FlashMyPico.com
log in about discover docs scratchpad
topics howto compatibility known issues security q&a api reference
chapters uploading & flashing version tracking boot signing configurable constants

Firmware signatures

Introduction

RP2350 introduced security features that make it possible to verify your firmware's integrity, and authenticity post-flashing.

FlashMyPico can put your signed firmware on your chip, but it won't attempt to sign it for you due to security considerations. This document will guide you through the signing process. You'll need a Linux OS, or a WSL installation, to execute the commands included below.

Setup

Dependencies

First, we need to make sure the software dependencies of both Pico SDK, and Picotool are installed. On the popular Ubuntu Linux-distribution, and the WSL, you can perform this action by entering the following shell command: 

sudo apt install git cmake make g++ libusb-1.0-0-dev openssl

PicoSDK

PicoSDK belongs to the dependencies of Picotool - the tool we'll later use to sign our firmware. In this step, we're going to download and build PicoSDK. 

git clone https://github.com/raspberrypi/pico-sdk.git

cd pico-sdk
git submodule update --init
nice -n 15 make -j $(nproc) # or just "make"
cd ..

This should leave you with a compiled PicoSDK installation available in the pico-sdk directory. We'll use this directory's path as one of the build configuration inputs in the next step.

Picotool

Similarly, we're going to download, and build Picotool. 

git clone https://github.com/raspberrypi/picotool.git

cd picotool
cmake -DPICO_SDK_PATH=../pico-sdk .
nice -n 15 make -j $(nproc) # or just "make"
cd ..

Signing

Generating a signing key

If you already own a signing key, you may skip this step.

Now we're going to generate a private key that we'll later use to sign your UF2 firmware images. The following commands create a project directory my_project where you'll find your keyfile ec-secp256k1-priv-key.pem after execution. 

mkdir my_project
cd my_project
openssl ecparam -name secp256k1 -genkey -noout -out ec-secp256k1-priv-key.pem
cd ..

Please protect your secret key, as:

  1. It can be used to install any firmware on your devices, including firmware than may cause electrical malfunction, or one that could leak the user's private data.
  2. Losing access to this key would mean that no further updates could be installed on your devices.

Sealing

Here we'll use our signing key to sign (or, in Picotool nomenclature: seal) your firmware image.

Before entering the below commands, please put your firmware image file image.uf2 in your newly created project directory my_project. 

cd picotool
./picotool seal \
    --verbose \
    --major 1 --minor 0 \
    --sign \
    ../my_project/image.uf2 \
    ../my_project/image_signed.uf2 \
    ../my_project/ec-secp256k1-priv-key.pem \
    ../my_project/image_signed_otp.json

If all went well, you'll find two new files in the project directory:

  1. image_signed_otp.json, which we'll use next to secure your target chip.
  2. image_signed.uf2, containing your signed firmware.

Securing the chip

Your firmware is now signed, but your target chip isn't yet configured to only allow signed images to boot. Here we'll aim to change this.

Please note that this operation is irreversible. Afterwards, the target chip will only accept firmware signed with your key.

Please plug in your chip, and execute the following command: 

./picotool otp load ../my_project/image_signed_otp.json

Flashing

Your signed firmware image can now be flashed with Picotool, FlashMyPico, or the filesystem based method.

detect device © 2025 flashmypico.com legal ack