Error when using ' --noburn'


I’m trying to follow the steps in Secureboot.

It seems many people have problems when following these instructions. I was hoping to follow most of the steps without burning or flashing before repeating ‘for real’.

I’m trying to complete Burning PKC [DK(KEK), SBK] Fuses using sudo ./ --noburn -j -i 0x19 -c PKC -p -k my_privkey.pem -S my_sbk.key jetson-xavier-nx-devkit-emmc but I get an error.

v4@v4-ubuntu-matt:~/l4t-32.5/Linux_for_Tegra$ sudo ./ --noburn -j -i 0x19 -c PKC -p -k ../../rsa_priv.pem -S ../../sbk.key jetson-xavier-nx-devkit-emmc
Board ID() version() sku() revision()
copying sdram_config(/home/v4/l4t-32.5/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-memcfg-p3668-0001-a00.cfg)... done.
copying sdram_config1(/home/v4/l4t-32.5/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-memcfg-sw-override.cfg)... done.
Existing applet(/home/v4/l4t-32.5/Linux_for_Tegra/bootloader/mb1_t194_prod.bin) reused.
*** Calculating HASH from keyfile /home/v4/rsa_priv.pem ... done
PKC HASH: 0xedcb6ab8ba40af31c585cc7dcef373bdc8755d5c3ac49c2a46ab7a43797edfb0
*** Generating fuse configuration ... done.
*** Start preparing fuse configuration ...
tar: bootloader//home/v4/l4t-32.5/Linux_for_Tegra/bootloader/t186ref/BCT: Cannot stat: No such file or directory
tar: Exiting with failure status due to previous errors
*** done.

fuseblob.tbz2 gets created but it seems is trying to add something incorrectly. The invalid path appears to be related to ${uphy_config} and ${uphy_configname}.

I tried with an NX in recovery mode connected. I also tried adding BOARDID=3668 FAB=100 BOARDSKU=0001 BOARDREV=F.0 to the command (I found this in another post, I don’t know it matches my board!). The error was the same.

I’m using Jetpack 4.5.1/L4T 32.5.1. I downloaded Secureboot package 32.3.1 (secureboot_R32.3.1_aarch64.tbz2).

Any help with Secureboot will be greatly appreciated!


hello MattBr,

there’s No such file or directory failure, it looks you’re executing the script under incorrect path.
you should extract the secure boot package under JetPack installation folder to perform the
BTW, please also check Topic 158361 for the steps to fuse burning Xavier NX eMMC modules.

Hi @JerryChang , thanks for helping. I’m sorry I have tried to follow this instructions but it’s complicated, right?

bootloader//home/v4/l4t-32.5/Linux_for_Tegra/bootloader/t186ref/BCT is clearly not a valid path but I don’t understand how ${uphy_configname} is configured and came to contain this value.

/home/v4/l4t-32.5/Linux_for_Tegra/bootloader/t186ref/BCT is a valid path that exists:

v4@v4-ubuntu-matt:~/l4t-32.5/Linux_for_Tegra$ readlink -f bootloader/t186ref/BCT

Yes, I thought that what I was doing. I can use to successfully flash NX and TX2 developer kits. I haven’t used to flash an NX production module yet. I appreciate I mustn’t use with the NX SD-card module, which is why I’m practicing with --noburn.

I created the Linux_for_Tegra directory by following the instructions from here, Preparing a Jetson Developer Kit for Use. I downloaded jetson_linux_r32.5.2_aarch64.tbz2 and tegra_linux_sample-root-filesystem_r32.5.2_aarch64.tbz2 from L4T Archive.

I’m happy to install Jetpack and/or L4T using a different approach if I’ve done something wrong. I have installed SDK Manager but I was uncertain about the L4T it was using so decided to use L4T from the archive.

Yes, I’ve seen that post and was trying to do what it says. There are 3 obvious differences with what I’m doing:

  • It says ‘Jetpack 4.4’ whereas I think I’m using Jetpack 4.5.1 (L4T 32.5.2).
  • The example command includes BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0. I tried adding this to my command but it made no difference.
  • The example command includes --KEK2 kek2.key. My command doesn’t include --KEK2 because I don’t understand what the KEK is.


Hi @JerryChang,

I’ve just discovered that at the bottom of L4T R32.5.1 Release Page there is another link to the Secureboot package. It’s under ’ 32.5.1 Driver Details|Tools’. Jetson Platform Fuse Burning and Secure Boot Documentation and Tools

Using this link I downloaded secureboot_R32.5.0_aarch64.tbz2.

Clearly this is not reflected by the instructions Installing the Secureboot Package which say:

Download the latest Secureboot package for your platform from the Jetson Download Center. Search the database of downloads for “secure boot.”

When following the these instructions the latest available package is secureboot_R32.3.1_aarch64.tbz2.

After installing 32.5.0 and updating the options, as instructed by error messages, I can run it without errors:

v4@v4-ubuntu-matt:~/l4t-32.5/Linux_for_Tegra$ sudo BOARDID=3668 BOARDSKU=0001 FAB=100 BOARDREV=H.0 ./ --noburn --disable-jtag -i 0x19 --auth PKC -p -k ../../rsa_priv.pem jetson-xavier-
CHIPREV is missing, will use the default value(2).
Board ID(3668) version(100) sku(0001) revision(H.0)
copying sdram_config(/home/v4/l4t-32.5/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-bct-memcfg-p3668-0001-a00.cfg)... done.
[   6.1379 ] Saving pkc public key  in pub_key.key
[   6.2235 ]
[   6.2251 ] tegrahost_v2 --chip 0x19 0 --pubkeyhash pub_key.key --updatesigheader nvtboot_recovery_cpu_t194_sigheader.bin.signed nvtboot_recovery_cpu_t194_sigheader.bin.sig oem-rsa
[   6.2346 ]
[   6.2348 ] Copying signed file in /home/v4/l4t-32.5/Linux_for_Tegra/bootloader/signed
[   6.2806 ] tegraparser_v2 --pt flash.xml.bin --generateflashindex /home/v4/l4t-32.5/Linux_for_Tegra/bootloader/signed/flash.xml.tmp flash.idx
[   6.4768 ]
*** Calculating HASH from keyfile /home/v4/rsa_priv.pem ... done
PKC HASH: 0xedcb6ab8ba40af31c585cc7dcef373bdc8755d5c3ac49c2a46ab7a43797edfb0
*** Generating fuse configuration ... done.
*** Start preparing fuse configuration ...
*** done.

This command line is somewhat different to the examples given in Burning PKC [DK(KEK), SBK] Fuses.

I’m unsure what this achieves! What I hope this means is that, the boot files (kernal, dftb and initrd) will be signed but not encrypted.

Does any of the make sense?


hello MattBr,

that’s correct, some of the packages under the L4T release page, i.e. L4T R32.5.1 Release Page.

PKC for sign, if PKC is burned, then the KEYFILE users provide is for signing the images.
SBK for encryption, if SBK is burned, then the SBKFILE users provide is for encrypting the images.

since you’ve burn the target with PKC only, that’s not encrypted.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.