Updating kernel dtb without using Nvidia's flash.sh utility

I want to make changes to the device tree without having to connect the USB, put my Jetson TX2 in recovery, and use the flash.sh utility. I found a previous topic that covers this, but not for L4T 32.3.1.

Using information from this thread I was able to dump, decompile, modify, and recompile my device tree binary. But after writing the image back my Jetson wouldn’t boot due to what I think was a failure to authenticate the kernel dtb file:

[0001.597] I> Loading partition kernel-dtb at 0x80000000 from device(0x1)
[0001.614] I> Kernel_dtb @0x80000000
[0001.617] I> tegrabl_tca9539_init: i2c bus: 0, slave addr: 0xee
[0001.625] E> fetch_driver_phandle_from_dt: failed to get node with compatible ti,tca9539
[0001.636] E> fetch_driver_phandle_from_dt: failed to get node with compatible nxp,tca9539
[0001.644] W> tegrabl_tca9539_init: failed to fetch phandle from dt
[0001.650] I> tegrabl_tca9539_init: i2c bus: 0, slave addr: 0xe8
[0001.658] E> fetch_driver_phandle_from_dt: failed to get node with compatible ti,tca9539
[0001.668] E> fetch_driver_phandle_from_dt: failed to get node with compatible nxp,tca9539
[0001.676] W> tegrabl_tca9539_init: failed to fetch phandle from dt
[0001.684] I> fixed regulator driver initialized
[0001.711] I> register 'maxim' power off handle
[0001.716] I> virtual i2c enabled
[0001.719] I> registered 'maxim,max77620' pmic
[0001.724] I> tegrabl_gpio_driver_register: register 'max77620-gpio' driver
[0001.733] I> Find /i2c@c250000's alias i2c7
[0001.737] I> Reading eeprom i2c=7 address=0x50
[0001.767] I> Device at /i2c@c250000:0x50
[0001.771] I> create_pm_ids: id: 3310-1000-D00-J, len: 15
[0001.776] I> config: mem-type:00,power-config:00,misc-config:00,modem-config:00,touch-config:00,display-config:00,, len: 93
[0001.796] E> cannot find any other nvdisp nodes
[0001.800] E> no valid display unit config found in dtb
[0001.806] W> display init failed
[0001.809] initializing target
[0001.812] calling apps_init()
[0001.815] starting app kernel_boot_app
[0001.838] I> found decompressor handler: lz4-legacy
[0001.842] I> decompressing BMP blob ...
[0001.852] I> Kernel type = Normal
[0001.855] I> Loading partition kernel-bootctrl at 0xa8000000 from device(0x1)
[0001.869] W> tegrabl_get_kernel_bootctrl: magic number(0x00000000) is invalid
[0001.876] W> tegrabl_get_kernel_bootctrl: use default dummy boot control data
[0001.883] I> ########## Fixed storage boot ##########
[0001.888] I> Loading kernel from partition ...
[0001.892] W> No valid slot number is found in scratch register
[0001.898] W> Return default slot: _a
[0001.901] I> A/B: bin_type (24) slot 0
[0001.917] I> Boot image size read from image header: f2f08
[0001.922] I> Boot image load address: 0x0x80400000
[0001.927] I> Loading partition kernel at 0x80400000 from device(0x1)
[0002.869] I> Validate kernel ...
[0002.872] I> T18x: Authenticate kernel (bin_type 24), max size 0x4000000
[0002.880] I> kernel-dtb is already loaded
[0002.884] I> Validate kernel-dtb ...
[0002.887] I> T18x: Authenticate kernel-dtb (bin_type 21), max size 0x100000
[0002.894] E> Storage boot failed, err: 1077936141
[0002.899] E> A/B loader failure
[0002.902] E> tegrabl_display_shutdown: display is not initialized

Can someone tell me how to generate a dtb file with a valid header that can be copied to the kernel-dtb partition with dd?

hello charles,

you may use dd commands to overwrite the device tree (i.e. kernel-dtb) partition.
please note that, it’s expected if you overwrite the binary directly without encryption; all binaries for bootloader partitions should be signed and encrypted.

please refer to Flash Script Usage, you may enable the --no-flash option to generate files locally without flashing the board. you may furthermore enable the -k kernel-dtb option to process the specified partition.
for example,

$ sudo ./flash.sh --no-flash -r -k kernel-dtb jetson-tx2 mmcblk0p1
...
[   0.0757 ] Signed file: $OUT/Linux_for_Tegra/bootloader/tegra186-quill-p3310-1000-c03-00-base_sigheader.dtb.encrypt
*** tegra186-quill-p3310-1000-c03-00-base.dtb has been signed successfully. ***

you may copy this signed and encrypted binary via ssh to your target.
please check the partition labels for your device tree binary.
for example,

$ ls -al /dev/disk/by-partlabel
...
kernel-dtb -> ../../mmcblk0p30

please use the dd commands to overwrite it then perform a warm-reboot to make it work.
thanks


Thanks Jerry. I don’t seem to be able to recover from this. Reflashing my board back to default is failing with Error: missing kernel_fs()

I created a new topic for this error.

Hi, @JerryChang:
Do the DTB.encrypt and DTB overwrite to the same partition mmcblk0p30?

sudo dd if=./tegra186-quill-p3310-1000-c03-00-base_sigheader.dtb.encrypt of=/dev/mmcblk0p30
sudo dd if=./tegra186-quill-p3310-1000-c03-00-base_sigheader.dtb of=/dev/mmcblk0p30


hello ctelix,

that device tree binary should be signed and encrypted for kernel-dtb partition.
hence, please overwrite tegra186-quill-p3310-1000-c03-00-base_sigheader.dtb.encrypt to your mmcblk* partition.
thanks
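
Added example (not part of the original thread and not NVIDIA's tooling): a guarded version of the dd step described in the replies above, run on the target. It refuses a raw, unsigned DTB, checks that the image fits, backs up the current partition and verifies the write by reading it back; the function names and the backup path are assumptions.

```shell
#!/bin/sh
# Added example: guarded write of a signed DTB to the kernel-dtb partition.
# Assumptions: run as root on the target; helper names are hypothetical.

# Size in bytes of a block device or (for dry runs) a regular file.
size_of() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# Detect a raw, unsigned DTB: a flattened device tree starts with the
# magic bytes d0 0d fe ed. The boot log in this thread shows such an
# image failing at "Authenticate kernel-dtb".
is_raw_dtb() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "d00dfeed" ]
}

# write_dtb IMAGE TARGET BACKUP
# Returns 0 on a verified write, 2 for an unsigned image,
# 3 if the image is too large, 4 if the read-back does not match.
write_dtb() {
    img=$1; target=$2; backup=$3
    is_raw_dtb "$img" && { echo "refusing raw DTB: $img" >&2; return 2; }
    isz=$(size_of "$img"); tsz=$(size_of "$target")
    [ "$isz" -le "$tsz" ] || { echo "image larger than partition" >&2; return 3; }
    # Keep a copy of the current partition so a bad write can be rolled back.
    dd if="$target" of="$backup" bs=1M 2>/dev/null || return 1
    dd if="$img" of="$target" bs=1M conv=notrunc,fsync 2>/dev/null || return 1
    # Read back exactly the bytes written and compare them with the image.
    head -c "$isz" "$target" | cmp -s - "$img" || return 4
}

# Typical call on the target, using the partition label shown in the thread:
# write_dtb tegra186-quill-p3310-1000-c03-00-base_sigheader.dtb.encrypt \
#     "$(readlink -f /dev/disk/by-partlabel/kernel-dtb)" /root/kernel-dtb.bak
```

The magic-byte check only catches a plain DTB written by mistake; it does not validate the signature, which the bootloader does at the next boot.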

This:
sudo dd if=./tegra186-quill-p3310-1000-c03-00-base_sigheader.dtb.encrypt of=/dev/mmcblk0p30
worked for me