Rollback and Anti-Rollback

The main purpose of application rollback is to ensure that the device can be rolled back to the previous version in case of exceptions after an update, without affecting the normal use of the device. When rollback is enabled, the firmware will be marked as a new firmware (ESP_OTA_IMG_NEW) once the firmware verification is completed. Upon reboot, the Bootloader will select this firmware and re-mark it as pending-for-verification (ESP_OTA_IMG_PENDING_VERIFY). When running the app_main() function, two scenarioes may occur:

  1. Normally functioning

    After testing and confirming that everything is working properly, the developer calls the esp_ota_mark_app_valid_cancel_rollback() function to mark the current running firmware as a valid firmware (ESP_ OTA_IMG_VALID). After that, the firmware can be booted without any restrictions.

  2. Encountering serious errors

    It will trigger an automatic secondary reboot, and the Bootloader will directly mark the firmware as an aborted firmware (ESP_OTA_IMG_ABORTED) and roll back to the previous version. After self-testing, the developer should confirm that there is an error and call esp_ota_mark_app_invalid_rollback_and_reboot() to mark the running version as an invalid firmware. The firmware will then be rolled back to the previous version automatically and cannot be rebooted again.

Another function of the secure version number is to prevent the firmware from rolling back to a lower secure version. When selecting the bootable application, the Bootloader will check the secure version number extrally. Only if the secure version number of the firmware is equal to or higher than that stored in the chip's eFuse, the firmware will be selected. The new secure version number will be updated after the firmware status is marked as valid (ESP_OTA_IMG_VALID).

Both rollback and anti-rollback can be enabled through menuconfig as follows:

(Top) → Bootloader config
[*] Enable app rollback support
[*]     Enable app anti-rollback support
(0)         eFuse secure version of app (NEW)
(16)        Size of the eFuse secure version field (NEW)