SecureLoader is a cross-platform tool for uploading π AES-128 encrypted firmware
binaries to embedded devices over a serial link β‘.
It ships with a scriptable CLI (sld) and a Qt6 GUI (sld-gui).
SecureLoader is a cross-platform tool that allows flashing embedded devices using encrypted firmware binaries generated by EncryptBIN.
It requires that the target device is already running a compatible bootloader (e.g. SecureBootloader).
SecureLoader handles the host-side flashing process: it reads encrypted .bin files, validates device and firmware compatibility, and streams the firmware over a serial link using a custom XOR-acknowledged protocol π‘.
flowchart LR
A[Factory / Initial provisioning] --> SB[SecureBootloader flashing] --> D[(Device)]
A2[EncryptBIN] -->|produces| B([encrypted .bin])
B -->|input| C[SecureLoader]
C -->|flashes| D
classDef tool fill:#3f51b5,stroke:#1a237e,color:#fff,stroke-width:2px
classDef file fill:#009688,stroke:#004d40,color:#fff
classDef device fill:#455a64,stroke:#263238,color:#fff
class A,A2,C tool
class B file
class D,SB device
Related repositories: SecureBootloader Β· EncryptBIN
Full documentation: https://niwciu.github.io/SecureLoader/
β οΈ Documentation is under active development β expect incomplete sections.
- π§Ύ Firmware validation β reads 48-byte header (version, product ID, CRC32)
- π€ Serial handshake β polls device with
GET_VERSIONevery 500 ms - π¦ Streaming β sends firmware page-by-page with ACK confirmation
- π Auto reconnect β recovers automatically after connection loss
β Deep dive: Serial Protocol Β· Firmware Format Β· Architecture
The SecureBootloader β SecureLoader pairing is version-locked β a protocol change in SecureLoader v2.0.0 reduced the UART wire header from 48 β 44 bytes:
| SecureLoader | SecureBootloader | Compatible |
|---|---|---|
| < v2.0.0 | v1.0.0 | β |
| β₯ v2.0.0 | β₯ v1.1 | β |
| β₯ v2.0.0 | v1.0.0 | β device stalls on CMD_START |
| < v2.0.0 | β₯ v1.1 | β header size mismatch |
β οΈ Always match the SecureLoader version to the SecureBootloader version deployed on your device. Flash the updated bootloader (β₯ v1.1) to the target before deploying SecureLoader v2.0.0 or later.
Python 3.10+ required.
git clone https://github.com/niwciu/SecureLoader.git
cd SecureLoader
pip install -e ".[gui]" # CLI + GUI
pip install -e . # CLI onlyYou can install or build SecureLoader directly from the repository using the provided scripts.
First clone the repository:
git clone https://github.com/niwciu/SecureLoader.git
cd SecureLoaderThen go into the install scripts directory:
cd install_scriptsRun:
build.bat
Run:
./build.shThis will:
- create a virtual environment π§ͺ
- install dependencies
- build CLI + GUI application βοΈ
- generate platform-specific output
- optionally create shortcuts / launchers
To remove a local installation, use the provided uninstall script:
- Windows:
uninstall.bat - Linux/macOS:
uninstall.sh
These scripts remove the virtual environment and installed artifacts.
π https://github.com/niwciu/SecureLoader/releases
Each release may include:
- πͺ Windows
.exeinstallers and portable builds - π§ Ubuntu/Linux packages (
.debor distribution-specific package) - π§° CLI standalone builds
- π₯οΈ GUI builds
- π release notes
β οΈ Some releases may be experimental or in preview state.
β‘ Important: The usage flow is split into two stages:
- π Generate encrypted firmware (external tool)
- π‘ Connect and flash using SecureLoader (CLI or GUI)
This flow is also reflected in the architecture diagram above.
SecureLoader does NOT work with raw binaries.
You must first generate an encrypted .bin file using EncryptBIN:
encryptbin input.bin output.binThis produces:
- AES-128 CBC encrypted firmware π
- 48-byte SecureLoader header π§Ύ
CLI is designed for automation β everything is done in one command:
sld flash --file firmware.bin --port COM3 --baudrate 115200Typical flow:
- Select encrypted firmware file
- Provide serial port
- Optionally set baud rate
- Flash starts immediately
- Tool automatically handles connect β transfer β finish β disconnect
Other useful commands:
sld list-ports
sld info --file firmware.bin
sld info --port COM3SecureLoader can download firmware directly from an HTTP server before flashing β no manual file transfer needed.
The server URL path is built from configurable Product ID sections: named nibble-level slices of
the device's 64-bit productId. The default layout matches the EncryptBIN / SecureBootloader
convention (license_id and unique_id as path segments), but any split and naming scheme is supported.
# 1. Configure your server URL once (HTTPS is required by default)
sld config set http.base_url https://myserver/update
# 2. Download the latest firmware using the default sections
sld fetch --section license_id=AB --section unique_id=C0FE --output firmware.bin
# 3. Flash as usual
sld flash --file firmware.bin --port /dev/ttyUSB0To use custom Product ID sections matching your server layout:
# Define a custom split (once, saved to config)
sld config set product_id.sections "product:0:6,serial:6:16"
# Download using the custom section names
sld fetch --section product=AABB --section serial=C0FE0001 --output firmware.binIf the server requires authentication, set credentials once:
sld config set http.login myuser
sld config set-password # secure interactive prompt β avoids shell history
β οΈ Plain HTTP (http://) is rejected by default. Pass--allow-insecuretofetchonly in isolated lab environments where HTTPS is not available.
The GUI exposes the same feature via the Fetch from server and Get Previous Firmware buttons β both become active once a device is connected. The Settings β Server settings dialog lets you visually design the Product ID section layout and URL path structure.
See the User Guide for HTTP server path requirements and full configuration details.
GUI is designed for manual control and visibility:
- π Launch application
sld-gui-
βοΈ Select:
- Serial port
- Baud rate
-
π Load encrypted
.binfile -
π€ Click Connect
- Establishes handshake with device
- Validates firmware compatibility
-
π‘ Click Update / Flash
- Streams firmware page-by-page
- Shows live progress
-
π Click Disconnect (or automatic after completion)
Both CLI and GUI follow the same internal state machine:
IDLE β CONNECTING β CONNECTED β STARTING β SENDING β CONNECTED (done)
Uses EncryptBIN to generate:
- AES-128 CBC encrypted firmware π
- 48-byte SecureLoader header π§Ύ
We welcome contributions! Please follow the workflow below:
-
π΄ Fork the repository on GitHub
-
π₯ Clone your fork
git clone https://github.com/<your-username>/SecureLoader.git
cd SecureLoader- π§ͺ Install development environment
pip install -e ".[gui,dev]"- π Create a new branch for your changes
git checkout -b feature/my-change-
π§· Make your changes
-
π§ͺ Run tests and checks locally
QT_QPA_PLATFORM=offscreen pytest --cov=src/secure_loader --cov-fail-under=70
ruff check src tests
mypy src
black src tests
flake8 src tests
bandit -r src/ -ll -x src/secure_loader/gui/resources
pip-audit --skip-editable- π Push changes to your fork
git push origin feature/my-change-
β Ensure CI passes on your fork / PR
-
π Open a Pull Request
- Describe your changes clearly
- Link related issues if applicable
Full documentation is hosted at: https://niwciu.github.io/SecureLoader/
β οΈ Documentation is currently under active development. Some sections may be incomplete or subject to change.
| Page | Contents |
|---|---|
| User Guide | Installation, CLI reference, GUI walkthrough, configuration |
| Firmware Format | Binary header layout, field semantics, wire vs. disk format |
| Serial Protocol | Command set, timing, state machine, bootloader requirements |
| Architecture | Layer design, module responsibilities, threading model |
| Contributing | Dev setup, testing, code style, adding sources / languages |
| Troubleshooting | Common errors and fixes |
| Security | Vulnerability reporting, scope, threat model |
To preview docs locally:
pip install mkdocs mkdocs-material pymdown-extensions
mkdocs serve # http://127.0.0.1:8000To report a vulnerability, see SECURITY.md. Please do not open a public GitHub issue for security problems before contacting privately first.
MIT Β©
