Zaher
Senior II
November 23, 2024
Question

SBSFU - Changing the default AES_CBC and ECDSA keys always fails...STM32F407

Hello everyone,

I've spent a considerable amount of time trying to change the default AES and ECDSA (ECCKEY1) keys, but I can't figure out why it always results in a 'Fw header authentication error' during the firmware image update process.

The project is built with STM32CubeIDE under Windows. All paths and necessary modifications needed for the scripts to work from the new project location (prebuild, postbuild, and the encryption scripts) are done, and I can confirm 'se_key.s' is updated with the same data as in 'OEM_KEY_COMPANY1'. SeCoreBin compiles without any issues; the same also applies to SBSFU and the UserApp project.

I followed the instructions found here:
\Middlewares\ST\STM32_Secure_Engine\Utilities\KeysAndImages\readme
and it looks like prepareimage.exe works and generates the 'ECCKEY1', which, when used instead of the one that comes delivered with the package, also causes the firmware to be rejected immediately.

Changing the AES key either manually using a hex editor or by using 'prepareimage.exe keygen -k OEM_KEY_COMPANY1_key_AES_CBC.bin -t aes-cbc' didn't work either. It is as if the AES and ECCKEY values are already hard-coded somehow into the binary, so any change to any of these keys would result in the failure to authenticate the firmware. And by the way, what is the purpose of the 'iv.bin' file, and is there any connection between this file and a new value in 'OEM_KEY_COMPANY1_key_AES_CBC.bin' or 'ECCKEY1'?

The cryptographic scheme used is: 'SECBOOT_ECCDSA_WITH_AES128_CBC_SHA256'
SBSFU version: 2.6.2

Thanks

Zaher (Author)
Senior II
November 24, 2024

*** UPDATE ***
I believe I have found a solution, or more likely a workaround, for this. I will try to share details later in case someone is facing the same issue in firmware authentication after changing the default keys. It all had to do with the script/s.

Bubbles
ST Employee
December 18, 2024

Hello @Zaher,

Please share your workaround. There are other community members porting SBSFU to the STM32F4.

BR,

J

Associate II
January 23, 2025

I have started working on SBSFU and came across this post.

What I found out is that you must CLEAN and build all 3 projects after you make any major changes like changing the keys. Hope that will help others that come up against the same issue.

Clark Sann
Associate III
March 5, 2025

Do you have anything to share regarding the migration to Linux? Several years ago I modified the scripts for macOS… it was quite a project.

Zaher (Author)
Senior II
April 16, 2025

@Clark Sann Yes, I would love to share that once I have a working and stable set of projects (SeCoreBin, SBSFU, and UserApp) under Linux. I will try to share a working project template here once I'm done with it, but it could take some time as I'm extremely busy with other projects. By the way, I presume the target is still F4?

Zaher (Author)
Senior II
April 16, 2025

@Clark Sann Ah, by the way, your macOS scripts should work with minimal or no modification under Linux, given you provided the same paths.