I’m using Xavier NX 16GB emmc + reComputer J202 carrier
My host OS is Ubuntu 24.04 LTS. The board is connected with an FTDI USB-to-serial cable to the Control and UART header.
I’ve also connected the USB-C cable for the recovery mode.
Then I burned the fuses with the command below:
sudo ./odmfuse.sh -i 0x19 -k pkc.pem -S sbk.key -r 0x9 jetson-xavier-nx-devkit-emmc
This sets the PKC, SBK and SwReserved (ignore straps and use SwReserved 2:0 bits, which is set to QSPI=0x1).
The SwReserved value is taken from the Jetson_Xavier_NX_Fuse_Specification_DA-09876-001_v1.1.pdf document.
I can read the fuses back:
PublicKeyHash: 0874daa48b5b0aad7c0ddebb644825b799da333847508e0767f05236f0a7c3e8
SecureBootKey: 6d7c62057ff3e7115e215c3ba72a24f5
Kek0: 00000000000000000000000000000000
Kek1: 00000000000000000000000000000000
Kek2: 00000000000000000000000000000000
Kek256: 0000000000000000000000000000000000000000000000000000000000000000
BootSecurityInfo: 00000005
JtagDisable: 00000000
SecurityMode: 00000000
SwReserved: 00000009
DebugAuthentication: 00000000
OdmId: 0000000000000000
OdmLock: 00000000
ReservedOdm0: 00000000
ReservedOdm1: 00000000
ReservedOdm2: 00000000
ReservedOdm3: 00000000
ReservedOdm4: 00000000
ReservedOdm5: 00000000
ReservedOdm6: 00000000
ReservedOdm7: 00000000
ReservedOdm8: 00000000
ReservedOdm9: 00000000
ReservedOdm10: 00000000
ReservedOdm11: 00000000
They are set correctly.
After that I’ve flashed the unit with the following command:
sudo ROOTFS_ENC=1 ./flash.sh --uefi-keys uefi_keys/uefi_keys.conf -u pkc.pem -v sbk.key -i sym2_t194.key jetson-xavier-nx-devkit-emmc mmcblk0p1
Flash is successful, which means the PKC and SBK are correctly set. If I try another pair of keys, the flash fails (which it is supposed to).
However, after removing the recovery mode jumper and power cycling the board, the console is silent. The board appears to be stuck.
I can still place it in recovery mode and re-run the flash command or read the fuses.
So, what now?
Is the module bricked?
Is the SwReserved value wrong? If so then the documentation is wrong…
hello gabriel.sanches,
please double check Boot Security Info,
for instance, are you using 2048 bit RSA or 3072 bit RSA?
please dig into Jetson Xavier NX Fuse Specification Application Note for FUSE_BOOT_SECURITY_INFO [15:0]
hi Chang,
the private key is an RSA 2048-bit key; it was created with the command:
openssl genrsa --traditional -out pkc.pem 2048
--traditional was used as per this response
Verifying the pkc:
$ openssl rsa -in pkc.pem -text -noout
Private-Key: (2048 bit, 2 primes)
modulus:
00:c0:5f:f6:ce:29:09:94:17:6d:42:1b:b5:e1:0a:
aa:3e:fb:6f:59:2a:c9:0c:28:1c:4d:8b:86:90:89:
d3:e4:96:6d:92:9a:48:41:a8:91:12:4f:e8:43:ce:
c1:e1:ae:fd:54:1b:2e:7a:9c:ea:27:27:c6:72:3d:
40:44:75:06:ba:56:2e:8a:da:0c:66:5f:23:5c:98:
c7:3a:ec:86:30:07:8f:15:aa:34:36:4c:f3:57:fc:
10:36:38:41:c6:2a:55:51:ab:1f:94:bd:67:ce:f0:
1c:1c:6e:14:30:7d:e2:99:fb:64:b5:6d
...
From the document you mentioned, BootSecurityInfo: 00000005 sets:
Bits [1:0] = 01b: 2048 bit RSA
Bit [2] = secure boot encryption scheme, enables encryption using SBK when set to 1
Now, I haven’t burned any other bits, but ODM Fuse Encryption Key Select Bits [6:4] has no further documentation. Other than that, the other bits don’t seem relevant for my configuration.
Still, why doesn’t it output anything on the console? Not even errors…
hello gabriel.sanches,
we’ve tested fuse burning on Xavier NX eMMC before, please refer to similar discussion threads,
such as… Topic 273585 and Topic 222924 as see-also.
BTW,
we’ve burned all fuses together instead of burning fuses step-by-step.
It is pretty clear that I can only boot in recovery mode with the correct PKC and SBK:
sudo ./flash.sh -u ../../pkc.pem -v ../../sbk.key jetson-xavier-nx-devkit-emmc mmcblk0p1
###############################################################################
# L4T BSP Information:
# R35 , REVISION: 6.0
# User release: 0.0
###############################################################################
ECID is 0xd80219116401c30724000000040302c0
# Target Board Information:
# Name: jetson-xavier-nx-devkit-emmc, Board Family: t186ref, SoC: Tegra 194,
# OpMode: production, Boot Authentication: SBKPKC,
# Disk encryption: disabled ,
###############################################################################
copying soft_fuses(/home/gasa/projects/****/work/Linux_for_Tegra/bootloader/t186ref/BCT/tegra194-mb1-soft-fuses-l4t.cfg)... done.
./tegraflash.py --chip 0x19 --applet "/home/gasa/projects/****/work/Linux_for_Tegra/bootloader/mb1_t194_prod.bin" --skipuid --soft_fuses tegra194-mb1-soft-fuses-l4t.cfg --bins "mb2_applet nvtboot_applet_t194.bin" --cmd "dump eeprom boardinfo cvm.bin;reboot recovery" --key "/home/gasa/projects/****/pkc.pem" --encrypt_key "/home/gasa/projects/****/sbk.key"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
[ 0.0210 ] Generating RCM messages
[ 0.0254 ] tegrasign_v3.py --file /home/gasa/projects/****/work/Linux_for_Tegra/bootloader/mb1_t194_prod.bin --key /home/gasa/projects/****/sbk.key --offset 4096
[ 0.0256 ] Key is a SBK key
[ 0.0256 ] Key Size is 16 bytes
[ 0.0326 ] tegrahost_v2 --chip 0x19 0 --magicid MB1B --appendsigheader /home/gasa/projects/****/work/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt.bin zerosbk
[ 0.0328 ] Header already present for /home/gasa/projects/****/work/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt.bin
[ 0.0393 ] tegrasign_v3.py --key /home/gasa/projects/****/pkc.pem --getmode mode.txt
[ 0.0396 ] Key size is 256 bytes
[ 0.0414 ] tegrasign_v3.py --file /home/gasa/projects/****/work/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt_sigheader.bin --key /home/gasa/projects/****/pkc.pem --length 1136 --getmontgomeryvalues montgomery.bin --offset 2960 --pubkeyhash pub_key.key
[ 0.0417 ] Key size is 256 bytes
[ 0.0512 ] Saving pkc public key in pub_key.key
[ 0.0499 ] tegrahost_v2 --chip 0x19 0 --pubkeyhash pub_key.key --setmontgomeryvalues montgomery.bin --updatesigheader /home/gasa/projects/****/work/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt_sigheader.bin /home/gasa/projects/****/work/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt_sigheader.sig oem-rsa
[ 0.0542 ] tegrabct_v2 --chip 0x19 0 --sfuse tegra194-mb1-soft-fuses-l4t.cfg.pdf sfuse.bin
[ 0.0559 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x19 0 --sfuses sfuse.bin --download rcm /home/gasa/projects/****/work/Linux_for_Tegra/bootloader/mb1_t194_prod_encrypt_sigheader.bin 0 0
[ 0.0561 ] RCM 0 is saved as rcm_0.rcm
[ 0.0588 ] RCM 1 is saved as rcm_1.rcm
[ 0.0589 ] RCM 2 is saved as rcm_2.rcm
[ 0.0590 ] List of rcm files are saved in rcm_list.xml
[ 0.0590 ]
[ 0.0591 ] Signing RCM messages
[ 0.0631 ] tegrasign_v3.py --key /home/gasa/projects/****/pkc.pem --list rcm_list.xml --getmontgomeryvalues montgomery.bin --pubkeyhash pub_key.key
[ 0.0634 ] Key size is 256 bytes
[ 0.0907 ] Saving pkc public key in pub_key.key
[ 0.0880 ] Copying signature to RCM mesages
[ 0.0893 ] tegrarcm_v2 --chip 0x19 0 --updatesig rcm_list_signed.xml --pubkeyhash pub_key.key
[ 0.0905 ] Boot Rom communication
[ 0.0918 ] tegrarcm_v2 --chip 0x19 0 --rcm rcm_list_signed.xml --skipuid
[ 0.0920 ] RCM version 0X190001
[ 0.0959 ] Boot Rom communication completed
[ 2.1255 ] tegrarcm_v2 --isapplet
[ 2.1261 ] Applet version 01.00.0000
[ 2.1291 ] tegrarcm_v2 --ismb2
[ 2.1407 ] tegrahost_v2 --chip 0x19 --align nvtboot_applet_t194_aligned.bin
[ 2.1411 ] header_magic: 50000ea
[ 2.1455 ] tegrasign_v3.py --key /home/gasa/projects/****/sbk.key --list nvtboot_applet_t194_aligned.bin_list.xml
[ 2.1456 ] Key is a SBK key
[ 2.1456 ] Key Size is 16 bytes
[ 2.1486 ] tegrahost_v2 --chip 0x19 0 --updatesigheader nvtboot_applet_t194_aligned.bin.encrypt nvtboot_applet_t194_aligned.bin.hash zerosbk
[ 2.1508 ] tegrahost_v2 --chip 0x19 --align nvtboot_applet_t194.bin_aligned.encrypt
[ 2.1511 ] header_magic: f276467
[ 2.1524 ] tegrahost_v2 --appendsigheader nvtboot_applet_t194.bin_aligned.encrypt oem-rsa-sbk --chip 0x19 0 --magicid PLDT
[ 2.1527 ] adding BCH for nvtboot_applet_t194.bin_aligned.encrypt
[ 2.1591 ] tegrasign_v3.py --key /home/gasa/projects/****/pkc.pem --list nvtboot_applet_t194.bin_aligned_sigheader.encrypt_list.xml --pubkeyhash pub_key.key
[ 2.1594 ] Key size is 256 bytes
[ 2.1687 ] Saving pkc public key in pub_key.key
[ 2.1674 ] tegrahost_v2 --chip 0x19 0 --updatesigheader nvtboot_applet_t194.bin_aligned_sigheader.encrypt.signed nvtboot_applet_t194.bin_aligned_sigheader.encrypt.sig oem-rsa --pubkeyhash pub_key.key
[ 2.1705 ] tegrarcm_v2 --download mb2 nvtboot_applet_t194.bin_sigheader.encrypt.signed
[ 2.1706 ] Applet version 01.00.0000
[ 2.1723 ] Sending mb2
[ 2.1723 ] [................................................] 100%
[ 2.1954 ] tegrarcm_v2 --boot recovery
[ 2.1956 ] Applet version 01.00.0000
[ 3.2027 ] tegrarcm_v2 --isapplet
[ 3.2065 ] tegrarcm_v2 --ismb2
[ 3.2067 ] MB2 Applet version 01.00.0000
[ 3.2100 ] tegrarcm_v2 --ismb2
[ 3.2102 ] MB2 Applet version 01.00.0000
[ 3.2134 ] Retrieving board information
[ 3.2147 ] tegrarcm_v2 --oem platformdetails chip chip_info.bin
[ 3.2149 ] MB2 Applet version 01.00.0000
[ 3.2186 ] Saved platform info in chip_info.bin
[ 3.2227 ] Chip minor revision: 2
[ 3.2228 ] Bootrom revision: 0xf
[ 3.2229 ] Ram code: 0x1
[ 3.2230 ] Chip sku: 0xde
[ 3.2231 ] Chip Sample: non es
[ 3.2235 ] Retrieving EEPROM data
[ 3.2235 ] tegrarcm_v2 --oem platformdetails eeprom cvm /home/gasa/projects/****/work/Linux_for_Tegra/bootloader/cvm.bin
[ 3.2237 ] MB2 Applet version 01.00.0000
[ 3.2274 ] Saved platform info in /home/gasa/projects/****/work/Linux_for_Tegra/bootloader/cvm.bin
[ 3.2664 ] Rebooting to recovery mode
[ 3.2677 ] tegrarcm_v2 --ismb2
[ 3.2680 ] MB2 Applet version 01.00.0000
[ 3.2699 ] Rebooting to recovery mode
[ 3.2713 ] tegrarcm_v2 --reboot recovery
[ 3.2714 ] MB2 Applet version 01.00.0000
Board ID(3668) version(301) sku(0001) revision(L.0)
...
Those values are correct; if I use any other keys there I get no response from the unit.
There must be something else regarding the other fuses that I have burned.
Can you check the values along with the board identification?:
ECID is 0xd80219116401c30724000000040302c0
Board ID(3668) version(301) sku(0001) revision(L.0)
Regarding the links you provided, I did similarly.
I’ve also burned those fuses in a single command as previously stated. Not that it should matter, as per documentation, one can burn fuses at will until the lock has been burned.
just an FYI,
on Xavier series, we always program all the fuses (including production mode, -p) for testing.
as you can see… Xavier NX (eMMC) Secureboot Fusing renders devices unbootable - #27 by JerryChang, issue gone by activation of the production mode.
Adding the -p flag works. The board boots fine now.
This information should be added to the documentation. Although it is clear what the flag does, it is not clear that PKC and SBK can be burned without also burning the production mode to have a working system.
hello gabriel.sanches,
just an FYI,
it’s added here… Burn Fuses with the Fuse Configuration file, although it’s only updating to the latest release.
NVIDIA recommends burning all the fuses you need in a single operation. While partial fuse burning is possible if SecurityMode is not burned, it may lead to issues not described in this document. If you are determined to proceed with partial fuse burning, contact NVIDIA technical support for further assistance.
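The check that would have flagged this state before the power cycle, as an added example that is not part of the thread or of NVIDIA's tools: it parses a fuse readout in the format shown in the first post and decodes only the bit fields spelled out in the thread. The function names and the `pkc_bits` parameter are assumptions made for this illustration.

```python
import re

# Subset of the fuse readout from the first post (SecurityMode not yet burned).
READOUT = """\
PublicKeyHash: 0874daa48b5b0aad7c0ddebb644825b799da333847508e0767f05236f0a7c3e8
SecureBootKey: 6d7c62057ff3e7115e215c3ba72a24f5
BootSecurityInfo: 00000005
SecurityMode: 00000000
SwReserved: 00000009
"""

def parse_fuses(text):
    """Map 'Name: hex' lines to {name: int}; any other line is ignored."""
    pairs = re.findall(r"^(\w+):[ \t]*([0-9a-fA-F]+)[ \t]*$", text, re.MULTILINE)
    return {name: int(value, 16) for name, value in pairs}

def decode(fuses):
    """Decode only the bit fields that are described in the thread."""
    bsi = fuses.get("BootSecurityInfo", 0)
    swr = fuses.get("SwReserved", 0)
    return {
        "rsa_2048": (bsi & 0b11) == 0b01,      # bits [1:0] = 01b
        "sbk_encryption": bool(bsi & 0b100),   # bit [2]
        "odm_key_select": (bsi >> 4) & 0b111,  # bits [6:4], meaning not given
        "ignore_straps": bool(swr & 0b1000),   # bit 3, per the first post
        "boot_device": swr & 0b111,            # bits [2:0]; 0x1 = QSPI
        "production_mode": fuses.get("SecurityMode", 0) != 0,
    }

def findings(fuses, pkc_bits=None):
    """Return warnings; pkc_bits is the signing key's RSA size, if known."""
    d, out = decode(fuses), []
    keyed = fuses.get("PublicKeyHash", 0) or fuses.get("SecureBootKey", 0)
    if keyed and not d["production_mode"]:
        # The state that left this thread's module silent after flashing.
        out.append("PKC/SBK burned but SecurityMode is 0: burn production mode (-p)")
    if pkc_bits is not None and d["rsa_2048"] and pkc_bits != 2048:
        out.append("BootSecurityInfo selects 2048-bit RSA, key is %d bits" % pkc_bits)
    return out

if __name__ == "__main__":
    for line in findings(parse_fuses(READOUT), pkc_bits=2048):
        print("WARN:", line)
```
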