# Generate signed sec.elf image

This information provides sample commands only.
For generating fuse blower binary, see [SecTools V2: Fuse Blower User Guide](https://docs.qualcomm.com/bundle/80-NM248-9/resource/80-NM248-9_REV_AB_SecTools_V2__Fuse_Blower_User_Guide.pdf).

The following are sample commands for Sectools on Windows:

Note

- You can replace the values of oem-id “**0x1**” and oem-product-id “**0xabcd**” according your requirement.
- You can replace the value of “**–fuse-pk-hash-0**” with the **SHA384** of “**OEM-KEYS/qpsa\_rootca.cer**”.

> 
> 
> To calculate the correct PK\_HASH value, use the following command:
> 
> 
> 
> > 
> > 
> > > 
> > > 
> > > openssl dgst -sha384 qpsa_rootca.cer
> > >         Copy to clipboard
> > 
> > 
> > 
> > For more information, see [Generate SHA-384 hash for RSA and ECDSA](https://docs.qualcomm.com/doc/80-70017-11/topic/generate-sha-384-hash-for-rsa-and-ecdsa.html#generate-sha-384-hash-for-rsa-and-ecdsa).
- Replace the digest generated here from user Root cert in the sec.elf generation command below.

- Stage 1: Basic secure boot (image authentication + OEMID + MODEL ID)

    Run the following command:

> 
> 
> Tab QCS5430/QCS6490
> Tab QCS9075/QCS9100
> 
> <meta>/common/sectoolsv2/ext/<platform>/sectools.exe fuse-blower --security-profile <meta>/common/sectoolsv2/kodiak_security_profile.xml --fuse-pk-hash-0=<sha384 of OEM-KEYS/qpsa_rootca.cer> --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --generate --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile basic_sec.elf
>         Copy to clipboard
> 
> <meta>/common/sectoolsv2/ext/<platform>/sectools.exe fuse-blower --security-profile <meta>/common/sectoolsv2/ext/<platform>/sectools.exe fuse-blower --security-profile <meta>/common/sectoolsv2/lemans_security_profile.xml --fuse-pk-hash-0=0xf953644308944bb811ca0ec2a736a17fe38509941ce7f55860130857813c8378e93359b70dfd874c270dca08a53bd99f --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --generate --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile basic_sec.elf
>         Copy to clipboard
- Stage 2: Complete secure boot (basic secure boot + debug disable +
anti-rollback + write permission disable):

    Run the following commands.

> 
> 
> Tab QCS5430/QCS6490
> Tab QCS9075/QCS9100
> 
> <meta>/common/sectoolsv2/ext/<platform>/sectools.exe fuse-blower --security-profile <meta\>/common/sectoolsv2/kodiak_security_profile.xml --fuse-pk-hash-0=0xf953644308944bb811ca0ec2a736a17fe38509941ce7f55860130857813c8378e93359b70dfd874c270dca08a53bd99f --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2 -auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-secure-boot-fec-enable --fuse-wdog-en --fuse-shared-qsee-spiden-disable --fuse-shared-qsee-spniden-disable --fuse-shared-mss-dbgen-disable --fuse-shared-mss-niden-disable --fuse-shared-cp-dbgen-disable --fuse-shared-cp-niden-disable --fuse-shared-ns-dbgen-disable --fuse-shared-ns-niden-disable --fuse-apps-dbgen-disable --fuse-apps-niden-disable --fuse-shared-misc-debug-disable --fuse-eku-enforcement-en --fuse-anti-rollback-feature-en=0xF --fuse-sec-key-derivation-key=0x00 --fuse-read-permissions-write-disable --fuse-oem-configuration-write-disable --fuse-secondary-key-derivation-key-read-disable --fuse-public-key-hash-0-write-disable --fuse-oem-secure-boot-write-disable --fuse-secondary-key-derivation-key-write-disable --fuse-secondary-key-derivation-key-fec-enable --fuse-fec-enables-write-disable --generate --sign --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile sec.elf
>         Copy to clipboard
> 
> <meta>/common/sectoolsv2/lemans_security_profile.xml --fuse-pk-hash-0=0xf953644308944bb811ca0ec2a736a17fe38509941ce7f55860130857813c8378e93359b70dfd874c270dca08a53bd99f --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-secure-boot-fec-enable --fuse-wdog-en --fuse-shared-qsee-spiden-disable --fuse-shared-qsee-spniden-disable --fuse-shared-mss-dbgen-disable --fuse-shared-mss-niden-disable --fuse-shared-cp-dbgen-disable --fuse-shared-cp-niden-disable --fuse-shared-ns-dbgen-disable --fuse-shared-ns-niden-disable --fuse-apps-dbgen-disable --fuse-apps-niden-disable --fuse-shared-misc-debug-disable --fuse-eku-enforcement-en --fuse-anti-rollback-feature-en=0xF --fuse-sec-key-derivation-key=0x00 --fuse-read-permissions-write-disable --fuse-oem-configuration-write-disable --fuse-secondary-key-derivation-key-read-disable --fuse-public-key-hash-0-write-disable --fuse-oem-secure-boot-write-disable --fuse-secondary-key-derivation-key-write-disable --fuse-secondary-key-derivation-key-fec-enable --fuse-fec-enables-write-disable --generate --sign --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile sec.elf
>         Copy to clipboard

> 
> 
> Note
> 
> 
> The *SecTools* guides are available to licensed developers with authorized access.

Last Published: Jan 30, 2025

[Previous Topic
Sign images](https://docs.qualcomm.com/bundle/publicresource/80-70017-11/topics/sign-the-images.md) [Next Topic
Flash images](https://docs.qualcomm.com/bundle/publicresource/80-70017-11/topics/flash-the-images.md)