CC3220SF-LAUNCHXL: custom certificates + custom vendor catalog generation (FS_WRONG_SIGNATURE)

Francesco Prosperi

Part Number: CC3220SF-LAUNCHXL
Other Parts Discussed in Thread: UNIFLASH, CC3200, CC3100

Hi all,

we are struggling with the error FS_WRONG_SIGNATURE (ret: -10289, ex_err 2632).

We have performed all the steps in the http://www.ti.com/lit/ug/swru368b/swru368b.pdf and http://www.ti.com/lit/ug/swru547/swru547.pdf

Following are the commands to (try to) accomplish that:

#Generate CA Key
openssl genrsa -out root-ca-key.pem 2048

#Convert Key to DER format
openssl rsa -in root-ca-key.pem -inform PEM -out root-ca-key.der -outform DER

#Generate CA cert
openssl req -new -x509 -days 10000 -key root-ca-key.pem -out root-ca-cert.pem

#Convert CA cert to DER format
openssl x509 -in root-ca-cert.pem -inform PEM -out root-ca-cert.der -outform DER

#Removing DER extension
mv root-ca-cert.der root-ca-cert

#=================================================================================

#Generate my private key
openssl genrsa -out my-key.pem 2048

#Convert my Key to DER format
openssl rsa -in my-key.pem -inform PEM -out my-key.der -outform DER

#Generate my Cert (untrusted)
openssl req -new -key my-key.pem -out my-cert.pem

#Sign with CA key
openssl x509 -req -days 10000 -in my-cert.pem -CA root-ca-cert.pem -CAkey root-ca-key.pem -set_serial 01 -out my-cert-trusted.pem

#Convert my Cert (trusted) to DER format
openssl x509 -in my-cert-trusted.pem -inform PEM -out my-cert-trusted.der -outform DER

mv my-cert-trusted.der my-cert-trusted

We then placed root-ca-cert certificate inside ExampleknownCA folder (to insert it into catalog - the only one that we need)

Then we created the custom catalog and the OTP (windows powershell prompt):

cd "C:\ti\uniflash_4.4.0\simplelink\imagecreator\bin"

.\SLImageCreator.exe tools make_cert_catalog --cert_folder "C:\Certs\ExampleknownCA" --out_file "C:\Certs\certificate_Catalog.lst"

.\SLImageCreator.exe tools sign --file "C:\Certs\certificate_Catalog.lst" --priv "C:\Certs\root-ca-key.pem" --out_file "C:\Certs\certificate_Catalog.lst.signed.bin" --fmt "BINARY_SHA1"

# # creating OTP file

.\SLImageCreator.exe tools meta --cert "C:\Certs\root-ca-cert.pem" --out_file "C:\Certs\vendor_otp.meta"

.\SLImageCreator.exe tools sign --file "C:\Certs\vendor_otp.meta" --priv "C:\Certs\root-ca-key.pem" --out_file "C:\Certs\vendor_otp.meta.sig" --fmt "BINARY_SHA2"

.\SLImageCreator.exe tools inf --algo 2 --sign1 "C:\Certs\vendor_otp.meta.sig" --sign2 "C:\Certs\vendor_otp.meta.sig" --meta "C:\Certs\vendor_otp.meta" --out_file "C:\Certs\vendor_otp.inf"

As you can see, we are using root-ca-cert as root of trust.

We have attached also the certificates generated (and the other files) that eventually you can check for.

cert_generated.zip

In some way, the MCU can't validate our binary image. What are we doing wrong?

Any help is appreciated.

Thanks in advance,

over 7 years ago

0 Sarah P over 7 years ago

TI__Mastermind 38980 points

Hi FP,

Can you share the error you see when the image creation fails?

Best regards,
Sarah

0 Francesco Prosperi over 7 years ago in reply to Sarah P

Intellectual 390 points

Hi Sarah,

thanks for the reply.

Right now I have no board so I can't take the screenshot but I can tell you the error code:

ret: -10289, ex_err 2632 - FS_WRONG_SIGNATURE

The error occurs during the programming operation (about the 99%).

I can't tell if the error is in the OTP or in the certificates.

Is there a way to understand what is the wrong file loaded?

Thansk you,

0 Sarah P over 7 years ago in reply to Francesco Prosperi

TI__Mastermind 38980 points

Hi FP,

I missed it earlier, but it looks like you're using UniFlash version 4.4. You need version 4.5 or later for this new feature. The minimum requirements for the UniFlash version and servicepack are in the Vendor Device Authentication User's Guide.

Can you try this with the latest UniFlash and servicepack?

Best regards,
Sarah

0 Sarah P over 7 years ago in reply to Sarah P

TI__Mastermind 38980 points

Hi FP,

Also, please note that you linked to the Gen 1 CC3100/CC3200 User's Guide above. You should be using the NWP Programmer's Guide for the CC3220 device instead: http://www.ti.com/lit/swru455

Best regards,

Sarah

0 Francesco Prosperi over 6 years ago in reply to Sarah P

Intellectual 390 points

Hi Sarah,

UniFlash version is 4.5 (I just checked).

I hope, for now, that when I'll have the true certificates form the CA, I will not experiment problems loading such files.

Thanks for the feedback,
FP

0 Sarah P over 6 years ago

TI__Mastermind 38980 points

Hi FP,

You may want to check your installed versions and be sure you only have the latest. Your file path indicates you are using v4.4 still.

Francesco Prosperi said:

cd "C:\ti\uniflash_4.4.0\simplelink\imagecreator\bin"

.\SLImageCreator.exe tools make_cert_catalog --cert_folder "C:\Certs\ExampleknownCA" --out_file "C:\Certs\certificate_Catalog.lst"

.\SLImageCreator.exe tools sign --file "C:\Certs\certificate_Catalog.lst" --priv "C:\Certs\root-ca-key.pem" --out_file "C:\Certs\certificate_Catalog.lst.signed.bin" --fmt "BINARY_SHA1"

Best regards,

Sarah

0 Francesco Prosperi over 6 years ago in reply to Sarah P

Intellectual 390 points

Hi Sarah,

yes, the folder is still called 4.4 but I've already updated Uniflash.

Regards,

0 Sarah P over 6 years ago in reply to Francesco Prosperi

TI__Mastermind 38980 points

Hi FP,

Occasionally with new installations, old files may not have been removed. If you continue to have issues, I suggest trying a fresh installation of the latest UniFlash and uninstall all older versions first.

Best regards,
Sarah

0 Francesco Prosperi over 6 years ago in reply to Sarah P

Intellectual 390 points

Hi Sarah,

thanks for the hint. I'll try tomorrow (01:00 here). I'll write here the result.

Regards,

Wi-Fi

Wi-Fi forum

CC3220SF-LAUNCHXL: custom certificates + custom vendor catalog generation (FS_WRONG_SIGNATURE)