[Gnuk-users] Upgrading gnuk on a nitrokey start

Remy van Elst relst at relst.nl
Tue Oct 11 15:33:16 UTC 2016


Small update,

I fried one Nitrokey when trying to solder on the ST Link headers. Bummer.

I hot-air desoldered a USB header from an old motherboard in the e-waste
bin and used the standard USB pinout, which, surprisingly, worked
(https://i.imgur.com/PQ7QG2B.png).

The stm32flash tool was unable to remove the flash protection:

    $ sudo stm32flash -u  /dev/ttyUSB0
    stm32flash 0.5

    http://stm32flash.sourceforge.net/

    Interface serial_posix: 57600 8E1
    Version      : 0x22
    Option 1     : 0x00
    Option 2     : 0x00
    Device ID    : 0x0410 (STM32F10xxx Medium-density)
    - RAM        : 20KiB  (512b reserved by bootloader)
    - Flash      : 128KiB (size first sector: 4x1024)
    - Option RAM : 16b
    - System RAM : 2KiB
    Write-unprotecting flash
    Got NACK from device on command 0x73
    Done.

so I had to use the Windows ST Demo loader tool. It worked, and I'm able to
flash the gnuk 1.2 release to the Nitrokey start. (Not the fried one,
another one). That seems to work so far:



    $ gpg --card-status

    Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.1-87042430) 00 00
    Application ID ...: D276000124010200FFFE870424300000
    Version ..........: 2.0
    Manufacturer .....: unmanaged S/N range
    Serial number ....: 87042430
    Name of cardholder: [not set]
    Language prefs ...: [not set]
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: forced
    Key attributes ...: rsa2048 rsa2048 rsa2048
    Max. PIN lengths .: 127 127 127
    PIN retry counter : 3 3 3
    Signature counter : 4
    Signature key ....: 3D1B 8501 882B EA0D D813  6CAC 1437 62A5 87BD 54FE
          created ....: 2016-10-11 15:06:29
    Encryption key....: 9898 208B 7876 4F65 A06E  3E65 637A 80D6 31D5 21C2
          created ....: 2016-10-11 15:06:29
    Authentication key: 2141 3E30 8EFF F2D0 FB3D  4C9E DA3D F5B9 7130 1532
          created ....: 2016-10-11 15:06:29
    General key info..: pub  rsa2048/0x143762A587BD54FE 2016-10-11 Remy test (Test gnuk1.2) <remy at test.nl>
    sec>  rsa2048/0x143762A587BD54FE  created: 2016-10-11  expires: 2016-10-18
                                      card-no: FFFE 87042430
    ssb>  rsa2048/0xDA3DF5B971301532  created: 2016-10-11  expires: 2016-10-18
                                      card-no: FFFE 87042430
    ssb>  rsa2048/0x637A80D631D521C2  created: 2016-10-11  expires: 2016-10-18
                                      card-no: FFFE 87042430



After flashing it with the Windows tool, stm32flash does work:



    $ sudo stm32flash -w build/gnuk.bin -g 0x0 /dev/ttyUSB0
    stm32flash 0.5

    http://stm32flash.sourceforge.net/

    Using Parser : Raw BINARY
    Interface serial_posix: 57600 8E1
    Version      : 0x22
    Option 1     : 0x00
    Option 2     : 0x00
    Device ID    : 0x0410 (STM32F10xxx Medium-density)
    - RAM        : 20KiB  (512b reserved by bootloader)
    - Flash      : 128KiB (size first sector: 4x1024)
    - Option RAM : 16b
    - System RAM : 2KiB
    Write to memory
    Erasing memory
    Wrote address 0x0801b000 (100.00%) Done.

    Starting execution at address 0x08000000... done.

I can also place an ecc 25519 key on the device:

    $ gpg --card-status

    Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.1-87042430) 00 00
    Application ID ...: D276000124010200FFFE870424300000
    Version ..........: 2.0
    Manufacturer .....: unmanaged S/N range
    Serial number ....: 87042430
    Name of cardholder: [not set]
    Language prefs ...: [not set]
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: forced
    Key attributes ...: ed25519 rsa2048 rsa2048
    Max. PIN lengths .: 127 127 127
    PIN retry counter : 3 3 3
    Signature counter : 0
    Signature key ....: 3678 F2EE 1CCB 4B24 B107  38BA 101D 491F 08E7 FD60
          created ....: 2016-10-11 15:31:27
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: pub  ed25519/0x101D491F08E7FD60 2016-10-11 test remy ecc (gnuk 1.2) <nitrokey at raymii.nl>
    sec>  ed25519/0x101D491F08E7FD60  created: 2016-10-11  expires: 2016-10-18
                                      card-no: FFFE 87042430


Yay!




https://raymii.org

On Fri, Sep 16, 2016 at 3:26 PM, NIIBE Yutaka <gniibe at fsij.org> wrote:

> Hello, Jan,
>
> On 09/16/2016 05:38 PM, Jan Suhr wrote:
> > Nitrokey Start hardware is based on FST-01. In particular the MCU is
> > identical. The main differences are:
> > - No external flash
> > - Different pinning. See:
> > https://github.com/Nitrokey/nitrokey-start-firmware/commit/c98d6cbc4a225f10bca8f2d7b86effcbdcf534f4
> >
> > Do you think the different pinning may be a cause for the update issue?
>
> Thanks for the pointer.
>
> The file is a bit different to the one in Chopstx (Gnuk 1.2).
>
> https://git.gniibe.org/gitweb/?p=chopstx/chopstx.git;a=commitdiff;h=8650bde8a056ca8d7954837bfd6692958e263634;hp=6e7334dcfff83898ff6b8568bf24c6fe90deaa9c
>
> I had thought that it's because of a revision change of the hardware.  If it
> is the same hardware, I think that Gnuk 1.0 on Nitrokey Start doesn't work
> well with upgrade through USB.
>
> One of my friends kindly showed me the board of Nitrokey Start.
> I also examined the KiCAD schematic of:
>
>     https://github.com/Nitrokey/nitrokey-pro-hardware
>
> Well, examining a schematic is not that easy, even for such a simple
> one.
>
> PA9 and PA10 are connected to USB-D- and USB-D+.  And with the
> configuration of Gnuk 1.0 for Nitrokey Start, those pins of PA9 and
> PA10 are pulled up by Vdd.  I think that this interferes with the USB
> shutdown and re-enumeration process of USB upgrade.
>
> I think that the configuration of Gnuk 1.2 for Nitrokey Start is
> better.
>
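
The identity fields in the `gpg --card-status` output in the message above can be cross-checked after a reflash. This is an added example, not part of the original message or of Gnuk. It assumes the reader string has the form `FSIJ-<version>-<serial>` as in the output shown, that this serial equals the card serial (as it does there), and the OpenPGP card AID layout of RID, version, manufacturer and serial; `field`, `aid_part` and `check_token` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample: identity lines copied from the card status shown in the post.
SAMPLE_STATUS='Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.1-87042430) 00 00
Application ID ...: D276000124010200FFFE870424300000
Version ..........: 2.0
Serial number ....: 87042430
Key attributes ...: ed25519 rsa2048 rsa2048'

# Print the value of the first line whose label starts with $2.
field() {  # $1 = status text, $2 = label
    printf '%s\n' "$1" | sed -n "s/^ *$2[ .]*: *//p" | head -n 1
}

# Print characters $2..$3 (1-based) of the AID hex string $1.
aid_part() {
    printf '%s\n' "$1" | cut -c "$2-$3"
}

# Cross-check reader string, AID and serial; $2 is the expected firmware
# version or a dotted prefix of it (1.2 accepts 1.2.1 but not 1.20).
check_token() {
    reader=$(field "$1" 'Reader')
    aid=$(field "$1" 'Application ID')
    serial=$(field "$1" 'Serial number')
    # Assumed reader-string format: (FSIJ-<version>-<serial>)
    fw=$(printf '%s\n' "$reader" |
        sed -n 's/.*(FSIJ-\([0-9.]*\)-[0-9A-Fa-f]*).*/\1/p')
    usb_serial=$(printf '%s\n' "$reader" |
        sed -n 's/.*(FSIJ-[0-9.]*-\([0-9A-Fa-f]*\)).*/\1/p')

    [ "${#aid}" -eq 32 ] || { echo "AID is not 16 bytes"; return 1; }
    # Bytes 1-6: OpenPGP application identifier (RID + PIX).
    [ "$(aid_part "$aid" 1 12)" = "D27600012401" ] ||
        { echo "not an OpenPGP card AID"; return 1; }
    # Bytes 11-14 of the AID carry the card serial number.
    [ "$(aid_part "$aid" 21 28)" = "$serial" ] ||
        { echo "AID serial differs from Serial number"; return 1; }
    [ "$usb_serial" = "$serial" ] ||
        { echo "reader serial differs from card serial"; return 1; }
    case "$fw" in
        "$2"|"$2".*) ;;
        *) echo "firmware '$fw', expected $2"; return 1 ;;
    esac
    echo "ok fw=$fw manufacturer=$(aid_part "$aid" 17 20) serial=$serial"
}

# Against a real token: check_token "$(gpg --card-status)" 1.2
check_token "$SAMPLE_STATUS" 1.2
```

A mismatch between the three serial fields, or a version string that does not match the release just flashed, means the token is not running the expected image or the wrong device is plugged in.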