官方有通过WIFI的更新样例，如果要自主实现BLE的升级，只能自己上了。在网上瞎找还不如好好看看官方文档。

Over The Air Updates (OTA)

OTA Process Overview

The OTA update mechanism allows a device to update itself based on data received while the normal firmware is running (for example, over WiFi or Bluetooth.)
——可以通过BLE升级。
OTA requires configuring the Partition Table of the device with at least two “OTA app slot” partitions (ie ota_0 and ota_1)and an “OTA Data Partition”.
——需要先配置分区表的两个运行分区和一个OTA数据分区
The OTA operation functions write a new app firmware image to whichever OTA app slot is not currently being used for booting. Once the image is verified, the OTA Data partition is updated to specify that this image should be used for the next boot.
——ota_0 ota_1轮换被使用，OTA Data partition标识那个分区正在使用

OTA Data Partition

An OTA data partition (type data, subtype ota) must be included in the Partition Table of any project which uses the OTA functions.
——OTA必须配置OTA data partition
For factory boot settings, the OTA data partition should contain no data (all bytes erased to 0xFF). In this case the esp-idf software bootloader will boot the factory app if it is present in the the partition table. If no factory app is included in the partition table, the first available OTA slot (usually ota_0) is booted.
——如果有出厂APP，OTA data partition应被格式化为0xFF。如果无出厂默认APP，将会启动可用OTA分区
After the first OTA update, the OTA data partition is updated to specify which OTA app slot partition should be booted next.
——一旦某个OTA分区被更新，OTA data将会指过去
The OTA data partition is two flash sectors (0x2000 bytes) in size, to prevent problems if there is a power failure while it is being written. Sectors are independently erased and written with matching data, and if they disagree a counter field is used to determine which sector was written more recently.
——OTA数据分区 将会使用两个独立的扇区来存取，防止扇区写入时突发性写入失败。万一出现两个扇区不一致，计数器可以确定哪个是写入失败的。

App rollback

The main purpose of the application rollback is to keep the device working after the update. This feature allows you to roll back to the previous working application in case a new application has critical errors. When the rollback process is enabled and an OTA update provides a new version of the app, one of three things can happen:
——拥有回滚机制，防止更新失败。回滚启动后有以下三种情况：

• The application works fine, esp_ota_mark_app_valid_cancel_rollback() marks the running application with the state ESP_OTA_IMG_VALID. There are no restrictions on booting this application.
  ——应用正常，esp_ota_mark_app_valid_cancel_rollback将其标记为ESP_OTA_IMG_VALID，此状态启用无限制。
• The application has critical errors and further work is not possible, a rollback to the previous application is required, esp_ota_mark_app_invalid_rollback_and_reboot() marks the running application with the state ESP_OTA_IMG_INVALID and reset. This application will not be selected by the bootloader for boot and will boot the previously working application.
  ——应用存在严重错误无法工作，启动回滚至前一个版本。esp_ota_mark_app_invalid_rollback_and_reboot将其标记为ESP_OTA_IMG_INVALID，此应用无法被引导启动。
• If the CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE option is set, and a reset occurs without calling either function then the application is rolled back.
  ——通过配置CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE直接回滚程序，无需调用接口

Note: The state is not written to the binary image of the application it is written to the otadata partition. The partition contains a ota_seq counter which is a pointer to the slot (ota_0, ota_1, …) from which the application will be selected for boot.
——回滚状态存储于数据存储分区，ota_seq来指向ota_0, ota_1，用以标记启动哪个分区。

App OTA State

States control the process of selecting a boot app:

If CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE option is not enabled (by default), then the use of the following functions esp_ota_mark_app_valid_cancel_rollback() and esp_ota_mark_app_invalid_rollback_and_reboot() are optional, and ESP_OTA_IMG_NEW and ESP_OTA_IMG_PENDING_VERIFY states are not used.
——配置回滚不开启时，直接用 OTA 有效 和OTA无效 直接标记APP状态。
An option in Kconfig CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE allows you to track the first boot of a new application. In this case, the application must confirm its operability by calling esp_ota_mark_app_valid_cancel_rollback() function, otherwise the application will be rolled back upon reboot. It allows you to control the operability of the application during the boot phase. Thus, a new application has only one attempt to boot successfully.
——配置回滚开启时，会跟踪第一次启动。如果程序可以正常启动，必须调用OTA有效将state标记为可用，路径为：ESP_OTA_IMG_NEW--》ESP_OTA_IMG_PENDING_VERIFY--》ESP_OTA_IMG_VALID（这里需要调函数）；否则会将启动APP按照：ESP_OTA_IMG_NEW--》ESP_OTA_IMG_PENDING_VERIFY--》ESP_OTA_IMG_ABORTED（函数调用失败）标记为不可用。新应用程序在配置回滚开启时会尝试引导一次，如果成功请标记为可用，如果不可用，将被自动忽略此版本。

Rollback Process

The description of the rollback process when CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE option is enabled:

• The new application successfully downloaded and esp_ota_set_boot_partition() function makes this partition bootable and sets the state ESP_OTA_IMG_NEW. This state means that the application is new and should be monitored for its first boot.
• Reboot esp_restart().
• The bootloader checks for the ESP_OTA_IMG_PENDING_VERIFY state if it is set, then it will be written to ESP_OTA_IMG_ABORTED.
• The bootloader selects a new application to boot so that the state is not set as ESP_OTA_IMG_INVALID or ESP_OTA_IMG_ABORTED.
• The bootloader checks the selected application for ESP_OTA_IMG_NEW state if it is set, then it will be written to ESP_OTA_IMG_PENDING_VERIFY. This state means that the application requires confirmation of its operability, if this does not happen and a reboot occurs, this state will be overwritten to ESP_OTA_IMG_ABORTED (see above) and this application will no longer be able to start, i.e. there will be a rollback to the previous work application.
• A new application has started and should make a self-test.
• If the self-test has completed successfully, then you must call the function esp_ota_mark_app_valid_cancel_rollback() because the application is awaiting confirmation of operability (ESP_OTA_IMG_PENDING_VERIFY state).
• If the self-test fails then call esp_ota_mark_app_invalid_rollback_and_reboot() function to roll back to the previous working application, while the invalid application is set ESP_OTA_IMG_INVALID state.
• If the application has not been confirmed, the state remains ESP_OTA_IMG_PENDING_VERIFY, and the next boot it will be changed to ESP_OTA_IMG_ABORTED. That will prevent re-boot of this application. There will be a rollback to the previous working application.
  ——以上流程很清晰。配置回滚开启，首次启动后，如果正常则调用函数标记为有效，否则标记为无效，或者自动重启后标记为忽略状态。

Unexpected Reset

If a power loss or an unexpected crash occurs at the time of the first boot of a new application, it will roll back the application.
——新应用启动中发生意外，会迫使回滚发生。
Recommendation: Perform the self-test procedure as quickly as possible, to prevent rollback due to power loss.
Only OTA partitions can be rolled back. Factory partition is not rolled back.
——只有OTA分区可以回滚，出厂分区不支持回滚。

Booting invalid/aborted apps

Booting an application which was previously set to ESP_OTA_IMG_INVALID or ESP_OTA_IMG_ABORTED is possible:
——重启ESP_OTA_IMG_INVALID和ESP_OTA_IMG_ABORTED失效APP

• Get the last invalid application partition esp_ota_get_last_invalid_partition().
  ——esp_ota_get_last_invalid_partition获得失效APP
• Pass the received partition to esp_ota_set_boot_partition(), this will update the otadata.
  ——将失效APP标记为ESP_OTA_IMG_UNDEFINED 或者ESP_OTA_IMG_NEW
• Restart esp_restart(). The bootloader will boot the specified application.
  ——重启执行
  To determine if self-tests should be run during startup of an application, call the esp_ota_get_state_partition() function. If result is ESP_OTA_IMG_PENDING_VERIFY then self-testing and subsequent confirmation of operability is required.
  ——esp_ota_get_state_partition==ESP_OTA_IMG_PENDING_VERIFY 为自检。

Where the states are set

A brief description of where the states are set:
——汇总状态变更说明

• ESP_OTA_IMG_VALID state is set by esp_ota_mark_app_valid_cancel_rollback() function.
• ESP_OTA_IMG_UNDEFINED state is set by esp_ota_set_boot_partition() function if CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE option is not enabled.
• ESP_OTA_IMG_NEW state is set by esp_ota_set_boot_partition() function if CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE option is enabled.
• ESP_OTA_IMG_INVALID state is set by esp_ota_mark_app_invalid_rollback_and_reboot() function.
• ESP_OTA_IMG_ABORTED state is set if there was no confirmation of the application operability and occurs reboots (if CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE option is enabled).
• ESP_OTA_IMG_PENDING_VERIFY state is set in a bootloader if CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE option is enabled and selected app has ESP_OTA_IMG_NEW state.

Anti-rollback

Anti-rollback prevents rollback to application with security version lower than one programmed in eFuse of chip.
——低版本时防回滚，开启CONFIG_BOOTLOADER_APP_ANTI_ROLLBACK
This function works if set CONFIG_BOOTLOADER_APP_ANTI_ROLLBACK option. In the bootloader, when selecting a bootable application, an additional security version check is added which is on the chip and in the application image. The version in the bootable firmware must be greater than or equal to the version in the chip.

CONFIG_BOOTLOADER_APP_ANTI_ROLLBACK and CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE options are used together. In this case, rollback is possible only on the security version which is equal or higher than the version in the chip.

A typical anti-rollback scheme is

• New firmware released with the elimination of vulnerabilities with the previous version of security.
• After the developer makes sure that this firmware is working. He can increase the security version and release a new firmware.
• Download new application.
• To make it bootable, run the function esp_ota_set_boot_partition(). If the security version of the new application is smaller than the version in the chip, the new application will be erased. Update to new firmware is not possible.
  ——这里增加一层防回滚检测
• Reboot.
• In the bootloader, an application with a security version greater than or equal to the version in the chip will be selected. If otadata is in the initial state, and one firmware was loaded via a serial channel, whose secure version is higher than the chip, then the secure version of efuse will be immediately updated in the bootloader.
• New application booted. Then the application should perform diagnostics of the operation and if it is completed successfully, you should call esp_ota_mark_app_valid_cancel_rollback() function to mark the running application with the ESP_OTA_IMG_VALID state and update the secure version on chip. Note that if was called esp_ota_mark_app_invalid_rollback_and_reboot() function a rollback may not happend due to the device may not have any bootable apps then it will return ESP_ERR_OTA_ROLLBACK_FAILED error and stay in the ESP_OTA_IMG_PENDING_VERIFY state.
  ——如果无其它可用APP，esp_ota_mark_app_invalid_rollback_and_reboot存在回滚失败的可能，ESP_OTA_IMG_PENDING_VERIFY保持不变。
• The next update of app is possible if a running app is in the ESP_OTA_IMG_VALID state.

Recommendation:
If you want to avoid the download/erase overhead in case of the app from the server has security version lower then running app you have to get new_app_info.secure_version from the first package of an image and compare it with the secure version of efuse. Use esp_efuse_check_secure_version(new_app_info.secure_version) function if it is true then continue downloading otherwise abort.
——esp_efuse_check_secure_version可以直接在更新前检查版本，以避免下载后再删除。

bool image_header_was_checked = false;
while (1) {
    int data_read = esp_http_client_read(client, ota_write_data, BUFFSIZE);
    ...
    if (data_read > 0) {
        if (image_header_was_checked == false) {
            esp_app_desc_t new_app_info;
            if (data_read > sizeof(esp_image_header_t) + sizeof(esp_image_segment_header_t) + sizeof(esp_app_desc_t)) {
                // check current version with downloading
                if (esp_efuse_check_secure_version(new_app_info.secure_version) == false) {
                    ESP_LOGE(TAG, "This a new app can not be downloaded due to a secure version is lower than stored in efuse.");
                    http_cleanup(client);
                    task_fatal_error();
                }

                image_header_was_checked = true;

                esp_ota_begin(update_partition, OTA_SIZE_UNKNOWN, &update_handle);
            }
        }
        esp_ota_write( update_handle, (const void *)ota_write_data, data_read);
    }
}

Restrictions:

• The number of bits in the secure_version field is limited to 32 bits. This means that only 32 times you can do an anti-rollback. You can reduce the length of this efuse field use CONFIG_BOOTLOADER_APP_SEC_VER_SIZE_EFUSE_FIELD option.
  ——最大可回滚次数，esp32是32次，esp32S2是16次
• Anti-rollback only works if the encoding scheme for efuse is set to NONE.
• The partition table should not have a factory partition, only two of the app.
  ——不能没有出厂APP。

security_version:

• In application image it is stored in esp_app_desc structure. The number is set CONFIG_BOOTLOADER_APP_SECURE_VERSION.
• In ESP32 it is stored in efuse EFUSE_BLK3_RDATA4_REG. (when a eFuse bit is programmed to 1, it can never be reverted to 0). The number of bits set in this register is the security_version from app.

See also

• Partition Table documentation
  ——分区表介绍
• Lower-Level SPI Flash/Partition API
  ——Flash操作接口
• ESP HTTPS OTA
  ——HTTPS升级接口
  ————
  以上已介绍完整个OTA流程

API Reference

Header File

返回当前运行APP的详情esp_app_desc结构体，包含APP版本号

• Return
  Pointer to esp_app_desc structure.

填充SHA256格式ELF文件数据至dst中，十六进制，以0x00结尾，如果空间不足，将尽肯能充满，最后补0x00。

• Return
  Number of bytes written to dst (including null terminator)

• Parameters
  dst: Destination buffer
  size: Size of the buffer

开始向指定分区写入OTA更新。
指定的分区将被擦除到指定的图像大小。
如果图像大小未知，请传递OTA_size_UNKNOWN，这将导致整个分区被擦除。
如果成功，该函数将分配在使用返回的句柄调用esp_ota_end()之前一直使用的内存。
注意：如果启用了回滚选项，并且正在运行的应用程序具有ESP_OTA_IMG_PENDING_VERIFY状态，则将导致ESP_ERR_OTA_rollback_INVALID_state错误。在运行下载新应用程序之前，请确认正在运行的应用程序，对其使用esp_ota_mark_app_valid_cancel_rollback()函数（应在首次下载新应用程序时尽早完成）。

• Return
  ESP_OK: OTA operation commenced successfully.
  ESP_ERR_INVALID_ARG: partition or out_handle arguments were NULL, or partition doesn’t point to an OTA app partition.
  ESP_ERR_NO_MEM: Cannot allocate memory for OTA operation.
  ESP_ERR_OTA_PARTITION_CONFLICT: Partition holds the currently running firmware, cannot update in place.
  ESP_ERR_NOT_FOUND: Partition argument not found in partition table.
  ESP_ERR_OTA_SELECT_INFO_INVALID: The OTA data partition contains invalid data.
  ESP_ERR_INVALID_SIZE: Partition doesn’t fit in configured flash size.
  ESP_ERR_FLASH_OP_TIMEOUT or ESP_ERR_FLASH_OP_FAIL: Flash write failed.
  ESP_ERR_OTA_ROLLBACK_INVALID_STATE: If the running app has not confirmed state. Before performing an update, the application must be valid.

• Parameters
  partition: Pointer to info for partition which will receive the OTA update. Required.
  image_size: Size of new OTA app image. Partition will be erased in order to receive this size of image. If 0 or OTA_SIZE_UNKNOWN, the entire partition is erased.
  out_handle: On success, returns a handle which should be used for subsequent esp_ota_write() and esp_ota_end() calls.

——将ota写入指定分区。重点：可多次写入，比如蓝牙接收时可以直接调用。

——完成OTA并验证

——将启动分区配置到OTAdata

——获取正在运行的分区信息

——mark valid 并取消自动回滚。

——失败重启

——格式化分区并重新初始化otadata。以便重新使用此分区。