Neither the provided binaries nor binaries built from source from the SDK for sdphost and blhost would run on my Mac (OS 10.15.3 Catalina). I tracked the issue down to a pair of bugs in the function get_string_property_utf8 in middleware/mcu-boot/tools/src/blfwk/src/hid-mac.c.
buf isn't cleared at the start of the function and CFStringGetBytes doesn't terminate the set of bytes pulled so buf may have stale data on return (if, for example, on a previous call a longer string was returned). This is corrected by clearing buf with memset at the start of the function.
Also, range.length passed to CFStringGetBytes must not exceed the length of the string. See Apple's documentation:
CFStringGetBytes(_:_:_:_:_:_:_:_:) - Core Foundation | Apple Developer Documentation
This is fixed by setting range.length with CFStringGetLength(str) instead of the length of buf. On my Mac both applications abort with an invalid argument exception without this fix. With it all is well.
The corrected function is below. I hope this will save someone some time and that it eventually works its way back into the source tree.
static int get_string_property_utf8(IOHIDDeviceRef device, CFStringRef prop, char *buf, size_t len)
CFStringRef str = IOHIDDeviceGetProperty(device, prop);
range.location = 0;
range.length = CFStringGetLength(str);
CFStringGetBytes(str, range, kCFStringEncodingUTF8, (char)'?', FALSE, (UInt8 *)buf, len, &used_buf_len);