Hello,
I encountered the following issue while testing Secure Boot on the LPC55S69 (revision 1b) following the AN12283 guide:
Everything is working fine until the SB2 file load step (§ 5.6.3). After I executed the `receive-sb-file` command with my generated SB2.1 file and reset the chip, the firmware was not executed. I am able to go back into ISP mode by activating the ISP pin and I can change the CMPA and CFPA configuration pages, erase the flash and flash new images, but none of the flashed images is actually executed after a reset. Even if I erase the flash, the chip only boots into ISP mode if I also activate the ISP pin.
I am positive that the signature keys (ROTKH) are set up properly because flashing a signed image worked. I also think that the SBKEK was set up correctly because the `receive-sb-file` command did not fail.
Do you know what could cause this behavior or how I can further debug it?
Thanks,
Robin
PS: This is the .bd file that I used to generate the SB2.1 image:
```
options {
    flags = 0x8;
    buildNumber = 0x1;
    productVersion = "1.00.00";
    componentVersion = "1.00.00";
    secureBinaryVersion = "2.1";
}
sources {
    inputFile = extern(0);
}
section (0) {
    erase 0x0..0x40000;
    load inputFile > 0x0;
}
```
Hello Robin,
Please check step 5.6.2, SB2 file creation, and refer to the example for SB2.1:
Pay attention to change "input.bin" to the real name of your .bin file, and put the file in the elftosb.exe path.
BR
Alice
Hi Alice,
thanks for the reply! Here is the command I used to generate the SB2.1 file:
```
elftosb -f lpc55xx -k "$sbkek" -c "config.bd" -o "$output" -s "$key" -S"$cert" -R "$cert" -h"$rkth" "$binary"
```
$binary is the name of the binary file. The size of the binary file is ~ 17kB and the size of the SB2.1 file is ~ 20 kB, so it seems like the SB2.1 file contains the binary file.
What irritates me most is that even if I disable Secure Boot in the CMPA and flash an unsigned image, it is not executed any more. Do you have any ideas why?
Best,
Robin
Hello Robin,
1) Read the CMPA out to check whether Secure Boot was disabled successfully.
2) Some other points to pay attention to:
The binary file $binary should be a signed image.
The SBKEK should be loaded into the device.
BR
Alice
Hi Alice,
thanks for the hints!
re 1): According to the CMPA page, Secure Boot is disabled (see the attachment for the full configuration):
```
$ spsdk blhost -u 0x1fc9:0x0021 read-memory 0x9e400 512 cmpa.bin
$ spsdk pfr parse-binary --binary cmpa.bin --device lpc55s6x --type cmpa --output cmpa.txt
$ grep SEC_BOOT_EN: cmpa.txt
SEC_BOOT_EN: SECURE_BOOT_CFG_SEC_BOOT_EN_DISABLE # Width: 2b[0-3], Description: Secure boot enable
```
Flashing an unsigned image still does not work.
re 2):
I’ve set up the SBKEK and if I use a different SBKEK to generate the image, the receive-sb command fails, so I think that is working. But indeed I’ve been using an unsigned image before. (I assumed elftosb would add the signature when creating the SB2.1 file.) Using the signed image makes the SB2.1 work on a different device, but my original chip is still stuck in the bootloader.
Regards,
Robin
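A pre-flight check for the mistake described in the post above (an unsigned binary wrapped in an SB2.1 file), as an added example that is not part of the original thread or of NXP's tooling. The header offsets (0x20, 0x24, 0x28) and the image-type codes are assumptions about the LPC55S6x image format that the thread does not state; the function names and sample images are constructed for illustration.

```python
import struct

# ASSUMPTION (not stated in the thread; verify against the LPC55S6x user
# manual): three little-endian 32-bit words in the vector table describe
# the image.
IMAGE_LENGTH_OFFSET = 0x20   # declared image length
IMAGE_TYPE_OFFSET = 0x24     # image type, low byte holds the type code
CERT_HEADER_OFFSET = 0x28    # offset of the certificate block header (signed images)
# ASSUMPTION: type codes for this device family.
IMAGE_TYPES = {0x00: "plain (unsigned)", 0x04: "signed XIP", 0x05: "plain XIP with CRC"}
SIGNED_TYPES = {0x04}

def inspect_image(data: bytes) -> dict:
    """Read the image-description words from the vector table."""
    if len(data) < CERT_HEADER_OFFSET + 4:
        raise ValueError("file too short to contain an image header")
    length, itype, cert_off = struct.unpack_from("<III", data, IMAGE_LENGTH_OFFSET)
    code = itype & 0xFF  # upper bits may carry other flags, so mask them off
    return {
        "declared_length": length,
        "actual_length": len(data),
        "type_name": IMAGE_TYPES.get(code, "unknown"),
        "signed": code in SIGNED_TYPES,
        "cert_header_offset": cert_off,
    }

def ok_for_sb2(data: bytes) -> bool:
    """True only if the image claims to be signed and its fields are plausible."""
    info = inspect_image(data)
    return (info["signed"]
            and 0 < info["declared_length"] <= info["actual_length"]
            and 0 < info["cert_header_offset"] < info["declared_length"])

def make_sample(type_code: int, size: int = 0x200, cert_off: int = 0) -> bytes:
    """Constructed test input: zero-filled image with only the header words set."""
    img = bytearray(size)
    struct.pack_into("<III", img, IMAGE_LENGTH_OFFSET, size, type_code, cert_off)
    return bytes(img)

if __name__ == "__main__":
    samples = [("unsigned", make_sample(0x00)),
               ("signed", make_sample(0x04, cert_off=0x100))]
    for name, img in samples:
        print(name, "->", inspect_image(img)["type_name"],
              "| ok for SB2.1:", ok_for_sb2(img))
```

This only inspects the header fields; it does not verify the signature or the certificate chain.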
Hello,
re 1), can it be debugged by the IDE after changing the CMPA using "blhost -p COMxx write-memory 0x9E400 CMPA_empty.bin"?
You can send the read-back .bin file directly to me.
BR
Alice
I’ve cleared the CMPA as suggested but that did not change the behavior. I’ve attached the CMPA that I read out after clearing. It looks like it has been cleared successfully.
Hello,
I have checked your cmpa.bin; there is no problem, it disabled secure boot. It should be possible to debug now and to configure secure boot again; refer to the detailed steps in AN12283 and pay attention to the points I mentioned:
2) Some other points to pay attention to:
The binary file $binary should be a signed image.
The SBKEK should be loaded into the device.
If not, sorry, I also don't know the reason.
BR
Alice