burn fuses issue

How to burn fuse for Xavier?

We tried to burn fuse using the steps described in Linux_for_Tegra/bootloader/README_secureboot.txt
But it got “Fuse burn is not supported.”.
L4T is R32.2

sudo BOARDID=2888 FAB=400 BOARDSKU=0001 BOARDREV=H.0 CHIPREV=2 ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k ../key/rsa_priv.pem -S ../key/sbk.txt jetson-xavier
cd bootloader
sudo ./fusecmd.sh
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0127 ] Burning fuses
[   0.0127 ] Generating RCM messages
[   0.0138 ] tegrahost_v2 --chip 0x19 0 --magicid MB1B --appendsigheader mb1_t194_prod.bin zerosbk
[   0.0147 ] Header already present for mb1_t194_prod.bin
[   0.0182 ] 
[   0.0194 ] tegrasign_v2 --key None --getmode mode.txt
[   0.0205 ] Assuming zero filled SBK key
[   0.0206 ] 
[   0.0216 ] tegrasign_v2 --key None --file mb1_t194_prod_sigheader.bin --offset 2960 --length 1136 --pubkeyhash pub_key.key
[   0.0226 ] Assuming zero filled SBK key
[   0.0231 ] 
[   0.0241 ] tegrahost_v2 --chip 0x19 0 --updatesigheader mb1_t194_prod_sigheader.bin mb1_t194_prod_sigheader.hash zerosbk
[   0.0284 ] 
[   0.0294 ] tegrabct_v2 --chip 0x19 0 --sfuse tegra194-mb1-soft-fuses-l4t.cfg sfuse.bin
[   0.0305 ] 
[   0.0314 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x19 0 --sfuses sfuse.bin --download rcm mb1_t194_prod_sigheader.bin 0 0
[   0.0323 ] RCM 0 is saved as rcm_0.rcm
[   0.0359 ] RCM 1 is saved as rcm_1.rcm
[   0.0361 ] RCM 2 is saved as rcm_2.rcm
[   0.0361 ] List of rcm files are saved in rcm_list.xml
[   0.0361 ] 
[   0.0361 ] Signing RCM messages
[   0.0371 ] tegrasign_v2 --key None --list rcm_list.xml --pubkeyhash pub_key.key --getmontgomeryvalues montgomery.bin
[   0.0379 ] Assuming zero filled SBK key
[   0.0386 ] 
[   0.0387 ] Copying signature to RCM mesages
[   0.0396 ] tegrarcm_v2 --chip 0x19 0 --updatesig rcm_list_signed.xml
[   0.0411 ] 
[   0.0412 ] Boot Rom communication
[   0.0420 ] tegrarcm_v2 --chip 0x19 0 --rcm rcm_list_signed.xml
[   0.0429 ] BR_CID: 0x880219116420f1421000000015ff0280
[   0.0436 ] RCM version 0X190001
[   0.0440 ] Boot Rom communication completed
[   1.0596 ] 
[   2.0631 ] tegrarcm_v2 --isapplet
[   2.0650 ] Applet version 01.00.0000
[   2.0675 ] 
[   2.0710 ] Parsing fuse info as per xml file
[   2.0727 ] tegraparser_v2 --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[   2.0744 ] MagicId=0x45535546 version=0x1
[   2.0748 ] node: name=SecureBootKey size=16
[   2.0748 ]   value=0x4028ea0123e03227548299b67a380fa0
[   2.0748 ] node: name=PublicKeyHash size=32
[   2.0748 ]   value=0x835156a9a7d22c227245639eb40bd88b0f4a7eab6dd6e0fb2bbf9536d820927d
[   2.0748 ] node: name=BootSecurityInfo size=4
[   2.0749 ]   value=0x5
[   2.0749 ] 
[   2.0768 ] tegrarcm_v2 --oem burnfuses blow_fuse_data.bin
[   2.0785 ] Applet version 01.00.0000
[   2.0814 ] 0000000074741201: E> NV3P_SERVER: Fuse burn is not supported.
[   2.0903 ] 
[   2.0904 ] Fuse burning failed

console log

[0001.089] I> MB1 (prd-version: 1.5.1.0-t194-41334769-59d8a47d)
[0001.094] I> Boot-mode: RCM
[0001.097] I> Chip revision : A02 
[0001.100] I> Bootrom patch version : 7 (correctly patched)
[0001.105] I> ATE fuse revision : 0x200
[0001.108] I> Ram repair fuse : 0x0
[0001.112] I> Ram Code : 0x0
[0001.114] I> rst_source : 0x0
[0001.117] I> rst_level : 0x0
[0001.121] I> USB configuration success
[0003.102] I> Handling oem command 6
[0003.105] E> NV3P_SERVER: Fuse burn is not supported.

hello kckao.tw,

could you please use the standard commands by connect the Jetson-Xavier to the host.
do remember to enable –noburn options, this won’t actually fuse the board but generate a fuse blob for checking.
thanks

$ sudo ./odmfuse.sh --noburn -i 0x19 -c PKC -p -k <key.pem> [--KEK0 <KEK0 file> --KEK1 <KEK1 file> --KEK2 <KEK2 file> --KEK256 <KEK256 file> -S <SBK file>] jetson-xavier

Hi Jerry,
I did try the following commands, and they are not working.

  1. with board id sku, --noburn, PKC, SBK
    sudo BOARDID=2888 FAB=400 BOARDSKU=0001 BOARDREV=H.0 CHIPREV=2 ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k …/key/rsa_priv.pem -S …/key/sbk.txt jetson-xavier
  2. –noburn, PKC, SBK
    sudo ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k …/key/rsa_priv.pem -S …/key/sbk.txt jetson-xavier
  3. with board id sku, --noburn, PKC
    sudo BOARDID=2888 FAB=400 BOARDSKU=0001 BOARDREV=H.0 CHIPREV=2 ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k …/key/rsa_priv.pem jetson-xavier
  4. PKC
    sudo ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k …/key/rsa_priv.pem jetson-xavier

When sudo ./fusecmd.sh got
[ 2.0814 ] 0000000074741201: E> NV3P_SERVER: Fuse burn is not supported.

hello kckao.tw,

there might be some documentation erroneous, you’ll need to exclude target board naming.
you should also check the readme files in the secureboot package.
$ sudo ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k -S jetson-xavier

hence, please tried again with below commands,

$ sudo ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k ../key/rsa_priv.pem -S ../key/sbk.txt

Thanks! it is working.

[EDIT]

hello kckao.tw,

FYI, we had locally verified that adding <device_name> in the end of commands works with JetPack-4.2.1 / l4t-r32.2
I’m wondering you’re not assign the sbk file name correctly. (i.e. sbk.key)

however, please also refer to below commands that works from our side.
thanks

$ sudo ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k rsa_priv.pem -S sbk.key jetson-xavier

Or

$ sudo BOARDID=2888 FAB=400 BOARDSKU=0001 BOARDREV=D.0 CHIPREV=2 ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k rsa_priv.pem -S sbk.key jetson-xavier