The main purpose of application rollback is to ensure that the device can be rolled back to the previous version in case of exceptions after an update, without affecting the normal use of the device. When rollback is enabled, the firmware will be marked as a new firmware (
ESP_OTA_IMG_NEW) once the firmware verification is completed. Upon reboot, the Bootloader will select this firmware and re-mark it as pending-for-verification (
ESP_OTA_IMG_PENDING_VERIFY). When running the
app_main() function, two scenarioes may occur:
After testing and confirming that everything is working properly, the developer calls the
esp_ota_mark_app_valid_cancel_rollback()function to mark the current running firmware as a valid firmware (
ESP_ OTA_IMG_VALID). After that, the firmware can be booted without any restrictions.
Encountering serious errors
It will trigger an automatic secondary reboot, and the Bootloader will directly mark the firmware as an aborted firmware (
ESP_OTA_IMG_ABORTED) and roll back to the previous version. After self-testing, the developer should confirm that there is an error and call
esp_ota_mark_app_invalid_rollback_and_reboot()to mark the running version as an invalid firmware. The firmware will then be rolled back to the previous version automatically and cannot be rebooted again.
Another function of the secure version number is to prevent the firmware
from rolling back to a lower secure version. When selecting the bootable
application, the Bootloader will check the secure version number
extrally. Only if the secure version number of the firmware is equal to
or higher than that stored in the chip's eFuse, the firmware will be
selected. The new secure version number will be updated after the
firmware status is marked as valid (
Both rollback and anti-rollback can be enabled through
(Top) → Bootloader config ... ... [*] Enable app rollback support [*] Enable app anti-rollback support (0) eFuse secure version of app (NEW) (16) Size of the eFuse secure version field (NEW) ... ...