Restoring SecureBoot Images

In case of a blank eMMC or NOR device, the following instructions can be applied for the initial bringup of a LAN969x or LAN969x SoC.

The procedure described here will not work for the EVB-LAN9668 (PCB8290), as this board is using a USB device as console and TFA monitor for lan966x it is using FlexCom3 which is a different device. For this board you will have to use a flash programmer. An alternative would be to wire cables to the board to get access to FlexCom3 to use the method described here.

1. Reference information

This is where you can find more details about enabling EVB image restoration and the actual images to use:

SoC Name Strapping Pins Monitor Mode USB Device

LAN966x

LAN966x Strapping Pins

LAN966x UART Monitor

MCP2221 USB-I2C/UART Combo

LAN969x

LAN969x Strapping Pins

LAN969x UART Monitor

MCP2200 USB Serial Port Emulator

2. How to restore an image using FWU

See the table below for information about where to download the artifact to use and an overview of the actual artifacts:

SoC Name Artifacts

LAN966x

Images and artifacts

LAN969x

Images and artifacts

2.1. Enable TF-A-Monitor on the default console

This section will give an overview on how the TF-A monitor can be loaded to the SoC and used for e.g. writing a FIP or a GPT image on a flash device.

First locate the appropriate HTML file for your device on the TF-A Release website.

The name is:

fwu-<soc-name>_<version>-release.html

where:

<soc-name> = lan966x | lan969x

and

<version> = a0 | b0

See the FWU section for links to the releases and a description of the artifacts.

The following description is based on a host PC running Ubuntu Linux:

  1. Set the strapping mode on the eval board to the "Monitor Mode" to enabling the UART monitor mode. See the Reference Information section for details.

  2. Connect the eval board via USB cable to the host PC.

  3. The host machine should now enumerate a new USB Device (use lsusb) and a TTY device like e.g. '/dev/ttyACM0'.

  4. From now on, no other application should be attached to this port (e.g. Putty or Termhub).

  5. Use a Chrome or MS Edge browser and open the fwu-<soc-name>_<version>-release.html file in the address bar.

bl2

Please follow the instructions and the red arrows, illustrated on the previous screenshot.

  1. Arrow #1, Press the [Connect Device] button

  2. Arrow #2, Choose the appropriate console interface in the dropdown menu

  3. Arrow #3, Press [Connect] button

  4. After successful connection, the 'BL1 bootstrap' page should be loaded.

2.2. Download BL2U

This downloads and runs the BL2U image embedded in the fwu.html page.

This image will allow other firmware images to be updated and various other maintenance operations.

bl3

  1. Arrow #1, Press the [Download BL2U] button

After download and execution, the 'BL2U bootstrap' screen should be appear.

bl2u_ready

Notice the "BL2U operational" information.

2.3. Program NOR with FIP

The main purpose of this description is to a write a FIP file to a blank NOR device. Be aware, that only a FIP file format can be written to the NOR flash. Using a GPT file will not work here.

Locate the appropriate FIP file for your device on the TF-A Release website. See the FWU section.

The name is one of these:

<soc-name>_<version>-release.fip
<soc-name>_<version>-release.fip.gz

where soc-name> and <version> must match what you used when selecting the FWU HTML file.

You can use the gzipped version of the file for a faster download. The FWU tool will automatically unzip it after the file has been transferred.

The following description assumes that the TF-A monitor mode has been started.

bl2u

Please follow the instructions and the red arrows, shown on the previous screenshot.

  • Arrow #1, Choose the proper .fip file [Choose File].

  • Arrow #2, Upload the file by pressing the [Upload file] button.

  • Arrow #3, When the upload has finished, press the 'Write Image' tab

write_nor

  • Arrow #1, Change dropdown value to [NOR Flash] device.

  • Arrow #2, Press the [Write Flash Image] button.

  • Arrow #3, Press the [OK] button to confirm the operation.

  • Wait until the write operation is completed. The process can take a few minutes. The progress can followed in the [Transaction Log:] field.

  • Change the strapping mode back to normal the NOR boot mode. See Reference Information

  • Reset the board

2.4. Program eMMC with GPT image

The main purpose of this description is to a write a GPT image to a blank eMMC device. Writing this image will trigger following actions to the device:

  • Creates a GPT based partition table and all required partitions.

  • Stores a FIP file inside the 'fip' named partition.

  • According the chosen GPT image, the BL33 can contain an 'UBoot' or a 'Linux' image as payload.

Locate the appropriate image file for your device on the TF-A Release website. See the FWU section.

The name is one of these:

<soc-name>_<version>-release-mmc.gpt.gz
<soc-name>_<version>-release-mmc-linux.gpt.gz

where soc-name> and <version> must match what you used when selecting the FWU HTML file.

The first image contains U-Boot and the second image contains Linux.

A simple file copy of the GPT image to the eMMC device will not work! Only a raw byte copy will work correctly.

The GPT image can be written to the eMMC device using following methods:

  1. Using UBoot with network and upload/write the GPT image with mmc commands

  2. Using external programmer and write the GPT image to the eMMC address offset of 0x0 (zero).

  3. Use the HTML5 based firmware update browser tool (fwu.html).

This section will describe, how to proceed with the third approach here. Therefore no further programmer hardware is required.

First boot into the TF-A monitor using the correct strapping pin setting. See Reference Information

bl2u_gpt

Then follow the instructions and the red arrows, illustrated on the previous screenshot.

  • Arrow #1, Choose now the proper .gpt file [Choose File]

  • Arrow #2, Upload the file by pressing the [Upload file] button

  • Arrow #3, When the upload has finished, press the 'Write Image' tab

emmc_gpt

  • Arrow #1, Change dropdown value to [eMMC] device.

  • Arrow #2, Press the [Write Flash Image] button.

  • Arrow #3, Press the [OK] button to confirm the operation.

  • Wait till the write procedure has completed. This process can take a few minutes. The progress can followed in the [Transaction Log:] field.

  • Change the strapping mode back normal eMMC boot mode. See Reference Information

  • Reset the board

2.5. Program eMMC with FIP

A FIP file can only be programmed, if the eMMC device is already partitioned, which is what was done with the GPT image in the previous section.

The description in this section is also valid for updating an existing FIP on the target.

The FIP file can be written by using one of this following methods.

  1. Using UBoot console with network and upload/write the FIP using mmc commands

  2. Use the HTML5 based firmware update browser tool (fwu.html).

We will focus here on the second approach.

First Boot into the TF-A monitor using the correct strapping pin setting. See Reference Information

Then follow the description for the BL2U bootstrap monitor page.

bl2u

Download the appropriate FIP image for your platform. See the FWU section for details.

Please follow the instructions and the red arrows, shown in the previous screenshot.

  • Arrow #1, Choose the proper .fip file [Choose File].

  • Arrow #2, Upload the file by pressing the [Upload file] button.

  • Arrow #3, When the upload has finished, press the 'Write Image' tab

fip_emmc

  • Arrow #1, Change dropdown value to [eMMC] device.

  • Arrow #2, Press the [Write FIP Image] button to start the operation.

  • Wait until the write operation has completed. The process can take a few minutes. The progress can followed in the [Transaction Log:] field.

  • Change the strapping mode back to normal the eMMC boot mode. See Reference Information

  • Reset the board