How to disable DTB encryption of L4T 28.2

Signing DTBs with encryption in L4T 28.2 brought a lot of inconvenience to developers, is there a way to disable DTB signing in L4T 28.2?
Thanks in advance for suggestions.

hello yahoo2016,

sorry, we’re not suggest to disable DTB encryption.
may I know what’s the side-effect after DTB signing?

There are several posts about encrypted DTB on L4T 28.2. Developers would like to be able to update DTB on TX2 without using micro USB cable and Ubuntu host.

We build kernel and DTB on TX2, using “dd” to flash DTB on R28.1 and reboot to make new DTB take effect.

It’s much slower building new DTB on host, copy it to “kernel/dtb” folder, put TX2 in recovery mode, and run “” on host.

How difficult would it be to disable DTB encryption?


hello yahoo2016,

we share the steps to update the DTB files without using micro USB cable and Ubuntu host.
please refer to

Those steps still need a Ubuntu host with Intel CPU to run NV binaries and copy the encrypted DTB from Intel host to TX2.
Can source code for NV binaries needed by “” be released?
Or, can Nvidia build and provide those binaries for TX2?

The command line tools do not require an Ubuntu host (this is purely a JetPack requirement)…any 64-bit x86 host will work if it is running Linux. However, for the signing part, I too am interested in what tools might be calling indirectly.

Binary file tegrasign_v2 was used multiple times by

It appears signing process is done before u-boot. Tegraboot for R28.2 is changed for DTB signing.

Since Tegraboot is provide by Nvidia as binary, developers can’t “custimized” it for signing. I did not see signing option in BCT configuration.

Some documentation hinted that the signing itself is not proprietary. I was hoping perhaps someone from NVIDIA might suggest details of how to emulate the signing via tools such as PGP or OpenSSH tools. Example: What digest the fingerprint is, and requirements of the key.

Hello. I’m also interested in flashing the DTB files with the dd command like it can be done with R28.1. Are there any updates?

hello Werner1,

again, we do NOT support disable DTB encryption.
here are brief steps for your to update the DTB files without flashing the Jetson-TX2 device.

  1. build the DTB
  2. replace new DTB files with $OUT/bootloader/tegra186.dtb
  3. generate signed files with
    for example,
sudo ./ --bl nvtboot_recovery_cpu.bin  --chip 0x18 --applet mb1_recovery_dev.bin  --cfg flash.xml  --sdram_config P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg --sdram_config P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg --misc_config tegra186-mb1-bct-misc-si-l4t.cfg --pinmux_config tegra186-mb1-bct-pinmux-quill-p3310-1000-a00.cfg --pmic_config tegra186-mb1-bct-pmic-quill-p3310-1000-a00.cfg --pmc_config tegra186-mb1-bct-pad-quill-p3310-1000-a00.cfg --prod_config tegra186-mb1-bct-prod-quill-p3310-1000-a00.cfg --scr_config minimal_scr.cfg --scr_cold_boot_config mobile_scr.cfg --br_cmd_config tegra186-mb1-bct-bootrom-quill-p3310-1000-a00.cfg --dev_params emmc.cfg  --cfg  flash.xml --bins "mb2_bootloader nvtboot_recovery.bin; mts_preboot preboot_d15_dev_cr.bin; mts_bootpack mce_mts_d15_dev_cr.bin; bpmp_fw bpmp.bin; bpmp_fw_dtb tegra186-a02-bpmp-quill-p3310-1000-a00-00-te770d-ucm2.dtb; tlk tos.img; eks eks.img; bootloader_dtb tegra186-quill-p3310-1000-a00-00-base.dtb"  --cmd "sign"
  1. copy the signed DTB to target device.
  2. list the block IDs with below commands, please check the partition ID for kernel-dtb
$ ls -al /dev/disk/by-partlabel
  1. replace the kernel-dtb partition (/dev/mmcblk0p26) with dd command for TX2.
    for example,
$ sudo dd if=tegra186-quill-p3310-1000-c03-00-base_sigheader.dtb.encrypt of=/dev/mmcblk0p26 bs=1M

you may also refer to Topic 1042852, Topic 1020708, Topic 1021660 for more details.

Hi, can you give me a hint how the arguments for should look like only to encrypt a DTB?

hello Werner1,

DTB is encrypted before flashing into the board, you should execute below commands at the first time, and rollback the flashing console messages, you may found the encrypt commands.

$ sudo ./ -r -k kernel-dtb jetson-tx2 mmcblk0p1

I’ve also update my previous comments (#10) for you checking.

Thanks. This works for me now. I found the flash messages in ./Linux_for_Tegra/bootloader/flashcmd.txt