Hello,
I have similar issues like in this post with burning fuses of TX2. I tried all variants to burn fusses described in README_secureboot.txt, but I constantly get “Oem commands are not supported. Fuse burning failed” error.
sudo ./odmfuse.sh -j -i 0x18 -c PKC \
-k keys/rsa_priv.pem -S keys/SBK.key \
--KEK0 keys/KEK0.key --KEK1 keys/KEK1.key --KEK2 keys/KEK2.key \
jetson-tx2
[ 6.1100 ] tegrarcm_v2 --oem burnfuses blow_fuse_data.bin
[ 6.1110 ] Applet version 01.00.0000
[ 6.1133 ] 0000000000000001: Oem commands are not supported
[ 6.1143 ] Fuse burning failed
[ 6.1143 ]
[ 6.1144 ] trying fusing with CPU binary
[ 6.1172 ] tegrasign_v2 --key None --getmode mode.txt
[ 6.1184 ] Assuming zero filled SBK key
[ 6.1186 ]
[ 6.1186 ] Parsing partition layout
[ 6.1199 ] tegraparser_v2 --pt flash.xml.tmp
[ 6.1219 ]
[ 6.1220 ] Creating list of images to be signed
[ 6.1232 ] tegrahost_v2 --chip 0x18 0 --partitionlayout flash.xml.bin --list images_list.xml zerosbk
[ 6.1244 ] Stat for RECFILE failed
[ 6.1538 ]
Error: Return value 4
Command tegrahost_v2 --chip 0x18 0 --partitionlayout flash.xml.bin --list images_list.xml zerosbk
failed.
Hi,
Please share your release version( $ head -1 /etc/nv_tegra_release ). r28 releases or r32 releases.
$ head -1 /etc/nv_tegra_release
# R32 (release), REVISION: 3.1, GCID: 18186506, BOARD: t186ref, EABI: aarch64, DATE: Tue Dec 10 07:03:07 UTC 2019
Just in case:
$ ./tegrafuse.sh
odm_lock : 0x00000000
arm_jtag_disable : 0x00000000
odm_production_mode : 0x00000000
boot_security_info : 0x00000000
odm_info : 0x00000000
I applied fix-uid-check-in-odmfuse.patch in accordance with this post.
I use the Jetson TX2 module provided with Developer Kit. Can such module be fused?
Hi,
The TX2 module with devkit is fuse-able. Please check if this patch helps:
Hi Jerry,
I’m using odmfuse to burn new keys on the Jetson TX2, I found a bug in the script when using KEK256.
Please see the patch below.
Could you please confirm that this is the right patch ?
Also, can we burn multiple keys at one time ? (See below)
sudo BOARDID=3310 FAB=C04 ./odmfuse.sh -j -i 0x18 -c PKC -k my_privkey.pem --KEK0 my_kek0.key --KEK1 my_kek1.key --KEK2 my_kek2.key --KEK256 my_kek256.key -S my_sbk.key jetson-tx2
Here is the Patch:
--- odmfuse.sh 2020-01-28 18:10:07.000000…
And you may also try a simple command:
$ sudo ./odmfuse.sh -j -i 0x18 -c PKC -k rsa_priv.pem jetson-tx2
This command
sudo ./odmfuse.sh -j -i 0x18 -c PKC -k rsa_priv.pem jetson-tx2
produces the same result:
[ 6.1925 ] tegrarcm_v2 --oem burnfuses blow_fuse_data.bin
[ 6.2000 ] Applet version 01.00.0000
[ 6.2130 ] 0000000000000001: Oem commands are not supported
[ 6.2145 ] Fuse burning failed
[ 6.2145 ]
[ 6.2146 ] trying fusing with CPU binary
[ 6.2441 ] tegrasign_v2 --key None --getmode mode.txt
[ 6.2517 ] Assuming zero filled SBK key
[ 6.2678 ]
[ 6.2698 ] Parsing partition layout
[ 6.2752 ] tegraparser_v2 --pt flash.xml.tmp
[ 6.2881 ]
[ 6.2882 ] Creating list of images to be signed
[ 6.2922 ] tegrahost_v2 --chip 0x18 0 --partitionlayout flash.xml.bin --list images_list.xml zerosbk
[ 6.2991 ] Stat for RECFILE failed
[ 6.3673 ]
Error: Return value 4
Command tegrahost_v2 --chip 0x18 0 --partitionlayout flash.xml.bin --list images_list.xml zerosbk
failed.
Regarding patch: in accordance with documentation KEK256 = KEK0 + KEK1 (T186 and T194).
Is this command correct?
sudo BOARDID=3310 FAB=C04 ./odmfuse.sh -j -i 0x18 -c PKC -k my_privkey.pem --KEK0 my_kek0.key --KEK1 my_kek1.key --KEK2 my_kek2.key –KEK256 my_kek256.key -S my_sbk.key jetson-tx2
Should I anyway apply the patch and use --KEK256 ?
Hi,
Please confirm you get the package for r32.3.1. The error should be present on r28 releases only. A bit strange you see it on r32.
[ 6.2130 ] 0000000000000001: Oem commands are not supported
Command shows that I have R32.3.1 release:
$ head -1 /etc/nv_tegra_release
R32 (release), REVISION: 3.1, GCID: 18186506, BOARD: t186ref, EABI: aarch64, DATE: Tue Dec 10 07:03:07 UTC 2019
Ok, I will do all steps from scratch and come back.
My steps:
downloaded and installed Tegra186_Linux_R32.3.1_aarch64.tbz2
downloaded and installed Tegra_Linux_Sample-Root-Filesystem_R32.3.1_aarch64.tbz2
downloaded and installed secureboot_R32.3.1_aarch64.tbz2
flashed TX2 : sudo ./flash.sh jetson-tx2 mmcblk0p1
applied fix-uid-check-in-odmfuse.patch
tried to burn:
sudo ./odmfuse.sh -j -i 0x18 -c PKC
-k keys/rsa_priv.pem -S keys/SBK.key
–KEK0 keys/KEK0.key --KEK1 keys/KEK1.key --KEK2 keys/KEK2.key
jetson-tx2
Got:
[ 6.0400 ] 0000000000000001: Oem commands are not supported
Hi,
Does it work if you with with –no-burn ?
Please also try to flash through SDKManager and extract secureboot_R32.3.1_aarch64.tbz2 to
$HOME\nvidia\nvidia_sdk\JetPack_4.3_Linux_P3310\Linux_for_Tegra
A user has done cross verfication on TX2 and Nano. It looks fine on TX2:
Hi chijen,
Thanks for your notes.
Interesting. I have not been aware of the fact.
Where can I find such critical specifications?
I tried to burn our product_id to identify the box.
So, ok, I will consider using an odm reserved fuse.
As I have just realized it can not be read, I am not going to use a DK. But let me clarify.
Device key (DK) for T210. Device key for other security applications. If no other security applications are used, leave it untouched.
DK is only for TK1 and Nano.
…
Hi,
DaneLLL:
Does it work if you with with –no-burn ?
Please also try to flash through SDKManager and extract secureboot_R32.3.1_aarch64.tbz2 to
$HOME\nvidia\nvidia_sdk\JetPack_4.3_Linux_P3310\Linux_for_Tegra
I installed JetPack_4.3, but it did not help.
The same error Oem commands are not supported
with and without --noburn.
The user tried L4T 32.2.1 with TX2:
When I had tried before on L4T 32.2.1 with TX2, it didn’t work as described in the document, either. The odmfuse.sh has not worked without a patch .
I will try to downgrade L4T to 32.2.1.
Hi,
Success with JetPack_4.2.3 [L4T 32.2.1] !!!
JetPack_4.3 [L4T 32.3.1] does not work for TX2.
Hi,
Do you have any updates regarding burning fuses by using JetPack_4.3 [L4T 32.3.1] ?
Using multiple Jetpack releases is quite inconvenient.
Hi,
The error looks specfiic to the board since we have other users work on r32.3.1/TX2 and don’t report the error. For more information, please execute tegrafuse.sh and share status of the board.
I have the exact same behavior
TX2 in dev board
Standard unmodified R32.3.1 install created from the BSP and sample rootfs
Only 32.2.1 will write the fuses
I can then use 32.3.1 to flash the device
Fortunately this suffices and I am not concerned about having two releases of JetPack.