# Examples for secure boot configuration Source: [https://docs.qualcomm.com/doc/80-Y8730-8/topic/example_for_secure_boot_configuration.html](https://docs.qualcomm.com/doc/80-Y8730-8/topic/example_for_secure_boot_configuration.html) The following examples describe the steps necessary to enable secure boot when using a single root certificate. ## Single root certificate case Source: [https://docs.qualcomm.com/doc/80-Y8730-8/topic/example_for_secure_boot_configuration.html](https://docs.qualcomm.com/doc/80-Y8730-8/topic/example_for_secure_boot_configuration.html) ### Sectools configuration The following code shows an example sectools configuration in the qcc730\_secimage.xml file. local_v2 qc_presigned_certs secboot_sha2_root 2048 257 0 1 0x0029F0E1 0x0000 0x0000 0x0000000000000002 2048 2 Copy to clipboard ### OTP configuration Based on the configuration in [Sectools configuration](https://docs.qualcomm.com/doc/80-Y8730-8/topic/example_for_secure_boot_configuration.html#single_root_certificate_case__section_lhc_xgh_h1c), use the following commands to enable secure boot: - Set `SECURE_BOOT_ENFORCE[2:0]=0x7`. python nvm_programmer.py -n otp -k SECURE_BOOT_ENFORCE=0x7 -s ch347Copy to clipboard - Set `TOTAL_ROT_NUM[7:4]=0x1`. python nvm_programmer.py -n otp -k TOTAL_ROT_NUM=0x1 -s ch347Copy to clipboard - Set PK\_HASH according to the generated hash values in sha256rootcert.txt. - Open \sectools\resources\data\_prov\_assets\Signing\Local\qc\_presigned\_certs-key2048\_exp257\sha256rootcert.txt, and then copy the SHA-256 value. SHA-256(qpsa\_rootca.cer)= de5480d49ed1cbe0813755f06324fce56e3eb391a9a40ffba8df9fd16c717744 - Set `PK_HASH` by using the SHA-256 value in the following command: python nvm_programmer.py -n otp -k PK_HASH=0xde5480d49ed1cbe0813755f06324fce56e3eb391a9a40ffba8df9fd16c717744 -s ch347 Copy to clipboard ## Disable and re‑enable JTAG debug mode Source: [https://docs.qualcomm.com/doc/80-Y8730-8/topic/example_for_secure_boot_configuration.html](https://docs.qualcomm.com/doc/80-Y8730-8/topic/example_for_secure_boot_configuration.html) Disable JTAG debug mode with setting `OEM_DEBUG_DISABLE[7:0] =0x80`. To do this, use the following command: python nvm_programmer.py -n otp -k OEM_DEBUG_DISABLE=0x80 -s ch347Copy to clipboard To re‑enable JTAG debug mode, modify the debug field to 3 in Sectools configuration file qcc730\_secimage.xml: ... 0x1234567800000003 ... Copy to clipboard For details, see [DEBUG field](https://docs.qualcomm.com/doc/80-Y8730-8/topic/secimage_configuration_file.html#debug_field). ## Configuring anti‑rollback version upgrade Source: [https://docs.qualcomm.com/doc/80-Y8730-8/topic/example_for_secure_boot_configuration.html](https://docs.qualcomm.com/doc/80-Y8730-8/topic/example_for_secure_boot_configuration.html) The following example Sectools configuration (qcc730\_secimage.xml) shows how to set anti‑rollback version to 1. 0x0000000100000000 0x0000000100000001 Copy to clipboard Last Published: Feb 10, 2026 [Previous Topic OTP format and configuration](https://docs.qualcomm.com/bundle/publicresource/80-Y8730-8/topics/otp_format_and_configuration.md) [Next Topic References](https://docs.qualcomm.com/bundle/publicresource/80-Y8730-8/topics/references.md)