nRF Connect SDK Intermediate

Lesson 1 – Zephyr RTOS: Beyond the basics
7 Topics | 1 Quiz
Boot-up sequence & execution context
Thread life cycle
Scheduler in-depth
Data passing
Exercise 1 – Exploring threads and ISRs
Exercise 2 – Kernel options
Summary
Lesson 1 quiz
Lesson 2 – Debugging and troubleshooting
7 Topics | 1 Quiz
Debugging in nRF Connect for VS Code
Build errors and fatal errors
Troubleshooting the devicetree
Physical debugging
Exercise 1 – Advanced debugging in nRF Connect for VS Code
Exercise 2 – Debugging with core dump and addr2line
Exercise 3 – Debugging the devicetree
Lesson 2 quiz
Lesson 3 – Adding custom board support
5 Topics | 1 Quiz
Board definition
Creating board files
Board files for multi-core hardware & TF-M
Exercise 1 – Custom board for single-core SoC
Exercise 2 – Custom board for a multi-core & TF-M capable SoC/SiP
Lesson 3 quiz
Lesson 4 – Pulse Width Modulation (PWM)
4 Topics | 1 Quiz
Pulse Width Modulation (PWM)
Zephyr PWM API
Exercise 1 – Controlling an LED with PWM
Exercise 2 – Using PWM to control a servo motor
Lesson 4 quiz
Lesson 5 – Serial Peripheral Interface (SPI)
4 Topics | 1 Quiz
Serial Peripheral Interface (SPI)
Zephyr SPI API
Exercise 1 – Interfacing with a sensor over SPI
Exercise 2 – Interfacing with a TFT screen
Lesson 5 quiz
Lesson 6 – Analog-to-digital converter (ADC)
5 Topics | 1 Quiz
ADC peripheral on Nordic devices
Choosing between Zephyr ADC API and nrfx SAADC driver API
Exercise 1 – Interfacing with ADC using Zephyr API
Exercise 2 – Interfacing with ADC using nrfx driver and software timers
Exercise 3 – Interfacing with ADC using nrfx drivers and TIMER/PPI
Lesson 6 quiz
Lesson 7 – Device driver model
4 Topics | 1 Quiz
Device driver model
Device driver implementation
Setting up a west workspace
Exercise 1 – Creating a custom driver using the sensor API
Lesson 7 quiz
Lesson 8 – Sysbuild
5 Topics | 1 Quiz
Sysbuild explained
Sysbuild configuration
Sysbuild – Partition Manager
Exercise 1 – Configuring extra image
Exercise 2 – Adding custom image
Lesson 8 quiz
Lesson 9 – Bootloaders and DFU/FOTA
12 Topics | 1 Quiz
Bootloader basics
Application verification
Device Firmware Update (DFU) essentials
MCUboot, and relevant libraries
DFU for the nRF5340 SoC
Exercise 1 – DFU over UART
Exercise 2 – DFU with custom keys
Exercise 3 – DFU with external flash
Exercise 4 – DFU over USB
Exercise 5 – FOTA over Bluetooth Low Energy
Exercise 6 – FOTA over LTE-M/NB-IoT
Exercise 7 – FOTA over Wi-Fi
Lesson 9 quiz
Get your Certificate!
Feedback
Feedback

If you are having issues with the exercises, please create a ticket on DevZone: devzone.nordicsemi.com
Click or drag files to this area to upload. You can upload up to 2 files.
Register

Exercise 2 – DFU with custom keys

v2.9.0 – v2.7.0

In this exercise, we will learn how to sign DFU images using custom keys. Only individuals with a valid key can perform a DFU on a device.

As covered in the Application verification topic. Signing a Device Firmware Update (DFU) image ensures its authenticity and integrity. A cryptographic signature is generated using a private key and attached to the DFU image. The device uses the corresponding public key to verify the signature, confirming the image is from a trusted source and has not been tampered with. The public key is automatically generated from the private key and stored in the MCUboot image.

The more observant readers might have noticed the following warning from the build logs so far:

      ---------------------------------------------------------
      --- WARNING: Using default MCUBoot key, it should not ---
      --- be used for production.                           ---
      ---------------------------------------------------------
Terminal

When building for MCUboot, a default signing key is used to ease development. For production, it is extremely important to use your own key instead!

MCUboot has a set of default keys, which can be found here. If we do not configure the application to use a custom key, anyone will be able to upload DFU to our device!

Using the Key Management Unit (KMU) on the nRF54L Series to store the public key

The nRF54L Series SoCs ( nRF54L15, nRF54L10, nRF54L05) are equipped with a Hardware Key Management Unit (KMU) that provides:

  • Safe storage for cryptographic keys
  • Direct key transfer to CRACEN RAM
  • Protection against unauthorized access

On the nRF54L Series, two options are available for storing the public key used to verify the signature on an image in the SoC.

  1. Store it in the MCUboot bootloader image itself. In this approach, the build system embeds the public key within the MCUboot bootloader image automatically
  2. Store it in the KMU (Recommended). Requires manual provisioning of the public key.

In this exercise, we will cover both approaches.

The tab “All other DKs” describes method 1, which, by the way, can also be done on the nRF54L Series SoCs

The tab “nRF54L15 DK” describes the KMU approach, which is only applicable to the nRF54L15 DK and is the recommended approach for the nRF54L Series devices.

Exercise steps

1. Creating the key.

You can create the key however you want; It is nothing but a normal key in .pem format. We will use the imgtool.py bundled with the nRF Connect SDK as an example.

1.1 To set our own key, we first need to generate a key. We will use imgtool for this:

python3 <NCS_PATH>/bootloader/mcuboot/scripts/imgtool.py keygen -t ecdsa-p256 -k private_key.pem
Terminal command

Use this command if you want to store the public key using the KMU on the nRF54L Series.

Note: only ED25519 keys are supported.

python3 <NCS_PATH>/bootloader/mcuboot/scripts/imgtool.py keygen -t ed25519 -k private_key.pem
Terminal command

1.2 Back up the key to somewhere safe. It is not uncommon to lose the key and thus be unable to ever do DFU on the devices again.

2. Configure the project to use this key.

Next up, we will configure the project to use this key. The key is used both by MCUboot to generate a custom key, and by Sysbuild to automatically create and sign DFU files. Therefore, this is set in Sysbuild Kconfig.

2.1 To configure our project to use this key, we will follow docs at Bootloader & DFU -> Signature keys. We set the path to the key in sysbuild.conf. We can use the full path of the key if it is stored elsewhere on the PC, but for this example, the key is stored in the project folder, and we will use ${APP_DIR}:

# STEP 2.1 - Add private key for MCUboot
SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APP_DIR}/private_key.pem"
Kconfig

2.2 Next, we should configure the key type to match the key we generated in step 1.1.

# STEP 2.2. - Configure key type
SB_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
Kconfig

On the nRF54L15 DK, we need to enable the following two parameters:

SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU – This option enables using Key Management Unit (KMU) to store keys for signature verification instead of compiling key data into the MCUboot bootloader image. Using KMU requires manually provisioning the public key, which is done in the next step.

The SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519 is to select the type of key. 

# STEP 2.2. - Configure key type
SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
Kconfig

2.3 Provision the public key to the device. THIS STEP IS ONLY APPLICABLE TO THE nRF54L15 DK. Skip this step if you are using other DKs.

No action is needed here. The public key will be stored in the MCUboot bootloader image automatically by the build system

If you are using the KMU to store the public key (Only applicable for the nRF54L15 Series ). You need to upload the public key to the device; the build system does NOT do this automatically at this stage, and it needs to be done manually. The nRF Connect SDK provides a west command, ncs-provision, allowing the upload of keys to the device through the Serial Write Debug (SWD) interface.

 west ncs-provision upload -s nrf54l15 -k private_key.pem
Terminal command

You should expect an output similar to this :

2025-02-18 14:05:29,955 INFO     nrfprovision.py:520  [main                  ] : Provision of keyslot executed, id = 226
2025-02-18 14:05:29,955 INFO     nrfprovision.py:411  [verify_pubkey         ] : Verify keyslot through readback of push destination address     
2025-02-18 14:05:29,970 INFO     nrfprovision.py:420  [verify_pubkey         ] : Asymmetric key sucsessfully provisioned
Terminal

For more information about provisioning on the nRF54L Series, you can read Performing KMU provisioning

on our technical documentation.

3. Build the project again.

  • Build (pristine build) the project and flash it normally.

During this step, you can observe that the warning about the missing key is gone and build logs lists that we are using our key.

MCUBoot bootloader key file: <PATH>/ncs-inter/v2.9.0-v2.7.0/l9/l9_e2/private_key.pem
Terminal

  • Change led blinking period and build (do not flash)
  • Use AuTerm to upload a new DFU image
  • Reset the board

Recall

These steps are described in details in Exercise 1, sections: 5.3-5.4

4. Check that it fails with the wrong key.

Lastly, checking that it fails with the wrong key is a good idea.

4.1 Generate a new custom key. Save this key as a different file to avoid losing the correct one.

python3 <NCS_PATH>/bootloader/mcuboot/scripts/imgtool.py keygen -t ecdsa-p256 -k do_not_use_this_key.pem
Terminal command
python3 <NCS_PATH>/bootloader/mcuboot/scripts/imgtool.py keygen -t ed25519 -k do_not_use_this_key.pem
Terminal command

Next, update sysbuild configuration to use the newly generated key.

SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APP_DIR}/do_not_use_this_key.pem"
Kconfig

4.2 Now, try to do DFU over UART as we learned in Exercise 1 (sections: 5.3 – 5.4) with the new zephyr.signed.bin. Since this one uses a different key than the one we flashed in step 3 , DFU should fail with the error (remember to close AuTerm before connecting serial terminal in VSCode and resetting the board):

5. Update the board again by changing the key.

It is possible to update the board again by changing the key to the proper one and pristine build (it will cause signing firmware again with the correct key).

SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APP_DIR}/private_key.pem"
Kconfig
v2.6.2 – v2.5.2

Important

While the newest version of this exercise covers only custom keys, the v2.6.2 – v2.5.2 version of Exercise 2 covers USB, external flash and Custom keys. In other words, Exercise 2 (v2.6.2-v2.5.2) replaces all Exercises 2, 3 and 4 (v2.9.0 – v2.7.0).

In this exercise, we will modify the previous exercise (DFU over UART) to use DFU over USB instead. We will also cover external flash and custom keys.

Important

This exercise is only supported on nRF5340 DK, nRF52840 DK, nRF52833 DK, and nRF7002 DK since it requires an nRF SoC with a USB peripheral. For a list of which SoCs contain a USB peripheral, check the Nordic product guide.

We will use the Zephyr CDC ACM drivers to communicate over USB. For more information on this, you can see USB device support.

Exercise steps

1. Open the code base of the exercise by navigating to Create a new application in the nRF Connect for VS Code extension, select Copy a sample, and search for Lesson 9 – Exercise 2. Exercise 2 base code is the Exercise 1 solution with comments renamed.

2. Enable CDC ACM for Serial Recovery.

To enable CDC ACM for Serial Recovery, add CONFIG_BOOT_SERIAL_CDC_ACM to child_image/mcuboot.conf.

3. Increase the partition for the MCUboot bootloader.

The partition for the MCUboot bootloader is not large enough for MCUboot with CDC ACM and USB drivers. This size is 0xC000 by default. To increase this, set CONFIG_PM_PARTITION_SIZE_MCUBOOT to 0x10000 in child_image/mcuboot.conf. Or It is possible to make MCUboot take less space. See for example this samples child_image/mcuboot/prj_release.conf.

Important

For the nRF7002 DK set CONFIG_PM_PARTITION_SIZE_MCUBOOT=0x20000 . For the nRF5340 DK set CONFIG_PM_PARTITION_SIZE_MCUBOOT=0x15000 . Otherwise, you will get a linker error.

4. Configure the application to use CDC ACM for DFU.

Next , we will change the application to use CDC ACM for DFU. The configuration we use here is inspired by the SMP Server sample.

4.1 As you can see. We have an app.overlay file in the application directory. This is one way to set devicetree overlays, but you can use other ways to do the same. In this app.overlay, we will first configure CDC ACM by adding the following:

4.2 Then we point the uart-mcumgr driver to CDC ACM . by adding the line zephyr,uart-mcumgr = &cdc_acm_uart0; as chosen.

4.3 Next, we will have to add Kconfig options to prj.conf:

4.4 Lastly, USB must be enabled in our source files (main.c). First, include the header file for USB

4.5 Enable USB

Testing

5. Build and flash the application to your board.

6. Connect your computer to the nRF USB port on the DK.

In this step, we will assume that the hardware has no Debugger/Interface MCU (IMCU) and we use the nRF USB port as the transport for the firmware images.

Disconnect your board from the regular Debugger USB port and connect to The nRF USB port. The nRF USB port is only available on the nRF5340 DK, nRF52840 DK, nRF52833 DK, and nRF7002 DK since it requires an nRF SoC with a USB peripheral. For a list of which SoCs contain a USB peripheral, check the Nordic product guide.

7. DFU over USB

7.1 The MCUmgr library will run in the background, letting you connect to the USB and do DFU while the application runs.

7.2 We can use mcumgr-cli to communicate with the DK. First, we will add a configuration to mcumgr-cli:

“testDK” here can be named whatever we want. COM22 should be changed to whatever port the DKs nRF USB is connected to. Please note that the COM port for nRF USB will not be listed in nRF Connect for VS Code. Use Device Manager in Windows or equivalent on Linux/macOS to find the port allocated to nRF USB. A list of supported mcumgr-cli commands can be found here.

7.3 Check the listing of current images on the DK:

This should return the slots available, as we have seen in the previous exercise.

7.4 Before we try to upload a new firmware image to the DK, we should change something in the code, so we can verify the change. This can, for example, be to change the delay in the blinky code. Then rebuild the code.

7.5 Now we can upload the new image firmware to the DK, using:

Then this should be the result. The upload is done in a separate thread in the background. So the current firmware should be running as normal.

7.6 Since we use a dual slot configuration, the uploaded application does not automatically run. To make the application swap into the primary slot, we must tag it with either “test” or “confirm”. Let’s do “test” first. First, we need to get the hash of the image:

Will return

Then we use the <HASH> to tag that slot as test, and reset:

The new image will be swapped into the primary slot and the old image to the secondary slot. We can check this with:

Which should return:

If we reset the board again, we can, in the same way, see that the image swaps back to the old firmware. This is because we passed test not confirm to mcumgr.

Adding External Flash

8. To increase the flash available for the application, we can add an external flash.

The MCUboot secondary partition can then be placed in the external flash, increasing the available space for the application.

Note

There is an MCUboot with external flash test in the nRF Connect SDK, which can be used as a reference.

The QSPI on the nRF7002 DK is used to connect the host MCU (nRF5340 SoC) to the Wi-Fi Companion IC (nRF7002 IC). Therefore, SPI is used to interface with the external memory, and special configurations are needed that are outlined here.

8.1 We can tell the partition manager that we are using an external flash. See External flash memory partitions. Then MCUboot will automatically be partitioned to use external flash for the mcuboot_seconary partition. To do this, set the chosen nordic,pm-ext-flash = &mx25r64; in both app.overlay and child_image/mcuboot.overlay:

8.2 The QSPI drivers needed for external flash on our development kits are not always automatically added to the MCUboot child image. We will add these to child_image/mcuboot.conf:

8.3 We also need to increase the number of sectors used by MCUboot now, as the partitions are larger:

8.4 Connect your computer to the DK debug port again (not nRF USB), and build and flash the new firmware.

8.5 To verify that the partitions have moved, use the Memory Report:

9. Disconnect from the debug port and connect to nRF USB port, you can retest the DFU over USB with External Flash by redoing steps 7.2 – 7.5.

nRF5340 update

The application core of the nRF5340 can be updated, as explained above.

When doing DFU from the application, no extra configurations are needed to update the network core. Another DFU package file must be used for the network core. Instead of app_update.bin, use net_core_app_update.bin.

However, for Serial Recovery, some extra configurations are needed to update the network core. The needed configurations are listed in our docs on Developing with nRF5340 DK: MCUboot’s serial recovery of the networking core image.

Custom key

The more observant readers might have noticed the following warning from the build logs so far:

When building for MCUboot, a default key is used to ease development. For production, it is extremely important to use your own key instead. If not, anyone could update your device with their code.

9.1 To set our own key, we first need to generate a key. We will use imgtool for this:

9.2 To configure our project to use this key, follow docs at MCUboot adding custom signature key file. We can do this in two different ways. Either we can set this key in child_image/mcuboot.conf.

As you can see, this uses the full path to the project, which is a limitation.
9.3 It is possible to use CMakeLists.txt to set the path relative to the project folder. This is more powerful but also more complex. To do this, set the following in CMakeLists.txt:

Here, you can use CMake variables and pathing to choose any folder, as seen relative to your project.
It is up to you if you want to use 9.2 or 9.3 in your project. I suggest that you try both and find out which you like the best.
These steps will not be included in the solution, as they require a generated key.

Make sure to Log in or Register to save your progress

Back
Next
Register an account
Already have an account? Log in
(All fields are required unless specified optional)

  • 8 or more characters
  • Upper and lower case letters
  • At least one number or special character

Forgot your password?
Enter the email associated with your account, and we will send you a link to reset your password.