Author Topic: NXP Secure Provisioning Settings for Bootloader on MIMXRT1060-EVP (and EA OEM)  (Read 4827 times)

Offline sw-nw2s

  • Newbie
  • *
  • Posts: 5
    • View Profile

I am just getting started with the i.MX bootloader. I have successfully built the default bootloader project using MCUxpresso.

I have also successfully uploaded both the default build and the serial bootloader demo from the RT1060 information page to the MIMXRT1060-EVK using the embedded DAPlink MSD interface.

So far so good. My goal however is to use the EA OEM which obviously doesn't have the OpenSDA DAPlink. I'm trying to get the EVK running as a control and then move to the EA OEM board once I know it's running on the EVK.

That means that I need to use the NXP Secure Provisioning Tool as I'm on OS X and the python open source tool listed in the utasker docs requires Windows.

The Secure Provisioning Tool does a few things, but I'm trying to just use it in it's most basic form (no encryption, no signing). My understanding is that I have two options.

1. Add a DCD header to the *.bin file prior to uploading so that it's a "bootable" image.
2. Don't add the DCD header in case you already have compiled in the proper structs at the beginning of the binary data.

If you choose to add the DCD header, you need to add the start address which seems to default to 0x60000000. I'm not sure if that's correct or not based on the utasker complete loader binary (BM, Fallback, and Bootloader all in one bin)

So I'm not sure if the utasker binary that I'm uploading includes the DCD block and if it does not, what I should be setting the start address to.

Ive attached a screenshot of the image build log output and the blank screen with the options populated as built. When I upload, the indications are that it uploads successfully via USB-HID.

The problem is that neither the default build nor the downloaded example bin file will boot when uploaded using the secure provisioning tool even though the both work with the DAP link. I'm sure I'm missing something here.

Thanks,

Scott




Offline mark

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 3234
    • View Profile
    • uTasker
Hi Scott

I don't use the NXP provisioning tool. The idea is that the uTasker project gives a simplified and more integrated solution and thus needing to use the provisioning tool together with it would defeat the object. For help with using the provisioning tool you can contact NXP.

For EA OEM there is also a solution: https://www.utasker.com/iMX/iMX_RT1062_OEM.html

Loading is simple using ISP mode and MCUBootUtility via USB. OpenSDA is never needed.

For production programming the uTasker i.MX RT Production Programmer is foreseen: https://www.utasker.com/docs/iMX/uTasker_iMX-RT-Programmer.pdf This is not yet released but allows any 'other' board to be used to clone new boards directly over USB.

The uTasker utilities have been used on Windows, MAC and Linux, although I only work with Windows and so only supply the Windows exes. MAC users can build their own exes from the source code (available on request).

Regards

Mark


Offline sw-nw2s

  • Newbie
  • *
  • Posts: 5
    • View Profile
Thanks. I have intermittent access to a windows machine, so I can test some things out - again as a control so I can try to adapt to my normal workflow.

So for now I am able to flash the locally compiled boot loader to the 1060 EVK. Great news. I am also able to download your demo 1060 app and run that using the bootloader... and switch between the application and the bootloader at will. Again progress!

The MCUBootUtility you reference in your docs and videos is just a wrapper around sdphost and blhost just like the NXP provided secure provisioning tools, so I should be able to adapt that to os x since those command line tools are cross platform. I'll work on documenting that and provide any details if anyone is interested for posterity here.

The next little bit of complication is that I am trying to upload a *.bin which has been compiled independently of the utasker app framework. You have a video here which references a generate.bat file which I don't seem to see anywhere, but it's readable in the video, so I can see that the part I'm interested  in seems to be just one command which is in the other specific generate.bat files in your application folders...

https://www.youtube.com/watch?v=5iT7KP691ls&ab_channel=mjbcswitzerland

Roughly translated:

uTaskerConvert.exe blinky.bin blinky-upload.bin -0x1234 -a748b6531124

however, when I copy this new bin file over to UPLOAD_FOLDER, it does not "consume" it... it just sits there unlike when I upload the sample app from website and/or the built sample utasker application, it reboots itself as soon as it copies and begins running immediately.

I assume I'm missing something, but I'm not sure. Still trying to work through that. I verified that the auth value and magic number are the same as in the build of the bootloader... Must be something else the loader is verifying.









Offline sw-nw2s

  • Newbie
  • *
  • Posts: 5
    • View Profile
I see... one thing I missed was I was watching the "Pearl Izumi" video... Didn't see there was another one for setting up ITC builds to run. Looks like you mentioned in the video that the code should start at 0x300 and I can confirm that your demo app output *.map file indicates .text starts at 0x300... so for it to work, that's what I'm going to need to work on. (and some things with the vector table it looks like)

Weird tho that the bootloader doesn't load my app with the auth and magic number set correctly. I guess it's also validating other stuff before it will burn it to flash - is that documented anywhere?

s
« Last Edit: May 04, 2021, 02:36:52 AM by sw-nw2s »

Offline mark

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 3234
    • View Profile
    • uTasker
Hi

Guides an videos for specific IDE are here: https://www.utasker.com/iMX/developers.html

The documents give the bat file contents and detail the authentication/encryption settings.

Regards

Mark

Offline jackking

  • Newbie
  • *
  • Posts: 31
    • View Profile
I tried a similar path, using Secure Provisioning.
 Looking at the log output, and comparing to MCUBootUtility, the image location is not correct in Secure Provisioning.

 In my case it was 0x60001000 instead of 0x60000000.

 I don’t see a way to change this in Secure Provisioning.

Offline sw-nw2s

  • Newbie
  • *
  • Posts: 5
    • View Profile
Thanks for the heads up. Yeah, I was planning on just mimicking MCUBootUtility using command line tools. Worst case, I guess I will just have to use a Windows box for production flashing. I just need to get a generic app migrated to be loadable by utasker boot loader so I can continue to develop using the projects already in place in my os x world... Depending on how long I bang my head there tho, that may have to change as well. Have to take a couple of days to catch up on orders, do some soldering and will be back at it.

Scott

Offline jackking

  • Newbie
  • *
  • Posts: 31
    • View Profile
I am in exactly the same boat. 

I run all my dev on Mac, I even wrote a cocoa app to run all of the sdp/blhost commands directly over USB, but things keep changing, and I can’t keep up with a desktop “updater” for my users. 

Things continually stop working or get locked down with IOKit.  The Windows side was a little easier, but I am not a desktop programmer.

So my hope is that my generic imxrt app can be seamlessly integrated with the uTasker Loader to take the desktop issues out of the equation.

I will try and post any tips I find along the way, and maybe we can from each other’s “journey”!

oh, and don’t update to Big Sur...  MCUXpresso isn’t really ready for it.

Offline jackking

  • Newbie
  • *
  • Posts: 31
    • View Profile
I am now trying to build the SerialLoader project on Mac using MCUXpresso.
I will update this post as I move to each step.

For the uTaskerBM_Loader (uTaskerBoot configuration), the post build step is supposed to call generate.bat (which isn't usable on Mac)

I replaced this with the direct call:
Code: [Select]
arm-none-eabi-objcopy -v -O binary "${BuildArtifactFileName}" "${ProjDirPath}/Applications/uTaskerBoot/MCUXpresso_iMX/uTaskerBM_loader/${BuildArtifactFileBaseName}_${TargetBoard}.bin"
I also rewrote this as generate.sh.  You will need to add the arm bin directory to your shell path to do it this way (in ~/.zshrc on Big Sur).  Here is the generate.sh for uTaskerBoot build config:
Code: [Select]
#!/bin/sh

TARGET_DIR="../Applications/uTaskerBoot/MCUXpresso_iMX"
echo "TARGET_DIR:$TARGET_DIR"

BM_TARGET_DIR="$TARGET_DIR/uTaskerBM_Loader"
echo "BM_TARGET_DIR:$BM_TARGET_DIR"

TARGET="$TARGET_DIR/uTaskerBM_loader_$1.bin"
echo "TARGET:$TARGET"

#rem generate a binary output file
arm-none-eabi-objcopy -v -O binary "uTaskerBM_loader.axf" "$TARGET"


I also rewrote the generate script for uTaskerFallbackLoader and uTaskerSerialLoader, but I could only find a Mac version of uTaskerConvert, not uTaskerCombine...   so this won't completely work (yet?)

Code: [Select]
#!/bin/sh

OFFSET="0x10000"
if [ $2 == "MIMXRT1050" ];
then
  OFFSET="0x40000"
fi
echo "OFFSET:$OFFSET"

TOOLS_DIR="../Tools"
echo "TOOLS_DIR:$TOOLS_DIR"

TARGET_DIR="../Applications/uTaskerSerialBoot/MCUXpresso_iMX"
echo "TARGET_DIR:$TARGET_DIR"

BM_TARGET_DIR="$TARGET_DIR/uTaskerBM_loader"
echo "BM_TARGET_DIR:$BM_TARGET_DIR"

SERIAL_TARGET_DIR="$TARGET_DIR/uTaskerSerialLoader"
echo "SERIAL_TARGET_DIR:$SERIAL_TARGET_DIR"

TARGET="$TARGET_DIR/uTaskerFallbackLoaderImage_$2.bin"
echo "TARGET:$TARGET"


#rem generate a binary output file
arm-none-eabi-objcopy -v -O binary "uTaskerSerialLoader.axf" "$SERIAL_TARGET_DIR/uTaskerSerialLoader.bin"

#rem Encrypt using AES256
$TOOLS_DIR/uTaskerConvert "$SERIAL_TARGET_DIR/uTaskerSerialLoader.bin" "$SERIAL_TARGET_DIR/_temp.bin" $3 $4

#rem Add header and authentication to the encrypted image - this is uploaded to a board programmed with the uTaskerBootLoader [build without iMX_FALLBACK_SERIAL_LOADER]
$TOOLS_DIR/uTaskerConvert "$SERIAL_TARGET_DIR/_temp.bin" "$SERIAL_TARGET_DIR/uTaskerSerialLoaderUpload.bin" -0x9$5 -$6

if [ $1 == "0" ]
then
 cp "$SERIAL_TARGET_DIR/uTaskerSerialLoaderUpload.bin" "$SERIAL_TARGET_DIR/uTaskerSerialLoaderUpload_$2.bin"
fi

#rem combine the boot loader with the serial loader (fallback loader) - this image is loaded to a fresh board  [build with iMX_FALLBACK_SERIAL_LOADER]
$TOOLS_DIR/uTaskerCombine "$BM_TARGET_DIR/uTaskerBoot_$2.bin" "$SERIAL_TARGET_DIR/uTaskerSerialLoaderUpload.bin" 0x4000 "$SERIAL_TARGET_DIR/uTaskerBootLoaderImage.bin"

#rem - Prepare the Fall-back binary archive or combine the serial loader with the Fall-back loader
if [ $1 == "1" ]
then
  cp "$SERIAL_TARGET_DIR\uTaskerBootLoaderImage.bin" $TARGET 
else
  $TOOLS_DIR/uTaskerCombine $TARGET "$SERIAL_TARGET_DIR\uTaskerSerialLoaderUpload_$2.bin" $OFFSET[0x100-FALLBACK_LD] "$SERIAL_TARGET_DIR\uTaskerBootComplete_$2.bin" "$SERIAL_TARGET_DIR\uTaskerBootComplete_$2.hex"
fi

#rem Clean up
rm "$SERIAL_TARGET_DIR\_temp.bin"
rm "$SERIAL_TARGET_DIR\uTaskerSerialLoader.bin"
rm "$SERIAL_TARGET_DIR\uTaskerBootLoaderImage.bin"
rm "$SERIAL_TARGET_DIR\uTaskerSerialLoaderUpload.bin"

Here is the output from the uTaskerFallbackLoader build (as it stands now, it can't complete without uTaskerCombine)

Code: [Select]
09:23:08 **** Incremental Build of configuration uTaskerFallbackLoader for project uTaskerV1.4 ****
make -r -j19 all
Building target: uTaskerSerialLoader.axf
Invoking: MCU Linker
arm-none-eabi-gcc -nostartfiles -Xlinker -Map="uTaskerSerialLoader.map" -Xlinker --gc-sections -Xlinker -print-memory-usage -Xlinker --sort-section=alignment -Xlinker --cref -mcpu=cortex-m7 -mfpu=fpv5-sp-d16 -mfloat-abi=hard -mthumb -T iMX_RT_10XX_FlexSPI_NOR_BOOT.ld -L "/Users/jackking/Documents/MCUXpressoIDE_11.2.0/workspace/uTaskerV1.4/Applications/uTaskerSerialBoot/GNU_iMX" -o "uTaskerSerialLoader.axf"  ./uTasker/utFAT/mass_storage.o  ./uTasker/uGLCDLIB/FT_CoPro_Cmds.o ./uTasker/uGLCDLIB/GLCD.o ./uTasker/uGLCDLIB/LCD.o  ./uTasker/MODBUS/MODBUS.o  ./uTasker/DSP.o ./uTasker/Driver.o ./uTasker/GlobalTimer.o ./uTasker/SPI_drv.o ./uTasker/SSC_drv.o ./uTasker/Tty_drv.o ./uTasker/USB_drv.o ./uTasker/Watchdog.o ./uTasker/can_drv.o ./uTasker/crypto.o ./uTasker/eth_drv.o ./uTasker/i2c_drv.o ./uTasker/low_power.o ./uTasker/time_keeper.o ./uTasker/uFile.o ./uTasker/uMalloc.o ./uTasker/uNetwork.o ./uTasker/uTasker.o  ./stack/SSL/wolfssl-3.9.6/w_aes.o  ./stack/SSL/openssl-1.0.2/aes_cbc.o ./stack/SSL/openssl-1.0.2/aes_core.o ./stack/SSL/openssl-1.0.2/cbc128.o  ./stack/SSL/mbedtls-1.3.10/aes_mbedTLS.o ./stack/SSL/mbedtls-1.3.10/sha256_mbedTLS.o  ./stack/PPP/auth.o ./stack/PPP/chap.o ./stack/PPP/chpms.o ./stack/PPP/fsm.o ./stack/PPP/ipcp.o ./stack/PPP/lcp.o ./stack/PPP/lwppp.o ./stack/PPP/magic.o ./stack/PPP/md5.o ./stack/PPP/pap.o ./stack/PPP/ppp_oe.o ./stack/PPP/randm.o ./stack/PPP/vj.o  ./stack/Ethernet.o ./stack/NetBIOS.o ./stack/arp.o ./stack/dhcp.o ./stack/dns.o ./stack/ftp.o ./stack/ftp_client.o ./stack/http.o ./stack/icmp.o ./stack/igmp.o ./stack/ip.o ./stack/ip_utils.o ./stack/mqtt.o ./stack/pop3.o ./stack/ppp.o ./stack/secure_layer.o ./stack/smtp.o ./stack/snmp.o ./stack/tcp.o ./stack/telnet.o ./stack/tftp.o ./stack/udp.o ./stack/webutils.o ./stack/zero_config.o  ./Hardware/iMX/iMX.o  ./Applications/uTaskerSerialBoot/disk_loader.o ./Applications/uTaskerSerialBoot/modbus_app.o ./Applications/uTaskerSerialBoot/serial_loader.o ./Applications/uTaskerSerialBoot/usb_application.o ./Applications/uTaskerSerialBoot/usb_device_loader.o ./Applications/uTaskerSerialBoot/usb_host_loader.o ./Applications/uTaskerSerialBoot/webInterface.o  ./Applications/uTaskerBoot/uTaskerBootLoader.o   
Memory region         Used Size  Region Size  %age Used
       SPI_FLASH:          0 GB         8 MB      0.00%
        SRAM_DTC:       13308 B       128 KB     10.15%
        SRAM_ITC:       39767 B       128 KB     30.34%
         SRAM_OC:          0 GB       128 KB      0.00%
/Applications/MCUXpressoIDE_11.2.0_4120/ide/plugins/com.nxp.mcuxpresso.tools.macosx_11.2.0.202001021529/tools/bin/../lib/gcc/arm-none-eabi/9.2.1/../../../../arm-none-eabi/bin/ld: warning: dot moved backwards before `.data_run'
     BOARD_SDRAM:          0 GB        32 MB      0.00%
/Applications/MCUXpressoIDE_11.2.0_4120/ide/plugins/com.nxp.mcuxpresso.tools.macosx_11.2.0.202001021529/tools/bin/../lib/gcc/arm-none-eabi/9.2.1/../../../../arm-none-eabi/bin/ld: warning: dot moved backwards before `.data_run'
/Applications/MCUXpressoIDE_11.2.0_4120/ide/plugins/com.nxp.mcuxpresso.tools.macosx_11.2.0.202001021529/tools/bin/../lib/gcc/arm-none-eabi/9.2.1/../../../../arm-none-eabi/bin/ld: warning: dot moved backwards before `.data_run'
Finished building target: uTaskerSerialLoader.axf
/Applications/MCUXpressoIDE_11.2.0_4120/ide/plugins/com.nxp.mcuxpresso.tools.macosx_11.2.0.202001021529/tools/bin/../lib/gcc/arm-none-eabi/9.2.1/../../../../arm-none-eabi/bin/ld: warning: dot moved backwards before `.data_run'
 
/Applications/MCUXpressoIDE_11.2.0_4120/ide/plugins/com.nxp.mcuxpresso.tools.macosx_11.2.0.202001021529/tools/bin/../lib/gcc/arm-none-eabi/9.2.1/../../../../arm-none-eabi/bin/ld: warning: dot moved backwards before `.data_run'
/Applications/MCUXpressoIDE_11.2.0_4120/ide/plugins/com.nxp.mcuxpresso.tools.macosx_11.2.0.202001021529/tools/bin/../lib/gcc/arm-none-eabi/9.2.1/../../../../arm-none-eabi/bin/ld: warning: dot moved backwards before `.data_run'
make --no-print-directory post-build
Performing post-build steps
"/Users/jackking/Documents/MCUXpressoIDE_11.2.0/workspace/uTaskerV1.4/Applications/uTaskerSerialBoot/MCUXpresso_iMX/uTaskerSerialLoader/generate.sh" 1 MIMXRT1060 "aes256 secret key" "initial vector" 234 a748b6531124
OFFSET:0x10000
TOOLS_DIR:../Tools
TARGET_DIR:../Applications/uTaskerSerialBoot/MCUXpresso_iMX
BM_TARGET_DIR:../Applications/uTaskerSerialBoot/MCUXpresso_iMX/uTaskerBM_loader
SERIAL_TARGET_DIR:../Applications/uTaskerSerialBoot/MCUXpresso_iMX/uTaskerSerialLoader
TARGET:../Applications/uTaskerSerialBoot/MCUXpresso_iMX/uTaskerFallbackLoaderImage_MIMXRT1060.bin
copy from `uTaskerSerialLoader.axf' [elf32-littlearm] to `../Applications/uTaskerSerialBoot/MCUXpresso_iMX/uTaskerSerialLoader/uTaskerSerialLoader.bin' [binary]
      uTaskerConvert V1.11 - supporting encryption, AES256 and Motorola binary format [2M binary support]

      uTaskerConvert V1.11 - supporting encryption, AES256 and Motorola binary format [2M binary support]

/Users/jackking/Documents/MCUXpressoIDE_11.2.0/workspace/uTaskerV1.4/Applications/uTaskerSerialBoot/MCUXpresso_iMX/uTaskerSerialLoader/generate.sh: line 41: ../Tools/uTaskerCombine: No such file or directory
cp: ../Applications/uTaskerSerialBoot/MCUXpresso_iMX/uTaskerSerialLoader\uTaskerBootLoaderImage.bin: No such file or directory
rm: ../Applications/uTaskerSerialBoot/MCUXpresso_iMX/uTaskerSerialLoader\_temp.bin: No such file or directory
rm: ../Applications/uTaskerSerialBoot/MCUXpresso_iMX/uTaskerSerialLoader\uTaskerSerialLoader.bin: No such file or directory
rm: ../Applications/uTaskerSerialBoot/MCUXpresso_iMX/uTaskerSerialLoader\uTaskerBootLoaderImage.bin: No such file or directory
rm: ../Applications/uTaskerSerialBoot/MCUXpresso_iMX/uTaskerSerialLoader\uTaskerSerialLoaderUpload.bin: No such file or directory
make[1]: [makefile:55: post-build] Error 1 (ignored)
 

09:23:09 Build Finished. 0 errors, 6 warnings. (took 830ms)

« Last Edit: May 08, 2021, 03:25:43 PM by jackking »

Offline jackking

  • Newbie
  • *
  • Posts: 31
    • View Profile
OK, maybe this was obvious, but I didn't see it in the docs...

You need to set the Build Variable specifically for the Embedded Artists board. 

The default is MIMXRT1060, which is the correct part, but for the EA module, it should be iMX_RT1062_EMB_ART

Offline mark

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 3234
    • View Profile
    • uTasker
Hi

To ensure that the project and its output files all match, the build variable needs to be set for the board being built for otherwise it will build maybe for the correct processor but have things like LPUART and LEDs potentially at different locations.

At the time of writing these are the standard targets that are supported (users can extend with their own custom boards):
            //#define MIMXRT1010                                         // i.MX RT 1011 http://www.utasker.com/iMX/RT1010.html
            //#define MIMXRT1015                                         // i.MX RT 1015 http://www.utasker.com/iMX/RT1015.html
            //#define MIMXRT1020                                         // i.MX RT 1021 http://www.utasker.com/iMX/RT1020.html
            //#define MIMXRT1024                                         // i.MX RT 1024 (4M internal QSPI flash) http://www.utasker.com/iMX/RT1024.html
            //#define MIMXRT1050                                         // i.MX RT 1052 http://www.utasker.com/iMX/RT1050.html
            //#define iMX_RT1052_EMB_ART                                 // i.MX RT 1052 http://www.utasker.com/iMX/iMX_RT1052_OEM.html
            //#define ARCH_MIX                                           // i.MX RT 1052 http://www.utasker.com/iMX/ArchMix.html
            //#define MIMXRT1060                                         // i.MX RT 1062 http://www.utasker.com/iMX/RT1060.html
            //#define TEENSY_4_0                                         // i.MX RT 1062 http://www.utasker.com/iMX/Teensy_4_0.html
            //#define TEENSY_4_1                                         // i.MX RT 1062 http://www.utasker.com/iMX/Teensy_4_1.html
              #define iMX_RT1062_EMB_ART                                 // i.MX RT 1062 http://www.utasker.com/iMX/iMX_RT1062_OEM.html
            //#define MIMXRT1064                                         // i.MX RT 1064 (4M internal QSPI flash) http://www.utasker.com/iMX/RT1064.html
            //#define MIMXRT1170                                         // i.MX RT 1170 http://www.utasker.com/iMX/iMX_RT1170.html


As well as selecting the processor, its memory layout and its board configuration, it also ensures that all outputs (primary boot loader, fall-back loader, serial loader and application) are named and combined correctly.

The primary loader can be build once for all targets and there there is a corresponding binary available for combining with the other projects build for that target. The same is valid for the serial loaders and application, meaning that a complete set of binaries for all targets can be easily generated for any application (for programming just loader images or combined loader and application images, etc.).

The exception is when building with the GCC make files (usually from VS). in thie case the target should be manually set in config.h for each project to ensure they all match.


Regards

Mark

Offline sw-nw2s

  • Newbie
  • *
  • Posts: 5
    • View Profile
Thanks for continuing the discussion. I've been assembling hardware, getting caught up with orders and will be back to this shortly. Everything has been a big help so far. I appreciate all the feedback.