https://devzone.nordicsemi.com/f/nordic-q-a/77160/dfu-keys-updateHi, I tried to update DFU keys via update on SDK-4.1 and I didin&#39;t to do it. Its possible to change DFU keys via upgrade. I did this process on SDK-2 and there was no validation of dfu key via Bootloader but not in SDK-4. My steps: Prepare keyen-USTelligent Community 13Fri, 09 Jul 2021 05:54:20 GMThttps://devzone.nordicsemi.com/thread/319269?ContentTypeID=1Fri, 09 Jul 2021 05:54:20 GMT137ad170-7792-4731-bb38-c0d22fbe4515:a56bb0f1-981e-4a41-91de-f770debd07b5PBeS<div class="author"> <div class="avatar"><a class="internal-link view-user-profile" href="https://devzone.nordicsemi.com/members/piotr-barcinski"><img alt="PBeS" border="0px" src="https://devzone.nordicsemi.com/cfs-filesystemfile/__key/communityserver-components-imagefileviewer/system-images/anonymous.gif_2D00_44x44x2.png?_=637367229955000086" /></a></div> </div> <div class="content full threaded-reply-content user-defined-markup"> <div class="content"> <p>Hi&nbsp;Terje,</p> <p><span>Little update:</span></p> <p><span>I try to update like this (SDK4):</span></p> <ol> <li>Prepare keys pair 1 (let&#39;s call them pub1 and priv1) and pair 2&nbsp;<span>(pub2 and priv2)</span></li> <li>On SoC: Bootloader 1, Application 1, compiled with public key 1 (pub1), signed with private key 1 (priv1).</li> <li><span>Prepare bootlader dfu package (compiled with pub2, signed with priv1)</span></li> <li><span>DFU is performed</span></li> <li><span>Prepare&nbsp;application dfu package (compiled with pub2, signed with priv1)</span></li> <li><span>DFU is performed</span><span></span> <ol> <li>application is downloaded correctly</li> <li>reboot after DFU</li> <li>bootloader - signature error&nbsp;</li> </ol> </li> </ol> <p><span>In case 9.c I got bootloader error debug:</span></p> <div class="evolution-code-editor theme-clouds"> <div class=" ace_editor ace-clouds"> <div class="ace_scroller"> <div class="ace_content"> <div class="ace_layer ace_text-layer"> <div class="ace_line"></div> </div> <pre class="ui-code" data-mode="text">&lt;error&gt; nrf_dfu_validation: Signature failed (err_code: 0x8542) </pre> <div class="ace_layer ace_cursor-layer ace_hidden-cursors"> <div class="ace_cursor"></div> </div> </div> </div> <div> <div></div> </div> </div> </div> <div class="content-scrollable-wrapper">I know that it&nbsp;<span>should not update bootloader and keys but is there any other way to change the keys via dfu?</span></div> <p></p> <p>Regards&nbsp;</p> <p><span>Piotr</span></p> </div> </div><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/319099?ContentTypeID=1Thu, 08 Jul 2021 09:11:12 GMT137ad170-7792-4731-bb38-c0d22fbe4515:9ad224f4-27c4-49f1-b113-88fa6566d04aPBeS<p>Hi&nbsp;Terje,</p> <p>Thanks for quick reaction.&nbsp;</p> <p>I&#39;m using&nbsp;<span>Thread Secure DFU.&nbsp;You are right, I missed step when I update keys for bootloader (Is not required for SDK2, because there is no signature validation by bootloder).&nbsp;</span></p> <p><span>I try to update like this (SDK4):</span></p> <ol> <li>Prepare keys pair 1 (let&#39;s call them pub1 and priv1) and pair 2&nbsp;<span>(pub2 and priv2)</span></li> <li>On SoC: Bootloader 1, Application 1, compiled with public key 1 (pub1), signed with private key 1 (priv1).</li> <li><span>Prepare bootlader dfu package (compiled with pub2, signed with priv1)</span></li> <li><span>DFU is performed</span></li> <li><span>Prepare&nbsp;application dfu package (compiled with pub2, signed with priv1)</span></li> <li><span>DFU is performed</span></li> <li><span>Now I have bootloader 2 and application 2</span></li> <li><span>Prepare&nbsp;application dfu package (compiled with pub2, signed with priv2)</span></li> <li><span>DFU is performed</span><span></span> <ol> <li>application is downloaded correctly</li> <li>reboot after DFU</li> <li>bootloader - signature error&nbsp;</li> </ol> </li> </ol> <p><span>In case 9.c I got bootloader error debug:</span></p> <p><span><pre class="ui-code" data-mode="text">&lt;error&gt; nrf_dfu_validation: Signature failed (err_code: 0x8542)</pre></span></p> <p><span>Please let me know if my steps are ok.</span></p> <p><span></span></p> <p><span>Regards&nbsp;</span></p> <p><span>Piotr</span></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/318988?ContentTypeID=1Wed, 07 Jul 2021 13:00:24 GMT137ad170-7792-4731-bb38-c0d22fbe4515:71f809c8-f464-4865-94dd-7c60cc1b7be9tesc<p>Hi,</p> <p>Which DFU solution are you using? There is both the standard DFU bootloader solution from nRF5 SDK, and the particular solution for Thread Secure DFU. The latter can only be used for application updates, and so I assume that you are talking about the (serial) DFU bootloader from nRF5 SDK.</p> <p>For the one from nRF5 SDK, the DFU bootloader contains a public key, which is used for checking the signing. It will therefore accept any update signed with the corresponding private key.</p> <p>With key pairs 1 and 2, and bootloaders 1 and 2, the update will go like this:</p> <ol> <li>On SoC: Bootloader 1, compiled with public key 1.</li> <li>Bootloader 2 (compiled with public key 2) is put into an update package signed with private key 1.</li> <li>DFU is performed.</li> <li>Now on SoC: Bootloader 2, compiled with public key 2.</li> <li>New updates can be prepared and signed with private key 2.</li> <li>The SoC, now with bootloader 2, can accept those new updates.</li> </ol> <p>In your case, in 6, the bootloader claims the signing is wrong. This may be either because the old bootloader (with old key) is still on the SoC (i.e. the first update failed), or because there is something wrong with the update.</p> <p>Have you confirmed that the first bootloader update succeeded?<br />Have you confirmed that the upgrade zip packet is working as expected if programming bootloader 2 directly first?</p> <p>Regards,<br />Terje</p><div style="clear:both;"></div>