How to use Hardware-based downgrade protection

Hello.

I am trying to follow Downgrade protection using MCUboot to enable Hardware-based downgrade protection.
However, an error occurred, and the software did not start. It is also from the initial flash, not after the update.

The "sysbuild.conf" is as follows.
It is the minimum configuration according to Exercise 5 – FOTA over Bluetooth Low Energy and Simultaneous updates for both cores of the nRF5340.
Naturally, if the last three lines related to downgrade protection are disabled, the software will start.

Also, a similar issue was reported in another person's ticket.
However, even following the configuration there, the issue did not change.

Thanks for reading.

a.da

  • Hi, 

    I am working on your case and will update it when I collect enough information. 

    Regards,
    Amanda H. 

  • Hi, 

    It should get fixed by this PR: https://github.com/nrfconnect/sdk-nrf/pull/20787

    -Amanda H.

  • Hi Amanda, thanks for your reply.

    Unfortunately, the issue has not changed.
    I have reflected the changes written in the PR into nRF Connect SDK v2.9.0.
    Since overwriting directly with the files attached to the PR results in a Build Error, I only applied the differences.
    Do you know the steps to confirm that the issue has been fixed?

    Also, I have some doubts about the changes.
    It seems that dependencies necessary for enabling MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION have been added.
    Even after reflecting these changes, MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION remained enabled.
    What could be the problem?

    a.da

    Addendum:

    I overlooked this. This PR also needs to be reflected, right?
    I’ll check again.

  • a.da said:
    I overlooked this. This PR also needs to be reflected, right?

    Yes.

    a.da said:
    Also, I have some doubts about the changes.
    It seems that dependencies necessary for enabling MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION have been added.
    Even after reflecting these changes, MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION remained enabled.
    What could be the problem?

    You can check the .config file under build\zephyr for the dependent configs.

  • Hi Amanda,

    By applying the differences in loader.c, the software has started successfully.

    However, there are still some questions.
    When I tried DFU, the Application Core (Image 0) was updated, but the Network Core (Image 1) was not.
    It seems the transfer to the Secondary Slot was successful, but the image was reported as invalid.
    The only change made to the transferred binary file was incrementing the SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE from 1 to 2.

    Is there anything I can do to help resolve this?

    Kind regards,

    a.da
