Release Notes#


Current version introduces breaking changes, which are described in details in migration guide.

2.2.0 (7-June-2024)#

New features

  • blhost:
    • add can interface

  • el2go:
    • support for mwct2x12, mwct2xd2

  • ifr:
    • add option to configure sector 2

  • nxpdebugmbox:
    • add family and revision info into DAC config file

  • nxpdevhsm:
    • commands limited based on specific devices capabilities

    • add fuses script

  • nxpimage:
    • add support for RAW image

    • add re-sign subcommand to ahab

    • support parsing FCB block with swapped bytes

    • support MBI CRC for mwct2x12, mwct2xd2, mc56f818xx, mc56f817xx

    • support BinaryImage in MBI export

    • support i.MX 95 unsigned build image

  • nxpwpc:
    • add correlation-id into REST request

  • drop support for Python 3.8

  • support NHS52Sxx, mcxw71xx

  • support RW61x EL2Go

  • P&E Micro and J-Link as separate plugins

  • all options in sub-commands case-insensitive


  • nxpdebugmbox:
    • fix debug authentication on NHS52Sxx

    • fix generation of DC config file

    • fix dac response length on kw45xx

    • fix timeout

    • fix verify image for i.mx93

    • fix failure in communication with uboot

  • nxpimage:
    • fix signed-msg incorrect signature

    • fix wrong offset in FCB

    • fix xmcd generation

    • fix mbi export

    • fix ahab with invalid SRK

    • fix bootable-image for RW61x

    • fix mbi config for kw45xx

    • fix bootable-image with dynamic offset segments

    • fix inconsistent core ID in parser and export

  • pfr:
    • fix generate-binary argument position

    • fix generating cmpa template for mcxa1xx

    • fix default cmpa page for mcxa1xx

  • shadowregs:
    • fix shadow registers on RW61x

    • fix loadconfig command

2.1.1 (27-March-2024)#

New features


  • dk6prog:
    • fix DK6 operations

  • nxpdevhsm:
    • fix buffer address MC56

    • fix write fuse

  • nxpimage:
    • add advanced params setting to configurations (padding, keys, timestamp, etc.)

    • fix manifest hash digest KW45/K32W1

2.1.0 (2-February-2024)#

New features

  • nxpcrypto:
    • add signing commands (create, verify)

  • nxpdebugmbox:
    • add subcommands for Fault Analysis Mode (export, parse, get-templates)

    • add printing the result of auth command

    • add dedicated plugin system

    • U-BOOT interface

    • add commit command

    • add commands related to release-container

  • nxpimage:
    • enable IEE encryption for RT1180

    • add key exchange signed message

    • add signature provider for RT1xxx

  • support mcxn23x

  • deployment of new database

  • EL2GO mockup for S32K WPC

  • introduce memory configuration tool


    • fix get-trng state command

  • nxpimage:
    • fix cmpa template

    • fix parsing ahab image for i.MX95

    • fix xmcd export command

    • fix certificate block as binary file

    • fix sb21 get-template command

  • nxpmemcfg:
    • fix export command

  • pfr:
    • fix pfr generate command

  • shadowregs:
    • fix default family parameter

2.0.1 (15-December-2023)#


    • remove temporary file

  • nxpdebugmbox:
    • fix test memory AP address

  • nxpimage:
    • fix detection of input file for FCB in bootable image

    • fix IEE encryption for RT1180

    • fix signed MBI for Anguilla Nano

    • fix SB21 export with yaml config

  • shadowregs:
    • fix behavior of the RKTH registers

    • fix invalid names of CRC field in database

  • fix setting a register value as raw value when loading from configuration

2.0.0 (13-October-2023)#


Current version introduces breaking changes, which are described in details in migration guide.

New features

  • blhost:
    • dedicated plugin system

    • check of written data length in USB Interface

  • nxpcrypto:
    • remove dependency on PyCryptodome

    • add rot command for calculating RoT hash

  • nxpimage:
    • distinguish between fw version and image version

    • support YAML configuration for HAB

    • support build RT11xx image with ECC keys

    • support OSCCA

    • support AHAB NAND

    • implement HTTP Proxy Signature Provider

    • signature provider for OSCCA

    • add validation of signature in AHAB

    • support OTFAD for RT1010

    • export HAB from yaml config in bootable image

    • revision of offsets in AHAB container

    • command filter in SB 2.1 based on family

    • refactor memory types for mbi

    • add to AHAB key identifier for encrypted images

  • pfr/ifr:
    • remove devices subcommand

  • sdpshost:
    • connection support for iMX91 and iMX95

  • shadowregs:
    • unify endianness

  • tool for converting JSON configuration into YAML with comments

  • support mcxa1xx

  • unify naming: RKTH/RKHT

  • remove nxpkeygen and nxpcertgen apps, replaced by nxpcrypto

  • remove elftosb app, replaced by nxpcrypto

  • positional arguments replaced by options for all parameters with an exception to blhost, sdphost and dk6prog

  • remove backward compatibility with command get-cfg-template, replaced fully with get-template(s)

  • unify family name within all modules

  • remove lpc55xx from family names


  • blhost:
    • fix error of SPI connection

  • nxpdevhsm:
    • add missing sdio in generate command

    • fix generate-keyblob IEE

    • fix issue with get-info command

  • nxpimage:
    • fix certificate block in AHAB

    • fix signature in AHAB

    • fix some commands for SB21

    • fix non generated keys for AHAB parse

    • fix RAM images for LPC55Sxx

    • fix MBI signed for xip for MCXN9xx

    • fix sb21 export yaml errors

    • fix OTFAD with DUK

    • fix wrong core ID in parse for iMX93

    • fix binary certificate block for MBI

    • fix manifest for mcxn9xx

    • fix bootable image merge

    • fix in MBI configurations

    • fix missing parameters in MBI config in bootable-image parse

    • fix sb21 file generation without SBKEK

    • update list of supported MBI images for mcxn9xx

1.11.0 (7-July-2023)#


Next version of spsdk (2.0) will introduce breaking changes:

  • elftosb will be replaced by nxpimage

  • nxpcertgen and nxpkeygen will be replaced by nxpcrypto

  • select appropriate family will be done using: -f/–family parameter

  • move towards options for all parameters with an exception to BLHost

  • removal of crypto backends

  • extend dedicated spsdk.crypto module - serve as the de-facto backend of SPSDK

  • module level imports via init files

New features

  • nxpimage:
    • enable signature providers for AHAB image and signed messages

    • add support for rt104x in bootable-image

  • tphost/tpconfig:
    • add possibility to check TP_RESPONSE only with NXP_PROD raw binary key

  • add support for mcxn9xx

  • add API for FuseLockedStatus

  • possibility to declare private keys with passphrase in signature provider config

  • add checking of written data length in usb interface

  • add support for dk6 tools


  • nxpimage:

  • nxpimage:
    • fix offset on NAND memory in AHAB image

  • fix plugin error for signature Provider for sb21

1.10.2 (7-July-2023)#

New features

  • tphost/tpconfig:
    • add support for LPC55S3x

  • nxpimage:
    • add possibility to define multiple regions in OTFAD in one data blob

1.10.1 (26-May-2023)#

New features

  • nxpimage:
    • support encrypted image hab

    • support for RT11xx and RT10xx

    • improve OTFAD/IEE names generation

  • add API to retrieve info about fuses


  • nxpimage:
    • fix XMCD load_from_config

    • fix IEE template

  • fix circular dependency in signature provider import

  • fix issue with loading keys as INT

  • not enable logging when spsdk is used as a library

1.10.0 (5-April-2023)#

New features

  • blhost:
    • add new command: ele_message

  • nxpdebugmbox:
    • add command: read UUID from device

    • update PyOCD to latest version to support MCU LINK FW v3, implementing CMSIS-DAP v2.1

  • nxpdevhsm:
    • USER_PCK rename to CUST_MK_SK

  • nxpimage:
    • add subcommand group for generate and parse certificate block

    • replace private key to signature provider in master boot image

    • OTFAD support for RT1170

  • ifr:
    • add commands read/write

  • pfr:
    • add CMPA erase command


  • nxpdebugmbox:
    • fix AP selection issue for PyOCD and PEMICRO

    • fix DAC verification when there is only 1 root key

  • nxpimage:
    • fix MBI issue with HMAC

  • shadowregs:
    • fix endianness for OTP MASTER KEY

  • drop support for Python 3.7

1.9.1 (17-March-2023)#

New features

  • nxpdevhsm:
    • split reset option in nxpdevhsm into two; disable init reset by default


  • nxpdebugmbox:
    • fix Linux error on PyOCD

    • fix PyOCD and PEmicro connection for kw45xx and k32w1xx

  • nxpdevhsm:
    • fix buffer base address for DevHSM operations

  • nxpimage:
    • fix handling exception when the root cert index is wrong

  • tphost/tpconfig:
    • Incorrect output in TP PG command in case of an failure

1.9.0 (30-January-2023)#

New features

  • nxpdebugmbox:
    • add check of root of trust hash in dat authentication

    • enable debug authentication protocol on RT1180

  • nxpdevhsm:
    • reset target before and after DevHSM SB3 file creation

  • nxpimage:
    • XMCD support

    • signed messages support for RT1180

    • add bootable image for RT10xx, RT1180, RT1170, LPC55S3x

    • implement IEE encryption

    • support Memory ID for erase in sb21

    • support Memory ID for enable and load in sb21

    • implement JUMP and JUMP_SP commands in BD file for SB2.1

    • enable encryption in AHAB container

  • tphost/tpconfig:
    • create command for loading ProvFW

    • add command for retrieving TP_RESPONSE without models or smart card

    • smart card reader name hash identification

  • debug authentication improvements

  • unify memory access cross all debuggers

  • replace json file with yml file for TZ

  • support for k32w1xx, kw45xx

  • improve format of debugging logger


  • nxpdebugmbox:
    • remove duplicated option –protocol for gendc command

  • nxpdevhsm:
    • fix skipping commands from config file

  • nxpimage:
    • fix non working 384/521 ECC keys for signature in AHAB container

    • fix CRC mode in external flash for lpc55s3x

    • failure on start due to boot_image hook definition

  • pfr:
    • command line parameter ‘-t’ is duplicated

  • tphost/tpconfig:
    • TPhost load-tpfw requires TP device definition

    • OEM ProvFW boot-check incorrectly fails with non-verbose flavor

Known issues

1.8.0 (21-October-2022)#

New features

  • nxpimage:
    • add support for BEE

    • enable OTFAD on RT1180

  • pfr:
    • move the functionality of pfrc tool into PFR tool

  • tphost/tpconfig:
    • implement USB re-enumeration in TPHost after OEM ProvFW is started

    • create command for checking the Chain of Trust used in TP

    • investigate TP performance loss during device reset after TP is completed

    • add possibility to select TP SmartCard via card reader’s name

  • unify option for getting template across tools

  • add API for parsing XMCD

  • support cryptography >= 37.0.0

  • support bincopy 17.14


  • nxpdevscan:
    • fix hanging up for serial communication

  • tphost/tpconfig:
    • blhost_port should not be mandatory in TP target settings

    • fix disabling timeout in TP is ignored

  • fix documentation regarding SB31 programFuses

1.7.1 (16-September-2022)#

New features

  • nxpimage:
    • add OTFAD support for RT5xx and RT6xx devices

  • pfr:
    • read command allows independent binary and yaml exports

  • shadowregs:
    • new subcommand: fuses-script

  • add OEM cert size check into TPConfig


  • nxpdebugmbox:
    • fix debug authentication for RT595

  • nxpimage:
    • fix sb21 command line argument in documentation

  • fix the use of pyyaml’s load in tests (use safe_load())

1.7.0 (29-July-2022)#

New features

  • nxpimage application as replacement for elftosb

  • nxpcrypto application for generating and verifying keys, certificates, hash digest, converting key’s format

  • trust provisioning applications (tphost and tpconfig)

  • blhost:
    • support LifeCycleUpdate command for RT1180

    • add option to specify peripheral index of SPI/I2C for LIBUSBSIO

    • allow lowercase names in the filter for USB mboot devices

  • nxpdebugmbox:
    • utility to read/write memory using debug probe

  • nxpimage:
    • support of Master Boot Images

    • support AHAB container for RT1180

    • support of Secure Binary 2.1 / 3.1

    • support for TrustZone blocks

    • support for Bootable images for RTxxx devices

    • support for FCB block parsing and exporting for RTxxx and some RTxxxx devices

    • simply binary image support, like create, merge, extract and convert (S19,HEX,ELF and BIN format)

  • pfr:
    • load PFR configuration directly from chip using BLHOST

  • sdphost:
    • support for SET_BAUDRATE command

    • support for iMX93

  • drop support for Python 3.6

  • pypemicro dependency update in order to cover latest bug fixes in this package

  • libusbsio update to version 2.1.11

  • unify debug options within applications

  • add API to compute RKTH

  • support LPC553x in elftosb/nxpimage

  • support dual image boot on RT5xx and RT6xx

  • replace click/sys.exit with raising an SPSDKAppError exception

  • encryption of remapped images


  • blhost:
    • efuse_program_once returns failure message when using ‘lock’ option but still the fuse is burnt

    • fix in re-scanning LIBUSBSIO devices when target MCU is not connected

    • scan_usb() should return nxp devices

    • read memory command doesn’t print read data when mem region is defined

  • elftosb:
    • fix trustzone config template for rt5xx and rt6xx

    • fix MBI_PLainRamRTxxx image

    • fix CRC bootable image on RT685 EVK

    • fix image located in FLASH executed in RAM on RT6xx

    • fix burning fuses in BD file

  • nxpdebugmbox:
    • fix in Jlink debugger probe initialization

    • fix get-crp command

1.6.3 (1-April-2022)#

New features

  • pypemicro dependency update in order to cover latest bug fixes in this package

  • libusbsio update to version 2.1.11


  • fix in rescanning LIBUSBSIO devices when target MCU is not connected

  • efuse_program_once returns failure message when using ‘lock’ option but still the fuse is burnt

  • fix memory leaks in elftosb

1.6.2 (11-March-2022)#

New features

  • bump-up version of bincopy to <17.11

  • add plain load image to build example bootable i.MX-RT image

  • align docs requirements with project dependencies

  • add stability notice to documentation

  • speed-up application’s start due to move of bincopy import

1.6.1 (04-March-2022)#

New features

  • blhost:
    • add parameter –no-verify for efuse-program-once

    • add possibility to select USBSIO bridge device via VID:PID, USB path, serial number

    • lower the timeout during MBoot’s UART Ping command

    • improve type hints for scan_* functions for detecting devices

  • elftosb:
    • dynamically generate config json schema per family

  • nxpdevscan:
    • extend scan with device serial number information

    • list all connected USB or UART or SIO devices

    • update device’s USB path (usb_device_identification)

  • sdphost:
    • improve type hints for scan_* functions for detecting SDP devices

  • reduce number of findings from Pylint

  • update JINJA2 requirement


  • blhost:
    • fix UART open operation for RT1176, RT1050 and LPC55S06 platforms (and probably others)

  • elftosb:
    • fix preset data for lpc55s0x, lpc55s1x

  • SPI communication failure (changed FRAME_START_NOT_READY to 0xFF for SPI)

  • PYI files are not included in the distribution package

1.6.0 (04-February-2022)#

New features

  • blhost:

    • add experimental batch mode into blhost

    • support command get property 30

    • change output display for blhost get-property 8

    • provide the real exit code (status code) from BLHOST application

    • report progress of data transfer operations in blhost

    • performance boost in receive-sb-file

  • elftosb:

    • validation inputs using jsonschemas

    • reorganize and improve elftosb

    • add support for more input file types

    • [RTxxx] HMAC_KEY is now accepted in binary form

  • nxpdebugmbox:

    • move gendc into nxpdebugmbox

  • pfr:

    • unify CMPA/CFPA fields descriptions and bit-field values within XML registers data

    • implement CMPA data generator and parser

  • improve documentation

  • remove dependency on munch and construct modules

  • add support for reserved bitfields in registers

  • support multiple occurrence of certificate attributes for subject/issuer

  • remove backward compatibility mode in Registers

  • reorganize functions from

  • add support for bumpversion


  • blhost:

    • generate-key-blob does not generate blob.bin on RT1176

    • parse_property_tag in blhost_helper converts incorrectly in some cases

    • different return code on Linux/Mac and Windows

    • USBSIO - fixed issue when busy signal on I2C was interpreted as data

  • crypto:

    • DER encoded certificates are loaded as PEM

    • fixed dependency on cryptography’s internal keys

    • moved to fully typed versions of cryptography

  • elftosb:

    • cannot build CRC image into ext flash for lpc55s3x

    • cannot generate signed image with <4 ROT keys

    • fixed some failing cases in regards of TZ

    • [rtxxx] missing plain for load-to-ram image

    • configuration validation failed in some cases

  • nxpdebugmbox:

    • return code is 0 in case of fail

    • nxpdebugmbox fails on Linux

  • nxpdevhsm:

    • generate ends with general error when no container is provided

  • pfr:

    • fix problem in registers class with another size of register than 32 bits

  • pfrc:

    • displays false brick conditions

    • wrong validation of CMPA.CC_SOCU_PIN bits

1.5.0 (07-August-2021)#

New features

  • nxpdevhsm - new application added:

    • The nxpdevhsm is a tool to create initial provisioning SB3 file for LPC55S36 to provision device with SB KEK needed to validate in device all standard SB3 files.

  • LIBUSBSIO integration as a replacement for HID_API module:

    • blhost - extend blhost by LPCUSBSIO interface

  • blhost - following trust-provisioning sub-commands added:

  • elftosb:

    • support for SB 2.1 generation using BD file

    • LPC55S3x - add support for unsigned/plain images

    • SB2.1 - SHA256 digest of all sections included in signed SB2.1 header

    • add supported families listing into elftosb

    • implement chip family option as a click.Choice

    • allow loading certificates for MBI in PEM format

  • nxpcertgen:

    • generate the template for yml configuration file containing the parameters for certificate

    • improve yml template description for nxpcertgen

    • add support for generating certificates in DER format

  • nxpkeygen:

    • moved option -p from general space to gendc subcommand.

    • add new -k keygen subcommand option to specify key type to generate

  • nxpdebugmbox:

    • refactor DebugCredential base class so that it will be possible to pass certificates in yml config file

    • check nxpdebugmbox on LPC55S3x

  • pfr: - update CMPA/CFPA registers XML data for LPC55S3x with CRR update

  • SPSDK Applications:

    • spsdk applications show help message when no parameter on command line provided

    • improved help messages

    • support Ctrl+C in cmd applications

  • replace functional asserts with raising a SPSDK-based exception

  • replace all general exception with SPSDK-based exceptions


  • nxpkeygen - regenerates a key without –force

  • elftosb - unclear error message: No such file or directory: ‘None’

  • pfr: - duplicated error message: The silicon revision is not specified

  • nxpdebugmbox - fix Retry of AP register reads after Chip reset

  • nxpdebugmbox - add timeout to never ending loops in spin_read/write methods in Debug mailbox

  • blhost - flash-erase-region command doesn’t accept the memory_id argument in hex form

  • elftosb - using kdkAccessRigths = 0 in SB31 is throwing an error in KeyDerivator

1.4.0 (25-June-2021)#

New features

  • version flag added for all command-line application

  • support for Python 3.9 added

  • blhost - following sub-commands added:
    • list-memory

    • flash-program-once

    • set-property

    • flash-erase-all-unsecure

    • flash-security-disable

    • flash-read-resource

    • reliable-update

    • fuse-program

    • flash-image

    • program-aeskey

  • blhost - memoryId calmp-down for mapped external memories added

  • elftosb - support for SB 2.1 added

  • elftosb - basic support for BD configuration file added

  • nxpdebugmbox - debug port enabled check added

  • nxpkeygen - new sub-command added to nxpkeygen to create a template for configuration YML file for DC keys

  • nxpkeygen - new sub-command added to create a template for configuration YML file for DC keys

  • pfr: - default JSON config file generation removed, but still accepted as an input. The preferred is the YML configuration format.

  • docs - Read The Docs documentation improvements


  • wrong DCD size by BootImgRT.parse

  • cmdKeyStoreBackupRestore wrong param description

  • blhost - typo in McuBootConnectionError exception

  • blhost - mcuBoot Uart doesn’t close the device after failed ping command

  • blhost - assertion error when connection lost during fuses readout

  • blhost - sub-command flash-read-resource fails when the length is not aligned

  • pfr: - incorrect keys hash computation for LPC55S3x

  • pfr: - wrong LPC55S69 silicon revision

  • pfr: - parse does not show PRINCE IV fields

  • sdphost - running spdhost –help fails

  • shadowregs - bad DEV_TEST_BIT in shadow registers

1.3.1 (29-March-2021)#

  • pfr: - configuration template supports YAML with description, backward compatibility with JSON ensured

  • pfr: - API change: “keys” parameter has been moved from __init__ to export

  • pfr: - sub-commands renamed: * user-config -> get-cfg-template * parse -> parse-binary * generate -> generate-binary

  • blhost - allow key names for key-provisioning commands

  • blhost - support for RT1170, RT1160

  • shadowregs - shadow registers tool is now top-level module

  • blhost - fix baud rate parameter

  • pfr: - fix in data for LPC55S6x, LPC55S1x, LPC55S0x

  • blhost - communication stack breaks down on RT1170 after unsuccessful key-prov enroll command

1.3.0 (5-March-2021)#

  • support creation of SB version 3.1

  • elftosb application based on legacy elf2sb supporting SB 3.1 support

  • nxpdevscan - application for connected USB, UART devices discovery

  • shadowregs - application for shadow registers management using DebugProbe

  • support USB path argument in blhost/sdphost (all supported OS)

  • nxpcertgen CLI application (basicConstrains, self-signed)

  • blhost - commands added:
    • flash-erase-all

    • call

    • load-image

    • execute

    • key-provisioning

    • receive-sb-file

  • blhost - extend commands’ options:
    • configure-memory now allows usage of internal memory

    • extend error code in the output

    • add parameters lock/nolock into efuse-program-once command

    • add key selector option to the generate-key-blob command

    • add nolock/lock selector to efuse-program-once command

    • add hexdata option to the write-memory command

1.2.0 (11-December-2020)#

  • support for LPC55S3x devices

  • extend support for LPC55S1x, LPC55S0x

  • pfrc - console script for searching for brick conditions in pfr settings

  • custom HSM support

  • sdpshost CLI utility using sdpshost communication protocol

  • remote signing for Debug Credential

  • added command read-register into sdphost CLI

  • dynamic plugin support

  • MCU Link Debugger support

  • pfr: - added CMAC-based seal

  • pfr: - load Root of Trust from elf2sb configuration file

1.1.0 (4-September-2020)#

  • support for i.MX RT1170 device

  • support for elliptic-curve cryptography (ECC)

  • support for SDPS protocol

  • included Debug Authentication functionality

  • included support for debuggers

  • nxpkeygen - utility for generating debug credential files and corresponding keys

1.0.0 (4-April-2020)#

  • support for LPC55S69 and LPC55S16 devices

  • support for i.MX RT105x and RT106x devices

  • support for i.MX RT595S and RT685S devices

  • connectivity to the target via UART, USB-HID.

  • support for generating, saving, loading RSA keys with different sizes

  • generation and management of certificate

  • blhost - CLI utility for communication with boot loader on a target

  • sdphost - CLI utility for communication with ROM on a target

  • pfr: - CLI utility for generating and parsing Protected Flash Regions - CMPA and CFPA regions