Build the Massfuse Blob failed for Agx(32G)

Hi,

I want to build the Massfuse Blob offline for Jetson AGX Xavier with L4T R32.6.1 and secureboot on Ubuntu 18.04 , but failed.

I build like this:

sudo FAB=400 BOARDID=2888 BOARDSKU=0004 BOARDREV=L.0 FUSELEVEL=fuselevel_production ./nvmassfusegen.sh -i 0x19 -auth SBKPKC -p -k xxx/rsa_pri.pem -S xxx/SBK --KEK2 xxx/KEK2 jetson-agx-xavier-devkit

I got failed at step 2 , the error is:

Error: Return value 4
Command tegrahost_v2 --chip -0x19 --align enncrypted_signed_t19x/nvtboot_recovery_t194.bin_signheader.encrypt.signed
Keep temporary directory xxx/Linux_for_Tegra/bootloader/18105
Error: Signing binaries failed.

hello zjfsharp,

please refer to README_Massfuse.txt for the sample command-line,
for example,

To fuse SBK key and PKC HASH with JTAG enabled:

#For AGX 16GB
sudo BOARDID=2888 BOARDSKU=0001 FAB=400 BOARDREV=H.0
FUSELEVEL=fuselevel_production ./nvmassfusegen.sh -j -i 0x19 -c SBKPKC
-p -k <key.pem> [-D | --KEK{0-2} ] -S
jetson-agx-xavier-devkit

#For AGX 32GB
sudo BOARDID=2888 BOARDSKU=0004 FAB=400 BOARDREV=K.0
FUSELEVEL=fuselevel_production ./nvmassfusegen.sh -j -i 0x19 -c SBKPKC
-p -k <key.pem> [-D | --KEK{0-2} ] -S
jetson-agx-xavier-devkit

JTAG is enabled default with R32.6.1 in official script, you can check it again.

My script is like to this, you can check it again, thanks

sudo FAB=400 BOARDID=2888 BOARDSKU=0004 BOARDREV=L.0 FUSELEVEL=fuselevel_production ./nvmassfusegen.sh -i 0x19 -auth SBKPKC -p -k xxx/rsa_pri.pem -S xxx/SBK --KEK2 xxx/KEK2 jetson-agx-xavier-devkit

hello zjfsharp,

the readme file is using -c SBKPKC instead of --auth.

The option -c is obsolete now. Please use “–auth” instead at official script. You can run my script above to confirm it. Thanks.

I tested “nvmassfusegen.sh” not work in R32.5.0 / R32.5.1 / R32.5.2 and R32.6.1,I using R32.6.1 now. An error occurs in the Step 1: Generate Command File in r32.5*, but an error occurs in the Step 2: Sign Binaries in r32.6.1, so I think that part of it was fixed in r32.6.1.

Can you check it?

thanks

FYI, according to Topic 184486.
I’ve confirmed it’s able to create a massflash blob with r32.5.1, although it’s Nano series.

I don’t understand why you claim it doesn’t works,
here’s also another thread, Topic 179392 to confirm nvmassflashgen works on r32.5.1 also.

hello zjfsharp,

it’s also confirmed with r32.6.1,
for example,

********************************************************************************
*** Mass Flashing tarball mfi_jetson-agx-xavier-devkit.tbz2 is ready.
********************************************************************************
    1. Download mfi_jetson-agx-xavier-devkit.tbz2 to each flashing hosts.
    2. Untar mfi_jetson-agx-xavier-devkit.tbz2. ( tar xvjf mfi_jetson-agx-xavier-devkit.tbz2 )
    3. cd mfi_jetson-agx-xavier-devkit
    4. Connect Jetson boards(jetson-agx-xavier-devkit only) and put them in RCM mode.
    5. ./nvmflash.sh
$ ls -la mfi_jetson-agx-xavier-devkit.tbz2
-rw-r--r-- 1 root root 841062254 Aug 10 14:02 mfi_jetson-agx-xavier-devkit.tbz2

Sorry.

You build flash blob, but i build fuse blob. I can also build flash blob success.

that’s exactly the nvmassfusegen.sh script file generated.

Sorry, I really do not quite understand what you mean it.

I think if I run nvmassfusegen.sh, I will get fuse blob like: mfuse_jetson_xxx.tbz2. If I run nvmassflash.sh, I will get flash blob like: mfi_jetson_xxx.tbz2.

Now I can build mfi_jetson_xxx.tbz2 for device flash successful, but i build mfuse_jetson_xxx.tbz2 for burning fuse failed.

README for mfuse_jetson_xxx.tbz2 is Linux_for_Tegra/bootloader/README_Massfuse.txt

README for mflash_jetson_xxx.tbz2 is Linux_for_Tegra/README_Massflash.txt

Hi @JerryChang

Any updates?

Did I misunderstand something here?

thanks

hello zjfsharp,

we’re able to reproduce this and it looks like a bug. neither offline nor online approach cannot create fuseblob.

Okay.

Is there a temporary solution?

Thanks.

hello zjfsharp,

here’s another way to create fuse blob offline.
please perform odmfuse.sh with board info, --noburn, and --auth options to create fuse blob locally.
note, --auth specify the current board authentication status, there’re possible values, NS (Non-Secure), PKC, and SBKPKC.
here’s example for your reference,
$ sudo FAB=400 BOARDID=2888 BOARDSKU=0006 BOARDREV=B.0 ./odmfuse.sh --noburn -i 0x19 --auth SBKPKC -p -k <pkc> --KEK2 <kek2> -S <sbk> jetson-xavier-8gb

Thanks.

Yes, I built and got a “fuseblob.tbz2”.

So I just unzip fuseblob.tbz2 and run sudo fusecmd.sh and that’s it, right?

hello zjfsharp,

just would like to double confirm you’re using --auth command correctly.
for example,

  1. the options is --auth NS if you’re going to program a board without fuse before.
  2. if you’re going to create a fuseblob of a PKC fused device, it’s --auth PKC you should used.

in addition, there’s xml file generated to include all fuse values when you complete the process.
please do review the xml file to examine all the fuse parameters before you perform fusecmd.sh to actual burning the target.
thanks

I comfirmed. I only used --auth SBKPKC to generate fuseblob. Thanks.

sudo FAB=400 BOARDID=2888 BOARDSKU=0004 BOARDREV=L.0 FUSELEVEL=fuselevel_production ./nvmassfusegen.sh -i 0x19 -auth SBKPKC -p -k xxx/rsa_pri.pem -S xxx/SBK --KEK2 xxx/KEK2 jetson-agx-xavier-devkit