# Sign and flash the images ## Prerequisites ### Check metabuild Identify the correct images for signing by checking the following files in the metabuild. - `/.LE.X.x/contents.xml` > > > This file has details about: > > > > > > > > > - The source path of each image. > > - The format of each image (for example, pil-split or mbn). - `/.LE.X.x/common/sectoolsv2/_security_profile.xml` > > > This file provides signing-related metadata, including: > > > > > > > > > - `--image-id` values. > > - A list of images that must be signed by users to ensure device security. ### Change SecTools commands for Windows To use SecTools commands on Windows platform, replace the `/.LE.X.x/common/sectoolsv2/ext/Linux/sectools` with `/.LE.X.x/common/sectoolsv2/ext/Windows/sectools.exe`. ## Sign the images Image signing is a security process that involves adding a cryptographic signature to a digital image. This signature serves as a unique identifier, verifying the authenticity, integrity, and origin of the image. Without image signing, there is no assurance of an image’s integrity or trusted origin, leading to potential security breaches and data loss. Follow these steps to sign the images. 1. You can sign the images using SecTools V2. Different signing methods and secure image functionality are available. For more information see [SecTools V2: Secure Image User Guide](https://docs.qualcomm.com/doc/80-NM248-12/topic/secure-image-usage.html). 2. You can generate the keys and certificates using a local signer. For more information, see [Generate local (insecure) root key and certificate](https://docs.qualcomm.com/doc/80-80022-11/topic/generate-keys-and-certificates.html#section-generate-local-root-key-certificate-lable). 3. To sign a single image, run the following command, where `tz.mbn` is used as an example. > > > Note > > > You can replace the values of OEM ID “**0x1**” and OEM Product ID “**0xabcd**” according to your requirement. /.LE.X.x/common/sectoolsv2/ext/Linux/sectools secure-image --sign /trustzone_images/build/ms/bin//tz.mbn --image-id=TZ --security-profile /.LE.X.x/common/sectoolsv2/_security_profile.xml --oem-id=0x1 --oem-product-id=0xabcd --anti-rollback-version=0x0 --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --outfile ./signed_images_out/tz.mbn Copy to clipboard The following is a sample command for IQ-9075/IQ-9100. > > > > > > > > /.LE.X.x/common/sectoolsv2/ext/Linux/sectools secure-image --sign /trustzone_images/build/ms/bin//tz.mbn --image-id=TZ --security-profile /.LE.X.x/common/sectoolsv2/lemans_security_profile.xml --oem-id=0x1 --oem-product-id=0xabcd --anti-rollback-version=0x0 --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --outfile ./signed_images_out/tz.mbn > > Copy to clipboard > > > > Note > > > Update the image path according to the path specified in the contents.xml file. 4. Check for all images with the `pil_split` flag in the contents.xml file. > > > Example: `pil_split = "adsp"` > > > For images that should be split, use the `--pil-split` option. 5. For signing the complete metabuild, use the following commands. > > > /.LE.X.x/common/sectoolsv2/ext/Linux/sectools metabuild-secure-image --image-finder /common/build/app/image_finder.py --sign --oem-id=0x1 --oem-product-id=0xabcd --anti-rollback-version=0x0 --signing-mode LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --chipset --outdir meta_signing_output/ --storage ufs > Copy to clipboard For more information, see [SecTools V2: Metabuild Secure Image User Guide](https://docs.qualcomm.com/bundle/80-NM248-17/resource/80-NM248-17_REV_AB_SecTools_V2__Metabuild_Secure_Image_User_Guide.pdf). > > > Note > > > The *SecTools* guides are available to licensed users with authorized access. ## Generate the signed sec.elf image Generating a signed sec.elf image involves creating a secure executable and linkable format (ELF) file with a cryptographic signature. Signing this image ensures its authenticity, integrity, and origin. A fuse blower binary is used to permanently disable certain functionalities or components of a device for security reasons. Generating a signed sec.elf image along with a fuse blower binary involves a series of steps to ensure both the integrity of the firmware and the security of the device. To generate fuse blower binary, see [SecTools V2: Fuse Blower User Guide](https://docs.qualcomm.com/bundle/80-NM248-9/resource/80-NM248-9_REV_AB_SecTools_V2__Fuse_Blower_User_Guide.pdf). ## Integrate the sample commands using SecTools This section provides sample commands only. The following are sample commands for SecTools on Windows. Note - Ensure that the values such as PK hash, OEM ID, and Product ID in the command are in hexadecimal format. - You can replace the values of OEM ID “**0x1**” and OEM Product ID “**0xabcd**” according to your requirement. - You can replace the value of `--fuse-pk-hash-0` with the SHA384 of `OEM-KEYS/qpsa_rootca.cer`. > > > To calculate the correct PK hash value, use the following command: > > > > > > > > > > > > > > > > openssl dgst -sha384 qpsa_rootca.cer >sha384rootcert.txt > > > Copy to clipboard > > > > > > > > For more information, see [Generate SHA-384 hash for RSA and ECDSA](https://docs.qualcomm.com/doc/80-80022-11/topic/generate-keys-and-certificates.html#section-generate-sha-384-hash-rsa-ecdsa-lable). - Replace the digest generated here from the user Root cert in the sec.elf generation command below. - Stage 1: Basic secure boot (image authentication + OEM ID + MODEL ID) Run the following command: > > > Tab QCS5430/QCS6490 > Tab IQ-9075/IQ-9100 > Tab IQ-8275/IQ-8300 > Tab IQ-615 > > /.LE.X.x/common/sectoolsv2/ext/Linux/sectools fuse-blower --security-profile /.LE.X.x/common/sectoolsv2/kodiak_security_profile.xml --fuse-pk-hash-0= --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --generate --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile basic_sec.elf > Copy to clipboard > > /.LE.X.x/common/sectoolsv2/ext/Linux/sectools fuse-blower --security-profile /.LE.X.x/common/sectoolsv2/lemans_security_profile.xml --fuse-pk-hash-0= --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --generate --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile basic_sec.elf > Copy to clipboard > > </.LE.X.x/common/sectoolsv2/ext/Linux/sectools fuse-blower --generate --security-profile /.LE.X.x/common/sectoolsv2/monaco_security_profile.xml --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-hw-id=0x1 --fuse-oem-product-id=0xabcd --fuse-pk-hash-0= --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --outfile basic_sec.elf > Copy to clipboard > > /.LE.X.x/common/sectoolsv2/ext/Linux/sectools fuse-blower --security-profile /.LE.X.x/common/sectoolsv2/talos_security_profile.xml --fuse-pk-hash-0= --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --generate --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile basic_sec.elf > Copy to clipboard - Stage 2: Complete secure boot (basic secure boot + debug disable + anti-rollback + write permission disable): Run the following commands. > > > Tab QCS5430/QCS6490 > Tab IQ-9075/IQ-9100 > Tab IQ-8275/IQ-8300 > Tab IQ-615 > > /.LE.X.x/common/sectoolsv2/ext/Linux/sectools fuse-blower --security-profile /common/sectoolsv2/kodiak_security_profile.xml --fuse-pk-hash-0= --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-secure-boot-fec-enable --fuse-wdog-en --fuse-shared-qsee-spiden-disable --fuse-shared-qsee-spniden-disable --fuse-shared-mss-dbgen-disable --fuse-shared-mss-niden-disable --fuse-shared-cp-dbgen-disable --fuse-shared-cp-niden-disable --fuse-shared-ns-dbgen-disable --fuse-shared-ns-niden-disable --fuse-apps-dbgen-disable --fuse-apps-niden-disable --fuse-shared-misc-debug-disable --fuse-eku-enforcement-en --fuse-anti-rollback-feature-en=0xF --fuse-sec-key-derivation-key=0x00 --fuse-read-permissions-write-disable --fuse-oem-configuration-write-disable --fuse-secondary-key-derivation-key-read-disable --fuse-write-permissions-write-disable --fuse-public-key-hash-0-write-disable --fuse-oem-secure-boot-write-disable --fuse-secondary-key-derivation-key-write-disable --fuse-secondary-key-derivation-key-fec-enable --fuse-fec-enables-write-disable --generate --sign --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --signing-mode=LOCAL --root-certificate=./ OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile sec.elf > Copy to clipboard > > /.LE.X.x/common/sectoolsv2/ext/Linux/sectools fuse-blower --security-profile /.LE.X.x/common/sectoolsv2/lemans_security_profile.xml --fuse-pk-hash-0= --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-secure-boot-fec-enable --fuse-wdog-en --fuse-shared-qsee-spiden-disable --fuse-shared-qsee-spniden-disable --fuse-shared-mss-dbgen-disable --fuse-shared-mss-niden-disable --fuse-shared-cp-dbgen-disable --fuse-shared-cp-niden-disable --fuse-shared-ns-dbgen-disable --fuse-shared-ns-niden-disable --fuse-apps-dbgen-disable --fuse-apps-niden-disable --fuse-shared-misc-debug-disable --fuse-eku-enforcement-en --fuse-anti-rollback-feature-en=0xF --fuse-sec-key-derivation-key=0x00 --fuse-read-permissions-write-disable --fuse-oem-configuration-write-disable --fuse-secondary-key-derivation-key-read-disable --fuse-public-key-hash-0-write-disable --fuse-oem-secure-boot-write-disable --fuse-secondary-key-derivation-key-write-disable --fuse-secondary-key-derivation-key-fec-enable --fuse-fec-enables-write-disable --fuse-write-permissions-write-disable --generate --sign --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile sec.elf > Copy to clipboard > > /.LE.X.x/common/sectoolsv2/ext/Linux/sectools fuse-blower --generate --security-profile /.LE.X.x/common/sectoolsv2/monaco_security_profile.xml --fuse-secondary-key-derivation-key-read-disable --fuse-read-permissions-write-disable --fuse-write-permissions-write-disable --fuse-fec-enables-write-disable --fuse-public-key-hash-0-write-disable --fuse-secondary-key-derivation-key-write-disable --fuse-oem-secure-boot-fec-enable --fuse-secondary-key-derivation-key-fec-enable --fuse-wdog-en --fuse-eku-enforcement-en --fuse-oem-configuration-write-disable --fuse-oem-secure-boot-write-disable --fuse-anti-rollback-feature-en=0xf --fuse-shared-qsee-spiden-disable --fuse-shared-qsee-spniden-disable --fuse-shared-mss-dbgen-disable --fuse-shared-mss-niden-disable --fuse-shared-cp-dbgen-disable --fuse-shared-cp-niden-disable --fuse-shared-ns-dbgen-disable --fuse-shared-ns-niden-disable --fuse-apps-dbgen-disable --fuse-apps-niden-disable --fuse-shared-misc-debug-disable --fuse-usb-pipo-disable --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-hw-id=0x1 --fuse-oem-product-id=0xabcd --fuse-pk-hash-0= --fuse-sec-key-derivation-key=0x00 --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --outfile sec.elf > Copy to clipboard > > /.LE.X.x/common/sectoolsv2/ext/Linux/sectools fuse-blower --security-profile /.LE.X.x/common/sectoolsv2/talos_security_profile.xml --fuse-pk-hash-0= --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-secure-boot-fec-enable --fuse-wdog-en --fuse-apps-apb-dfd-disable --fuse-dcc-debug-disable --fuse-debug-bus-disable --fuse-aoss-aop-dfd-disable --fuse-eud-disable --fuse-dap-deviceen-disable --fuse-apps-dbgen-disable --fuse-dap-dbgen-disable --fuse-lpass-turing-dbgen-disable --fuse-wcss-dbgen-disable --fuse-aoss-aop-dbgen-disable --fuse-cam-icp-dbgen-disable --fuse-ssc-dbgen-disable --fuse-venus-0-dbgen-disable --fuse-a5x-isdb-dbgen-disable --fuse-mss-dbgen-disable --fuse-apps-niden-disable --fuse-dap-niden-disable --fuse-lpass-turing-niden-disable --fuse-wcss-niden-disable --fuse-aoss-aop-niden-disable --fuse-cam-icp-niden-disable --fuse-ssc-niden-disable --fuse-mss-niden-disable --fuse-apps-spniden-disable --fuse-dap-spniden-disable --fuse-apps-spiden-disable --fuse-dap-spiden-disable --fuse-llcc-dsrw-disable --fuse-read-permissions-write-disable --fuse-oem-configuration-write-disable --fuse-secondary-key-derivation-key-read-disable --fuse-public-key-hash-0-write-disable --fuse-oem-secure-boot-write-disable --fuse-secondary-key-derivation-key-write-disable --fuse-secondary-key-derivation-key-fec-enable --fuse-sec-key-derivation-key=0x00 --fuse-fec-enables-write-disable --generate --sign --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile sec.elf > Copy to clipboard > > > Note > > > The *SecTools* guides are available to licensed users with authorized access. > > > Important > > > The `OEM_enable_bootup_from_a_b_partition` configuration is optional and located in `trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config//oem_config.xml`. Its default value is 0. When set to 1 and `devcfg` recompiled, it enables rollback safety. After the boot confirmation using SMC from UEFI or client applications, it allows TrustZone to update image rollback versions. ## Use unified image encryption Unified image encryption (UIE) is a standardized image‑encryption scheme. It uses a hierarchical L1-L2-L3 AES key ladder, L1 is the root key which is fused in Hardware. L2 is the next level key wrapped with the L1 key and L3 is the key used to encrypt the image. It’s wrapped with the L2 key. For command-line usage related to UIE encryption, see [SecTools V2: Secure Image User Guide](https://docs.qualcomm.com/doc/80-NM248-12/topic/secure-image-usage.html). UIE encryption isn’t supported for IQ-9075/IQ-9100 and IQ-8275/IQ-8300. > > > Note > > > The *SecTools* guides are available to licensed users with authorized access. ### Generate your own key for encryption 1. The user UIE keys are the standard AES 128 keys and can be generated using the OpenSSL tool. > > > Use the command: > > > > > > > > > openssl enc -aes-128-cbc -k -P -md sha1 > > Copy to clipboard > > > > Where: > > - `openssl enc`: Invokes the OpenSSL encryption tool. > - `-aes-128-cbc`: Specifies the encryption algorithm — AES with a 128-bit key in the cipher block chaining (CBC) mode. > - `-k secret`: Provides the password (secret) from which the key and initialization vector (IV) are derived. > - `-P`: Prints the derived key and IV instead of performing an encryption or decryption. > - `-md sha1`: Specifies the message digest algorithm (sha1) used in the key derivation function (KDF). > > > > For example: > > > > > > > > > openssl enc -aes-128-cbc -k "secret_passphrase" -P -md sha1 > > Copy to clipboard > > > - `salt=E2A1F3C4D5B6A798` > - `key=5F4DCC3B5AA765D61D8327DEB882CF99` > - `iv =AABBCCDDEEFF00112233445566778899` 2. Copy the key to a file to make your key. > > > `echo -n "5F4DCC3B5AA765D61D8327DEB882CF99"  | xxd -r -p > l1_key.key` ### Generate a UIE sec.elf file 1. Use the command to generate a UIE sec.elf file. ./sectools fuse-blower --security-profile _security_profile.xml --outfile uie_sec.elf --fuse-image-encryption-enable --generate --sign --signing-mode TEST --fuse-oem-image-encryption-key=0x5F4DCC3B5AA765D61D8327DEB882CF99 --fuse-oem-image-encryption-key-fec-enable Copy to clipboard 2. Update the security profile XML appropriate to the chipset. 3. Use the signing mode as LOCAL or PLUGIN according to the requirement. 4. Update the encryption key according to your key. Once the UIE sec.elf file is generated, you can flash it onto the non-secure device. After flashing the UIE sec.elf, you should then flash the secure boot enablement sec.elf along with the other fuses. ### Encrypt the binaries To encrypt the binaries with the test keys, use the following arguments along with the signing command. > > > --encrypt --encryption-mode TEST > Copy to clipboard To encrypt the binaries with the local keys, use the following arguments along with the signing command. > > > --encrypt --encryption-mode LOCAL --l1-key l1_key.key > Copy to clipboard ## Flash the images Flashing images involves writing an entire image, including partitions, file systems, and data, onto a storage device. This process helps keep the functionality, security, and performance of the device. Follow these steps to flash the images: 1. See [Set QFPROM fuses](https://docs.qualcomm.com/doc/80-80022-11/topic/appendix-fuse-configurations.html#appendix-fuse-configurations) for the list of fuses to configure. 2. Replace all binaries with the signed non-Linux binaries generated in [Sign the images](https://docs.qualcomm.com/doc/80-80022-11/topic/sign-and-flash-images.html#section-sign-image-lable), including `prog_firehose_ddr.elf`. To replace the PIL images, replace the existing PIL images with their corresponding signed versions generated earlier. > > > - Extract the `/common/build/ufs/bin/_fw.zip` file. > - Replace the PIL split binaries and the `.mdt` files generated in the signed output into the extracted directory `/common/build/ufs/bin/_fw/lib/firmware/qcom/`. > - Zip the `/common/build/ufs/bin/_fw` directory with `_fw.zip` name. > - Recompile the Yocto build. 3. To flash all the signed binaries to the device, see [Qualcomm Linux Build Guide](https://docs.qualcomm.com/bundle/publicresource/topics/80-80022-254/build_frm_source_qsc_cli.html). 4. After generating the signed images and `sec.elf`, enable secure boot: 1. Flash the signed images first without `sec.elf` and ensure that the device boots successfully. 2. Flash sec.elf by updating the correct `rawprogramX.xml` file. > > > Flash sec.elf by updating the correct `rawprogramX.xml` file. Find the rawprogramX.xml file with label=“secdata” entry and update the filename in that entry with `sec.elf`. For example, in QCM6490: > > > `` 3. Flash the signed images and `sec.elf` using the flash procedure from [Qualcomm Linux Build Guide](https://docs.qualcomm.com/bundle/publicresource/topics/80-80022-254/flash_images.html). 4. Flash the image using PCAT. 5. Verify that the secure boot is enabled using [Bring up → Verified secure boot](https://docs.qualcomm.com/doc/80-80022-11/topic/bring-up.html#section-bringup-verify-secure-boot-label). Important With the secure boot enabled, the device expects images to be flashed using a secure programming method called validated image programming (VIP). To proceed, see [Perform VIP flashing](https://docs.qualcomm.com/doc/80-80022-11/topic/vip-flashing.html#vip-flashing) ## Next steps - To ensure device security by allowing only digitally signed images to be programmed, see [Perform VIP flashing](https://docs.qualcomm.com/doc/80-80022-11/topic/vip-flashing.html#vip-flashing). - To enforce strict access controls, see [Enable SELinux](https://docs.qualcomm.com/doc/80-80022-11/topic/enable-selinux.html#enable-selinux). Last Published: May 18, 2026 [Previous Topic Generate keys and certificates](https://docs.qualcomm.com/bundle/publicresource/80-80022-11/topics/generate-keys-and-certificates.md) [Next Topic Perform VIP flashing](https://docs.qualcomm.com/bundle/publicresource/80-80022-11/topics/vip-flashing.md)