MCUSOPUG

MCU Secure Offline Programmer User Guide

Rev. 1 — 15 November 2023 User guide

Document information
Information Content
Keywords Secure Offline Programmer (SPGR), OTP (eFuse), secure JTAG
Abstract This document describes the Secure Offline Programmer (SPGR) features, project framework,
quick start, and various software settings. It describes the hand-on in detail, including image
programming, OTP (eFuse) programming, secure JTAG re-opening, and so on.
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

1 Introduction
This document describes the Secure Offline Programmer (SPGR) features, project framework, quick start,
and various software settings. It describes the hand-on in detail, including image programming, OTP (eFuse)
programming, secure JTAG re-opening, and so on. Based on SoC secure features and suitable tools, the
product obtains a whole security in its lifecycle. Secure Offline Programmer (SPGR) is a terminal to assist the
OEM to build a secure injection/provisioning when manufacturing and a secure debug when repairing. Other
necessary information are in the document for convenient understanding and developing.
This product is mainly composed of two distinct elements:
• SPGR Main Programmer (SPGR-MP)
• SPGR USB Dongle (SPGR-UD)

1.1 Acronyms and abbreviations

Table 1 lists the acronyms used in this document.

Table 1. Acronyms and abbreviations

Term Description
AES Advanced Encryption Standard
BEE Bus Encryption Engine
CAAM Cryptographic Accelerator and Assurance Module
CRC Cyclic Redundancy Check
DCP Data coprocessor
HAB High Assurance Boot
MCU ISP MCU In-System programming
OCOTP On-Chip One Time Programmable
OTFAD On-The-Fly AES Decryption
OTPMK One-Time Programmable Master Key
RTOS Real-time Operating System
SB NXP MCU Secure Binary
SHA Secure Hash Algorithms
SNVS Secure Non-Volatile Storage
TRNG True Random Number Generator
XIP eXecute In Place
SPGR Secure Offline Programmer
SPGR-MP Secure Offline Programmer - Main Programmer
SPGR-UD Secure Offline Programmer - USB Dongle

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

2 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

1.2 About MCU SPGR

Figure 1. MCU SPGR diagram

MCU SPGR (red circle) is a whole reference with hardware and software to extend the common-programmer
and security support when manufacturing product with security features in factory. It is consist of the main
programmer ( in Figure 1) for processing all kinds of operations and the USB dongle ( in Figure 1) for
storing sensitive keys/settings according to support functions. MCU SPGR is targeted for middle customers with
a trusted factory and a simple secure mechanism. No plain keys are available for users. Private keys are only
available for the administrator, low cost, ease of use, and portability.

1.3 Features
SPGR-MP:
• Support to program NXP MCU platforms (Table 2 lists the platforms by now) with uniform operations for all
platforms
• Complete key injection/provisioning used by the SoC secure engine for signature, encryption, and secure
JTAG mode
• Communication with programmed NXP MCU platforms via JTAG/SWD
• Complete security configurations for lock bits / lifecycle conversion
• Re-opening secure debug via the challenge-response mechanism
• Complete secure debugger via the SWD/JTAG protocol (optional, in future)
• Communication with the LPC55S69 EVK board (smartcard HSM) via USB CCID
• Support to configure the programmer via a JSON file
• Support to download the target image and configuration file via USB storage or Micro-SD
• Support for multiple toolchains and developing environments:
– Windows host: IAR, MDK, and MCUXpresso IDE
SPGR-UD:

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

3 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

• Complete key management (how to download, install, use, and revoke user keys securely), such as BEE’s
KEK and JTAG_RESP
• Support for product counter and customized requirements
• Support for the UICC APDU protocol via USB CCID

1.4 Supported MCU boards as target

Table 2 lists the NXP MCU boards supported by the SPGR to be programmed.

Table 2. Supported NXP MCU boards

Board Architecture Boot device
evkmimxrt1010 CM7 QSPI Flash
evkmimxrt1020 CM7 QSPI Flash
evkbmimxrt1050 CM7 HyperFlash
evkmimxrt1060 CM7 QSPI Flash
evkmimxrt1064 CM7 QSPI Flash
evkmimxrt1170 CM7 + CM4 QSPI Flash

See the following documents for detailed information.

• MIMXRT1010 EVK Board Hardware User’s Guide (document MIMXRT1010EVKHUG)
• MIMXRT1020 EVK Board Hardware User’s Guide (document MIMXRT1020EVKHUG)
• MIMXRT1050 EVK Board Hardware User’s Guide (document MIMXRT1050EVKBHUG)
• MIMXRT1060/1064 Evaluation Kit Board Hardware User's Guide (document MIMXRT10601064EKBHUG)
• MIMXRT1170 EVK Board Hardware User’s Guide (document MIMXRT1170EVKHUG)

1.5 SPGR directory organization

The SPGR project contains schematics, PCB, source code, and documents for main programmer and USB
dongle. The layer and description are shown in Figure 2 and Table 3.

Figure 2. SPGR-MP directory organization

Table 3. SPGR-MP source code directories

Directory Description
CMSIS This folder contains CMSIS header files.

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

4 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

Table 3. SPGR-MP source code directories...continued

Directory Description
components This folder contains the third middleware and SDK components source code.
board This folder contains general initialization and setup functions that are board-specific.
device This folder contains peripheral drivers and platform-related files.
rtos This folder contains FreeRTOS source code.
sec_programer This folder contains project files and application source code.
tools This folder contains tools used to extract the flash or the OTP programming algorithm.
LICENSE This is a BSD-3 license file.
README.md This is an introduction to the SPGR project.
SW-Content-Register.txt This file is used for a license check of the SPGR project.

1.6 Host system requirements

The SPGR project can be developed only in the Windows host. The system requirements are as follows:
• Windows host
• IAR IDE v9.32
• MDK IDE v5.36
• MCUXpressor v11.7.0

2 Quick start
This chapter introduces the quick start for the SPGR project.

2.1 Getting familiar with the board

The overview of the secure programmer demo board is shown in Figure 3 and Figure 4.

Figure 3. Overview of the secure programmer board (front side)

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

5 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

Figure 4. Overview of the secure programmer board (back side)

2.2 Connecting the board

This section contains information about the configuration of the programmer boards:
1. Connect a programmer board to a target board using wires or flat cables.
2. Plug a micro-USB cable to the LPC55S69 development board's port P9 (for fuse burning).
3. Connect the LPC55S69 development board to port P2 on the programmer board (if needed).
4. Connect the TFT LCD screen YT280S002 to the JP1 LCD interface.
5. Connect MCU-LINK or J-Link to port J8 on the SPGR board.
6. Copy the target binary image and the JSON configuration file to the micro-SD card and plug the SD card
into the card slot (J4).
7. Power the SPGR board through a USB connector (J5 or J1).

2.3 Building and running on Windows

On a Windows host, three toolchains can be used to build the SPGR project: IAR, MDK, and MCUXpresso.

2.3.1 IAR IDE

Use the following guide to learn how to open, build, and download the SPGR using IAR IDE.
1. To build the SPGR project:
a. Open the SPGR workspace ("sec_programer.eww"). It is located in the "secure_programer\sec_
programer\buid\IAR" folder.
b. Click the “Make” button ( ) to build the application.
2. Run the SPGR application
a. Connect the development platform to your PC via a J-Link or MCU-LINK cable to port J8.
b. Power the board on.
c. Click the "Download and Debug" button ( ) to download the SPGR to the target.
d. Run the code by clicking the "Go" button ( ) to start the application.

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

6 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

2.3.2 MDK IDE

Use the following guide to learn how to open, build, and downoad the SPGR using the MDK IDE.
1. To install the CMSIS device pack:
a. Open the SPGR workspace ("sec_programer.uvmpw"). It is located in the "secure_programer\sec_
programer\buid\Keil" folder.
b. If you do not have the pack for MIMXRT1021, the IDE tells you to install the pack.
c. In the "Pack Installer" window, navigate to the "Devices" tab and select the MIMXRT1021 device under
"NXP".

Figure 5. RT1021 pack

2. In the "Packs" tab, install the DFP for the MIMXRT1020-EVK board. The DFP is named
"NXP::MIMXRT1021_DFP". Click the "Install" button next to the pack. This process requires Internet
connection to successfully complete.

Figure 6. RT1021 pack installation

3. After the installation finishes, close the "Pack Installer" window and return to the µVision IDE.
4. Build the SPGR project:
a. Select the “Rebuild” button ( ) to build the SPGR project.
5. Run the SPGR application:
a. Connect the development platform to your PC via a J-Link or MCU-LINK cable to port J8.
b. Power the board on.
c. Click the "Download" button ( ) to download the SPGR to the target.
d. Power the board off/on to start the application.

2.3.3 MCUXpresso IDE

Use the following guide to learn how to open, build, and download the SPGR using MCUXpresso IDE.
1. Import the RT1020 SDK:
a. Open the MCUXpresso IDE.
b. Choose a directory on your computer as a workspace.
c. Switch to the "Installed SDKs" view in the MCUXpresso IDE window.

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

7 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

Figure 7. Installed SDKs view

2. Open Windows Explorer and drag and drop the EVK-MIMXRT1020 SDK ZIP file into the "Installed
SDKs" view.
3. You get a prompt. Click the "OK" button to continue the import.
4. The installed SDK appears in the "Installed SDKs" view, as shown in Figure 7.

Figure 8. Installed SDKs

5. Import the SPGR project:
a. Open the “Import Projects from file system” view from "File -> Open Projects from File System" in the
"Quickstart Panel" in the lower left-hand corner.

Figure 9. Open Projects from File System

6. Select "secure_programer\sec_programer\buid\mcux_sec_programmer" as the project folder.

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

8 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

Figure 10. Selecting project folder

7. You get a prompt. Click the "Finish" button to import.
8. Build the SPGR project:
a. Build the project by clicking the project name and then clicking the "Build" icon.

Figure 11. Build

9. You can see the status of the build in the "Console" tab.

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

9 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

Figure 12. Build log

10. Run the SPGR application:
a. Connect the development platform to your PC via a J-Link or MCU-LINK cable to port J8.
b. Power the board on.
c. Click the "Debug" button in the "QuickStart Panel".

Figure 13. Debug

11. MCUXpresso IDE probes for connected boards and it should find the J-Link/MCU-Link debug probe. Click
the "OK" button to continue.

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

10 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

Figure 14. J-Link probe

12. The firmware is downloaded to the board and the debugger starts.

Figure 15. Stop at main

13. Start the application by clicking the "Resume" button ( ).

3 MCU flash program

This section describes how to select a target device and integrate flash programming algorithms. SPGR-MP
acts as a host and enables the Flash programming.

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

11 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

3.1 Selecting programmer target

SPGR-MP reads the JSON configuration file in the SD card to decide which target platform is programmed. You
must select a correct JSON configuration file in the target menu.
The configuration snippet for flash programming is as follows:

"processor": "RT1170",
"imgs" : [
{
"image_path": "hello_world.bin",
"load_address": 805307392
}
],

The description of fields in the image-configuration JSON file is as follows:

• processor: target processor, such as RT1170, RT1060, RT1050, RT1020, RT1010
• image_path: path to the BIN file with the application (image) to be processed
• load_address: the start address of the image in the flash in decimal
You can specify more than one image in the JSON configuration file.

3.2 Flash algorithm

Flash programming algorithms are pieces of software to erase or download applications to Flash devices.
There is a default Flash on each EVK board. In the SPGR-MP project, it integrates the Flash algorithm for that
Flash and allows you to program/reprogram default flash devices on the EVK board. If you use the Flash with
a different EVK board, change the Flash algorithm in the project. You may check if a Flash algorithms already
exists for your Flash device. Many of the Flash algorithms are included in the Arm CMSIS Device Family Packs
(DFPs). If so, you can find the related FLM file and reuse it. You can also make flash algorithms yourself. See
https://www.keil.com/pack/doc/cmsis/Pack/html/flashAlgorithm.html for more detail.
SPGR-MP does not use the FLM file directly. You must extract the flash programming blobs (instruction arrays),
which are loaded into the target MCU RAM.
The generate_blobs.py open-source tool extracts the Flash-programming blobs into the "secure_programer
\tools\FlashAlgo" folder.
Install the necessary package list in the "requirements.txt" file:

pip install -r requirements.txt

Using the below command, you can see the generated "c_blob.c" file. It is the final file we use.

python generate_blobs.py --blob_start 0x20000000 MIMXRT10xx.FLM

You can rename the "c_blob.c" file and integrate it into a project, as shown in Section 3.3. You may change the
RAM base address to something other than the default value of "0x20000000". By default, the memory buffer
location (blob_start + 0xA00) is in the "c_blob.c" file. You may also have to update it.

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

12 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

3.3 Integrating flash algorithm blob

After generating the flash programming blob, use the blob file in the SPGR-MP project. Take RT1170 as an
example. You must create a file named "mimxrt1170_evk.c". This file must contain information about the chip
type, RAM, and Flash information. Then include the blob file as in the following example:

#include "target_board.h"
#include "target_family.h"
#include "flash_algorithm/mimxrt1170_spi_flash_blob.c" //rename c_blob.c

// target device information

static target_cfg_t target_device = {
.sectors_info = sectors_info,
.sector_info_length = (sizeof(sectors_info))/
(sizeof(sector_info_t)),
.flash_regions[0].start = 0x30000000,
.flash_regions[0].end = 0x30000000 + MB(64),
.flash_regions[0].flags = kRegionIsDefault,
.flash_regions[0].flash_algo = (program_target_t *) &flash,
.ram_regions[0].start = 0x20000000,
.ram_regions[0].end = 0x20000000 + 256u * 1024,
.ocotp_map = NULL,
.ocotp_algo = NULL,
};

const board_info_t g_board_mimxrt1170 = {

.daplink_drive_name = "RT1170",
.target_cfg = &target_device,
};

Insert the "g_board_mimxrt1170" structure into the board list in the "target_devices.c" file, as follows:

extern const board_info_t g_board_mimxrt1170;

const board_info_t *g_board_info[] = {
&g_board_mimxrt1050,
&g_board_mimxrt1020,
&g_board_mimxrt1060,
&g_board_mimxrt1170,
};

3.4 Image storage

SPGR-MP uses an SD card with a FatFs file system to manage the configuration file and the image file. The
FatFs module is a free software designed for small embedded systems. For an SD card without the FatFs file
system, use the "sdcard_fatfs" demo project in the NXP RT series SDK to mount a FatFs file system. The image
file name and the load address are specified in the configuration file. The firmware in RT1020 finds out all the
configuration files and lists them in the target menu.

4 SPGR USB dongle

The SPGR USB dongle is used to store sensitive keys/settings. It is based on LPC55s69. It communicates with
the SPGR main board using the USB CCID protocol. You can use an LPC55s69 DK board instead of the SPGR
USB dongle. The binary image for LPC55S69 is in the release package. You can program the binary as follows:

blhost -p COMxx write-memory 0 <path to the plain text(.bin)>

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

13 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

5 MCU fuse provisioning

This section describes how to program the on-chip one-time programmable fuses. The NXP i.MX RT series
provides several security features, most of which are controlled using OTP fuses. The OCOTP configuration for
programs and reads is performed using 32-bit words for software convenience.

5.1 Selecting a fuse

The SPGR-MP reads the fuse configuration from a selected JSON configuration file to decide which fuse will be
provisioning. There is a fuse map for each supported platform in the SPGR-MP. It contains fuse-configuration
recommendations. Some sensitive fuse values are stored in the SPGR-UD. The SPGR-MP reads fuse values
from the SPGR-UD according to configuration information in the JSON file and finds the related fuse index
using a fuse map.

5.2 Fuse-provisioning algorithm

Fuse-provisioning algorithms are software to write a fuse value to a correct fuse region. The procedure of
making fuse-provisioning algorithms is similar to creating a flash algorithm. In fact, we reuse the project of
creating a flash algorithm to generate fuse-provisioning algorithms. The existing project of fuse-provisioning
algorithms is in the "secure_programer\tools" folder.
The SPGR-MP does not use the FLM file generated by a fuse-provisioning algorithm project directly. You must
extract the fuse-programming blobs (instruction arrays) which are loaded into the target MCU RAM from the
FLM file.
The "generate_blobs.py" tool to extract the fuse-provisioning blobs is in the "secure_programer\tools
\OCOTPAlgo" folder.
Using the following command, you can see the generated "c_blob.c" file. It is the final file to use.

python generate_blobs.py --blob_start 0x20000000 xx.FLM

5.3 Integrating OCOTP algorithm blob

After generating the fuse-provisioning blob, use the blob file in the SPGR-MP project. Include the blob file
generated in Section 5.2.
The following is an example for RT1170:

#include "flash_algorithm/mimxrt1170_ocotp_blob.c" // Rename c_blob.c here

// target device information

static target_cfg_t target_device = {
.sectors_info = sectors_info,
.sector_info_length = (sizeof(sectors_info))/
(sizeof(sector_info_t)),
.flash_regions[0].start = 0x30000000,
.flash_regions[0].end = 0x30000000 + MB(64),
.flash_regions[0].flags = kRegionIsDefault,
.flash_regions[0].flash_algo = (program_target_t *) &flash,
.ram_regions[0].start = 0x20000000,
.ram_regions[0].end = 0x20000000 + 256u * 1024,
.ocotp_map = NULL,
.ocotp_algo = (void *)&ocotp,
};

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

14 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

5.4 Fusemap
The fusemap collects some fuses that are implemented to write to a target in the SPGR-MP project. The
structure of a fusemap is as follows:

typedef struct _efuse_map_tag {

const char *fuseName;
uint8_t inConfigFile;
uint8_t cfgType;
uint16_t size;
uint32_t progVal;
uint32_t validateVal;
uint16_t firstIndex;
} efuse_map_t;

If the "progVal" is 0, the SPGR-MP tries to get the fuse value from the SPGR-UD. If the item is in the "efuse"
map and it is not controlled by a configuration file, that "efuse" is provisioning.
Put the definition of the "efusemap" to the structure of the target device information.

static target_cfg_t target_device = {

.sectors_info = sectors_info,
.sector_info_length = (sizeof(sectors_info))/
(sizeof(sector_info_t)),
.flash_regions[0].start = 0x60000000,
.flash_regions[0].end = 0x60000000 + MB(64),
.flash_regions[0].flags = kRegionIsDefault,
.flash_regions[0].flash_algo = (program_target_t *) &flash,
.ram_regions[0].start = 0x20000000,
.ram_regions[0].end = 0x20000000 + MB(64),
.ocotp_map = (void *)rt1170_efuse_map,
.ocotp_algo = (void *)&ocotp,
};

6 Manual programming
This section shows how to program the Flash/OTP and unlock a secure JTAG.

6.1 QSPI program

To download an image into the target, perform the following steps:
1. Copy the "xx.json" configuration file and image into the SD card.
2. Insert the SD card into the programmer board.
3. Power on the programmer. You may see the menu shown in Figure 16.

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

15 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

Figure 16. Main menu

4. Power on the target board and connect it to a programmer.
5. Select the "Target" menu using the SW4 and SW5 buttons and press the SW3 button to enter the "Target"
menu.

Figure 17. Target menu

6. Select a correct JSON configuration file using the "Prev" or "Next" buttons.
7. Select the "OK" button and press the SW3 button to return to the main menu.
8. Select the "Flash" menu and press the SW3 button to enter it.

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

16 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

Figure 18. Flash menu

9. Select the "Flash" button and press the SW3 button to start programming. The output is displayed in the log
window.

Figure 19. Programming log

Note: Do not power on the target EVK board with the USB port which connects to the DAP-Link debugger.

6.2 OTP program

To burn the OTP, perform the following steps:
1. Copy the "xx.json" configuration file and image into an SD card.
2. Insert the SD card into the programmer board.
3. Insert the USB CCID card into the P1 programmer port.
4. Power on the programmer.
5. Power on the target board and connect it to the programmer.
6. Select the "Target" menu using the SW4 and SW5 buttons and press the SW3 button to enter the "Target"
menu.
7. Select a correct JSON configuration file using the "Prev" or "Next" buttons.
8. Select the "OK" button and press the SW3 button to return to the main menu.

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

17 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

9. Select the "Fuse" menu using the SW4 and SW5 buttons and press the SW3 button to enter it.

Figure 20. Fuse menu

10. Select the "Burn" button and press the SW3 button to start burning. The result is displayed in the log
window.

Figure 21. Burning fuse log

6.3 Debug unlocking

To unlock the debug, perform the following steps:
1. Copy the "xx.json" configuration file and image into an SD card.
2. Insert the SD card into the programmer board.
3. Insert the USB CCID card into the P1 programmer port.
4. Power on the programmer.
5. Power on the target board and connect it to the programmer.
6. Select the "Target" menu using the SW4 and SW5 buttons and press the SW3 button to enter the "Target"
menu.
7. Select a correct JSON configuration file using the "Prev" or "Next" button.
8. Select the "OK" button and press the SW3 button to return to the main menu.
9. Select the "Secure Debug" menu using the SW4 and SW5 buttons and press the SW3 button to enter it.
MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

18 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

Figure 22. Debug unlock menu

10. Select the "Debug Unlock" button and press the SW3 button to perform challenge/response-based
authentication mechanism. The result is displayed in the log window.

Figure 23. Debug Unlock Log

Note: Connect pin 19 of J7 on the programmer board to the JTAG_MOD pin on the target EVK board to put the
chip into the secure JTAG mode.

7 JSON configuration files

JSON files contain all parameters used to control user image and OTP configuration.

7.1 Example configuration file for RT1170

The example structure of a JSON image configuration file is as follows:

{
"processor": "RT1170",
"sjc_en": false,
"imgs" : [
{
MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

19 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

"image_path": "image1.bin",
"load_address": 805307392
},
{
"image_path": "image2.bin",
"load_address": 806354944
}
],
"ocotp" : [
{
"srkh":
"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
},
{
"img_keys": true
},
{
"hab_mode": true
},
{
"sjc_resp": true
},
{
"img_keys_lock": true
},
{
"sjc_resp_lock": true
}
]
}

The description of fields in an image-configuration JSON file is as follows:

• "processor": chip type, RT1170
• "sjc_en": [false, true] if enabling SJC mode
• "image_path": path to BIN file with application (image) to be processed
• "load_address": load address of input image
• "srkh ": hex string for super root key table
• "img_keys": [false, true] if burning image keys
• "hab_mode": [false, true] if enabling HAB mode
• "sjc_resp": [false, true] if burning SJC response
• "img_keys_lock": [false, true] if burning lock bit for image key
• "sjc_resp_lock": [false, true] if burning lock bit for SJC response

7.2 Example configuration file for RT1060/50/20

RT1050 has the same configuration file as RT1060. The example structure of a JSON image-configuration file is
as follows:

{
"processor": "RT1060",
"imgs" : [
{
"image_path": "image1.bin",
"load_address": 1610612736
},
{
MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

20 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

"image_path": "image2.bin",
"load_address": 1611661312
}
],
"ocotp" : [
{
"srkh":
"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
},
{
"img_keys": true
},
{
"hab_mode": true
},
{
"sjc_resp": true
},
{
"img_keys_lock": true
},
{
"sjc_resp_lock": true
}
]
}

The description of fields in an image-configuration JSON file is as follows:

• "processor": chip type, [RT1060, RT150, RT1020]
• "image_path": path to BIN file with application (image) to be processed
• "load_address": load address of input image
• "srkh ": HEX string for super root key table
• "img_keys": [false, true] if burning image keys
• "hab_mode": [false, true] if enabling HAB mode
• "sjc_resp": [false, true] if burning SJC response
• "img_keys_lock": [false, true] if burning lock bit for image key
• "sjc_resp_lock": [false, true] if burning lock bit for SJC response

7.3 Example configuration file for RT1010

The example structure of a JSON image configuration file is as follows:

{
"processor": "RT1010",
"imgs" : [
{
"image_path": "image1.bin",
"load_address": 1610613760
},
{
"image_path": "image2.bin",
"load_address": 1611661312
}
],
"ocotp" : [
{

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

21 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

"srkh":
"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
},
{
"img_keys": true
},
{
"hab_mode": true
},
{
"sjc_resp": true
},
{
"img_keys_lock": true
},
{
"sjc_resp_lock": true
},
{
"otfad_key_scramble": false
},
{
"otfad_cfg": false
}
]
}

The description of fields in an image configuration JSON file is as follows:

• "processor": chip type, [RT1010]
• "image_path": path to BIN file with application (image) to be processed
• "load_address": load address of input image
• "srkh ": HEX string for super root key table
• "img_keys": [false, true] if burning image keys
• "hab_mode": [false, true] if enabling HAB mode
• "sjc_resp": [false, true] if burning SJC response
• "img_keys_lock": [false, true] if burning lock bit for image key
• "sjc_resp_lock": [false, true] if burning lock bit for SJC response
• "otfad_key_scramble": [false, true] if burning OTFAD key scramble value
• "otfad_cfg": [false, true] if burning OTFAD configuration

8 Note about the source code in the document

Example code shown in this document has the following copyright and BSD-3-Clause license:
Copyright 2023 NXP Redistribution and use in source and binary forms, with or without modification, are
permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials must be provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or
promote products derived from this software without specific prior written permission.

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

22 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.

9 Revision history
Table 4. Revision history
Revision number Release date Description
1 15 November 2023 Initial external release

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

23 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

Legal information
Definitions Limiting values — Stress above one or more limiting values (as defined in
the Absolute Maximum Ratings System of IEC 60134) will cause permanent
damage to the device. Limiting values are stress ratings only and (proper)
Draft — A draft status on a document indicates that the content is still operation of the device at these or any other conditions above those
under internal review and subject to formal approval, which may result given in the Recommended operating conditions section (if present) or the
in modifications or additions. NXP Semiconductors does not give any Characteristics sections of this document is not warranted. Constant or
representations or warranties as to the accuracy or completeness of repeated exposure to limiting values will permanently and irreversibly affect
information included in a draft version of a document and shall have no the quality and reliability of the device.
liability for the consequences of use of such information.
Terms and conditions of commercial sale — NXP Semiconductors
products are sold subject to the general terms and conditions of commercial
Disclaimers sale, as published at https://www.nxp.com/profile/terms, unless otherwise
agreed in a valid written individual agreement. In case an individual
agreement is concluded only the terms and conditions of the respective
Limited warranty and liability — Information in this document is believed
agreement shall apply. NXP Semiconductors hereby expressly objects to
to be accurate and reliable. However, NXP Semiconductors does not give
applying the customer’s general terms and conditions with regard to the
any representations or warranties, expressed or implied, as to the accuracy
purchase of NXP Semiconductors products by customer.
or completeness of such information and shall have no liability for the
consequences of use of such information. NXP Semiconductors takes no
responsibility for the content in this document if provided by an information No offer to sell or license — Nothing in this document may be interpreted
source outside of NXP Semiconductors. or construed as an offer to sell products that is open for acceptance or
the grant, conveyance or implication of any license under any copyrights,
In no event shall NXP Semiconductors be liable for any indirect, incidental,
patents or other industrial or intellectual property rights.
punitive, special or consequential damages (including - without limitation -
lost profits, lost savings, business interruption, costs related to the removal
Quick reference data — The Quick reference data is an extract of the
or replacement of any products or rework charges) whether or not such
product data given in the Limiting values and Characteristics sections of this
damages are based on tort (including negligence), warranty, breach of
document, and as such is not complete, exhaustive or legally binding.
contract or any other legal theory.
Notwithstanding any damages that customer might incur for any reason
Export control — This document as well as the item(s) described herein
whatsoever, NXP Semiconductors’ aggregate and cumulative liability
may be subject to export control regulations. Export might require a prior
towards customer for the products described herein shall be limited in
authorization from competent authorities.
accordance with the Terms and conditions of commercial sale of NXP
Semiconductors.
Suitability for use in non-automotive qualified products — Unless
this document expressly states that this specific NXP Semiconductors
Right to make changes — NXP Semiconductors reserves the right to
product is automotive qualified, the product is not suitable for automotive
make changes to information published in this document, including without
use. It is neither qualified nor tested in accordance with automotive testing
limitation specifications and product descriptions, at any time and without
or application requirements. NXP Semiconductors accepts no liability for
notice. This document supersedes and replaces all information supplied prior
inclusion and/or use of non-automotive qualified products in automotive
to the publication hereof.
equipment or applications.
In the event that customer uses the product for design-in and use in
Suitability for use — NXP Semiconductors products are not designed,
automotive applications to automotive specifications and standards,
authorized or warranted to be suitable for use in life support, life-critical or
customer (a) shall use the product without NXP Semiconductors’ warranty
safety-critical systems or equipment, nor in applications where failure or
of the product for such automotive applications, use and specifications, and
malfunction of an NXP Semiconductors product can reasonably be expected
(b) whenever customer uses the product for automotive applications beyond
to result in personal injury, death or severe property or environmental
NXP Semiconductors’ specifications such use shall be solely at customer’s
damage. NXP Semiconductors and its suppliers accept no liability for
own risk, and (c) customer fully indemnifies NXP Semiconductors for any
inclusion and/or use of NXP Semiconductors products in such equipment or
liability, damages or failed product claims resulting from customer design and
applications and therefore such inclusion and/or use is at the customer’s own
use of the product for automotive applications beyond NXP Semiconductors’
risk.
standard warranty and NXP Semiconductors’ product specifications.
Applications — Applications that are described herein for any of these
Translations — A non-English (translated) version of a document, including
products are for illustrative purposes only. NXP Semiconductors makes no
the legal information in that document, is for reference only. The English
representation or warranty that such applications will be suitable for the
version shall prevail in case of any discrepancy between the translated and
specified use without further testing or modification.
English versions.
Customers are responsible for the design and operation of their
applications and products using NXP Semiconductors products, and NXP
Security — Customer understands that all NXP products may be subject to
Semiconductors accepts no liability for any assistance with applications or
unidentified vulnerabilities or may support established security standards or
customer product design. It is customer’s sole responsibility to determine
specifications with known limitations. Customer is responsible for the design
whether the NXP Semiconductors product is suitable and fit for the
and operation of its applications and products throughout their lifecycles
customer’s applications and products planned, as well as for the planned
to reduce the effect of these vulnerabilities on customer’s applications
application and use of customer’s third party customer(s). Customers should
and products. Customer’s responsibility also extends to other open and/or
provide appropriate design and operating safeguards to minimize the risks
proprietary technologies supported by NXP products for use in customer’s
associated with their applications and products.
applications. NXP accepts no liability for any vulnerability. Customer should
NXP Semiconductors does not accept any liability related to any default, regularly check security updates from NXP and follow up appropriately.
damage, costs or problem which is based on any weakness or default
Customer shall select products with security features that best meet rules,
in the customer’s applications or products, or the application or use by
regulations, and standards of the intended application and make the
customer’s third party customer(s). Customer is responsible for doing all
ultimate design decisions regarding its products and is solely responsible
necessary testing for the customer’s applications and products using NXP
for compliance with all legal, regulatory, and security related requirements
Semiconductors products in order to avoid a default of the applications
concerning its products, regardless of any information or support that may be
and the products or of the application or use by customer’s third party
provided by NXP.
customer(s). NXP does not accept any liability in this respect.
NXP has a Product Security Incident Response Team (PSIRT) (reachable
at PSIRT@nxp.com) that manages the investigation, reporting, and solution
release to security vulnerabilities of NXP products.

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

24 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

AMBA, Arm, Arm7, Arm7TDMI, Arm9, Arm11, Artisan, big.LITTLE,

Trademarks Cordio, CoreLink, CoreSight, Cortex, DesignStart, DynamIQ, Jazelle,
Keil, Mali, Mbed, Mbed Enabled, NEON, POP, RealView, SecurCore,
Socrates, Thumb, TrustZone, ULINK, ULINK2, ULINK-ME, ULINK-
Notice: All referenced brands, product names, service names, and
PLUS, ULINKpro, μVision, Versatile — are trademarks and/or registered
trademarks are the property of their respective owners.
trademarks of Arm Limited (or its subsidiaries or affiliates) in the US and/or
NXP — wordmark and logo are trademarks of NXP B.V. elsewhere. The related technology may be protected by any or all of patents,
Amazon Web Services, AWS, the Powered by AWS logo, and FreeRTOS copyrights, designs and trade secrets. All rights reserved.
— are trademarks of Amazon.com, Inc. or its affiliates. IAR — is a trademark of IAR Systems AB.
i.MX — is a trademark of NXP B.V.
J-Link — is a trademark of SEGGER Microcontroller GmbH.
Microsoft, Azure, and ThreadX — are trademarks of the Microsoft group of
companies.

MCUSOPUG All information provided in this document is subject to legal disclaimers. © 2023 NXP B.V. All rights reserved.

User guide Rev. 1 — 15 November 2023

25 / 26
NXP Semiconductors
MCUSOPUG
MCU Secure Offline Programmer User Guide

Contents
1 Introduction ...................................................... 2
1.1 Acronyms and abbreviations ............................. 2
1.2 About MCU SPGR .............................................3
1.3 Features .............................................................3
1.4 Supported MCU boards as target ......................4
1.5 SPGR directory organization ............................. 4
1.6 Host system requirements .................................5
2 Quick start ........................................................5
2.1 Getting familiar with the board ...........................5
2.2 Connecting the board ........................................ 6
2.3 Building and running on Windows ..................... 6
2.3.1 IAR IDE ..............................................................6
2.3.2 MDK IDE ............................................................7
2.3.3 MCUXpresso IDE .............................................. 7
3 MCU flash program ....................................... 11
3.1 Selecting programmer target ........................... 12
3.2 Flash algorithm ................................................ 12
3.3 Integrating flash algorithm blob ....................... 13
3.4 Image storage ..................................................13
4 SPGR USB dongle ......................................... 13
5 MCU fuse provisioning ................................. 14
5.1 Selecting a fuse ...............................................14
5.2 Fuse-provisioning algorithm .............................14
5.3 Integrating OCOTP algorithm blob .................. 14
5.4 Fusemap .......................................................... 15
6 Manual programming .................................... 15
6.1 QSPI program ..................................................15
6.2 OTP program ...................................................17
6.3 Debug unlocking .............................................. 18
7 JSON configuration files ...............................19
7.1 Example configuration file for RT1170 ............. 19
7.2 Example configuration file for
RT1060/50/20 .................................................. 20
7.3 Example configuration file for RT1010 .............21
8 Note about the source code in the
document ........................................................22
9 Revision history .............................................23
Legal information ...........................................24

Please be aware that important notices concerning this document and the product(s)
described herein, have been included in section 'Legal information'.

© 2023 NXP B.V. All rights reserved.

For more information, please visit: https://www.nxp.com
Date of release: 15 November 2023
Document identifier: MCUSOPUG