LPC55S69 encrypting binary using SBKEK

Showing results for 
Search instead for 
Did you mean: 

LPC55S69 encrypting binary using SBKEK

Contributor I

I have encrypted a binary using the method described in AN12283 section 5.6. The key (SBKEK) is loaded successfully to the device with ELFTOSB-GUI tool.  The issue I have is that , after flashing the SB2 file with blhost in to the device the application is not running. Attached are the files used to generate the SB2. 

Why is the application not running?

I have skipped the signing part (section 5.5) is this necessary? I currently only want an encrypted binary. 


Labels (1)
0 Kudos
3 Replies

NXP TechSupport
NXP TechSupport

Hello hassan M,

1) If you doesn't singe image, you can still read the flash through blhost. So you can read it out to

compare with your original binary file.

2) AN12283  mainly introduce the method of Singe image to secure boot, I think the "secure boot" is meaningless if you

doesn't singe it . I recommend you refer to the steps as the AN mentioned.

Have a great day,

- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.

0 Kudos

Contributor I

Hello Alice,

Thank you for your reply.

As for your first remark. When attempting to read out the memory I get the following error from blhost utility.

"Ping responded in 1 attempt(s)
Inject command 'read-memory'
Response status = 10001 (0x2711) Command disallowed when security is enabled.
Response word 1 = 0 (0x0)
Read 0 of 10 bytes."

When the SBKEK key is set, reading of the memory is no longer possible. 

Point 2:

Application note AN12283 section 5.6.1  says the following: 

"SB2 file is symetrically encrypted. For decryption of the file, the key has to be loaded into
device. The key size for SB2 file is 256-bits. During boot, the SB key is used with AES to
decrypt the SB2 file.

What I understand from the above is that the encryption is done using the the SBKEK. The signing is for making sure only signed firmware can be flashed and will not encrypt the binary image.  

I will create a singed image and report back if this fixed the issue. 



0 Kudos

NXP TechSupport
NXP TechSupport

Hello hassan Moutar,

Using  the SBKEK just encryption transmission. 

And when when using Blhost reand memory, it said "security is enabled.", I think you have config CFPA (5.4).

Yes, please using the singed image to have a try.



0 Kudos