSpec, dataSpec)
Add cryptSpec to the actual flashing command line:
target_writeFromFile targetHandle, SDCARD, flashFile, HEX, FLASH, WRITEVERIFY ! before
target_writeFromFile targetHandle, SDCARD, flashFile, HEX, FLASH, WRITEVERIFY, cryptSpec ! after
Call the compiler with compile_V07.bat. This creates the file RUN_V07.BIN.
Remove the unencrypted file FLASH.HEX from the SD card to ensure it cannot be used.
Now you can insert the SD card into the roloFlash and verify the flashing process with encrypted data.
If this works, connect the SD card to the PC.
Save the RUN_V07.BAS file and the RUN_V07.BIN file on your PC in a secure location. We suggest creating a folder named flash-crypted in a directory and using it for this.
Create a folder named “TO_RF” on the SD card and move the RUN_V07.BAS file and the RUN_V07.BIN file from the previous chapter into this folder.
There is a script called COPY_TO_FLASHDISK.BAS that copies your RUN_V07.BIN file from the “TO_RF” folder to the roloFlash’s Flashdisk. Copy this script to the root directory of the SD card, rename it to RUN_V07.BAS, and compile it using compile_V07.bat to create the file RUN_V07.BIN.
Insert the SD card into the roloFlash and execute the script once using any target.
Use a fresh SD card to ensure that no secrets remain. Simply deleting all data or formatting can leave fragments of your data on the storage device.
Copy only the file FLASH.CRY to the SD card. In chapter 1, we suggested storing this file on your PC in a folder named encrypt-data.
Insert the SD card into the roloFlash and test the procedure. If everything works, you can hand over this roloFlash with the SD card.
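A check you can run on the PC before the hand-over, as an added example that is not part of the vendor's tooling: the Python sketch below walks the mounted SD card and reports every file or folder other than FLASH.CRY, plus any file that still contains the key or IV. The function names are hypothetical, and it assumes that a compiled script stores the key bytes contiguously; it inspects only files visible in the file system, not remnants of deleted data.

```python
# Added example: audit the mounted SD card before handing it over.
import os


def as_source_text(data):
    """Bytes as they appear in a .BAS source line: '$b0, $cd, ...'."""
    return ", ".join(f"${b:02x}" for b in data).encode("ascii")


def audit_card(root, key, iv, allowed=("FLASH.CRY",)):
    """Return sorted findings; an empty list means only allowed files remain
    and none of them contains the key or IV."""
    # Raw bytes catch a compiled script (assumption: RUN_V07.BIN stores the
    # constants contiguously); the text form catches a leftover .BAS source.
    # Only the first 8 bytes are rendered as text because the scripts wrap
    # char() lists after 8 values; other spacing would not match.
    raw = {"raw key": key, "raw iv": iv}
    text = {"key source text": as_source_text(key[:8]),
            "iv source text": as_source_text(iv[:8])}
    findings = []
    for folder, dirs, files in os.walk(root):
        for name in dirs:
            rel = os.path.relpath(os.path.join(folder, name), root)
            findings.append(f"unexpected folder: {rel}")
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root)
            if rel not in allowed:
                findings.append(f"unexpected file: {rel}")
            with open(path, "rb") as fh:
                blob = fh.read()
            for label, needle in raw.items():
                if needle in blob:
                    findings.append(f"{label} in {rel}")
            for label, needle in text.items():
                if needle in blob.lower():
                    findings.append(f"{label} in {rel}")
    return sorted(findings)
```

Call audit_card with the card's mount point and the key and IV you configured; hand the card over only when the result is an empty list.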
#roloFlash 2, v07.*
! ***************************************************************************
! *
! * Sample script for encrypting any file
! *
! * Copyright (C) 2009-2025 by halec embedded solutions
! *
! ***************************************************************************
! For all files on the microSD card, the following applies:
! - File name has to be in 8.3 format
! - File name must contain only CAPITAL LETTERS
! - (see manual, chapter "Files")
! *** Please adapt to your requirements! ***
plainFilename = "FLASH.HEX" ! Any file you want to encrypt, for example
! a hex file.
plainFileSystem = SDCARD ! The filesystem of the given file.
! Can be SDCARD, FLASHVARS or FLASHDISK.
cryptedFilename = "FLASH.CRY" ! The name of the encrypted file to create.
cryptedFileSystem = SDCARD ! The filesystem of the given file.
! Can be SDCARD, FLASHVARS or FLASHDISK.
algo = SEC_AES ! Specify the Crypt Algorithm, here:
width = 256 ! AES with 256 bit in CBC mode, which needs
mode = SEC_CBC ! an additional initialisation vector (iv)
padding = SEC_PKCS7 ! The crypt algorithm is a block cipher. For
! encryption/decryption the padding algorithm PKCS7
! is recommended.
! A key and an initialisation vector (iv) are needed, REPLACE WITH YOUR OWN KEY AND IV!
! For AES-256 a 32 byte key is needed.
! For CBC mode a 16 Byte initialisation vector is needed.
key = char($b0, $cd, $18, $be, $a5, $66, $92, $49, _
$11, $05, $f6, $29, $34, $18, $27, $12, _
$90, $d0, $71, $ff, $c9, $72, $21, $c2, _
$e4, $d7, $de, $e9, $05, $9e, $b7, $0d, _
$7d, $21, $09, $40, $33, $d4, $a3, $bb, _
$89, $13, $bd, $54, $88, $ea, $3b, $a6, _
$8c, $1a, $c2, $08, $87, $5a, $9b, $01, _
$9a, $1d, $1d, $e5, $50, $ee, $d9, $1f)
iv = char($48, $09, $fc, $c2, $3f, $1d, $a8, $e0, _
$39, $d6, $a8, $8d, $5d, $bb, $f5, $30, _
$2d, $1b, $50, $bf, $57, $38, $9e, $8c, _
$31, $be, $81, $f0, $78, $3e, $bf, $d3)
! Green running light from LED 1 to LED 2 -> symbolizes script processing
! (LED 5 is kept free for display of "Done")
led_runningLight 1, 2, COLOR_GREEN, 200
! ---- Preparations ----
! Delete old log file, if present
!
f = "LOG.TXT"
if fs_fileExists(0,f)
  fs_remove 0, f
endif
! Write software version of roloFlash and script name to LOG.TXT
print "softwareVersion=", sys_softwareVersion, "\r\n"
print "Running script copied from scripts/secureApi/ENCRYPT.BAS\r\n"
!
! ---- A general purpose file encrypt/decrypt procedure ----
!
procedure copyFileSEC fsSrc, filenameSrc, fsDst, filenameDst, cryptSpec, doEncrypt
  fileSizeSrc = fs_fileSize(fsSrc, filenameSrc)
  src = fs_open(fsSrc, filenameSrc)
  for pass = 0 to 1
    if pass = 0
      pass = 1
      ! Destinations other than SDCARD are created with a fixed size,
      ! so the destination size has to be known before writing.
      if fsDst <> SDCARD
        if doEncrypt
          fileSizeDst = (fileSizeSrc and $fffffff0) + 16
        elseif cryptSpec[0][2] = SEC_ECB
          filePos = fileSizeSrc - 16
          a = fs_read(src, filePos, 16)
          sec_decrypt a, cryptSpec, SEC_SINGLEBLOCK
          fileSizeDst = filePos + size(a)
        else
          ! Dry run first: decrypt without writing to determine the size
          pass = 0
        endif
      endif
    endif
    if pass = 1
      if fsDst = SDCARD
        fs_create fsDst, filenameDst
      else
        fs_create fsDst, filenameDst, fileSizeDst
      endif
      dst = fs_open(fsDst, filenameDst)
    endif
    blockSize = 8192
    filePos = 0
    do while filePos < fileSizeSrc
      mySize = blockSize
      if mySize > fileSizeSrc - filePos
        mySize = fileSizeSrc - filePos
      endif
      a = fs_read(src, filePos, mySize)
      if fileSizeSrc <= blockSize
        opState = SEC_SINGLEBLOCK
      elseif filePos = 0
        opState = SEC_FIRSTBLOCK
      elseif mySize >= fileSizeSrc - filePos
        opState = SEC_LASTBLOCK
      else
        opState = SEC_NEXTBLOCK
      endif
      if doEncrypt
        sec_encrypt a, cryptSpec, opState
      else
        sec_decrypt a, cryptSpec, opState
      endif
      if pass = 1
        fs_write dst, filePos, a
      endif
      filePos = filePos + mySize
    loop
    if pass = 0
      fileSizeDst = fileSizeSrc - 16 + size(a)
    endif
  next
  fs_close dst
  fs_close src
end
!
! Build cryptSpec and encrypt
!
algoSpec = vari(algo, width, mode)
dataSpec = vari(key, iv, padding)
cryptSpec = vari(algoSpec, dataSpec)
copyFileSEC plainFileSystem, plainFilename, cryptedFileSystem, cryptedFilename, cryptSpec, 1
! ---- Check for possibly occurred exceptions, write ----
! ---- evaluation to log file and signal it via LEDs ----
catch exception
print "Duration [ms]: ", sys_getSystemTime(), "\r\n"
catch dummyException ! If the last print throws an exception
if exception <> 0
  ! There has been an error, record the error in LOG.TXT
  print "ERROR: Exception ", exception
  ! Throw exception again, after it has been caught. As a result, the number
  ! of the exception gets displayed via LED blink codes. The blink codes
  ! are documented in the manual, chapter "Meaning of LED Codes", subchapter
  ! "Exception has Occurred"
  throw exception
else
  ! No errors: write to log file and switch LED 5 to green
  print "Script ran successfully.\r\n"
  led_on 5, COLOR_GREEN
endif
#roloFlash 2, v07+
! ***************************************************************************
! *
! * script for copying:
! * from: SD-card /TO_RF/RUN_V07.BIN
! * to: roloFlash flashDisk RUN_V07.BIN
! *
! * Copyright (C) 2009-2025 by halec embedded solutions
! *
! ***************************************************************************
! Green running light from LED 1 to LED 4 -> symbolizes script processing
! (Data transfer direction: write)
! (LED 5 is kept free for display of "Done")
led_runningLight 1, 4, COLOR_GREEN, 200
! ---- Preparations ----
! Delete old log file, if present
f = "LOG.TXT"
if fs_fileExists(0,f)
  fs_remove 0, f
endif
procedure copyFile fsSrc, filenameSrc, fsDst, filenameDst
  dataSize = fs_fileSize(fsSrc, filenameSrc)
  fs_create fsDst, filenameDst, dataSize
  src = fs_open(fsSrc, filenameSrc)
  dst = fs_open(fsDst, filenameDst)
  blockSize = 512
  filePos = 0
  do while dataSize > 0
    mySize = blockSize
    if mySize > dataSize
      mySize = dataSize
    endif
    a = fs_read(src, filePos, mySize)
    fs_write dst, filePos, a
    filePos = filePos + mySize
    dataSize = dataSize - mySize
  loop
  fs_close dst
  fs_close src
end
! -- copy "RUN_V07.BIN" from SD-card (folder TO_RF) to FlashDisk (root folder):
copyFile SDCARD, "TO_RF/RUN_V07.BIN", FLASHDISK, "RUN_V07.BIN"
! ---- Check for possibly occurred exceptions, write ----
! ---- evaluation to log file and signal it via LEDs ----
catch exception
print "Duration [ms]: ", sys_getSystemTime(), "\r\n"
catch dummyException ! If the last print throws an exception
if exception <> 0
  ! There has been an error, record the error in LOG.TXT
  print "ERROR: Exception ", exception
  ! Throw exception again, after it has been caught. As a result, the number
  ! of the exception gets displayed via LED blink codes. The blink codes
  ! are documented in the manual, chapter "Meaning of LED Codes", subchapter
  ! "Exception has Occurred"
  throw exception
else
  ! No errors: write to log file and switch LED 5 to green
  print "Script ran successfully.\r\n"
  led_on 5, COLOR_GREEN
endif