TX2NX Secureboot fusing stuck on reading fuses

Robotics & Edge Computing Jetson & Embedded Systems Jetson TX2
1

Hello! I am in the process of enabling Secureboot for my TX2NX device on Jetpack 4.6.5.
I think I have it figured out by:

  • Extracting secureboot_r32.7.5_aarch64.tbz2 into my Linux_for_Tegra folder
  • Generating RSA (PKC) key with: openssl genrsa -out rsa-priv.pem 2048
  • Manually writing sbk.xml key as: echo "0x123456789abcdef0fedcba9876543210" > sbk.xml (Obviously not my actual key)

As I’m fine with SBKPKC secureboot, I don’t need more keys. The problem occurs when I’m trying to fuse my keys. Whenever I try to actually fuse, I’m stuck on fuse read part. When I’m generating a fuseblob, it does generate successfully but even if I call the fuseblob command, it gets stuck on fuse reading part.

These are the commands I’m using:

  • Direct fusing:
sudo ./odmfuse.sh -i 0x18 -p -k /home/flasher/keys/rsa_priv.pem -S /home/flasher/keys/sbk.xml jetson-xavier-nx-devkit-tx2-nx
  • fuseblob generation:
sudo FAB=300 BOARDID=3636 BOARDSKU=0001 ./odmfuse.sh --noburn -i 0x18 --auth SBKPKC -p -k /home/flasher/keys/rsa_priv.pem -S /home/flasher/keys/sbk.xml jetson-xavier-nx-devkit-tx2-nx
mkdir fuseblob
tar -xf fuseblob.tbz2 -C fuseblob
sudo ./fusecmd.sh

sudo ./fusecmd.sh 

Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0004 ] Burning fuses
[   0.0004 ] Boot Rom communication
[   0.0023 ] tegrarcm_v2 --chip 0x18 0 --rcm /home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/fuseblob/bootloader/encrypted_signed/rcm_1_signed.rcm
[   0.0028 ] BR_CID: 0x81801001640cf1c310000000020280c0
[   0.0033 ] Bootrom returned error 22
[   0.0141 ] Boot Rom communication failed
[   0.0141 ] 
[   0.0142 ] Send tboot failed. Bootrom is likely not running, try to detect whether mb1/mb2/cpubl is running.
[   1.0163 ] tegrarcm_v2 --isapplet

sudo ./odmfuse.sh -i 0x18 -p -k /home/flasher/keys/rsa_priv.pem -S /home/flasher/keys/sbk.xml jetson-xavier-nx-devkit-tx2-nx

./tegraflash.py --chip 0x18 --applet "/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin" --skipuid --cmd "dump eeprom boardinfo cvm.bin" 
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0019 ] Generating RCM messages
[   0.0041 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 0 --download rcm /home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin 0 0
[   0.0045 ] RCM 0 is saved as rcm_0.rcm
[   0.0047 ] RCM 1 is saved as rcm_1.rcm
[   0.0047 ] List of rcm files are saved in rcm_list.xml
[   0.0047 ] 
[   0.0047 ] Signing RCM messages
[   0.0067 ] tegrasign_v3.py --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0067 ] Assuming zero filled SBK key
[   0.0099 ] Copying signature to RCM mesages
[   0.0104 ] tegrarcm_v2 --chip 0x18 0 --updatesig rcm_list_signed.xml
[   0.0111 ] 
[   0.0112 ] Boot Rom communication
[   0.0130 ] tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml --skipuid
[   0.0134 ] RCM version 0X180001
[   0.0149 ] Boot Rom communication completed
[   1.0285 ] 
[   2.0319 ] tegrarcm_v2 --isapplet
[   2.0323 ] Applet version 01.00.0000
[   2.0709 ] 
[   2.0727 ] Retrieving EEPROM data
[   2.0728 ] tegrarcm_v2 --oem platformdetails eeprom cvm /home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/cvm.bin
[   2.0732 ] Applet version 01.00.0000
[   2.1117 ] Saved platform info in /home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/cvm.bin
[   2.2281 ] 
Board ID(3636) version(300) sku(0001) revision(H.0)
copying sdram_config(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-memcfg-p3636-0001-a01.cfg)... done.
copying misc_config(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-misc-si-l4t.cfg)... done.
copying pinmux_config(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-pinmux-p3636-0001-a00.cfg)... done.
copying scr_config(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/t186ref/BCT/minimal_scr.cfg)... done.
copying scr_cold_boot_config(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/t186ref/BCT/mobile_scr.cfg)... done.
copying pmc_config(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-pad-p3636-0001-a00.cfg)... done.
copying pmic_config(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-pmic-p3636-0001-a00.cfg)... done.
copying br_cmd_config(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-bootrom-p3636-0001-a00.cfg)... done.
copying prod_config(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/t186ref/BCT/tegra186-mb1-bct-prod-p3636-0001-a00.cfg)... done.
copying dev_params(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/t186ref/BCT/emmc.cfg)... done.
Existing mb2_bootloader(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/nvtboot_recovery.bin) reused.
Existing mts_preboot(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/preboot_d15_prod_cr.bin) reused.
Existing mts_bootpack(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/mce_mts_d15_prod_cr.bin) reused.
copying bootloader_dtb(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/kernel/dtb/tegra186-p3636-0001-p3509-0000-a01.dtb)... done.
Existing bpmp_fw(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/bpmp.bin) reused.
copying bpmp_fw_dtb(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/t186ref/tegra186-bpmp-p3636-0001-a00-00.dtb)... done.
Existing tlk(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/tos-trusty.img) reused.
Existing eks(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/eks.img) reused.
Existing mb1file(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/mb1_prod.bin) reused.
Existing spefile(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/spe.bin) reused.
copying tegraboot(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/t186ref/nvtboot.bin)... done.
Existing tbcfile(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/cboot.bin) reused.
Existing scefile(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/camera-rtcpu-sce.img) reused.
copying wb0boot(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/t186ref/warmboot.bin)... done.
done.
Existing cfg(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/flash.xml) reused.
Existing bl(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/nvtboot_recovery_cpu.bin) reused.
Existing applet(/home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin) reused.
./tegraflash.py --sdram_config tegra186-mb1-bct-memcfg-p3636-0001-a01.cfg --misc_config tegra186-mb1-bct-misc-si-l4t.cfg --pinmux_config tegra186-mb1-bct-pinmux-p3636-0001-a00.cfg --scr_config minimal_scr.cfg --scr_cold_boot_config mobile_scr.cfg --pmc_config tegra186-mb1-bct-pad-p3636-0001-a00.cfg --pmic_config tegra186-mb1-bct-pmic-p3636-0001-a00.cfg --br_cmd_config tegra186-mb1-bct-bootrom-p3636-0001-a00.cfg --prod_config tegra186-mb1-bct-prod-p3636-0001-a00.cfg --dev_params emmc.cfg  --bins "mb2_bootloader nvtboot_recovery.bin; mts_preboot preboot_d15_prod_cr.bin; mts_bootpack mce_mts_d15_prod_cr.bin; bootloader_dtb tegra186-p3636-0001-p3509-0000-a01.dtb; bpmp_fw bpmp.bin; bpmp_fw_dtb tegra186-bpmp-p3636-0001-a00-00.dtb; tlk tos-trusty.img; eks eks.img" --cfg flash.xml --bl nvtboot_recovery_cpu.bin --odmdata 0x2090000 --chip 0x18 --applet mb1_recovery_prod.bin  --skipuid --cmd "readfuses fuse_info.txt fuses_to_read.xml; reboot recovery"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0032 ] Reading fuses
[   0.0032 ] Generating RCM messages
[   0.0056 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 0 --download rcm mb1_recovery_prod.bin 0 0
[   0.0061 ] RCM 0 is saved as rcm_0.rcm
[   0.0062 ] RCM 1 is saved as rcm_1.rcm
[   0.0062 ] List of rcm files are saved in rcm_list.xml
[   0.0063 ] 
[   0.0063 ] Signing RCM messages
[   0.0083 ] tegrasign_v3.py --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0083 ] Assuming zero filled SBK key
[   0.0115 ] Copying signature to RCM mesages
[   0.0135 ] tegrarcm_v2 --chip 0x18 0 --updatesig rcm_list_signed.xml
[   0.0143 ] 
[   0.0144 ] Boot Rom communication
[   0.0160 ] tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml --skipuid
[   0.0165 ] Boot Rom communication failed
[   5.1605 ] 
[   5.1606 ] Send tboot failed. Bootrom is likely not running, try to detect whether mb1/mb2/cpubl is running.
[   6.1644 ] tegrarcm_v2 --isapplet

It’s simply stuck forver on [ 1.0163 ] tegrarcm_v2 --isapplet after Boot Rom communication failed
I thought that it has to do something with USB but I have tried these things with no luck:

  • Jetson Nano Devkit
  • Custom TX2NX board
  • Ubuntu 18.04 Native installation
  • Ubuntu 18.04 VM
  • 3 different TX2NX’s (yes, I’m sure that they haven’t been fused before)

Keep in mind that flashing works fine, it’s just the fusing. I know that it’s specifically the part, which checks fuses because simple odmfuseread.sh is not working as well with the same issue.

sudo ./odmfuseread.sh -i 0x18 jetson-xavier-nx-devkit-tx2-nx

What could I do here?

2

UPDATE: I think I figured out what’s the issue. Whenever the script calls this part more than once, it freezes up:

[   0.0021 ] Generating RCM messages
[   0.0043 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 0 --download rcm /home/flasher/nvidia/nvidia_sdk/JetPack_4.6.5_Linux_JETSON_TX2_TARGETS/Linux_for_Tegra/bootloader/mb1_recovery_prod.bin 0 0
[   0.0047 ] RCM 0 is saved as rcm_0.rcm
[   0.0049 ] RCM 1 is saved as rcm_1.rcm
[   0.0049 ] List of rcm files are saved in rcm_list.xml
[   0.0049 ] 
[   0.0049 ] Signing RCM messages
[   0.0069 ] tegrasign_v3.py --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0069 ] Assuming zero filled SBK key
[   0.0105 ] Copying signature to RCM mesages
[   0.0124 ] tegrarcm_v2 --chip 0x18 0 --updatesig rcm_list_signed.xml
[   0.0134 ] 
[   0.0134 ] Boot Rom communication 123
[   0.0152 ] tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml --skipuid
[   0.0157 ] RCM version 0X180001
[   0.0180 ] Boot Rom communication completed

For example, I just managed to get ./odmfuse.sh to work by disabling the first ./odmfuse.sh script part, which calls tegraflash_dump emmc in tegraflash_internal.py. I just launched it once without the return, it generated all it needed. Then added return and now it skips the step for dumping eeprom and as the actual fuse readout calls new Boot Rom communication for the first time, it now works.

def tegraflash_dump(args, dump_args):
+    return

    values.update(args)
    if dump_args[0] == 'ram' and int(values['--chip'], 0) == 0x18:
            tegraflash_dumpram_t18x(dump_args[1:])
            return

    is_pdf = (dump_args[0] == 'eeprom')
    ...

However, now I have the same problem for flashing. It fails on Boot Rom communication, I’m yet to find if I can disable something or at least split the process into 2 processes.

The main takeaway is this - Boot Rom communication can’t happen more than once in single process, else it freezes up!

4

hello therealmatiss,

could you please refer to README_secureboot.txt,
it demonstrates the steps we’ve test and confirm on TX2 NX.
for instance,

========================================================================
Step-by-step Signing and Flashing in offline mode:
========================================================================
1. Run following command to encrypt and sign bootloader images in offline mode
   $ sudo BOARDID=3636 FAB=300 BOARDSKU=0001 ./odmfuse.sh --noburn -i 0x18 --auth NS \
     --disable-jtag -p -k rsa_priv.pem -S sbk.key jetson-xavier-nx-devkit-tx2-nx
2. Extract fuseblob to local host
   $ sudo tar xpf fuseblob.tbz2
3. Execute fuse command script to burn fuse
   $ sudo ./fusecmd.sh
4. Create image locally for flashing
   $ sudo BOARDID=3636 FAB=300 BOARDSKU=0001 ./flash.sh --no-flash -u ./rsa_priv.pem \
    -v ./sbk.key jetson-xavier-nx-devkit-tx2-nx mmcblk0p1
5. Enter the image folder and flashing the target.
   $ cd bootloader
   $ sudo bash ./flashcmd.txt
1 Like
5

I just did exactly these steps and I’m stuck on step 3 sudo ./fusecmd.sh and I have the exact same problem as I mentioned before. Tried with different TX2NX’s and native Ubuntu 18.04 & VM Ubuntu 18.04.

Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
 
[   0.0022 ] Burning fuses
[   0.0023 ] Generating RCM messages
[   0.0046 ] tegrarcm_v2 --listrcm rcm_list.xml --chip 0x18 0 --download rcm mb1_recovery_prod.bin 0 0
[   0.0052 ] RCM 0 is saved as rcm_0.rcm
[   0.0054 ] RCM 1 is saved as rcm_1.rcm
[   0.0055 ] List of rcm files are saved in rcm_list.xml
[   0.0055 ] 
[   0.0055 ] Signing RCM messages
[   0.0078 ] tegrasign_v3.py --key None --list rcm_list.xml --pubkeyhash pub_key.key
[   0.0079 ] Assuming zero filled SBK key
[   0.0113 ] Copying signature to RCM mesages
[   0.0132 ] tegrarcm_v2 --chip 0x18 0 --updatesig rcm_list_signed.xml
[   0.0141 ] 
[   0.0141 ] Boot Rom communication
[   0.0162 ] tegrarcm_v2 --chip 0x18 0 --rcm rcm_list_signed.xml
[   0.0167 ] BR_CID: 0xe1801001640cf1c310000000020280c0
[   0.0173 ] RCM version 0X13
[   0.0197 ] Boot Rom communication failed
[   5.0295 ] 
[   5.0295 ] Send tboot failed. Bootrom is likely not running, try to detect whether mb1/mb2/cpubl is running.
[   6.0334 ] tegrarcm_v2 --isapplet         <--- Stuck here forever
6

hello therealmatiss,

is it possible to test on TX2 NX developer kit?
or… could you please try another USB cable since it’s USB communication issue.

7

TX2NX doesn’t have a developer kit. We are using Jetson Nano Devkits for TX2NX. Unfortunately we don’t have a Jetson Xavier NX Devkit. Also tried different USB cables in different ports, which have different controllers.

I did managed to fuse manually using this command:

sudo FAB=300 BOARDID=3636 BOARDSKU=0001 ./odmfuse.sh -i 0x18 -p -k /home/flasher/keys/rsa_priv.pem -S /home/flasher/keys/sbk.xml jetson-xavier-nx-devkit-tx2-nx

I run it once to dump the eMMC. The first time ./odmfuse.sh calls Boot ROM communication is to run tegraflash_internal.py function tegraflash_dump(args, dump_args) at line 1347. It reads the eMMC fine because it’s the first Boot ROM communication and it gets stuck on second Boot ROM communication when it actually tries to flash. Then I stop the script and add return straight after line 1347 (so it skips eMMC dump - I suppose it saves something for the first time so it doesn’t fail to fuse). And I run the script the second time - so it completely skips the first Boot ROM communication for eMMC dump and goes straight to fusing, which works because Boot ROM communication is called only once.

The steps 4. and 5. you provided do work for me fine, I forgot to mention - no problems with flashing.

The underlying problem is that Boot ROM communication more than once in a single process is not working - this is very weird.

Technically with my fusing script workaround - I can successfully get SecureBoot to work - well at least I think so. odmfuseread.sh does show public key and 0xFFs on the output - and it does boot up after flashing using your 4. and 5. commands.

8

hello therealmatiss,

just an FYI, there’ll be USB connection/disconnection for several times during the image flashing process.

that is expected for security concern. if these fuses can be read out after burning, that will be a huge security vulnerability.

1 Like
9

Thanks for your quick responses, Jerry!

Yeah, I figured it out that it does restart in the middle - that’s probably what’s causing it. I don’t know, maybe something happened with Ubuntu 18.04 latest repositories and something with USB drivers have been updated. Could there be differences using Jetson Nano Devkit vs Jetson Xavier NX Devkit?

Of course, I understand that.

11

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.