I’ve checked different USB cables/systems/disabled autosuspend, and I’ve used this USB cable for long flash sequences before without any issue.
I don’t think it’s a USB cable issue, seems to me like the Orin rejects my signed+encrypted payloads from now on.
The recovery states that it works in SBKPKC mode and I pass my keys to the scripts. The issue happens with l4t_initrd_flash.sh or more concisely when I run odmfuse.sh / odmfuseread.sh.
I tried all the 3 PKCs I burnt, same issue.
The serial console is completly empty during this flash issue.
had you kept the fuse configuration file, which is an XML file that contains fuse data.
may I know what’s your commands to flash a target.
besides, may I also know what’s your host environment setup.
I used the following to generate the fuse hash for the xml: tegrasign_v3.py --pubkeyhash RSA1_pub.pem RSA1_pub.hash --key RSA1_priv.pem
Used the stdout where ‘tegra-fuse format (big endian)’ is outputted and asserted that the hexdump of RSA1_pub.hash is the same like it.
I’m trying to run: tegrakeyhash --pkc RSA1_pub.pem --chip 0x23
but I get Invalid key format.
Update:
For some reason, tegrasign_v3.py command above clobber the RSA1_pub.pem, when I generate the -pubout from the priv again the file was a valid pem certificate and tegrakeyhash above ran correctly.
The tegra-fuse-format it outputted was the same as above.
since you’re using customize OEM K1 fuse key value, had you update EKS image?
please visit jetson-linux-r3550 for downloading [Driver Package (BSP) Sources] package.
you should extract nvidia-jetson-optee-source.tbz2 package.
please refer to optee/samples/hwkey-agent/host/tool/gen_ekb/example.sh to generate a new EKS image, i.e. eks_t234.img
you may see-also Topic 270934 for steps to update EKS image accordingly.
let’s give it a try by adding skip eeprom check to bypass parsing board information.
you should given SKIP_EEPROM_CHECK=1 and also the board info into flash pipeline.
for instance,
here’s sample command-line for Jetson AGX Orin platform, $ sudo SKIP_EEPROM_CHECK=1 BOARDID=3701 FAB=300 BOARDSKU=0004 BOARDREV=C.2 CHIP_SKU=00:00:00:D2 ./flash.sh jetson-agx-orin-devkit internal
since you’re using Orin NX,
please assign BOARDID=3767 BOARDSKU=0000 into flash command-line for testing.
here’re several questions,
please helps me to understand this issue more clearly.
for instance,
(1) it is a customize board, it’s okay to flash before Jetson security enabled.
(2) may I double confirm what’s your original flash command-line.
(3) it should be no issue with image creating, but USB communication failure only for image flashing, right?
(4) such -traditional options should be added for PKC key creation, which means a key used for burning fuse. key cannot change, since you’ve already burn the fuse.
I burnt the fuses written above, without the security mode - which I intended to burn in a separate step. Please assert that it should be valid.
Any command will fail now in the first steps involving the board, i.e. ‘send bct_br/mb1’
Flash command: sudo ./tools/kernel_flash/l4t_initrd_flash.sh -u RSA1.key -v SBK.key -p “-c bootloader/t186ref/cfg/flash_t234_qspi.xml” --showlogs --network usb0 --no-flash jetson-orin-nano-devkit internal
Faster check is: sudo ./odmfuseread.sh -i 0x23 -k RSA1.key -S SBK.key jetson-orin-nano-devkit
In any USB recovery communication with the board will receive USB timeout from here onwards. i.e. ‘send bct_br/mb1’
-traditional is just the .pem format, no ?
I’ve converted my private keys to traditional format using: openssl pkey -in ./PRIV_NEW.pem -traditional >./PRIV_TRADITIONAL.pem
I ran tegrasign_v3.py on the PRIV_TRADITIONAL.pem and asserted that the same hash was outputted as burnt.
The board will boot all the way to the old rootfs, if it helps you in any way.
forecr considered jetson-orin-nano-devkit to be the correct id, trying p3509-a02+p3767-0000 result the same. Please note that odmfuseread doesn’t need specific board and the issue is much earlier.
This is my read from inside the target, please note that sysfs tegra-fuse is misleading (bootsecinfo returned 0, PKCs are clobbered), executing nv_fuse_read returned the correct results.
may I still confirm what’s your original flash command-line to flash your target (i.e. Orin NX 16G on Forecr carrier) before Jetson security has enabled.