How to kick watchdog enabled by enable_watchdog fuse?

When enabling secure boot on our AGX Xavier, we also set bit 5 (0x20) in SwReserved to set “enable_watchdog” so that we would have a watchdog running out of boot. This fuse is documented in several locations including:

  1. Jetson AGX Xavier Series Fuse Programming Application Note
  2. README_secureboot.txt in Jetson Platform Fuse Burning and Secure Boot Documentation and Tools
  3. Mentioned by NVIDIA in another thread, showing how to set enable_watchdog with That thread also mentions that this should enable one of the two watchdogs mentioned here.

Unfortunately, neither the PMIC watchdog or the Tegra watchdog (CCPLEX watchdog) appear to be enabled after checking from Linux, and the board is now resetting every 15 seconds! Even worse, it appears that the recovery bootloader which is used to load the eMMC over USB (nvtboot_recovery_cpu_t194.bin) does not kick this watchdog either, so fails if the loading takes more than 15 seconds.

Can you please provide information on which watchdog is causing this reset, if there is any way of kicking it or stopping it, and if there is a version of nvtboot_recovery_cpu_t194.bin which is capable of kicking or stopping this watchdog? It seems bad that this was mentioned in documentation if it isn’t supported by software, and my board is currently unusable due to this issue. Thanks.

Edit: I see that the PMC reset reason is TEGRA_BPMP_WATCHDOG, which doesn’t appear to be documented anywhere. I see references to the WDT_BPMP in the public cboot sources, but accessing those WDT registers triggers a Security Violation from cboot and Linux…

The watchdog listed in developer guide is enabled by default and you don’t need to program enable_watchdog fuse.

Since proramming fuse is not reversible so we may not be able to recover the board back. Could you check if you can flash image by following the steps:
Unable to burn fuses (dev kit) / no more output (serial/hdmi) / bricked? - #89 by DaneLLL

From what I can find, it doesn’t look like the PMIC Watchdog and/or Tegra Watchdog are enabled by default out of boot like you indicate here. I checked early in the CPU bootloader, and neither was enabled. It looks like cboot will enable the Tegra Watchdog from platform_early_init(), but nothing appears to be enabled before that point in the boot process (including BootROM/MB1/MB2) unless this fuse is set? It also looks like cboot will disable the Tegra Watchdog before booting the kernel (from platform_uninit), so there definitely are large parts of the boot process which are not being protected by a watchdog.

As the answer to the question you asked, I can successfully flash and boot the secured board, just as long as the flashing takes less than 15 seconds (before the BPMP watchdog expires).

It would seem that the easiest solution to allow software to work with this fuse set would to be to simply have the BPMP-FW disable the BPMP WDT that is enabled by this fuse after initialization completes. If the watchdog wasn’t enabled by the fuse, then it does no harm to disable it again too. Alternatively, it could be disabled by BPMP-FW after a mailbox command from the CPU-BL was received, guaranteeing that the CPU was up (and the CPU could have already started the Tegra Watchdog).

Is there a possibility of getting an official updated bpmp_t194.bin that just disables this BPMP watchdog? Thanks.

hello user71830,

could you please share your commands for burning the fuse, also, the command you used to flash the target.
you may also share UART console logs for reference, there’s port J501 you may used to gather bootloader logs,