Bricking and flashing ESP-01s – (8266)

A powerfull tool, delicate hardware and the simplicity of use. That is the Espressif ESP-01s with the 8266EX chip. Sometimes, you can bring it to an unusable state. Such as I did, with a factory reset (AT+RESTORE, or AT+RST in some cases). Now, how to bring it back to life?

The status

Simply put, screwed. No matter the Baud rate used, or commands chucked at it, the ESP did not even boot into it’s AT command program. Pretty much bricked, time to bring it back to life, hopefully.

I should stress, the ESP8266 HAS TO USE 3.3V under all circumstances. This is true for Vin, as well as Rx, Tx! If standard, 5V TTL signals are being used for communication, the behavior is unpredictable.

The setup

 

First the pins and what they mean:

  • TX – Transfer, serial send pin
  • EN – ENABLE, or SELECT, or… it has multiple names. This pin needs to be set high (read logical 1 – ~3 – 3.3V) for the module to work, send and receive data. Putting it high with Vcc / Vin throgh a resistor or directly is a good idea
  • RST – RESET. We’re going to use this one. If set LOW, device reset is initiated, but for the device to boot and actually reset, you must take the GND off this pin. In normal operation this should be set HIGH. Leaving it “in the air” is not a good idea.
  • 3V3 – Vcc / Vin – call it as you like – Input voltage. Mind you, 3.3V max!
  • GND – GROUND. doh!
  • IO2 – General purpose I/O pin #2
  • IO0 – General purpose I/O pin #0, we’ll need this one for flashing as well
  • RX – Receive, serial receive pin

If you are using an FTDI programmer, USB dongle, or other interface, make sure it is 3.3V capable. If you start chucking 5V signals at it, it misbehaves. People have reported the ESP8266 to be 5V tolerant, but I found it far less stable at 5V logical levels. And how long it takes to get damaged at that rate? Who knows.

Pay the extra buck and get one of these (switchable 5V / 3.3V logic):

For sheer lack of due diligence, I had to use an Arduino Nano as a voltage stabilizer. Please don’t do this, it is utter nonsense. I know however, that for testing purposes and flashing, the current supplied by the Nano is sufficient, so, leave me alone with this.

You should however think about using one of these (at least) for voltage stabilization:

This power supply is cheap, tolerant to 5V-12V (some say 24V is OK – gonna test it :-)) and has 4 pinouts, so can power 4 arduinos.

Connect like this. If you are not lazy, nor stupid, don’t use the arduino as a voltage regulator. 馃槈

The pain of finding out how

I thought, that there is only one firmware, and only one way to do things with the ESP-01s. Turns out, there are multiple firmwares available, AT commands, Python derivates… ehm, let’s concentrate on how to bring the ESP back to factory (AT firmware) setup. Great resource for FWs and documentation, of course:聽http://esp8266.net/.

How to flash

You need PYTHON installed. Flash software:聽https://github.com/espressif/esptool聽– I like to use GIT, so:

https://github.com/espressif/esptool
cd ./esptool/

The basic commands to flash a .bin file is as follows (Don’t forget to set up correct privileges – i.e. add yourself to “dialout” group or – use sudo).

sudo ./esptool.py --port /dev/ttyUSB2 write_flash 0xFE000 ./ESP8266_AT/bin/blank.bin 
esptool.py v2.2-dev
Connecting........_
Detecting chip type... ESP8266
Chip is ESP8266EX
Uploading stub...
Running stub...
Stub running...
Configuring flash size...
Auto-detected Flash size: 1MB
Compressed 4096 bytes to 26...
Wrote 4096 bytes (26 compressed) at 0x000fe000 in 0.0 seconds (effective 4743.5 kbit/s)...
Hash of data verified.

Now that we know how to destroy things, write crap to the controller, let’s do something useful…

Gather the firmware!

AT firmware:聽https://github.com/espressif/ESP8266_AT/tree/master/bin聽– this is stock, AT firmware, that came with the ESP-01s preinstalled. I want that!

git clone https://github.com/espressif/ESP8266_AT

It says to flash these bins to the specified address (which I later found out it is wrong on my ESP).

Bin Address
boot_v1.1.bin---------------->0x00000 (reset)
user1.bin-------------------->0x01000 (reset)
esp_init_data_default.bin---->0x7C000 (no reset)
blank.bin-------------------->0x7E000 (reset)

Let’s see… (how to observe ESP8266 boot sequence? later! Just take it as a fact, read on)

...
SPI Speed : 40MHz
SPI Mode : QIO
SPI Flash Size : 8Mbit
jump to run usererror user bin flag, flag = 6
user code done

Nope. Dead. A spark of hope though, this clearly shows, that it is not fried, just misconfigured somehow.

The way I read the documentation, there is a boot code and a user code (more on the boot later on). The user code should contain the AT commands functionality, but here it seems it doesn’t even run, or errors out. Might this be a problem of a mis-fired, wrongly placed user.bin?

Go back in line, repeat again

Again, but this聽 time聽https://www.allaboutcircuits.com/projects/flashing-the-ESP-01-firmware-to-SDK-v2.0.0-is-easier-now/聽helped me out, so I found the corect memory addresses to flash the files to.

These values worked for me.

boot 00000
user 01000
blank FB000
init_data_default FC000
blank 7E000
blank FE000

Go.

  1. Press and hold the Reset button聽(SW1) on your flashing circuit.
  2. Press and hold the Flash button (SW2) on your flashing circuit.
  3. Release the Reset button.
  4. Release the Flash button.
  5. run the appropriate command.
  6. Or any freakin combination of the above. In general, the IO0 must be pulled down and pulldown of reset pin is sometimes needed, just wait for init, and if it doesn’t do anything, just press reset.

In my case, all of the commands used to flash the ESP-01s were as follows:

$ sudo ./esptool.py --port /dev/ttyUSB2 write_flash 0x00000 ESP8266_AT/bin/boot_v1.1.bin 
esptool.py v2.2-dev
Connecting...
Detecting chip type... ESP8266
Chip is ESP8266EX
Uploading stub...
Running stub...
Stub running...
Configuring flash size...
Auto-detected Flash size: 1MB
Flash params set to 0x0020
Compressed 1712 bytes to 1295...
Wrote 1712 bytes (1295 compressed) at 0x00000000 in 0.1 seconds (effective 116.0 kbit/s)...
Hash of data verified.
Leaving...
Hard resetting...

$ sudo ./esptool.py --port /dev/ttyUSB2 write_flash 0x01000 ./ESP8266_AT/bin/newest/user1.bin 
esptool.py v2.2-dev
Connecting........_____....._____.....
Detecting chip type... ESP8266
Chip is ESP8266EX
Uploading stub...
Running stub...
Stub running...
Configuring flash size...
Auto-detected Flash size: 1MB
Compressed 222376 bytes to 141270...
Wrote 222376 bytes (141270 compressed) at 0x00001000 in 12.4 seconds (effective 143.0 kbit/s)...
Hash of data verified.
Leaving...
Hard resetting...

$ sudo ./esptool.py --port /dev/ttyUSB2 write_flash 0xFB000 ./ESP8266_AT/bin/blank.bin 
esptool.py v2.2-dev
Connecting........_____....._
Detecting chip type... ESP8266
Chip is ESP8266EX
Uploading stub...
Running stub...
Stub running...
Configuring flash size...
Auto-detected Flash size: 1MB
Compressed 4096 bytes to 26...
Wrote 4096 bytes (26 compressed) at 0x000fb000 in 0.0 seconds (effective 4739.4 kbit/s)...
Hash of data verified.
Leaving...
Hard resetting...

$ sudo ./esptool.py --port /dev/ttyUSB2 write_flash 0xFC000 ./ESP8266_AT/bin/esp_init_data_default.bin 
esptool.py v2.2-dev
Connecting........_____....._
Detecting chip type... ESP8266
Chip is ESP8266EX
Uploading stub...
Running stub...
Stub running...
Configuring flash size...
Auto-detected Flash size: 1MB
Compressed 128 bytes to 72...
Wrote 128 bytes (72 compressed) at 0x000fc000 in 0.0 seconds (effective 93.0 kbit/s)...
Hash of data verified.
Leaving...
Hard resetting...

$ sudo ./esptool.py --port /dev/ttyUSB2 write_flash 0x7E000 ./ESP8266_AT/bin/blank.bin 
esptool.py v2.2-dev
Connecting........_
Detecting chip type... ESP8266
Chip is ESP8266EX
Uploading stub...
Running stub...
Stub running...
Configuring flash size...
Auto-detected Flash size: 1MB
Compressed 4096 bytes to 26...
Wrote 4096 bytes (26 compressed) at 0x0007e000 in 0.0 seconds (effective 4691.9 kbit/s)...
Hash of data verified.
Leaving...
Hard resetting...

$ sudo ./esptool.py --port /dev/ttyUSB2 write_flash 0xFE000 ./ESP8266_AT/bin/blank.bin 
esptool.py v2.2-dev
Connecting........_
Detecting chip type... ESP8266
Chip is ESP8266EX
Uploading stub...
Running stub...
Stub running...
Configuring flash size...
Auto-detected Flash size: 1MB
Compressed 4096 bytes to 26...
Wrote 4096 bytes (26 compressed) at 0x000fe000 in 0.0 seconds (effective 4743.5 kbit/s)...
Hash of data verified.
Leaving...
Hard resetting...

Check! And hope that not Mate!

Go to console (minicom, arduino monitor, whatever that can read serial), disconnect the IO0 pin from ground, press reset button… and don’t forget to set your console speed to 74880 baud!

After a boot, with a nice value of 74880 baud rate, I got a full Boot, except for the last part, BUT this is expected, as there the baud rate changes, or should change to 115200.

ets Jan 8 2013,rst cause:2, boot mode:(3,6)

load 0x40100000, len 612, room 16 
tail 4
chksum 0x12
load 0x3ffe8000, len 788, room 4 
tail 0
chksum 0x50
load 0x3ffe8314, len 264, room 8 
tail 0
chksum 0x4a
csum 0x4a

2nd boot version : 1.1
 SPI Speed : 40MHz
 SPI Mode : QIO
 SPI Flash Size : 8Mbit
jump to run user1


飧府飧府飧府飧府飧府飧府飧府飧

Now, change your baud rate to 115200 and go for AT commands:聽https://www.espressif.com/sites/default/files/documentation/4a-esp8266_at_instruction_set_en.pdf

AT

OK
AT+CWMODE? 
+CWMODE:2

OK
AT+CWMODE=1

OK
AT+CWLAP 
+CWLAP:(3,"Bastart netgear 24",-37,"b0:7f:b9:9b:43:30",3)
+CWLAP:(4,"Kvasnicovy_Synanet",-87,"c4:6e:1f:0b:e6:ae",6)
+CWLAP:(3,"BastArt",-40,"bc:75:74:03:9f:23",11)

OK
AT+CWJAP="Bastart netgear 24","xyz"

OK
AT+CIFSR 
+CIFSR:STAIP,"192.168.0.171"
+CIFSR:STAMAC,"18:fi:34:xa:6e:52"

OK

If this works for you, let me know.

5 Replies

  • Hi,

    I didn’t think I bricked my esp01ex, but well… I installed Arduino on it, it was working great, but then I wanted back the AT functions to make it work with an Arduino.

    Even after following your guide, with the GUI on windows or with esptool on macOS, I keep having this, looping (without even a pause) on the monitor when it boots (even with RST not floating), do you have any idea please?

    ets Jan 8 2013,rst cause:2, boot mode:(3,6)

    load 0x40100000, len 612, room 16
    tail 4
    chksum 0x12
    load 0x3ffe8000, len 788, room 4
    tail 0
    chksum 0x50
    load 0x3ffe8314, len 264, room 8
    tail 0
    chksum 0x4a
    csum 0x4a

    2nd boot version : 1.1
    SPI Speed : 40MHz
    SPI Mode : QIO
    SPI Flash Size : 8Mbit
    jump to run user1

    ets Jan 8 2013,rst cause:2, boot mode:(3,6)

    load 0x40100000, len 612, room 16
    tail 4
    chksum 0x12
    load 0x3ffe8000, len 788, room 4
    tail 0
    chksum 0x50
    load 0x3ffe8314, len 264, room 8
    tail 0
    chksum 0x4a
    csum 0x4a

    2nd boot version : 1.1
    SPI Speed : 40MHz
    SPI Mode : QIO
    SPI Flash Size : 8Mbit
    jump to run user1

    • Based on your output, the 鈥渦ser鈥 portion of your flash is empty, or not correctly flashed, so the fires up the boot, then tries to go to the user section of the code. If there is nothing there, or might be corrupt, it finishes the user section and boots again.
      The user space should be designed in a way that it never finishes (i.e. the loop statement in arduino C++).

      Try to check the addresses for code flashing, download again the user binary sections etc. The ESP is OK, as far as I see from the output.

      Theoretically, less possible, but still, you could have a faulty flash area where it refuses to write the user section and only the boot sections were flashed (e.g. a used flash chip from china, second hand installed, already had 10kk flash cycles鈥 but cheap) 鈥 but again, this is very unlikely鈥

  • HI!
    I have some problems..
    I tried everything with no results..
    In boot i get:

    ets Jan 8 2013,rst cause:2, boot mode:(3,7)

    load 0x40100000, len 612, room 16
    tail 4
    chksum 0x12
    load 0x3ffe8000, len 788, room 4
    tail 0
    chksum 0x50
    load 0x3ffe8314, len 264, room 8
    tail 0
    chksum 0x4a
    csum 0x4a

    2nd boot version : 1.1
    SPI Speed : 40MHz
    SPI Mode : QIO
    SPI Flash Size : 8Mbit
    jump to run user1

    “@j脮l

    When i try AT commands every respond is error…
    Could you help me?

    • This actually looks quite good. The jumbled result is “just” a different speed of the console.
      On the second part of your comment, when you try AT commands. If you were installing micropython, you should get a repl prompt, something along a “>>>”
      For this to be available, you need to set the baud reate of the console to 115200 baud – that is the python REPL speed.
      From then on, you can type python commands – this is not an AT command compatible firmware.
      Let me know the results.

  • Now that I look at the schematic and revise the diagram, I see I have an error – the positions of GPIO0 and GPIO2 are switched. If you are unlucky with the firmware flash, keep this in mind.

Leave a Reply

Your email address will not be published. Required fields are marked *