Tip / Sign in to post questions, reply, level up, and achieve exciting badges. Know more

CYW4390X Application Note: OTP Programming and Using Secure Boot and Secure Flash

Moderator 250 sign-ins 25 comments on blog 10 comments on blog

This application note describes how the secure boot and secure flash features operate with the Cypress® CYW4390X family of embedded wireless system-on-a-chip (SoC) devices. Secure boot and secure flash features are not required during the early product development phase. As feature functionality involves programming one-time programmable (OTP) nonvolatile memory, it is important to exercise diligent precautions before starting the process.

2 Replies
25 sign-ins 5 questions asked First solution authored

below is my test experience for share.


During boot-up, the second stage bootloader is decrypted and authenticated by the ROM bootloader. The ROM boot loader supports the following algorithms.

Encryption: AES128-CBC       Authentication: HMAC_SHA256 or RSA (2048-bit)


In this folder there is a NULL folder as default. boot_aes.key and boot_sha.key fill with 0x00

I copy and modify a new folder, MY_KEY, 0x00~0x10 and 0x00~0x20 (use UltraEdit hex view)

I programming SHA key and AES key in OTP according AN214842 9.2.1. but use MY_KEY content

I programming Enable Secure Boot bit in OTP according AN214842 9.1.1.  But found normal build "scan" still can run.

I programming Enable HW Crypto/Enable AES128-CBC Encryption/Enable HMAC_SHA256 Authentication (Signature) bit in OTP according AN214842 9.1.2.  Thus I get expected result,only build with SECURE_BOOT can run.

Make snip.scan-CYW943907AEVAL1F download  SECURE_BOOT=1 KEYS=MY_KEY run

If change a key when build, it can't run

I tested ota_fr.

Make snip.ota_fr-CYW943907AEVAL1F SECURE_BOOT=1 SECURE_SFLASH=1 KEYS=MY_KEY download download_apps run




Flash Partitions can be marked as secure during build time, during which the contents of the partitions is signed and encrypted before being programmed to the flash.

By default, Secure Flash ensures that the following flash partitions are secure:

 ❐ User application

 ❐ File System

 ❐ Device Configuration Table (DCT)

 ❐ OTA2 (Over the air upgrade version2) application

❐ OTA2 Failsafe application

❐ Factory Reset application


Encryption: AES128-CBC       Authentication: HMAC_SHA256

Secure flash supports AES128-CBC for encryption and HMAC_SHA256 for authentication. A 256 bit HMC_SHA256 digest is stored at the end of each flash sector.

there no need set in OTP.

In case  hacker got the image from serial flash. It can not run on the other board without correct key in OTP. 




It is important to prevent any external host from reading OTP-secured keys. Note: Once SECURE_BIT is set to 1, OTP and flash cannot be programmed, so this must be the last task performed after the secure boot and secure flash procedures are completed. When the secure bit (SECURE_BIT) is set to 1, JTAG, SDIO, USB and HSIC interfaces are disabled on the device. This prevents any external host from reading secure keys stored in OTP.

  1. Set up the programming environment using WICED-SDK.
  2. Set the SECURE_BIT address shown below. This is identical for both version B0 and version B1.

# .\wl43909_B0.exe --serial otpraw 387 1 1

  1. Download the target application. This must be done before step 4, otherwise the JTAG port will be disabled and the application download will not be possible. 4. Power cycle the device.



25 sign-ins 5 questions asked First solution authored

!!! In HW Crypto, the second stage Bootloader size is limited to 16 KB.

and waf.ota2_bootloader app size bigger than 16KB.

So when you use ota2_bootloader, can't use HW_CRYPTO.