Digitally sign nk.bin RRS feed

  • Question

  • Hello,

    I am just wondering if there exist a standard way of digitally signing nk.bin so that the bootloader can check if the image it loads is legitimate.

    I found a tool for signing .exe and .dlls (see signtool.exe), but this does not seem to work with nk.bin.

    Oh, and by the way I am using WEC7.

    Wednesday, April 10, 2013 2:17 PM

All replies

  • Hi Mario,

    You can use CRC calculation/verification technique.

    While flashing/storing the image to boot device (may be NAND.) , you need to calculate CRC on complete NK image and then store it,

    And while booting, you need to calculate CRC in same way on the read NK image, and compare with the stored value.

    With regards,

    Keshava G N

    Keshava G N ( ), Member - Technical, iWave Systems ( )

    • Edited by Keshava GN Wednesday, April 10, 2013 2:39 PM
    Wednesday, April 10, 2013 2:37 PM
  • Every NK.bin file should be stamped with a valid license and Platform Builder comes with a standard tool for this. You can find it in the "Tools" menu, click "Platform Builder" and choose "License Run-Time Image". This stamps the binary with a valid license, and sure there is some way you can validate it has been stamped (it's what MS does if they ever decide to check the NK binaries).

    You'll have to ask MS to see if they want to share how to check for a valid stamped binary, but I don't see any reason why they wouldn't. Maybe it's already public info somewhere...

    Good luck,

    Michel Verhagen, eMVP
    Check out my blog:

    Microsoft Embedded Partner
    Consultancy, training and development services.

    Thursday, April 11, 2013 4:16 AM
  • Is this actually necessary, because as mentioned in the above post Licensing can be done on nk and MS has a mechanism to validate .... but i suppose this is not what you need.

    ASAIK the thing which you need is already there. The bootloader actually checks for the valid nk image by reading the nk header and loads when it succeeded.

    If you further need some more protection you need to edit nk file and same you need to implement in the decoding procedure. But is it actually required ?

    --- Misbah 

    Senior Design Engineer T.E.S Electroni Solutions (Bangalore-India)

    Friday, April 12, 2013 5:16 AM
  • Perhaps my post was not perfectly clear. Let's say I am creating a new Zune player running WEC7.

    The last thing I want is someone to replace nk.bin with another (i.e. jailbreak the device).  The way to prevent this is to digitally sign both the bootloader and nk.bin. 

    It is a chain of trust.  The bootloader is checked for our digital signature.  Once checked, the bootloader is allowed to runs and checks the signature of nk.bin.  If the signature is ok, then nk.bin is run. 

    Once we are running WEC7. We can set the OS for running only apps with our digital signature.  It is well supported by Microsoft.

    So you are telling me there is no standard solution for the bootloader and the OS?

    Thursday, April 18, 2013 3:09 PM
  • Normally you would not do this in software. Most modern processors support secure boot. For instance, if you are using the Freescale iMX range you have HAB (High Assurance Boot):

    So, no, there is nothing "standard" (from Microsoft) in software apart from what is supported inside CE with certificates etc. The "standard" comes from the processor manufacturers...

    Good luck,

    Michel Verhagen, eMVP
    Check out my blog:

    Microsoft Embedded Partner
    Consultancy, training and development services.

    Thursday, April 18, 2013 9:29 PM