Timeout issue during Massflash with Disk Encryption on Jetson AGX Orin

Robotics & Edge Computing Jetson Systems Jetson AGX Orin
, ,
1

Hello,

I am having trouble performing a mass flash on the Jetson AGX Orin when disk encryption is enabled.

I am able to flash a single unit successfully using the following commands:

sudo ROOTFS_ENC=1 ./flash.sh --generic-passphrase --no-flash \ 
  -i sym2_t234.key \ -u ecp256.pem -v sbk-32.key --uefi-keys \ 
 uefi_keys/uefi_keys.conf --uefi-enc sym_t234.key \
 jetson-agx-orin-devkit mmcblk0p1

cd bootloader 
sudo bash ./flashcmd.txt

However, when I attempt to use the Massflash workflow with l4t_initrd_flash.sh, the process fails during the “Waiting for target to boot-up” stage and eventually times out.

Steps to reproduce:

  1. Generate the mass flash image:
sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh \ 
  -i ./sym2_t234.key -p "--generic-passphrase" --no-flash --network usb0 \ 
  --massflash 10 -u ecp256.pem -v sbk-32.key \
  --uefi-keys uefi_keys/uefi_keys.conf --uefi-enc sym_t234.key \ 
  jetson-agx-orin-devkit mmcblk0p1
  1. Execute the flash:
sudo tar xpfv mfi_jetson-agx-orin-devkit.tar.gz
cd mfi_jetson-agx-orin-devkit
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --network usb0 \ 
  --massflash 10 --keep

Error Output:

***************************************
* Step 3: Start the flashing process *
***************************************
Waiting for target to boot-up...
Waiting for target to boot-up...
...
Waiting for target to boot-up...
Waiting for target to boot-up...
Timeout
Cleaning up...

I have attached the full flash logs and UART logs for your review. Could you please help me identify why the target fails to boot into the initrd environment during the mass flash process?

Attachments:
my_flash.log (568.3 KB)
my_uart.log (73.2 KB)

2

*** Please note that this reply is generated by LLM automatically ***

I’d be happy to help you troubleshoot the issue with mass flashing the Jetson AGX Orin when disk encryption is enabled.

First, let’s break down the steps you’ve taken so far:

  1. You’ve generated the mass flash image.
  2. You’ve executed the flash command using the following commands (although you didn’t specify the exact commands, I assume you’re using the standard flash.sh command with the ROOTFS_ENC=1 option to enable disk encryption).

However, the process fails during the “Waiting for target to bootup” stage and eventually times out.

To help you identify the issue, I’d like to review the flash logs and UART logs you’ve attached. Unfortunately, I’m a text-based AI and don’t have the capability to access or review the attached files. However, I can provide some general guidance on what might be causing the issue.

When disk encryption is enabled, the boot process is slightly different. The device needs to decrypt the root filesystem before booting into the initrd environment. Here are a few potential causes for the issue:

  1. Incorrect disk encryption key: Make sure that the disk encryption key is correctly generated and aligned with the sym_key2 in the eks_<platform>.img file.
  2. Incorrect flash_t234_qspi_sdmmc_enc_rfs.xml configuration: Verify that the flash_t234_qspi_sdmmc_enc_rfs.xml file is correctly configured with the encrypted attribute set to true in the APP_ENC section.
  3. Incorrect ROOTFS_ENC option: Ensure that the ROOTFS_ENC=1 option is correctly set when executing the flash.sh command.
  4. Bootloader configuration: Verify that the bootloader is correctly configured to support disk encryption. You may need to modify the Linux_for_Tegra/bootloader/generic/cfg/flash_t234_qspi_sdmmc_enc_rfs.xml file to set the encrypted attribute to true in the APP_ENC section.
  5. UART log analysis: Review the UART logs to see if there are any error messages or hints about what’s causing the boot failure.

To further troubleshoot the issue, you can try the following:

  1. Disable disk encryption: Try flashing the device without disk encryption enabled to see if the issue persists.
  2. Use a different disk encryption key: Generate a new disk encryption key and try flashing the device again.
  3. Verify the bootloader configuration: Double-check the bootloader configuration to ensure that it’s correctly set up to support disk encryption.

If none of these suggestions help, please provide more details about your setup, including the exact commands you’re using and any error messages you’re seeing in the logs. I’ll do my best to help you troubleshoot the issue.

*** Please give the thumbs up if you get answers you like. Or provide feedback to help us improve the answer. ***

4

Hi @JerryChang ,
When I flash without --no-flash using this command:

sudo ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh -i ./sym2_t234.key -p "--generic-passphrase" --network usb0 -u ecp256.pem -v sbk-32.key --uefi-keys uefi_keys/uefi_keys.conf --uefi-enc sym_t234.key jetson-agx-orin-devkit mmcblk0p1

If I faced the “bash: no job control in this shell” error, could this be related to the xudc driver or USB device mode issues? (No Known UDC device found in massflash)

5

hello kyoungh,

you should generate massflash blob with --generic-passphrase option enabled.
please see-also Topic 291335 for the test steps.

6

Hi @JerryChang ,

Thank you for the suggestion. I have already included the --generic-passphrase option in my command, but the issue persists on the fused module. To check for DTB issues, I tested the mass flash command on a non-fused module, and it succeeded

  • Unfused Orin 64GB: Success. Massflash works perfectly on the same custom board.
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --no-flash --network usb0 \
 --massflash 5 jetson-agx-orin-devkit mmcblk0p1

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --network usb0 \ 
--massflash 5 --showlogs
  • Fused Orin 32GB (PKC+SBK+DiskEnc): FAIL (Timeout).
sudo BOARDID=3701 BOARDSKU=0004 ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh \ 
--network usb0 --no-flash --massflash 10 -i sym2_t234.key -u ecp256.pem \ 
-v sbk-32.key -p "--generic-passphrase" --uefi-keys uefi_keys/uefi_keys.conf \ 
--uefi-enc sym_t234.key jetson-agx-orin-devkit mmcblk0p1

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --network usb0 \ 
--massflash 10

uart-or32-0203.log (98.6 KB)
flash_3-2.4_0_20260203-172638.log (7.8 KB)
mass_flash_or32.log (609.6 KB)

What else should I verify for fused modules specifically? Could the security fuses affect the QSPI initialization or NFS mounting in the initrd?

Any advice or insights would be greatly appreciated. Thank you!

7

hello kyoungh,

let’s have issue narrow down,
did you have those AGX Orin fused with the same PKC/SBK/OEM keys?
please check you’re able to re-flash them without disk encryption.

8

hello @JerryChang

I confirmed that I can successfully generate the flash images with security options enabled using the following command. The process completes and the system boots correctly:

sudo ROOTFS_ENC=1 ./flash.sh --generic-passphrase --no-flash \ 
-i sym2_t234.key -u ecp256.pem -v sbk-32.key --uefi-keys \ 
uefi_keys/uefi_keys.conf --uefi-enc sym_t234.key \ 
jetson-agx-orin-devkit mmcblk0p1

However, when I attempted to flash without security options as you suggested, I encountered the error: ‘Reading board information failed.’"

9

To clarify, since the board is already fused, I will keep the PKC (-u) and SBK (-v) keys but remove the ROOTFS_ENC=1 and UEFI encryption options for this test.

10

Hello @JerryChang

I tested with the command. I removed “ROOTFS_ENC=1” and UEFI options. But I faced the same issue

  1. Timeout
  2. #bash prompt in the Orin
sudo ./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 \ 
-u ecp256.pem -v sbk-32.key jetson-agx-orin-devkit mmcblk0p1

mass-flash-0204-01.log (406.1 KB)
uart-0204-01.log (93.4 KB)
dmesg-host-0204-01.log (2.4 KB)
What else should I verify or look at? Thank you for your help

11

Hello @JerryChang ,

Regarding the previous test: I attempted to flash on Ubuntu 22.04 but failed. However, I successfully flashed the module on Ubuntu 24.04

So I succeeded to flash using the command on Ubuntu 24.04

./tools/kernel_flash/l4t_initrd_flash.sh --network usb0 \
 -u ecp256.pem  -v sbk-32.key jetson-agx-orin-devkit mmcblk0p1
12

I also succeeded to flash mass using the commands on Ubuntu 24.04

sudo ./tools/kernel_flash/l4t_initrd_flash.sh  --no-flash --network usb0 \ 
 -u ecp256.pem  -v sbk-32.key --massflash 10 jetson-agx-orin-devkit mmcblk0p1

cd mfi_jetson-agx-orin-devkit

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only --network usb0 \ 
 --massflash 10 --showlogs
13

I have successfully completed the mass flash using the following commands on Ubuntu 24.04 (with PKC+SBK+DiskEncrypt)

sudo BOARDID=3701 BOARDSKU=0004 FAB=500 BOARDREV=L.0 ROOTFS_ENC=1 \ 
./tools/kernel_flash/l4t_initrd_flash.sh -i ./sym2_t234.key \ 
-p "--generic-passphrase" --no-flash --network usb0 --massflash 10 \ 
-u ecp256.pem -v sbk-32.key --uefi-keys uefi_keys/uefi_keys.conf \ 
--uefi-enc sym_t234.key jetson-agx-orin-devkit mmcblk0p1

cd mfi_jetson-agx-orin-devkit

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --flash-only \ 
--network usb0 --massflash 10 --showlogs

Thank you!!!