OTA update failed with secureboot SOM board

I made an OTA package from r32.5.1 to r32.6.1 with the following steps:

1. Fuse the SOM board
in the r32.6.1 L4T BSP and download secureboot_r32.6.1_aarch64.tbz2
sudo ./odmfuse.sh -i 0x19 -c PKC -p -k …/rsa_priv.pem jetson-xavier-nx-devkit-emmc

  1. OTA environment
    ToT_BSP=/home/revo/xavierNX_l4t3261/Linux_for_Tegra (L4Tr32.6.1 )
    TARGET_BSP=/home/revo/xavierNX_l4t3261/Linux_for_Tegra (L4Tr32.6.1 )
    BASE_BSP=/home/revo/xavierNX_l4t3251/Linux_for_Tegra (L4Tr32.5.1 )

  2. download ota tool ota_tools_r32.6.1_aarch64.tbz2 and make images
    sudo ./tools/ota_tools/version_upgrade/build_base_recovery_image.sh -u …/rsa_priv.pem jetson-xavier-nx-devkit-emmc R32-5 ${BASE_BSP} ${BASE_BSP}/rootfs ${TARGET_BSP}
    build_recovery.log (1.1 KB)

sudo ./tools/ota_tools/version_upgrade/l4t_generate_ota_package.sh -u …/rsa_priv.pem jetson-xavier-nx-devkit-emmc R32-5
generate_ota_package.log (170.5 KB)

And install L4T r32.5.1, copy ota_payload_package.tar.gz and ota_tools_r32.6.1_aarch64.tbz2
to the Xavier NX SOM board

tar xvpf ota_tools_r32.6.1_aarch64.tbz2
cd Linux_for_Tegra/tools/ota_tools/version_upgrade
sudo ./nv_ota_start.sh /dev/mmcblk0 ~/ota_payload_package.tar.gz
log:
ota.log (9.7 KB)

After reboot, I saw a black screen with no HDMI signal,
and no SoC debug messages were shown.

It seems the SOM board is in recovery mode and cannot update to r32.6.1.
All I can do is reflash the image.

But if I use a non-fused SOM board and remove “-u rsa_priv.pem” from build_base_recovery_image.sh and l4t_generate_ota_package.sh, the OTA update process is OK.

Can anyone help me solve the issue? Thanks.

hello jakelin,

could you please apply the below patch into l4t_generate_ota_package.sh.
this adds the PKC/SBK options back when calling the l4t_generate_soc_bup.sh script file to generate the BUP for OTA update.
for example,

scripts/ota-scripts/l4t_generate_ota_package.sh

@@ -841,10 +841,19 @@ function generate_BUP()
        local board_name="${TARGET_BOARD}"
        local board_spec_file="${BOARD_SPECS_CONFIG_FILE}"
        local payload_dir="${BOOTLOADER_DIR}"/payloads_"${chipid}"
+       local cmd_arg=
+       cmd_arg="-f \"${board_spec_file}\" -e \"${board_spec_entry}\" -b \"${board_name}\" "
+       if [ "${PKC_KEY_FILE}" != "" ] && [ -f "${PKC_KEY_FILE}" ]; then
+               cmd_arg+="-u \"${PKC_KEY_FILE}\" "
+       fi
+       if [ "${SBK_KEY_FILE}" != "" ] && [ -f "${SBK_KEY_FILE}" ]; then
+               cmd_arg+="-v \"${SBK_KEY_FILE}\" "
+       fi
+
        pushd "${LINUX_BASE_DIR}" > /dev/null 2>&1
-       echo "Generate BUP file by running command: ${bup_generator} -f ${board_spec_file} -e ${board_spec_entry} -b ${board_name} ${chipid}"
-       if ! "${bup_generator}" -f "${board_spec_file}" -e "${board_spec_entry}" -b "${board_name}" "${chipid}"; then
-               echo "Failed to run \"${bup_generator} -f ${board_spec_file} -e ${board_spec_entry} -b ${board_name} ${chipid}\""
+       echo "Generate BUP file by running command: ${bup_generator} ${cmd_arg} ${chipid}"
+       if ! "${bup_generator}" "${cmd_arg}" "${chipid}"; then
+               echo "Failed to run \"${bup_generator} ${cmd_arg} ${chipid}\""
                exit 1
        fi
        popd > /dev/null 2>&1
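
Review bot: in the call if ! "${bup_generator}" "${cmd_arg}" "${chipid}", cmd_arg is one string expanded inside double quotes, so the generator receives -f, -e, -b (and any -u/-v) together as a single argument that also contains the literal quote characters added by the \" escapes, whereas the removed lines passed each option and value as its own argument. Building the options as a bash array avoids this: local cmd_args=(-f "${board_spec_file}" -e "${board_spec_entry}" -b "${board_name}"), then cmd_args+=(-u "${PKC_KEY_FILE}") and cmd_args+=(-v "${SBK_KEY_FILE}") in the two if blocks, and call "${bup_generator}" "${cmd_args[@]}" "${chipid}". Separately, when PKC_KEY_FILE or SBK_KEY_FILE is set but the -f test fails, the option is dropped silently and generation continues without the key; printing an error and exiting there would make a wrong key path visible at build time instead of on the fused board.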

Hi JerryChang,
Sorry for the late reply. I have tried the patch but got errors.
The log files are attached, thanks.
error.log (57.9 KB)

hello jakelin,

thanks for sharing test results.
we’re now checking this internally; will update this thread after we come to a conclusion.
