Firmware with daisk encryption

Good afternoon! I’m trying to flash the Jetson Orin nano dev kit using these commands. But I either get a non-working system or errors during the firmware. Am I doing everything right?

sudo apt-get install cryptsetup
sudo ./tools/kernel_flash/ --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" --no-flash --network usb0 jetson-orin-nano-devkit-nvme internal
head -c 32 /dev/urandom | xxd -p -c 32 > ekb.key
sudo ROOTFS_ENC=1 ./tools/kernel_flash/ --showlogs --no-flash --external-device nvme0n1p1 -i ./ekb.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 jetson-orin-nano-devkit external
sudo ./tools/kernel_flash/ --showlogs --network usb0 --flash-only

When I run these commands I get an error

 Entering RCM boot

[   0.0767 ] mb1_t234_prod_aligned_sigheader.bin.encrypt filename is from --mb1_bin
[   0.0768 ] psc_bl1_t234_prod_aligned_sigheader.bin.encrypt filename is from --psc_bl1_bin
[   0.0768 ] rcm boot with presigned binaries
[   0.0790 ] tegrarcm_v2 --instance 1-2 --new_session --chip 0x23 0 --uid --download bct_br br_bct_BR.bct --download mb1 mb1_t234_prod_aligned_sigheader.bin.encrypt --download psc_bl1 psc_bl1_t234_prod_aligned_sigheader.bin.encrypt --download bct_mb1 mb1_bct_MB1_sigheader.bct.encrypt
[   0.0843 ] BR_CID: 0x80012344705DD789740000000FFE8280
[   0.1124 ] Sending bct_br
[   0.1407 ] Sending mb1
[   0.1425 ] Sending psc_bl1
[   0.1521 ] Sending bct_mb1
[   0.1579 ] Generating blob for T23x
[   0.1635 ] tegrahost_v2 --chip 0x23 0 --generateblob blob.xml blob.bin
[   0.1654 ] The number of images in blob is 18
[   0.1668 ] blobsize is 73516139
[   0.1676 ] Added binary blob_uefi_jetson_with_dtb_sigheader.bin.encrypt of size 2924608
[   0.2195 ] Added binary blob_pscfw_t234_prod_sigheader.bin.encrypt of size 375168
[   0.2316 ] Added binary blob_mce_flash_o10_cr_prod_sigheader.bin.encrypt of size 190592
[   0.2462 ] Added binary blob_applet_t234_sigheader.bin.encrypt of size 277312
[   0.2568 ] Not supported type: mb2_applet
[   0.2608 ] Added binary blob_mb2_t234_with_mb2_cold_boot_bct_MB2_sigheader.bin.encrypt of size 438768
[   0.2681 ] Added binary blob_xusb_t234_prod_sigheader.bin.encrypt of size 164864
[   0.2711 ] Added binary blob_display-t234-dce_sigheader.bin.encrypt of size 9097216
[   0.2741 ] Added binary blob_nvdec_t234_prod_sigheader.fw.encrypt of size 294912
[   0.2811 ] Added binary blob_bpmp_t234-TE980M-A1_prod_sigheader.bin.encrypt of size 1051136
[   0.2956 ] Added binary blob_tegra234-bpmp-3767-0000-a02-3509-a02_with_odm_sigheader.dtb.encrypt of size 258688
[   0.3006 ] Added binary blob_camera-rtcpu-sce_sigheader.img.encrypt of size 166304
[   0.3037 ] Added binary blob_camera-rtcpu-t234-rce_sigheader.img.encrypt of size 537952
[   0.3187 ] Added binary blob_adsp-fw_sigheader.bin.encrypt of size 400864
[   0.3208 ] Added binary blob_spe_t234_sigheader.bin.encrypt of size 270336
[   0.3311 ] Added binary blob_tos-optee_t234_sigheader.img.encrypt of size 1127568
[   0.3369 ] Added binary blob_eks_t234_sigheader.img.encrypt of size 9232
[   0.3461 ] Added binary blob_boot0.img of size 55582720
[   0.3480 ] Added binary blob_tegra234-p3767-0000-p3768-0000-a0.dtb of size 346795
[   0.4208 ] tegrarcm_v2 --instance 1-2 --chip 0x23 0 --pollbl --download bct_mem mem_rcm_sigheader.bct.encrypt --download blob blob.bin
[   0.4236 ] BL: version last_boot_error: 0
[   0.4423 ] Sending bct_mem
[   0.4437 ] Sending blob
[   0.5613 ] ERROR: might be timeout in USB write.
Error: Return value 3
Command tegrarcm_v2 --instance 1-2 --chip 0x23 0 --pollbl --download bct_mem mem_rcm_sigheader.bct.encrypt --download blob blob.bin
Cleaning up...

Hi robert969696,

What’s the Jetpack version you are going to flash with?

Can you use jetson-orin-nano-devkit instead of jetson-orin-nano-devkit-nvme as board config?

Please also share the serial console log from your board when you hit this error from host.

While I was waiting for your answer, I made a couple more firmwares using other instructions. And now I have a new problem, after completing these steps, my Jetson stopped responding to any actions. I did these steps, then went home and the next morning the jetson light was off and there was nothing in the serial console. Is it possible to somehow revive Jetson?

set -e
while [[ "$#" -gt 0 ]]; do
    case $1 in
        -p|--production) PRODUCTION=1 ;;
        *) echo "Unknown parameter passed: $1"; exit 1 ;;
if [[ "${PRODUCTION}" -ne "0" ]]; then
  echo "====================================="
  echo "========== PRODUCTION MODE =========="
  echo "====================================="
  echo "======================================"
  echo "============ TESTING MODE ============"
  echo "======================================"
##### SETUP SYSTEM #####
echo "Stopping Services"
sudo systemctl stop udisks2
sudo -s echo -1 > /sys/module/usbcore/parameters/autosuspend
sudo ufw disable
echo "Installing packages"
apt-get install dislocker cryptsetup libcryptsetup-dev libcryptsetup12 cryptmount cryptmount overlayroot qemu-user-static
pip install cryptography
pip install pycrypto
echo "Creating Directory"
mkdir tmp
cd tmp
echo "Downloading Packages"
echo "Unpacking Packages"
tar xvf jetson_linux_r35.4.1_aarch64.tbz2
sudo tar xvf tegra_linux_sample-root-filesystem_r35.4.1_aarch64.tbz2 -C Linux_for_Tegra/rootfs/
tar xvf public_sources.tbz2
cd Linux_for_Tegra/source/public/
tar xvf nvidia-jetson-optee-source.tbz2
cd ../..
echo "Running prerequeisites script"
sudo tools/
echo "Applying Binaries"
sudo ./
if [ ! -f rsa.pem ]; then
  echo "Generating PKCS key pair..."
  openssl genrsa -out rsa.pem 3072
PKCS_KEY_XML_HASH=$(./bootloader/ --pubkeyhash rsa.pubkey rsa.hash --key rsa.pem | grep "tegra-fuse format" | awk '{print $NF}')
echo "PKCS Key Hash: ${PKCS_KEY_XML_HASH}"
##### PREPARE AN SBK KEY #####
if [ ! -f sbk.key ] || [ ! -f sbk_xml.key ]; then
  echo "Generating SBK key..."
  SBK_0=$(openssl rand -hex 4)
  SBK_1=$(openssl rand -hex 4)
  SBK_2=$(openssl rand -hex 4)
  SBK_3=$(openssl rand -hex 4)
  SBK_4=$(openssl rand -hex 4)
  SBK_5=$(openssl rand -hex 4)
  SBK_6=$(openssl rand -hex 4)
  SBK_7=$(openssl rand -hex 4)
  SBK_KEY=$(echo "0x${SBK_0} 0x${SBK_1} 0x${SBK_2} 0x${SBK_3} 0x${SBK_4} 0x${SBK_5} 0x${SBK_6} 0x${SBK_7}")
  echo "${SBK_KEY}" > sbk.key
  echo "${SBK_KEY_XML}" > sbk_xml.key
  SBK_KEY=$(cat sbk.key)
  SBK_KEY_XML=$(cat sbk_xml.key)
echo "SBK Key: ${SBK_KEY_XML}"
##### PREPARE KEK KEYS #####
if [ ! -f kek.key ] || [ ! -f kek_xml.key ]; then
  echo "Generating KEK key..."
  KEK_2_0=$(openssl rand -hex 4)
  KEK_2_1=$(openssl rand -hex 4)
  KEK_2_2=$(openssl rand -hex 4)
  KEK_2_3=$(openssl rand -hex 4)
  KEK_2_4=$(openssl rand -hex 4)
  KEK_2_5=$(openssl rand -hex 4)
  KEK_2_6=$(openssl rand -hex 4)
  KEK_2_7=$(openssl rand -hex 4)
  KEK_2_KEY=$(echo "0x${KEK_2_0} 0x${KEK_2_1} 0x${KEK_2_2} 0x${KEK_2_3} 0x${KEK_2_4} 0x${KEK_2_5} 0x${KEK_2_6} 0x${KEK_2_7}")
  echo "${KEK_2_KEY}" > kek.key
  echo "${KEK_2_KEY_XML}" > kek_xml.key
  echo "${KEK_2_KEY_OPTEE}" > kek_optee.key
  KEK_2_KEY=$(cat kek.key)
  KEK_2_KEY_XML=$(cat kek_xml.key)
  KEK_2_KEY_OPTEE=$(cat kek_optee.key)
echo "KEK1 Key: ${KEK_2_KEY_XML}"
echo "<genericfuse MagicId=\"0x45535546\" version=\"1.0.0\">" > fuse.xml
echo "  <fuse name=\"PublicKeyHash\" size=\"64\" value=\"${PKCS_KEY_XML_HASH}\"/>" >> fuse.xml
echo "  <fuse name=\"SecureBootKey\" size=\"32\" value=\"${SBK_KEY_XML}\"/>" >> fuse.xml
echo "  <fuse name=\"OemK2\" size=\"32\" value=\"${KEK_2_KEY_XML}\"/>" >> fuse.xml
echo "  <fuse name=\"BootSecurityInfo\" size=\"4\" value=\"0x209\"/>" >> fuse.xml
if [[ "${PRODUCTION}" -ne "0" ]]; then
  echo "  <fuse name=\"SecurityMode\" size=\"4\" value=\"0x1\"/>" >> fuse.xml
echo "</genericfuse>" >> fuse.xml
echo "==============================================================================="
cat fuse.xml
echo "==============================================================================="
echo "Generating OpTee image"
echo "bad66eb4484983684b992fe54a648bb8" > fv_ekb_t234
echo "010203040506070809a0b0c0d0e0f001" > sym_t234.key
echo "f0e0d0c0b0a001020304050607080900" > sym2_t234.key
python3 ./source/public/optee/samples/hwkey-agent/host/tool/gen_ekb/ -chip t234 -oem_k2_key kek_optee.key -fv fv_ekb_t234 -in_sym_key sym_t234.key -in_sym_key2 sym2_t234.key -out bootloader/eks_t234.img
read -p "Press key to continue"
sudo ./ -i 0x23 -k rsa.pem -S sbk.key -X fuse.xml jetson-orin-nano-devkit
##### QSPI SETUP #####
echo "Creating QSPI Image"
echo "Modify NUM_SECTORS in ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml"
echo "For a 500GB drive, this should equal to `(500(size in GiB) * 1000 * 1000 * 1000) / 500(sector size)` = 1000000000."
echo "Put Jetson Orin Nano Devkit into recovery mode and plug it in"
read -p "Press key to continue"
sudo ./tools/kernel_flash/ --network usb0 -u ./rsa.pem -v ./sbk.key --no-flash --showlogs -p "-c bootloader/t186ref/cfg/flash_t234_qspi.xml" jetson-orin-nano-devkit internal
sudo cp bootloader/eks_t234_sigheader_encrypt.img.signed ./tools/kernel_flash/images/internal/
##### ROOTFS SETUP #####
echo "Creating RootFs Image"
echo "Put Jetson Orin Nano Devkit into recovery mode and plug it in"
echo "Please make sure you have modified the script for a good rootfs size of `-S 400Gib` is default and good for a 500GiB drive"
read -p "Press key to continue"
# Modify 400GiB rootfs size. There needs to be enough room inside NUM_SECTORS replacement, and the remaining partitions #
sudo ROOTFS_ENC=1 ./tools/kernel_flash/ --showlogs -u ./rsa.pem -v ./sbk.key --no-flash --external-device nvme0n1p1 -i ./sym2_t234.key -c ./tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml -S 400GiB --external-only --append --network usb0 jetson-orin-nano-devkit external
##### FLASH #####
echo "Flash Image"
echo "Put Jetson Orin Nano Devkit into recovery mode and plug it in"
read -p "Press key to continue"
sudo ./tools/kernel_flash/ --showlogs -u rsa.pem -v sbk.key --network usb0 --flash-only

Without the serial console log, we won’t know the status on your board.
Could you try to perform some electric check like if the power is expected from HW side first?

Yes, the power is supplied, but the jetson does not react at all, it warms up a little. But the serial console is empty.

Seems Jetson is broken. Do you have another devkit to do cross-check? Or is it possible for you to do some hardware checks with multimeter and osilloscope?

I still have a lot of Jetsons, but I’m afraid of damaging them during the cross check. Any recommendations on what to check with a multimeter? Could I have broken it simply by flashing the firmware?

You can measure the voltage level of some rails as you can see in the design guide and reference carrier board schematic in DLC.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.