Rev. 0, 05 March 2021

## i.MX RT1160 Manufacturing User's Guide



## **Contents**

| Chapter 1 Introduction                                                  | 4  |
|-------------------------------------------------------------------------|----|
| Chapter 2 Overview                                                      | 5  |
| 2.1 i.MX RT BootROM                                                     |    |
| 2.2 MCUBOOT-based Flashloader                                           |    |
|                                                                         |    |
| 2.3 Host utilities                                                      |    |
|                                                                         |    |
| Chapter 3 i.MX RT bootable image                                        |    |
| 3.1 Bootable image layout in target flash device                        |    |
| 3.2 Boot image format                                                   |    |
| 3.2.1 IVT and boot data                                                 |    |
| 3.2.2 Boot data structure                                               |    |
| 3.3 Signed image                                                        |    |
| 3.4 Encrypted image                                                     | 9  |
| Chapter 4 Generate i.MX RT bootable image                               | 10 |
| 4.1 Description of the elftosb utility                                  |    |
| 4.1.1 elftosb utility options                                           |    |
| 4.1.2 BD file                                                           |    |
| 4.1.3 BD file for i.MX RT bootable image generation                     |    |
| 4.1.3.1 Options block                                                   |    |
| 4.1.3.2 Sources block                                                   |    |
| 4.1.3.3 Constants block                                                 |    |
| 4.1.3.4 Section blocks                                                  |    |
| 4.1.4 BD file for memory programming                                    |    |
| 4.2 Generate unsigned normal i.MX RT bootable image                     |    |
| 4.3 Generate signed normal i.MX RT bootable image                       | 21 |
| 4.4 Generate encrypted normal i.MX RT bootable image                    |    |
|                                                                         |    |
| Chapter 5 Generate SB file for bootable image programming               |    |
| 5.1 Generate SB file for FlexSPI NOR image programming                  |    |
| 5.1.1 Generate Normal Bootable Image                                    |    |
| 5.1.2 Generate SB file for plaintext FlexSPI NOR image programming      |    |
| 5.1.3 Generate SB file for FlexSPI NOR Image encryption and programming |    |
| 5.2 Generate SB file for SD image programming                           |    |
| 5.2.1 Steps to Generate SB file for SD image programming                |    |
| 5.3 Generate SB file for eMMC image programming                         |    |
| 5.3.1 Normal mode                                                       |    |
| 5.3.2 Fast Mode                                                         | 31 |
| 5.4 Generate SB file for Serial NOR/EEPROM image programming            | 32 |
| 5.5 Generate SB file for fuse programming                               | 33 |
| Chapter 6 Program bootable image                                        | 35 |
| 6.1 MfgTool                                                             |    |
| 6.1.1 MfgTool Directory structure                                       | 35 |
| 5.7.1 mg 1001 Directory of dotard                                       |    |

| 6.1.2 Preparation before image programming using MfgTool | 37 |
|----------------------------------------------------------|----|
| 6.2 Connect to the i.MX RT Platform                      | 37 |
| 6.3 Program bootable image during development            | 37 |
| 6.4 Program bootable image for production                | 38 |
| Chapter 7 Appendix                                       | 39 |
| 7.1 Example of manufacturing flow for RT1160-EVK         |    |
| 7.1.1 Manufacturing process in Development phase         | 39 |
| 7.1.1.1 Templates options for the Manufacturing flow     |    |
| 7.1.1.2 Create i.MX RT bootable image                    |    |
| 7.1.1.2.1 Create image using KSDK XIP example            | 40 |
| 7.1.1.2.2 Create image using the elftosb utility         |    |
| 7.1.1.2.3 Create SB file for QSPI FLASH programming      | 41 |
| 7.1.2 Program Unsigned Image to Flash using MfgTool      |    |
| Chapter 8 Revision history                               | 44 |

# Chapter 1 Introduction

This document describes the generation of bootable images for i.MX RT devices. It also explains the process to interface i.MX RT BootROM and MCUBOOT-based Flashloader and to program a bootable image into the external flash including:

- · QuadSPI NOR / Octal Flash
- SD / eMMC
- SPI NOR / EEPROM

The i.MX RT BootROM resides in the ROM and enables loading the RAM. The Flashloader is loaded into SRAM and facilitates loading of boot images from boot devices into RAM. It also authenticates and executes the boot image.

This document introduces the Flashloader, a companion tool to i.MX RT BootROM, and a complete solution for programming boot images to bootable devices. The Flashloader runs in SRAM so it should be downloaded to SRAM via ROM serial download interface. The Flashloader prepares and configures the devices for boot. It creates boot configuration structure on the bootable media, helps in programming encrypted images, generates key blobs, and communicates with master on serial peripherals like USB and UART using MCUBOOT commands interface protocol for downloading boot images.

It also introduces the elftosb utility. The elftosb utility converts an elf image to signed, encrypted, and bootable image for i.MX RT devices. It also creates all the boot structures like image vector table, boot data. It generates the input command sequence file required to code sign or encrypt using the NXP signing tool (cst). It also calls the cst to generate the signatures and packs it as a boot image acceptable by BootROM.

The document describes the usage of MfgTool2.exe (Manufacturing Tool) in a manufacturing environment for production of devices (programming boot images on the bootable media using all the available tools).

User Guide 4 / 45

## Chapter 2 Overview

#### 2.1 i.MX RT BootROM

The i.MX RT BootROM is a standard bootloader for all i.MX RT devices. It resides in ROM and supports booting from external flash devices for both XIP and non-XIP boot cases. It also provides serial downloader feature via UART or USB-HID interface into the internal RAM of i.MX RT devices.

The i.MX RT BootROM is a specific implementation of the existing i.MX MPU ROM bootloader. The i.MX RT BootROM provides serial downloader feature for flash programming using blHost command interface. For additional information, see chapter, "System Boot" in the device's Reference Manual. Using the MfgTool application, the MCU Boot based flashloader can be downloaded into the internal SRAM. Then the flashloader code execution begins and flash programming features are enabled via MCU Boot interface.

#### 2.2 MCUBOOT-based Flashloader

The MCUBOOT-based Flashloader is a specific implementation of the MCU bootloader. It is used as a one-time programming aid for manufacturing. Most of the MCUBOOT commands are supported in the flashloader to enable external flash programming. See MCU Flashloader Reference Manual for details.

#### 2.3 Host utilities

The MfgTool is a GUI host program used to interface with devices running i.MX RT Boot ROM under serial downloader mode. It can also be used to program an application image by interfacing with the Flashloader.

The blhost is a command-line host program used to interface with devices running MCUBOOT-based bootloaders. It is part of MfgTool release.

The elftosb utility is a command-line host program used to generate bootable images for i.MX RT Boot ROM.

The cst is a command-line host program used to generate certificates, image signatures, and encrypt images for i.MX RT Boot ROM.

## 2.4 Terminology

Table 1 summarizes the terms and abbreviations included in this document.

Table 1. Terminology and Abbreviations

| Terminology | Description                                                                                                                                                                                                                                                                                                                                                    |
|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| MCUBOOT     | MCU Bootloader                                                                                                                                                                                                                                                                                                                                                 |
| KeyBlob     | KeyBlob is a data structure that wraps the DEK for image decryption using the AES-CCM algorithm                                                                                                                                                                                                                                                                |
| DEK         | "Key" used to decrypt the encrypted bootable image                                                                                                                                                                                                                                                                                                             |
| SB file     | The SB file is the NXP binary file format for bootable images. The file consists of sections, sequence of bootloader commands, and data that assists MCU Bootloader in programming the image to target memory. The image data can also be encrypted in the SB file. The file can be downloaded to the target using the MCU Bootloader receive-sb-file command. |

Table continues on the next page...

User Guide 5/45

#### Table 1. Terminology and Abbreviations (continued)

| CST | Code Signing Tool |
|-----|-------------------|
| XIP | Execute-In-Place  |

# Chapter 3 i.MX RT bootable image

### 3.1 Bootable image layout in target flash device

There are two types of supported boot image:

- XIP (Execute-In-Place) boot image: This type of boot image is only applicable to Serial NOR devices connected to QuadSPI or FlexSPI interfaces and Parallel NOR devices connected to WEIM or SEMC interface. The boot device memory is identical to the destination memory. ROM can boot this boot image directly.
- Non-XIP boot image: This type of boot image is usually for the NAND, SD, and eMMC devices. The boot device memory
  is different from the destination memory. ROM loads the boot image from the boot device memory to the destination
  memory and then boots from the destination memory.



Figure 1. Bootable image layout

## 3.2 Boot image format

This section describes the boot image format and data structures. The elftosb utility helps the customers automatically generate the boot image format file. The elftosb utility usage is described later in this document.

The bootable image must have the following data structures:

• Image Vector Table (IVT): a list of pointers located at a fixed address that ROM examines to determine the location of other components of the bootable image

User Guide 7/45

- · Boot Data: a table that indicates the bootable image location, image size in bytes, and the plugin flag
- · Device configuration data (DCD) (optional): IC configuration data configures DDR/SDRAM memory
- · User application and data
- · CSF (optional): signature block for Secure Boot generated by CST
- KeyBlob (optional): a data structure consists of wrapped DEK for encrypt boot

Each bootable image starts with appropriate IVT. In general, for the external memory devices that support XIP feature, the IVT offset is 0x1000 else it is 0x400.

#### 3.2.1 IVT and boot data

The IVT is the data structure that the BootROM reads from the boot devices. This data structure supplies the bootable image containing the required data components to perform a successful boot.

See the Program image section in the System Boot chapter of the device reference manual for more details.

Table 2. IVT data structure

| Offset      | Field     | Description                                                                                               |
|-------------|-----------|-----------------------------------------------------------------------------------------------------------|
| 0x00 - 0x03 | header    | Byte 0 tag, fixed to 0xD1                                                                                 |
|             |           | Byte 1,2 length, bit endian format containing the overall length of the IVT in bytes, fixed to 0x00, 0x20 |
|             |           | Byte 3: version, valid values: 0x40, 0x41, 0x42, 0x43                                                     |
| 0x04 - 0x07 | entry     | Absolute address of the first instruction to execute from the image, or the vector address of the image   |
| 0x08 - 0x0b | reserved1 | Reserved for future use, set to 0                                                                         |
| 0x0c - 0x0f | dcd       | Absolute address of the image DCD. It is optional, so this field can be set to NULL if no DCD is required |
| 0x10 - 0x13 | boot_data | Absolute address of the boot data                                                                         |
| 0x14 - 0x17 | self      | Absolute address of the IVT                                                                               |
| 0x18 - 0x1b | csf       | Absolute address of the Command Sequence File (CSF) used by the HAB library                               |
| 0x1c - 0x1f | reserved2 | Reserved, set to 0                                                                                        |

#### 3.2.2 Boot data structure

Table 3. Boot Data structure

| Offset    | Field  | Description                                                               |
|-----------|--------|---------------------------------------------------------------------------|
| 0x00-0x03 | start  | Absolute address of the bootable image                                    |
| 0x04-0x07 | length | Size of the bootable image                                                |
| 0x08-0x0b | plugin | Plugin flag, set to 0 because plugin boot is not supported on this device |

## 3.3 Signed image

The bootable image can be signed by CST tool. The tool generates the CSF data in the binary file format that consists of command sequences and signatures based on given input command sequence file (csf file). Refer to the documentation in the CST release package for further details.

In this document, a simple method is introduced to generate signed images using the elftosb utility.

## 3.4 Encrypted image

There are two types of encrypted image formats:

#### **Encrypted XIP image format**

The Flashloader generates the encrypted XIP image using the AES CTR algorithm when programming the image on the device. On execution, the hardware engine does on-the-fly decryption.

#### Encrypted image generated by CST

To increase the security level, the bootable image can be signed and further encrypted by the CST. The KeyBlob must be generated on the device. The hardware deletes all sensitive keys if any security violation happens so that the sensitive keys cannot be cloned.

In this document, a simple method is introduced to generate signed images using the elftosb utility.

# Chapter 4 Generate i.MX RT bootable image

There are two types of bootable image for i.MX RT devices.

- · Normal boot image: This type of image can boot directly by BootROM.
- Plugin boot image: This type of image can be used to load a boot image from devices that are not natively supported by BootROM (not supported on all i.MX RT devices).

Both types of images can be unsigned, signed, and encrypted for different production phases and different security level requirements:

- Unsigned Image: The image does not contain authentication-related data and is used during development phase.
- · Signed Image: The image contains authentication-related data (CSF section) and is used during production phase.
- Encrypted Image: The image contains encrypted application data and authentication-related data and is used during the
  production phase with higher security requirement.

The above types of bootable images can be generated by using the elftosb utility. The detailed usage of the elftosb utility is available in *elftosb Users Guide*.

## 4.1 Description of the elftosb utility

The elftosb utility is a command-line host program used to generate the i.MX RT bootable image for the i.MX RT BootROM. The utility also generates a wrapped binary file with command sequences and a bootable image. To create an SB file, use command-line options and an input text file (also called BD or command file).

## 4.1.1 elftosb utility options

Table 4 shows the command line options used to create the i.MX RT bootable image.

Option Description -f Specify the bootable image format To create the i.MX RT bootable image, the usage for family argument "-f" is: "-f imx" To create the SB file, the usage is: "-f kinetis" -C Command file to generate corresponding bootable image For example, "-c program\_flexspi\_nor\_hyperflash.bd" -0 Output file path For example, "-o ivt flashloader.bin" -V Verbose, print extra detailed log information -? Print help info

Table 4. elftosb utility options

#### 4.1.2 BD file

Each BD file consists of the following four blocks: options, sources, constants, section

The image paths are defined in the "sources" block.

User Guide 10 / 45

- The constant variables are defined in the "constants" block.
- · The memory configuration and programming-related operations are defined in the "section" block.

The elftosb utility supports two types of BD files. The first type of file is used for the i.MX RT bootable image generation. The "-f imx" option is mandatory during boot image generation using the elftosb utility. The second type of file contains commands that are used for memory programming. The "-f kinetis" flag is mandatory in this use case.

### 4.1.3 BD file for i.MX RT bootable image generation

The BD file for i.MX RT bootable image generation usually consists of four blocks. These blocks are options, sources, constants, and section.

#### 4.1.3.1 Options block

Table 5 shows the options used to generate a bootable image for the Options block.

Table 5. Supported options in the "Options" block

| Options           | Description                                                                                                                                                                                                       |  |
|-------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| Flags             | Generates unsigned, signed, encrypted boot images, and plugin images:                                                                                                                                             |  |
|                   | bit 2 - Encrypted image flag                                                                                                                                                                                      |  |
|                   | bit 3 - Signed image flag                                                                                                                                                                                         |  |
|                   | bit 4 - Plugin image flag                                                                                                                                                                                         |  |
|                   | For example:                                                                                                                                                                                                      |  |
|                   | 0x00 - unsigned image                                                                                                                                                                                             |  |
|                   | 0x08 - signed image                                                                                                                                                                                               |  |
|                   | 0x04 - CST-encrypted image (encrypted image is always a signed image)                                                                                                                                             |  |
|                   | 0x18 - signed plugin image                                                                                                                                                                                        |  |
| startAddress      | Provides the starting address of the target memory where image should be loaded by ROM.                                                                                                                           |  |
| ivtOffset         | Provides offset where the IVT data structure must appear in the boot image. The default is 0x400 if not specified.                                                                                                |  |
|                   | For i.MX RT boot images stored in bootable memories, the valid value is 0x400 or 0x1000. For serial downloader compatible boot images the valid value is 0x0.                                                     |  |
| initialLoadSize   | Defines the start of the executable image data from elf or the srec file.                                                                                                                                         |  |
|                   | The default value is 0x2000 if not specified.                                                                                                                                                                     |  |
| DCDFilePath       | Defines the path to DCD file.                                                                                                                                                                                     |  |
|                   | If not specified, the DCD pointer in the IVT will be set to NULL (0) else the dcd file contents will be loaded at offset 0x40 from ivtOffset. The dcd file size is limited to (initialLoadSize - ivtOffset-0x40). |  |
| cstFolderPath     | Defines the path for platform dependent CST. (windows, linux)                                                                                                                                                     |  |
|                   | If not specified, elftosb tool will search for cst executable in same path as elftosb executable.                                                                                                                 |  |
| entryPointAddress | Provides the entry point address for ELF or SREC image.                                                                                                                                                           |  |

Table continues on the next page...

Table 5. Supported options in the "Options" block (continued)

If not specified, ELF image uses its source image entry point address but SREC image will use default entry point address (0).

#### 4.1.3.2 Sources block

Typically, all the application image paths are provided in this section. Currently, the ELF file and SREC file are supported for i.MX RT Bootable image generation, for example:

```
sources {
   elfFile = extern(0);
}
```

#### 4.1.3.3 Constants block

The Constants block provides a constant variable that is used to generate CSF data for image authentication and decryption. The Constants block is optional for an unsigned image. The supported constants are listed below.

```
Constants {
    SEC_CSF_HEADER = 20;
    SEC_CSF_INSTALL_SRK = 21;
    SEC_CSF_INSTALL_CSFK = 22;
    SEC_CSF_INSTALL_NOCAK = 23;
    SEC_CSF_AUTHENTICATE_CSF = 24;
    SEC_CSF_AUTHENTICATE_DATA = 26;
    SEC_CSF_AUTHENTICATE_DATA = 26;
    SEC_CSF_INSTALL_SECRET_KEY = 27;
    SEC_CSF_DECRYPT_DATA = 28;
    SEC_NOP = 29;
    SEC_SET_MID = 30;
    SEC_SET_ENGINE = 31;
    SEC_INIT = 32;
    SEC_UNLOCK = 33;
}
```

#### 4.1.3.4 Section blocks

The Section blocks are used to create the sections for an i.MX RT bootable image, for example, all sections for CSF data. For the unsigned image, the Section block is a fixed blank section, as shown below.

```
section (0)
{
}
```

For signed and encrypted image, the following sections are defined for the elftosb utility to generate the CSF descriptor file which is required by CST for CSF data generation.

SEC\_CSF\_HEADER

This section defines the necessary elements required for CSF Header generation as well as default values used for other sections throughout the remaining CSF.

13

Table 6. Elements for CSF Header section generation

| Element                      | Description                             |
|------------------------------|-----------------------------------------|
| Header_Version               | HAB library version                     |
|                              | Valid values: 4.0, 4.1, 4.2, 4.3        |
| Header_HashAlgorithm         | Default Hash Algorithm                  |
|                              | Valid values: sha1, sha256, sha512      |
| Header_Engine                | Default Engine                          |
|                              | Valid values: ANY, DCP, CAAM, SW        |
| Header_EngineConfiguration   | Default Engine Configuration            |
|                              | Recommended value: 0                    |
| Header_CertificateFormat     | Default Certificate Format              |
|                              | Valid values: WTLS, X509                |
| Header_SignatureFormat       | Default signature format                |
|                              | Valid values: PKCS, CMS                 |
| Header_SecurityConfiguration | Fused security configuration            |
|                              | Valid values: Engineering, Production   |
| Header_UID                   | Generic (matches any value)             |
|                              | U0, U1, Un                              |
|                              | where each Ui=0255 and n<255            |
| Header_CustomerCode          | Value expected in "customer code" fuses |
|                              | 0255                                    |

An example section block is shown as follows.

```
section (SEC CSF HEADER;
   Header_Version="4.3",
   Header_HashAlgorithm="sha256",
   Header_Engine="ANY",
   Header_EngineConfiguration=0,
   Header CertificateFormat="x509",
   Header SignatureFormat="CMS"
```

#### • SEC\_CSF\_INSTALL\_SRK

This section contains the elements to authenticate and install the root public key for use in subsequent sections, as shown in the following table.

Table 7. Elements for CSF Install SRK section generation

| Element                  | Description                                    |
|--------------------------|------------------------------------------------|
| InstallSRK_Table         | Path pointing to the Super Root Key Table file |
| InstallSRK_Source        | SRK index with the SRK table                   |
| InstallSRK_HashAlgorithm | SRK table hash algorithm.                      |
|                          | Valid values: SHA1, SHA256 and SHA512          |

An example section block is shown as follows.

```
section (SEC CSF INSTALL SRK;
   InstallSRK Table="keys/SRK 1 2 3 4 table.bin", // "valid file path"
   InstallSRK SourceIndex=0
```

#### • SEC\_CSF\_INSTALL\_CSFK

This section consists of the elements used to authenticate and install a public key for use in subsequent sections.

Table 8. Elements for CSF Install CSFK section generation

| Element                       | Description                            |
|-------------------------------|----------------------------------------|
| InstallCSFK_File              | File path pointing to CSFK certificate |
| InstallCSFK_CertificateFormat | CSFK certificate format                |
|                               | Valid values: WTLS, X509               |

```
section (SEC CSF INSTALL CSFK;
   InstallCSFK_File="crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem", // "valid file path"
    InstallCSFK CertificateFormat="x509" // "x509"
```

#### SEC\_CSF\_INSTALL\_NOCAK

The Install NOCAK command authenticates and installs a public key for use with the fast authentication mechanism (HAB 4.1.2 and up). With this mechanism, one key is used for all signatures.

The following table lists the install NOCAK command arguments.

Table 9. Elements for CSF Install NOCAK section generation

| Element                        | Description                            |
|--------------------------------|----------------------------------------|
| InstallNOCAK_File              | File path pointing to CSFK certificate |
| InstallNOCAK_CertificateFormat | CSFK certificate format                |
|                                | Valid values: WTLS, X509               |

An example section block is shown as follows:

```
section (SEC_CSF_INSTALL_NOCAK;
    InstallNOCAK_File= "crts/SRK1_sha256_2048_65537_v3_usr_crt.pem") // "valid file path"
    InstallNOCAK_CertificateFormat= "WTLS" // "WTLS", "X509"
    )
{
}
```

#### SEC\_CSF\_AUTHENTICATE\_CSF

This section is used to authenticate the CSF from which it is executed using the CSFK mentioned in the section above. See the following table for more details.

Table 10. Elements for CSF Authenticate CSF section generation

| Element                             | Description                                                                                                  |
|-------------------------------------|--------------------------------------------------------------------------------------------------------------|
| AuthenticateCSF_Engine              | CSF signature hash engine                                                                                    |
|                                     | Valid values: ANY, SAHARA, RTIC, DCP, CAAM and SW                                                            |
| AuthenticateCSF_EngineConfiguration | Configuration flags for the hash engine. Note that the hash is computed over an internal RAM copy of the CSF |
|                                     | Valid engine configuration values corresponding to engine name.                                              |
| AuthenticateCSF_SignatureFormat     | CSF signature format                                                                                         |
|                                     | Valid values: PKCS1, CMS                                                                                     |

An example section block is shown as follows:

```
section (SEC_CSF_AUTHENTICATE_CSF)
{
}
```

#### • SEC\_CSF\_INSTALL\_KEY

This section consists of elements used to authenticate and install a public key for use in subsequent sections, as shown in the following table.

Table 11. Elements for CSF Install Key section generation

| Element                      | Description                             |  |
|------------------------------|-----------------------------------------|--|
| InstallKey_File              | File path pointing to a Public key file |  |
| InstallKey_VerificationIndex | Verification key index in Key store     |  |
|                              | Valid values: 0, 2, 3, 4                |  |
| InstallKey_TargetIndex       | Target key index in key store           |  |
|                              | Valid values: 2, 3, 4                   |  |
| InstallKey_CertificateFormat | Valid values: WTLS, X509                |  |
| InstallKey_HashAlgorithm     | Hash algorithm for certificate binding. |  |

Table continues on the next page...

Table 11. Elements for CSF Install Key section generation (continued)

| If present, a hash of the certificate specified in the File argument is included in the command to prevent installation from other sharing the same verification key |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Valid values: SHA1, SHA256, SHA512                                                                                                                                   |

```
section (SEC_CSF_INSTALL_KEY;
   InstallKey_File="crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem",
   InstallKey VerificationIndex=0, // Accepts integer or string
   InstallKey TargetIndex=2) // Accepts integer or string
```

#### • SEC\_CSF\_AUTHENTICATE\_DATA

This section contains elements that are used to verify the authenticity of pre-loaded data in memory.

Table 12. Elements for CSF Authenticate Data section generation

| Element                              | Description                                                                                                                                                                       |  |
|--------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| AuthenticateData_VerificationIndex   | Verification key index in key store                                                                                                                                               |  |
| AuthenticateData_Engine              | Data signature hash engine                                                                                                                                                        |  |
|                                      | Valid values: ANY, DCP, CAAM, SW                                                                                                                                                  |  |
| AuthenticateData_EngineConfiguration | Configuration flags for the engine                                                                                                                                                |  |
| AuthenticateData_SignatureFormat     | Data signature format                                                                                                                                                             |  |
|                                      | Valid values: PKCS1, CMS                                                                                                                                                          |  |
| AuthenticateData_Binding             | 64-bit unique ID (UID) for binding.                                                                                                                                               |  |
|                                      | If present, authentication succeeds only if the UID fuse value matches this argument, and the TYPE fuse value matches the Security Configuration argument from the Header command |  |
|                                      | Valid values:                                                                                                                                                                     |  |
|                                      | U0, U1, U7                                                                                                                                                                        |  |
|                                      | with                                                                                                                                                                              |  |
|                                      | Ui: 0,, 255.                                                                                                                                                                      |  |
|                                      | UID bytes separated by commas                                                                                                                                                     |  |

An example section block is shown as follows:

```
section (SEC CSF AUTHENTICATE DATA;
   AuthenticateData VerificationIndex=2,
   AuthenticateData Engine="DCP",
   AuthenticateData_EngineConfiguration=0)
```

• SEC\_CSF\_INSTALL\_SECRET\_KEY

This section contains elements used to install the secret key to the MCU secret key store which is used for KeyBlob decryption. This section is required for encrypted image generation and not for signed image.

Table 13. Elements for CSF Install Secret Key section generation

| Element               | Description                                                                     |
|-----------------------|---------------------------------------------------------------------------------|
| SecretKey_Name        | Specifies the file path used for CST to generate the random decryption key file |
| SecretKey_Length      | Key length in bits Valid values: 128, 192, and 256                              |
| SecretKey_VerifyIndex | Master KEK index Valid values: 0 or 1                                           |
| SecretKey_TargetIndex | Target secret key store index Valid values: 0-3                                 |
| SecretKey_BlobAddress | Internal or external DDR address                                                |

An example section block is shown as follows:

```
section (SEC_CSF_INSTALL_SECRET_KEY;
    SecretKey_Name="dek.bin",
    SecretKey_Length=128,
    SecretKey_VerifyIndex=0,
    SecretKey_TargetIndex=0)
{
}
```

#### • SEC\_CSF\_DECRYPT\_DATA

This section is required for encrypted image generation and not for signed image. It contains the necessary elements used to decrypt and authenticate a list of code/data blocks using the secret key stored in the secret key store, as shown in the following table.

Table 14. Elements for CSF Decrypt Data section generation

| Element                     | Description                                                                                  |  |
|-----------------------------|----------------------------------------------------------------------------------------------|--|
| Decrypt_Engine              | MAC engine                                                                                   |  |
|                             | Valid value: CAAM, DCP                                                                       |  |
| Decrypt_EngineConfiguration | Configuration flags for the engine                                                           |  |
|                             | Default value: 0                                                                             |  |
| Decrypt_VerifyIndex         | Secret key index in the Secret key store                                                     |  |
|                             | Valid values: 0-3                                                                            |  |
| Decrypt_MacBytes            | Size of MAC in bytes                                                                         |  |
|                             | If engine is CAAM, the valid value is even number between 4-16. The recommended value is 16. |  |
|                             | If engine is DCP, the valid value is 16.                                                     |  |

An example section block is shown as follows.

```
section (SEC CSF DECRYPT DATA;
  Decrypt Engine="ANY",
   Decrypt EngineConfiguration="0", // "valid engine configuration values"
   Decrypt VerifyIndex=0,
   Decrypt MacBytes=16)
}
```

#### SEC\_NOP

The command in this section has no effect. It also has no arguments.

An example section block is shown as follows.

```
section (SEC NOP)
    // NOP command has no arguments
}
```

#### · SEC\_SET\_MID

The Set MID command selects a range of fuse locations to use as a manufacturing identifier (MID). MID values are bound with Authenticate Data signatures when verified using keys with the MID binding flag in the Install Key command.

|         | Table 15. Elements for CSF Set MID section generation |             |  |
|---------|-------------------------------------------------------|-------------|--|
| Element |                                                       | Description |  |

| Element     | Description                             |  |
|-------------|-----------------------------------------|--|
| SetMID_Bank | Fuse bank containing MID.               |  |
|             | Valid values: 0,, 255                   |  |
| SetMID_Row  | Starting row number of MID within bank. |  |
|             | Valid values: 0,, 255                   |  |
| SetMID_Fuse | Starting fuse of MID within row.        |  |
|             | Valid values: 0,, 255                   |  |
| SetMID_Bits | Number of bits for MID.                 |  |
|             | Valid values: 0,, 255                   |  |

An example section block is shown as follows:

```
section (SEC SET MID;
  SetMID Bank = 4,
   SetMID Row = 0,
   SetMID_Fuse = 7,
   SetMID_Bits = 64)
{
```

#### • SEC\_SET\_ENGINE

The Set Engine command selects the default engine and engine configuration for a given algorithm.

Table 16. Elements for CSF Set Engine section generation

| Element                       | Description                                                     |  |
|-------------------------------|-----------------------------------------------------------------|--|
| SetEngine_Engine              | Engine                                                          |  |
|                               | Use ANY to restore the HAB internal criteria.                   |  |
|                               | Valid values: ANY, SAHARA, RTIC, DCP, CAAM and SW               |  |
| SetEngine_HashAlgorithm       | Hash algorithm                                                  |  |
|                               | Valid values: SHA1, SHA256 and SHA512                           |  |
| SetEngine_EngineConfiguration | Configuration flags for the engine.                             |  |
|                               | Valid engine configuration values corresponding to engine name. |  |

An example section block is shown as follows:

```
section (SEC SET ENGINE;
   SetEngine HashAlgorithm = "sha256",
   SetEngine Engine = "DCP",
   SetEngine EngineConfiguration = "0")
{
}
```

#### SEC\_INIT

The Init command initializes specified engine features when exiting the internal BootROM.

Table 17. Elements for CSF Init section generation

| Element       | Description                                            |  |
|---------------|--------------------------------------------------------|--|
| INIT_Engine   | Engine to initialize                                   |  |
|               | Valid value – SRTC                                     |  |
| INIT_Features | Comma-separated list of features to initialize         |  |
|               | Valid engine feature corresponding to engine argument. |  |

An example section block is shown as follows:

```
section (SEC INIT;
   Init_Engine = "SRTC")
   // Init Features= "MID"
{
```

#### • SEC\_UNLOCK

The Unlock command prevents specified engine features from being locked when exiting the internal BootROM.

Table 18. Elements for CSF Unlock section generation



Table continues on the next page...

Table 18. Elements for CSF Unlock section generation (continued)

| Unlock_Engine   | Engine to unlock                                                                                   |  |
|-----------------|----------------------------------------------------------------------------------------------------|--|
|                 | NOTE  Non-SW engine compatibility varies across i.MX  RT models.                                   |  |
|                 | Valid values: SRTC, CAAM, SNVS and OCOTP                                                           |  |
| Unlock_features | Comma-separated list of features to unlock  Valid engine feature corresponding to engine argument. |  |
| Unlock_UID      | Device specific 64-bit UID U0, U1,, U7 with Ui=0255 UID bytes separated by commas                  |  |

An example section block is shown as follows:

```
section (SEC_UNLOCK;
    Unlock_Engine = "OCOTP",
    Unlock_features = "JTAG, SRK REVOKE",
    Unlock_UID = "0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef")
{
}
```

## 4.1.4 BD file for memory programming

Typically, "load", "enable", and "erase" commands are the most commonly used commands in a BD file for memory programming.

- 1. "load" command: This command loads raw binary, srec file, elf file, and hex string. It also supports loading data to external memory devices, for example:
  - Load itcm\_boot\_image.bin > 0x8000; (Load data to ITCM)
  - Load flexspi\_nor\_boot\_image.bin > 0x60001000; (Load data to the memory mapped memory device)
  - Load spinand boot\_image.bin > 0x04; (Load data to SPI NAND)
  - Load sdcard boot\_image.bin > 0x400; (Load data to the SD Card)
  - Load mmccard boot\_image.bin > 0x400; (Load data to eMMC)
  - Load spieeprom boot\_image.bin > 0x400; (Load data to SPI EEPROM/NOR)
  - Load semcnand boot\_image.bin > 0x400; (Load data to SLC raw NAND via SEMC)
  - Load fuse 0x00000000 > 0x10; (Load data to the Fuse block)
- 2. "enable" command: This command configures external memory devices, for example:
  - Enable flexspinor 0x1000
  - Enable spinand 0x1000
  - Enable sdcard 0x1000
  - Enable mmccard 0x1000
  - Enable spieeprom 0x1000
  - Enable semcnand 0x1000

- "erase" command: This command erases a memory range in the selected memory device. For example:
  - Erase 0x60000000..0x60010000 (Erase 64 KB from FlexSPI NOR)
  - Erase spinand 0x4..0x08 (Erase 4 blocks from SPI NAND)
  - Erase sdcard 0x400..0x14000
  - Erase mmccard 0x400..0x14000
  - Erase spieeprom 0x400..0x14000
  - Erase semcnand 0x400..0x14000

## 4.2 Generate unsigned normal i.MX RT bootable image

Typically, the unsigned bootable image is generated and programmed to the destination memory during the development phase.

The elftosb utility supports unsigned bootable image generation using options, BD file, and ELF/SREC file generated by toolchain.

Using the Flashloader project as an example, here are the steps to create a bootable image for the Flashloader.

1. Create a BD file. For unsigned image creation, the "constants" block is optional, as shown below.

```
options {
    flags = 0x00;
    startAddress = 0x20000000;
    ivtOffset = 0x400;
    initialLoadSize = 0x2000;
}
sources {
    elfFile = extern(0);
}
section (0)
{
}
```

- 2. After the BD file is created, place it into the same folder that has the elftosb utility executable.
- Generate the bootable image using the elftosb utility.

```
$ ./elftosb.exe -f imx -V -c Example_BD_Files/imx-unsigned.bd -o ivt_flashloader_unsigned.bin flashloader.srec
Section: 0x0
```

Figure 2. Example command to generate unsigned boot image

Then, there are two bootable images generated by the elftosb utility.

- The first one is ivt\_flashloader\_unsigned.bin. The memory regions from 0 to ivt\_offset are filled with padding bytes
  (all 0x00s).
- The second one is ivt\_flashloader\_nopadding.bin, which starts from ivtdata directly without any padding before ivt.

## 4.3 Generate signed normal i.MX RT bootable image

To generate a signed bootable image using the elftosb utility, perform the following steps:

1. Create a BD file. The BD file can be as follows.

```
options {
    flags = 0x08;
    startAddress = 0x30000000;
    ivtOffset = 0x1000;
```

```
initialLoadSize = 0x2000;
}
sources {
   elfFile = extern(0);
constants {
                             = 20;
  SEC_CSF_INSTALL_SRK
                             = 21;
  SEC_CSF_INSTALL_CSFK
                              = 22;
   SEC CSF INSTALL NOCAK = 23;
   SEC_CSF_AUTHENTICATE_CSF = 24;
SEC_CSF_INSTALL_KEY = 25;
   SEC CSF AUTHENTICATE DATA = 26;
   SEC CSF INSTALL SECRET KEY = 27;
   SEC_CSF_DECRYPT_DATA = 28;
SEC_NOP = 29;
  SEC_NOP
SEC_SET_MID
SEC_SET_ENGINE
SEC_INIT
   SEC NOP
                              = 30;
                          = 31;
                              = 32;
                              = 33;
section (SEC CSF HEADER;
   Header Version="4.2",
   Header HashAlgorithm="sha256",
   Header Engine="ANY",
   Header EngineConfiguration=0,
   Header CertificateFormat="x509",
   Header SignatureFormat="CMS"
{
section (SEC CSF INSTALL SRK;
   InstallSRK Table="keys/SRK 1 2 3 4 table.bin", // "valid file path"
   InstallSRK SourceIndex=0
{
}
section (SEC CSF INSTALL CSFK;
  InstallCSFK File="crts/CSF1 1 sha256 2048 65537 v3 usr crt.pem", // "valid file path"
   InstallCSFK CertificateFormat="x509" // "x509"
}
section (SEC CSF AUTHENTICATE CSF)
{
section (SEC CSF INSTALL KEY;
   InstallKey File="crts/IMG1 1 sha256 2048 65537 v3 usr crt.pem",
   InstallKey VerificationIndex=0, // Accepts integer or string
   InstallKey TargetIndex=2) // Accepts integer or string
{
}
```

i.MX RT1160 Manufacturing User's Guide, Rev. 0, 05 March 2021 **NXP Semiconductors** 22

```
section (SEC CSF AUTHENTICATE DATA;
   AuthenticateData VerificationIndex=2,
   AuthenticateData Engine="ANY",
   AuthenticateData EngineConfiguration=0)
{
}
section (SEC SET ENGINE;
   SetEngine HashAlgorithm = "sha256", // "sha1", "Sha256", "sha512"
   SetEngine Engine = "ANY", // "ANY", "SAHARA", "RTIC", "DCP", "CAAM" and "SW"
   SetEngine EngineConfiguration = "0") // "valid engine configuration values"
{
section (SEC UNLOCK;
   Unlock Engine = "SNVS",
   Unlock features = "ZMK WRITE"
{
}
```

After the blank BD file is created, place it into the same folder that holds the elftosb utility executable.

- 2. Copy Flashloader.srec provided in the release package into the same folder that holds the elftosb utility executable.
- 3. Copy the "cst" executable, "crts" folder, and "keys" folder from "<cst\_installation\_dir>" to the same folder that holds the elftosb utility executable.
- 4. Generate a bootable image using the elftosb utility.

#### \$ ./elftosb.exe -f imx -V -c Example\_BD\_Files/imx-signed.bd -o ivt\_flashloader\_signed.bin flashloader.srec

Figure 3. Example command to generate a signed boot image

Then, there are two bootable images generated by the elftosb utility. The first one is ivt\_flashloader\_signed.bin. The memory regions from 0 to ivt\_offset is filled with padding bytes (all 0x00s). The second one is ivt\_flashloader\_signed\_nopadding.bin, which starts from ivt\_offset directly. The CSF section is generated and appended to the unsigned bootable image successfully.

**NOTE**Engine support varies across the i.MX RT devices. Not all engines are supported by a certain RT model. For details on the engine support, see the Reference Manual of the device.

## 4.4 Generate encrypted normal i.MX RT bootable image

To generate an encrypted image, perform the following steps:

1. Create a BD file.

```
options {
    flags = 0x0c;
    startAddress = 0x20000000;
    ivtOffset = 0x400;
    initialLoadSize = 0x2000;
}
sources {
    elfFile = extern(0);
}
```

```
constants {
   SEC_CSF_HEADER = 20;

SEC_CSF_INSTALL_SRK = 21;

SEC_CSF_INSTALL_CSFK = 22;

SEC_CSF_INSTALL_NOCAK = 23;
    SEC CSF AUTHENTICATE CSF = 24;
    SEC CSF INSTALL KEY = 25;
    SEC CSF AUTHENTICATE DATA = 26;
    SEC CSF INSTALL SECRET KEY = 27;

      SEC_CSF_DECRYPT_DATA
      = 28;

      SEC_NOP
      = 29;

      SEC_SET_MID
      = 30;

      SEC_SET_ENGINE
      = 31;

      SEC_INIT
      = 32;

      SEC_INIT
      = 32;

    SEC UNLOCK
                                      = 33;
section (SEC CSF HEADER;
   Header Version="4.3",
   Header HashAlgorithm="sha256",
   Header Engine="ANY",
    Header EngineConfiguration=0,
    Header CertificateFormat="x509",
    Header SignatureFormat="CMS"
{
section (SEC CSF INSTALL SRK;
   InstallSRK Table="keys/SRK 1 2 3 4 table.bin", // "valid file path"
    InstallSRK SourceIndex=0
}
section (SEC CSF INSTALL CSFK;
    InstallCSFK File="crts/CSF1 1 sha256 2048 65537 v3 usr crt.pem", // "valid file path"
    InstallCSFK CertificateFormat="x509" // "x509"
{
}
section (SEC CSF AUTHENTICATE CSF)
{
section (SEC CSF INSTALL KEY;
    InstallKey File="crts/IMG1 1 sha256 2048 65537 v3 usr crt.pem",
    InstallKey VerificationIndex=0, // Accepts integer or string
    InstallKey TargetIndex=2) // Accepts integer or string
{
}
section (SEC CSF AUTHENTICATE DATA;
  AuthenticateData VerificationIndex=2,
   AuthenticateData Engine="ANY",
    AuthenticateData EngineConfiguration=0)
{
```

i.MX RT1160 Manufacturing User's Guide, Rev. 0, 05 March 2021

NXP Semiconductors

24

```
section (SEC_CSF_INSTALL_SECRET_KEY;
    SecretKey_Name="dek.bin",
    SecretKey_Length=128,
    SecretKey_VerifyIndex=0,
    SecretKey_TargetIndex=0)
{

section (SEC_CSF_DECRYPT_DATA;
    Decrypt_Engine="ANY",
    Decrypt_EngineConfiguration="0", // "valid engine configuration values"
    Decrypt_VerifyIndex=0,
    Decrypt_MacBytes=16)
{
}
```

- 2. Copy Flashloader.srec into the same folder that holds the elftosb utility executable.
- 3. Copy the "cst" executable, "crts" folder, and "keys" folder from "<cst\_installation\_dir>" to the same folder that holds the elftosb utility executable.
- 4. Generate an encrypted bootable image using the elftosb utility.

Figure 4. Example command to generate an encrypted image

Then, there are two bootable images generated by the elftosb utility. The first one is ivt\_flashloader\_encrypt.bin. The memory regions from 0 to ivt\_offset are filled with padding bytes (all 0x00s).

The Key Blob offset in the example above is used in later section.

The second one is ivt\_flashloader\_encrypt\_nopadding.bin, which starts from ivt\_offset directly. The CSF section is generated and appended to the unsigned bootable image successfully.

5. Generate the KeyBlob section using the Flashloader.

The encrypted image generated by the elftosb utility is incomplete because the KeyBlob section must be generated on the SoC side only.

There are two methods to generate the KeyBlob block:

- Generate KeyBlob using the generate-key-blob <dek\_file> <blob\_file> command supported by the Flashloader
  and blhost. See Appendix for more details.
- Generate KeyBlob during manufacturing and use the KeyBlob option block. See the following chapter for additional information.

# Chapter 5 Generate SB file for bootable image programming

To make the manufacturing process easier, all the commands supported by the flashloader and bootable image can be wrapped into a single SB file. Even if there are any changes in the application, MfgTool still uses this SB file to manufacture. The SB file can be updated separately without updating scripts for MfgTool use.

In this chapter, a bootable image will be created using the method in former chapter. Then corresponding SB file is generated using the bootable image. The BD file is prepared first to generate SB file for bootable image.

## 5.1 Generate SB file for FlexSPI NOR image programming

#### 5.1.1 Generate Normal Bootable Image

For example, in , the FlexSPI NOR memory starts from address 0x3000\_0000 and IVT from offset 0x1000. After following the steps in Section 4.2 (*Generate unsigned normal i.MX RT bootable image*) and BD file generation, here is the usage of the elftosb utility to create bootable image for FlexSPI NOR. All the BD files are provided in the release package. The figure below refers to the example command to generate a signed image.

Figure 5. Example command to generate signed FlexSPI boot image

After running above command, a file with suffix "\_nopadding.bin" is available into destination memory via subsequent SB file based on this binary.

#### 5.1.2 Generate SB file for plaintext FlexSPI NOR image programming

Usually, a BD file for FlexSPI NOR boot consists of 7 parts.

- 1. The bootable image file path is provided in sources block.
- 2. The FlexSPI NOR Configuration Option block is provided in section block.
- 3. To enable FlexSPI NOR access, the "enable" command must be used after the option block.
- 4. If the flash device is not erased, an "erase" command is required before programming data to the flash device. The erase operation is time consuming and is not required for a blank flash device (factory setting) during manufacturing.
- 5. The FlexSPI NOR Configuration Block (FNORCB) is required for FlexSPI NOR boot. To program the FNORCB generated by FlexSPI NOR Configuration Option block, a special magic number '0xF000000F" must be loaded into RAM first.
- 6. To notify the flashloader to program the FNORCB, an "enable" command must be used after the magic number is loaded.
- 7. After the above operation, the flashloader can program the bootable image binary into Serial NOR Flash through FlexSPI module using the load command.

An example containing the above steps is shown in the figure below.

User Guide 26 / 45

27

```
# The source block assign file name to identifiers
 myBinFile = extern (0);
constants {
    kAbsAddr_Start= 0x30000000;
   kAbsAddr_Ivt = 0x30001000;
kAbsAddr_App = 0x30002000;
# The section block specifies the sequence of boot commands to be written to the SB file
section (0) {
    #1. Prepare Flash option
# 0xc00000006 is the tag for Serial NOR parameter selection
    # bit [31:28] Tag fixed to 0x0C
# bit [27:24] Option size fixed to 0
# bit [23:20] Flash type option
                    0 - QuadSPI SDR NOR
                    1 - QUadSPI DDR NOR
    # bit [19:16] Query pads (Pads used for query Flash Parameters)
    # bit [15:12] CMD pads (Pads used for query Flash Parameters)
    # bit [11: 08] Quad Mode Entry Setting
                    0 - Not Configured, apply to devices:
                        - With Quad Mode enabled by default or
- Compliant with JESD216A/B or later revision
                    1 - Set bit 6 in Status Register 1
                    2 - Set bit 1 in Status Register 2
                    3 - Set bit 7 in Status Register 2
                   4 - Set bit 1 in Status Register 2 by 0x31 command
    # bit [07: 04] Misc. control field
                    3 - Data Order swapped, used for Macronix OctaFLASH devcies only (except MX25UM51345G)
                    4 - Second QSPI NOR Pinmux
    # bit [03: 00] Flash Frequency, device specific
    load 0xc0000006 > 0x20000000;
    # Configure QSP1 NOR FLASH using option a address 0x20000000
   enable flexspinor 0x20000000;
    #2 Erase flash as needed.(Here only 256KBytes are erased, need to be adjusted to the actual size based on users' application)
   erase 0x30000000..0x30010000;
    #3. Program config block
# <code>axfamammaf is the tag to notify Flashloader to program FlexSPI NOR config block to the start of device</code>
   load 0xf000000f > 0x20000000;
    # Notify Flashloader to response the option at address 0x20000000
   enable flexspinor 0x20000000;
    #5. Program image
   load myBinFile > kAbsAddr_Ivt;
```

Figure 6. Example BD file for FlexSPI NOR programming

Here is an example to generate SB file using the elftosb utility, ivt flexspi nor xip.bin, and BD file shown in the figure below.

```
elftosb -f kinetis -V -c program_flexspinor_image_qspinor.bd -o boot_image.sb ivt_fspi1_xip_nopadding.bin
Boot Section 0x00000000:
 FILL
        adr=0x20000000
                          len=0x000000004
                                           ptn=0xc0000006
                                           flg=0x0900
 ENA
        adr=0x20000000
                         cnt=0x000000004
                                           flg=0x0000
 ERAS
        adr=0x30000000
                         cnt=0x00010000
 FILL
        adr=0x20000000
                          len=0x000000004
                                           ptn=0xf000000f
                          cnt=0x000000004
                                           flg=0x0900
        adr=0x20000000
        adr=0x30001000
                          len=0x00002b44
                                           crc=0x0fdba865 | flg=0x0000
 LOAD
```

Figure 7. Example command to generate SB file for FlexSPI NOR programming

After the above command, a file named boot image.sb will be created in the same folder that holds the elftosb utility executable.

## 5.1.3 Generate SB file for FlexSPI NOR Image encryption and programming

Usually, a BD file for FlexSPI NOR image encryption and programming consists of 7 steps.

- 1. The bootable image file path is provided in sources block.
- 2. Enable FlexSPI NOR access using FlexSPI NOR Configuration Option block.
- 3. Erase the flash device if it is not blank. The erase operation is time consuming and is not required for a blank flash device (factory setting) during manufacturing.
- 4. Enable image encryption using PRDB option block.
- 5. Program FNORCB using magic number.
- 6. Program boot image binary into Serial NOR via FlexSPI module.
- 7. Enable Encrypted XIP fuse bits.

```
# The source block assign file name to identifiers
 MyBinFile = extern (0);
# The section block specifies the sequence of boot commands to be written to the SB file
         Prepare Flash option
       In this example, the 0xc0233007 represents:
HyperFLASH 1V8, Query pads: 8 pads, Cmd pads: 8 pads, Frequency: 133MHz
     Toad 0xc0233007 > 0x2000;

# Configure HyperFLASH using option a address 0x2000

enable flexspinor 0x2000;
     #2 Erase flash as needed.
erase 0x600000000..0x60010000;
     #3 Prepare PRDB options
     # OxeO120000 is an option for PRDB contruction and image encryption
       bit[31:28] tag, fixed to 0x0E
bit[27:24] Key source, fixed to 0 for AO silicon
bit[23:20] AES mode: 1 - CTR mode
bit[19:16] Encrypted region count
       bit[15:00] reserved in AO
     load 0xe0120000 > 0x4000;
     # Region 0 start
load 0x60001000 > 0x4004;
                                                           (4)
     # Region 0 length
load 0x00001000 > 0x4008;
     # Region 1 start
load 0x60002000 > 0x400c;
     # Region 1 length
load 0x0000e000 > 0x4010;
     # Program PRDBO based on option
     enable flexspinor 0x4000,
     #4. Program config block
# Oxf000000f is the tag to notify Flashloader to program FlexSPI NOR config block to the start of device load 0xf000000f > 0x3000; (5)
     # Notify Flashloader to response the option at address 0x3000 enable flexspinor 0x3000;
     #5. Program image
load myBinFile > 0x60001000:
                                                    (6)
          Program BEE_KEYO_SEL and BEE_KEYI_SEL
                                                                    (7)
     load fuse 0x0000e000 > 0x06;
```

Figure 8. Example BD file for encrypted FlexSPI NOR image generation and programming

The steps to generate SB file is the same as in the above section.

#### 5.2 Generate SB file for SD image programming

The SD image always starts at offset 0x400. The i.MX RT boot image generated by the elftosb utility with "\_nopadding.bin" will be used for programming.

#### 5.2.1 Steps to Generate SB file for SD image programming

In general, there are six steps in the BD file to program the bootable image to SD card.

- 1. The bootable image file path is provided in sources block.
- 2. Prepare SDCard option block.
- 3. Enable SDCard access using enable command.
- 4. Erase SD card memory as needed.
- 5. Program boot image binary into SD card.
- 6. Program optimal SD boot parameters into Fuse (optional, remove it if it is not required in actual project).

An example is shown in the figure below.

```
# The source block assign file name to identifiers
sources {
myBootImageFile = extern (0);
                                   (1)
# The section block specifies the sequence of boot commands to be written to the SB file
section (0) {
    #1. Prepare SDCard option block
    load 0xd0000001 > 0x100;
                                             (2)
    load 0x000000000 > 0x104;
    #2. Configure SDCard
                                (3)
   enable sdcard 0x100;
    #3. Erase blocks as needed.
                                     (4)
   erase sdcard 0x400..0x14000;
    #4. Program SDCard Image
                                            (5)
   load sdcard myBootImageFile > 0x400;
    #5. Program Efuse for optimal read performance (optional)
    #load fuse 0x000000000 > 0x07;
                                                                 (6)
```

Figure 9. Example BD file for SD boot image programming

The steps to generate SB file for encrypted SD boot image and KeyBlob programming is similar to FlexSPI NAND. See the example below for more details.

```
# The source block assign file name to identifiers
sources {
   myBootImageFile = extern (0);
   dekFile = extern (1);
}

# The section block specifies the sequence of boot commands to be written to the SB file
section (0) {
    #1. Prepare SDCard option block
```

i.MX RT1160 Manufacturing User's Guide, Rev. 0, 05 March 2021

NXP Semiconductors

29

```
load 0xd0000001 > 0x100;
load 0x000000000 > 0x104;
#2. Configure SDCard
enable sdcard 0x100;
#3. Erase blocks as needed.
erase sdcard 0x400..0x14000;
#4. Program SDCard Image
load sdcard myBootImageFile > 0x400;
#5. Generate KeyBlob and program it to SD Card
# Load DEK to RAM
load dekFile > 0x10100;
# Construct KeyBlob Option
# bit [31:28] tag, fixed to 0x0b
# bit [27:24] type, 0 - Update KeyBlob context, 1 Program Keyblob to SPI NAND
# bit [23:20] keyblob option block size, must equal to 3 if type =0,
      reserved if type = 1
# bit [19:08] Reserved
# bit [07:04] DEK size, 0-128bit 1-192bit 2-256 bit, only applicable if type=0
\# bit [03:00] Firmware Index, only applicable if type = 1
# if type = 0, next words indicate the address that holds dek
               the 3rd word
# tag = 0x0b, type=0, block size=3, DEK size=128bit
load 0xb0300000 > 0x10200;
\# dek address = 0x10100
load 0x00010100 > 0x10204;
# keyblob offset in boot image
# Note: this is only an example bd file, the value must be replaced with actual
       value in users project
load 0x00004000 > 0x10208;
enable sdcard 0x10200;
#6. Program KeyBlob to firmwareO region
load 0xb1000000 > 0x10300;
enable sdcard 0x10300;
#7. Program Efuse for optimal read performance (optional)
#load fuse 0x00000000 > 0x07;
```

## 5.3 Generate SB file for eMMC image programming

The eMMC image always starts at offset 0x400. The i.MX RT boot image generated by the elftosb utility with "\_nopadding.bin" will be used for programming.

There are two types of eMMC boot mode: Normal boot and Fast boot

#### 5.3.1 Normal mode

There are 6 steps in the BD file to program the bootable image to eMMC for normal boot mode.

- 1. The bootable image file path is provided in sources block.
- 2. Prepare eMMC option block.

- 3. Enable eMMC access using enable command.
- 4. Erase eMMC card memory as needed.
- 5. Program boot image binary into eMMC.
- 6. Program optimal eMMC boot parameters into Fuse (optional, remove it if it is not required in actual project).

```
# The source block assign file name to identifiers
sources {
                                      (1)
myBootImageFile = extern (0);
# The section block specifies the sequence of boot commands to be written to the SB file
section (0) {
    #1. Prepare MMCCard option block
                                       (2)
    load 0xc0000001 > 0x100;
    10ad \cdot 0x000000000 > 0x104
    #2. Configure MMCCard
                                     (3)
    enable mmccard 0x100;
    #3. Erase blocks as needed
    erase mmccard 0x400..0x14000;
    #4. Program MMCCard Image
  load mmccard myBootImageFile > 0x400;>
    #5. Program Efuse for optimal read performance (optional)
   (#load fuse 0x00000000 > 0x07;
                                           (6)
}
```

Figure 10. Example BD file for eMMC boot image programming for Normal boot mode

#### 5.3.2 Fast Mode

There are nine steps in the BD file to program the bootable image to eMMC for Fast boot mode.

- 1. The bootable image file path is provided in "sources" block.
- 2. Prepare eMMC option block and enable eMMC access using "enable" command.
- 3. Erase eMMC card memory as needed.
- 4. Program boot image binary into eMMC.
- 5. Program optimal eMMC boot parameters into Fuse (optional, remove it if it is not required in actual project).
- 6. Prepare 2nd eMMC option block.
- 7. Re-enable eMMC access using new option block.
- 8. Erase data in User Data area as required.
- 9. Load User Data file to User Data area.

```
# The source block assign file name to identifiers
sources {
   myBootImageFile = extern (0);
   myUserDataFile = extern (1);
# The section block specifies the sequence of boot commands to be written to the SB file
section (0) {
       Prepare 1st MMC Card option block.
        8bit DDR, High Speed, Boot partition 1 selected for access.
       Fast boot config: Boot partition 1, 8bit DDR, ACK.
    load 0xC1121625 > 0x100;
    load 0x00000001 > 0x104;
    #2. Configure MMC Card.
   enable mmccard 0x100
    #3. rrase blocks at Boot partion 1 as needed. (3)
    erase mmccard 0x400..0x14000:
    #4. Program Boot Image to MMC Card Boot partion 1.
    load mmccard myBootImageFile > 0x400;
    #5. Program Efuse according the fast boot config. (optional if use GPIO instead of Efuse)
   #load fuse 0x000006B3 > 0x05;
    #6 Prepare 2nd MMC Card option block.
    # 8bit DDR, High Speed, User data area is selected for access.
    load 0xC0001600 > 0x100;
                                           (6)
    load 0x00000001 > 0x104;
    #7. Re-configure MMC Card
    enable mmccard 0x100;
    s. Erase blocks at User data area
    erase mmccard 0x8000..0x100000;
       Program User Data file to User data an
    load mmccard myUserDataFile > 0x8000;
                                                     (9)
```

Figure 11. Example BD file for eMMC boot image programming for Fast boot mode

The BD file for encrypted eMMC boot image and KeyBlob programming is similar to SD.

## 5.4 Generate SB file for Serial NOR/EEPROM image programming

There are five steps in the BD file to program the bootable image to SD card.

- 1. The bootable image file path is provided in sources block.
- 2. Prepare Serial NOR/EEPROM option block and enable Serial NOR/EEPROM access using enable command.
- 3. Erase Serial NOR/EEPROM memory as required.
- 4. Program boot image binary into Serial NOR/EEPROM device.
- 5. Enable Recovery Boot via Serial NOR/EEPROM as required.

An example is shown in the figure below.

```
# The source block assign file name to identifiers
sources {
myBootImageFile = extern (0);
# The section block specifies the sequence of boot commands to be written to the SB file
section (0) {
   #1. Prepare SPI NOR/EEPROM option block
    # bit [31.28] tag, fixed to 0x0c
                                                (2)
    # bit [27:24] Size, (bytes/4) - 1
    # Mit [23:20] SPI instance
    bit [19:16] PCS index
    # bit [15:12] Flash type, 0-SPI NOR, 1-SPI EEPROM
    # bit [11:08] Flash size (Bytes) 0 - 512K, 1 1M, 2-2M, 3-4M, 4-8M
                 13-64K, 14-128K, 15-256K, etc.
    # bit [07:04] Sector size (Bytes), 0-4K, 1-8K, 2-32K, 3-64K,
                  4-128K, 5-256K
    # bit [03:00] Page size (Bytes) 0-256, 1-5/2
    Nad 0xC0100300 > 0x100;
    #2. Configure SPI NOR/EEPROM
    enable spieeprom 0x100;
    #3. Erase blocks as needed.
   erase spieeprom 0x400..0x14000;
    #4. Program SPI NOR/EEPROM Image
   load spieeprom myBootImageFile > 0x400
    #5. Enable Recovery boot
    # Note: this fuse field is SoC specific, need to be updated
            according to fusemap.
    #load fuse 0x01000000 > 0x2d;
```

Figure 12. Example BD file for Serial NOR/EEPROM boot image programming

The BD file for encrypted SPI EEPRM/NOR boot image and KeyBlob programming is similar to SD.

## 5.5 Generate SB file for fuse programming

In certain cases, the fuse must be programmed first to enable specific features for selected boot devices or security levels. For example, to enable Fast boot mode for eMMC, enable HAB closed mode, the fuse must be programmed first.

The elftosb utility can support programming the fuses using the built-in command *load fuse*. An example to program SRK table and enable HAB closed mode is shown as follows.

```
# The source block assign file name to identifiers
sources {
}

constants {
}

section (0) {

# Program SRK table
load fuse 0xD132E7F1 > 0x18;
```

```
load fuse 0x63CD795E > 0x19;
 load fuse 0x8FF38102 > 0x1A;
 load fuse 0x22A78E77 > 0x1B;
 load fuse 0x01019c82 > 0x1C;
 load fuse 0xFC3AC699 > 0x1D;
load fuse 0xF2C327A3 > 0x1E;
 load fuse 0xDAC9214E > 0x1F;
 # Program SEC_CONFIG to enable HAB closed mode
 load fuse 0x00000002 > 0x06;
```

i.MX RT1160 Manufacturing User's Guide, Rev. 0, 05 March 2021

# Chapter 6 Program bootable image

Bootable image programming is supported by MfgTool only.

## 6.1 MfgTool

The MfgTool supports i.MX RT BootROM and MCUBOOT-based Flashloader. It can be used in factory production environment. The MfgTool can detect i.MX RT BootROM devices connected to a PC and invokes "blhost" to program the image on target memory devices connected to the i.MX RT device.

The template of MfgTool configuration profile is provided along with this document. It is applicable to most use cases without any modifications.

#### 6.1.1 MfgTool Directory structure



Figure 13. MfgTool organization

1. In the release package, the mfgtools-rel folder appears in the tools folder along with blhost folder.

User Guide 35 / 45

36

- 2. The blhost exe appears in the blhost/win folder and the MfgTools executable "MfgTool2.exe".
- 3. The Profiles folder contains the profile for the supported devices that include an "OS Firmware" folder and player.ini file.
- 4. The ucl2.xml file in the OS Firmware folder is the main .xml file that MfgTool processes. It contains the manufacturing process flow for the device. The process includes identification parameters for the device and blhost commands parameter to identify the device connected to the PC host and a set of blhost commands required for updating the image. The ucl2.xml file can be customized to suit custom setup or manufacturing process flow. The folder contains example XML files for user's reference. An example ucl2.xml is shown below. In general, it defines the supported states and lists.

Figure 14. Example UCL2.xml settings

- 5. The "ivt\_flashloader.bin" file under the "OS firmware" is the Flashloader released to support image programming.
- 6. The "ivt\_flashloader\_signed.bin" file under the "OS firmware" is the bootable Flashloader image file generated by users for Secure Boot solution in production phase, it can be generated by following Section 4.3.
- 7. The "boot\_image.sb" file under the "OS firmware" is the wrapped file with command sequences and bootable images generated by the users using the elftosb utility.
- 8. The "enable\_hab.sb" file under the "OS firmware" is the wrapped file with command sequences that programs Fuses to enable HAB closed mode, which is generated by the users using the elftosb utility.
- 9. The play ini in the "Device" profile folder contains configurable parameters for the manufacturing tool application.
- 10. The cfg.ini and UICfg.ini files provide customizable parameters for the look and feel of the tool's GUI. The cfg.ini in tool's GUI is used to select "chip", "platform" and "name" in list. Refer to the example below

#### NOTE

Select appropriate "chip" from Device list, "name" from list in ucl2.xml in Device/OS Firmware folder.

```
[profiles]
chip = MXRT116x

[platform]
board =

[LIST]
name = MXRT116x-DevBoot
```

- 11. UICfg.ini is used to select the number of instances supported by MfgTool UI. The valid instance range is 1-4.
- 12. The MfgTool.log text file is a useful tool to debug failures reported on MfgTool UI. The MfgTool logs the entire command line string which was used to invoke blhost and collects the output response text the blhost puts out on stdout into the MfgTool log file. The log file should be the considered first while troubleshooting.

## 6.1.2 Preparation before image programming using MfgTool

See Chapter 4, Generate i.MX RT bootable image and Chapter 5, Generate SB file for bootable image programming for more details.

#### 6.2 Connect to the i.MX RT Platform

The i.MX RT platform connects to a host computer to interface with the i.MX RT BootROM application. After the platform connects in serial downloader mode, use the MfgTool to program bootable image into the target flash memory. If both cfg.ini and UlCfg.ini files are configured appropriately, MfgTool recognizes the device and establishes the connection.

The figure below shows that the MfgTool has been connected.



Figure 15. MfgTool GUI with device connected

## 6.3 Program bootable image during development

In development phase, the device may be in HAB open mode for most use cases. Users can configure the "name" field in cfg.ini file as <Device>-DevBoot, then prepare the boot\_image.sb file using the elftosb utility. After the "boot\_image.sb" is generated, place it into "<Device>/OS Firmware/" folder. Then put device into serial downloader mode and connect it to host PC. After opening the MfgTool2.exe and click "Start" to trigger a programming sequence. When the programming completes, the window shown in the figure below appears. To exit MfgTool, click "Stop" and then "Exit".



Figure 16. Successful result for programming with MfgTool for DevBoot

## 6.4 Program bootable image for production

In production phase, the device can be in HAB closed mode for most use cases. Users can configure the "name" field in cfg.ini file as <Device>-SecureBoot, then prepare the boot\_image.sb file, enable\_hab.sb and ivt\_flashloader\_signed.bin using the elftosb utility. After all are generated, place them into "<Device>/OS Firmware/" folder, then put device in serial downloader, connect it to host PC. Open MfgTool2.exe and click "Start" to trigger a programming sequence. After the programming completes, the window below will be seen. To exit MfgTool, click "Stop" and then "Exit".



Figure 17. Successful result for programming with MfgTool for Secure Boot

## Chapter 7 Appendix

## 7.1 Example of manufacturing flow for RT1160-EVK

#### 7.1.1 Manufacturing process in Development phase

In development phase, generally the image is unsigned and is used for functional testing.

#### 7.1.1.1 Templates options for the Manufacturing flow

To simplify the complexity of the Manufacturing flow, several templates are available in ucl2.xml.

The code block below is an example which is used for programming an SDK XIP project binary into RT1160-EVK board. To enable the XiP users need to

- 1. Change the "name" item in cfg.ini to "name = MXRT116x-DevBootFlexSpi1\_FlashXiP
- 2. Compile the SDK project
- 3. Generate the binary file for the project
- 4. Rename the binary to boot\_image.bin
- 5. Copy it to the same folder as ucl2.xml

```
<!-- This List is for the MCUXpresso SDK XIP demo download via the MfqTool -->
        <LIST name="MXRT116x-DevBootFlexSpi1 FlashXiP" desc="Manufacturing with Flashloader">
        <!-- Stage 1, load and execute Flashloader -->
        <CMD state="Blhost" type="blhost" body="load-image \"Profiles\\MXRT116x\\OS Firmware\
\ivt flashloader.bin"> Loading and running Flashloader. </CMD>
        <!-- Stage 2, Program boot image into external memory using Flashloader -->
       <CMD state="Blhost" type="blhost" body="get-property 12" > Get Property 12. </CMD> <!--Used
to test if flashloader runs successfully-->
        <CMD state="Blhost" type="blhost" body="fill-memory 0x20000000 4 0xcf900001"> Select
Instance : 1</CMD>
       <CMD state="Blhost" type="blhost" body="configure-memory 0x9 0x20000000"> Enable the FLEXSPI
1 support </CMD>
        <!--Note: This configuration is just an example, please use the correct option for the flash
device soldered on the platorm
        See the usage of the configuration option from the System Boot, FLEXSPI NOR API section
       <CMD state="Blhost" type="blhost" body="fill-memory 0x20000000 4 0xc0000006> Prepare Flash
Configuration option </CMD>
       <CMD state="Blhost" type="blhost" body="configure-memory 0x9 0x20000000"> Configure QuadSPI
NOR Flash </CMD>
        <!-- This erase size need to be updated based on the actual boot image size-->
        <CMD state="Blhost" type="blhost" timeout="30000" body="flash-erase-region 0x30000000
0x100000" > Erase 1MBytes </CMD>
       <CMD state="Blhost" type="blhost" timeout="15000" body="write-memory 0x30000400 \"Profiles\
\MXRT116x\\OS Firmware\\boot image.bin\"" > Program Boot Image. </CMD>
       <CMD state="Blhost" type="blhost" body="Update Completed!">Done</CMD>
        </LIST>
```

User Guide 39 / 45

The code block below is an example which is used for programming the SDK XIP project binary into RT1160-EVK board with other FLASH device. Users may need to modify the configuration option for actual soldered FLASH devices. See chapter "External memory support" in *MCU Flashloader Reference Manual* for more details.

To enable the option, users need to

- 1. Change the "name" item in cfg.ini to MXRT116x-DevBootFlexSpi1\_FlashXiP\_NoConfigBlock"
- 2. Compile the SDK project
- 3. Generate the binary file for the project
- 4. Rename the binary to boot\_image.bin
- 5. Copy it to the same folder as ucl2.xml

```
<!-- This List is for the MCUXpresso SDK XIP demo download via the MfgTool -->
           <LIST name="MXRT116x-DevBootFlexSpi1_FlashXiP_NoConfigBlock" desc="Manufacturing</pre>
with Flashloader">
           <!-- Stage 1, load and execute Flashloader -->
            <CMD state="Blhost" type="blhost" body="load-image \"Profiles\\MXRT116x\\OS Firmware\
\ivt flashloader.bin"> Loading and running Flashloader. </CMD>
           <!-- Stage 2, Program boot image into external memory using Flashloader -->
           <CMD state="Blhost" type="blhost" body="get-property 12" > Get Property 12. </CMD> <!--
Used to test if flashloader runs successfully-->
           <CMD state="Blhost" type="blhost" body="fill-memory 0x20000000 4 0xcf900001"> Select
Instance : 1</CMD>
           <CMD state="Blhost" type="blhost" body="configure-memory 0x9 0x20000000"> Enable the
FLEXSPI 1 support </CMD>
           <!--Note: This configuration is just an example, please use the correct option for the
flash device soldered on the platorm
           See the usage of the configuration option from the System Boot, FLEXSPI NOR API section
           <CMD state="Blhost" type="blhost" body="fill-memory 0x20000000 4 0xc0000006"> Prepare
Flash Configuration option </CMD>
           <CMD state="Blhost" type="blhost" body="configure-memory 0x9 0x20000000"> Configure
QuadSPI NOR Flash </CMD>
           <!-- This erase size need to be updated based on the actual boot image size-->
           <CMD state="Blhost" type="blhost" timeout="30000" body="flash-erase-region 0x30000000
0x100000" > Erase 1MBytes </CMD>
           <!-- Program the Flash Config block to the FLASH ofset 0x400 automatically -->
           <CMD state="Blhost" type="blhost" body="fill-memory 0x20000000 4 0xf000000f"> Prepare
Flash Configuration option </CMD>
           <CMD state="Blhost" type="blhost" body="configure-memory 0x9 0x20000000"> Configure
QuadSPI NOR Flash </CMD>
           <CMD state="Blhost" type="blhost" timeout="15000" body="write-memory 0x30000400
\"Profiles\\MXRT116x\\OS Firmware\\boot image.bin\"" > Program Boot Image. </CMD>
           <CMD state="Blhost" type="blhost" body="Update Completed!">Done</CMD>
```

#### 7.1.1.2 Create i.MX RT bootable image

#### 7.1.1.2.1 Create image using KSDK XIP example

Users can create an unsigned bootable image by building a KSDK XIP project and convert the output to a binary file. The binary file needs to be renamed to the boot\_image.bin and copied to the same folder as ucl2.xml. Then users can update the cfg.ini file to enable an option of manufacturing flow which is described in previous section.

#### 7.1.1.2.2 Create image using the elftosb utility

To create a bootable image for a specific memory, users need to know the memory map of i.MX RT116x SoC. Details of generating bootable image can be found in Chapter 4. Here are the steps to create an i.MX RT bootable image for FlexSPI NOR using elftosb utility.

1. Create the BD file for boot image generation. The BD file content is showed below. It is also available in the release package in "<sdk\_package>/middleware/mcu-boot/bin/Tools/bd\_file/imxrt116x folder

```
options {
    flags = 0x00;
    startAddress = 0x30000000;
    ivtOffset = 0x1000;
    initialLoadSize = 0x2000;
}
    entryPointAddress = 0x30002000;

sources {
    elfFile = extern(0);
}

section (0)
{
}
```

2. Create the i.MX RT bootable image using elftosb utility.

Here is the example command:

```
$ elftosb -f imx -V -c imx-flexspinor-normal-unsigned.bd -o ivt_flexspi_nor_xip.bin led_demo_evk_flexspi_nor_0x30002000.srec
Section: 0x0
iMX bootable image generated successfully
```

Figure 18. Example command to generate FlexSPI NOR boot image

- · ivt\_flexspi\_nor\_xip.bin
- · ivt\_flexspi\_nor\_xip\_nopadding.bin

The ivt flexspi nor xip nopadding bin will be used to generate SB file for QSPI FLASH programming in subsequent section.

#### 7.1.1.2.3 Create SB file for QSPI FLASH programming

Here is an example to create an SB file for QSPI FLASH programming for RT1160-EVK board. The details for generating SB file for bootable image programming is available in Chapter 5.

```
# 0xc0000007 is the tag for Serial NOR parameter selection
# bit [31:28] Tag fixed to 0x0C
# bit [27:24] Option size fixed to 0
# bit [23:20] Flash type option
              0 - QuadSPI SDR NOR
              1 - QUadSPI DDR NOR
# bit [19:16] Query pads (Pads used for query Flash Parameters)
              0 - 1
# bit [15:12] CMD pads (Pads used for query Flash Parameters)
             0 - 1
# bit [11: 08] Quad Mode Entry Setting
              0 - Not Configured, apply to devices:
                  - With Quad Mode enabled by default or
                  - Compliant with JESD216A/B or later revision
              1 - Set bit 6 in Status Register 1
              2 - Set bit 1 in Status Register 2
              3 - Set bit 7 in Status Register 2
              4 - Set bit 1 in Status Register 2 by 0x31 command
# bit [07: 04] Misc. control field
              3 - Data Order swapped, used for Macronix OctaFLASH devcies only
              (except MX25UM51345G)
              4 - Second QSPI NOR Pinmux
# bit [03: 00] Flash Frequency, device specific
load 0xc0000006 > 0x2000;
# Configure QSPI NOR FLASH using option a address 0x2000
enable flexspinor 0x2000;
#2 Erase flash as needed.
#(Here only 64KBytes are erased, need to be adjusted to the actual
#size of users' application)
erase 0x 30000000..0x30040000
#3. Program config block
# 0xf000000f is the tag to notify Flashloader to program
# FlexSPI NOR config block to the start of device
load 0xf000000f > 0x3000;
# Notify Flashloader to response the option at address 0x3000
enable flexspinor 0x3000;
#4. Program image
load myBinFile > kAbsAddr Ivt;
```

After the BD file is ready, the next step is to generate the boot\_image.sb file that is for MfgTool to use later. Here is the example command:

```
elftosb -f kinetis -V -c program_flexspinor_image_qspinor.bd -o boot_image.sb ivt_flexspi_nor_xip_nopadding.bin
Boot Section 0x000000000:
                                            ptn=0xc0000107
 FILL | adr=0x00002000 |
                          len=0x00000004 |
                          cnt=0x00000004
                                            flg=0x0900
flg=0x0000
        adr=0x00002000
 FNA
                          cnt=0x00040000
 ERAS
        adr=0x30000000
 FILL
        adr=0x00003000
                          len=0x00000004
                                            ptn=0xf000000f
        adr=0x00003000
                          cnt=0x00000004
                                            flg=0x0900
 ENA
        adr=0x30001000
 LOAD
                          len=0x00001270
                                            crc=0x3d3d71d5 | flg=0x0000
```

Figure 19. Example command to generate SB file for FlexSPI NOR programming

After using the above command, the boot\_image.sb is generated in the elftosb utility folder.

## 7.1.2 Program Unsigned Image to Flash using MfgTool

Use the following steps to program a boot image into a flash device

- 1. Copy the boot\_image.sb file to "<mfgtool\_root\_dir>/Profiles/MRT116x/OS Firmware" folder.
- 2. Change the "name" under "[List]" to selected option in cfg.ini file in <mfgtool\_root\_dir> folder, for example, "name = MXRT116x-DevBootFlexSpi1\_FlashXiP'.
- 3. Put the -EVK board to Serial Downloader mode by setting SW1 to "1-OFF, 2-OFF, 3-OFF, 4-ON".
- 4. Power up RT1160-EVK board and insert USB cable to J20.
- 5. Open MfgTool, it will show as the detected device like the one shown in Figure 15.
- 6. Click "Start", MfgTool will do manufacturing process. After completion, it will show the status as success as shown in Figure 16. Click "Stop" and close the MfgTool.
- 7. Put the RT1160-EVK board to internal boot mode and select QSPI FLASH as boot device by setting SW1 to "1-OFF, 2-OFF, 3-ON, 4-OFF". Then reset the device to start running the application

# Chapter 8 Revision history

The table below summarizes the changes done to this document since the initial release.

Table 19. Revision history

| Revision number | Date    | Substantial changes |
|-----------------|---------|---------------------|
| 0               | 03/2021 | Initial release     |

How To Reach Us

Home Page:

nxp.com

Web Support:

nxp.com/support

Information in this document is provided solely to enable system and software implementers to use NXP products. There are no express or implied copyright licenses granted hereunder to design or fabricate any integrated circuits based on the information in this document. NXP reserves the right to make changes without further notice to any products herein.

NXP makes no warranty, representation, or guarantee regarding the suitability of its products for any particular purpose, nor does NXP assume any liability arising out of the application or use of any product or circuit, and specifically disclaims any and all liability, including without limitation consequential or incidental damages. "Typical" parameters that may be provided in NXP data sheets and/or specifications can and do vary in different applications, and actual performance may vary over time. All operating parameters, including "typicals," must be validated for each customer application by customer's technical experts. NXP does not convey any license under its patent rights nor the rights of others. NXP sells products pursuant to standard terms and conditions of sale, which can be found at the following address: nxp.com/SalesTermsandConditions.

**Right to make changes** - NXP Semiconductors reserves the right to make changes to information published in this document, including without limitation specifications and product descriptions, at any time and without notice. This document supersedes and replaces all information supplied prior to the publication hereof.

Security — Customer understands that all NXP products may be subject to unidentified or documented vulnerabilities. Customer is responsible for the design and operation of its applications and products throughout their lifecycles to reduce the effect of these vulnerabilities on customer's applications and products. Customer's responsibility also extends to other open and/or proprietary technologies supported by NXP products for use in customer's applications. NXP accepts no liability for any vulnerability. Customer should regularly check security updates from NXP and follow up appropriately. Customer shall select products with security features that best meet rules, regulations, and standards of the intended application and make the ultimate design decisions regarding its products and is solely responsible for compliance with all legal, regulatory, and security related requirements concerning its products, regardless of any information or support that may be provided by NXP. NXP has a Product Security Incident Response Team (PSIRT) (reachable at PSIRT@nxp.com) that manages the investigation, reporting, and solution release to security vulnerabilities of NXP products.

NXP, the NXP logo, NXP SECURE CONNECTIONS FOR A SMARTER WORLD, COOLFLUX, EMBRACE, GREENCHIP, HITAG, ICODE, JCOP, LIFE, VIBES, MIFARE, MIFARE CLASSIC, MIFARE DESFire, MIFARE PLUS, MIFARE FLEX, MANTIS, MIFARE ULTRALIGHT, MIFARE4MOBILE, MIGLO, NTAG, ROADLINK, SMARTLX, SMARTMX, STARPLUG, TOPFET, TRENCHMOS, UCODE, Freescale, the Freescale logo, AltiVec, CodeWarrior, ColdFire, ColdFire+, the Energy Efficient Solutions logo, Kinetis, Layerscape, MagniV, mobileGT, PEG, PowerQUICC, Processor Expert, QorlQ, QorlQ Qonverge, SafeAssure, the SafeAssure logo, StarCore, Symphony, VortiQa, Vybrid, Airfast, BeeKit, BeeStack, CoreNet, Flexis, MXC, Platform in a Package, QUICC Engine, Tower, TurboLink, EdgeScale, EdgeLock, elQ, and Immersive3D are trademarks of NXP B.V. All other product or service names are the property of their respective owners. AMBA, Arm, Arm7, Arm7TDMI, Arm9, Arm11, Artisan, big.LITTLE, Cordio, CoreLink, CoreSight, Cortex, DesignStart, DynamlQ, Jazelle, Keil, Mali, Mbed, Mbed Enabled, NEON, POP, RealView, SecurCore, Socrates, Thumb, TrustZone, ULINK, ULINK2, ULINK-ME, ULINK-PLUS, ULINKpro, µVision, Versatile are trademarks or registered trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. The related technology may be protected by any or all of patents, copyrights, designs and trade secrets. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates. The Power Architecture and Power.org word marks and the Power and Power.org logos and related marks are trademarks and service marks licensed by Power.org.

© NXP B.V. 2021.

All rights reserved.

For more information, please visit: http://www.nxp.com
For sales office addresses, please send an email to: salesaddresses@nxp.com

Date of release: 05 March 2021
Document identifier: IMXRT1160MFUUG

