CC3220SF: Flashing with embedded programming fails with code -10289

Part Number: CC3220SF
Other Parts Discussed in Thread: UNIFLASH

Hello everyone,

I am encountering an issue while flashing firmware using embedded programming exe. Previously, flashing with a dummy certificate chain worked without any issues. However, after switching to our custom certificate chain, the process fails with the error code -10289 and an extended error code 2633.

Interestingly, when I use UniFlash with the same custom certificates, the flashing completes successfully. Any insights on troubleshooting or addressing this would be greatly appreciated.

Thank you!

  • Hi,

    This error means a signature error of a file (when closing the file).

    What catalog have you included in the image, and how are the files (MCU image file and other user files, if you have any) configured in terms of the certificate?

    If it works with Uniflash, there is no reason it would not work with embedded programming.

    Shlomi

  • Hi,

    We are using a self-signed certificate.

    Then we created a certificate catalog and the certificate catalog is signed by our root private key.


    Our certificates are
    root ca certificate vmedd_root_ca_cert

    vendor certificate vmedd_cert_trusted

    MCU images are signed by the private key of this respective vendor certificate "vmedd_cert_trusted".
    No other file is signed or encrypted.


  • We generated catalog like this

    REM Generate certificate catalog
    SLImageCreator.exe tools make_cert_catalog --cert_folder %CertificatesFolder% --out_file %CatalogPath%

    REM Sign catalog with vendor private key
    SLImageCreator.exe tools sign --file %CatalogPath% --priv %PrivateKeyPath% --out_file %CatalogSignedPath% --fmt "BINARY_SHA1"

  • Hi,

    Not sure how your OTP procedure went, but just to make sure, have you included the root CA you are using in your private catalog? I would assume the OTP is OK for now, as you mentioned that it works with Uniflash.

    Just want to make sure I understand: with Uniflash the programming is successful, right? And also the application is loaded and works as expected. Is this correct? Is it only the embedded programming that does not work?

    Shlomi

  • Hi,
    Both of our certificates are present in the root directory:

    root ca certificate = vmedd_root_ca_cert

    vendor certificate = vmedd_cert_trusted

    Programming with Uniflash is a 100% success. We have tested hundreds of devices so far, and they have been working fine for the last two months.


    "is it only the embedded programming that does not work?"
    Yes, with our private certificate, embedded programming does not work. We previously tested embedded programming with dummy certificates and it worked perfectly.

  • What I still don't understand in the flow is where the OTP takes place.

    OTP can only be achieved using Uniflash. Can you describe the flow in both cases (Uniflash and embedded programming)?

  • Hi Shlomi,
    This is the JSON file of my project. In the files para, SM_MCU_CERT_NAME always remains empty. Is this something relevant?

    {
        "header": {
            "AddClstOta": false,
            "DEV_MAC_ADDR": "e4:15:f6:66:e5:81",
            "Description": "",
            "DeviceType": "CC3220SF",
            "EnableReturnToFactory": "defaults_and_image",
            "Is5GSupport": false,
            "IsGen3": false,
            "IsModule": "0",
            "IsTheDeviceSecure": true,
            "KeyFileLocation": "",
            "Mode": "production",
            "Name": "ProductionR0_34",
            "ProductionNWP": "1",
            "ReturnToFactoryGPIO": "0",
            "ServicePackFileLocation": "sp_3.22.0.1_2.7.0.0_2.2.0.7.bin",
            "StorageCapacityBytes": "8388608",
            "UseDefaultCertStore": false,
            "UseDefaultPlayGroundCatalog": true,
            "UseDefaultSP": true,
            "UseKey": 0,
            "UseOtp": false,
            "UseSecBtldr": true
        },
        "systemFiles": {
            "CONFIG_TYPE_AP": {
                "CHANNEL": "1",
                "HIDDEN_SSID": "0",
                "MAX_STT": "4",
                "PASSWORD": "",
                "SECURITY": "0",
                "SSID": "mysimplelink"
            },
            "CONFIG_TYPE_CSR_DICE_CFG": {
                "CREATE_CSR": false,
                "CSR_CERT_NUMBER": "",
                "CSR_COUNTRY_CODE": "",
                "CSR_EMAIL": "",
                "CSR_END_DAY": "31",
                "CSR_END_MONTH": "12",
                "CSR_END_YEAR": "2020",
                "CSR_ISCA": false,
                "CSR_LOCALITY": "",
                "CSR_NAME": "",
                "CSR_ORGANIZATION": "",
                "CSR_ORGANIZATION_UNIT": "",
                "CSR_START_DAY": "01",
                "CSR_START_MONTH": "01",
                "CSR_START_YEAR": "2013",
                "CSR_STATE": "",
                "CSR_SURNAME": "",
                "CSR_TOKEN": "",
                "CSR_USE_UDID_AS_COMMON_NAME": false,
                "CSR_VENDOR": false,
                "ENABLE_DICE": "0",
                "SystemFileId": "CONFIG_TYPE_CSR_DICE_CFG",
                "USE_RAND_NUMBER": false,
                "USE_SELF_SIGNED_CERT": false
            },
            "CONFIG_TYPE_DEVICE_NAME": {
                "DEVICE_URN": "mysimplelink",
                "DOMAIN_NAME": "mysimplelink.net"
            },
            "CONFIG_TYPE_DHCP_SRV": {
                "AP_DHCP_SERVER_LAST_IP_ADDRESS": "10.123.45.254",
                "AP_DHCP_SERVER_LEASE_TIME": "24",
                "AP_DHCP_SERVER_START_IP_ADDRESS": "10.123.45.2",
                "SystemFileId": "CONFIG_TYPE_DHCP_SRV"
            },
            "CONFIG_TYPE_HTTP_SRV": {
                "ACCESS_CA_CERT": false,
                "ACCESS_ROM": true,
                "CA_CERTIFICATE_FILE_NAME": "",
                "CERTIFICATE_FILE_NAME": "",
                "DEFAULT_CHANGED": false,
                "PRIM_PORT_SECURE": false,
                "PRIM_PORT_VAL": "80",
                "PRIVATEKEY_FILE_NAME": "",
                "SEC_PORT_ENABLE": false,
                "SEC_PORT_VAL": "8080"
            },
            "CONFIG_TYPE_IP_CONFIG": {
                "AP_ARP_RENEW_TIME": null,
                "AP_DEFAULT_GATEWAY": "10.123.45.1",
                "AP_DHCP_CLIENT_TIME_OUT": null,
                "AP_DHCP_SERVER_LAST_IP_ADDRESS": "10.123.45.254",
                "AP_DHCP_SERVER_MODE": null,
                "AP_DHCP_SERVER_START_IP_ADDRESS": "10.123.45.2",
                "AP_DNS_CLIENT_TIME": null,
                "AP_INACTIVITY_TIME": null,
                "AP_IPV4_DNS_SERVER": "10.123.45.1",
                "AP_IPV6_DNS_SERVER": null,
                "AP_IP_MODE": null,
                "AP_KEEP_ALIVE_TIME": null,
                "AP_STATIC_IP": "10.123.45.1",
                "AP_STATIC_IPV6_GLOBAL_ADDRESS": null,
                "AP_STATIC_IPV6_LOCAL_ADDRESS": null,
                "AP_SUBNET_MASK": null,
                "STA_ARP_RENEW_TIME": null,
                "STA_DEFAULT_GATEWAY": "192.168.1.31",
                "STA_DHCP_CLIENT_TIME_OUT": null,
                "STA_DHCP_SERVER_LAST_IP_ADDRESS": null,
                "STA_DHCP_SERVER_MODE": null,
                "STA_DHCP_SERVER_START_IP_ADDRESS": null,
                "STA_DNS_CLIENT_TIME": null,
                "STA_INACTIVITY_TIME": null,
                "STA_IPV4_DNS_SERVER": "192.168.1.31",
                "STA_IPV6_DNS_SERVER": null,
                "STA_IP_MODE": "True",
                "STA_KEEP_ALIVE_TIME": null,
                "STA_STATIC_IP": "192.168.1.101",
                "STA_STATIC_IPV6_GLOBAL_ADDRESS": null,
                "STA_STATIC_IPV6_LOCAL_ADDRESS": null,
                "STA_SUBNET_MASK": "255.255.255.0",
                "SystemFileId": "CONFIG_TYPE_IP_CONFIG"
            },
            "CONFIG_TYPE_MAC": {
                "MAC_ADDR": "08:00:28:11:22:33",
                "SystemFileId": "CONFIG_TYPE_MAC",
                "USE_DEFAULT": 1
            },
            "CONFIG_TYPE_MODE": {
                "AP_START_APPS": 15,
                "AP_TX_POWER_LEVEL": "0",
                "AUTO_PROV_EXTERNAL_CONFIRMATION": "0",
                "COUNTRY_CODE": "EU",
                "IGNORE_FORCE_AP": "0",
                "Is5GEnabled": false,
                "NO_PSPOLL_MODE": false,
                "P2P_CLS_START_APPS": 5,
                "P2P_GO_START_APPS": 15,
                "PHY_AP_HIGH_TX_POWER": 0,
                "PHY_CAL_MODE": "0",
                "PHY_STA_HIGH_TX_POWER": 0,
                "PROVISIONING_MODE": 2,
                "PROVISIONING_MONITOR_TIMER": 0,
                "PROVISIONING_RESULT": 0,
                "PROVISIONING_ROLE_AFTER_SUCCESS": 0,
                "PROVISIONING_SAVED_AUTO_START": 1,
                "PROVISIONING_SAVED_ROLE": 0,
                "PROVISIONING_STATE": 0,
                "SL_EVENT_CLASS_BSD": 0,
                "SL_EVENT_CLASS_DEVICE": 0,
                "SL_EVENT_CLASS_FS": 0,
                "SL_EVENT_CLASS_GLOBAL": 0,
                "SL_EVENT_CLASS_NETAPP": 0,
                "SL_EVENT_CLASS_NETCFG": 0,
                "SL_EVENT_CLASS_WLAN": 0,
                "START_ROLE": "2",
                "STA_START_APPS": 5,
                "STA_TX_POWER_LEVEL": "0",
                "SystemFileId": "CONFIG_TYPE_MODE"
            },
            "CONFIG_TYPE_STA_CONFIG": {
                "AUTOPROVISIONING": "1",
                "AUTOSTART": "1",
                "CONNECTTOANYP2P": "0",
                "USEFASTCONNECT": "0"
            },
            "FILES": {
                "CSS_FILE_NAME": "/files/certcatalogPlayGround.lst.signed_gen2.bin",
                "CS_FILE_NAME": "/files/certcatalogPlayGround.lst",
                "OTP_NAME": "vmedd_otp.inf",
                "SM_MCU_CERT_NAME": "",
                "SM_MCU_NAME": "mcuflashimg.bin",
                "SP_FILE_NAME": "sp_3.22.0.1_2.7.0.0_2.2.0.7.bin",
                "SystemFileId": "FILES"
            }
        }
    }
  • Hi,

    I don't need OTP for embedded programming. We are already doing OTP with Uniflash.

    Can you describe the flow in both cases (Uniflash and embedded programming)?

    Can you explain a little bit more what you meant by flow?

  • So you are programming when the OTP is already flashed?

    By flow I mean the steps you take when programming via embedded.

    Can you attach the ImageConfig.xml file? I want to see the filenames and configuration.

    Shlomi

  • ImageConfig.xml
    <?xml version="1.0" ?>
    <Root>
    <ImageBuilderProp StorageCapacityBytes="8388608" IsTheDeviceSecure="true">
    <RetToFactoryFlagsList>
    <RetToFactoryFlag>RET_TO_IMAGE_HOST</RetToFactoryFlag>
    <RetToFactoryFlag>RET_TO_DEFAULT_HOST</RetToFactoryFlag>
    <RetToFactoryFlag>RET_TO_IMAGE_GPIO</RetToFactoryFlag>
    </RetToFactoryFlagsList>
    </ImageBuilderProp>
    <CommandsSetList>
    <CommandsSet>
    <Command>
    <CommandFormatStorage EraseStorage="false" SecurityAlertThreshold="15"/>
    </Command>
    <Command>
    <CommandWriteCertificateStore SignatureFileName="C:/Users/Build-server/.SLImageCreator/projects\ProductionR0_34\sl_css\vmedd_certCatalog.lst.signed.bin">
    <FileLocation>C:/Users/Build-server/.SLImageCreator/projects\ProductionR0_34\sl_cs\vmedd_certCatalog.lst</FileLocation>
    </CommandWriteCertificateStore>
    </Command>
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


    Here is my  ImageConfig.xml.
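
The project JSON and the ImageConfig.xml posted above name different catalog files. The following is an added example, not code from the thread or from TI's tools, that lists the certificate-related fields of both files side by side for a manual pre-flash review. The sample strings are constructed excerpts of the two posts, the function names are hypothetical, and field meanings are assumed from the field names only; it does not diagnose error -10289.

```python
import json
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed excerpts holding only fields quoted in the thread.
PROJECT_JSON = r'''{
 "header": {"IsTheDeviceSecure": true, "UseOtp": false,
            "UseDefaultPlayGroundCatalog": true},
 "systemFiles": {"FILES": {
   "CSS_FILE_NAME": "/files/certcatalogPlayGround.lst.signed_gen2.bin",
   "CS_FILE_NAME": "/files/certcatalogPlayGround.lst",
   "OTP_NAME": "vmedd_otp.inf", "SM_MCU_CERT_NAME": ""}}}'''
IMAGE_CONFIG_XML = r'''<Root><CommandsSetList><CommandsSet><Command>
<CommandWriteCertificateStore SignatureFileName="C:/Users/Build-server/.SLImageCreator/projects\ProductionR0_34\sl_css\vmedd_certCatalog.lst.signed.bin">
<FileLocation>C:/Users/Build-server/.SLImageCreator/projects\ProductionR0_34\sl_cs\vmedd_certCatalog.lst</FileLocation>
</CommandWriteCertificateStore></Command></CommandsSet></CommandsSetList></Root>'''

def name(path):
    # PureWindowsPath splits on both "/" and "\"; the posted paths mix them.
    return PureWindowsPath(path.strip()).name

def catalog_refs(project_json, image_config_xml):
    """Catalog and signature file names as each config file states them."""
    files = json.loads(project_json)["systemFiles"]["FILES"]
    store = ET.fromstring(image_config_xml).find(".//CommandWriteCertificateStore")
    return {
        "json_catalog": name(files["CS_FILE_NAME"]),
        "json_signature": name(files["CSS_FILE_NAME"]),
        "xml_catalog": name(store.findtext("FileLocation")),
        "xml_signature": name(store.get("SignatureFileName")),
    }

def review(project_json, image_config_xml):
    """Return points to check by hand; none of them is a diagnosis."""
    project = json.loads(project_json)
    header, files = project["header"], project["systemFiles"]["FILES"]
    refs = catalog_refs(project_json, image_config_xml)
    notes = []
    if refs["json_catalog"] != refs["xml_catalog"]:
        notes.append(f"catalog differs: JSON {refs['json_catalog']} vs XML {refs['xml_catalog']}")
    if header.get("UseDefaultPlayGroundCatalog"):
        notes.append("UseDefaultPlayGroundCatalog is true")
    if header.get("IsTheDeviceSecure") and not files.get("SM_MCU_CERT_NAME"):
        notes.append("SM_MCU_CERT_NAME is empty on a secure device")
    if files.get("OTP_NAME") and not header.get("UseOtp"):
        notes.append("OTP_NAME is set while UseOtp is false")
    return notes

if __name__ == "__main__":
    for note in review(PROJECT_JSON, IMAGE_CONFIG_XML):
        print("check:", note)
```
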

  • so you are programming when the OTP is already flash?

    Yes, OTP is already flashed.

    Generally, I use either the dslite CLI or the GUI to create a Uniflash image.

    Using the dslite CLI, I am doing these steps:

    1. Add files

    2. Add the Root Certificate Authority file

    ${dslite} --mode cc32xx project add_file --name ${uniflash_project_name} --file ${vmedd_root_ca-cert} --fs_path vmedd_root_ca_cert --flags nofailsafe,nopublicwrite --overwrite

    3. Add trusted cert file

    ${dslite} --mode cc32xx project add_file --name ${uniflash_project_name} --file ${vmedd_cert} --fs_path vmedd_cert_trusted --flags nofailsafe,nopublicwrite --overwrite

    4. Set trusted catalog

    ${dslite} --mode cc32xx project set_certstore --name ${uniflash_project_name} --file ${vmedd_catalog} --sign ${vmedd_catalog_signed} --overwrite

    5. Add MCU image

    ${dslite} --mode cc32xx project add_file --name ${uniflash_project_name} --project_path ${uniflash_project_path} --file ${mcu_image} --mcu --flags failsafe,secure,publicwrite --overwrite --cert ${vmedd_cert} --priv ${priv_key}

    6. Create Uniflash image

    ${dslite} --mode cc32xx project create_image --name ${uniflash_project_name} --project_path ${uniflash_project_path}

    7. Flash devices using embedded programming

    ImageProgramming.exe -p ${port} -i ${ucf_file} -v

  • Hi,

    If I look at the procedure of Uniflash CLI (or GUI) to flash an image, there is a checkbox for using the vendor certificate catalog.

    This flag is not part of the xml file so embedded programming fails on signature since it cannot be verified against the OTP public key.

    To summarize, when OTP feature is used, Uniflash has to be used for image programming.

    I don't have a way to verify it, but it seems this way.

    Can you double check on your side and program via Uniflash CLI and see if programming succeeds?

    Regards,

    Shlomi

  • This flag is not part of the xml file so embedded programming fails on signature since it cannot be verified against the OTP public key.

    For Uniflash, when vendor certificate catalog is checked, programming succeeds.
    For embedded programming, when vendor certificate catalog is checked, programming fails.

    This flag is not part of the xml file so embedded programming fails on signature since it cannot be verified against the OTP public key.

    Does that mean I can't use my private catalog?
    In that case, what should I do now?

  • Hi,

    The problem is that the OTP support was added in a later phase and requires a secondary bootloader to be loaded to RAM and executed.

    This is done by Uniflash while embedded programming is using a much thinner secondary bootloader (older one) that does not have these capabilities.

    Just changing to the new bootloader would not work since the procedure must also be modified (writing to different locations in RAM for example).

    Thus, OTP is only supported via Uniflash.

    Shlomi

  • Thanks a lot for your detailed response. Can we expect any update of the embedded programming tool in the near future?

  • Hi Swapnil,

    Just a side note. Do you know Python? Uniflash Image Creator is written in Python 2.7 and compiled into an exe file. I hope I don't need to say more...

    Jan