burn fuses issue

Autonomous Machines Jetson & Embedded Systems Jetson AGX Xavier
#1

How to burn fuse for Xavier?

We tried to burn fuse using the steps described in Linux_for_Tegra/bootloader/README_secureboot.txt
But it got “Fuse burn is not supported.”.
L4T is R32.2

sudo BOARDID=2888 FAB=400 BOARDSKU=0001 BOARDREV=H.0 CHIPREV=2 ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k ../key/rsa_priv.pem -S ../key/sbk.txt jetson-xavier
cd bootloader
sudo ./fusecmd.sh

Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0127 ] Burning fuses
[   0.0127 ] Generating RCM messages
[   0.0138 ] tegrahost_v2 --chip 0x19 0 --magicid MB1B --appendsigheader mb1_t194_prod.bin zerosbk
[   0.0147 ] Header already present for mb1_t194_prod.bin
[   0.0182 ] 
[   0.0194 ] tegrasign_v2 --key None --getmode mode.txt
[   0.0205 ] Assuming zero filled SBK key
[   0.0206 ] 
[   0.0216 ] tegrasign_v2 --key None --file mb1_t194_prod_sigheader.bin --offset 2960 --length 1136 --pubkeyhash pub_key.key
[   0.0226 ] Assuming zero filled SBK key
[   0.0231 ] 
[   0.0241 ] tegrahost_v2 --chip 0x19 0 --updatesigheader mb1_t194_prod_sigheader.bin mb1_t194_prod_sigheader.hash zerosbk
[   0.0284 ] 
[   0.0294 ] tegrabct_v2 --chip 0x19 0 --sfuse tegra194-mb1-soft-fuses-l4t.cfg sfuse.bin
[   0.0305 ] 
[   0.0314 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x19 0 --sfuses sfuse.bin --download rcm mb1_t194_prod_sigheader.bin 0 0
[   0.0323 ] RCM 0 is saved as rcm_0.rcm
[   0.0359 ] RCM 1 is saved as rcm_1.rcm
[   0.0361 ] RCM 2 is saved as rcm_2.rcm
[   0.0361 ] List of rcm files are saved in rcm_list.xml
[   0.0361 ] 
[   0.0361 ] Signing RCM messages
[   0.0371 ] tegrasign_v2 --key None --list rcm_list.xml --pubkeyhash pub_key.key --getmontgomeryvalues montgomery.bin
[   0.0379 ] Assuming zero filled SBK key
[   0.0386 ] 
[   0.0387 ] Copying signature to RCM mesages
[   0.0396 ] tegrarcm_v2 --chip 0x19 0 --updatesig rcm_list_signed.xml
[   0.0411 ] 
[   0.0412 ] Boot Rom communication
[   0.0420 ] tegrarcm_v2 --chip 0x19 0 --rcm rcm_list_signed.xml
[   0.0429 ] BR_CID: 0x880219116420f1421000000015ff0280
[   0.0436 ] RCM version 0X190001
[   0.0440 ] Boot Rom communication completed
[   1.0596 ] 
[   2.0631 ] tegrarcm_v2 --isapplet
[   2.0650 ] Applet version 01.00.0000
[   2.0675 ] 
[   2.0710 ] Parsing fuse info as per xml file
[   2.0727 ] tegraparser_v2 --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[   2.0744 ] MagicId=0x45535546 version=0x1
[   2.0748 ] node: name=SecureBootKey size=16
[   2.0748 ]   value=0x4028ea0123e03227548299b67a380fa0
[   2.0748 ] node: name=PublicKeyHash size=32
[   2.0748 ]   value=0x835156a9a7d22c227245639eb40bd88b0f4a7eab6dd6e0fb2bbf9536d820927d
[   2.0748 ] node: name=BootSecurityInfo size=4
[   2.0749 ]   value=0x5
[   2.0749 ] 
[   2.0768 ] tegrarcm_v2 --oem burnfuses blow_fuse_data.bin
[   2.0785 ] Applet version 01.00.0000
[   2.0814 ] 0000000074741201: E> NV3P_SERVER: Fuse burn is not supported.
[   2.0903 ] 
[   2.0904 ] Fuse burning failed

console log

[0001.089] I> MB1 (prd-version: 1.5.1.0-t194-41334769-59d8a47d)
[0001.094] I> Boot-mode: RCM
[0001.097] I> Chip revision : A02 
[0001.100] I> Bootrom patch version : 7 (correctly patched)
[0001.105] I> ATE fuse revision : 0x200
[0001.108] I> Ram repair fuse : 0x0
[0001.112] I> Ram Code : 0x0
[0001.114] I> rst_source : 0x0
[0001.117] I> rst_level : 0x0
[0001.121] I> USB configuration success
[0003.102] I> Handling oem command 6
[0003.105] E> NV3P_SERVER: Fuse burn is not supported.
Problems with burning Jetson TX2 keys
#2

hello kckao.tw,

could you please use the standard commands by connect the Jetson-Xavier to the host.
do remember to enable –noburn options, this won’t actually fuse the board but generate a fuse blob for checking.
thanks

$ sudo ./odmfuse.sh --noburn -i 0x19 -c PKC -p -k <key.pem> [--KEK0 <KEK0 file> --KEK1 <KEK1 file> --KEK2 <KEK2 file> --KEK256 <KEK256 file> -S <SBK file>] jetson-xavier
#3

Hi Jerry,
I did try the following commands, and they are not working.

  1. with board id sku, --noburn, PKC, SBK
    sudo BOARDID=2888 FAB=400 BOARDSKU=0001 BOARDREV=H.0 CHIPREV=2 ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k …/key/rsa_priv.pem -S …/key/sbk.txt jetson-xavier
  2. –noburn, PKC, SBK
    sudo ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k …/key/rsa_priv.pem -S …/key/sbk.txt jetson-xavier
  3. with board id sku, --noburn, PKC
    sudo BOARDID=2888 FAB=400 BOARDSKU=0001 BOARDREV=H.0 CHIPREV=2 ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k …/key/rsa_priv.pem jetson-xavier
  4. PKC
    sudo ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k …/key/rsa_priv.pem jetson-xavier

When sudo ./fusecmd.sh got
[ 2.0814 ] 0000000074741201: E> NV3P_SERVER: Fuse burn is not supported.

#4

hello kckao.tw,

there might be some documentation erroneous, you’ll need to exclude target board naming.
you should also check the readme files in the secureboot package.
$ sudo ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k -S jetson-xavier

hence, please tried again with below commands,

$ sudo ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k ../key/rsa_priv.pem -S ../key/sbk.txt
#5

Thanks! it is working.

#6

[EDIT]

hello kckao.tw,

FYI, we had locally verified that adding <device_name> in the end of commands works with JetPack-4.2.1 / l4t-r32.2
I’m wondering you’re not assign the sbk file name correctly. (i.e. sbk.key)

however, please also refer to below commands that works from our side.
thanks

$ sudo ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k rsa_priv.pem -S sbk.key jetson-xavier

Or

$ sudo BOARDID=2888 FAB=400 BOARDSKU=0001 BOARDREV=D.0 CHIPREV=2 ./odmfuse.sh --noburn -i 0x19 -c PKC -j -k rsa_priv.pem -S sbk.key jetson-xavier