[Gnuk-users] Upgrading gnuk on a nitrokey start

Remy van Elst relst at relst.nl
Sun Dec 18 09:18:43 UTC 2016


Well, it seems to work without issues on the nitrokeys I upgraded earlier
via DFU, but it still bricks my only non-borked non-upgraded Nitrokey start:

Before upgrade (my only non-bricked nitrokey still in the original case):

    $ gpg --card-status
    Reader ...........: 20A0:4211:FSIJ-1.0.4-52FF6C06:0
    Application ID ...: D276000124010200FFFE52FF6C060000
    Version ..........: 2.0
    Manufacturer .....: unmanaged S/N range
    Serial number ....: 52FF6C06
    Name of cardholder: [not set]
    Language prefs ...: [not set]
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: forced
    Key attributes ...: rsa2048 rsa2048 rsa2048
    Max. PIN lengths .: 127 127 127
    PIN retry counter : 3 3 3
    Signature counter : 0
    Signature key ....: [none]
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: [none]


    $ python2 usb_strings.py
    Device:
        Vendor: Nitrokey
       Product: Nitrokey Start
        Serial: FSIJ-1.0.4-52FF6C06
      Revision: release/1.0.4-6-g739e00e
        Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=yes:keygen=yes
           Sys: 1.0




Upgrade fails:

    $ python2 ./upgrade_by_passwd.py -f  ../regnual/regnual.bin ../src/build/gnuk.bin
    ../regnual/regnual.bin: 4372
    ../src/build/gnuk.bin: 110592
    CRC32: f3fafa79

    Device:
    Configuration: 1
    Interface: 0
    20001400:20004a00
    Downloading flash upgrade program...
    start 20001400
    end   20002500
    Run flash upgrade program...
    Waiting for device to appear:
    - Wait 1 seconds...
    - Wait 1 seconds...
    - Wait 1 seconds...
    - Wait 1 seconds...
    - Wait 1 seconds...
    - Wait 1 seconds...
    - Wait 1 seconds...
    - Wait 1 seconds...
    - Wait 1 seconds...
    - Wait 1 seconds...
    - Wait 1 seconds...
    - Wait 1 seconds...
    - Wait 1 seconds...
    - Wait 1 seconds...
    - Wait 1 seconds...
    - Wait 1 seconds...
    - Wait 1 seconds...
    - Wait 1 seconds...
    ^CTraceback (most recent call last):
      File "./upgrade_by_passwd.py", line 134, in <module>
        main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
      File "./upgrade_by_passwd.py", line 75, in main
        time.sleep(wait_e)
    KeyboardInterrupt



Nitrokey blinks, green light.

The earlier-upgraded versions do work:

Before upgrade (Nitrokey start key upgraded via DFU):

    $ gpg --card-status
    Reader ...........: 20A0:4211:FSIJ-1.2.1-87042430:0
    Application ID ...: D276000124010200FFFE870424300000
    Version ..........: 2.0
    Manufacturer .....: unmanaged S/N range
    Serial number ....: 87042430
    Name of cardholder: [not set]
    Language prefs ...: [not set]
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: forced
    Key attributes ...: rsa2048 rsa2048 rsa2048
    Max. PIN lengths .: 127 127 127
    PIN retry counter : 3 3 3
    Signature counter : 0
    Signature key ....: [none]
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: [none]



    $ python2 usb_strings.py
    Device:
        Vendor:
       Product: Nitrokey
        Serial: FSIJ-1.2.1-87042430
      Revision: release/1.2.1-1-g2b784cb-modified
        Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=no
           Sys: 3.0



Upgrade:



    ../regnual/regnual.bin: 4372
    ../src/build/gnuk.bin: 110592
    CRC32: f3fafa79

    Device:
    Configuration: 1
    Interface: 0
    20002800:20005000
    Downloading flash upgrade program...
    start 20002800
    end   20003900
    Run flash upgrade program...
    Waiting for device to appear:
    - Wait 1 seconds...
    Device:
    08001000:08020000
    Downloading the program
    start 08001000
    end   0801b000
    Resetting device
    Update procedure finished



After upgrade:

    $ python2 usb_strings.py
    Device:
        Vendor: Nitrokey
       Product: Nitrokey Start
        Serial: FSIJ-1.2.2-87042430
      Revision: release/1.0.2-471-g1a76ab5
        Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=no
           Sys: 3.0


    $ gpg --card-status
    Reader ...........: 20A0:4211:FSIJ-1.2.2-87042430:0
    Application ID ...: D276000124010200FFFE870424300000
    Version ..........: 2.0
    Manufacturer .....: unmanaged S/N range
    Serial number ....: 87042430
    Name of cardholder: [not set]
    Language prefs ...: [not set]
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: forced
    Key attributes ...: rsa2048 rsa2048 rsa2048
    Max. PIN lengths .: 127 127 127
    PIN retry counter : 3 3 3
    Signature counter : 0
    Signature key ....: [none]
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: [none]




EC keys:

    [10:09:28] [remy at gateway] [ ~/repo/nitrokey-upfix/tool (gnuk1.2-regnual-fix) ]
    $ gpg-connect-agent "SCD SETATTR KEY-ATTR --force 1 22 ed25519" /bye
    OK

    [10:09:31] [remy at gateway] [ ~/repo/nitrokey-upfix/tool (gnuk1.2-regnual-fix) ]
    $ gpg --card-status
    Reader ...........: 20A0:4211:FSIJ-1.2.2-87042430:0
    Application ID ...: D276000124010200FFFE870424300000
    Version ..........: 2.0
    Manufacturer .....: unmanaged S/N range
    Serial number ....: 87042430
    Name of cardholder: [not set]
    Language prefs ...: [not set]
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: forced
    Key attributes ...: ed25519 rsa2048 rsa2048
    Max. PIN lengths .: 127 127 127
    PIN retry counter : 3 3 3
    Signature counter : 0
    Signature key ....: [none]
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: [none]


    [10:09:33] [remy at gateway] [ ~/repo/nitrokey-upfix/tool (gnuk1.2-regnual-fix) ]
    $ gpg-connect-agent "SCD SETATTR KEY-ATTR --force 3 22 ed25519" /bye
    OK

    [10:10:05] [remy at gateway] [ ~/repo/nitrokey-upfix/tool (gnuk1.2-regnual-fix) ]
    $ gpg-connect-agent "SCD SETATTR KEY-ATTR --force 2 18 cv25519" /bye
    OK


    $ gpg --card-status
    Reader ...........: 20A0:4211:FSIJ-1.2.2-87042430:0
    Application ID ...: D276000124010200FFFE870424300000
    Version ..........: 2.0
    Manufacturer .....: unmanaged S/N range
    Serial number ....: 87042430
    Name of cardholder: [not set]
    Language prefs ...: [not set]
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: forced
    Key attributes ...: ed25519 cv25519 ed25519
    Max. PIN lengths .: 127 127 127
    PIN retry counter : 3 3 3
    Signature counter : 0
    Signature key ....: [none]
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: [none]






https://raymii.org

On Fri, Dec 16, 2016 at 11:27 AM, Jan Suhr | Nitrokey <jan at nitrokey.com>
wrote:

> Hi Remy,
>
> we prepared a fix for regnual to enable updating a Nitrokey Start. It is
> here: https://github.com/Nitrokey/nitrokey-start-firmware/tree/gnuk1.2-regnual-fix
>
> Please let me know if it works for you.
>
> Best regards,
> Jan
>
> On 12.10.2016 19:50, Remy van Elst wrote:
>
> I tried to do the update with the provided scripts, but that failed with
> the same symptoms as before. The green LED keeps blinking, waiting a few
> minutes doesn't give any progress and after reinsertion the Nitrokey seems
> to not do anything. A DFU flash fixes that.
>
> Before the upgrade
>
>     $ python2 usb_strings.py
>     Device:
>         Vendor:
>        Product: Nitrokey
>         Serial: FSIJ-1.2.1-87042430
>       Revision: release/1.2.1-1-g2b784cb-modified
>         Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=no
>            Sys: 3.0
>
>
> Running the update:
>
>     $ python2 upgrade_by_passwd.py -f ../regnual/regnual.bin ../src/build/gnuk.bin
>     ../regnual/regnual.bin: 4412
>     ../src/build/gnuk.bin: 110592
>     CRC32: 303d2f62
>
>     Device:
>     Configuration: 1
>     Interface: 0
>     20002800:20005000
>     Downloading flash upgrade program...
>     start 20002800
>     end   20003900
>     Run flash upgrade program...
>     Wait 1 seconds...
>     Wait 1 seconds...
>     Wait 1 seconds...
>     [...] #repeats until cancelled
>
>     ^CTraceback (most recent call last):
>       File "upgrade_by_passwd.py", line 130, in <module>
>         main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
>       File "upgrade_by_passwd.py", line 73, in main
>         time.sleep(wait_e)
>     KeyboardInterrupt
>
>
>
>
> dmesg output during the update:
>
>     [ 2464.228628] usb 2-1.2: USB disconnect, device number 4
>     [ 2468.101333] usb 1-1.1: new full-speed USB device number 3 using ehci-pci
>     [ 2541.541385] usb 1-1.1: USB disconnect, device number 3
>     [ 2542.831257] usb 1-1.1: new full-speed USB device number 4 using ehci-pci
>     [ 2554.745022] usb 1-1.1: USB disconnect, device number 4
>     [ 2557.543186] usb 1-1.1: new full-speed USB device number 5 using ehci-pci
>
>
>
>
>
>
>
> https://raymii.org
>
> On Wed, Oct 12, 2016 at 1:38 PM, Jan Suhr <jan at nitrokey.com> wrote:
>
>> Hi Remy,
>>
>> I understand your Nitrokey Start is flashed with latest Gnuk 1.2 but I'm
>> curious if regnual would work from now on or not. Did you try to update
>> Gnuk 1.2 via regnual? (Perhaps "update" to the same Gnuk version just for
>> the sake of testing it.)
>>
>> Regards,
>> Jan
>>
>>
>> On 11.10.2016 17:33, Remy van Elst wrote:
>>
>> Small update,
>>
>> I fried one Nitrokey when trying to solder on the ST Link headers. Bummer.
>>
>> I hot-air desoldered a USB header from an old motherboard in the e-waste
>> bin and used the standard USB pinout, which surprisingly, worked. (
>> https://i.imgur.com/PQ7QG2B.png).
>>
>> The stm32flash tool was unable to remove the flash protection:
>>
>>     $ sudo stm32flash -u  /dev/ttyUSB0
>>     stm32flash 0.5
>>
>>     http://stm32flash.sourceforge.net/
>>
>>     Interface serial_posix: 57600 8E1
>>     Version      : 0x22
>>     Option 1     : 0x00
>>     Option 2     : 0x00
>>     Device ID    : 0x0410 (STM32F10xxx Medium-density)
>>     - RAM        : 20KiB  (512b reserved by bootloader)
>>     - Flash      : 128KiB (size first sector: 4x1024)
>>     - Option RAM : 16b
>>     - System RAM : 2KiB
>>     Write-unprotecting flash
>>     Got NACK from device on command 0x73
>>     Done.
>>
>> so I had to use the Windows ST Demo loader tool. It worked, and I'm able
>> to flash the gnuk 1.2 release to the Nitrokey start. (Not the fried one,
>> another one). That seems to work so far:
>>
>>
>>
>> $ gpg --card-status
>>
>>     Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.1-87042430) 00 00
>>     Application ID ...: D276000124010200FFFE870424300000
>>     Version ..........: 2.0
>>     Manufacturer .....: unmanaged S/N range
>>     Serial number ....: 87042430
>>     Name of cardholder: [not set]
>>     Language prefs ...: [not set]
>>     Sex ..............: unspecified
>>     URL of public key : [not set]
>>     Login data .......: [not set]
>>     Signature PIN ....: forced
>>     Key attributes ...: rsa2048 rsa2048 rsa2048
>>     Max. PIN lengths .: 127 127 127
>>     PIN retry counter : 3 3 3
>>     Signature counter : 4
>>     Signature key ....: 3D1B 8501 882B EA0D D813  6CAC 1437 62A5 87BD 54FE
>>           created ....: 2016-10-11 15:06:29
>>     Encryption key....: 9898 208B 7876 4F65 A06E  3E65 637A 80D6 31D5 21C2
>>           created ....: 2016-10-11 15:06:29
>>     Authentication key: 2141 3E30 8EFF F2D0 FB3D  4C9E DA3D F5B9 7130 1532
>>           created ....: 2016-10-11 15:06:29
>>     General key info..: pub  rsa2048/0x143762A587BD54FE 2016-10-11 Remy test (Test gnuk1.2) <remy at test.nl>
>>     sec>  rsa2048/0x143762A587BD54FE  created: 2016-10-11  expires: 2016-10-18
>>                                       card-no: FFFE 87042430
>>     ssb>  rsa2048/0xDA3DF5B971301532  created: 2016-10-11  expires: 2016-10-18
>>                                       card-no: FFFE 87042430
>>     ssb>  rsa2048/0x637A80D631D521C2  created: 2016-10-11  expires: 2016-10-18
>>                                       card-no: FFFE 87042430
>>
>>
>>
>> After flashing it with the Windows tool, stm32flash does work:
>>
>>
>>
>>     $ sudo stm32flash -w build/gnuk.bin -g 0x0 /dev/ttyUSB0
>>     stm32flash 0.5
>>
>>     http://stm32flash.sourceforge.net/
>>
>>     Using Parser : Raw BINARY
>>     Interface serial_posix: 57600 8E1
>>     Version      : 0x22
>>     Option 1     : 0x00
>>     Option 2     : 0x00
>>     Device ID    : 0x0410 (STM32F10xxx Medium-density)
>>     - RAM        : 20KiB  (512b reserved by bootloader)
>>     - Flash      : 128KiB (size first sector: 4x1024)
>>     - Option RAM : 16b
>>     - System RAM : 2KiB
>>     Write to memory
>>     Erasing memory
>>     Wrote address 0x0801b000 (100.00%) Done.
>>
>>     Starting execution at address 0x08000000... done.
>>
>> I can also place an ecc 25519 key on the device:
>>
>>     $ gpg --card-status
>>
>>     Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.1-87042430) 00 00
>>     Application ID ...: D276000124010200FFFE870424300000
>>     Version ..........: 2.0
>>     Manufacturer .....: unmanaged S/N range
>>     Serial number ....: 87042430
>>     Name of cardholder: [not set]
>>     Language prefs ...: [not set]
>>     Sex ..............: unspecified
>>     URL of public key : [not set]
>>     Login data .......: [not set]
>>     Signature PIN ....: forced
>>     Key attributes ...: ed25519 rsa2048 rsa2048
>>     Max. PIN lengths .: 127 127 127
>>     PIN retry counter : 3 3 3
>>     Signature counter : 0
>>     Signature key ....: 3678 F2EE 1CCB 4B24 B107  38BA 101D 491F 08E7 FD60
>>           created ....: 2016-10-11 15:31:27
>>     Encryption key....: [none]
>>     Authentication key: [none]
>>     General key info..: pub  ed25519/0x101D491F08E7FD60 2016-10-11 test remy ecc (gnuk 1.2) <nitrokey at raymii.nl>
>>     sec>  ed25519/0x101D491F08E7FD60  created: 2016-10-11  expires: 2016-10-18
>>                                       card-no: FFFE 87042430
>>
>>
>> Yay!
>>
>>
>>
>>
>> https://raymii.org
>>
>> On Fri, Sep 16, 2016 at 3:26 PM, NIIBE Yutaka <gniibe at fsij.org> wrote:
>>
>>> Hello, Jan,
>>>
>>> On 09/16/2016 05:38 PM, Jan Suhr wrote:
>>> > Nitrokey Start hardware is based on FST-01. In particular the MCU is
>>> > identical. The main differences are:
>>> > - No external flash
>>> > - Different pinning. See:
>>> > https://github.com/Nitrokey/nitrokey-start-firmware/commit/c98d6cbc4a225f10bca8f2d7b86effcbdcf534f4
>>> >
>>> > Do you think the different pinning may be a cause for the update issue?
>>>
>>> Thanks for the pointer.
>>>
>>> The file is a bit different to the one in Chopstx (Gnuk 1.2).
>>>
>>> https://git.gniibe.org/gitweb/?p=chopstx/chopstx.git;a=commitdiff;h=8650bde8a056ca8d7954837bfd6692958e263634;hp=6e7334dcfff83898ff6b8568bf24c6fe90deaa9c
>>>
>>> I had thought that it's because of revision change of hardware.  If it
>>> is same hardware, I think that Gnuk 1.0 on Nitrokey Start doesn't work
>>> well with upgrade through USB.
>>>
>>> One of my friends kindly showed me the board of Nitrokey Start.
>>> I also examined the KiCAD schematic of:
>>>
>>>     https://github.com/Nitrokey/nitrokey-pro-hardware
>>>
>>> Well, examining schematic is not that easy, even for such a simple
>>> one.
>>>
>>> PA9 and PA10 are connected to USB-D- and USB-D+.  And with the
>>> configuration of Gnuk 1.0 for Nitrokey Start, those pins of PA9 and
>>> PA10 are pulled up by Vdd.  I think that this interferes with the USB
>>> shutdown and re-enumeration process of USB upgrade.
>>>
>>> I think that the configuration of Gnuk 1.2 for Nitrokey Start is
>>> better.
>>> --
>>>
>>> _______________________________________________
>>> gnuk-users mailing list
>>> gnuk-users at lists.alioth.debian.org
>>> https://lists.alioth.debian.org/mailman/listinfo/gnuk-users
>>>
>
>
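A pre-flight check for the situation reported in this thread, as an added example that is not part of the original messages or of the Gnuk tools: it parses `usb_strings.py` output (including a mail-wrapped `Config:` value) and holds back a reGNUal upgrade when a Nitrokey Start still reports a Gnuk version below 1.2. The function names are hypothetical, the sample text is constructed from the output quoted above, and the "below 1.2" rule is an assumption drawn only from the reports in this thread.

```python
import re

# Constructed sample: usb_strings.py output in the shape shown in this thread,
# with the "Config:" value wrapped onto its own line.
SAMPLE_OLD = """\
Device:
    Vendor: Nitrokey
   Product: Nitrokey Start
    Serial: FSIJ-1.0.4-52FF6C06
  Revision: release/1.0.4-6-g739e00e
    Config:
NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=yes:keygen=yes
       Sys: 1.0
"""
# Constructed variant standing in for a unit already running Gnuk 1.2.1.
SAMPLE_NEW = SAMPLE_OLD.replace("1.0.4", "1.2.1").replace("Sys: 1.0", "Sys: 3.0")


def parse_usb_strings(text):
    """Return {field: value}; an empty field takes the following bare line."""
    fields, last = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+):\s*(.*)$", line)
        if m and m.group(1) != "Device":
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last and line.strip() and not fields[last]:
            fields[last] = line.strip()  # wrapped continuation of the field
    return fields


def regnual_preflight(text):
    """Return (decision, reason) for upgrading over USB with reGNUal."""
    f = parse_usb_strings(text)
    m = re.match(r"FSIJ-(\d+)\.(\d+)\.(\d+)-([0-9A-Fa-f]+)$", f.get("Serial", ""))
    if not m:
        return "unknown", "no FSIJ-<version>-<id> serial string found"
    ver = tuple(int(x) for x in m.groups()[:3])
    is_start = f.get("Config", "").startswith("NITROKEY_START")
    # Assumption from this thread: Gnuk 1.0.x on Nitrokey Start hangs after
    # "Run flash upgrade program..."; units already on 1.2.x upgraded cleanly.
    if is_start and ver < (1, 2, 0):
        return "hold", "Gnuk %d.%d.%d on Nitrokey Start: USB upgrade hung" % ver
    return "proceed", "Gnuk %d.%d.%d" % ver


if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_NEW):
        print(regnual_preflight(sample))
```
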