This Secure Provisioning SDK (spsdk) scripts package is used for KW45 secure boot, including generating keys, programming fuses, signing images, generating sb3 files, debug authentication and advancing the lifecycle.
https://spsdk.readthedocs.io/
python: 3.13.5+
spsdk: 3.0.1
J-Link Commander: 8.50+
KW45B41Z-EVK / Custom board
If a custom board is tested:
J-Link
USB-serial adapter
If you are using the KW45B41Z-EVK, connect the EVK's USB port (J14) to the computer.
Getting Started with the KW45B41Z Evaluation Kit
If you are using your own custom board, connect KW45 UART1 to a USB-UART adapter. Some scripts also need a J-Link.
To enter ISP mode, the KW45's PTA4 pin (BOOT_CONFIG) must be at logic high during reset.
If the KW45B41Z-EVK is used, press button SW4 (PTA4) during reset and the KW45 will enter ISP mode.
Install spsdk (Run as administrator)
python -m pip install --upgrade pip
pip install spsdk==3.0.1
spsdk --version
Enter the directory "script" and double-click the script to run.
check the lifecycle and keys
enter ISP mode
0.read_version_and_lifecycle.cmd
The default lifecycle should be 7 (OEM_Open).
The KW45's fuses on the EVK were programmed during production. Fuses are one-time programmable, so they cannot be programmed again.
KW45 on KW45B41Z-EVK default keys:
KW45 factory default keys:
generate keys and put sb3kdk & RoTKTH into the script "2.program_keys_to_device.cmd"
1.generate_keys.cmd
If the KW45B41Z-EVK is used, this step is not needed. Instead, copy the EVK default keys from ".\how to import keys to SPSDK or SPT\kw45evk_keys" to ".\workspace\keys".
program keys to device
WARNING!!!
The script performs a destructive operation (it programs fuses), so make sure the script is updated with valid data. Note that the fuses are one-time programmable.
2.program_keys_to_device.cmd
advance lifecycle to OEM_Closed
3.advance LC to OEM_Closed.cmd
sign main core image
Copy the image of main core to the root directory, then change inputImageFile in the configuration file.
4.create_signed_app_maincore.cmd
generate sb3 file for maincore and/or NBU
5.create_sb3_app_maincore.cmd
OR generate sb3 file for NBU
OR 5.create_sb3_app_maincore_nbu.cmd
If the NBU is involved, copy the signed image of NBU (*.xip) from "SDK\middleware\wireless\ble_controller\bin" to the root directory.
upload the firmware of maincore and/or NBU to device
6.upload_sb3_to_device_maincore.cmd
OR 6.upload_sb3_to_device_maincore_nbu.cmd
OR 6.upload_sb3_to_device_nbu.cmd
debug authentication
Note: J-Link is needed
7.generate_debug_auth_dc.cmd
8.debug_auth.cmd
If successful, J-Link Commander can be used to debug the KW45.
Note that some IDEs may reset the KW45, which makes it lose its authentication status.
The recommended IDE is Ozone.
advance lifecycle to OEM_Return
Note: debug authentication is needed
9.create_signed_OEM_Return_Bin.cmd
10.advance LC to OEM_Return.cmd
- Failure to read fuse 0x20 is expected because this fuse is unreadable.
- How to use ISK?
- In the OEM_Open and OEM_Return lifecycles, the main core firmware can be written directly to flash, but the NBU firmware can only be uploaded via SB3, in any lifecycle.
- If a wireless example is used, change gEraseNVMLink_d to 0.
rm885660-KW45 Security Reference Manual(6.0).pdf
AN13838 Secure Boot for KW45 and K32W
AN13883 Updating KW45 Radio Firmware via ISP using SPSDK
AN13931 Managing Lifecycles on KW45 and K32W148
AN14109 KW45 and K32W148 Secure Boot Using the SEC Tool
AN14158 Debug Authentication on KW45/K32W148
AN14003 Programming the KW45 flash for Application and Radio firmware via Serial Wire Debug during mass production
AN13859 KW45B41Z and K32W148 In-System Programming Utility
Questions regarding the content/correctness of this example can be entered as Issues within this GitHub repository.
Warning: For more general technical questions regarding NXP Microcontrollers and the difference in expected functionality, enter your questions on the NXP Community Forum
Version | Description / Update | Date |
---|---|---|
1.0 | Initial release on Application Code Hub | February 19th 2025 |