# 生成已签名的 sec.elf 镜像

此信息仅提供示例命令。请参阅 [SecTools V2: Fuse Blower User Guide](https://docs.qualcomm.com/bundle/80-NM248-9/resource/80-NM248-9_REV_AB_SecTools_V2__Fuse_Blower_User_Guide.pdf)，生成熔断器二进制文件。

以下是 Windows 上 Sectools 的示例命令：

Note

- 用户可以根据需要替换 oem-id” **0x1** “和 oem-product-id” **0xabcd** “的值。
- 您可以将“**–fuse-pk-hash-0**“的值替换为”**OEM-KEYS/qpsa\_rootca.cer**“的 **SHA384**。

> 
> 
> 要计算正确的 PK\_HASH 值，请使用以下命令：
> 
> 
> 
> > 
> > 
> > > 
> > > 
> > > openssl dgst -sha384 qpsa_rootca.cer
> > >         Copy to clipboard
> > 
> > 
> > 
> > 如需了解更多信息，请参阅[为 RSA 和 ECDSA 生成 SHA-384 哈希](https://docs.qualcomm.com/doc/80-70017-11SC/topic/generate-sha-384-hash-for-rsa-and-ecdsa.html#rsa-ecdsa-sha-384)。
- 在下面的 sec.elf 生成命令中替换此处从用户根证书生成的摘要。

- 阶段1：基本安全启动（镜像身份验证 + OEMID + 型号 ID）

    运行以下命令：

> 
> 
> Tab QCS5430/QCS6490
> Tab QCS9075/QCS9100
> 
> <meta>/common/sectoolsv2/ext/<platform>/sectools.exe fuse-blower --security-profile <meta>/common/sectoolsv2/kodiak_security_profile.xml --fuse-pk-hash-0=<sha384 of OEM-KEYS/qpsa_rootca.cer> --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --generate --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile basic_sec.elf
>         Copy to clipboard
> 
> <meta>/common/sectoolsv2/ext/<platform>/sectools.exe fuse-blower --security-profile <meta>/common/sectoolsv2/ext/<platform>/sectools.exe fuse-blower --security-profile <meta>/common/sectoolsv2/lemans_security_profile.xml --fuse-pk-hash-0=0xf953644308944bb811ca0ec2a736a17fe38509941ce7f55860130857813c8378e93359b70dfd874c270dca08a53bd99f --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --generate --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile basic_sec.elf
>         Copy to clipboard
- 阶段2：完成全部安全启动（基本安全启动 + 调试禁用 + 防回滚 + 写入权限禁用）：

    运行以下命令。

> 
> 
> Tab QCS5430/QCS6490
> Tab QCS9075/QCS9100
> 
> <meta>/common/sectoolsv2/ext/<platform>/sectools.exe fuse-blower --security-profile <meta\>/common/sectoolsv2/kodiak_security_profile.xml --fuse-pk-hash-0=0xf953644308944bb811ca0ec2a736a17fe38509941ce7f55860130857813c8378e93359b70dfd874c270dca08a53bd99f --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2 -auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-secure-boot-fec-enable --fuse-wdog-en --fuse-shared-qsee-spiden-disable --fuse-shared-qsee-spniden-disable --fuse-shared-mss-dbgen-disable --fuse-shared-mss-niden-disable --fuse-shared-cp-dbgen-disable --fuse-shared-cp-niden-disable --fuse-shared-ns-dbgen-disable --fuse-shared-ns-niden-disable --fuse-apps-dbgen-disable --fuse-apps-niden-disable --fuse-shared-misc-debug-disable --fuse-eku-enforcement-en --fuse-anti-rollback-feature-en=0xF --fuse-sec-key-derivation-key=0x00 --fuse-read-permissions-write-disable --fuse-oem-configuration-write-disable --fuse-secondary-key-derivation-key-read-disable --fuse-public-key-hash-0-write-disable --fuse-oem-secure-boot-write-disable --fuse-secondary-key-derivation-key-write-disable --fuse-secondary-key-derivation-key-fec-enable --fuse-fec-enables-write-disable --generate --sign --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile sec.elf
>         Copy to clipboard
> 
> <meta>/common/sectoolsv2/lemans_security_profile.xml --fuse-pk-hash-0=0xf953644308944bb811ca0ec2a736a17fe38509941ce7f55860130857813c8378e93359b70dfd874c270dca08a53bd99f --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-secure-boot-fec-enable --fuse-wdog-en --fuse-shared-qsee-spiden-disable --fuse-shared-qsee-spniden-disable --fuse-shared-mss-dbgen-disable --fuse-shared-mss-niden-disable --fuse-shared-cp-dbgen-disable --fuse-shared-cp-niden-disable --fuse-shared-ns-dbgen-disable --fuse-shared-ns-niden-disable --fuse-apps-dbgen-disable --fuse-apps-niden-disable --fuse-shared-misc-debug-disable --fuse-eku-enforcement-en --fuse-anti-rollback-feature-en=0xF --fuse-sec-key-derivation-key=0x00 --fuse-read-permissions-write-disable --fuse-oem-configuration-write-disable --fuse-secondary-key-derivation-key-read-disable --fuse-public-key-hash-0-write-disable --fuse-oem-secure-boot-write-disable --fuse-secondary-key-derivation-key-write-disable --fuse-secondary-key-derivation-key-fec-enable --fuse-fec-enables-write-disable --generate --sign --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile sec.elf
>         Copy to clipboard

> 
> 
> Note
> 
> 
> *SecTools* 指南可供具有授权访问权限的许可开发者使用。

Last Published: Apr 27, 2025

[Previous Topic
为镜像签名](https://docs.qualcomm.com/bundle/publicresource/80-70017-11SC/topics/sign-the-images.md) [Next Topic
刷写镜像](https://docs.qualcomm.com/bundle/publicresource/80-70017-11SC/topics/flash-the-images.md)