Recovery mode bootrom communication no longer working after burning PKC fuse

I’ve successfully burned the PKC private key fuse hash, but now when I try to write a new BCT/bootloader with said private key, I get a failure code.

Here are the logs of the PKC fuse burning:

$ sudo ./odmfuse.sh -j -i 0x21 -c PKC -p -k rsa_priv.pem
*** Calculating HASH from keyfile rsa_priv.pem ... done
PKC HASH: 0x[snip]
*** Generating fuse configuration ... done.
done.
*** Start fusing  ... 
./tegraflash.py --chip 0x21 --applet nvtboot_recovery.bin --cmd "blowfuses odmfuse_pkc.xml;"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0045 ] Parsing fuse info as per xml file
[   0.0066 ] tegraparser --fuse_info odmfuse_pkc.xml blow_fuse_data.bin
[   0.0092 ] 
[   0.0093 ] Generating RCM messages
[   0.0110 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 --download rcm nvtboot_recovery.bin 0 0
[   0.0128 ] RCM 0 is saved as rcm_0.rcm
[   0.0135 ] RCM 1 is saved as rcm_1.rcm
[   0.0136 ] List of rcm files are saved in rcm_list.xml
[   0.0136 ] 
[   0.0136 ] Signing RCM messages
[   0.0146 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0157 ] Assuming zero filled SBK key
[   0.0272 ] 
[   0.0273 ] Copying signature to RCM mesages
[   0.0302 ] tegrarcm --chip 0x21 --updatesig rcm_list_signed.xml
[   0.0362 ] 
[   0.0363 ] Boot Rom communication
[   0.0386 ] tegrarcm --chip 0x21 --rcm rcm_list_signed.xml
[   0.0410 ] BR_CID: 0x[snip]
[   0.0423 ] RCM version 0X210001
[   0.0424 ] Boot Rom communication completed
[   1.0495 ] 
[   1.0496 ] Blowing fuses
[   1.0525 ] tegrarcm --oem blowfuses blow_fuse_data.bin
[   1.0552 ] Applet version 00.01.0000
[   1.0579 ] Successfully burnt fuses as per fuse info blob
[   1.0709 ] 
*** The fuse configuration is saved in bootloader/odmfuse_pkc.xml
*** The ODM fuse has been secured with PKC keys.
*** Flash "signed BCT and bootloader(s)".
*** done.

And here is the output when trying to write a new bootloader:

$ ./tegrarcm --listrcm rcm_list.xml --chip 0x21 --download rcm nvtboot_recovery.bin 0 0
RCM 0 is saved as rcm_0.rcm
RCM 1 is saved as rcm_1.rcm
List of rcm files are saved in rcm_list.xml
$ ./tegrasign --key rsa_priv.pem --list rcm_list.xml --pubkeyhash pub_key.key
PKC key in Open SSL format
Saving public key  in pub_key.key
Saving public key Hash as binary: pub_key.hash
Saving public key Hash as big-endian text: pub_key.hash_txt
Saving public key Hash as little-endian(sysfs) text: pub_key.hash_sysfs_txt
$ ./tegrarcm --chip 0x21 --updatesig rcm_list_signed.xml
$ sudo ./tegrarcm --chip 0x21 --rcm rcm_list_signed.xml
BR_CID: 0x[snip]
RCM version 0X13
Boot Rom communication failed

Does anyone know what went wrong here?

Hello berterino,

Am I understanding correctly that you’re going to partially update the BCT/bootloader?
If correct, then we don’t support partition update for the fused device.
Thanks

Hi Jerry,

I followed the Jetson TX1 fuse secure boot guide, to burn a PKC private key hash into the fuses. Now I want to write a secure bootloader into the device.

Currently, the Jetson does not boot up anymore. I suspect an old all-zero SBK hashed BCT/bootloader is still present on the eMMC device, and since the PKC is burned, the bootrom will no longer accept it.

I was hoping to update through the USB RCM. What options do I have at the moment besides having a bricked Jetson device?

Follow-up: I don’t know what you mean by partial update. I want to fully update the BCT/bootloader with a secure one.

Hello berterino,

Are you able to boot up the device with the following flash commands?

sudo ./flash.sh -x <chipid> -y PKC -u <keyfile> <device name> mmcblk0p1

Hi berterino,

Any update, or has the issue been resolved?

Thanks
