Flashing Xavier NX after SBKPKC fusing fails during GPT writing

Hello,

I’m running into an unexpected issue trying to flash a Xavier NX eMMC module after having burned SBK / PKC keys into the fuses. Running
sudo ./flash.sh -u keys/pkc-sign-key.pem -v keys/sbk.key -s keys/pkc-sign-key.pem -r -y SBKPKC jetson-xavier-nx-devkit-emmc mmcblk0p1
fails when it starts writing the secondary_gpt part:

(((earlier log messages omitted)))
./tegraflash.py --bl nvtboot_recovery_cpu_t194.bin_sigheader.encrypt.signed --bct br_bct_BR.bct --applet rcm_2_signed.rcm --applet_softfuse rcm_1_signed.rcm --cmd "secureflash;reboot"  --cfg secureflash.xml --chip 0x19 --mb1_bct mb1_bct_MB1.bct_sigheader.encrypt.signed --mem_bct mem_rcm.bct_sigheader.encrypt.signed --mb1_cold_boot_bct mb1_cold_boot_bct_MB1.bct_sigheader.encrypt.signed --mem_bct_cold_boot mem_coldboot_sigheader.bct.signed  --bins "mb2_bootloader nvtboot_recovery_t194.bin_sigheader.encrypt.signed; mts_preboot preboot_c10_prod_cr_sigheader.bin.encrypt.signed; mts_mce mce_c10_prod_cr_sigheader.bin.encrypt.signed; mts_proper mts_c10_prod_cr_sigheader.bin.encrypt.signed; bpmp_fw bpmp_t194_sigheader.bin.encrypt.signed; bpmp_fw_dtb tegra194-a02-bpmp-p3668-a00_sigheader.dtb.encrypt.signed; spe_fw spe_t194_sigheader.bin.encrypt.signed; tlk tos-trusty_t194_sigheader.img.encrypt.signed; eks eks_sigheader.img.encrypt.signed; bootloader_dtb tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt.signed"   
saving flash command in flashcmd.txt
*** Flashing target device started. ***
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0158 ] Parsing partition layout
[   0.0170 ] tegraparser_v2 --pt secureflash.xml.tmp
[   0.0190 ] 
[   0.0190 ] Boot Rom communication
[   0.0213 ] tegrarcm_v2 --chip 0x19 0 --rcm rcm_1_signed.rcm --rcm rcm_2_signed.rcm
[   0.0225 ] BR_CID: 0xe80219116459e5871000000013048180
[   0.2286 ] Boot Rom communication completed
[   1.4692 ] 
[   2.4741 ] tegrarcm_v2 --isapplet
[   2.4762 ] Applet version 01.00.0000
[   3.3577 ] 
[   3.3578 ] Sending BCTs
[   3.3614 ] tegrarcm_v2 --download bct_bootrom br_bct_BR.bct --download bct_mb1 mb1_bct_MB1.bct_sigheader.encrypt.signed --download bct_mem mem_rcm.bct_sigheader.encrypt.signed
[   3.3632 ] Applet version 01.00.0000
[   4.2339 ] Sending bct_bootrom
[   4.2341 ] [................................................] 100%
[   4.2355 ] Sending bct_mb1
[   4.2422 ] [................................................] 100%
[   4.2460 ] Sending bct_mem
[   4.3001 ] [................................................] 100%
[   4.3761 ] 
[   4.3762 ] Generating blob
[   4.3823 ] tegrahost_v2 --chip 0x19 --generateblob blob.xml blob.bin
[   4.3841 ] number of images in blob are 11
[   4.3850 ] blobsize is 5900536
[   4.3852 ] Added binary blob_nvtboot_recovery_cpu_t194.bin_sigheader.encrypt.signed of size 263840
[   4.3927 ] Added binary blob_nvtboot_recovery_t194.bin_sigheader.encrypt.signed of size 181152
[   4.3935 ] Added binary blob_preboot_c10_prod_cr_sigheader.bin.encrypt.signed of size 24016
[   4.3942 ] Added binary blob_mce_c10_prod_cr_sigheader.bin.encrypt.signed of size 143200
[   4.3949 ] Added binary blob_mts_c10_prod_cr_sigheader.bin.encrypt.signed of size 3430416
[   4.3968 ] Added binary blob_bpmp_t194_sigheader.bin.encrypt.signed of size 856352
[   4.3985 ] Added binary blob_tegra194-a02-bpmp-p3668-a00_sigheader.dtb.encrypt.signed of size 281984
[   4.3992 ] Added binary blob_spe_t194_sigheader.bin.encrypt.signed of size 94960
[   4.3999 ] Added binary blob_tos-trusty_t194_sigheader.img.encrypt.signed of size 410560
[   4.4007 ] Added binary blob_eks_sigheader.img.encrypt.signed of size 5136
[   4.4013 ] Added binary blob_tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt.signed of size 208736
[   4.4027 ] 
[   4.4028 ] Sending bootloader and pre-requisite binaries
[   4.4047 ] tegrarcm_v2 --download blob blob.bin
[   4.4060 ] Applet version 01.00.0000
[   5.1505 ] Sending blob
[   5.1507 ] [................................................] 100%
[   5.9649 ] 
[   5.9687 ] tegrarcm_v2 --boot recovery
[   5.9704 ] Applet version 01.00.0000
[   6.8461 ] 
[   7.8509 ] tegrarcm_v2 --isapplet
[   8.4575 ] 
[   8.4610 ] tegrarcm_v2 --ismb2
[   9.3334 ] 
[   9.3371 ] tegradevflash_v2 --iscpubl
[   9.3389 ] Bootloader version 01.00.0000
[   9.7738 ] Bootloader version 01.00.0000
[   9.7747 ] 
[   9.7748 ] Retrieving storage infomation
[   9.7784 ] tegrarcm_v2 --oem platformdetails storage storage_info.bin
[   9.7801 ] Applet is not running on device. Continue with Bootloader
[  10.4230 ] 
[  10.4264 ] tegradevflash_v2 --oem platformdetails storage storage_info.bin
[  10.4281 ] Bootloader version 01.00.0000
[  10.8657 ] Saved platform info in storage_info.bin
[  10.8672 ] 
[  10.8673 ] Flashing the device
[  10.8706 ] tegraparser_v2 --storageinfo storage_info.bin --generategpt --pt secureflash.xml.bin
[  10.8732 ] 
[  10.8762 ] tegradevflash_v2 --pt secureflash.xml.bin --create
[  10.8777 ] Bootloader version 01.00.0000
[  11.3097 ] Erasing spi: 0 ......... [Done]
[  14.3124 ] Writing partition secondary_gpt with gpt_secondary_3_0.bin
[  14.3132 ] [................................................] 100%
[  14.3147 ] 000000000d0d0001: o initialize partition table from GPT.
[  14.4012 ] 
[  14.4012 ] 
Error: Return value 1
Command tegradevflash_v2 --pt secureflash.xml.bin --create

On the debug serial I see the following:

main enter
SPE VERSION #: R01.00.14 Created: Sep 19 2018 @ 11:03:21
HW Function test
Start Scheduler.
in late init
��
  [0054.378] I> Welcome to MB2(TBoot-BPMP) Recovery (version: 00.00.2018.32-mobi
le-21d977c9)
[0054.378] I> DMA Heap @ [0x526fa000 - 0x52ffa000]
[0054.379] I> Default Heap @ [0xd486400 - 0xd48a400]
[0054.380] E> DEVICE_PROD: Invalid value data = 70020000, size = 0.
[0054.386] W> device prod register failed
[0054.391] I> parsing oem signed section of bpmp-fw header done
[0054.398] I> bpmp-fw binary copied from blob
[0054.404] I> RSA PSS signature check: OK
[0054.404] I> oem authentication of bpmp-fw header done
[0054.409] I> bpmp-fw: Authentication init Done
[0054.413] I> parsing oem signed section of cpubl header done
[0054.419] I> cpubl binary copied from blob
[0054.426] I> bpmp-fw: Authentication Finalize Done
[0054.430] I> RSA PSS signature check: OK
[0054.431] I> oem authentication of cpubl header done
[0054.436] I> cpubl: Authentication init Done
[0054.440] I> parsing oem signed section of tos header done
[0054.446] I> tos binary copied from blob
[0054.449] I> Relocating BR-BCT
[0054.453] I> cpubl: Authentication Finalize Done
[0054.459] I> RSA PSS signature check: OK
[0054.460] I> oem authentication of tos header done
[0054.465] I> tos: Authentication init Done
[0054.469] I> parsing oem signed section of bpmp-fw-dtb header done
[0054.475] I> bpmp-fw-dtb binary copied from blob
[0054.481] I> tos: Authentication Finalize Done
[0054.488] I> RSA PSS signature check: OK
[0054.488] I> oem authentication of bpmp-fw-dtb header done
[0054.492] I> bpmp-fw-dtb: Authentication init Done
[0054.497] I> parsing oem signed section of cpubl-dtb header done
[0054.503] I> cpubl-dtb binary copied from blob
[0054.509] I> bpmp-fw-dtb: Authentication Finalize Done
[0054.608] I> RSA PSS signature check: OK
[0054.608] I> oem authentication of cpubl-dtb header done
[0054.609] I> cpubl-dtb: Authentication init Done
[0054.610] I> parsing oem signed section of eks header done
[0054.610] I> eks binary copied from blob
[0054.612] I> cpubl-dtb: Authentication Finalize Done
[0054.616] I> RSA PSS signature check: OK
[0054.616] I> oem authentication of eks header done
[0054.619] I> eks: Authentication init Done
[0054.623] I> eks: Authentication Finalize Done
[0054.627] I> EKB detected (length: 0x410) @ VA:0x526fb800
��NOTICE:  BL31: v1.3(release):b5eeb33f7
NOTICE:  BL31: Built : 12:15:32, Jul 26 2021
ipc-unittest-main: 1519: Welcome to IPC unittest!!!
ipc-unittest-main: 1531: waiting forever
ipc-unittest-srv: 329: Init unittest services!!!
hwkey-agent: 41: hwkey-agent is running!!
hwkey-agent: 315: key_mgnt_processing .......
hwkey-agent: 162: ekb_verification: EKB_CMAC verification is not match.
hwkey-agent: 368: key_mgnt_processing: failed (-7)
hwkey-agent: 45: main: Failed to verify or extract EKB (-7).
exit called, thread 0xffffffffea8a4d58, name trusty_app_2_92b92883-f96a-4177
luks-srv: 40: luks-srv is running!!
platform_bootstrap_epilog: trusty bootstrap complete
��

welcome to lk
calling constructors
initializing heap
creating bootstrap completion thread
top of bootstrap2()
initializing platform
bpmp: platform_init
tag is e73a758761f0c6d24a1e69a2ac6b5035
tag_show initialized
dt initialized
mail initialized
chipid initialized
fuse initialized
sku initialized
speedo initialized
ec_get_ec_list: found 45 ecs
ec initialized
ec_mrq initialized
vmon_populate_monitors: found 3 monitors
vmon initialized
adc initialized
fmon_populate_monitors: found 73 monitors
fmon initialized
fmon_mrq initialized
reset initialized
nvhs initialized
391 clocks registered
clk_mrq_init: mrq handler registered
clk initialized
nvlink initialized
io_dpd initialized
io_dpd initialized
thermal initialized
i2c5 controller initialized
initialized i2c mrq handling
i2c initialized
regulator initialized
avfs_clk_platform_init: bad clk id in clock@cluster1_avfs
avfs_clk_platform initialized
soctherm initialized
aotag initialized
powergate initialized
dvs initialized
pm initialized
pg_late initialized
strap initialized
tag initialized
emc initialized
clk_dt initialized
avfs_ccplex_platform initialized
tj_max: dt node not found
tj_init initialized
/uphy is not enabled status = disabled
uphy_dt initialized
uphy initialized
safereg_init: period 80 ms
ec_late initialized
mrq initialized
��
  [0054.979] I> Welcome to TBoot-CPU Recovery
��WARNING: no registered clock for FMON_NAFLL_CLUSTER1 (id 281)
fmon_post initialized
��[0054.980] I> Heap: [0xa4000000 ... 0xaa000000
[0054.990] I> gpio framework initialized
��clk_set_parent failed for clk i2c2, parent pll_aon (-22)
clk_set_parent failed for clk i2c8, parent pll_aon (-22)
clk_dt_late initialized
machine_check initialized
pm_post initialized
dbells initialized
avfs_clk_platform_post initialized
dmce initialized
cvc initialized
ccplex_avfs_hw_init: nafll_cluster0: not monitored
ccplex_avfs_hw_init: nafll_cluster2: not monitored
ccplex_avfs_hw_init: nafll_cluster3: not monitored
avfs_clk_mach_post initialized
regulator_post initialized
rm initialized
sc7_diag initialized
thermal_test initialized
serial_late initialized
clk_post initialized
clk_dt_post initialized
mc_reg initialized
pg_post initialized
dyn_modules initialized
sku_debugfs initialized
speedo_debugfs initialized
adc_debugfs initialized
Failed to register PTO counter for id 281
Failed to register PTO counter for id 281
Failed to register PTO counter for id 281
Failed to register PTO counter for id 281
clk_debugfs initialized
emc_debugfs initialized
dvs_debugfs initialized
fmon_debugfs_init_one: no clock debugfs node to attach FMON_NAFLL_CLUSTER1
fmon_debugfs initialized
vmon_debugfs initialized
pg_debugfs initialized
profile_fs initialized
debugfs_cons initialized
mail_fs initialized
profile initialized
cvc_debugfs initialized
dmce_debugfs initialized
ec_debugfs initialized
rm_rail_debugfs_init: /rm/vdd_cpu: failed
rm_rail_debugfs_init: /rm/vdd_cpu: failed
rm_debugfs initialized
soctherm_debug initialized
gr_reader initialized
mods initialized
dt_fs initialized
debugfs_mrq initialized
debug_mrq initialized
debug_safereg initialized
initializing target
calling apps_init()
starting app shell
entering main console loop
] ��[0055.000] I> tegrabl_gpio_driver_register: register 'nvidia,tegra194-gpio' 
driver
[0055.154] I> tegrabl_gpio_driver_register: register 'nvidia,tegra194-gpio-aon' 
driver
[0055.159] I> tegrabl_tca9539_init: i2c bus: 1, slave addr: 0x46
[0055.168] W> fetch_driver_phandle_from_dt: failed to get node with compatible t
i,tca9539
[0055.176] W> fetch_driver_phandle_from_dt: failed to get node with compatible n
xp,tca9539
[0055.180] W> tegrabl_tca9539_init: failed to fetch phandle from dt
[0055.186] I> tegrabl_tca9539_init: i2c bus: 1, slave addr: 0x44
[0055.194] W> fetch_driver_phandle_from_dt: failed to get node with compatible t
i,tca9539
[0055.202] W> fetch_driver_phandle_from_dt: failed to get node with compatible n
xp,tca9539
[0055.208] W> tegrabl_tca9539_init: failed to fetch phandle from dt
[0055.216] I> fixed regulator driver initialized
[0055.227] I> CPU: Nvidia Carmel
[0055.227] I> CPU: MIDR: 0x4e0f0040, MPIDR: 0x80000000
[0055.228] I> chip revision : A02 
[0055.230] I> Boot-device: eMMC
[0055.233] I> Boot_device: SDMMC_BOOT instance: 3
[0055.656] I> sdmmc DDR50 mode
[0055.666] I> sdmmc-3 params source = safe params
[0055.667] I> QSPI source rate = 19200 Khz
[0055.668] I> Requested rate for QSPI clock = 19000 Khz
[0055.668] I> BPMP-set rate for QSPI clk = 19200 Khz
[0055.669] I> QSPI Flash Size = 32 MB
[0055.671] E> CR3V cmd failed, (err:0x0)
[0055.674] I> Qspi initialized successfully
[0055.674] I> qspi flash-0 params source = safe params
[0055.675] I> sdmmc bdev is already initialized
[0055.680] I> sdmmc-3 params source = safe params
[0055.700] W> Cannot find any partition table for 00000003
[0055.713] W> Cannot find any partition table for 00010003
[0055.714] W> Cannot find any partition table for 00030000
[0055.714] I> Recovery boot_type: 0
[0055.715] I> Entering 3p server
[0055.715] I> USB configuration success
[0058.339] I> Populate storage info
[0058.791] I> Erasing device 3: 0
[0058.791] I> QSPI: Erasing entire device
[0061.794] I> Writing device 3: 0.
[0061.876] W> Cannot find any partition table for 00030000
[0061.876] E> NV3P_SERVER: Failed to initialize partition table from GPT.

The only other mention I’ve found about the NV3P_SERVER: Failed to initialize partition table from GPT. was in this thread, where the advice was to the RMA the board. Seeing as this board worked fine until I enabled SBK/PKC, it seems more likely that I’m getting the error due to something related to that.

Fuses used were: JtagDisable (0x1), SecureBootKey, Kek0, Kek1, Kek2, PublicKeyHash, BootSecurityInfo (0x6), SwReserved (0x28), and SecurityMode (0x1).

Possibly relevant is that I burned the fuses while there was a non-signed/non-encrypted OS on the board.

I’ve also tried using nvmassflashgen.sh, which results in the same error during the nvaflash.sh run.

Any ideas on what I’m doing / have done wrong would be appreciated, before I subject a second board to the same treatment.
Thanks.

hello jmattsson,

may I know which Jetpack release version you’re working with?
here’re two things you may try.
for example…

1. please exclude -r options to re-create the system.img by the flashing process.
2. please use offline approach by having --no-flash added to create fuse blob. taking created script to flash the target.

Hi Jerry,

This is R32.6.1.

1. Made no difference. Same error.
2. The board is already fused, I can’t re-fuse it (see original post for fuse values). As mentioned, I already tried the offline flash creation via nvmassflashgen.sh. That too results in the same error when attempting to flash the result.

Regards,
Johny

hello jmattsson,

could you please revise the settings for confirmation. i.e. $OUT/Linux_for_Tegra/bootloader/tegra19x-mb1-bct-device-qspi-p3668.cfg.
for example,
please change the interface frequency to 50Mhz.

device.qspiflash.0.interface-frequency = 50000000;
device.qspiflash.0.maximum-bus-width = 0;
device.qspiflash.0.trimmer2-val = 0;

I tried with the suggested changes, but it made no difference. I also changed the verbosity to Debug level; this is what I see before the error:

entering main console loop
] ��[0019.444] I> tegrabl_gpio_driver_register: register 'nvidia,tegra194-gpio' 
driver
[0019.595] D> tegrabl_gpio_driver_init: tegra gpio driver:nvidia,tegra194-gpio r
egistered successfully
[0019.608] D> Found gpio driver 'nvidia,tegra194-gpio' in list
[0019.610] I> tegrabl_gpio_driver_register: register 'nvidia,tegra194-gpio-aon' 
driver
[0019.618] D> tegrabl_gpio_driver_init: tegra gpio driver:nvidia,tegra194-gpio-a
on registered successfully
[0019.627] I> tegrabl_tca9539_init: i2c bus: 1, slave addr: 0x46
[0019.636] W> fetch_driver_phandle_from_dt: failed to get node with compatible t
i,tca9539
[0019.643] W> fetch_driver_phandle_from_dt: failed to get node with compatible n
xp,tca9539
[0019.649] W> tegrabl_tca9539_init: failed to fetch phandle from dt
[0019.655] I> tegrabl_tca9539_init: i2c bus: 1, slave addr: 0x44
[0019.663] W> fetch_driver_phandle_from_dt: failed to get node with compatible t
i,tca9539
[0019.670] W> fetch_driver_phandle_from_dt: failed to get node with compatible n
xp,tca9539
[0019.677] W> tegrabl_tca9539_init: failed to fetch phandle from dt
[0019.683] D> regulator framework initialized
[0019.688] I> fixed regulator driver initialized
[0019.692] D> register 'vdd-ac-bat' regulator
[0019.696] D> register 'vdd-sdmmc1-sw' regulator
[0019.700] D> 0x13 0x32 0x0
[0019.703] D> register 'vdd-1v8-sd' regulator
[0019.707] D> register 'vdd-3v3-cvb' regulator
[0019.711] D> register 'vdd-1v8-cvb' regulator
[0019.715] D> register 'vdd-epb-1v0' regulator
[0019.720] D> register 'avdd-cam-2v8' regulator
[0019.723] D> 0x13 0x68 0x0
[0019.726] D> register 'vdd-fan' regulator
[0019.730] D> register 'vdd-hdmi-5v0' regulator
[0019.734] D> register 'vdd_sys_en' regulator
[0019.739] D> register 'vdd-1v8-aud2' regulator
[0019.742] D> 0xc8 0xb 0x1
[0019.745] I> CPU: Nvidia Carmel
[0019.748] I> CPU: MIDR: 0x4e0f0040, MPIDR: 0x80000000
[0019.753] I> chip revision : A02 
[0019.756] I> Boot-device: eMMC
[0019.759] I> Boot_device: SDMMC_BOOT instance: 3
[0019.763] D> Instance: 3
[0019.765] D> sdmmc init
[0019.768] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0019.774] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0020.165] D> sdmmc send command failed, error = f0f0706
[0020.166] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0020.166] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0020.167] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0020.168] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0020.171] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0020.178] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0020.258] I> sdmmc DDR50 mode
[0020.264] D> DDR Data width = 6,[0020.269] D> sdmmc DDR50 mode enabled
[0020.269] D> Init boot device
[0020.269] D> Init user device
[0020.270] I> sdmmc-3 params source = safe params
[0020.270] D> Qspi using gpc-dma
[0020.270] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0020.271] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0020.273] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0020.280] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0020.286] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0020.293] I> QSPI source rate = 19200 Khz
[0020.296] I> Requested rate for QSPI clock = 19000 Khz
[0020.302] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0020.308] I> BPMP-set rate for QSPI clk = 19200 Khz
[0020.313] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0020.319] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0020.326] D> tegrabl_ccplex_bpmp_wait_for_slave_ack: Got ack from slave
[0020.332] I> QSPI Flash Size = 32 MB
[0020.338] E> CR3V cmd failed, (err:0x0)
[0020.341] E> CR3V: Blank Check enable failed, (err:0x0)
[0020.344] I> Qspi initialized successfully
[0020.348] I> qspi flash-0 params source = safe params
[0020.353] D> Instance: 3
[0020.355] I> sdmmc bdev is already initialized
[0020.360] I> sdmmc-3 params source = safe params
[0020.364] D> Publishing device 00000003
[0020.372] D> Selected access_region = 1
[0020.374] D> GPT Signature check failed
[0020.379] D> Selected access_region = 1
[0020.384] D> Selected access_region = 2
[0020.386] D> GPT Signature check failed
[0020.386] D> Could not find GPT
[0020.389] W> Cannot find any partition table for 00000003
[0020.394] D> Failed to publish 00000003
[0020.398] D> Publishing device 00010003
[0020.406] D> Selected access_region = 0
[0020.408] D> GPT Signature check failed
[0020.413] D> Selected access_region = 0
[0020.416] D> GPT Signature check failed
[0020.417] D> Could not find GPT
[0020.419] W> Cannot find any partition table for 00010003
[0020.425] D> Failed to publish 00010003
[0020.428] D> Publishing device 00030000
[0020.432] D> DMA channel 1 is busy
[0020.435] D> GPT Signature check failed
[0020.439] D> DMA channel 1 is busy
[0020.442] D> GPT Signature check failed
[0020.446] D> Could not find GPT
[0020.449] W> Cannot find any partition table for 00030000
[0020.454] D> Failed to publish 00030000
[0020.458] I> Recovery boot_type: 0
[0020.461] I> Entering 3p server
[0020.464] D> Transport interface is USB
[0020.468] I> USB configuration success
[0020.471] D> nv3p: Enable checksum verification
[0023.534] I> Erasing device 3: 0
[0023.535] I> QSPI: Erasing entire device
[0026.538] I> Writing device 3: 0.
[0026.702] D> Publishing device 00030000
[0026.703] D> DMA channel 1 is busy
[0026.703] D> GPT Signature check failed
[0026.703] D> Could not find GPT
[0026.704] W> Cannot find any partition table for 00030000
[0026.704] D> Failed to publish 00030000
[0026.704] E> NV3P_SERVER: Failed to initialize partition table from GPT.

It’s not really feeling like a hardware issue to me. Rather a logic issue. Why is it attempting to initialize the partition table from the on-disk GPT rather than the GPT uploaded into RAM?

hello jmattsson,

may I know how you fuse the device, could you please share the steps (in details) to burn SBKPKC.
btw, is this device fused with -p options to set production mode?

Hi Jerry,

Here’s the log from when I fused the device:

$ sudo ./nvafuse.sh 1-4

*** Boot Rom communication
/tmp/fuse/tegrarcm_v2 --instance 1-4 --chip 0x19 0 --rcm rcm_list_signed.xml
BR_CID: 0x880219116459e5871000000013048180
RCM version 0X190001
Boot Rom communication completed
*** Boot Rom communication succeeded.

*** Checking applet
/tmp/fuse/tegrarcm_v2 --instance 1-4 --isapplet
Applet version 01.00.0000
*** Checking applet succeeded.

*** Sending BCTs
/tmp/fuse/tegrarcm_v2 --instance 1-4 --download bct_bootrom br_bct_BR.bct --download bct_mb1 mb1_bct_MB1_sigheader.bct.encrypt --download bct_mem mem_rcm_sigheader.bct.encrypt
Applet version 01.00.0000
Sending bct_bootrom
[................................................] 100%
Sending bct_mb1
[................................................] 100%
Sending bct_mem
[................................................] 100%
*** Sending BCTs succeeded.

*** Sending bootloader and pre-requisite binaries
/tmp/fuse/tegrarcm_v2 --instance 1-4 --download blob blob.bin
Applet version 01.00.0000
Sending blob
[................................................] 100%
*** Sending bootloader and pre-requisite binaries succeeded.

*** Booting Recovery
/tmp/fuse/tegrarcm_v2 --instance 1-4 --boot recovery
Applet version 01.00.0000
*** Booting Recovery succeeded.

*** Checking applet
/tmp/fuse/tegrarcm_v2 --instance 1-4 --isapplet

*** Checking CPU bootloader
/tmp/fuse/tegradevflash_v2 --instance 1-4 --iscpubl
Bootloader version 01.00.0000
Bootloader version 01.00.0000
*** Checking CPU bootloader succeeded.

*** Fusing the device
/tmp/fuse/tegradevflash_v2 --instance 1-4 --oem burnfuses odmfuse_pkc.bin
Bootloader version 01.00.0000
Fusing burning successful
*** Fusing the device succeeded.

The odmfuse_pkc.xml matching the used odmfuse_pkc.bin was (keys redacted):

<genericfuse MagicId="0x45535546" version="1.0.0">
<fuse name="JtagDisable" size="4" value="0x1" />
<fuse name="SecureBootKey" size="16" value="REDACTED" />
<fuse name="Kek0" size="16" value="REDACTED" />
<fuse name="Kek1" size="16" value="REDACTED" />
<fuse name="Kek2" size="16" value="REDACTED" />
<fuse name="PublicKeyHash" size="32" value="0xREDACTED" />
<fuse name="BootSecurityInfo" size="4" value="0x6" />
<fuse name="SwReserved" size="4" value="0x28" />
<fuse name="SecurityMode" size="4" value="0x1" />
</genericfuse>
```

hello jmattsson,

could you please also share the fuse command, you may omitted those keys.

hello jmattsson,

let’s try not using flash.sh script to burn the device directly.
here’s an alternative ways to create the image blob, please refer to below command.
for example,
$ sudo BOARDID=3668 FAB=200 BOARDSKU=0001 BOARDREV=G.0 ./nvmassfusegen.sh -i 0x19 --auth SBKPKC -p -k private_pkc.pem -S sbk.key --KEK2 kek2 jetson-xavier-nx-devkit-emmc

the image blob should created/saved to your local host machine after the process complete.
please follow the instructions to flash the devices.
thanks

I’m sorry, I do not understand the request. The fuse command was nvafuse.sh 1-4. The odmfuse_pkc.xml lists the SBK/KEK0/KEK1/KEK2/PKC keys/hash. If I run tegraparser_v2 --fuse_info odmfuse_pkc.xml odmfuse_pkc.bin I can recreate the exact same odmfuse_pkc.bin as the one used to fuse this board.

For obvious reasons I do not wish to share the actual keys on a public forum.

It looks like the board decrypts and authenticates the payload fine, looking at this part of the log:

[0054.391] I> parsing oem signed section of bpmp-fw header done
[0054.398] I> bpmp-fw binary copied from blob
[0054.404] I> RSA PSS signature check: OK
[0054.404] I> oem authentication of bpmp-fw header done
[0054.409] I> bpmp-fw: Authentication init Done
[0054.413] I> parsing oem signed section of cpubl header done
[0054.419] I> cpubl binary copied from blob
[0054.426] I> bpmp-fw: Authentication Finalize Done
[0054.430] I> RSA PSS signature check: OK
[0054.431] I> oem authentication of cpubl header done
[0054.436] I> cpubl: Authentication init Done
[0054.440] I> parsing oem signed section of tos header done
[0054.446] I> tos binary copied from blob
[0054.449] I> Relocating BR-BCT
[0054.453] I> cpubl: Authentication Finalize Done
[0054.459] I> RSA PSS signature check: OK
[0054.460] I> oem authentication of tos header done
[0054.465] I> tos: Authentication init Done
[0054.469] I> parsing oem signed section of bpmp-fw-dtb header done
[0054.475] I> bpmp-fw-dtb binary copied from blob
[0054.481] I> tos: Authentication Finalize Done
[0054.488] I> RSA PSS signature check: OK
[0054.488] I> oem authentication of bpmp-fw-dtb header done
[0054.492] I> bpmp-fw-dtb: Authentication init Done
[0054.497] I> parsing oem signed section of cpubl-dtb header done
[0054.503] I> cpubl-dtb binary copied from blob
[0054.509] I> bpmp-fw-dtb: Authentication Finalize Done
[0054.608] I> RSA PSS signature check: OK
[0054.608] I> oem authentication of cpubl-dtb header done
[0054.609] I> cpubl-dtb: Authentication init Done
[0054.610] I> parsing oem signed section of eks header done
[0054.610] I> eks binary copied from blob
[0054.612] I> cpubl-dtb: Authentication Finalize Done
[0054.616] I> RSA PSS signature check: OK

If I use the wrong encryption key or PKC key, everything fails much earlier.

my meant the detail commands of odmfuse.sh for Burning PKC [DK(KEK), SBK] Fuses

We did not use odmfuse.sh directly, we used nvmassfusegen.sh:

sudo env BOARDID=3668 BOARDSKU=0001 BOARDREV=N/A FAB=100 FUSELEVEL=fuselevel_production ./nvmassfusegen.sh -i 0x19 --auth NS --disable-jtag -r 0x28 -k keys/pkc-sign-key.pem -S keys/sbk.key --KEK0 keys/kek0.key --KEK1 keys/kek1.key --KEK2 keys/kek2.key -p jetson-xavier-nx-devkit-emmc

and then transferred the resulting package to the programming host, and ran sudo ./nvafuse.sh 1-4 there.

The fuse burning reported success.

However, after burning the fuses, flashing the board now always fails with NV3P_SERVER: Failed to initialize partition table from GPT.

Hi Jerry,

Today I have tried fusing and flashing a second Xavier NX module, and I get the exact same error. This module was taken fresh out of its packaging. I also started with a clean Linux_for_Tegra setup.

Here are the steps to reproduce:

$ tar xf jetson_linux_r32.6.1_aarch64.tbz2
$ tar xf secureboot_r32.6.1_aarch64.tbz2
$ tar -C Linux_for_Tegra/rootfs/ -xf tegra_linux_sample-root-filesystem_r32.6.1_aarch64.tbz2
$ cd Linux_for_Tegra
$ # unpack our keys into keys/ directory
$ mkdir rootfs/boot/extlinux
$ cp bootloader/extlinux.conf rootfs/boot/extlinux/
$ sudo ./flash.sh jetson-xavier-nx-devkit-emmc mmcblk0p1
$ sudo env BOARDID=3668 BOARDSKU=0001 BOARDREV=N/A FAB=100 FUSELEVEL=fuselevel_production ./nvmassfusegen.sh -i 0x19 --auth NS --disable-jtag -r 0x28 -k keys/pkc-sign-key.pem -S keys/sbk.1x128.key --KEK0 keys/kek0.1x128.key --KEK1 keys/kek1.1x128.key --KEK2 keys/kek2.1x128.key -p jetson-xavier-nx-devkit-emmc
$ tar xf mfuse_jetson-xavier-nx-devkit-emmc.tbz2
$ cd mfuse_jetson-xavier-nx-devkit-emmc/
$ sudo ./nvmfuse.sh
$ cd ..
$ sudo ./flash.sh -u keys/pkc-sign-key.pem -v keys/sbk.1x128.key -s keys/pkc-sign-key.pem -y SBKPKC jetson-xavier-nx-devkit-emmc mmcblk0p1

failed with:

[   9.5563 ]
[   9.5581 ] tegradevflash_v2 --pt secureflash.xml.bin --create
[   9.5589 ] Bootloader version 01.00.0000
[   9.8514 ] Erasing spi: 0 ......... [Failed]
[  18.0235 ]

debug log shows:

[0071.049] I> Boot-device: eMMC
[0071.052] I> Boot_device: SDMMC_BOOT instance: 3
[0071.475] I> sdmmc DDR50 mode
[0071.486] I> sdmmc-3 params source = safe params
[0071.487] I> QSPI source rate = 19200 Khz
[0071.487] I> Requested rate for QSPI clock = 19000 Khz
[0071.487] I> BPMP-set rate for QSPI clk = 19200 Khz
[0071.488] I> QSPI Flash Size = 32 MB
[0071.491] E> CR3V cmd failed, (err:0x0)
[0071.493] I> Qspi initialized successfully
[0071.493] I> qspi flash-0 params source = safe params
[0071.495] I> sdmmc bdev is already initialized
[0071.499] I> sdmmc-3 params source = safe params
[0071.520] W> Cannot find any partition table for 00000003
[0071.532] I> Found 11 partitions in SDMMC_USER (instance 3)
[0071.534] W> Cannot find any partition table for 00030000
[0071.534] I> Recovery boot_type: 0
[0071.534] I> Entering 3p server
[0071.534] I> USB configuration success
[0073.440] I> Populate storage info
[0073.741] I> Erasing device 3: 0
[0073.741] I> QSPI: Erasing entire device

Retrying same command again:

$ sudo ./flash.sh -u keys/pkc-sign-key.pem -v keys/sbk.1x128.key -s keys/pkc-sign-key.pem -y SBKPKC jetson-xavier-nx-devkit-emmc mmcblk0p1

Failed with:

[   9.4571 ] tegradevflash_v2 --pt secureflash.xml.bin --create
[   9.4579 ] Bootloader version 01.00.0000
[   9.7503 ] Erasing spi: 0 ......... [Done]
[  12.7527 ] Writing partition secondary_gpt with gpt_secondary_3_0.bin
[  12.7531 ] [................................................] 100%
[  12.7546 ] 000000000d0d0001: o initialize partition table from GPT.
[  12.9306 ]
[  12.9306 ]

Debug log shows:

[0074.855] I> Boot-device: eMMC
[0074.856] I> Boot_device: SDMMC_BOOT instance: 3
[0075.277] I> sdmmc DDR50 mode
[0075.288] I> sdmmc-3 params source = safe params
[0075.288] I> QSPI source rate = 19200 Khz
[0075.289] I> Requested rate for QSPI clock = 19000 Khz
[0075.289] I> BPMP-set rate for QSPI clk = 19200 Khz
[0075.290] I> QSPI Flash Size = 32 MB
[0075.292] E> CR3V cmd failed, (err:0x0)
[0075.295] E> CR3V: Blank Check enable failed, (err:0x0)
[0075.295] I> Qspi initialized successfully
[0075.297] I> qspi flash-0 params source = safe params
[0075.302] I> sdmmc bdev is already initialized
[0075.306] I> sdmmc-3 params source = safe params
[0075.326] W> Cannot find any partition table for 00000003
[0075.339] I> Found 11 partitions in SDMMC_USER (instance 3)
[0075.340] W> Cannot find any partition table for 00030000
[0075.341] I> Recovery boot_type: 0
[0075.341] I> Entering 3p server
[0075.341] I> USB configuration success
[0077.249] I> Populate storage info
[0077.548] I> Erasing device 3: 0
[0077.549] I> QSPI: Erasing entire device
[0080.551] I> Writing device 3: 0.
[0080.727] W> Cannot find any partition table for 00030000
[0080.728] E> NV3P_SERVER: Failed to initialize partition table from GPT.

I would be willing to share the specific keys used if necessary for NVIDIA to successfully reproduce this issue and help me resolve this problem.

Thanks in advance.
/Johny

hello jmattsson,

we have Xavier-NX eMMC which fused with SBKPKC, it’s able to flash JetPack-4.6 and boot-up successfully.
may I know are you using a Xavier NX DevKit? or, you’re having only NX module with a customize carrier board?

I’m using a regular P3450 carrier board, from the Jetson Nano devkit.

hello jmattsson,

we’ve confirmed fuse burning works with Xavier NX DevKits.
there’re some limitation for using Nano’s carrier board,
please check this topic as see-also.

Hi Jerry,

We do have a heatsink on the module, and everything has been working reliably until we enabled SBKPKC this week. I still have no explanation of what is causing the NV3P_SERVER: Failed to initialize partition table from GPT. error. Could you please investigate that part? Or provide the relevant source code so that I may do so myself?

Many thanks.

this is failure with QSPI while erasing entire device.
could you please have a try to flash only QSPI with this configuration file,
i.e. $OUT/Linux_for_Tegra/bootloader/t186ref/cfg/flash_l4t_t194_qspi_p3668.xml
for example, $ sudo ./flash.sh ... jetson-xavier-nx-devkit-qspi mmcblk0p1

I’m afraid that made no difference:

sudo ./flash.sh -u keys/pkc-sign-key.pem -v keys/sbk.1x128.key -s keys/pkc-sign-key.pem -y SBKPKC jetson-xavier-nx-devkit-qspi mmcblk0p1
...
[   9.4937 ] Flashing the device
[   9.4959 ] tegraparser_v2 --storageinfo storage_info.bin --generategpt --pt secureflash.xml.bin
[   9.4970 ] 
[   9.4989 ] tegradevflash_v2 --pt secureflash.xml.bin --create
[   9.4997 ] Bootloader version 01.00.0000
[   9.7946 ] Erasing spi: 0 ......... [Done]
[  12.7975 ] Writing partition secondary_gpt with gpt_secondary_3_0.bin
[  12.7980 ] [................................................] 100%
[  12.7993 ] 000000000d0d0001: o initialize partition table from GPT.
[  12.8976 ] 
[  12.8976 ] 
Error: Return value 1
Command tegradevflash_v2 --pt secureflash.xml.bin --create

On the debug console I get

entering main console loop
] ��[0022.492] I> tegrabl_gpio_driver_register: register 'nvidia,tegra194-gpio'r
[0022.647] I> tegrabl_gpio_driver_register: register 'nvidia,tegra194-gpio-aon'r
[0022.651] I> tegrabl_tca9539_init: i2c bus: 1, slave addr: 0x46
[0022.661] W> fetch_driver_phandle_from_dt: failed to get node with compatible 9
[0022.668] W> fetch_driver_phandle_from_dt: failed to get node with compatible 9
[0022.673] W> tegrabl_tca9539_init: failed to fetch phandle from dt
[0022.679] I> tegrabl_tca9539_init: i2c bus: 1, slave addr: 0x44
[0022.688] W> fetch_driver_phandle_from_dt: failed to get node with compatible 9
[0022.696] W> fetch_driver_phandle_from_dt: failed to get node with compatible 9
[0022.700] W> tegrabl_tca9539_init: failed to fetch phandle from dt
[0022.709] I> fixed regulator driver initialized
[0022.720] I> CPU: Nvidia Carmel
[0022.721] I> CPU: MIDR: 0x4e0f0040, MPIDR: 0x80000000
[0022.721] I> chip revision : A02P
[0022.722] I> Boot-device: eMMC
[0022.725] I> Boot_device: SDMMC_BOOT instance: 3
[0023.149] I> sdmmc DDR50 mode
[0023.159] I> sdmmc-3 params source = safe params
[0023.160] I> QSPI source rate = 19200 Khz
[0023.160] I> Requested rate for QSPI clock = 19000 Khz
[0023.161] I> BPMP-set rate for QSPI clk = 19200 Khz
[0023.161] I> QSPI Flash Size = 32 MB
[0023.164] E> CR3V cmd failed, (err:0x0)
[0023.167] I> Qspi initialized successfully
[0023.167] I> qspi flash-0 params source = safe params
[0023.184] W> Cannot find any partition table for 00000003
[0023.197] I> Found 11 partitions in SDMMC_USER (instance 3)
[0023.198] W> Cannot find any partition table for 00030000
[0023.199] I> Recovery boot_type: 0
[0023.199] I> Entering 3p server
[0023.199] I> USB configuration success
[0025.141] I> Populate storage info
[0025.445] I> Erasing device 3: 0
[0025.445] I> QSPI: Erasing entire device
[0028.448] I> Writing device 3: 0.
[0028.546] W> Cannot find any partition table for 00030000
[0028.546] E> NV3P_SERVER: Failed to initialize partition table from GPT.

I’m really grasping at straws here, but

1. Could it somehow be related to the SwReserved flags (-r) used? Is the watchdog flag interfering perhaps?
2. Could it somehow be related to the use of a 3072bit PKC key?
3. Could it somehow be related to loading KEK0 & KEK1 into the fuses?
4. Could it somehow be related to fusing too many things in a single go? Did it somehow damage the QSPI with a rogue current somewhere?
5. Would you be able to share a Known Good set of commands to fuse a Xavier NX eMMC board, including key generation? I could take one more board and do those exact steps and see whether I get a different outcome (but I am running low on available boards; we did not budget on losing that many to the process).