T113-S3 Secure Boot Guide
Disclaimer
WARNING: Blowing fuses on purpose is a one-time, irreversible operation.
If you burn the wrong key hash or incorrect configuration, your SoC may become permanently unbootable.
Many chips will fall back to FEL mode only before secure boot is enabled.
Once secure boot is active, a bad key = brick.Please test everything carefully before burning fuses on production boards.
Step 1: Generate Keys Using dragonsecboot
Tool Source:
dragonsecboot comes from:
You need the entire openssl/ directory, not just dragonsecboot.
export PATH=$PATH:/path/to/openssl
Generate Key and ROTPK:
Example config (dragon.cfg):
[key_rsa]
key=Trustkey
[toc0]
item=toc0, spl/u-boot-spl.bin, Trustkey
Run:
./dragonsecboot -key dragon.cfg dragon-keys
This generates:
dragon-keys/Trustkey.pem– RSA private keydragon-keys/rotpk.bin– SHA256 of public key (in DER format)
Copy
Trustkey.pemto U-Boot root asroot_key.pem:
cp dragon-keys/Trustkey.pem u-boot/root_key.pem
This enables U-Boot to sign the SPL automatically during build.
Step 2: Build U-Boot (Signed for TOC0)
Enable TOC0 output in U-Boot config:
CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0=y
Build U-Boot:
make CROSS_COMPILE=arm-linux-gnueabihf- -j$(nproc)
This creates:
u-boot-sunxi-with-spl.bin
This is the signed TOC0 image.
Step 3: Flash Image to SD Card
Write TOC0 image to offset 8KB (sector 16) on the SD card:
sudo dd if=u-boot-sunxi-with-spl.bin of=/dev/sdX bs=1k seek=8
sync
SID & RTC Register Map
| Region | Address | Purpose |
|---|---|---|
| SID_BASE | 0x03006000 |
eFuse controller |
| SID_SHADOW | 0x03006200 |
Shadow copy for read-only access |
| RTC_BASE | 0x07090000 |
Base for RTC registers |
| EFUSE_HV_SWITCH | 0x07090204 |
Set to 1 to enable fuse programming |
Key eFuse Byte Addresses (Not Register Offsets!)
| Name | Byte Address | Description |
|---|---|---|
EFUSE_LCJS |
0x48 |
Secure boot enable (bit 11 = enable) |
EFUSE_ROTPK |
0x70 |
Start of 32-byte SHA256 ROTPK hash |
SID_PRCTL Control Format
Bits 0–7 = Operation (0x01 = write, 0x02 = read)
Bits 8–15 = Magic: always 0xAC
Bits 16–23 = Byte offset (eFuse address)
Bits 24–31 = Reserved
Step 4: Enable Secure Boot Bit
Enable high voltage:
mw 0x07090204 0x1
Write secure mode (bit 11) to efuse 0x48:
mw 0x03006050 0x00000800 # bit 11 = 1
mw 0x03006040 0x0048AC01 # write to offset 0x48
Disable HV:
mw 0x07090204 0x0
Step 5: Burn ROTPK from rotpk.bin
Get ROTPK hash:
xxd -i dragon-keys/rotpk.bin
Example:
unsigned char dragon_keys_rotpk_bin[] = {
0x84, 0x1f, 0x36, 0x7e,
0x9d, 0x2e, 0x35, 0x1a,
0xe7, 0xfe, 0xe7, 0xfa,
0xf6, 0x50, 0xeb, 0xf7,
0xf8, 0x04, 0x7e, 0xef,
0x0d, 0xab, 0xe8, 0xe8,
0x0e, 0x2f, 0x21, 0x40,
0xb2, 0xdf, 0xca, 0xa0
};
Converted to little-endian:
0x7e361f84
0x1a352e9d
0xfae7fee7
0xf7eb50f6
0xef7e04f8
0xe8e8ab0d
0x40212f0e
0xa0cadfb2
Burn to ROTPK (Starting at efuse byte 0x70):
mw 0x07090204 0x1 # HV ON
mw 0x03006050 0x7e361f84
mw 0x03006040 0x0070AC01
mw 0x03006050 0x1a352e9d
mw 0x03006040 0x0074AC01
mw 0x03006050 0xfae7fee7
mw 0x03006040 0x0078AC01
mw 0x03006050 0xf7eb50f6
mw 0x03006040 0x007CAC01
mw 0x03006050 0xef7e04f8
mw 0x03006040 0x0080AC01
mw 0x03006050 0xe8e8ab0d
mw 0x03006040 0x0084AC01
mw 0x03006050 0x40212f0e
mw 0x03006040 0x0088AC01
mw 0x03006050 0xa0cadfb2
mw 0x03006040 0x008CAC01
mw 0x07090204 0x0 # HV OFF
Secure Boot Is Now Enabled
- TOC0 boot will only accept SPLs signed by your
Trustkey.pem - Unsigned SPLs will not boot — fallback to FEL is enabled but cannot get into secure mode being very limited
- You can view the SID shadow copy at
0x03006200to confirm fuse data