Hello I have flashed an Orin NX board with burned fuses and uefi secureboot in JP6.1, L4T 36.4. It boots successfully but I need to update my kernel and dtb. I tried manually signing Image and dtb files then sending them over to the target but I get errors at boot like:
ExtLinuxBoot: Unable to load image: \boot\Image Access Denied
I didn’t find a concrete procedure to do this in the documentation. What are the steps I need to follow to update kernel and dtb on an already flashed board ?
Thanks for the help
hello lylian.brunet,
that’s due to partition update has disabled once you’ve bootloader secureboot enabled.
you may give it a try for running capsule update, please see-also developer guide, Generate a Capsule Payload with UEFI Secure Boot Enabled.
Hello,
I tried a capsule update. I see no errors during the process but the target still boots the default kernel.
The steps I followed are:
- Replace the ${L4T_dir}/kernel/Image file by my image
- Add my dtb to the ${L4T_dir}/kernel/dtb directory
- create a custom config that
source "${LDK_DIR}/jetson-orin-nano-devkit-nvme.conf" and add the line DTBFILE="tegra234-p3767-0000-custom.dtb"
- Create the BUP
sudo ./build_l4t_bup.sh -u pkc0_ecp521.pem -v SBK.key custom-config nvme0n1p1
- Generate the capsules:
./generate_capsule/l4t_generate_soc_capsule.sh -i bootloader/payloads_t23x/bl_only_payload -o ./TEGRA_BL.Cap t234 and same with kernel_only_payload
- Send them both to the target and trigger the capsule:
sudo nv_bootloader_capsule_updater.sh -q TEGRA_BL.Cap same for the kernel. I get a warning at this step Warning: Cannot get compatible board name.
- reboot
From there, on serial, I had an update progress at boot but after all that it still booted the wrong kernel.
Any idea of what could be missing?
Thanks
hello lylian.brunet,
is it a customize board? may I know what’s the flash command-line? there should be a custom config for image flashing, right?
could you please running below to dump the BUP content for checking.
$ ./bootloader/BUP_generator.py -c bootloader/payloads_t23x/bl_only_payload
Hello,
Yes it is a custom board, that is why we need a custom kernel/dtb.
I flash in 3 steps:
./tools/kernel_flash/l4t_initrd_flash.sh -u sb_keys/pkc0_ecp521.pem -v sb_keys/SBK.key --uefi-keys uefi_keys/uefi_keys.conf --showlogs --no-flash -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" --network usb0 custom-config internal
ROOTFS_ENC=1 ./tools/kernel_flash/l4t_initrd_flash.sh -u sb_keys/pkc0_ecp521.pem -v sb_keys/SBK.key --uefi-keys uefi_keys/uefi_keys.conf --uefi-enc uefi_keys/user-uefi-enc.key -i uefi_keys/user-disk-enc.key --showlogs --no-flash --external-device nvme0n1p1 -c tools/kernel_flash/flash_l4t_t234_nvme_rootfs_enc.xml --external-only --append --network usb0 custom-config external
./tools/kernel_flash/l4t_initrd_flash.sh --showlogs -u sb_keys/pkc0_ecp521.pem -v sb_keys/SBK.key --network usb0 --flash-only
This is the content of the custom-config.conf:
source "${LDK_DIR}/jetson-orin-nano-devkit-nvme.conf";
OVERLAY_DTB_FILE=L4TConfiguration.dtbo,tegra234-carveouts.dtbo,tegra-optee.dtbo
PINMUX_CONFIG="custom-pinmux.dtsi";
CMDLINE_ADD+=" net.ifnames=0"
And this is the output of the BUP_generator command:
BLOB HEADER:
Magic: NVIDIA__BLOB__V3
Version: v3.1-2022.6-0 (0x01030622)
Blob Size: 37,008,289 bytes
Header Size: 48 bytes
Entry Count: 90 partition(s)
Type: 0 (0 for update, 1 for BMP)
Uncompressed
Blob Size: 37,008,289 bytes
Accessory: 0x0000000000000000
ENTRY TABLE:
| part_name | offset | part_size | version | op_mode | tnspec |
| BCT | 16608 | 8192 | 3640 | 2 | 3767-000-0000--1-0-jetson-orin-nano-devkit- |
| BCT | 24800 | 8192 | 3640 | 2 | 3767-000-0001--1-0-jetson-orin-nano-devkit- |
| BCT | 32992 | 8192 | 3640 | 2 | 3767-000-0003--1-0-jetson-orin-nano-devkit- |
| BCT | 41184 | 8192 | 3640 | 2 | 3767-000-0004--1-0-jetson-orin-nano-devkit- |
| BCT | 49376 | 8192 | 3640 | 2 | 3767-000-0005--1-0-jetson-orin-nano-devkit- |
| BCT_A | 57568 | 8192 | 3640 | 2 | 3767-000-0000--1-0-jetson-orin-nano-devkit- |
| BCT_A | 65760 | 8192 | 3640 | 2 | 3767-000-0001--1-0-jetson-orin-nano-devkit- |
| BCT_A | 73952 | 8192 | 3640 | 2 | 3767-000-0003--1-0-jetson-orin-nano-devkit- |
| BCT_A | 82144 | 8192 | 3640 | 2 | 3767-000-0004--1-0-jetson-orin-nano-devkit- |
| BCT_A | 90336 | 8192 | 3640 | 2 | 3767-000-0005--1-0-jetson-orin-nano-devkit- |
| BCT_B | 98528 | 8192 | 3640 | 2 | 3767-000-0000--1-0-jetson-orin-nano-devkit- |
| BCT_B | 106720 | 8192 | 3640 | 2 | 3767-000-0001--1-0-jetson-orin-nano-devkit- |
| BCT_B | 114912 | 8192 | 3640 | 2 | 3767-000-0003--1-0-jetson-orin-nano-devkit- |
| BCT_B | 123104 | 8192 | 3640 | 2 | 3767-000-0004--1-0-jetson-orin-nano-devkit- |
| BCT_B | 131296 | 8192 | 3640 | 2 | 3767-000-0005--1-0-jetson-orin-nano-devkit- |
| mb1 | 139488 | 282768 | 3640 | 2 | 3767-000-0000--1-0-jetson-orin-nano-devkit- |
| mb1 | 422256 | 282768 | 3640 | 2 | 3767-000-0001--1-0-jetson-orin-nano-devkit- |
| mb1 | 705024 | 282768 | 3640 | 2 | 3767-000-0003--1-0-jetson-orin-nano-devkit- |
| mb1 | 987792 | 282768 | 3640 | 2 | 3767-000-0004--1-0-jetson-orin-nano-devkit- |
| mb1 | 1270560 | 282768 | 3640 | 2 | 3767-000-0005--1-0-jetson-orin-nano-devkit- |
| psc_bl1 | 1553328 | 123008 | 3640 | 2 | |
| MB1_BCT | 1676336 | 17600 | 3640 | 0 | 3767-000-0000--1-0-jetson-orin-nano-devkit- |
| MB1_BCT | 1693936 | 17824 | 3640 | 0 | 3767-000-0001--1-0-jetson-orin-nano-devkit- |
| MB1_BCT | 1711760 | 17600 | 3640 | 0 | 3767-000-0003--1-0-jetson-orin-nano-devkit- |
| MB1_BCT | 1729360 | 17600 | 3640 | 0 | 3767-000-0004--1-0-jetson-orin-nano-devkit- |
| MB1_BCT | 1746960 | 17600 | 3640 | 0 | 3767-000-0005--1-0-jetson-orin-nano-devkit- |
| MEM_BCT | 1764560 | 243712 | 3640 | 0 | 3767-000-0000--1-0-jetson-orin-nano-devkit- |
| MEM_BCT | 2008272 | 243712 | 3640 | 0 | 3767-000-0001--1-0-jetson-orin-nano-devkit- |
| MEM_BCT | 2251984 | 243712 | 3640 | 0 | 3767-000-0003--1-0-jetson-orin-nano-devkit- |
| MEM_BCT | 2495696 | 243712 | 3640 | 0 | 3767-000-0004--1-0-jetson-orin-nano-devkit- |
| MEM_BCT | 2739408 | 243712 | 3640 | 0 | 3767-000-0005--1-0-jetson-orin-nano-devkit- |
| tsec-fw | 2983120 | 176128 | 3640 | 0 | |
| nvdec | 3159248 | 294912 | 3640 | 2 | |
| mb2 | 3454160 | 440944 | 3640 | 0 | 3767-000-0000--1-0-jetson-orin-nano-devkit- |
| mb2 | 3895104 | 440944 | 3640 | 0 | 3767-000-0001--1-0-jetson-orin-nano-devkit- |
| mb2 | 4336048 | 440944 | 3640 | 0 | 3767-000-0003--1-0-jetson-orin-nano-devkit- |
| mb2 | 4776992 | 440944 | 3640 | 0 | 3767-000-0004--1-0-jetson-orin-nano-devkit- |
| mb2 | 5217936 | 440944 | 3640 | 0 | 3767-000-0005--1-0-jetson-orin-nano-devkit- |
| xusb-fw | 5658880 | 164864 | 3640 | 2 | |
| bpmp-fw | 5823744 | 1027008 | 3640 | 2 | 3767-000-0000--1-0-jetson-orin-nano-devkit- |
| bpmp-fw | 6850752 | 1027008 | 3640 | 2 | 3767-000-0001--1-0-jetson-orin-nano-devkit- |
| bpmp-fw | 7877760 | 1027008 | 3640 | 2 | 3767-000-0003--1-0-jetson-orin-nano-devkit- |
| bpmp-fw | 8904768 | 1027008 | 3640 | 2 | 3767-000-0004--1-0-jetson-orin-nano-devkit- |
| bpmp-fw | 9931776 | 1027008 | 3640 | 2 | 3767-000-0005--1-0-jetson-orin-nano-devkit- |
| bpmp-fw-dtb | 10958784 | 383296 | 3640 | 0 | 3767-000-0000--1-0-jetson-orin-nano-devkit- |
| bpmp-fw-dtb | 11342080 | 263488 | 3640 | 0 | 3767-000-0001--1-0-jetson-orin-nano-devkit- |
| bpmp-fw-dtb | 11605568 | 204736 | 3640 | 0 | 3767-000-0003--1-0-jetson-orin-nano-devkit- |
| bpmp-fw-dtb | 11810304 | 204672 | 3640 | 0 | 3767-000-0004--1-0-jetson-orin-nano-devkit- |
| bpmp-fw-dtb | 12014976 | 204736 | 3640 | 0 | 3767-000-0005--1-0-jetson-orin-nano-devkit- |
| psc-fw | 12219712 | 310768 | 3640 | 2 | |
| mts-mce | 12530480 | 187120 | 3640 | 2 | |
| sc7 | 12717600 | 186880 | 3640 | 2 | |
| pscrf | 12904480 | 122464 | 3640 | 2 | |
| mb2rf | 13026944 | 122720 | 3640 | 0 | |
| cpu-bootloader | 13149664 | 3304560 | 3640 | 0 | 3767-000-0000--1-0-jetson-orin-nano-devkit- |
| cpu-bootloader | 16454224 | 3300096 | 3640 | 0 | 3767-000-0001--1-0-jetson-orin-nano-devkit- |
| cpu-bootloader | 19754320 | 3304576 | 3640 | 0 | 3767-000-0003--1-0-jetson-orin-nano-devkit- |
| cpu-bootloader | 23058896 | 3304576 | 3640 | 0 | 3767-000-0004--1-0-jetson-orin-nano-devkit- |
| cpu-bootloader | 26363472 | 3304544 | 3640 | 0 | 3767-000-0005--1-0-jetson-orin-nano-devkit- |
| secure-os | 29668016 | 1887312 | 3640 | 0 | |
| eks | 31555328 | 9232 | 3640 | 0 | |
| dce-fw | 31564560 | 781408 | 3640 | 0 | 3767-000-0000--1-0-jetson-orin-nano-devkit- |
| dce-fw | 32345968 | 774048 | 3640 | 0 | 3767-000-0001--1-0-jetson-orin-nano-devkit- |
| dce-fw | 33120016 | 781424 | 3640 | 0 | 3767-000-0003--1-0-jetson-orin-nano-devkit- |
| dce-fw | 33901440 | 781424 | 3640 | 0 | 3767-000-0004--1-0-jetson-orin-nano-devkit- |
| dce-fw | 34682864 | 781392 | 3640 | 0 | 3767-000-0005--1-0-jetson-orin-nano-devkit- |
| spe-fw | 35464256 | 270336 | 3640 | 0 | |
| rce-fw | 35734592 | 458096 | 3640 | 0 | |
| adsp-fw | 36192688 | 415232 | 3640 | 0 | |
| pva-fw | 36607920 | 67024 | 3640 | 0 | |
| BCT-boot-chain_backup | 36674944 | 32768 | 3640 | 2 | 3767-000-0000--1-0-jetson-orin-nano-devkit- |
| BCT-boot-chain_backup | 36707712 | 32768 | 3640 | 2 | 3767-000-0001--1-0-jetson-orin-nano-devkit- |
| BCT-boot-chain_backup | 36740480 | 32768 | 3640 | 2 | 3767-000-0003--1-0-jetson-orin-nano-devkit- |
| BCT-boot-chain_backup | 36773248 | 32768 | 3640 | 2 | 3767-000-0004--1-0-jetson-orin-nano-devkit- |
| BCT-boot-chain_backup | 36806016 | 32768 | 3640 | 2 | 3767-000-0005--1-0-jetson-orin-nano-devkit- |
| secondary_gpt_backup | 36838784 | 16896 | 3640 | 0 | 3767-000-0000--1-0-jetson-orin-nano-devkit- |
| secondary_gpt_backup | 36855680 | 16896 | 3640 | 0 | 3767-000-0001--1-0-jetson-orin-nano-devkit- |
| secondary_gpt_backup | 36872576 | 16896 | 3640 | 0 | 3767-000-0003--1-0-jetson-orin-nano-devkit- |
| secondary_gpt_backup | 36889472 | 16896 | 3640 | 0 | 3767-000-0004--1-0-jetson-orin-nano-devkit- |
| secondary_gpt_backup | 36906368 | 16896 | 3640 | 0 | 3767-000-0005--1-0-jetson-orin-nano-devkit- |
| VER | 36923264 | 109 | 3640 | 0 | 3767-000-0000--1-0-jetson-orin-nano-devkit- |
| VER | 36923373 | 109 | 3640 | 0 | 3767-000-0001--1-0-jetson-orin-nano-devkit- |
| VER | 36923482 | 109 | 3640 | 0 | 3767-000-0003--1-0-jetson-orin-nano-devkit- |
| VER | 36923591 | 109 | 3640 | 0 | 3767-000-0004--1-0-jetson-orin-nano-devkit- |
| VER | 36923700 | 109 | 3640 | 0 | 3767-000-0005--1-0-jetson-orin-nano-devkit- |
| secondary_gpt | 36923809 | 16896 | 3640 | 0 | 3767-000-0000--1-0-jetson-orin-nano-devkit- |
| secondary_gpt | 36940705 | 16896 | 3640 | 0 | 3767-000-0001--1-0-jetson-orin-nano-devkit- |
| secondary_gpt | 36957601 | 16896 | 3640 | 0 | 3767-000-0003--1-0-jetson-orin-nano-devkit- |
| secondary_gpt | 36974497 | 16896 | 3640 | 0 | 3767-000-0004--1-0-jetson-orin-nano-devkit- |
| secondary_gpt | 36991393 | 16896 | 3640 | 0 | 3767-000-0005--1-0-jetson-orin-nano-devkit- |
hello lylian.brunet,
please double check the board info parsed by flash process.
it’ll report as following..
# Board ID(3767) version(600) sku(1000) revision(A.0)
# Preset RAMCODE is 0
# Chip SKU(00:00:00:D6) ramcode(0) fuselevel(fuselevel_production) board_FAB(600)
since it is a custom board, is your board info also included in that TNSPEC from BUP_generator?
for instance.. 3767-000-000X--1-0-jetson-orin-nano-devkit-
Hello JerryChang,
The board info from the flashing process is as follows:
Board ID(3767) version(300) sku(0001) revision(S.1)
Preset RAMCODE is 2
Chip SKU(00:00:00:D4) ramcode(2) fuselevel(fuselevel_production) board_FAB(300)
The contents of /etc/nv_boot_control.conf are:
TNSPEC 3767-300-0001-S.1-1-1-custom-config-
COMPATIBLE_SPEC 3767--0001--1--custom-config-
TEGRA_BOOT_STORAGE nvme0n1
TEGRA_CHIPID 0x23
TEGRA_OTA_BOOT_DEVICE /dev/mtdblock0
TEGRA_OTA_GPT_DEVICE /dev/mtdblock0
I then modified jetson_board_spec.cfg to add my config. Now tnspec matches perfectly between the payload and the device. I have 3767-300-0001-S.1-1-1-custom-config- on both.
BLOB HEADER:
Magic: NVIDIA__BLOB__V3
Version: v3.1-2022.6-0 (0x01030622)
Blob Size: 11,239,821 bytes
Header Size: 48 bytes
Entry Count: 30 partition(s)
Type: 0 (0 for update, 1 for BMP)
Uncompressed
Blob Size: 11,239,821 bytes
Accessory: 0x0000000000000000
ENTRY TABLE:
| part_name | offset | part_size | version | op_mode | tnspec |
| BCT | 5568 | 8192 | 3640 | 2 | 3767-300-0001-S.1-1-1-custom-config- |
| BCT_A | 13760 | 8192 | 3640 | 2 | 3767-300-0001-S.1-1-1-custom-config- |
| BCT_B | 21952 | 8192 | 3640 | 2 | 3767-300-0001-S.1-1-1-custom-config- |
| mb1 | 30144 | 282768 | 3640 | 2 | 3767-300-0001-S.1-1-1-custom-config- |
| psc_bl1 | 312912 | 123008 | 3640 | 2 | |
| MB1_BCT | 435920 | 17824 | 3640 | 0 | 3767-300-0001-S.1-1-1-custom-config- |
| MEM_BCT | 453744 | 243712 | 3640 | 0 | 3767-300-0001-S.1-1-1-custom-config- |
| tsec-fw | 697456 | 176128 | 3640 | 0 | |
| nvdec | 873584 | 294912 | 3640 | 2 | |
| mb2 | 1168496 | 440944 | 3640 | 0 | 3767-300-0001-S.1-1-1-custom-config- |
| xusb-fw | 1609440 | 164864 | 3640 | 2 | |
| bpmp-fw | 1774304 | 1027008 | 3640 | 2 | 3767-300-0001-S.1-1-1-custom-config- |
| bpmp-fw-dtb | 2801312 | 263488 | 3640 | 0 | 3767-300-0001-S.1-1-1-custom-config- |
| psc-fw | 3064800 | 310768 | 3640 | 2 | |
| mts-mce | 3375568 | 187120 | 3640 | 2 | |
| sc7 | 3562688 | 186880 | 3640 | 2 | |
| pscrf | 3749568 | 122464 | 3640 | 2 | |
| mb2rf | 3872032 | 122720 | 3640 | 0 | |
| cpu-bootloader | 3994752 | 3297120 | 3640 | 0 | 3767-300-0001-S.1-1-1-custom-config- |
| secure-os | 7291872 | 1887312 | 3640 | 0 | |
| eks | 9179184 | 9232 | 3640 | 0 | |
| dce-fw | 9188416 | 774048 | 3640 | 0 | 3767-300-0001-S.1-1-1-custom-config- |
| spe-fw | 9962464 | 270336 | 3640 | 0 | |
| rce-fw | 10232800 | 458096 | 3640 | 0 | |
| adsp-fw | 10690896 | 415232 | 3640 | 0 | |
| pva-fw | 11106128 | 67024 | 3640 | 0 | |
| BCT-boot-chain_backup | 11173152 | 32768 | 3640 | 2 | 3767-300-0001-S.1-1-1-custom-config- |
| secondary_gpt_backup | 11205920 | 16896 | 3640 | 0 | 3767-300-0001-S.1-1-1-custom-config- |
| VER | 11222816 | 109 | 3640 | 0 | 3767-300-0001-S.1-1-1-custom-config- |
| secondary_gpt | 11222925 | 16896 | 3640 | 0 | 3767-300-0001-S.1-1-1-custom-config- |
Still no changes after the capsule update tho.
I went into the bios to change the boot method from extlinux to kernel partition since it seems like we are trying to modify those partitions. I get an error at boot:
��L4TLauncher: Attempting Kernel Boot
DTB signature invalid
EFI stub: Booting Linux Kernel...
It still boots afterwards but with the old kernel
hello lylian.brunet,
it’s suggest to update l4t_generate_ota_package.sh and ota_board_specs.conf for customize board to create OTA payloads.
here’s an example, please update CUSTOMIZE_JETSON , and customize-jetson to your board name accordingly.
--
scripts/ota-scripts/l4t_generate_ota_package.sh
scripts/ota-scripts/ota_board_specs.conf
diff --git a/scripts/ota-scripts/l4t_generate_ota_package.sh b/scripts/ota-scripts/l4t_generate_ota_package.sh
index ff920550..e4819b29 100755
--- a/scripts/ota-scripts/l4t_generate_ota_package.sh
+++ b/scripts/ota-scripts/l4t_generate_ota_package.sh
@@ -217,6 +217,8 @@ function construct_board_spec_name()
'jetson-agx-orin-devkit:0005'
'jetson-orin-nano-devkit:0001'
'jetson-orin-nano-devkit:0003'
'jetson-orin-nano-devkit:0004'
'jetson-orin-nano-devkit:0005'
'jetson-agx-orin-devkit-industrial:0008'
+ 'customize-jetson:0001' <=== must be the correct board sku.
@@ -1097,6 +1099,7 @@ function construct_board_spec_entry()
# For other devices, only keep the board spec entry for
# internal device.
if [[ "${item}" =~ jetson-orin-nano-devkit ]] \
+ || [[ "${item}" =~ customize-jetson ]] \
|| [[ "${item}" =~ internal ]]; then
echo "'${item}'" >>"${tmp_board_spec_file}"
fi
diff --git a/scripts/ota-scripts/ota_board_specs.conf b/scripts/ota-scripts/ota_board_specs.conf
index e3226326..a8d370c0 100644
--- a/scripts/ota-scripts/ota_board_specs.conf
+++ b/scripts/ota-scripts/ota_board_specs.conf
@@ -79,6 +79,15 @@
# customize-jetson
+ customize_jetson_ota_emmc_r36_spec=(
+ # customize-jetson
+
'boardid=3767;fab=300;boardsku=0001;boardrev=;fuselevel_s=1;chiprev=;chipsku=00:00:00:D4;board=customize-jetson;rootdev=nvme0n1p1;bup_type=bl;signed_img_dir=images-R36-ToT'
+)
+ CUSTOMIZE_JETSON_R36_3_ALIAS="customize_jetson_ota_emmc_r36_spec"
+ CUSTOMIZE_JETSON_R36_4_ALIAS="customize_jetson_ota_emmc_r36_spec"
@@ -101,4 +110,5 @@ T23X_DEVICES=(
'JETSON_AGX_ORIN_DEVKIT'
'JETSON_AGX_ORIN_DEVKIT_INDUSTRIAL'
'JETSON_ORIN_NANO_DEVKIT'
+ 'CUSTOMIZE_JETSON'
)
--
Hello JerryChang,
So I should make a full OTA ?
Those are very heavy (10GB with my custom rootfs) and seems overkill just to update a kernel Image and dtb.
Is there any solution that would be more lightweight ? When we will be going to prod, we will have some boards connected over a bad 4G connection. Uploading 10GB is not really reliable.
Also still no changes concerning the Image that is booted even with the OTA unfortunately. Would it be booting from kernel partition or extlinux. I even had to change that as is defaulted to rebooting from recovery partition after ota. From what I am seeing Image is not contained inside the archives generated in bootloader/uefi_overlay/ so I don’t know if it gets updated.
Are there more steps that I should follow?
Thank you
hello lylian.brunet,
you may generate the OTA payload package that updates the bootloader only.
it’s my concerns for customized board to create OTA payloads.
Hello JerryChang,
I made the bootloader ota which is indeed way smaller.
After triggering it, just like with the capsule update I had the “update progress” at reboot but it still didn’t boot using my kernel.
Here are the logs from the ota:
sudo ./nv_ota_start.sh ./ota_payload_package.tar.gz
Command: ./nv_ota_start.sh ./ota_payload_package.tar.gz
/usr/bin/efibootmgr
/usr/bin/efibootdump
/usr/sbin/nvme
Current rootfs is on /dev/nvme0n1
init_ota_log /ota_log
Create log file at /ota_log/ota_20250521-100227.log
OTA_LOG_FILE=/ota_log/ota_20250521-100227.log
Extract ./ota_payload_package.tar.gz
update_nv_boot_control_in_rootfs /ota_work
Warning: Cannot get compatible board name.
3767--0001--1--custom-config-
TNSPEC 3767-300-0001-S.1-1-1-custom-config-
COMPATIBLE_SPEC 3767--0001--1--custom-config-
TEGRA_BOOT_STORAGE nvme0n1
TEGRA_CHIPID 0x23
TEGRA_OTA_BOOT_DEVICE /dev/mtdblock0
TEGRA_OTA_GPT_DEVICE /dev/mtdblock0
Info: Write TegraPlatformCompatSpec with 3767--0001--1--custom-config-.
Info: The esp is already mounted to /boot/efi.
check_prerequisites
decompress_ota_package ota_package.tar /ota_work
decompress_ota_package: start at Wed May 21 10:02:32 CEST 2025
Sha1 checksum for /ota_work/ota_package.tar (c7b505affe96a1cc87c6dd971150839c40733a7e) matches
decompress_ota_package: end at Wed May 21 10:02:35 CEST 2025
Copying /home/nvidia/ota/uefi_secureboot_overlay_multi_specs.tar.gz into /ota_work
'/home/nvidia/ota/uefi_secureboot_overlay_multi_specs.tar.gz' -> '/ota_work/uefi_secureboot_overlay_multi_specs.tar.gz'
nv_ota_update_implement.sh
Command: nv_ota_update_implement.sh
check_target_board /ota_work TARGET_BOARD
get_chip_id CHIP_ID
ota_choose_images /ota_work
COMPATIBLE_SPEC=3767--0001--1--custom-config-
TEGRA_CHIPID=0x23
_BOARD_SPEC_NAME=3767--0001-
Copy files from ./images-R36-ToT/3767--0001-/ to ./images-R36-ToT/
Copy 3767--0001-/uefi_secureboot_overlay.tar.gz into /ota_work
'3767--0001-/uefi_secureboot_overlay.tar.gz' -> '/ota_work/uefi_secureboot_overlay.tar.gz'
Copy /tmp/uefi_sb_tmp/uuids_list.txt into /ota_work
'/tmp/uefi_sb_tmp/uuids_list.txt' -> '/ota_work/uuids_list.txt'
is_rootfs_a_b_enabled ROOTFS_AB_ENABLED ROOTFS_CURRENT_SLOT
ROOTFS_AB_ENABLED=0
ROOTFS_CURRENT_SLOT=0
is_rootfs_encryption_enabled ROOTFS_ENC_ENABLED
ROOTFS_ENC_ENABLED=1
get_update_slot UPDATE_SLOT
UPDATE_SLOT=B
get_update_control /ota_work UPDATE_BOOTLOADER UPDATE_ROOTFS
UPDATE_BOOTLOADER=1, UPDATE_ROOTFS=0
check_bootloader_version /ota_work
update_bootloader /ota_work
trigger_uefi_capsule_update /ota_work /dev/nvme0n1
Mount esp partition on /opt/nvidia/esp
Copying /ota_work/TEGRA_BL.Cap into /opt/nvidia/esp/EFI/UpdateCapsule
Triggering UEFI capsule update by writing \x07\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00 to UEFI variable OsIndications-8be4df61-93ca-11d2-aa0d-00e098032b8c
dd if=/tmp/var_tmp.bin of=OsIndications-8be4df61-93ca-11d2-aa0d-00e098032b8c bs=12
1+0 records in
1+0 records out
12 bytes copied, 0.00161434 s, 7.4 kB/s
Bootloader on non-current slot(B) is to be updated once device is rebooted
clean_up_ota_files
There is one line that looks interesting: Bootloader on non-current slot(B) is to be updated once device is rebooted
I don’t have ROOTFS_AB enabled so this doesn’t seems right.
Here is the output of sudo nvbootctrl dump-slots-info in case I missed something:
Current version: 36.4.0
Capsule update status: 1
Current bootloader slot: A
Active bootloader slot: A
num_slots: 2
slot: 0, status: normal
slot: 1, status: normal
Is there any way I can force the bootloader for slot A to be updated ? Is there anything else I should try ?
hello lylian.brunet,
it’s always have 2 bootloader slots, the OTA update will apply to _B partition.
please also note that,
Updating the bootloader is executed in UEFI. Once updating rootfs is finished, the device reboots, and then UEFI updates the bootloader through UEFI capsule update.
Once the UEFI capsule update is finished, the device reboots to the updated chain; otherwise, the device reboots to the original chain.
Hello JerryChang,
So if I understand correctly, if my ota is successful I should automatically boot on slot B? Are there messages That I can look for during the reboot that would indicate if the ota was successful or not and what slot I am booting?
hello lylian.brunet,
you may apply debug version UEFI binary, since the bootloader update was executed in UEFI.
please refer to Home · NVIDIA/edk2-nvidia Wiki · GitHub for the steps to rebuild UEFI binary.
Hello JerryChang,
I am part of the team of Lylian.brunet and will respond today. I built the uefi without docker on a native ubuntu22.04, combo ‘uefi-202502.0-updates’ as it is the last version for L4T 36.4 (Combos · NVIDIA/edk2-nvidia Wiki · GitHub).
I used these commands to build it:
edkrepo clone nvidia-uefi-36.4 NVIDIA-Platforms uefi-202502.0-updates
cd nvidia-uefi-36.4
edk2-nvidia/Platform/NVIDIA/Jetson/build.sh
Once built, I replaced the file ${L4T_dir}/bootloader/uefi_jetson.bin with the new uefi debug bin. Then re-flashed the board.
Here are the boot logs:
debug-uefi-boot.log (141.7 KB)
Could you help us find useful information from that log file? And if we successfully followed what you suggested.
Thank you
hello corentin.lengele,
here’s access denied failure.
let me re-cap the error logs as below.
��ExtLinuxBoot: Unable to load image: \boot\rc\Image Access Denied
L4TLauncher: Unable to boot via extlinux: Access Denied
is it file permission issue? you may double check the steps you updating kernel images.
Hello JerryChang,
The permissions are the same for the default Image and our Custom.
Based on my research an access denied could be caused by either a permission issue or a signature issue. Are the commands for preparing the Image and launching the flash described in this previous post correct ? (Update kernel and dtb with bootloader secureboot and uefi secureboot without reflashing - #6 by lylian.brunet) We execute these commands as root.
Do you think we miss something on these commands ?
In addition to the commands do we need to sign our custom Image with our uefi keys or should the commands handle it even for custom Image ?
Also a bit strange but in the flash logs, majority of the “not found” and failed part are path written with window like path “\” and not “/” as ubuntu usually do. But checking in our “*.conf” files, it’s always defined as “/” so the right one.
Thank you
hello corentin.lengele,
you may share your steps in details for cross check.