[Gnuk-users] Upgrading gnuk on a nitrokey start

NIIBE Yutaka gniibe at fsij.org
Tue Aug 16 01:17:27 UTC 2016


Hello,

In general, I recommend using an SWD debugger to upgrade the firmware.
That's because there may be various possible errors, and having a
recovery method is important.

While upgrading through USB is possible, it's not easy.  A simple
mistake can result in an unusable device (and recovering requires an SWD
debugger).

On 08/15/2016 07:40 PM, Remy van Elst wrote:
> I'm trying to upgrade a nitrokey start with the latest gnuk. Compilation
> for the board goes without issues or warnings, but trying to upload a
> public key or the actual firmware fails.

Please note that I don't get any feedback from Nitrokey on whether Gnuk 1.2
works well.  I hope you will be the first. :-)

> I did change the VENDOR ID from the FST-01 to the Nitrokey (claylogic):
> 
> USB_VENDOR_FSIJ=0x20a0
> USB_PRODUCT_GNUK=0x4211

Please change tool/gnuk_token.py and tool/usb_strings.py.

Please note that we use reGNUal in the upgrading process.  The setting
of permission with your USB ID is required for reGNUal too.

I don't have any experience with upgrading with a different USB ID.  I
think that it would be natural to use the same USB ID as Gnuk for reGNUal
too.

> After the change the usb_strings script sees the token:
> 
> root@ubuntu:~/gnuk# ./tool/usb_strings.py
> Device: 004
>     Vendor: Nitrokey
>    Product: Nitrokey Start
>     Serial: FSIJ-1.0.4-52FF6E06
>   Revision: release/1.0.4-6-g739e00e
>     Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=yes:keygen=yes
>        Sys: 1.0

So far, good.

> But the binary upload fails:
> 
> root@ubuntu:~/gnuk# ./tool/gnuk_put_binary_libusb.py -k 0 6B864105.bin
> Device: 004
> Configuration: 1
> Interface: 0
> Traceback (most recent call last):
>   File "./tool/gnuk_put_binary_libusb.py", line 110, in <module>
>     main(fileid, is_update, data, passwd)
>   File "./tool/gnuk_put_binary_libusb.py", line 53, in main
>     gnuk.cmd_write_binary(fileid, data, is_update)
>   File "/root/gnuk/tool/gnuk_token.py", line 288, in cmd_write_binary
>     raise ValueError("cmd_write_binary 1", "%02x%02x" % (sw[0], sw[1]))
> ValueError: ('cmd_write_binary 1', '6581')

The slot for the key is already occupied, thus the failure.  Please note that
there are four slots (0 to 3), which are write-only.  Once written,
you can't modify them.

The tool/gnuk_put_binary_libusb.py is a lower-level script which is not
intended to be used by normal users.  It can register an RSA-2048 key;
it's only a single step of the firmware upgrade.

I explain the upgrade steps in my page:

    https://www.gniibe.org/FST-01/q_and_a/neug_overrides_gnuk.html

Although it's for FST-01 and the firmware change to NeuG, it's useful
for other cases.

In the tool directory, we use upgrade_by_passwd.py (with reGNUal).

For upgrade, please don't use gnuk_put_binary_libusb.py.  Please use
upgrade_by_passwd.py instead.

You already filled slot 0; you can use 1..3 with the -k option.