How to burn ODM fuse bits?

Hi,
Do you use Nano production module? We have tried the command and it works well.

TakenoriSato,

"ODM_RESERVED and ODM_LOCK fuses are still writable until the ODM_LOCK bit is burned"
=> The Fuse Spec document states this more clearly, so you can refer to that. ODM_RESERVED fuses are reserved for SW usage, so they can still be programmed after the ODM_PRODUCTION_MODE fuse bit is burned. However, the first four 32-bit fuses, i.e.
FUSE_RESERVED_ODM0[31:0]
FUSE_RESERVED_ODM1[31:0]
FUSE_RESERVED_ODM2[31:0]
FUSE_RESERVED_ODM3[31:0]
can each be locked by the following bits, respectively:
FUSE_ODM_LOCK[0]
FUSE_ODM_LOCK[1]
FUSE_ODM_LOCK[2]
FUSE_ODM_LOCK[3]
This means that when you program FUSE_ODM_LOCK[2] to ‘1’, FUSE_RESERVED_ODM2[31:0] can no longer be written.

Yes. Can you show exactly which command you use, and with which tool?

Thanks for the information. So, I will avoid using 1 as a test value.

When you say FUSE_RESERVED_ODMn, how is n counted? For example, in my example, I have tried to set 1 as “0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000001 0x00000000”, in which case n = 1 or n = 6?

But anyway, I have never succeeded in writing an ODM fuse as above.

From Developer Guide doc about oemfuse,
https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide%2Fbootloader_secure_boot.html%23wwpID0E0XF0HA

-o
Sets odm_reserved to the specified value. The value must be a quoted series of eight 32-bit HEX numbers such as:
“0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0x00000000”
The last 32-bit HEX number must be 0x00000000 because these fuses are reserved for NVIDIA use.

The answer to your question should be ‘1’ on FUSE_RESERVED_ODM6.

"I have never succeeded to write a ODM fuse as above.
=> Share your oemfuse?
=> How do you verify it failed the write?

Thanks. That’s exactly the same as my first post of this thread.

Good to hear that 1 is not on the FUSE_RESERVED_ODM1.

Here’s the result. I can not verify. But the odmfuse.sh command has never succeeded.

$ sudo ./tegrafuse.sh 
arm_jtag_disable : 0x00000000
odm_lock : 0x00000000
odm_production_mode : 0x00000001
pkc_disable : 0x00000001
sec_boot_dev_cfg : 0x00000000
sec_boot_dev_sel : 0x00000000

Hi,
#2 is what we have verified working on the Nano production module. It is not expected that you hit an error when running the same command. Did you change emi_pkc.pem by accident? The error now is

[   1.7118 ] Failed to burn fuses as per fuse info blob, Error:1179996997
[   1.7331 ] 0100cdaa: Failed to process oem command

-o 0x0000000000000000000000000000000000000000000000000000000100000000 is the correct format.

Thanks for looking at this.

The hash from the first command is the same as the one from the second; the two hash values are identical, as shown below.

First

$ sudo ./odmfuse.sh -i 0x21 -c PKC -k ../emi_pkc.pem -o "0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000001 0x00000000"
[sudo] password for tsato: 
*** Calculating HASH from keyfile /home/tsato/Desktop/l4timages/Nano/L4T32.3.1/emi_pkc.pem ... done
PKC HASH: 0x78e352f7bb4cc4f0ea430b73947efe33a4e86650f935257d4fdce560e0e9ba0b

Second

$ sudo ./odmfuse.sh -i 0x21 -c PKC -k ../emi_pkc.pem -o 0x0000000000000000000000000000000000000000000000000000000100000000
*** Calculating HASH from keyfile /home/tsato/Desktop/l4timages/Nano/L4T32.3.1/emi_pkc.pem ... done
PKC HASH: 0x78e352f7bb4cc4f0ea430b73947efe33a4e86650f935257d4fdce560e0e9ba0b

There could be a chance that I have chosen a broken board.

So, I am going to try 2 more production boards for comparisons.

It turned out that this issue is only for this particular box named Product A as below.

Product A

$ sudo ./odmfuse.sh -i 0x21 -c PKC -k ../emi_pkc.pem -o 0x0000000000000000000000000000000000000000000000000000000100000000
[sudo] password for tsato: 
*** Calculating HASH from keyfile /home/tsato/Desktop/l4timages/Nano/L4T32.3.1/emi_pkc.pem ... done
PKC HASH: 0x78e352f7bb4cc4f0ea430b73947efe33a4e86650f935257d4fdce560e0e9ba0b
*** Generating fuse configuration ... done.
done.
*** Start fusing  ... 
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml;"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0056 ] Parsing fuse info as per xml file
[   0.0270 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[   0.0308 ] 
[   0.0308 ] Generating RCM messages
[   0.0442 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[   0.0461 ] RCM 0 is saved as rcm_0.rcm
[   0.0540 ] RCM 1 is saved as rcm_1.rcm
[   0.0540 ] List of rcm files are saved in rcm_list.xml
[   0.0540 ] 
[   0.0541 ] Signing RCM messages
[   0.0721 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0739 ] Assuming zero filled SBK key
[   0.0973 ] 
[   0.0973 ] Copying signature to RCM mesages
[   0.0993 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml
[   0.1010 ] 
[   0.1011 ] Boot Rom communication
[   0.1030 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml
[   0.1048 ] BR_CID: 0x421010016445b5071000000018058200
[   0.2646 ] RCM version 0X210001
[   0.4445 ] Boot Rom communication completed
[   1.4515 ] 
[   1.4516 ] Blowing fuses
[   1.4536 ] tegrarcm --oem blowfuses blow_fuse_data.bin
[   1.4555 ] Applet version 00.01.0000
[   1.7938 ] Failed to burn fuses as per fuse info blob, Error:1179996997
[   1.8153 ] 0100cdaa: Failed to process oem command
[   1.8153 ] 
Error: Return value 170
Command tegrarcm --oem blowfuses blow_fuse_data.bin
failed.

Product B

$ sudo ./odmfuse.sh -i 0x21 -c PKC -k ../emi_pkc.pem -o 0x0000000000000000000000000000000000000000000000000000000100000000
*** Calculating HASH from keyfile /home/tsato/Desktop/l4timages/Nano/L4T32.3.1/emi_pkc.pem ... done
PKC HASH: 0x78e352f7bb4cc4f0ea430b73947efe33a4e86650f935257d4fdce560e0e9ba0b
*** Generating fuse configuration ... done.
done.
*** Start fusing  ... 
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml;"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0036 ] Parsing fuse info as per xml file
[   0.0053 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[   0.0075 ] 
[   0.0075 ] Generating RCM messages
[   0.0091 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[   0.0108 ] RCM 0 is saved as rcm_0.rcm
[   0.0119 ] RCM 1 is saved as rcm_1.rcm
[   0.0119 ] List of rcm files are saved in rcm_list.xml
[   0.0119 ] 
[   0.0119 ] Signing RCM messages
[   0.0136 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0152 ] Assuming zero filled SBK key
[   0.0255 ] 
[   0.0256 ] Copying signature to RCM mesages
[   0.0274 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml
[   0.0301 ] 
[   0.0302 ] Boot Rom communication
[   0.0319 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml
[   0.0331 ] BR_CID: 0x32101001644612850c0000000d060140
[   0.1915 ] RCM version 0X210001
[   0.3673 ] Boot Rom communication completed
[   1.3743 ] 
[   1.3744 ] Blowing fuses
[   1.3764 ] tegrarcm --oem blowfuses blow_fuse_data.bin
[   1.3784 ] Applet version 00.01.0000
[   1.7126 ] Successfully burnt fuses as per fuse info blob
[   1.7284 ] 
*** The fuse configuration is saved in bootloader/odmfuse_pkc.xml
*** The ODM fuse has been secured with PKC keys.
*** Flash "signed BCT and bootloader(s)".
*** done.

Product C

$ sudo ./odmfuse.sh -i 0x21 -c PKC -k ../emi_pkc.pem -o 0x0000000000000000000000000000000000000000000000000000000100000000
*** Calculating HASH from keyfile /home/tsato/Desktop/l4timages/Nano/L4T32.3.1/emi_pkc.pem ... done
PKC HASH: 0x78e352f7bb4cc4f0ea430b73947efe33a4e86650f935257d4fdce560e0e9ba0b
*** Generating fuse configuration ... done.
done.
*** Start fusing  ... 
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml;"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0036 ] Parsing fuse info as per xml file
[   0.0054 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[   0.0076 ] 
[   0.0076 ] Generating RCM messages
[   0.0092 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[   0.0109 ] RCM 0 is saved as rcm_0.rcm
[   0.0118 ] RCM 1 is saved as rcm_1.rcm
[   0.0121 ] List of rcm files are saved in rcm_list.xml
[   0.0121 ] 
[   0.0121 ] Signing RCM messages
[   0.0138 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0155 ] Assuming zero filled SBK key
[   0.0276 ] 
[   0.0277 ] Copying signature to RCM mesages
[   0.0295 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml
[   0.0323 ] 
[   0.0324 ] Boot Rom communication
[   0.0342 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml
[   0.0361 ] BR_CID: 0x321010016445b5071000000002010480
[   0.1994 ] RCM version 0X210001
[   0.3752 ] Boot Rom communication completed
[   1.3822 ] 
[   1.3823 ] Blowing fuses
[   1.3843 ] tegrarcm --oem blowfuses blow_fuse_data.bin
[   1.3862 ] Applet version 00.01.0000
[   1.7204 ] Successfully burnt fuses as per fuse info blob
[   1.7363 ] 
*** The fuse configuration is saved in bootloader/odmfuse_pkc.xml
*** The ODM fuse has been secured with PKC keys.
*** Flash "signed BCT and bootloader(s)".
*** done.

Do you think the Product A has a problem if the result of tegrafuse.sh would have proved that nothing was burned yet?

Before closing this issue, please tell me one more thing. How do I read back the odmreserved value on a device?

Hi TakenoriSato,

Please read odm reserved value from:

# cat /sys/devices/7000f800.efuse/7000f800.efuse:efuse-burn/reserved_odmX

X for 0~7 (reserved_odm0 ~ reserved_odm7).

Thanks, it did work!

For clarification, let me share the command and the result here.

Command

$ sudo ./odmfuse.sh -i 0x21 -c PKC -k ../emi_pkc.pem -o 0xabcd001200000000000000000000000000000000000000000000000100000000

Result

$ sudo cat /sys/devices/7000f800.efuse/7000f800.efuse\:efuse-burn/reserved_odm0
0x00000000
$ sudo cat /sys/devices/7000f800.efuse/7000f800.efuse\:efuse-burn/reserved_odm1
0x00000001
$ sudo cat /sys/devices/7000f800.efuse/7000f800.efuse\:efuse-burn/reserved_odm2
0x00000000
$ sudo cat /sys/devices/7000f800.efuse/7000f800.efuse\:efuse-burn/reserved_odm3
0x00000000
$ sudo cat /sys/devices/7000f800.efuse/7000f800.efuse\:efuse-burn/reserved_odm4
0x00000000
$ sudo cat /sys/devices/7000f800.efuse/7000f800.efuse\:efuse-burn/reserved_odm5
0x00000000
$ sudo cat /sys/devices/7000f800.efuse/7000f800.efuse\:efuse-burn/reserved_odm6
0x00000000
$ sudo cat /sys/devices/7000f800.efuse/7000f800.efuse\:efuse-burn/reserved_odm7
0xabcd0012
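
The read-back check above, as an added example that is not part of the original posts: a POSIX shell helper that turns an odmfuse.sh -o value into the expected reserved_odm0..7 values and compares them with the sysfs nodes. The word order (leftmost word lands in reserved_odm7) is an assumption taken from the single Nano readback shown above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): compare an odmfuse.sh -o value with the
# reserved_odmN sysfs readback. Function names are hypothetical.

# sysfs directory quoted in the thread (Jetson Nano).
EFUSE_DIR='/sys/devices/7000f800.efuse/7000f800.efuse:efuse-burn'

# Accept either -o form used in the thread (eight quoted 0x words, or one
# 256-bit hex string) and print it as 64 lowercase hex digits.
normalize_odm_arg() {
    s=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed -e 's/0x//g' -e 's/[[:space:]]//g')
    case "$s" in
        ''|*[!0-9a-f]*) echo "not a hex value" >&2; return 1 ;;
    esac
    [ "${#s}" -eq 64 ] || { echo "need 64 hex digits, got ${#s}" >&2; return 1; }
    printf '%s\n' "$s"
}

# Print the value expected in reserved_odmN ($2) for a normalized value ($1).
# Assumption taken from the readback above: the leftmost word lands in
# reserved_odm7 and the rightmost word in reserved_odm0.
expected_odm_word() {
    start=$(( (7 - $2) * 8 + 1 ))
    printf '0x%s\n' "$(printf '%s' "$1" | cut -c "${start}-$(( start + 7 ))")"
}

# Compare all eight registers; $2 overrides the sysfs directory (for testing).
# Returns 0 if all match, 1 on a mismatch or unreadable node, 2 on bad input.
verify_odm_reserved() {
    hex=$(normalize_odm_arg "$1") || return 2
    dir=${2:-$EFUSE_DIR}
    rc=0
    for n in 0 1 2 3 4 5 6 7; do
        want=$(expected_odm_word "$hex" "$n")
        if ! got=$(cat "$dir/reserved_odm$n" 2>/dev/null); then
            echo "reserved_odm$n: unreadable (run as root on the target?)"
            rc=1
            continue
        fi
        got=$(printf '%s' "$got" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')
        if [ "$got" = "$want" ]; then
            echo "reserved_odm$n: $got OK"
        else
            echo "reserved_odm$n: $got MISMATCH (expected $want)"
            rc=1
        fi
    done
    return "$rc"
}

# When called with arguments, run the check: <-o value> [sysfs directory]
if [ "$#" -gt 0 ]; then verify_odm_reserved "$@"; fi
```

Run it as root on the target with the same value that was passed to -o; a non-zero exit status means at least one register differs from what was requested.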

Hi,

I think there is a bug in the odmfuse.sh script, which I have already fixed.

I added a second patch for the tegrafuse.sh script to display more Tegra fuses.

I used the secure boot package that you can download from here.

Please take a look at the NVIDIA documentation here; we should be able to burn all odm_reserved fuses (a series of eight 32-bit HEX numbers) by using the -o option.

I highly recommend to burn odm_reserved fuses by using NS (no security) option to be sure that everything is well done with that, and after you can burn fuses by using the PKC and SBK keys.

Please follow the steps below:

  • Applying the patch
$ cd path/to/Linux_for_Tegra
$ patch -p0 < 0001_fix_burn_odm_reserved_fuses.patch.log
$ cd pkc
$ patch -p0 < 0002-diplay-tegra-fuses-via-tegrafuse-script.patch.log 
  • Generate the fuseblob
# BOARDID=3310 FAB=C04 ./odmfuse.sh --noburn -j -i 0x18 -c NS -o "0x00000011 0x00000111 0x00000010 0x00000001 0x00000010 0x00000001 0x00000010 0x00000001" jetson-tx2
Board ID(3310) version(C04) sku() revision()

...

*** Generating fuse configuration ... done.
*** Start preparing fuse configuration ... 
*** done.
#
  • Burn the odm_reserved fuses

Please decompress the fuseblob tar file.

$ mkdir /tmp/fuses_tests
$ tar xf fuseblob.tbz2 -C /tmp/fuses_tests
$ cd /tmp/fuses_tests/bootloader
# ./fusecmd.sh 

Attached log files are:

  • Serial uart (recovery mode).
  • odm_reserved initial and final values.
  • Burn odm_reserved fuses.
  • Patches.

Please let me know if you need any help.

Note: This patch is tested with Nvidia Jetson TX2.

0001_fix_burn_odm_reserved_fuses.patch.log (2.0 KB) 0002-diplay-tegra-fuses-via-tegrafuse-script.patch.log (666 Bytes) burn_odm_reserved_fuse_with_no_security_fuseblob_cmd.log (15.5 KB) burn_odm_reserved_fuse_with_no_security_serial_uart.log (7.2 KB) initial_final_values_odm-reserved_fuses.log (1.4 KB)

So, can I move this post to How to burn ODM fuse bits (TX2)??

This post has been already closed. And I have confirmed ODM fuses can be retrieved after burning. If this is somehow applied to Nano as well, then, I will make a new post to update this post.

Yes please.

Thank you

I finally started working on this.

According to the confirmation in "The wrong boot authentication identification", NS is 0x1 and is the default value. So burning fuses should be done by a single command with -p. So, such a recommendation becomes quite misleading. So, please clarify again for both Nano and TX2.

Hi @TakenoriSato

Sorry for that, I was trying to say to use the odmfuse.sh script with option -c as follows:

# BOARDID=3310 FAB=C04 ./odmfuse.sh -j -i 0x18 -c NS -o "0x00000011 0x00000111 0x00000010 0x00000001 0x00000010 0x00000001 0x00000010 0x00000001" jetson-tx2

This command is used for Jetson TX2.
Note: NS means No Crypto.

Here is the documentation of odmfuse.sh script:

  ./odmfuse.sh -c <CryptoType> -i <TegraID> -k <KeyFile> [options] TargetBoard

  Where options are,
    -c <CryptoType> ------ NS -- No Crypto, PKC - Public Key Crypto.
    -d <0xXXXX> ---------- sets sec_boot_dev_cfg=0xXXXX&0x3fff.
    -i <TegraID> --------- tegra ID: 0x40-TK1, 0x21-TX1, 0x18-TX2, 0x19-Xavier
    -j ------------------- Keep jtag enabled.
    -k <KeyFile> --------- 2048 bit RSA private KEY file. (.pem file)
    -l <0xX> ------------- sets odm_lock=0xX.
    -o <8-0xXXXXXXXX> ---- sets odm_reserved=<8-0xXXXXXXXX>
                           8 32bit values MUST be quoted.
    -p ------------------- sets production mode.
    -r <0xXX> ------------ sets sw_reserved=0xXX.
    -S <SBK file> -------- 128bit Secure Boot Key file in HEX format.
    --noburn ------------- Prepare fuse blob without actual burning.
    --KEK0 <Key file> ---- 128bit Key Encryption Key file in HEX format.
    --KEK1 <Key file> ---- 128bit Key Encryption Key file in HEX format.
    --KEK2 <Key file> ---- 128bit Key Encryption Key file in HEX format.
    --KEK256 <Key file> -- 256bit Key Encryption Key file in HEX format.

The -p option is used to enable production mode; please make sure the KEK2 fuse is burned before you burn the odm_production_mode fuse, as described here.

Please let me know if you need any help

Best regards,
Ilies

Yes, I understand. The point of the discussion is that NS is the default value, which is 0x1, although it is described as 0x0 in the document. So this means that it can not be changed once you burn the fuse. Is that correct and can it be applied to TX2? We have already confirmed it is true on Nano.

I have tried the procedures as explained anyway, but fusecmd.sh does not work as below.

$ lsusb | grep -i nvidia
Bus 003 Device 012: ID 0955:7c18 NVidia Corp. 
$ ./fusecmd.sh 
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0109 ] Burning fuses
[   0.0110 ] Generating RCM messages
[   0.0128 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 0 --download rcm mb1_recovery_prod.bin 0 0
[   0.0146 ] RCM 0 is saved as rcm_0.rcm
[   0.0153 ] RCM 1 is saved as rcm_1.rcm
[   0.0154 ] List of rcm files are saved in rcm_list.xml
[   0.0154 ] 
[   0.0154 ] Signing RCM messages
[   0.0171 ] tegrasign_v2 --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0188 ] Assuming zero filled SBK key
[   0.0276 ] 
[   0.0276 ] Copying signature to RCM mesages
[   0.0295 ] tegrarcm_v2 --chip 0x18 0 --updatesig rcm_list_signed.xml
[   0.0322 ] 
[   0.0322 ] Boot Rom communication
[   0.0340 ] tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml
[   0.0357 ] BootRom is not running
[   0.0363 ] 
[   1.0396 ] tegrarcm_v2 --isapplet
[   1.0415 ] USB communication failed.Check if device is in recovery
[   1.0418 ] 
[   1.0439 ] tegradevflash_v2 --iscpubl
[   1.0459 ] Cannot Open USB
[   1.0462 ] 
[   2.0494 ] tegrarcm_v2 --isapplet
[   2.0514 ] USB communication failed.Check if device is in recovery
[   2.0517 ] 
[   2.0538 ] tegradevflash_v2 --iscpubl
[   2.0558 ] Cannot Open USB
[   2.0561 ] 
[   3.0593 ] tegrarcm_v2 --isapplet
[   3.0613 ] USB communication failed.Check if device is in recovery
[   3.0616 ] 
[   3.0636 ] tegradevflash_v2 --iscpubl
[   3.0656 ] Cannot Open USB
[   3.0659 ] 
^CTraceback (most recent call last):
  File "./tegraflash.py", line 1280, in <module>
    tegraflash_run_commands()
  File "./tegraflash.py", line 1149, in tegraflash_run_commands
    interpreter.onecmd(command)
  File "/usr/lib/python2.7/cmd.py", line 221, in onecmd
    return func(arg)
  File "./tegraflash.py", line 817, in do_burnfuses
    tegraflash_burnfuses(exports, args)
  File "/tmp/fuses_tests/bootloader/tegraflash_internal.py", line 1474, in tegraflash_burnfuses
    tegraflash_send_tboot(tegrarcm_values['--signed_list'])
  File "/tmp/fuses_tests/bootloader/tegraflash_internal.py", line 2187, in tegraflash_send_tboot
    tegraflash_poll_applet_bl()
  File "/tmp/fuses_tests/bootloader/tegraflash_internal.py", line 2289, in tegraflash_poll_applet_bl
    time.sleep(1)
KeyboardInterrupt

Hi @TakenoriSato
Is the log the result of programming fuses on Nano? If you program all fuses in one single step, it should work. We would like to keep this topic for Nano.

No, on TX2.

I agree. I will continue this topic in another post for TX2.