How to disable DTB encryption of L4T 28.2

yahoo2016 · May 21, 2018, 10:39am

Signing DTBs with encryption in L4T 28.2 brought a lot of inconvenience to developers, is there a way to disable DTB signing in L4T 28.2?
Thanks in advance for suggestions.

JerryChang · May 22, 2018, 2:56am

hello yahoo2016,

sorry, we’re not suggest to disable DTB encryption.
may I know what’s the side-effect after DTB signing?
thanks

yahoo2016 · May 22, 2018, 11:02am

Jerry,
There are several posts about encrypted DTB on L4T 28.2. Developers would like to be able to update DTB on TX2 without using micro USB cable and Ubuntu host.

We build kernel and DTB on TX2, using “dd” to flash DTB on R28.1 and reboot to make new DTB take effect.

It’s much slower building new DTB on host, copy it to “kernel/dtb” folder, put TX2 in recovery mode, and run “flash.sh” on host.

How difficult would it be to disable DTB encryption?

Thanks

JerryChang · May 28, 2018, 6:01am

hello yahoo2016,

we share the steps to update the DTB files without using micro USB cable and Ubuntu host.
please refer to [url]https://devtalk.nvidia.com/default/topic/1035622/jetson-tx2/in-system-update-of-dtb-in-r28-2/post/5262418/#5262418[/url]
thanks

yahoo2016 · May 28, 2018, 9:22pm

Jerry,
Those steps still need a Ubuntu host with Intel CPU to run NV binaries and copy the encrypted DTB from Intel host to TX2.
Can source code for NV binaries needed by “tegraflash.py” be released?
Or, can Nvidia build and provide those binaries for TX2?
Thanks

linuxdev · May 28, 2018, 9:42pm

The command line tools do not require an Ubuntu host (this is purely a JetPack requirement)…any 64-bit x86 host will work if it is running Linux. However, for the signing part, I too am interested in what tools tegraflash.py might be calling indirectly.

yahoo2016 · May 29, 2018, 10:23am

Binary file tegrasign_v2 was used multiple times by tegraflash.py.

It appears signing process is done before u-boot. Tegraboot for R28.2 is changed for DTB signing.

Since Tegraboot is provide by Nvidia as binary, developers can’t “custimized” it for signing. I did not see signing option in BCT configuration.

linuxdev · May 29, 2018, 8:07pm

Some documentation hinted that the signing itself is not proprietary. I was hoping perhaps someone from NVIDIA might suggest details of how to emulate the signing via tools such as PGP or OpenSSH tools. Example: What digest the fingerprint is, and requirements of the key.

Werner1 · November 6, 2018, 3:23pm

Hello. I’m also interested in flashing the DTB files with the dd command like it can be done with R28.1. Are there any updates?

JerryChang · November 7, 2018, 2:56am

hello Werner1,

again, we do NOT support disable DTB encryption.
here are brief steps for your to update the DTB files without flashing the Jetson-TX2 device.
thanks

build the DTB
replace new DTB files with $OUT/bootloader/tegra186.dtb
generate signed files with tegraflash.py
for example,

sudo ./tegraflash.py --bl nvtboot_recovery_cpu.bin  --chip 0x18 --applet mb1_recovery_dev.bin  --cfg flash.xml  --sdram_config P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg --sdram_config P3310_A00_8GB_Samsung_8GB_lpddr4_204Mhz_A02_l4t.cfg --misc_config tegra186-mb1-bct-misc-si-l4t.cfg --pinmux_config tegra186-mb1-bct-pinmux-quill-p3310-1000-a00.cfg --pmic_config tegra186-mb1-bct-pmic-quill-p3310-1000-a00.cfg --pmc_config tegra186-mb1-bct-pad-quill-p3310-1000-a00.cfg --prod_config tegra186-mb1-bct-prod-quill-p3310-1000-a00.cfg --scr_config minimal_scr.cfg --scr_cold_boot_config mobile_scr.cfg --br_cmd_config tegra186-mb1-bct-bootrom-quill-p3310-1000-a00.cfg --dev_params emmc.cfg  --cfg  flash.xml --bins "mb2_bootloader nvtboot_recovery.bin; mts_preboot preboot_d15_dev_cr.bin; mts_bootpack mce_mts_d15_dev_cr.bin; bpmp_fw bpmp.bin; bpmp_fw_dtb tegra186-a02-bpmp-quill-p3310-1000-a00-00-te770d-ucm2.dtb; tlk tos.img; eks eks.img; bootloader_dtb tegra186-quill-p3310-1000-a00-00-base.dtb"  --cmd "sign"

copy the signed DTB to target device.
list the block IDs with below commands, please check the partition ID for kernel-dtb

$ ls -al /dev/disk/by-partlabel

replace the kernel-dtb partition (/dev/mmcblk0p26) with dd command for TX2.
for example,

$ sudo dd if=tegra186-quill-p3310-1000-c03-00-base_sigheader.dtb.encrypt of=/dev/mmcblk0p26 bs=1M

you may also refer to Topic 1042852, Topic 1020708, Topic 1021660 for more details.
thanks

Werner1 · November 7, 2018, 12:05pm

Hi, can you give me a hint how the arguments for tegraflash.py should look like only to encrypt a DTB?

JerryChang · November 8, 2018, 1:36am

hello Werner1,

DTB is encrypted before flashing into the board, you should execute below commands at the first time, and rollback the flashing console messages, you may found the encrypt commands.

$ sudo ./flash.sh -r -k kernel-dtb jetson-tx2 mmcblk0p1

I’ve also update my previous comments (#10) for you checking.
thanks

Werner1 · November 15, 2018, 10:51am

Thanks. This works for me now. I found the flash messages in ./Linux_for_Tegra/bootloader/flashcmd.txt