How to recover a bricked Jetson Nano after enabling secure boot?

Hi,
On a new board I just performed odmfuse with the -p option.
Then I tried to flash the board.
The flashing was unsuccessful.
I think the -p option is bricking the board.
Can you please confirm this?

mayu@mayu:~/nvidia/nvidia_sdk/JetPack_4.6.4_Linux_JETSON_NANO_TARGETS/Linux_for_Tegra$ sudo ./odmfuse.sh -j -i 0x21 -c PKC -k rsa_priv.pem -p
[sudo] password for mayu: 

The option -j is obsolete now. Jtag by default is enabled.
Please use "--disable-jtag" option if you want to burn the jtag-disable fuse.
Jtag can't be re-enabled once the jtag-disable fuse bit is burned.

*** Calculating HASH from keyfile /home/mayu/nvidia/nvidia_sdk/JetPack_4.6.4_Linux_JETSON_NANO_TARGETS/Linux_for_Tegra/rsa_priv.pem ... done
PKC HASH: 0x4b0e3186401bb2a05c063d1f866ee5524a6065f1febaa9b65ac0716cb1b46b03
*** Generating fuse configuration ... done.
*** Start fusing  ... 
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml; reboot recovery"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0029 ] Parsing fuse info as per xml file
[   0.0053 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[   0.0068 ] 
[   0.0068 ] Generating RCM messages
[   0.0093 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[   0.0105 ] RCM 0 is saved as rcm_0.rcm
[   0.0111 ] RCM 1 is saved as rcm_1.rcm
[   0.0111 ] List of rcm files are saved in rcm_list.xml
[   0.0112 ] 
[   0.0112 ] Signing RCM messages
[   0.0135 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0150 ] Assuming zero filled SBK key
[   0.0217 ] 
[   0.0217 ] Copying signature to RCM mesages
[   0.0245 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml
[   0.0265 ] 
[   0.0266 ] Boot Rom communication
[   0.0291 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml
[   0.0309 ] BR_CID: 0x321010016429d88600000000190182c0
[   0.0601 ] RCM version 0X210001
[   0.1035 ] Boot Rom communication completed
[   1.1101 ] 
[   1.1102 ] Blowing fuses
[   1.1150 ] tegrarcm --oem blowfuses blow_fuse_data.bin
[   1.1179 ] Applet version 00.01.0000
[   1.1936 ] Successfully burnt fuses as per fuse info blob
[   1.2087 ] 
[   1.2089 ] Rebooting to recovery mode
[   1.2134 ] tegradevflash --reboot recovery
[   1.2152 ] Cboot is not running on device.
[   1.2440 ] 
[   1.2441 ] Rebooting to recovery mode
[   1.2483 ] tegrarcm --reboot recovery
[   1.2512 ] Applet version 00.01.0000
[   1.3453 ] 
*** The fuse configuration is saved in bootloader/odmfuse_pkc.xml
*** The ODM fuse has been burned successfully.
*** done.
mayu@mayu:~/nvidia/nvidia_sdk/JetPack_4.6.4_Linux_JETSON_NANO_TARGETS/Linux_for_Tegra$ sudo ./flash.sh BOARDID=3448 FAB=200 BOARDSKU=0002 -x 0x21 -y PKC -u rsa_priv.pem jetson-nano-emmc mmcblk0p1
###############################################################################
# L4T BSP Information:
# R32 , REVISION: 7.4
###############################################################################
# Target Board Information:
# Name: jetson-nano-emmc, Board Family: t210ref, SoC: Tegra 210, 
# OpMode: production, Boot Authentication: PKC, 
# Disk encryption: disabled ,
###############################################################################
Error: Either RSA key file is not provided or SBK key file is provided for PKC protected target board.

Do you mean that you can flash the board if you don’t use -p option for fuse?

Yes that is correct.
I tried a different board without -p and it worked.
This new board is bricked only when I add -p.

If you can work as expected w/o adding -p parameter, please just do not use it in your case.

Hi Kevin,
As per the datasheet, -p is used to lock the eFUSES and they cannot be read, which gives more protection to the device. So I think it is mandatory to have this enabled.

My main questions are:

  1. Why are we unable to execute the flash.sh script even a single time and download the encrypted kernel image if the ODM Production Mode (FUSE_SECURITY_MODE [0]) is fused?

  2. When I was analyzing the flash.sh script I found the lines below:

		if [ "${keyfile}" = "" ] || [ "${sbk_keyfile}" != "" ]; then
			echo -n "Error: Either RSA key file is not provided or SBK key " >&2;
			echo "file is provided for PKC protected target board." >&2;
			exit 14;
		fi;

According to my command, I am not passing the -v option for the device on which I tried to enable ODM Production Mode. Then why are these lines printed?

  3. To overcome the above issue I hard-coded the files as below:
    sbk_keyfile="";
    keyfile="rsa_priv.pem";
    And then I tried to perform the flashing on the bricked device for which -p was used. Now it is failing in the RCM stage. See the log below for more details:
mayu@mayu:~/nvidia/nvidia_sdk/JetPack_4.6.4_Linux_JETSON_NANO_TARGETS/Linux_for_Tegra$ sudo ./flash.sh BOARDID=3448 FAB=200 BOARDSKU=0002 -x 0x21 -y PKC -s rsa_priv.pem  jetson-nano-emmc mmcblk0p1
###############################################################################
# L4T BSP Information:
# R32 , REVISION: 7.4
###############################################################################

# Target Board Information:
# Name: jetson-nano-emmc, Board Family: t210ref, SoC: Tegra 210, 
# OpMode: production, Boot Authentication: PKC, 
# Disk encryption: disabled ,
###############################################################################
./tegraflash.py --chip 0x21 --applet "/home/mayu/nvidia/nvidia_sdk/JetPack_4.6.4_Linux_JETSON_NANO_TARGETS/Linux_for_Tegra/bootloader/nvtboot_recovery.bin" --skipuid --cmd "dump eeprom boardinfo cvm.bin" --key "rsa_priv.pem" 
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0034 ] Generating RCM messages
[   0.0057 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm /home/mayu/nvidia/nvidia_sdk/JetPack_4.6.4_Linux_JETSON_NANO_TARGETS/Linux_for_Tegra/bootloader/nvtboot_recovery.bin 0 0
[   0.0069 ] RCM 0 is saved as rcm_0.rcm
[   0.0075 ] RCM 1 is saved as rcm_1.rcm
[   0.0076 ] List of rcm files are saved in rcm_list.xml
[   0.0076 ] 
[   0.0076 ] Signing RCM messages
[   0.0099 ] tegrasign --key rsa_priv.pem --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0110 ] Assuming zero filled SBK key
[   0.0180 ] 
[   0.0180 ] Copying signature to RCM mesages
[   0.0205 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml
[   0.0224 ] 
[   0.0225 ] Boot Rom communication
[   0.0250 ] tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml --skipuid
[   0.0269 ] RCM version 0X13
[   0.1266 ] Boot Rom communication failed
[   0.1266 ] 
Error: Return value 3
Command tegrarcm --chip 0x21 0 --rcm rcm_list_signed.xml --skipuid
Reading board information failed.

  4. Why is the flash.sh script not using the SBK key file with the -v option, and printing “Assuming zero filled SBK key”?
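
One way the key-file check quoted from flash.sh in the post above can fire even when a key file appears on the command line, shown as an added example (not code from the thread or from flash.sh). It assumes options are parsed with the shell's getopts builtin, that -u sets keyfile and -v sets sbk_keyfile; pkc_check is a hypothetical name and sbk.key is a constructed file name.

```shell
#!/bin/sh
# Added example: re-creates the PKC key-file check quoted on the page.
# Assumptions (not shown on the page): getopts-based parsing,
# -u -> keyfile, -v -> sbk_keyfile. pkc_check is a hypothetical name.

pkc_check() {
    keyfile=""
    sbk_keyfile=""
    OPTIND=1
    # getopts stops at the first argument that does not begin with '-',
    # so a leading word such as BOARDID=3448 ends option parsing at once.
    while getopts "u:v:x:y:" opt; do
        case "$opt" in
            u) keyfile="$OPTARG" ;;
            v) sbk_keyfile="$OPTARG" ;;
            x|y) ;;            # chip id / boot auth: accepted, unused here
            *) return 2 ;;
        esac
    done
    # The check as quoted on the page, with 'return' in place of 'exit'.
    if [ "${keyfile}" = "" ] || [ "${sbk_keyfile}" != "" ]; then
        echo "Error: Either RSA key file is not provided or SBK key" \
             "file is provided for PKC protected target board." >&2
        return 14
    fi
    return 0
}

# Argument order as typed in the thread: VAR=value words come first,
# so no option is parsed and keyfile stays empty.
pkc_check BOARDID=3448 FAB=200 BOARDSKU=0002 -x 0x21 -y PKC \
    -u rsa_priv.pem jetson-nano-emmc mmcblk0p1 \
    || echo "variables as arguments: rejected with status $?"

# Same options with nothing in front of them: -u is seen, check passes.
pkc_check -x 0x21 -y PKC -u rsa_priv.pem jetson-nano-emmc mmcblk0p1 \
    && echo "options first: accepted"

# An SBK key file on a PKC-only target also trips the same check.
pkc_check -x 0x21 -y PKC -u rsa_priv.pem -v sbk.key jetson-nano-emmc \
    || echo "SBK supplied: rejected with status $?"
```

Under these assumptions, the same variables placed before the script name in the environment (`sudo BOARDID=3448 FAB=200 BOARDSKU=0002 ./flash.sh ...`) would leave the options in first position.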

hello msivanesan,

you may ignore this Assuming zero filled SBK key message, as it’s calling tegrasign and given zero keys.
let me re-cap the flash messages as below.

as you can see…
there’s --key None in the command-line.
due to such command with a None key, pub_key.key was passed in as zero by default.

Hi Jerry,
Thank you for the clarification about zero filled key.
But can you please respond to the other questions which I asked?

Hi, any updates on this?
Can I use -p for Jetson Nano?