<div dir="ltr"><div class="gmail_extra">Thanks for the extensive reply!<br><br><br><div class="gmail_quote">On Tue, Aug 16, 2016 at 3:17 AM, NIIBE Yutaka <span dir="ltr"><<a href="mailto:gniibe@fsij.org" target="_blank">gniibe@fsij.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
In general, I recommend to use SWD debugger to upgrade the firmware.<br>
That's because there may be various possible errors, and having the<br>
recovery method should be important.<br>
<br>
While upgrade through USB is possible, it's not easy. A simple<br>
mistake can result unusable device (and recovering requires SWD<br>
debugger).<br></blockquote><div><br></div><div>I rather not open up the device since I'm not sure it will be easily put back together and soldering wires to it for an STM upgrade is my last resort if I brick it. I've only got one nitrokey start and I'm known to fry arduino's with a soldering iron...<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<span><br>
On 08/15/2016 07:40 PM, Remy van Elst wrote:<br>
> I'm trying to upgrade a nitrokey start with the latest gnuk. Compilation<br>
> for the board goes without issues or warnings, but trying to upload a<br>
> public key or the actual firmware fails.<br>
<br>
</span>Please note that I don't get any feedback from Nitrokey if Gnuk 1.2<br>
works well. I wish you will be the first. :-)<br></blockquote><div><br></div><div>I hope it works, and if not, I'll probably keep emailing with more requests :)<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<span><br>
> I did change the VENDOR ID from the FST-01 to the Nitrokey (claylogic):<br>
><br>
> USB_VENDOR_FSIJ=0x20a0<br>
> USB_PRODUCT_GNUK=0x4211<br>
<br>
</span>Please change tool/gnuk_token.py and tool/usb_strings.py.<br></blockquote><div><br></div><div>I did, otherwise both scripts wouldn't locate the nitrokey.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Please note that we use reGNUal in teh upgrading process. The setting<br>
of permission with your USB ID is requires for reGNUal too.<br>
<br></blockquote><div><br></div><div>Even if I do it as the root user?<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I don't have any experience for upgrade with different USB ID. I<br>
think that it would be natural to use same USB ID of Gnuk for reGNUal<br>
too.<br></blockquote><div><br></div><div>I didn't see a specific compile option for regnual for a different vidpid like in gnuk's configure script.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<span><br>
> After the change the usb_strings script sees the token:<br>
><br>
> root@ubuntu:~/gnuk# ./tool/usb_strings.py<br>
> Device: 004<br>
> Vendor: Nitrokey<br>
> Product: Nitrokey Start<br>
> Serial: FSIJ-1.0.4-52FF6E06<br>
> Revision: release/1.0.4-6-g739e00e<br>
> Config: NITROKEY_START:dfu=no:debug=no<wbr>:pinpad=no:certdo=yes:keygen=<wbr>yes<br>
> Sys: 1.0<br>
<br>
</span>So far, good.<br>
<span><br>
> But the binary upload fails:<br>
><br>
> root@ubuntu:~/gnuk# ./tool/gnuk_put_binary_libusb.<wbr>py -k 0 6B864105.bin<br>
> Device: 004<br>
> Configuration: 1<br>
> Interface: 0<br>
> Traceback (most recent call last):<br>
> File "./tool/gnuk_put_binary_libusb<wbr>.py", line 110, in <module><br>
> main(fileid, is_update, data, passwd)<br>
> File "./tool/gnuk_put_binary_libusb<wbr>.py", line 53, in main<br>
> gnuk.cmd_write_binary(fileid, data, is_update)<br>
> File "/root/gnuk/tool/gnuk_token.py<wbr>", line 288, in cmd_write_binary<br>
> raise ValueError("cmd_write_binary 1", "%02x%02x" % (sw[0], sw[1]))<br>
> ValueError: ('cmd_write_binary 1', '6581')<br>
<br>
</span>The slot for key is already occupied, thus failure. Please note that<br>
there are four slots (of 0 to 3), which is write-only. Once written,<br>
you can't modify.<br>
<br></blockquote><div><br></div><div>Is there a way to see which keys are currently in there? And, is it possible to remove those keys if they are written? Does the 'gnuk_remove_keys_libusb.py' also clean up those keys?<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
The tool/gnuk_put_binary_libusb.py is lower level script which is not<br>
intended to be used by normal users. It can register RSA-2048 key;<br>
it's only a single step of upgrade of firmare.<br>
<br>
I explain the upgrade steps in my page:<br>
<br>
<a href="https://www.gniibe.org/FST-01/q_and_a/neug_overrides_gnuk.html" rel="noreferrer" target="_blank">https://www.gniibe.org/FST-01/<wbr>q_and_a/neug_overrides_gnuk.ht<wbr>ml</a><br>
<br>
Although It's for FST-01 and the firmare change to NeuG, it's useful<br>
for other cases.<br>
<br>
In the tool directory, we use upgrade_by_passwd.py (with reGNUal).<br>
<br>
For upgrade, please don't use gnuk_put_binary_libusb.py. Please use<br>
upgrade_by_passwd.py instead.<br>
<br>
You already filled the slot of 0, you can use 1..3 with -k option.<br>
<span><font color="#888888">--<br>
<br></font></span></blockquote><div><br></div><div>I followed instructions from here: <a href="http://no-passwd.net/askbot/question/34/how-gnuk-supports-firmware-upgrade/" target="_blank">http://no-passwd.net/askbot/<wbr>question/34/how-gnuk-supports-<wbr>firmware-upgrade/</a>.<br><br></div><div>When trying the upgrade with password script, this happens:<br><br>$ sudo python2 ./upgrade_by_passwd.py -f -k 4 ../regnual/regnual.bin ../src/build/gnuk.bin <br>../regnual/regnual.bin: 4372<br>../src/build/gnuk.bin: 110592<br>CRC32: 8d82b2df<br><br>Device: <br>Configuration: 1<br>Interface: 0<br>Traceback (most recent call last):<br> File "./upgrade_by_passwd.py", line 130, in <module><br> main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])<br> File "./upgrade_by_passwd.py", line 48, in main<br> gnuk.cmd_write_binary(1+keyno, rsa_raw_pubkey, False)<br> File "/home/remy/repo/gnuk/tool/gnuk_token.py", line 288, in cmd_write_binary<br> raise ValueError("cmd_write_binary 1", "%02x%02x" % (sw[0], sw[1]))<br>ValueError: ('cmd_write_binary 1', '6581')<br><br><br>$ sudo python2 ./upgrade_by_passwd.py -f -k 3 ../regnual/regnual.bin ../src/build/gnuk.bin <br>../regnual/regnual.bin: 4372<br>../src/build/gnuk.bin: 110592<br>CRC32: 8d82b2df<br><br>Device: <br>Configuration: 1<br>Interface: 0<br>Traceback (most recent call last):<br> File "./upgrade_by_passwd.py", line 130, in <module><br> main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])<br> File "./upgrade_by_passwd.py", line 48, in main<br> gnuk.cmd_write_binary(1+keyno, rsa_raw_pubkey, False)<br> File "/home/remy/repo/gnuk/tool/gnuk_token.py", line 288, in cmd_write_binary<br> raise ValueError("cmd_write_binary 1", "%02x%02x" % (sw[0], sw[1]))<br>ValueError: ('cmd_write_binary 1', '6581')<br><br>$ sudo python2 ./upgrade_by_passwd.py -f -k 2 ../regnual/regnual.bin ../src/build/gnuk.bin <br>../regnual/regnual.bin: 4372<br>../src/build/gnuk.bin: 110592<br>CRC32: 8d82b2df<br><br>Device: <br>Configuration: 1<br>Interface: 0<br>Traceback (most recent call last):<br> File "./upgrade_by_passwd.py", line 130, in <module><br> main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])<br> File "./upgrade_by_passwd.py", line 48, in main<br> gnuk.cmd_write_binary(1+keyno, rsa_raw_pubkey, False)<br> File "/home/remy/repo/gnuk/tool/gnuk_token.py", line 288, in cmd_write_binary<br> raise ValueError("cmd_write_binary 1", "%02x%02x" % (sw[0], sw[1]))<br>ValueError: ('cmd_write_binary 1', '6581')<br><br><br>$ sudo python2 ./upgrade_by_passwd.py -f -k 1 ../regnual/regnual.bin ../src/build/gnuk.bin <br>../regnual/regnual.bin: 4372<br>../src/build/gnuk.bin: 110592<br>CRC32: 8d82b2df<br><br>Device: <br>Configuration: 1<br>Interface: 0<br>Traceback (most recent call last):<br> File "./upgrade_by_passwd.py", line 130, in <module><br> main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])<br> File "./upgrade_by_passwd.py", line 48, in main<br> gnuk.cmd_write_binary(1+keyno, rsa_raw_pubkey, False)<br> File "/home/remy/repo/gnuk/tool/gnuk_token.py", line 288, in cmd_write_binary<br> raise ValueError("cmd_write_binary 1", "%02x%02x" % (sw[0], sw[1]))<br>ValueError: ('cmd_write_binary 1', '6581')<br><br><br><br><br></div><div>When I try the normal upgrade script, this is the output:<br><br>$ sudo python2 ./gnuk_upgrade.py -k CB1522E739DD4E26F86EBC732B58AFBDA3059107 ../regnual/regnual.bin ../src/build/gnuk.bin <br>../regnual/regnual.bin: 4372<br>../src/build/gnuk.bin: 110592<br>CRC32: 8d82b2df<br><br>Device: <br>Configuration: 1<br>Interface: 0<br>Traceback (most recent call last):<br> File "./gnuk_upgrade.py", line 148, in <module><br> main(keyno, keygrip, data_regnual, data_upgrade[4096:])<br> File "./gnuk_upgrade.py", line 95, in main<br> signed = gpg_sign(keygrip, binascii.hexlify(challenge))<br> File "./gnuk_upgrade.py", line 64, in gpg_sign<br> pos = signed.index("D (7:sig-val(3:rsa(1:s256:") + 26<br>ValueError: substring not found<br><br><br><br>$ sudo python2 ./gnuk_upgrade.py -k A3AEC6213744980307D8A5507E50E9F2F3631853 ../regnual/regnual.bin ../src/build/gnuk.bin <br>../regnual/regnual.bin: 4372<br>../src/build/gnuk.bin: 110592<br>CRC32: 8d82b2df<br><br>Device: <br>Configuration: 1<br>Interface: 0<br>Traceback (most recent call last):<br> File "./gnuk_upgrade.py", line 148, in <module><br> main(keyno, keygrip, data_regnual, data_upgrade[4096:])<br> File "./gnuk_upgrade.py", line 95, in main<br> signed = gpg_sign(keygrip, binascii.hexlify(challenge))<br> File "./gnuk_upgrade.py", line 64, in gpg_sign<br> pos = signed.index("D (7:sig-val(3:rsa(1:s256:") + 26<br>ValueError: substring not found<br><br></div><div><br></div><div>I suspect that those two keys are the firmware update keys, but I'm not sure. I'm not even sure if they were put in correctly because of the earlier error messages. Both keys are available:<br><br>$ gpg-connect-agent "READKEY A3AEC6213744980307D8A5507E50E9F2F3631853" /bye<br>D (10:public-key(3:rsa(1:n257:��+r�<br><br>$ gpg-connect-agent "READKEY CB1522E739DD4E26F86EBC732B58AFBDA3059107" /bye<br>D (10:public-key(3:rsa(1:n257:�5��<br><br></div><div>If there is no way to see or wipe the current keys for firmware update via USB, is there another way to reset the token fully?<br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span><font color="#888888">
______________________________<wbr>_________________<br>
gnuk-users mailing list<br>
<a href="mailto:gnuk-users@lists.alioth.debian.org" target="_blank">gnuk-users@lists.alioth.debian<wbr>.org</a><br>
<a href="https://lists.alioth.debian.org/mailman/listinfo/gnuk-users" rel="noreferrer" target="_blank">https://lists.alioth.debian.or<wbr>g/mailman/listinfo/gnuk-users</a><br>
</font></span></blockquote></div><br></div></div>