From ed980c3093e860335c12d9daea2cbe91b1761429 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Thu, 22 Jan 2026 11:59:46 +0100
Subject: [PATCH 1/8] Use new layout
Signed-off-by: Pol Henarejos
---
CMakeLists.txt | 4 ++--
pico-keys-sdk | 2 +-
src/hsm/CMakeLists.txt | 4 ++--
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index d83a9f8..dd97dfc 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -18,7 +18,7 @@ cmake_minimum_required(VERSION 3.13) if(ESP_PLATFORM) - set(EXTRA_COMPONENT_DIRS src pico-keys-sdk/src) + set(EXTRA_COMPONENT_DIRS pico-keys-sdk/config/esp32/components src/hsm) include($ENV{IDF_PATH}/tools/cmake/project.cmake) else() if(NOT ENABLE_EMULATION)
@@ -124,7 +124,7 @@ if(NOT ESP_PLATFORM) -Wl,--gc-sections ) endif(APPLE) - target_link_libraries(pico_hsm PRIVATE pthread m) + target_link_libraries(pico_hsm PRIVATE pico_keys_sdk pthread m mbedtls) else() pico_add_extra_outputs(${CMAKE_PROJECT_NAME}) endif()
diff --git a/pico-keys-sdk b/pico-keys-sdk
index 263e554..6860029 160000
--- a/pico-keys-sdk
+++ b/pico-keys-sdk
@@ -1 +1 @@
-Subproject commit 263e554cc6c59a5f168f8589c4bdabe6e1e64c25
+Subproject commit 68600291d0a85cbf695d798a330ebe78fb163a4d
diff --git a/src/hsm/CMakeLists.txt b/src/hsm/CMakeLists.txt
index 9a802b3..b5a83a6 100644
--- a/src/hsm/CMakeLists.txt
+++ b/src/hsm/CMakeLists.txt
@@ -1,6 +1,6 @@
idf_component_register(
SRCS ${SOURCES}
- INCLUDE_DIRS . ../../pico-keys-sdk/src ../../pico-keys-sdk/src/fs ../../pico-keys-sdk/src/rng ../../pico-keys-sdk/src/usb
- REQUIRES mbedtls efuse
+ INCLUDE_DIRS .
+ REQUIRES mbedtls efuse pico-keys-sdk
)
idf_component_set_property(${COMPONENT_NAME} WHOLE_ARCHIVE ON)
From 868caff6653868f8b9d81022dcd22c1b44564796 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Thu, 22 Jan 2026 12:33:42 +0100
Subject: [PATCH 2/8] Use new VID:PID allocated to Pico HSM.
Signed-off-by: Pol Henarejos
---
CMakeLists.txt | 3 +++
README.md | 4 ++--
pico-keys-sdk | 2 +-
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index dd97dfc..9712906 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -17,6 +17,9 @@ cmake_minimum_required(VERSION 3.13) +set(USB_VID 0x2E8A) +set(USB_PID 0x10FD) + if(ESP_PLATFORM) set(EXTRA_COMPONENT_DIRS pico-keys-sdk/config/esp32/components src/hsm) include($ENV{IDF_PATH}/tools/cmake/project.cmake)
diff --git a/README.md b/README.md
index b41c1ab..264434f 100644
--- a/README.md
+++ b/README.md
@@ -184,9 +184,9 @@ RP2350 and ESP32-S3 microcontrollers are equipped with advanced security feature If you own a Raspberry Pico (RP2040 or RP2350), go to [Download page](https://www.picokeys.com/getting-started/). If your board is mounted with the RP2040, then select Pico. If your board is mounted with the RP2350 or RP2354, select Pico2. -Note that UF2 files are shiped with a dummy VID/PID to avoid license issues (FEFF:FCFD). If you plan to use it with OpenSC or similar tools, you should modify Info.plist of CCID driver to add these VID/PID or use the [PicoKey App](https://www.picokeys.com/picokeyapp/ "PicoKey App"). +UF2 files are shiped with a VID/PID granted by RaspberryPi (2E8A:10FD). If you plan to use it with OpenSC or similar tools, you should modify Info.plist of CCID driver to add these VID/PID or use the [PicoKey App](https://www.picokeys.com/picokeyapp/ "PicoKey App"). -You can use whatever VID/PID (i.e., 234b:0000 from FISJ), but remember that you are not authorized to distribute the binary with a VID/PID that you do not own. +You can use whatever VID/PID for internal purposes, but remember that you are not authorized to distribute the binary with a VID/PID that you do not own. Note that the [PicoKey App](https://www.picokeys.com/picokeyapp/ "PicoKey App") is the most recommended.
diff --git a/pico-keys-sdk b/pico-keys-sdk
index 6860029..42267cb 160000
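Review bot: In the CMakeLists.txt hunk of patch 2/8, the two plain `set()` calls create normal variables, which shadow a cache value passed on the command line, so a build invoked with `-DUSB_VID=… -DUSB_PID=…` would presumably still come out as 2E8A:10FD. The README text changed in the same commit still says another VID/PID may be used for internal purposes and that a binary must not be distributed with an ID pair the builder does not own, so forks need a working override. Declaring the values as overridable defaults keeps both behaviours: `set(USB_VID 0x2E8A CACHE STRING "USB vendor ID")` and `set(USB_PID 0x10FD CACHE STRING "USB product ID")`. How pico-keys-sdk consumes these variables is not visible in this patch, so confirm against the submodule's CMake before relying on it.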
--- a/pico-keys-sdk
+++ b/pico-keys-sdk
@@ -1 +1 @@
-Subproject commit 68600291d0a85cbf695d798a330ebe78fb163a4d
+Subproject commit 42267cb237cb0a610ad7d3aa3feab9baa31a0fa1
From 0b18ab5e3da085fda8a654fdf209861c0cba303e Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Thu, 29 Jan 2026 16:12:41 +0100
Subject: [PATCH 3/8] Upgrade to Pico Keys SDK 8.5
Signed-off-by: Pol Henarejos
---
pico-keys-sdk | 2 +-
src/hsm/kek.c | 13 -------------
2 files changed, 1 insertion(+), 14 deletions(-)
diff --git a/pico-keys-sdk b/pico-keys-sdk
index 42267cb..61d4515 160000
--- a/pico-keys-sdk
+++ b/pico-keys-sdk
@@ -1 +1 @@
-Subproject commit 42267cb237cb0a610ad7d3aa3feab9baa31a0fa1
+Subproject commit 61d4515eccf7add9d39689734eccd2cdf0aab83b
diff --git a/src/hsm/kek.c b/src/hsm/kek.c
index 1a7b9ad..815b578 100644
--- a/src/hsm/kek.c
+++ b/src/hsm/kek.c
@@ -37,19 +37,6 @@ uint8_t mkek_mask[MKEK_KEY_SIZE]; bool has_mkek_mask = false; uint8_t pending_save_dkek = 0xff; -#define POLY 0xedb88320 - -uint32_t crc32c(const uint8_t *buf, size_t len) { - uint32_t crc = 0xffffffff; - while (len--) { - crc ^= *buf++; - for (int k = 0; k < 8; k++) { - crc = (crc >> 1) ^ (POLY & (0 - (crc & 1))); - } - } - return ~crc; -} - void mkek_masked(uint8_t *mkek, const uint8_t *mask) { if (mask) { for (int i = 0; i < MKEK_KEY_SIZE; i++) {
From 2dec7c0b4edba2b2e65a0d5d7cc5bc3dfa27b809 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Sun, 1 Feb 2026 20:34:24 +0100
Subject: [PATCH 4/8] Fix phy marker write.
Signed-off-by: Pol Henarejos
---
pico-keys-sdk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pico-keys-sdk b/pico-keys-sdk
index 61d4515..6f996c6 160000
--- a/pico-keys-sdk
+++ b/pico-keys-sdk
@@ -1 +1 @@
-Subproject commit 61d4515eccf7add9d39689734eccd2cdf0aab83b
+Subproject commit 6f996c67c20e28df8d5be89948c8e274a479c2c4
From 7e651c78e383c0e0bd2edf3bbe6cee1346e97e98 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Sun, 1 Feb 2026 20:34:41 +0100
Subject: [PATCH 5/8] Upgrade to v6.4
Signed-off-by: Pol Henarejos
---
CMakeLists.txt | 2 +-
build_pico_hsm.sh | 2 +-
src/hsm/version.h | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 9712906..98eec65 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -83,7 +83,7 @@ set(SOURCES ${SOURCES} ${CMAKE_CURRENT_LIST_DIR}/src/hsm/kek.c ) -SET_VERSION(ver_major ver_minor "${CMAKE_CURRENT_LIST_DIR}/src/hsm/version.h" 2) +SET_VERSION(ver_major ver_minor "${CMAKE_CURRENT_LIST_DIR}/src/hsm/version.h" 3) if(ESP_PLATFORM) project(pico_hsm)
diff --git a/build_pico_hsm.sh b/build_pico_hsm.sh
index 98d0dd3..adb14fc 100755
--- a/build_pico_hsm.sh
+++ b/build_pico_hsm.sh
@@ -1,7 +1,7 @@ #!/bin/bash VERSION_MAJOR="6" -VERSION_MINOR="2" +VERSION_MINOR="4" SUFFIX="${VERSION_MAJOR}.${VERSION_MINOR}" #if ! [[ -z "${GITHUB_SHA}" ]]; then # SUFFIX="${SUFFIX}.${GITHUB_SHA}"
diff --git a/src/hsm/version.h b/src/hsm/version.h
index a55ec03..219a868 100644
--- a/src/hsm/version.h
+++ b/src/hsm/version.h
@@ -18,7 +18,7 @@ #ifndef __VERSION_H_ #define __VERSION_H_ -#define HSM_VERSION 0x0602 +#define HSM_VERSION 0x0604 #define HSM_VERSION_MAJOR ((HSM_VERSION >> 8) & 0xff) #define HSM_VERSION_MINOR (HSM_VERSION & 0xff)
From b78c1485c1da197e2a6bb61b8246526f47761f40 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Wed, 4 Feb 2026 23:45:14 +0100
Subject: [PATCH 6/8] Add support for HIGH/LOW ESP32 LED
Signed-off-by: Pol Henarejos
---
pico-keys-sdk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pico-keys-sdk b/pico-keys-sdk
index 6f996c6..87e9f9e 160000
--- a/pico-keys-sdk
+++ b/pico-keys-sdk
@@ -1 +1 @@
-Subproject commit 6f996c67c20e28df8d5be89948c8e274a479c2c4
+Subproject commit 87e9f9e58b562ca08b1cac4533a0c48b5f0d1d15
From 25889094e554f9f19184b94ef881c7d002e5da47 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Sat, 7 Feb 2026 14:32:31 +0100
Subject: [PATCH 7/8] [BETA] Add support to Secure Boot in ESP32.
Signed-off-by: Pol Henarejos
---
pico-keys-sdk | 2 +-
sdkconfig.defaults | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/pico-keys-sdk b/pico-keys-sdk
index 87e9f9e..b8aa022 160000
--- a/pico-keys-sdk
+++ b/pico-keys-sdk
@@ -1 +1 @@
-Subproject commit 87e9f9e58b562ca08b1cac4533a0c48b5f0d1d15
+Subproject commit b8aa0221dbd01a9c404f454b7759f443ca844f5e
diff --git a/sdkconfig.defaults b/sdkconfig.defaults
index 587bae1..0c6af4d 100755
--- a/sdkconfig.defaults
+++ b/sdkconfig.defaults
@@ -9,6 +9,7 @@ CONFIG_TINYUSB_TASK_STACK_SIZE=16384
CONFIG_PARTITION_TABLE_CUSTOM=y
CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="pico-keys-sdk/config/esp32/partitions.csv"
CONFIG_PARTITION_TABLE_FILENAME="pico-keys-sdk/config/esp32/partitions.csv"
+CONFIG_PARTITION_TABLE_OFFSET=0x10000
CONFIG_ESPTOOLPY_FLASHSIZE_4MB=y
CONFIG_ESPTOOLPY_FLASHMODE_QIO=y
CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240=y
From 0ad7e3a610e7dff7eaf2c9774b173e05bbded19e Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Mon, 16 Feb 2026 16:03:01 +0100
Subject: [PATCH 8/8] Fix Secure boot enable.
Signed-off-by: Pol Henarejos
---
pico-keys-sdk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pico-keys-sdk b/pico-keys-sdk
index b8aa022..7abedc5 160000
--- a/pico-keys-sdk
+++ b/pico-keys-sdk
@@ -1 +1 @@
-Subproject commit b8aa0221dbd01a9c404f454b7759f443ca844f5e
+Subproject commit 7abedc5b0e6bf390913b68f5e5f37a997f54a92b
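Review bot: `CONFIG_PARTITION_TABLE_OFFSET=0x10000` in the sdkconfig.defaults hunk of patch 7/8 is added without a comment, and as a default it changes the flash layout of every ESP32 build, not only Secure Boot ones. Going by the commit title the move is presumably to make room for a larger second-stage bootloader; a line such as `# Partition table moved up so the Secure Boot bootloader fits below it` would record that. Two things are worth confirming outside this hunk: that no entry in `pico-keys-sdk/config/esp32/partitions.csv` (in the submodule, not shown) starts below the end of the relocated table, and that the upgrade path for boards already flashed with the previous offset is documented, since bootloader and table then have to be rewritten together. No `CONFIG_SECURE_BOOT*` option appears in the visible lines, so whether these defaults actually switch Secure Boot on cannot be told from here.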