Using odmfuseread.sh using SBK Key

Hello,
I am new to using the Jetson Xavier module. I am running Linux revision R35.3.1. I burned the fuses following the developer guide. I burned the PBK, SBK, KEK1, KEK2 fuses and now I am unable to read the fuses back via ./odmfuseread.sh and the module is not booting up.

How I generated the PBK hash programmed to the fuse:
For an RSA key, you can also use tegrakeyhash program to generate PublicKeyHash value:
./tegrakeyhash --pkc <pkc.pem> --chip <chip_id>

Current status:
sudo ./odmfuseread.sh -i 0x19 jetson-agx-xavier-devkit
Error: Either PKC or SBK key is not provided for SBK+PKC protected target board.

sudo ./odmfuseread.sh -i 0x19 -k ./bootloader/rsa3k.pubkey -S SBK.xml jetson-agx-xavier-devkit
Error: ECID read failed.
The target board must be attached in RCM mode.

sudo ./odmfuseread.sh -i 0x19 -k ./bootloader/rsa3k.pem -S SBK.xml jetson-agx-xavier-devkit
This does better but errors out with return code 3. Please check the log.txt file attached for details.

Questions:

  1. How do we generate the SBK key? I have stored the hexadecimal values that I burned to the fuse per the developer guide in SBK.xml above.
  2. What is the file that is needed for the -k option, the private.pem file for RSA?
  3. I have saved my RSA privatekey.pem file and all other values programmed in the fuses via ./odmfuse. Is my board bricked?

Thanks!
log.txt (3.9 KB)

hello smithnephewdeveloper,

May I have more details regarding the log file below? What are the commands you’re running?

[   0.1236 ] RCM version 0X13
[   0.1523 ] Boot Rom communication failed
Error: Return value 3
Command tegrarcm_v2 --chip 0x19 0 --rcm rcm_list_signed.xml --skipuid
Reading board information failed.

This shows the error "Boot Rom communication failed".
Did you put the device into forced-recovery mode correctly?

Besides,
is this Jetson Xavier NX a production module (i.e. with internal eMMC)?
You may also see Topic 158361 for the steps to fuse and flash Xavier NX.

Hello @JerryChang,
Thanks for getting back.

  1. I am using a Jetson Xavier AGX development kit that uses internal eMMC.
  2. Did you put the device into forced-recovery mode correctly? - Yes, verified via lsusb as described in the user guide.
  3. I ran this command before the command in Step 4 below. It programmed the fuses.
    sudo ./odmfuse.sh -X Fuse_Config_Xavier.xml -i 0x19 jetson-agx-xavier-devkit
  4. The command run when the Boot Rom communication error was observed is below.
    sudo ./odmfuseread.sh -i 0x19 -k ./bootloader/rsa3k.pem -S SBK.xml jetson-agx-xavier-devkit
  5. How do we generate an SBK key? Can it be any random bytes as given in the user guide example? The user guide doesn't specify exactly how to generate the SBK.

hello smithnephewdeveloper,

I did see some similar topics reporting the same issue when running odmfuseread.sh to check the fuse values.
Anyway, could you please check the fuse values on the target? You may go to /sys/devices/platform/tegra-fuse/ for examination.

You may use a Hardware Security Module (HSM) to generate a truly random number for an SBK key,
or create a text file to specify the keys yourself. Note that the SBK key file is stored in big-endian hexadecimal format.
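
An added example of the key file handling the reply above describes; it is not part of the original thread and is not NVIDIA's code. It assumes the key file holds four space-separated 32-bit words in big-endian hex and that a fuse configuration takes the same 16 bytes as one hex string; the function names are hypothetical, and /dev/urandom stands in for the HSM.

```shell
#!/bin/sh
# SBK key file helpers (added example; four-word layout is an assumption).

# Print a fresh 128-bit key as four big-endian 32-bit hex words on one line.
gen_sbk_words() {
    hex=$(head -c 16 /dev/urandom | od -An -v -tx1 | tr -d ' \n')
    [ "${#hex}" -eq 32 ] || return 1
    printf '0x%s 0x%s 0x%s 0x%s\n' \
        "$(printf %s "$hex" | cut -c1-8)"   "$(printf %s "$hex" | cut -c9-16)" \
        "$(printf %s "$hex" | cut -c17-24)" "$(printf %s "$hex" | cut -c25-32)"
}

# Succeed only if $1 is exactly four 0x-prefixed, 8-digit hex words.
is_valid_sbk_words() {
    case $1 in *'
'*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^(0x[0-9A-Fa-f]{8} ){3}0x[0-9A-Fa-f]{8}$'
}

# Join the four words, in file order, into one 0x-prefixed 128-bit string
# so the key file can be compared with the value written in a fuse config.
sbk_words_to_fuse_value() {
    is_valid_sbk_words "$1" || { echo "malformed SBK words" >&2; return 1; }
    printf '0x%s\n' "$(printf %s "$1" | sed 's/0x//g' | tr -d ' ' | tr 'A-F' 'a-f')"
}

# Write a fresh key to $1, readable by the owner only; never overwrite,
# because a key that has been fused cannot be regenerated.
write_sbk_file() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite $1" >&2
        return 1
    fi
    words=$(gen_sbk_words) || return 1
    ( umask 077; printf '%s\n' "$words" > "$1" )
}
```

Comparing the output of `sbk_words_to_fuse_value "$(cat sbk.key)"` against the SBK value in the fuse configuration before burning catches a word-order or transcription mismatch while it can still be corrected.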

Hello @JerryChang,

  1. Could you please check the fuse values on the target, you may go to /sys/devices/platform/tegra-fuse/ for examination - No, because the Jetson is not booting up.
  2. I did not perform the step below, "To flash an SBKPKC-fused Jetson AGX Xavier target":
    $ sudo ./flash.sh -u <pkc_keyfile> -v <sbk_keyfile> jetson-agx-xavier-devkit mmcblk0p1

Do I need to? (My understanding is yes, as I programmed the fuse and now the secure architecture needs signed images to verify.) Can you please check if the attached SBK file works?
SBK.xml (44 Bytes)

  1. Does <pkc_keyfile> in the command above need to be a private key, a public key or a public key hash?

  2. This is the config file I used to burn the fuses for your reference.
    Fuse_Config_Xavier.xml (2.8 KB)

Thanks!

hello dhairya240791,

Was this device ever flashed before?
odmfuse is the script to burn the fuses; flash is the script to flash the bootloader binaries and the rootfs image to the target. You’ll need those to boot up the target.
Note, you may use the private key to burn the fuse.

@JerryChang Yes, it was flashed before (without the PKC/SBK keys) and running with Jetson Linux 35.3.1.
But after burning the fuses, it has not been flashed and does not boot-up. Any thoughts?

There were two problems on my end and at least 1 has been solved. So I am going to close this thread.

  1. Issue 1: Jetson Xavier did not boot up after programming fuses (stuck in forced-recovery).
    Solution: I found some old threads which state that “production bit” needs to be enabled which worked for me.
    (I am surprised that the user guide does not mention this till date)

  2. Issue 2: Jetson odmfuseread.sh doesn't work.
    No solution: but I am going to let it pass as the Jetson is up and running and I can read the status of the fuses via /sys/devices/platform/tegra-fuse/ on boot-up from the target.

Thanks!
