SK-AM62-LP: Keywriter Debug Response: 0x2000800 (custom keys)

Hi Lars,

Did you capture the TIFS logs which can provide more insights of the error?

Ok, I installed CCS, and got this on ttyUSB1:

0x4F8A0000
0x4F8B0000
0x4F80001C
0x4003007
0x4400907
0x20800000
0x20800001
0x4F8A00FF
0x4F8B0001
0x4F80001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x420021
0x820024
0x42000C
0x820024
0x4F8A00FF
0x4F8B0001
0x4F80001C
0x420002
0x820024
0x4003007
0x4400907
FWL Bit 0x4
Exception addr 0x45B09000
FWL Exception 0x1008000
0x90000
0x400A78
0x0
0xFF923D4
0x8

0x409031
0x800023
#
# Decrypting extensions..
#
MPK Options: 0x0
MEK Options: 0x0
MPK Opt P1: 0x0
MPK Opt P2: 0x0
MEK Opt : 0x0
* SMPKH Part 1 BCH code: e050cadb

* SMPKH Part 2 BCH code: c099dd36

* SMPK Hash (part-1,2):

1f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189700

60dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d00

* SMEK BCH code: a0c6de4e

* SMEK Hash: 92785809a3dfefea57f6bbed642d730ba5d05e601222a72e815bf01ceb3a50f96ab85d282425f684436fabd4c7da624b791da411615035314103cc64e611f532

* BMPKH Part 1 BCH code: c00807d5

* BMPKH Part 2 BCH code: 60311e36

* BMPK Hash (part-1,2):

07b5fd6f33cdba0c745bcc07e50805639713ec517614eac89754da1138d24dac00

5f1600a593b7100f0e1ca3c3a49e59b3622ab0651e08c0ffd2c88b04465cf7c900

* BMEK BCH code: a0da286f

* BMEK Hash: f5fbda1d62b46374de68e763ecd5a72227e7be73ca0d54a6d986ceb784b1bb0d06b6d95a8b399d421e41b7d3e7076220cd3992df255be068bd8924e86ae3a02d

EXT OTP extension programming disabled
* BCH code & MSV: fe0fac8b

* KEY CNT: 03030000

* KEY REV: 01010000

SWREV extension programming disabled

FW CFG REV extension programming disabled

* KEYWR VERSION: 0x20000

#
# Programming Keys..
#

* MSV:
[u32] bch + msv: 0x0
Error in programming MSV
debug_response: 0x2000000
[u32] bch + msv: 0x0

* SWREV:
[u32] SWREV-SBL: 0x1
[u32] SWREV-SYSFW : 0x1
SWREV extension programming disabled
[u32] SWREV-SBL: 0x1
[u32] SWREV-SYSFW : 0x1

* FW CFG REV:
[u32] SWREV-FW-CFG-REV: 0x1
SWREV SEC BCFG extension programming disabled
[u32] SWREV-FW-CFG-REV: 0x1

* EXT OTP:
EXT OTP extension programming disabled

* BMPKH, BMEK:
Error in programming BMPKH part 1
debug_response: 0x2000800

----
I would expect to see "programming enabled"..

Hi Lars,

Are you using a custom board or TI board? Also what MCU+ SDK version you are using to build the OTP Keywriter?

Hi Prashant,

The board is the TI SK-AM62-LP EVM, PROC124E2.

SDK:
mcu_plus_sdk_am62x_09_01_00_39
otp_keywriter_am62x_09_00_00
sysconfig_1.18.0

openssl version
OpenSSL 1.1.1 11 Sep 2018

Hi Lars,

Thanks for the information. Everything actually looks good at least from the software perspective.

Can you try programming just the MSV with the following command:

./gen_keywr_cert.sh -t tifek/ti_fek_public.pem -a keys/aes256.key --msv 0xC0FFE

Regards,

Prashant

Hi Prashant,

I generated the msv only cert as instructed and rebuild the tiboot3.bin.

Then I get:
Starting Keywriting
Enabled VPP
keys Certificate found: 0x43c18a80
Keywriter Debug Response:0x2000000
Error occured...

And:

0x4F8A0000
0x4F8B0000
0x4F80001C
0x4003007
0x4400907
0x20800000
0x20800001
0x4F8A00FF
0x4F8B0001
0x4F80001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x420021
0x820024
0x42000C
0x820024
0x4F8A00FF
0x4F8B0001
0x4F80001C
0x420002
0x820024
0x4003007
0x4400907
FWL Bit 0x4
Exception addr 0x45B09000
FWL Exception 0x1008000
0x90000
0x400A78
0x0
0xFF923D4
0x8

0x409031
0x800023
#
# Decrypting extensions..
#
MPK Options: 0x0
MEK Options: 0x0
MPK Opt P1: 0x0
MPK Opt P2: 0x0
MEK Opt : 0x0
SMPKH extension programming disabled
SMEK extension programming disabled
EXT OTP extension programming disabled
* BCH code & MSV: fe0fac8b

KEY CNT extension programming disabled

KEY REV extension programming disabled

SWREV extension programming disabled

FW CFG REV extension programming disabled

* KEYWR VERSION: 0x20000

#
# Programming Keys..
#

* MSV:
[u32] bch + msv: 0x0
Error in programming MSV
debug_response: 0x2000000
[u32] bch + msv: 0x0

* SWREV:
[u32] SWREV-SBL: 0x1
[u32] SWREV-SYSFW : 0x1
SWREV extension programming disabled
[u32] SWREV-SBL: 0x1
[u32] SWREV-SYSFW : 0x1

* FW CFG REV:
[u32] SWREV-FW-CFG-REV: 0x1
SWREV SEC BCFG extension programming disabled
[u32] SWREV-FW-CFG-REV: 0x1

* EXT OTP:
EXT OTP extension programming disabled

* BMPKH, BMEK:
BMPKH extension programming disabled
BMEK extension programming disabled

* SMPKH, SMEK:
SMPKH extension programming disabled
SMEK extension programming disabled

* KEYCNT:
[u32] keycnt: 0x0
KEY CNT extension programming disabled
[u32] keycnt: 0x0

* KEYREV:
[u32] keyrev: 0x0
KEY REV extension programming disabled
[u32] keyrev: 0x0

I hope this helps in troubleshooting.

Thanks and regards,

Lars

Hi Lars,

Mostly, it looks like some issue with VPP not being set correctly.

Can you please try a different boot mode preferably UART? You can send the tiboot3.bin with minicom, picocom, etc.

Please remove the USB cable from J13 (DFU) and use the certificate with only MSV to make sure we don't yet write any other field and the device is still HSFS.

Regards,

Prashant

Hi Prashant,

Ok, thanks - I will try that - however, it may take a few weeks for me to get back to you with the result.

Regards, Lars

Lars Horvath said:

Ok, thanks - I will try that - however, it may take a few weeks for me to get back to you with the result.

Sure, no problem. Let me know whenever you have the results.

Thanks!

Hi Prashant,

I am back, and I tried the UART boot mode, I transferred as:

➜ UART_BOOT_MAIN_UART=/dev/ttyUSB0
➜ sb --xmodem tiboot3.bin.msv > $UART_BOOT_MAIN_UART < $UART_BOOT_MAIN_UART

And on ttyUSB1 I got this output:

0x4F8A0000
0x4F8B0000
0x4F80001C
0x4003007
0x4400907
0x20800000
0x20800001
0x4F8A00FF
0x4F8B0001
0x4F80001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x4C40001C
0x420021
0x820024
0x42000C
0x820024
0x4F8A00FF
0x4F8B0001
0x4F80001C
0x420002
0x820024
0x4003007
0x4400907
FWL Bit 0x4
Exception addr 0x45B09000
FWL Exception 0x1008000
0x90000
0x400A78
0x0
0xFF923D4
0x8

0x409031
0x800023
#
# Decrypting extensions..
#
MPK Options: 0x0
MEK Options: 0x0
MPK Opt P1: 0x0
MPK Opt P2: 0x0
MEK Opt : 0x0
SMPKH extension programming disabled
SMEK extension programming disabled
EXT OTP extension programming disabled
* BCH code & MSV: fe0fac8b

KEY CNT extension programming disabled

KEY REV extension programming disabled

SWREV extension programming disabled

FW CFG REV extension programming disabled

* KEYWR VERSION: 0x20000

#
# Programming Keys..
#

* MSV:
[u32] bch + msv: 0x0
Error in programming MSV
debug_response: 0x2000000
[u32] bch + msv: 0x0

* SWREV:
[u32] SWREV-SBL: 0x1
[u32] SWREV-SYSFW : 0x1
SWREV extension programming disabled
[u32] SWREV-SBL: 0x1
[u32] SWREV-SYSFW : 0x1

* FW CFG REV:
[u32] SWREV-FW-CFG-REV: 0x1
SWREV SEC BCFG extension programming disabled
[u32] SWREV-FW-CFG-REV: 0x1

* EXT OTP:
EXT OTP extension programming disabled

* BMPKH, BMEK:
BMPKH extension programming disabled
BMEK extension programming disabled

* SMPKH, SMEK:
SMPKH extension programming disabled
SMEK extension programming disabled

* KEYCNT:
[u32] keycnt: 0x0
KEY CNT extension programming disabled
[u32] keycnt: 0x0

* KEYREV:
[u32] keyrev: 0x0
KEY REV extension programming disabled
[u32] keyrev: 0x0

It looks the same. I have a power supply on J13. Should we try to measure the VPP voltage while doing the programming?

Regards,

Lars

Hi Lars,

Good to see you!!

Lars Horvath said:

I have a power supply on J13. Should we try to measure the VPP voltage while doing the programming?

Could you please use J11 once for power supply?

Regards,

Prashant

Hi Prashant,

I had an external PS 3V3 and powered the J11 pins 1 and 2. But it gives the same result.

Regards,
Lars

Hi Lars,

Can you please share the output of the Python script mentioned in this FAQ

(+) [FAQ] [AM6XX]: How to check if device type is HS-SE, HS-FS or GP? - Processors forum - Processors - TI E2E support forums

Regards,

Prashant

Hi Prashant,

Certainly, I get the below. Can you help me understand the output? I believe the HSFS type is as expected.

➜ cpb639 python3 7080.uart_boot_socid.py data.txt
-----------------------
SoC ID Header Info:
-----------------------
NumBlocks : [2]
-----------------------
SoC ID Public ROM Info:
-----------------------
SubBlockId :
SubBlockSize :
DeviceName : am62x
DeviceType : HSFS
DMSC ROM Version : [0, 1, 0, 1]
R5 ROM Version : [0, 1, 0, 1]
-----------------------
SoC ID Secure ROM Info:
-----------------------
Sec SubBlockId : 2
Sec SubBlockSize : 166
Sec Prime : 0
Sec Key Revision : 0
Sec Key Count : 0
Sec TI MPK Hash : d68ecb2c055dff11ade95bd927e837d2a53bc23b0a2800cebce4f106bcf309df2213912d77a157a8b7c2df40672a06a918034aa4c7d603e462481475225d49b8
Sec Cust MPK Hash : ad0bc40b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Sec Unique ID : 1689ef84411ae94b9f694d19508baa6fe199ea01cfae11d09458012a8fd37e35

Hi Lars,

Lars Horvath said:

Can you help me understand the output?

The output contains important information related to the SoC. The fields of interest are:

- DeviceName: The SoC you are using.

- DeviceType: Initially HSFS. Once keys are programmed, it becomes HSSE.

- Sec Key Revision: Key revision value (1 => S-keys active, 2 => B-keys active)

- Sec Key Count: Key count value (1 => Only S-keys programmed, 2 => Both S-keys and B-keys programmed)

- Sec Cust MPK Hash: Active key SHA512 hash

- Sec Unique ID: Unique identifier for the SoC.

I wanted the script output for cross verification. And everything is on the expected line.

The update is I finally got hold of one TI AM62x-LP E2 revision board. And the issue is reproducible. On debugging, it looks like the issue is related to the VPP. When I measured the voltage, it was 0.8V instead of the expected 1.8V.

This issue is for sure related to the LP board probably E2 revision only. I will work on this and get back to you.

Thanks for your co-ordination and patience!!

Regards,

Prashant

Hi Lars,

Can you please apply the following patch and try running the keywriter? This patch modifies the package from ALW to AMC in the sbl_keywriter's makefile to allow Sysconfig to generate the pinmuxing for LP board.

diff --git a/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/makefile b/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/makefile
index a0fce92..b1a8213 100644
--- a/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/makefile
+++ b/source/security/sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang/makefile
@@ -200,10 +200,10 @@ $(SYSCFG_GEN_FILES): syscfg
 
 syscfg: ../example.syscfg
 	@echo Generating SysConfig files ...
-	$(SYSCFG_NODE) $(SYSCFG_CLI_PATH)/dist/cli.js --product $(SYSCFG_SDKPRODUCT) --context r5fss0-0 --part Default --package ALW --output generated/ ../example.syscfg
+	$(SYSCFG_NODE) $(SYSCFG_CLI_PATH)/dist/cli.js --product $(SYSCFG_SDKPRODUCT) --context r5fss0-0 --part Default --package AMC --output generated/ ../example.syscfg
 
 syscfg-gui:
-	$(SYSCFG_NWJS) $(SYSCFG_PATH) --product $(SYSCFG_SDKPRODUCT) --device AM62x --context r5fss0-0 --part Default --package ALW --output generated/  ../example.syscfg
+	$(SYSCFG_NWJS) $(SYSCFG_PATH) --product $(SYSCFG_SDKPRODUCT) --device AM62x --context r5fss0-0 --part Default --package AMC --output generated/  ../example.syscfg
 
 #
 # Generation of boot image which can be loaded by ROM Boot Loader (RBL)

I would recommend to only try programming MSV for now. If this succeeds, the keys and other fields can be programmed later.

Regards,

Prashant

Hi Prashant,

Thanks - I try and build from scratch. Now I am using mcu sdk 9.02.00.38. I can't access the secure site for otp keywriter download, is the 9.00.00 ok?
Regards, Lars

Hi Lars,

I tried today the changes I suggested and it didn't work. Let me work on this over the week and get back to you with the working solution.

Thanks for your patience.

Regards,

Prashant

Hi Prashant,

May I please ask for a status of this issue?

Thanks and regards,

Lars

Hello  Lars,

Thank you for waiting. 

You mentioned you have the below Board

The board is the TI SK-AM62-LP EVM, PROC124E2.

Do you have a single board or multiple boards.

Do you have hardware capabilities to probe the board or make some quick board changes?

Regards,

Sreenivasa

Hello Sreenivasa,

Since you are able to reproduce the issue on that particular board revision, I prefer to wait for your verified solution. Then we will carry out the required changes as per your instructions. I believe that is the best way to proceed.

Thanks

Hello  Lars,

Thank you for the note.

Based on your inputs, i understand you have the facility to make solder changes as required.

Regards,

Sreenivasa 

Hello  Lars,

On the board we had we observed that the below LDO

orientation was shifted by 90 deg.

The LDO is a 1 X 1 mm LDO that allows change of orientation while mounting.

Details have been added in the below FAQ 

https://e2e.ti.com/e2eprivate/processors-security/processsors_security_support/f/processsors-security-support---forum/1344678/sk-am62-lp-keywriter-debug-response-0x2000800-custom-keys/5217088#5217088

Here are the rework instructions 

Verify if the LDO orientation matches the board marking.

Likely, there could be a mis-match.

Remove the LDO, re-orient as per the board marking and solder back the LDO.

The Board assembly files - PDF version is available as part of the ZIP folder download.

Please let me know if you have any query or clarification.

Regards,

Sreenivasa

Hello Sreenivasa,

Thanks for the information, we will look into it.

Regards, Lars

Hello Sreeniva,

The part is too small for us to rework. Maybe we can remove it, and apply an external 1.8V supply.

The faq link you posted is the link to this thread, not a faq doc as such.

Regards, Lars

Hello lars, 

Thank you.

Lars Horvath said:

The part is too small for us to rework. Maybe we can remove it, and apply an external 1.8V supply.

Agree with you. 

Apologies for the wrong link.

Please refer below.

https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1220816/faq-am625-am623-am625sip-am625-q1-am620-q1-custom-board-hardware-design-queries-regarding-vpp-efuse-programming-power-supply-selection-and-application

You should be able to apply external voltage.

The FAQ describes the care to be taken while applying external voltage.

Regards,

Sreenivasa

Hello lars, 

Have you been able to make some progress.

When you use an external LDO, do note the sequence and the timing requirements and take care of the same.

Regards,

Sreenivasa

Hello,

Sreenivasa, unfortunately not, I think we are trying to get an updated EVM revision.

Thanks, Lars

Hello Sreenivasa,

An update. We removed the LDO and attached an ext. 1.8V power supply. Then right before loading tiboot3.bin (msv only) I switch on the PS.

I get this logged:

Starting Keywriting
Enabled VPP
keys Certificate found: 0x43c18a80
Keywriter Debug Response:0x0
Success Programming Keys

* MSV:
[u32] bch + msv: 0x0
Programmed 2/2 rows successfully
[u32] bch + msv: 0x8BAC0FFE

I guess I can now try to burn our custom keys?

Lars

Hello Lars,

Good to see you!!

Lars Horvath said:

I guess I can now try to burn our custom keys?

Yes, indeed. The MSV is programmed successfully. You can now program the keys with the VPP procedure.

Regards,

Prashant

Hello Lars,

Thank you for updating. This is good progress.

Lars Horvath said:

We removed the LDO and attached an ext. 1.8V power supply. Then right before loading tiboot3.bin (msv only) I switch on the PS.

Looks good.

Please be sure to switch off the VPP supply once the keys are programmed before you switch off the board supply.

FYI, please refer below as required.

https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1220816/faq-am625-am623-am625sip-am625-q1-am620-q1-custom-board-hardware-design-queries-regarding-vpp-efuse-programming-power-supply-selection-and-application

Regards,

Sreenivasa

Hi Prashant!

Next, I try to burn custom keys. I used this:

# Gen x.509 cert
./gen_keywr_cert.sh -t tifek/ti_fek_public.pem -a keys/aes256.key --msv 0xC0FFE --bmpk keys/bmpk.pem -b-wp --bmek keys/bmek.key --bmek-wp --smpk keys/smpk.pem --smek keys/smek.key --keycnt 2 --keyrev 1

But I get:

Starting Keywriting
Enabled VPP
keys Certificate found: 0x43c16780
Keywriter Debug Response:0x20
Error occured...

More logging:

Download [=========================] 100% 276147 bytes
Download done.
state(6) = dfuMANIFEST-SYNC, status(0) = No error condition is present
dfu-util: unable to read DFU status after completion
dfu-util: can't detach
Resetting USB to switch back to runtime mode

---------------------

0x409031
0x800023
0x20C00001
0x20C00002
Internal Operation Error
debug_response: 0x20
Internal Operation Error
debug_response: 0x20

I removed Vpp as soon as the dfu-util terminate.

Is it a problem to specify --msv when I just burned it in the previous step?

Thanks!

Lars

Hello Lars,

I will let prashanth address your query.

I wanted you to be aware the VPP voltage should be with the ROC during programming.

Given the load current transient requirement up to a max of 400 mA, please ensure the supply source is stable.

Regards,

Sreenivasa

Hi Lars,

Lars Horvath said:

Is it a problem to specify --msv when I just burned it in the previous step?

Yes. You should skip this option now and generate the certificate with the rest of the options.

Regards,

Prashant

Hi Prashant,

The msv is not the issue for: Keywriter Debug Response:0x20.  I installed openssl 1.1.1v and rebuild. Then programming succeeds. HSSE mode is now enabled!! 

Next - I need to re-build tiboot3.bin using my CustMpk.pem. I do the following:

1. Copy my keys/smpk.pem to board/ti/keys/custMpk.pem
2. Copy my keys/smek.key to board/ti/keys/custMpk.key
3. openssl req -batch -new -x509 -key custMpk.pem -out custMpk.crt

In yocto local.conf:
MACHINE ??= 'am62xx-lp-evm-k3r5'

Build output: tiboot3-am62x-hs-evm.bin

I run:  dfu-util -R -a bootloader -D tiboot3-am62x-hs-evm.bin

In the output I get:

state(6) = dfuMANIFEST-SYNC, status(0) = No error condition is present
dfu-util: unable to read DFU status after completion

Then it exits dfu mode!

But when the board was not fused, I got 

state(6) = dfuMANIFEST-SYNC, status(0) = No error condition is present
state(2) = dfuIDLE, status(0) = No error condition is present

Then the dfu would prompt for tispl.bin and u-image.bin

What am I missing here?

Thanks and regards!

Lars

Hi Lars,

Lars Horvath said:

The msv is not the issue for: Keywriter Debug Response:0x20.  I installed openssl 1.1.1v and rebuild.

Indeed, it is the case. I forgot about mentioning the strict OpenSSL version requirement.

Lars Horvath said:

Build output: tiboot3-am62x-hs-evm.bin

I run:  dfu-util -R -a bootloader -D tiboot3-am62x-hs-evm.bin

Are you not getting at all on the UART console?

Maybe you didn't build the R5 U-Boot SPL with DFU defconfig so it might have booted but have failed later.

Regards,

Prashant

Hi Prashant,

I use:
UBOOT_MACHINE = "am62x_lpsk_r5_usbdfu_defconfig"

(the board is sk- am62-lp)

The console:
U-Boot SPL 2023.04-ti-gf9b966c67473 (Mar 19 2024 - 20:31:40 +0000)
SYSFW ABI: 3.1 (firmware rev 0x0009 '9.2.7--v09.02.07 (Kool Koala)')
SPL initial stack usage: 13392 bytes
SPL: failed to boot from all boot devices
### ERROR ### Please RESET the board ###

Thanks Lars

Hi Prashant!

Ok, there was some issue with the yocto config files, the usbdfu defconfig was not selected, now fixed it - and i get:

U-Boot SPL 2023.04-ti-gf9b966c67473 (Mar 19 2024 - 20:31:40 +0000)
SYSFW ABI: 3.1 (firmware rev 0x0009 '9.2.7--v09.02.07 (Kool Koala)')
SPL initial stack usage: 13392 bytes
Trying to boot from DFU

From there i could load and run the signed tispl and u-image.

Thanks for your help

Regards,

Lars