[Gnuk-users] Upgrading gnuk on a nitrokey start

Remy van Elst relst at relst.nl
Tue Aug 16 13:25:04 UTC 2016 

Thanks for the extensive reply!


On Tue, Aug 16, 2016 at 3:17 AM, NIIBE Yutaka <gniibe at fsij.org> wrote:

> Hello,
>
> In general, I recommend to use SWD debugger to upgrade the firmware.
> That's because there may be various possible errors, and having the
> recovery method should be important.
>
> While upgrade through USB is possible, it's not easy.  A simple
> mistake can result unusable device (and recovering requires SWD
> debugger).
>

I rather not open up the device since I'm not sure it will be easily put
back together and soldering wires to it for an STM upgrade is my last
resort if I brick it. I've only got one nitrokey start and I'm known to fry
arduino's with a soldering iron...


>
> On 08/15/2016 07:40 PM, Remy van Elst wrote:
> > I'm trying to upgrade a nitrokey start with the latest gnuk. Compilation
> > for the board goes without issues or warnings, but trying to upload a
> > public key or the actual firmware fails.
>
> Please note that I don't get any feedback from Nitrokey if Gnuk 1.2
> works well.  I wish you will be the first. :-)
>

I hope it works, and if not, I'll probably keep emailing with more requests
:)


>
> > I did change the VENDOR ID from the FST-01 to the Nitrokey (claylogic):
> >
> > USB_VENDOR_FSIJ=0x20a0
> > USB_PRODUCT_GNUK=0x4211
>
> Please change tool/gnuk_token.py and tool/usb_strings.py.
>

I did, otherwise both scripts wouldn't locate the nitrokey.


>
> Please note that we use reGNUal in teh upgrading process.  The setting
> of permission with your USB ID is requires for reGNUal too.
>
>
Even if I do it as the root user?


> I don't have any experience for upgrade with different USB ID.  I
> think that it would be natural to use same USB ID of Gnuk for reGNUal
> too.
>

I didn't see a specific compile option for regnual for a different vidpid
like in gnuk's configure script.


>
> > After the change the usb_strings script sees the token:
> >
> > root at ubuntu:~/gnuk# ./tool/usb_strings.py
> > Device: 004
> >     Vendor: Nitrokey
> >    Product: Nitrokey Start
> >     Serial: FSIJ-1.0.4-52FF6E06
> >   Revision: release/1.0.4-6-g739e00e
> >     Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=yes:keygen=
> yes
> >        Sys: 1.0
>
> So far, good.
>
> > But the binary upload fails:
> >
> > root at ubuntu:~/gnuk# ./tool/gnuk_put_binary_libusb.py -k 0 6B864105.bin
> > Device: 004
> > Configuration: 1
> > Interface: 0
> > Traceback (most recent call last):
> >   File "./tool/gnuk_put_binary_libusb.py", line 110, in <module>
> >     main(fileid, is_update, data, passwd)
> >   File "./tool/gnuk_put_binary_libusb.py", line 53, in main
> >     gnuk.cmd_write_binary(fileid, data, is_update)
> >   File "/root/gnuk/tool/gnuk_token.py", line 288, in cmd_write_binary
> >     raise ValueError("cmd_write_binary 1", "%02x%02x" % (sw[0], sw[1]))
> > ValueError: ('cmd_write_binary 1', '6581')
>
> The slot for key is already occupied, thus failure.  Please note that
> there are four slots (of 0 to 3), which is write-only.  Once written,
> you can't modify.
>
>
Is there a way to see which keys are currently in there? And, is it
possible to remove those keys if they are written? Does the
'gnuk_remove_keys_libusb.py' also clean up those keys?


> The tool/gnuk_put_binary_libusb.py is lower level script which is not
> intended to be used by normal users.  It can register RSA-2048 key;
> it's only a single step of upgrade of firmare.
>
> I explain the upgrade steps in my page:
>
>     https://www.gniibe.org/FST-01/q_and_a/neug_overrides_gnuk.html
>
> Although It's for FST-01 and the firmare change to NeuG, it's useful
> for other cases.
>
> In the tool directory, we use upgrade_by_passwd.py (with reGNUal).
>
> For upgrade, please don't use gnuk_put_binary_libusb.py.  Please use
> upgrade_by_passwd.py instead.
>
> You already filled the slot of 0, you can use 1..3 with -k option.
> --
>
>
I followed instructions from here: http://no-passwd.net/askbot/
question/34/how-gnuk-supports-firmware-upgrade/.

When trying the upgrade with password script, this happens:

$ sudo python2 ./upgrade_by_passwd.py -f -k 4 ../regnual/regnual.bin
../src/build/gnuk.bin
../regnual/regnual.bin: 4372
../src/build/gnuk.bin: 110592
CRC32: 8d82b2df

Device:
Configuration: 1
Interface: 0
Traceback (most recent call last):
  File "./upgrade_by_passwd.py", line 130, in <module>
    main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
  File "./upgrade_by_passwd.py", line 48, in main
    gnuk.cmd_write_binary(1+keyno, rsa_raw_pubkey, False)
  File "/home/remy/repo/gnuk/tool/gnuk_token.py", line 288, in
cmd_write_binary
    raise ValueError("cmd_write_binary 1", "%02x%02x" % (sw[0], sw[1]))
ValueError: ('cmd_write_binary 1', '6581')


$ sudo python2 ./upgrade_by_passwd.py -f -k 3 ../regnual/regnual.bin
../src/build/gnuk.bin
../regnual/regnual.bin: 4372
../src/build/gnuk.bin: 110592
CRC32: 8d82b2df

Device:
Configuration: 1
Interface: 0
Traceback (most recent call last):
  File "./upgrade_by_passwd.py", line 130, in <module>
    main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
  File "./upgrade_by_passwd.py", line 48, in main
    gnuk.cmd_write_binary(1+keyno, rsa_raw_pubkey, False)
  File "/home/remy/repo/gnuk/tool/gnuk_token.py", line 288, in
cmd_write_binary
    raise ValueError("cmd_write_binary 1", "%02x%02x" % (sw[0], sw[1]))
ValueError: ('cmd_write_binary 1', '6581')

$ sudo python2 ./upgrade_by_passwd.py -f -k 2 ../regnual/regnual.bin
../src/build/gnuk.bin
../regnual/regnual.bin: 4372
../src/build/gnuk.bin: 110592
CRC32: 8d82b2df

Device:
Configuration: 1
Interface: 0
Traceback (most recent call last):
  File "./upgrade_by_passwd.py", line 130, in <module>
    main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
  File "./upgrade_by_passwd.py", line 48, in main
    gnuk.cmd_write_binary(1+keyno, rsa_raw_pubkey, False)
  File "/home/remy/repo/gnuk/tool/gnuk_token.py", line 288, in
cmd_write_binary
    raise ValueError("cmd_write_binary 1", "%02x%02x" % (sw[0], sw[1]))
ValueError: ('cmd_write_binary 1', '6581')


$ sudo python2 ./upgrade_by_passwd.py -f -k 1 ../regnual/regnual.bin
../src/build/gnuk.bin
../regnual/regnual.bin: 4372
../src/build/gnuk.bin: 110592
CRC32: 8d82b2df

Device:
Configuration: 1
Interface: 0
Traceback (most recent call last):
  File "./upgrade_by_passwd.py", line 130, in <module>
    main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
  File "./upgrade_by_passwd.py", line 48, in main
    gnuk.cmd_write_binary(1+keyno, rsa_raw_pubkey, False)
  File "/home/remy/repo/gnuk/tool/gnuk_token.py", line 288, in
cmd_write_binary
    raise ValueError("cmd_write_binary 1", "%02x%02x" % (sw[0], sw[1]))
ValueError: ('cmd_write_binary 1', '6581')




When I try the normal upgrade script, this is the output:

$ sudo python2 ./gnuk_upgrade.py -k
CB1522E739DD4E26F86EBC732B58AFBDA3059107 ../regnual/regnual.bin
../src/build/gnuk.bin
../regnual/regnual.bin: 4372
../src/build/gnuk.bin: 110592
CRC32: 8d82b2df

Device:
Configuration: 1
Interface: 0
Traceback (most recent call last):
  File "./gnuk_upgrade.py", line 148, in <module>
    main(keyno, keygrip, data_regnual, data_upgrade[4096:])
  File "./gnuk_upgrade.py", line 95, in main
    signed = gpg_sign(keygrip, binascii.hexlify(challenge))
  File "./gnuk_upgrade.py", line 64, in gpg_sign
    pos = signed.index("D (7:sig-val(3:rsa(1:s256:") + 26
ValueError: substring not found



$ sudo python2 ./gnuk_upgrade.py -k
A3AEC6213744980307D8A5507E50E9F2F3631853 ../regnual/regnual.bin
../src/build/gnuk.bin
../regnual/regnual.bin: 4372
../src/build/gnuk.bin: 110592
CRC32: 8d82b2df

Device:
Configuration: 1
Interface: 0
Traceback (most recent call last):
  File "./gnuk_upgrade.py", line 148, in <module>
    main(keyno, keygrip, data_regnual, data_upgrade[4096:])
  File "./gnuk_upgrade.py", line 95, in main
    signed = gpg_sign(keygrip, binascii.hexlify(challenge))
  File "./gnuk_upgrade.py", line 64, in gpg_sign
    pos = signed.index("D (7:sig-val(3:rsa(1:s256:") + 26
ValueError: substring not found


I suspect that those two keys are the firmware update keys, but I'm not
sure.  I'm not even sure if they were put in correctly because of the
earlier error messages. Both keys are available:

$ gpg-connect-agent "READKEY A3AEC6213744980307D8A5507E50E9F2F3631853" /bye
D (10:public-key(3:rsa(1:n257:��+r�

$ gpg-connect-agent "READKEY CB1522E739DD4E26F86EBC732B58AFBDA3059107" /bye
D (10:public-key(3:rsa(1:n257:�5��

If there is no way to see or wipe the current keys for firmware update via
USB, is there another way to reset the token fully?



> _______________________________________________
> gnuk-users mailing list
> gnuk-users at lists.alioth.debian.org
> https://lists.alioth.debian.org/mailman/listinfo/gnuk-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/gnuk-users/attachments/20160816/99f642e1/attachment.html>

More information about the gnuk-users mailing list