[Gnuk-users] Upgrading gnuk on a nitrokey start
Remy van Elst
relst at relst.nl
Tue Oct 11 16:26:41 UTC 2016
I've written a small guide for anyone else with a bricked nitrokey:
https://raymii.org/s/tutorials/Nitrokey_gnuk_firmware_update_via_DFU.html
https://raymii.org
On Tue, Oct 11, 2016 at 5:33 PM, Remy van Elst <relst at relst.nl> wrote:
> Small update,
>
> I fried one Nitrokey when trying to solder on the ST Link headers. Bummer.
>
> I hot-air desoldered an USB header from an old motherboard in the e-waste
> bin and used the standard USB pinout, which suprisingly, worked. (
> https://i.imgur.com/PQ7QG2B.png).
>
> The stm32flash tool was unable to remove the flash protection:
>
> $ sudo stm32flash -u /dev/ttyUSB0
> stm32flash 0.5
>
> http://stm32flash.sourceforge.net/
>
> Interface serial_posix: 57600 8E1
> Version : 0x22
> Option 1 : 0x00
> Option 2 : 0x00
> Device ID : 0x0410 (STM32F10xxx Medium-density)
> - RAM : 20KiB (512b reserved by bootloader)
> - Flash : 128KiB (size first sector: 4x1024)
> - Option RAM : 16b
> - System RAM : 2KiB
> Write-unprotecting flash
> Got NACK from device on command 0x73
> Done.
>
> so I had to use the Windows ST Demo loader tool. It worked, and I'm able
> to flash the gnuk 1.2 release to the Nitrokey start. (Not the fried one,
> another one). That seems to work so far:
>
>
>
> $ gpg --card-status
>
> Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.1-87042430) 00 00
> Application ID ...: D276000124010200FFFE870424300000
> Version ..........: 2.0
> Manufacturer .....: unmanaged S/N range
> Serial number ....: 87042430
> Name of cardholder: [not set]
> Language prefs ...: [not set]
> Sex ..............: unspecified
> URL of public key : [not set]
> Login data .......: [not set]
> Signature PIN ....: forced
> Key attributes ...: rsa2048 rsa2048 rsa2048
> Max. PIN lengths .: 127 127 127
> PIN retry counter : 3 3 3
> Signature counter : 4
> Signature key ....: 3D1B 8501 882B EA0D D813 6CAC 1437 62A5 87BD 54FE
> created ....: 2016-10-11 15:06:29
> Encryption key....: 9898 208B 7876 4F65 A06E 3E65 637A 80D6 31D5 21C2
> created ....: 2016-10-11 15:06:29
> Authentication key: 2141 3E30 8EFF F2D0 FB3D 4C9E DA3D F5B9 7130 1532
> created ....: 2016-10-11 15:06:29
> General key info..: pub rsa2048/0x143762A587BD54FE 2016-10-11 Remy
> test (Test gnuk1.2) <remy at test.nl>
> sec> rsa2048/0x143762A587BD54FE created: 2016-10-11 expires:
> 2016-10-18
> card-no: FFFE 87042430
> ssb> rsa2048/0xDA3DF5B971301532 created: 2016-10-11 expires:
> 2016-10-18
> card-no: FFFE 87042430
> ssb> rsa2048/0x637A80D631D521C2 created: 2016-10-11 expires:
> 2016-10-18
> card-no: FFFE 87042430
>
>
>
> After flashing it with the Windows tool, stm32flash does work:
>
>
>
> $ sudo stm32flash -w build/gnuk.bin -g 0x0 /dev/ttyUSB0
> stm32flash 0.5
>
> http://stm32flash.sourceforge.net/
>
> Using Parser : Raw BINARY
> Interface serial_posix: 57600 8E1
> Version : 0x22
> Option 1 : 0x00
> Option 2 : 0x00
> Device ID : 0x0410 (STM32F10xxx Medium-density)
> - RAM : 20KiB (512b reserved by bootloader)
> - Flash : 128KiB (size first sector: 4x1024)
> - Option RAM : 16b
> - System RAM : 2KiB
> Write to memory
> Erasing memory
> Wrote address 0x0801b000 (100.00%) Done.
>
> Starting execution at address 0x08000000... done.
>
> I can also place an ecc 25519 key on the device:
>
> $ gpg --card-status
>
> Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.1-87042430) 00 00
> Application ID ...: D276000124010200FFFE870424300000
> Version ..........: 2.0
> Manufacturer .....: unmanaged S/N range
> Serial number ....: 87042430
> Name of cardholder: [not set]
> Language prefs ...: [not set]
> Sex ..............: unspecified
> URL of public key : [not set]
> Login data .......: [not set]
> Signature PIN ....: forced
> Key attributes ...: ed25519 rsa2048 rsa2048
> Max. PIN lengths .: 127 127 127
> PIN retry counter : 3 3 3
> Signature counter : 0
> Signature key ....: 3678 F2EE 1CCB 4B24 B107 38BA 101D 491F 08E7 FD60
> created ....: 2016-10-11 15:31:27
> Encryption key....: [none]
> Authentication key: [none]
> General key info..: pub ed25519/0x101D491F08E7FD60 2016-10-11 test
> remy ecc (gnuk 1.2) <nitrokey at raymii.nl>
> sec> ed25519/0x101D491F08E7FD60 created: 2016-10-11 expires:
> 2016-10-18
> card-no: FFFE 87042430
>
>
> Yay!
>
>
>
>
> https://raymii.org
>
> On Fri, Sep 16, 2016 at 3:26 PM, NIIBE Yutaka <gniibe at fsij.org> wrote:
>
>> Hello, Jan,
>>
>> On 09/16/2016 05:38 PM, Jan Suhr wrote:
>> > Nitrokey Start hardware is based on FST-01. In particular the MCU is
>> > identical. The main differences are:
>> > - No external flash
>> > - Different pinning. See:
>> > https://github.com/Nitrokey/nitrokey-start-firmware/commit/c
>> 98d6cbc4a225f10bca8f2d7b86effcbdcf534f4
>> >
>> > Do you think the different pinning may be a cause for the update issue?
>>
>> Thanks for the pointer.
>>
>> The file is a bit different to the one in Chopstx (Gnuk 1.2).
>>
>> https://git.gniibe.org/gitweb/?p=chopstx/chopstx.git;a=commi
>> tdiff;h=8650bde8a056ca8d7954837bfd6692958e263634;hp=6e7334dc
>> fff83898ff6b8568bf24c6fe90deaa9c
>>
>> I had thought that it's because of revision change of hardware. If it
>> is same hardware, I think that Gnuk 1.0 on Nitrokey Start doesn't work
>> well with upgrade through USB.
>>
>> One of my friends kindly showed me the board of Nitrokey Start.
>> I also examined the KiCAD schematic of:
>>
>> https://github.com/Nitrokey/nitrokey-pro-hardware
>>
>> Well, examining schematic is not that easy, even for such a simple
>> one.
>>
>> PA9 and PA10 is connected to USB-D- and USB-D+. And with the
>> configuration of Gnuk 1.0 for Nitrokey Start, those pins of PA9 and
>> PA10 is pulled up by Vdd. I think that this interferes the USB
>> shutdown and re-enumeration process of USB upgrade.
>>
>> I think that the configuration of Gnuk 1.2 for Nitrokey Start is
>> better.
>> --
>>
>> _______________________________________________
>> gnuk-users mailing list
>> gnuk-users at lists.alioth.debian.org
>> https://lists.alioth.debian.org/mailman/listinfo/gnuk-users
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/gnuk-users/attachments/20161011/1a86bd58/attachment-0001.html>
More information about the gnuk-users
mailing list