Hi Customer,
This FAQ is about the TDA4VM SR2.0 HS Keywriter. Some changes need to be applied to the default keywriter:
1. Download and install ti-processor-sdk-rtos-j721e-evm-09_02_00_05 and OTP_KEYWRITER_ADD_ON_j721e_sr2_09_02_00_05. The add-on must be requested via mySecure SW or through your support contact.
2. Follow the readme.txt in the add-on package, as below, to replace two binaries.
Copy the OTP keywriter firmware `ti-fs-keywriter.bin` file to
<Your SDK path>/pdk_jacinto_09_02_00_30/packages/ti/boot/keywriter/tifs_bin/j721e/ti-fs-keywriter.bin
Copy the TIFEK Public key `ti_fek_public.pem` file to
<Your SDK path>/pdk_jacinto_09_02_00_30/packages/ti/boot/keywriter/scripts/ti_fek_public.pem
3. Generate your customer keys, or place your own keys, in the specified path.
# This randomly generates 5 key files, located in ti-processor-sdk-rtos-j721e-evm-09_02_00_05/pdk_jacinto_09_02_00_30/packages/ti/boot/keywriter/scripts/keys
cd ti-processor-sdk-rtos-j721e-evm-09_02_00_05/pdk_jacinto_09_02_00_30/packages/ti/boot/keywriter/scripts
./gen_keywr_cert.sh -g
# If you want to use the dummy keys from TI instead (paths below are relative to pdk_jacinto_09_02_00_30/packages/ti):
# Copy the customer dummy private key (SMPK private key, PEM format)
cp build/makerules/k3_dev_mpk.pem boot/keywriter/scripts/keys/smpk.pem
# Copy the customer dummy encryption key (SMEK, converted to binary file)
xxd -p -r build/makerules/k3_dev_mek.txt > boot/keywriter/scripts/keys/smek.key
# If you use your own keys, replace these files accordingly.
4. Generate final_certificate.bin. The command below will not burn the backup key.
cd ti-processor-sdk-rtos-j721e-evm-09_02_00_05/pdk_jacinto_09_02_00_30/packages/ti/boot/keywriter/scripts
./gen_keywr_cert.sh -s keys/smpk.pem --smek keys/smek.key -t ti_fek_public.pem -a keys/aes256.key --msv 0xC0FFE --keycnt 1 --keyrev 1
Log for reference:
# Using MSV[19:0]: 0x000C0FFE
# Using Key Count: 0x00000001
# Using Key Rev: 0x00000001
Generating Single signed certificate!!
# encrypt aes256 key with tifek public part
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
# encrypt SMPK-priv signed aes256 key(hash) with tifek public part
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
# encrypt smpk-pub hash using aes256 key
writing RSA key
# encrypt smek (sym key) using aes256 key
4031 primary_cert.bin
4031 ../x509cert/final_certificate.bin
# SHA512 Hashes of keys are stored in verify_hash.csv for reference..
The hashes of the SMEK and SMPK are stored in CSV files, and the keywriter build will use final_certificate.bin.
5. Apply the patch below to main.c; this turns on the MCU UART PLL.
diff --git a/packages/ti/boot/keywriter/main.c b/packages/ti/boot/keywriter/main.c
index 410b32a..0826bdd 100644
--- a/packages/ti/boot/keywriter/main.c
+++ b/packages/ti/boot/keywriter/main.c
@@ -197,6 +205,16 @@ int main()
/* pinmux for M3 logs */
HW_WR_REG32(WKUP_UART_TXD_MUX_ADDR, PIN_OUTPUT | PIN_MODE(0));
+#if 1
+ *((volatile unsigned int *)(0x40d01010)) = 0x68EF3490;
+ *((volatile unsigned int *)(0x40d01014)) = 0xD172BC5A;
+
+ *((volatile unsigned int *)(0x40d0108C)) = 0x00008031;
+
+ *((volatile unsigned int *)(0x40d01010)) = 0x0;
+ *((volatile unsigned int *)(0x40d01014)) = 0x0;
+#endif
+
UART_socGetInitCfg(KEYWRITER_BOARD_UART_INSTANCE, &uart_cfg);
uart_cfg.frequency = SBL_ROM_UART_MODULE_INPUT_CLK;
uart_cfg.enableInterrupt = UFALSE;
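Review bot: the five register writes between `#if 1` and `#endif` use bare addresses (0x40d01010, 0x40d01014, 0x40d0108C) and bare constants with no comment, so nothing in main.c records that this block is what turns on the MCU UART PLL, or why 0x40d01010 and 0x40d01014 are written before the 0x40d0108C write and cleared after it. Give the addresses and values named macros, add a one-line comment stating the purpose, and write through HW_WR_REG32 as the pinmux line just above does; the `#if 1` guard can then be dropped or replaced by a named build option.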
6a. (Optional) Because the keywriter can only burn once, this step needs to be handled carefully. You can first comment out the OTP function to check whether the other parts work normally. The log is output on both the MCU UART and the WKUP UART; see step 7 for a reference log. Once you have confirmed debug_response=0x0 and that both UARTs have output, re-enable the OTP function and run step 6 again.
int main()
{
+//int32_t status = CSL_EFAIL;
- int32_t status = CSL_EFAIL;
uint32_t debug_response = 0;
uint32_t *keywriter_cert = &keywr_end + 1;
UART_HwAttrs uart_cfg;
+#if 0
status = Sciclient_otpProcessKeyCfg((uint32_t *)keywriter_cert,
SCICLIENT_SERVICE_WAIT_FOREVER,
&debug_response);
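Review bot: with the Sciclient_otpProcessKeyCfg call compiled out by `#if 0`, debug_response is never written and keeps its initializer 0, so a 0x0 reported by this dry-run build reflects only `uint32_t debug_response = 0;` and not a result from the OTP service. Print a distinct marker in the disabled build, or skip the debug_response print there. Commenting out the `status` declaration also only compiles while every use of `status` sits inside the `#if 0` region; moving the declaration inside the same guard makes that dependency explicit.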
@@ -219,7 +238,7 @@ int main()
{
UART_printf("Sciclient_otpProcessKeyCfg returns: %d\n", status);
}
-
+#endif
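Review bot: the `#endif` added after the status print closes a literal `#if 0`, which is easy to leave in place and then yields an image that never calls Sciclient_otpProcessKeyCfg. Use a named macro (for example a hypothetical KEYWRITER_DRY_RUN) for the region and annotate the `#endif` with it, so the dry-run and production builds can be told apart in the source and on the make command line.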
6. Use the commands below to generate keywriter_img.
ti-processor-sdk-rtos-j721e-evm-09_02_00_05/pdk_jacinto_09_02_00_30/packages/ti/build$
make keywriter_img_clean
make keywriter_img
7. Copy the binary to the SD card boot partition and rename it to tiboot3.bin. (Other boot modes are also supported.)
/ti-processor-sdk-rtos-j721e-evm-09_02_00_05/pdk_jacinto_09_02_00_30/packages/ti/build$ sudo cp ../boot/keywriter/binary/j721e/keywriter_img_j721e_release.tiimage /media/biao/boot/tiboot3.bin
log for reference:
MCU log
OTP Keywriter Version: 02.00.00.00 (Aug 2 2024 - 16:53:57)
OTP Keywriter ver: 9.1.2--v09.01.02 (Kool Koala)
OTP_VppEn
test_pmic_i2c_lld_intf_setup(): 487: PMIC_MAIN_INST I2C Setup...
test_pmic_i2c_lld_intf_setup(): 529: done...
I2C1: Passed for address 0x4c !!!
I2C1: Passed for address 0x13 !!!
INT STAT[0]: 0x00000000
INT STAT[1]: 0x00002002
INT STAT[2]: 0x00000000
INT STAT[3]: 0x00000000
Pmic_gpioSetValue ret: 0 Works!!!
Key programming sequence initialted
Taking OTP certificate from 0x41c7f004
Debug response: 0x0
Key programming sequence completed
M3 log
#
# Decrypting extensions..
#
MPK Options: 0x0
MEK Options: 0x0
MPK Opt P1: 0x0
MPK Opt P2: 0x0
MEK Opt : 0x0
* SMPKH Part 1 BCH code: e050cadb
* SMPKH Part 2 BCH code: c099dd36
* SMPK Hash (part-1,2):
1f6002b07cd9b0b7c47d9ca8d1aae57b8e8784a12f636b2b760d7d98a18f189700
60dfd0f23e2b0cb10ec7edc7c6edac3d9bdfefe0eddc3fff7fe9ad875195527d00
* SMEK BCH code: a0c6de4e
* SMEK Hash: 92785809a3dfefea57f6bbed642d730ba5d05e601222a72e815bf01ceb3a50f96ab85d282425f684436fabd4c7
da624b791da411615035314103cc64e611f532
EXT OTP extension programming disabled
* BCH code & MSV: fe0fac8b
* KEY CNT: 01010000
* KEY REV: 01010000
SWREV extension programming disabled
FW CFG REV extension programming disabled
* KEYWR VERSION: 0x20000
#
# Programming Keys..
#
* MSV:
[u32] bch + msv: 0x0
Programmed 2/2 rows successfully
[u32] bch + msv: 0x8BAC0FFE
* SWREV:
[u32] SWREV-SBL: 0x0
[u32] SWREV-SYSFW : 0x0
SWREV extension programming disabled
[u32] SWREV-SBL: 0x0
[u32] SWREV-SYSFW : 0x0
* FW CFG REV:
[u32] SWREV-FW-CFG-REV: 0x0
SWREV SEC BCFG extension programming disabled
[u32] SWREV-FW-CFG-REV: 0x0
* EXT OTP:
EXT OTP extension programming disabled
* BMPKH, BMEK:
BMPKH extension programming disabled
BMEK extension programming disabled
* SMPKH, SMEK:
Programmed 11/11 rows successfully
Programmed 2/2 rows successfully
Programmed 11/11 rows successfully
Programmed 2/2 rows successfully
Programmed 11/11 rows successfully
Programmed 2/2 rows successfully
* KEYCNT:
[u32] keycnt: 0x0
Programmed 2/2 rows successfully
[u32] keycnt: 0x1
* KEYREV:
[u32] keyrev: 0x0
Programmed 2/2 rows successfully
[u32] keyrev: 0x1
8. Check the device status: switch the boot mode to UART boot, and you will see an array output like the one below:
02000000011a00006a376573000000000000000048535345010901000109010002a600000100010078ec546294cdf3fc0bfbbb146bf8621bd4d1c312f1bc76b67811e1c5dcbe820067f4156a94c70d9cbae981aa4cce04b7f83390ed79f92e8448d72881fe37C
The ASCII characters in this output confirm the result: 48535345 (ASCII characters for 'H', 'S', 'S', 'E') means you have completed the Keywriter process.
An HS-FS device shall have the value 48534653 (ASCII characters for 'H', 'S', 'F', 'S').
BR,
Biao
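
A host-side check for steps 7 and 8, as an added example that is not part of the original post or of TI's tooling: it confirms from a captured M3 log that the programmed MSV, KEYCNT and KEYREV match the gen_keywr_cert.sh arguments, and reads the device type from the UART boot array. The function names and the byte offsets (read off the sample array in step 8) are assumptions.

```python
import re

# Assumption: byte offsets read off the sample array in step 8 (8-byte prefix,
# 12-byte device name, 4-byte device type); not a TI-published layout.
NAME_OFF, TYPE_OFF, HDR_LEN = 8, 20, 24
KNOWN_TYPES = {"HSSE": "HS-SE", "HSFS": "HS-FS"}  # the two tags named in step 8

def parse_soc_id(hex_dump):
    """Return (device_name, device_state) from the UART-boot hex array."""
    head = re.sub(r"\s+", "", hex_dump)[: HDR_LEN * 2]
    if len(head) < HDR_LEN * 2 or not re.fullmatch(r"[0-9a-fA-F]+", head):
        raise ValueError("need at least 24 bytes of hex")
    raw = bytes.fromhex(head)
    name = raw[NAME_OFF:TYPE_OFF].rstrip(b"\x00").decode("ascii", "replace")
    tag = raw[TYPE_OFF:HDR_LEN].decode("ascii", "replace")
    return name, KNOWN_TYPES.get(tag, "unknown:" + tag)

def check_m3_log(log_text, msv, keycnt, keyrev):
    """List mismatches between the M3 log and the gen_keywr_cert.sh arguments."""
    rows = re.findall(r"Programmed (\d+)/(\d+) rows", log_text)
    problems = [] if rows else ["no rows programmed"]
    problems += [f"partial write {d}/{t}" for d, t in rows if d != t]

    def final(label):
        # Assumption: each value is printed before and after programming,
        # so the last occurrence is the post-write readback.
        vals = re.findall(rf"\[u32\] {label}: 0x([0-9A-Fa-f]+)", log_text)
        return int(vals[-1], 16) if vals else None

    word = final(r"bch \+ msv")
    if word is None or word & 0xFFFFF != msv:  # log labels the field MSV[19:0]
        problems.append("MSV mismatch")
    if final("keycnt") != keycnt:
        problems.append("KEYCNT mismatch")
    if final("keyrev") != keyrev:
        problems.append("KEYREV mismatch")
    return problems

# First 24 bytes of the array shown in step 8, and M3 log lines copied from step 7.
SOC_ID = "02000000011a00006a376573" + "00" * 8 + "48535345"
M3_LOG = """[u32] bch + msv: 0x0
Programmed 2/2 rows successfully
[u32] bch + msv: 0x8BAC0FFE
[u32] keycnt: 0x0
Programmed 2/2 rows successfully
[u32] keycnt: 0x1
[u32] keyrev: 0x0
Programmed 2/2 rows successfully
[u32] keyrev: 0x1"""
```

With the page's values, `parse_soc_id(SOC_ID)` gives `("j7es", "HS-SE")` and `check_m3_log(M3_LOG, 0xC0FFE, 1, 1)` returns an empty list.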