Release Notes#
3.10.0#
New Product Introduction or Updates
add mcxn246t, mcxn247t, mcxn527t, mcxn536t, mcxn537t, mcxn546t, mcxn547t, mcxn556t, mcxn557t, mcxn946t, and mcxn947t
add i.mx93 and i.mx95 part numbers
New features
- nxpimage:
add LZMA compression support to SB3.1 CmdLoad commands
add AHAB SRKH fuse generation for supported devices
add signed template generation to
bootable-image get-templateswith--signand-sadd xSPI NAND support in memcfg
change the default bootable image output filename to
flash.bin
- nxpdebugmbox:
add Jupyter notebook examples for debug authentication, including password-based authentication for mcxc151, mcxc161, and mcxc162
- nxpdevhsm:
add
writeIFRprovisioning step support
- nxpele:
add address-based
authKeyHandlesupport forHSE_KEY_TYPE_*_PUB_EXTkeys in SMR configuration
- nxpdevscan:
add
--baudratesupport for UART scans
Bugfixes
- blhost:
treat
ROMLDR_PENDING_JUMP_COMMANDandROMLDR_PENDING_RESET_COMMANDas successfulreceive-sb-filecompletion
- el2go-host:
fix default UUU wait timeout for
UBOOT_FASTBOOTprovisioningseparate
oem_provisioning_confighost path from uploaded device filename
- nxpcrypto:
fix SM2 support
remove unsupported
nonehash choice from the CLI
- nxpdebugmbox:
accept zero value in debug credential UUID
- nxpimage:
keep existing AHAB container flags when signing bootable images for MPUs
fix AHAB verification for images with multiple data encryption keys
fix key exchange salt and user-provided info handling in signed messages
fix HAB encryption to reuse an existing random key
prevent eMMC bootable image corruption when
init_offsetchangesvalidate family and revision consistency between bootable-image and AHAB sub-configs
require
image_pathin whole-AHAB image configurationsvalidate
wrappingKeyIdin SB3.1CmdLoadKeyBlobconfigurations
- pfr:
correct mcxc151 CPU identifier in CMPA configuration files
group mcxc151 128-bit password fields as one configuration item
- nxpdevhsm:
log the loadKeyBlob position warning only once per image generation
- nxpele:
accept
port,baudratesyntax for U-Boot serial connectionsprevent unsupported
DH_PAIRkey type selection in HSE key info configuration
- nxpdevscan:
prevent one failing UART port from aborting the whole scan
improve UART ping failure hints and narrow-terminal output
- nxpuuu:
make the run command and scripts interruptible with Ctrl-C
fix missing
Logger.tracehandling in the UUU runner
improve libusbsio scan diagnostics and UART ping error reporting
3.9.0 (20-May-2026)#
New Product Introduction
add support for MCXC151, MCXC161, and MCXC162 microcontroller families
update support for MCXL255, MCXL254, and MCXL253 device families
New features
- crypto:
add clear notification when Post-Quantum Cryptography (PQC) support is not available
add mapping for Elliptic Curve to Secure Memory Region (SMR) ECC-CURVE-ID attribute for improved key validation
add Hardware Security Module (HSM) signature provider example for i.MX RT10xx HAB-based devices
- nxpdebugmbox:
add challenge-response debug authentication support for MCXE31B, MCXC315, MCXE316, and MCXE317 devices
add password-based debug authentication support for MCXE31B, MCXC315, MCXE316, and MCXE317 devices
add ISP mode requirement warning for MCXA55x debug authentication to prevent configuration errors
add debug access protection configuration and debug authentication support for MCXE31B, MCXC315, MCXE316, and MCXE317 devices
- nxpdevhsm:
add devhsm function support for MCXL255, MCXL254, and MCXL253 devices
add warning for MCXA55x devices when loadKeyBlob is not at end of configuration to prevent key slot conflicts
- nxpele:
add devhsm function support for MCXL255, MCXL254, and MCXL253 devices
- nxpfuses:
unify shadowregs and fuses under same base class to eliminate code duplication and improve maintainability
- nxpimage:
implement SBc v2 support for MCXL255, MCXL254, and MCXL253 devices
- AHAB container enhancements:
add support for i.MX943 AHAB debug authentication with IEE region clearing capability
add support for i.MX952 unsigned AHAB container building for multiple boot memories (eMMC, SD card, Serial Downloader)
add AES_CCM DEK blob support in AHAB containers
- Boot image support:
add FlexSPI NOR flash boot image support for MCXA55x device
add support for i.MX952 imx-bootloader integration
add support for MCXC151, MCXC161, and MCXC162 device families with Plain, CRC, and MISR boot image types
add secure installer (SI) support for MCXL255, MCXL254, and MCXL253 devices with P-256 secure boot and OEM provisioning firmware
- pfr:
- Documentation improvements:
update documentation to recommend pfr tool for writing PFR regions instead of write-memory command for better reliability
- Device support for MCXC151, MCXC161, and MCXC162:
add support for these device families including CMPA configuration areas (CMPA_CFG, CMPA_BOOT, CMPA_KEY_STORE)
add support for MISR image format generation with IMG_MISR_SEED configuration
- Enhanced signing and security:
add support for MCXA55x signed boot with ECC and ECC+MLDSA signing for FlexSPI NOR boot
Enhance WriteIfr command with monotonic counter field interpretation (0xFFFFFFFF for keep same, 0xFFFFFFFE for auto-increment)
fix RW61x boot failure when using LOCK_CFG with shadow registers
add dynamic Universal Update Utility (UUU) rules generation from device database with helper subcommand for improved device detection
fix pip path traversal security vulnerability
Bugfixes
- blhost:
improve error code descriptions for RT5xx flash-erase-all operations on eMMC to provide clearer feedback
- nxpimage:
- i.MX95 specific fixes:
fix bootable-image verify tool to properly detect signature issues in OEM container headers
fix fast boot image padding to ensure proper 128-byte alignment for i.MX95 B0 silicon
- Security and validation improvements:
add support for multiple data encryption keys in AHAB verify command for enhanced security validation
add data decryption support for bootable image verification
- General bug fixes:
fix RT700 load-to-ram image recognition in bootable image verification
fix binary-image convert command to preserve original memory addresses
improve error message clarity for user-facing operations
fix MCXA55 SB4 file validation to allow keyblob placement before PFR write command
add format definition for data property in writeIFR command schema
add support for MP (Miyaguchi-Preneel) hash algorithm in SMR-entry or remove from template options
- nxpuuu:
fix PowerShell display issues when running list-devices command
fix progress bar to properly update during operations
fix stdout environment variable handling to prevent synchronous abort after cancelling fastboot mode
fix broken link to Linux user guide in documentation
3.8.0 (27-March-2026)#
Backwards incompatible
Certificate block module has been refactored - cert_block.py split into individual files per certification block type to maintain clear code organization
New features
- nxpcrypto:
add PQC (Post-Quantum Cryptography) support in pki-tree ahab command for i.MX95/i.MX943 hybrid keys
- nxpdebugmbox:
add warning that there is an exception and DAT must be performed in ISP mode
- nxpele:
make U-Boot prompt configurable instead of hardcoded value
- nxpfuses:
add bitfields display to rich print output for improved fuse register visualization
- nxpimage:
add SPI support for RT118x device family
add MBI verifier functionality for Master Boot Image validation
adopt flexible format support for AHAB containers
restore QB data availability for i.MX95 device
fix signed message flag handling for i.MX95 B0 HSM keystore reprovisioning
resolve ML-DSA PQC signing issues for i.MX95 platform
add signature provider support for MCXN55xS
create jupyter notebook documentation for Secure Memory Region feature on MCX E31
unify indentation of data files across SPSDK for consistency
notify user when PQC support is not available
Bugfixes
- blhost:
fix CAN interface operation with rx/tx arbitration IDs specified
- el2go-host:
fix provision_device_command() missing uboot_prompt parameter
- nxpele:
clarify HSE secure lifecycle transition requirements and error handling
- nxpfuses:
i.MX95 fix reading single fuses for grouped fuses like SRKH
i.MX95 resolve read failures on i.MX95 B0 silicon and synchronize with CRR data
i.MX95 fix nxpfuses failures when reading all fuses
fix fuse address display showing incorrect 0x0 value when using –rich parameter
- nxpimage:
i.MX95 correct keystore reprovisioning flag in signed message for HSM
i.MX95 add support for OTFAD scramble mode on i.MX95 B0 silicon
i.MX95/i.MX943 update AHAB metadata for System Manager core mapping
fix bootable image HAB parse method to properly store parsed files
improve error reporting when segment parsing fails in bimg
fix AHAB flexSPI NOR image signing issues
correct A35 core count for i.MX8ULP in database
fix AHAB export failures with OEI extra sections on i.MX95
- nxpuuu:
fix synchronous abort handler after cancelling uboot fastboot mode
- pfr:
fix cert block parsing error for lpc55s36 family support
validate embedded YAML config definitions in main configuration files
correct documentation error for signed u-boot replacement sequence
remove appended hash from signed FA messages for OEM-Return transitions
3.7.1 (20-March-2026)#
New Product Introduction or Updates
add support for MCXE31x device family
add support for MCXA577/567/566/557/556/537/536/457/456 devices
New features
- nxpimage:
add SPI support for RT118x
add support with AHAB QB data for i.MX95
- pfr:
update PFR implementation for mw30/mcxa55 devices
improve mcxa55 CFPA/CMPA grouping
improve error messages for incorrect YAML indentation in configuration files
- nxpele:
add support for MCXE31 device family with Core Reset Entry Install command
implement key import functionality for MCXE31 with hardware testing and fixes
add automatic authentication tag calculation for Secure Memory Regions (SMR) on MCX E31
add HSE_SRV_ID_ACTIVATE_PASSIVE_BLOCK service for MCXE31 passive block activation
Bugfixes
- nxpimage:
rename image version to firmware version for plain and CRC images on PQC devices
- pfr:
mcxa55: fix ROTKH first 4 bytes inversion in CMPA
mcxa55: replace mcxa455 with mcxa457 device support and correct memory map configuration
mcxa55: fix reading of additional CMPA data with update_cfpa_cmpa command
mcxa55: fix verifier issue for debug authentication with hybrid keys (ECC384 + MLDSA87)
3.7.0 (30-January-2026)#
New Product Introduction or Updates
MCXE31
MCXN556S
i.MX952
i.MX95
New features
- Highlights:
SPARSE file format support added
Added support for the imx-bootloader, which simplifies bootloader creation compared to generic templates. When generating templates for a bootable image using the nxpimage bootable-image get-templates command, comprehensive templates are created, including SPL and U-Boot configurations. All required files can be copied directly to the inputs directory without modifying configuration files. Currently, i.MX95 and i.MX93 flash_all imx bootloaders are supported.
- nxpimage:
implement SBc v2 support for MCXL20 new product introduction
add support for RSA and ECC P-521 keys in TLV blob functionality
implement SPARSE format support
enable hash algorithm specification in nxpcrypto rot calculate-hash command
move output and output-format options from command line to config in bootable image
implement update-keyblob command with SPARSE support
add missing memory type option for booting from eMMC boot0/1 partitions
update MPU bootable-image with optional boot media input and workspace creation
- blhost:
add SPARSE format support
- nxpele:
add MCX E31 set attribute command support for new product introduction
implement secure memory region (SMR) based secure boot for MCX E31 device
support multiple MU channels in HSE commands for MCX E31
add optional parameter to get info command for retrieving specific attributes
create jupyter notebook describing basic secure boot feature
Bugfixes
- nxpimage:
fix trust zone template that was bricking MCXN556S devices
resolve signed image boot failure due to incorrect firmware version check on MCXN556S
fix authenticated image boot failure for MCXE3x devices
correct CSF/IMG certificate issuer from CA to SRK for pki-tree command
- nxpwpc:
fix malformed signature in WPC CSR preventing verification by systems like EL2GO
- nxpele:
fix SRKH fuse BCF generation issue for i.MX952 device support
resolve image order issue for SDP/Flash hash/eMMC fastboot on i.MX952
fix export NXP production key failure for i.MX95 device support
resolve i.MX95 B0 boot image parsing with SignatureBlockV2 version compatibility
fix HSE firmware update exit code handling when update fails
3.6.0 (19-December-2025)#
New features
- el2go-host:
enable product based provisioning over fastboot
enable EL2GO support for mcxn556s device
add unclaim skip interactive mode option
sync error codes between SPSDK and TP FW
- nxpimage:
implement Key Import feature for MCX E31
add NBU signing support for KW47
add support for reserved bitfields access information in database JSON files
enable support for all available USB devices in Serial Downloader mode
drop support for Python 3.9
Bugfixes
- nxpimage:
fix SB4.0 parsing support in AHAB
- el2go-host:
fix product based flow for MPUs
Fix spsdk utils clear-cache command when cache is broken
3.5.0 28-November-2025#
New features
- el2go-host:
enhance SecureObject and TLVElement string representations and size handling
- nxpcrypto:
add RoT binary parsing functionality with public key extraction
- nxpimage:
add image descriptor flag support to AHAB Image Array Entry
add support for configuration strings in SB3.1 and SB4.0 PCK validation
add case-insensitive config key matching for registers and bitfields
support i.MX95294
Bugfixes
- el2go-host:
add PROV_ID element tag to secure objects
fix i.MX93 El2go provisioning batch mode issue with more robust handling of loading bootloaders with temporary timeouts
disable cleanup method on mcxn236
- nxpdice:
add support for truncated RKTH length validation in DICE target
- nxpdevhsm:
explicitly enable execute command for RT700
- nxpimage:
fix multiple warnings for update in AHAB container
fix image size should not be aligned in AHAB with reworked offsets handling
make update-keyblob work with different ahab container types
fix the last ahab image size is aligned to 8 bytes but the image itself NOT
fix handling YAML boolean auto-conversion for plainInput field in SB31/SB4
correct RADIO_IP enum name to RADIO_LP in firmware version check command for SB31
reduce the minimum alignment requirement for AHAB binary images when using serial downloader target memory from 512 bytes to 4 bytes
improve HSE IVT address handling with optional fields
- nxpuuu:
fix -d flag timeout
add printout of the error message string and change the computation of click progress bar
3.4.0 (24-October-2025)#
New features
- blhost:
add property warnings system for device-specific safety alerts
- nxpimage:
add HSE lifecycle configuration support to MBI for mcx-e31b device family
Bugfixes
- el2go-host:
fix u-boot support for product flow
- blhost:
add fuse-program-voltage property to blhost overrides
- nxpimage:
add selecting AHAB images to be updated in multiple ahab image binaries
- pfr:
fix data for mcxn556s
fix revisions for kw47xx and kw32w1
3.3.0 (26-September-2025)#
New features
- el2go-host:
extend error codes for EL2GO product-based provisioning
- nxpdebugmbox:
add validation in DAT authentication of SRKH for MCU PQC
unify get-template output messages
- nxpele:
secure enclave key provision support
- nxpimage:
implement iae templates for kernel image and dtb
reorganize AHAB image types and add V2X support for i.MX8 devices
add default instance value to FlexSPI RAM XMCD configurations
- nxpshe:
add verify_only flag support and enable additional user keys
add shell autocompletion setup command for SPSDK tools
Bugfixes
3.2.0 (29-August-2025)#
Rapid blhost
Introducing RAPID BLHOST - a high-performance version of our blhost application written in Rust for significantly faster startup times and improved overall performance compared to the Python-based implementation. Available on GitHub, Crates, and PyPI.
New features
- nxpimage:
implement MBI PQC
support configurable hash algorithms in ahab certificate
add SHAKE hash algorithms to SPSDK and AHAB container
- el2go-host:
add API/command to get stats of db file with product-based secure objects
add prepare-device command to prod command group
- nxpdevhsm:
add new format for sbfile for mcxa family devices with secure installer/extended bootloader
support mcxe24
support mcxn556s
add S19 to binary converter
update CLI apps to display subgroups as trees
update way how SVN’s are handled in the template for DICE
Bugfixes
- el2go-host:
fix parameter “–secure-objects-file” for prod prepare-device
fix get-next-so fails with static-only database
- nxpdevhsm:
fix final reset jump out of ISP for mcxa series
fix invalid OEM ENC MASTER SHARE size for mcxn556s
- nxpimage:
fix container offset in verbose is incorrect
fix SB31 export issue with plain encryption key
fix AHAB certificate confusing comments in DAT template
- pfr:
fix pfr for mcxa, mcxal series
3.1.0 (11-July-2025)#
New features
- el2go-host:
implement product based provisioning for RW61x
improved exit code handling on error
- nxpdebugmbox:
add –help parameter description for ispmode command
add -d flag to nxpuuu write
- nxpimage:
support for BCA and FCF configuration for MCX devices
support for DAT protocol 3.0
support for verifying MLDSA signature from DICE Hybrid CSR
support for verifying PRK & PUK from DICE Alias keys
support for i.MX943
add offline HSM signature provider as a plugin
fix offline signature provider script errors
implement SB3.1 data compression
add DICE CSR verifier
add support for DAT on MX943/MX95 B0
add support for hybrid PQC keys in PQC plugin
add support for MLDSA variant
Bugfixes
- el2go-host:
fix exit code on error
fix YAML configuration loading
- nxpdebugmbox:
fix debug mailbox protocol handling
fix UUID truncation in DAR message header
- nxpfuses:
fix progress bar ending prematurely
- nxpimage:
fix invalid length in AHAB verify
fix unclear error messages during export
fix container verification for ATF/U-Boot image
fix typo in MBI config template
fix XMCD data for mimxrt798s
- nxpmemcfg:
fix wrong dictionary access
fix parsing of MLDSA private keys
3.0.1 (27-June-2025)#
Bugfixes
- nxpcrypto:
improve serial number validation in certificate generation
- nxpimage:
fix AHAB container header info display
fix MBI parameter for mcxa series
add input data size validation for HAB segments
add hardware key mixin to NHS52S04 MBI types
add load address mixin to every MBI type
improve CA Flag description in AHAB schemas
fix AHAB update keyblob
add new Fast Boot flags to AHABContainerV2
- nxpmemcfg:
add missing memory types (MicronOPI_SDR, AdestoOPI_SDR)
update default BOOT_FLAGS value in MC56F81x68 BCA configuration
validate and clean up the contents of SPSDK data files
3.0.0 (16-May-2025)#
ANNOUNCEMENT
Current version introduces breaking changes, which are described in details in migration guide.
New features
- el2go-host:
check UUID fuse index
- nxpcrypto:
allow adding image key into existing PKI tree
remove nxpcertgen application (all functionality is now available in nxpcrypto application)
consolidate options
-k/--private-keyand-sp/--signature-providerreplace with option-s/--signer
- nxpdebugmbox:
move commands to separated groups with clearer organization
move parameter –family from the root command to individual command groups
derive test address from the family parameter
- nxpdevhsm:
require oemRandomShare when oemEncMasterShare is defined
add new format for sbfile for mcxa family devices with secure installer/extended bootloader
- nxpimage:
generate fuse script when merging signed image
add unicode characters for better BinaryImage visualization
remove the deprecated ‘image_type’ key in ahab configuration and replace by ‘target_memory’
remove input_binary and base_address parameters from bee
rename merge commands in bootable-image and binary-image to export
remove ‘mainCertChainId’ key in cert-block configuration by ‘mainRootCertId’
replace hab export /parse commands with unified configuration approach
implement SB3.1 data compression
add parser of SB3.1
consolidate all keys for data of SB3.1 load command into one
simplify load command configuration
simplify input data values
- pfr:
remove option –show-calc from parse/read commands
remove option –calc-inverse from generate binary command
rename generate-binary command to export
rename parse-binary command to parse
require ‘family’ in BD file for SB2.1 and optionally ‘revision’ in the ‘options’ block
remove family option from main top command to individual subcommands
remove ‘–plugin’ as optional parameter
rename merge commands to export
improve displaying of –help
all applications that support the
--configoption now also support the-oc/--override-configoption
Bugfixes
- blhost:
fix receive-sb-file command failures with usb
- el2go-host:
fix family parameter issue
- nxpdebugmbox:
fix famode-image get-templates command
resolve debug authentication issues
fix general error handling
- nxpdevhsm:
fix config file issues
- nxpele:
fix get-info error
- nxpfuses:
fix get-config errors
- nxpimage:
fix HAB and BIMG issues
fix ahab export assertion error
fix RT118x build IEE image failure
fix parsing of imx943 bootable image
fix issues with receiving sb31
fix conversion binary from S19
fix parsing of FCB for RT7xx
remove unnecessary enableTrustZone parameter in MBI config files
fix overlapping detection and adjust-offsets functionality in binary-image merge
- nxpmemcfg:
fix deprecation warning
- nxpwpc:
fix missing family parameter for service parameters
fix api key existence
- shadowregs:
fix general error
fix invalid -oc option behavior
3.0.0 - future release#
Backwards incompatible
BD file support for HAB will be dropped. Only the yaml configuration files will be supported. The conversion from BD file to yaml will be available
The obscure way of determination of private key file path from certificate in HAB path will be dropped. The public key will need to be specified explicitly
The family will be mandatory for most tools in SPSDK
The family option will be moved in most tools to sub-commands
Complete redesign handling of configuration files through all SPSDK
All backward compatibility code will be removed (deprecated commands and configurations)
The definition of signing local key and signature provider definition in configuration will be implemented into one configuration record
All data in database will be unified under one style (utility/registers.py)
The configuration option on CLI will be extended by new -oc/–override-config to override any configuration in CLI
SmartCard Trust Provisioning has been discontinued. Associated applications (tphost, tpconfig) will be removed.
2.6.0 (7-February-2025)#
New features
- el2go-host:
support iMX8ULP
add possibility to save OEM app config
- lpcprog:
support set CRP in lpcprog
add optional parameter to repeat the command several times if fails
- nxpimage:
support BCA and FCF configuration for mcxc family devices
support mcxw23x
support i.MX943
implement Key Import signed message
add support for RSA in DAT on RT118x
Bugfixes
- el2go-host:
fix loading item yaml configuration
- nxpimage:
fix XMCD data for mimxrt798s
fix invalid scramble mechanism in OTFAD
- nxpmemcfg:
fix wrong dict access
2.5.0 (20-December-2024)#
New features
- nxpdevscan:
add timeout option
- el2go-host:
enablement on i.MX 93
support i.MX RT735S and i.MX RT758S
support i.MX RT1043 and i.MX RT1046
support mcxa13x variants
support Python 3.13
drop pyocd requirement and replace by spsdk-mcu-link and spsdk-pyocd
support kw47xx and mcxw72x devices
add loading of OTPS-encoded public keys
add nxpfuses tool for handling operations with fuses
Bugfixes
- nxpimage:
fix encryption in OTFAD
fix bootable image creation with just one bootable image
- nxpdevscan:
fix filtering the correct serial port devices on macOS
Known issues
- nxpdebugmbox:
interface mcu-link is not working on Ubuntu 24.04
2.4.0 (15-November-2024)#
New features
- el2go-host:
implement parallel download of Secure Objects using database
speed up repeated calls to EL2GO server
allow to specify scope of Secure Objects to download
- nxpdebugmbox:
support halt, resume commands
AHB access test address remove as an option and move into database
support for block memory transfer over debug probes
- nxpmemcfg:
add support for RT700
Bugfixes
- el2go-host:
fix memory buffer used for data exchange for KW45
- nxpimage:
allow to parse AHAB image with empty image hash for rt118x
2.3.0 (11-October-2024)#
ANNOUNCEMENT
Current version introduces breaking changes, which are described in details in migration guide.
New features
- blhost:
support nIRQ pin feature
- el2go-host:
unify subcommands for RW61x
add get-otp-binary command
add UUID harvesting
add default handler to unknown errors while assigning device to a group
add checker for max amount of Secure Objects and their size
add Remote Database for Secure Objects for Azurewave
add close_device to blhost; display response of RW TPFW responses
implement database storage for UUIDs harvesting
erase CMPA in EdgeLock2GO indirect flow
- lpcprog:
add programmer for LPC8xx parts
- nxpcrypto:
add subcommand for creating PKI tree
- nxpdebugmbox:
support for MX95 revision A0/A1/B0 (PQC support)
- nxpdevhsm:
add execute command for mcxn9xx
allow SB files without loading the wrapped CUST_MK_SK
implement oem duk certificate provisioning
- nxpdice:
add nxpdice application
- nxpele:
support nxpele over fastboot
- nxpimage:
support AHAB version 2
add verificator to bootable image
support linux image in bootable image
add ahab sign command for signing existing AHAB images
- nxpmemcfg:
add blhost-script option for exporting configuration for secure address
- nxpuuu:
new tool based on the UUU (Universal Update Utility), add capability to deploy images to i.MX MPU targets
- nxpwpc:
add special handler when pre-CSR are are empty
support MCXC series (blhost)
support RT7xx
support MCXN23x, MCXN9xx, KW45xx EL2Go
support MCXW71 and its variants
Bugfixes
- el2go-host:
fix general error when database has no blob
fix revision in configuration
- nxpdebugmbox:
fix get-crp command for mcxa series
fix template for famode-image
fix dat for RT1180
fix template for RT1180
- nxpele:
fix get-info details
- nxpimage:
fix flag in AHAB
fix plain MBI for NHS52sxx
fix trustzone for NHS52Sxx
remove header form XMCD segment
- pfr:
fix erase-cmpa for mcxa series
- shadowregs:
fix fuses-script
fix loading shadow registers on RW61x
2.2.1 (26-July-2024)#
Bugfixes
2.2.0 (7-June-2024)#
ANNOUNCEMENT
Current version introduces breaking changes, which are described in details in migration guide.
New features
- blhost:
add can interface
- el2go-host:
support for mwct2x12, mwct2xd2
- ifr:
add option to configure sector 2
- nxpdebugmbox:
add family and revision info into DAC config file
- nxpdevhsm:
commands limited based on specific devices capabilities
- nxpele:
add fuses script
- nxpimage:
add support for RAW image
add re-sign subcommand to ahab
support parsing FCB block with swapped bytes
support MBI CRC for mwct2x12, mwct2xd2, mc56f818xx, mc56f817xx
support BinaryImage in MBI export
support i.MX 95 unsigned build image
- nxpwpc:
add correlation-id into REST request
drop support for Python 3.8
support NHS52Sxx, mcxw71xx
support RW61x EL2Go
P&E Micro and J-Link as separate plugins
all options in sub-commands case-insensitive
Bugfixes
- nxpdebugmbox:
fix debug authentication on NHS52Sxx
fix generation of DC config file
fix dac response length on kw45xx
- nxpele:
fix timeout
fix verify image for i.mx93
fix failure in communication with uboot
- nxpimage:
fix signed-msg incorrect signature
fix wrong offset in FCB
fix xmcd generation
fix mbi export
fix ahab with invalid SRK
fix bootable-image for RW61x
fix mbi config for kw45xx
fix bootable-image with dynamic offset segments
fix inconsistent core ID in parser and export
- pfr:
fix generate-binary argument position
fix generating cmpa template for mcxa1xx
fix default cmpa page for mcxa1xx
- shadowregs:
fix shadow registers on RW61x
fix loadconfig command
2.1.1 (27-March-2024)#
New features
Bugfixes
2.1.0 (2-February-2024)#
New features
- nxpcrypto:
add signing commands (create, verify)
- nxpdebugmbox:
add subcommands for Fault Analysis Mode (export, parse, get-templates)
add printing the result of auth command
add dedicated plugin system
- nxpele:
U-BOOT interface
add commit command
add commands related to release-container
- nxpimage:
enable IEE encryption for RT1180
add key exchange signed message
add signature provider for RT1xxx
support mcxn23x
deployment of new database
EL2GO mockup for S32K WPC
introduce memory configuration tool
Bugfixes
2.0.1 (15-December-2023)#
Bugfixes
- nxpele:
remove temporary file
- nxpdebugmbox:
fix test memory AP address
- nxpimage:
fix detection of input file for FCB in bootable image
fix IEE encryption for RT1180
fix signed MBI for Anguilla Nano
fix SB21 export with yaml config
- shadowregs:
fix behavior of the RKTH registers
fix invalid names of CRC field in database
fix setting a register value as raw value when loading from configuration
2.0.0 (13-October-2023)#
ANNOUNCEMENT
Current version introduces breaking changes, which are described in details in migration guide.
New features
- blhost:
dedicated plugin system
check of written data length in USB Interface
- nxpcrypto:
remove dependency on PyCryptodome
add rot command for calculating RoT hash
- nxpimage:
distinguish between fw version and image version
support YAML configuration for HAB
support build RT11xx image with ECC keys
support OSCCA
support AHAB NAND
implement HTTP Proxy Signature Provider
signature provider for OSCCA
add validation of signature in AHAB
support OTFAD for RT1010
export HAB from yaml config in bootable image
revision of offsets in AHAB container
command filter in SB 2.1 based on family
refactor memory types for mbi
add to AHAB key identifier for encrypted images
- sdpshost:
connection support for iMX91 and iMX95
- shadowregs:
unify endianness
tool for converting JSON configuration into YAML with comments
support mcxa1xx
unify naming: RKTH/RKHT
remove nxpkeygen and nxpcertgen apps, replaced by nxpcrypto
remove elftosb app, replaced by nxpcrypto
positional arguments replaced by options for all parameters with an exception to blhost, sdphost and dk6prog
remove backward compatibility with command get-cfg-template, replaced fully with get-template(s)
unify family name within all modules
remove lpc55xx from family names
Bugfixes
- blhost:
fix error of SPI connection
- nxpdevhsm:
add missing sdio in generate command
- nxpele:
fix generate-keyblob IEE
fix issue with get-info command
- nxpimage:
fix certificate block in AHAB
fix signature in AHAB
fix some commands for SB21
fix non generated keys for AHAB parse
fix RAM images for LPC55Sxx
fix MBI signed for xip for MCXN9xx
fix sb21 export yaml errors
fix OTFAD with DUK
fix wrong core ID in parse for iMX93
fix binary certificate block for MBI
fix manifest for mcxn9xx
fix bootable image merge
fix in MBI configurations
fix missing parameters in MBI config in bootable-image parse
fix sb21 file generation without SBKEK
update list of supported MBI images for mcxn9xx
1.11.0 (7-July-2023)#
ANNOUNCEMENT
Next version of spsdk (2.0) will introduce breaking changes:
elftosb will be replaced by nxpimage
nxpcertgen and nxpkeygen will be replaced by nxpcrypto
select appropriate family will be done using: -f/–family parameter
move towards options for all parameters with an exception to BLHost
removal of crypto backends
extend dedicated spsdk.crypto module - serve as the de-facto backend of SPSDK
module level imports via init files
New features
- nxpimage:
enable signature providers for AHAB image and signed messages
add support for rt104x in bootable-image
add support for mcxn9xx
add API for FuseLockedStatus
possibility to declare private keys with passphrase in signature provider config
add checking of written data length in usb interface
add support for dk6 tools
Bugfixes
- nxpimage:
fix offset on NAND memory in AHAB image
fix plugin error for signature Provider for sb21
1.10.2 (7-July-2023)#
New features
1.10.1 (26-May-2023)#
New features
- nxpimage:
support encrypted image hab
support for RT11xx and RT10xx
improve OTFAD/IEE names generation
add API to retrieve info about fuses
Bugfixes
- nxpimage:
fix XMCD load_from_config
fix IEE template
fix circular dependency in signature provider import
fix issue with loading keys as INT
not enable logging when spsdk is used as a library
1.10.0 (5-April-2023)#
New features
- blhost:
add new command: ele_message
- nxpdebugmbox:
add command: read UUID from device
update PyOCD to latest version to support MCU LINK FW v3, implementing CMSIS-DAP v2.1
- nxpdevhsm:
USER_PCK rename to CUST_MK_SK
- nxpimage:
add subcommand group for generate and parse certificate block
replace private key to signature provider in master boot image
OTFAD support for RT1170
- ifr:
add commands read/write
- pfr:
add CMPA erase command
Bugfixes
- nxpdebugmbox:
fix AP selection issue for PyOCD and PEMICRO
fix DAC verification when there is only 1 root key
- nxpimage:
fix MBI issue with HMAC
- shadowregs:
fix endianness for OTP MASTER KEY
drop support for Python 3.7
1.9.1 (17-March-2023)#
New features
- nxpdevhsm:
split reset option in nxpdevhsm into two; disable init reset by default
Bugfixes
- nxpdebugmbox:
fix Linux error on PyOCD
fix PyOCD and PEmicro connection for kw45xx and k32w1xx
- nxpdevhsm:
fix buffer base address for DevHSM operations
- nxpimage:
fix handling exception when the root cert index is wrong
1.9.0 (30-January-2023)#
New features
- nxpdebugmbox:
add check of root of trust hash in dat authentication
enable debug authentication protocol on RT1180
- nxpdevhsm:
reset target before and after DevHSM SB3 file creation
- nxpimage:
XMCD support
signed messages support for RT1180
add bootable image for RT10xx, RT1180, RT1170, LPC55S3x
implement IEE encryption
support Memory ID for erase in sb21
support Memory ID for enable and load in sb21
implement JUMP and JUMP_SP commands in BD file for SB2.1
enable encryption in AHAB container
debug authentication improvements
unify memory access cross all debuggers
replace json file with yml file for TZ
support for k32w1xx, kw45xx
improve format of debugging logger
Bugfixes
- nxpdebugmbox:
remove duplicated option –protocol for gendc command
- nxpdevhsm:
fix skipping commands from config file
- nxpimage:
fix non working 384/521 ECC keys for signature in AHAB container
fix CRC mode in external flash for lpc55s3x
failure on start due to boot_image hook definition
- pfr:
command line parameter ‘-t’ is duplicated
Known issues
- nxpdebugmbox:
we do not support CMSIS-DAP version 2 (bulk pipes, https://arm-software.github.io/CMSIS_5/DAP/html/group__DAP__ConfigUSB__gr.html) This means sw debuggers such as MCU-Link v3 will not work (nxpdebugmbox will not detect the debugger probe) This issue will be resolved in next version of SPSDK
1.8.0 (21-October-2022)#
New features
- nxpimage:
add support for BEE
enable OTFAD on RT1180
- pfr:
move the functionality of pfrc tool into PFR tool
unify option for getting template across tools
add API for parsing XMCD
support cryptography >= 37.0.0
support bincopy 17.14
Bugfixes
- nxpdevscan:
fix hanging up for serial communication
fix documentation regarding SB31 programFuses
1.7.1 (16-September-2022)#
New features
- nxpimage:
add OTFAD support for RT5xx and RT6xx devices
- pfr:
read command allows independent binary and yaml exports
- shadowregs:
new subcommand: fuses-script
add OEM cert size check into TPConfig
Bugfixes
- nxpdebugmbox:
fix debug authentication for RT595
- nxpimage:
fix sb21 command line argument in documentation
fix the use of pyyaml’s load in tests (use safe_load())
1.7.0 (29-July-2022)#
New features
nxpimage application as replacement for elftosb
nxpcrypto application for generating and verifying keys, certificates, hash digest, converting key’s format
- blhost:
support LifeCycleUpdate command for RT1180
add option to specify peripheral index of SPI/I2C for LIBUSBSIO
allow lowercase names in the filter for USB mboot devices
- nxpdebugmbox:
utility to read/write memory using debug probe
- nxpimage:
support of Master Boot Images
support AHAB container for RT1180
support of Secure Binary 2.1 / 3.1
support for TrustZone blocks
support for Bootable images for RTxxx devices
support for FCB block parsing and exporting for RTxxx and some RTxxxx devices
simply binary image support, like create, merge, extract and convert (S19,HEX,ELF and BIN format)
- pfr:
load PFR configuration directly from chip using BLHOST
- sdphost:
support for SET_BAUDRATE command
support for iMX93
drop support for Python 3.6
pypemicro dependency update in order to cover latest bug fixes in this package
libusbsio update to version 2.1.11
unify debug options within applications
add API to compute RKTH
support LPC553x in elftosb/nxpimage
support dual image boot on RT5xx and RT6xx
replace click/sys.exit with raising an SPSDKAppError exception
encryption of remapped images
Bugfixes
- blhost:
efuse_program_once returns failure message when using ‘lock’ option but still the fuse is burnt
fix in re-scanning LIBUSBSIO devices when target MCU is not connected
scan_usb() should return nxp devices
read memory command doesn’t print read data when mem region is defined
- elftosb:
fix trustzone config template for rt5xx and rt6xx
fix MBI_PLainRamRTxxx image
fix CRC bootable image on RT685 EVK
fix image located in FLASH executed in RAM on RT6xx
fix burning fuses in BD file
- nxpdebugmbox:
fix in Jlink debugger probe initialization
fix get-crp command
1.6.3 (1-April-2022)#
New features
pypemicro dependency update in order to cover latest bug fixes in this package
libusbsio update to version 2.1.11
Bugfixes
fix in rescanning LIBUSBSIO devices when target MCU is not connected
efuse_program_once returns failure message when using ‘lock’ option but still the fuse is burnt
fix memory leaks in elftosb
1.6.2 (11-March-2022)#
New features
bump-up version of bincopy to <17.11
add plain load image to build example bootable i.MX-RT image
align docs requirements with project dependencies
add stability notice to documentation
speed-up application’s start due to move of bincopy import
1.6.1 (04-March-2022)#
New features
- blhost:
add parameter –no-verify for efuse-program-once
add possibility to select USBSIO bridge device via VID:PID, USB path, serial number
lower the timeout during MBoot’s UART Ping command
improve type hints for scan_* functions for detecting devices
- elftosb:
dynamically generate config json schema per family
- nxpdevscan:
extend scan with device serial number information
list all connected USB or UART or SIO devices
update device’s USB path (usb_device_identification)
- sdphost:
improve type hints for scan_* functions for detecting SDP devices
reduce number of findings from Pylint
update JINJA2 requirement
Bugfixes
1.6.0 (04-February-2022)#
New features
-
add experimental batch mode into blhost
support command get property 30
change output display for blhost get-property 8
provide the real exit code (status code) from BLHOST application
report progress of data transfer operations in blhost
performance boost in receive-sb-file
-
validation inputs using jsonschemas
reorganize and improve elftosb
add support for more input file types
[RTxxx] HMAC_KEY is now accepted in binary form
-
move gendc into nxpdebugmbox
pfr:
unify CMPA/CFPA fields descriptions and bit-field values within XML registers data
implement CMPA data generator and parser
improve documentation
remove dependency on munch and construct modules
add support for reserved bitfields in registers
support multiple occurrence of certificate attributes for subject/issuer
remove backward compatibility mode in Registers
reorganize functions from misc.py
add support for bumpversion
Bugfixes
-
generate-key-blob does not generate blob.bin on RT1176
parse_property_tag in blhost_helper converts incorrectly in some cases
different return code on Linux/Mac and Windows
USBSIO - fixed issue when busy signal on I2C was interpreted as data
-
DER encoded certificates are loaded as PEM
fixed dependency on cryptography’s internal keys
moved to fully typed versions of cryptography
-
cannot build CRC image into ext flash for lpc55s3x
cannot generate signed image with <4 ROT keys
fixed some failing cases in regards of TZ
[rtxxx] missing plain for load-to-ram image
configuration validation failed in some cases
-
return code is 0 in case of fail
nxpdebugmbox fails on Linux
-
generate ends with general error when no container is provided
pfr:
fix problem in registers class with another size of register than 32 bits
pfrc:
displays false brick conditions
wrong validation of CMPA.CC_SOCU_PIN bits
1.5.0 (07-August-2021)#
New features
nxpdevhsm - new application added:
The nxpdevhsm is a tool to create initial provisioning SB3 file for LPC55S36 to provision device with SB KEK needed to validate in device all standard SB3 files.
LIBUSBSIO integration as a replacement for HID_API module:
blhost - extend blhost by LPCUSBSIO interface
blhost - following trust-provisioning sub-commands added:
oem_get_cust_cert_dice_puk - creates the initial trust provisioning keys
oem_gen_master_share - creates shares for initial trust provisioning keys
oem_set_master_share - takes the entropy seed and the Encrypted OEM Master Share
hsm_gen_key - creates OEM common keys, including encryption keys and signing keys
hsm_store_key - stores known keys, and generate the corresponding key blob
hsm_enc_blk - encrypts the given SB3 data bloc
hsm_enc_sign - signs the given data
-
support for SB 2.1 generation using BD file
LPC55S3x - add support for unsigned/plain images
SB2.1 - SHA256 digest of all sections included in signed SB2.1 header
add supported families listing into elftosb
implement chip family option as a click.Choice
allow loading certificates for MBI in PEM format
-
generate the template for yml configuration file containing the parameters for certificate
improve yml template description for nxpcertgen
add support for generating certificates in DER format
-
moved option -p from general space to gendc subcommand.
add new -k keygen subcommand option to specify key type to generate
-
refactor DebugCredential base class so that it will be possible to pass certificates in yml config file
check nxpdebugmbox on LPC55S3x
pfr: - update CMPA/CFPA registers XML data for LPC55S3x with CRR update
SPSDK Applications:
spsdk applications show help message when no parameter on command line provided
improved help messages
support Ctrl+C in cmd applications
replace functional asserts with raising a SPSDK-based exception
replace all general exception with SPSDK-based exceptions
Bugfixes
nxpkeygen - regenerates a key without –force
elftosb - unclear error message: No such file or directory: ‘None’
pfr: - duplicated error message: The silicon revision is not specified
nxpdebugmbox - fix Retry of AP register reads after Chip reset
nxpdebugmbox - add timeout to never ending loops in spin_read/write methods in Debug mailbox
blhost - flash-erase-region command doesn’t accept the memory_id argument in hex form
elftosb - using kdkAccessRights = 0 in SB31 is throwing an error in KeyDerivator
1.4.0 (25-June-2021)#
New features
version flag added for all command-line application
support for Python 3.9 added
- blhost - following sub-commands added:
list-memory
flash-program-once
set-property
flash-erase-all-unsecure
flash-security-disable
flash-read-resource
reliable-update
fuse-program
flash-image
program-aeskey
blhost - memoryId clamp-down for mapped external memories added
elftosb - support for SB 2.1 added
elftosb - basic support for BD configuration file added
nxpdebugmbox - debug port enabled check added
nxpkeygen - new sub-command added to nxpkeygen to create a template for configuration YML file for DC keys
nxpkeygen - new sub-command added to create a template for configuration YML file for DC keys
pfr: - default JSON config file generation removed, but still accepted as an input. The preferred is the YML configuration format.
docs - Read The Docs documentation improvements
Bugfixes
wrong DCD size by BootImgRT.parse
cmdKeyStoreBackupRestore wrong param description
blhost - typo in McuBootConnectionError exception
blhost - mcuBoot Uart doesn’t close the device after failed ping command
blhost - assertion error when connection lost during fuses readout
blhost - sub-command flash-read-resource fails when the length is not aligned
pfr: - incorrect keys hash computation for LPC55S3x
pfr: - wrong LPC55S69 silicon revision
pfr: - parse does not show PRINCE IV fields
sdphost - running spdhost –help fails
shadowregs - bad DEV_TEST_BIT in shadow registers
1.3.1 (29-March-2021)#
pfr: - configuration template supports YAML with description, backward compatibility with JSON ensured
pfr: - API change: “keys” parameter has been moved from __init__ to export
pfr: - sub-commands renamed: * user-config -> get-cfg-template * parse -> parse-binary * generate -> generate-binary
blhost - allow key names for key-provisioning commands
blhost - support for RT1170, RT1160
shadowregs - shadow registers tool is now top-level module
blhost - fix baud rate parameter
pfr: - fix in data for LPC55S6x, LPC55S1x, LPC55S0x
blhost - communication stack breaks down on RT1170 after unsuccessful key-prov enroll command
1.3.0 (5-March-2021)#
support creation of SB version 3.1
elftosb application based on legacy elf2sb supporting SB 3.1 support
nxpdevscan - application for connected USB, UART devices discovery
shadowregs - application for shadow registers management using DebugProbe
support USB path argument in blhost/sdphost (all supported OS)
nxpcertgen CLI application (basicConstrains, self-signed)
- blhost - commands added:
flash-erase-all
call
load-image
execute
key-provisioning
receive-sb-file
- blhost - extend commands’ options:
configure-memory now allows usage of internal memory
extend error code in the output
add parameters lock/nolock into efuse-program-once command
add key selector option to the generate-key-blob command
add nolock/lock selector to efuse-program-once command
add hexdata option to the write-memory command
1.2.0 (11-December-2020)#
support for LPC55S3x devices
extend support for LPC55S1x, LPC55S0x
pfrc - console script for searching for brick conditions in pfr settings
custom HSM support
sdpshost CLI utility using sdpshost communication protocol
remote signing for Debug Credential
added command read-register into sdphost CLI
dynamic plugin support
MCU Link Debugger support
pfr: - added CMAC-based seal
pfr: - load Root of Trust from elf2sb configuration file
1.1.0 (4-September-2020)#
support for i.MX RT1170 device
support for elliptic-curve cryptography (ECC)
support for SDPS protocol
included Debug Authentication functionality
included support for debuggers
nxpkeygen - utility for generating debug credential files and corresponding keys
1.0.0 (4-April-2020)#
support for LPC55S69 and LPC55S16 devices
support for i.MX RT105x and RT106x devices
support for i.MX RT595S and RT685S devices
connectivity to the target via UART, USB-HID.
support for generating, saving, loading RSA keys with different sizes
generation and management of certificate
blhost - CLI utility for communication with boot loader on a target
sdphost - CLI utility for communication with ROM on a target
pfr: - CLI utility for generating and parsing Protected Flash Regions - CMPA and CFPA regions