SPRACZ6 December 2021 TDA4VH-Q1, TDA4VM, TDA4VM-Q1

 


Backup-Read Based Keywriter

The TDA4 ROM supports a backup OSPI offset. If the ROM does not find a valid image at the primary OSPI offset (offset 0), it jumps to this backup OSPI offset. For more information on the backup OSPI offset, see the device-specific TRM or data sheet.

This application note uses that mechanism to unlock JTAG. First, on an HS-FS device, the JTAG connection is available for the MCU R5F, so keywriter1 can be flashed using the CCS/JTAG-based flash writer tool; this application programs the customer key and converts the device to HS-SE. Along with keywriter1, the JTAG-based flash writer tool also flashes the second application, keywriter2, at the backup OSPI offset (that is, at offset 4MB). When the board is rebooted, the keywriter1 application flashes the customer keys and converts the HS-FS device into HS-SE. On the second reboot, since the keywriter1 application is not signed with the customer key, it is not valid, and the ROM jumps to the backup OSPI offset, where the customer-key-signed keywriter2 application is flashed. This application unlocks JTAG for the MCU R5F, after which CCS/JTAG-based flashing tools can be used to flash the rest of the binaries. The overall process is shown in Figure 4-1.

Figure 4-1 Backup-Read Based Keywriter Architecture

Two separate images therefore need to be built. The first is the default keywriter, named keywriter1, which can be compiled directly with the same steps mentioned in Chapter 3. The second image adds the JTAG unlock functionality to the keywriter application and integrates the HS-SE TIFS. It is named keywriter2 and needs the following additional steps:

  1. Comment out the actual key programming API in $SDK_PATH/ti-processor-sdk-rtos-j721e-evm-07_01_00_11/pdk_jacinto_07_01_00_45/packages/ti/boot/sbl/example/k3MulticoreApp/keywriter/main.c, and add a log message so that keywriter1 and keywriter2 can be distinguished after they are flashed together.
    UART_printf("Taking OTP configuration from 0x%x\n", (uint32_t *)keywriter_cert);
    /* Log marker that identifies this image as keywriter2 */
    UART_printf("this is keywriter2 in offset 4MB!\r\n");
    /* Key programming call is commented out in keywriter2 */
    // status = Sciclient_otpProcessKeyCfg((uint32_t *)keywriter_cert, SCICLIENT_SERVICE_WAIT_FOREVER, &debug_response);
    if (status != CSL_PASS){
        UART_printf("Something wrong happened!!\n");
    }
  2. Enable the R5F JTAG open/close flag in $SDK_PATH/ti-processor-sdk-rtos-j721e-evm-07_01_00_11/pdk_jacinto_07_01_00_45/ti/build/makerules/common.mk by adding the compile flag shown below.
    $(SBL_CERT_GEN) -b $(SBL_BIN_PATH) -o $(SBL_TIIMAGE_PATH) -c R5 -l $(SBL_RUN_ADDRESS) -k $($(APP_NAME)_SBL_CERT_KEY) -d DEBUG -j DBG_FULL_ENABLE -m $(SBL_MCU_STARTUP_MODE)
  3. Adopt the customer keys in the SDK and sign the keywriter with these keys. Make sure the customer keys are updated in the $SDK_PATH/ti-processor-sdk-rtos-j721e-evm-07_01_00_11/pdk_jacinto_07_01_00_45/packages/ti/boot/sbl/example/k3MulticoreApp/keywriter/scripts/keys folder. These keys must be exactly the same as the keys that keywriter1 was compiled with and flashed into the TDA4 silicon.
  4. Update the TIFS for the SE device. The TIFS is loaded into the keywriter in the form of an array. After the manual update, use the following commands; the array is updated after compiling.
    $ cp <pdk>/drv/sciclient/soc/V1/sciclient_firmware_V1-hs-enc.h <pdk>/<keywriter>/ti-fs-keywriter.h
    $ cp <pdk>/drv/sciclient/soc/V1/tifs-hs-enc <pdk>/<keywriter>/tifs_bin/ti-fs-keywriter.bin
  5. Compile the related libraries, the keywriter2 application, and the SBL. The following commands produce keywriter2 in the folder $SDK_PATH/pdk_jacinto_07_01_00_45/packages/ti/boot/sbl/example/k3MulticoreApp/binary and the updated SBL in $SDK_PATH/pdk_jacinto_07_01_00_45/packages/ti/binary/sbl_cust_img_hs.
    #make -s BOARD=j721e_evm BUILD_PROFILE=release sciclient_boardcfg BUILD_HS=yes
    #make sciclient_direct_hs
    #make keywriter_img -j8
    #make sbl_cust_img_hs -j8

After these keywriter1 and keywriter2 binaries are flashed to OSPI via JTAG on the HS-FS device, the first power cycle runs the keywriter1 application, which converts the HS-FS device to HS-SE by programming the keys. On the second power cycle, since the keywriter1 application can no longer be recognized, the system jumps to the second keywriter application, which programs TIFS and unlocks JTAG. To run the complete system function, the updated SBL should be flashed to OSPI address 0, and care should be taken to ensure that keywriter2 is not overwritten by the SBL or other images.
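
The requirement that keywriter2 at the 4MB backup offset is not overwritten can be checked before flashing. The following is an added example, not code from TI or the SDK: it checks a planned OSPI layout for images that would rewrite keywriter2, including through shared flash erase blocks. The image names, sizes and the 256 KiB erase-block size are constructed assumptions; only offset 0 and the 4MB backup offset come from the text.

```python
from itertools import combinations
from typing import NamedTuple

MiB = 1024 * 1024
BACKUP_OFFSET = 4 * MiB  # backup OSPI offset from the text (keywriter2)


class Image(NamedTuple):
    name: str
    offset: int  # OSPI byte offset the image is flashed to
    size: int    # image size in bytes


def erase_span(img, erase_block):
    """Byte range actually rewritten: the image widened to whole erase blocks."""
    start = img.offset - img.offset % erase_block
    end = -(-(img.offset + img.size) // erase_block) * erase_block
    return start, end


def check_layout(images, erase_block):
    """Return a list of problems; an empty list means keywriter2 is safe."""
    problems = []
    by_name = {img.name: img for img in images}
    kw2 = by_name.get("keywriter2")
    if kw2 is None or kw2.offset != BACKUP_OFFSET:
        problems.append("keywriter2 is not at the backup offset")
    if not any(img.offset == 0 for img in images):
        problems.append("no image at primary offset 0")
    for a, b in combinations(images, 2):
        (a0, a1), (b0, b1) = erase_span(a, erase_block), erase_span(b, erase_block)
        if a0 < b1 and b0 < a1:
            problems.append(f"{a.name} and {b.name} share erase blocks")
    return problems


# Constructed sample layouts; sizes and the erase-block size are assumptions.
ERASE_BLOCK = 256 * 1024
GOOD = [Image("sbl", 0, 300 * 1024),
        Image("keywriter2", BACKUP_OFFSET, 300 * 1024),
        Image("app", 5 * MiB, 2 * MiB)]
# The app starts after keywriter2 ends, but inside keywriter2's last erase block.
BAD = [Image("sbl", 0, 300 * 1024),
       Image("keywriter2", BACKUP_OFFSET, 300 * 1024),
       Image("app", BACKUP_OFFSET + 384 * 1024, 2 * MiB)]

if __name__ == "__main__":
    for label, layout in (("good", GOOD), ("bad", BAD)):
        print(label, check_layout(layout, ERASE_BLOCK) or "OK")
```

The second layout has no byte-level overlap; it is flagged only because erasing the first block of the app image would also erase the tail of keywriter2.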