[Gnuk-users] Upgrading gnuk on a nitrokey start

Remy van Elst relst at relst.nl
Tue Oct 11 16:26:41 UTC 2016


I've written a small guide for anyone else with a bricked nitrokey:

https://raymii.org/s/tutorials/Nitrokey_gnuk_firmware_update_via_DFU.html



https://raymii.org

On Tue, Oct 11, 2016 at 5:33 PM, Remy van Elst <relst at relst.nl> wrote:

> Small update,
>
> I fried one Nitrokey when trying to solder on the ST Link headers. Bummer.
>
> I hot-air desoldered a USB header from an old motherboard in the e-waste
> bin and used the standard USB pinout, which, surprisingly, worked
> (https://i.imgur.com/PQ7QG2B.png).
>
> The stm32flash tool was unable to remove the flash protection:
>
>     $ sudo stm32flash -u  /dev/ttyUSB0
>     stm32flash 0.5
>
>     http://stm32flash.sourceforge.net/
>
>     Interface serial_posix: 57600 8E1
>     Version      : 0x22
>     Option 1     : 0x00
>     Option 2     : 0x00
>     Device ID    : 0x0410 (STM32F10xxx Medium-density)
>     - RAM        : 20KiB  (512b reserved by bootloader)
>     - Flash      : 128KiB (size first sector: 4x1024)
>     - Option RAM : 16b
>     - System RAM : 2KiB
>     Write-unprotecting flash
>     Got NACK from device on command 0x73
>     Done.
>
> so I had to use the Windows ST Demo loader tool. It worked, and I'm able
> to flash the gnuk 1.2 release to the Nitrokey start. (Not the fried one,
> another one). That seems to work so far:
>
>     $ gpg --card-status
>
>     Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.1-87042430) 00 00
>     Application ID ...: D276000124010200FFFE870424300000
>     Version ..........: 2.0
>     Manufacturer .....: unmanaged S/N range
>     Serial number ....: 87042430
>     Name of cardholder: [not set]
>     Language prefs ...: [not set]
>     Sex ..............: unspecified
>     URL of public key : [not set]
>     Login data .......: [not set]
>     Signature PIN ....: forced
>     Key attributes ...: rsa2048 rsa2048 rsa2048
>     Max. PIN lengths .: 127 127 127
>     PIN retry counter : 3 3 3
>     Signature counter : 4
>     Signature key ....: 3D1B 8501 882B EA0D D813  6CAC 1437 62A5 87BD 54FE
>           created ....: 2016-10-11 15:06:29
>     Encryption key....: 9898 208B 7876 4F65 A06E  3E65 637A 80D6 31D5 21C2
>           created ....: 2016-10-11 15:06:29
>     Authentication key: 2141 3E30 8EFF F2D0 FB3D  4C9E DA3D F5B9 7130 1532
>           created ....: 2016-10-11 15:06:29
>     General key info..: pub  rsa2048/0x143762A587BD54FE 2016-10-11 Remy test (Test gnuk1.2) <remy at test.nl>
>     sec>  rsa2048/0x143762A587BD54FE  created: 2016-10-11  expires: 2016-10-18
>                                       card-no: FFFE 87042430
>     ssb>  rsa2048/0xDA3DF5B971301532  created: 2016-10-11  expires: 2016-10-18
>                                       card-no: FFFE 87042430
>     ssb>  rsa2048/0x637A80D631D521C2  created: 2016-10-11  expires: 2016-10-18
>                                       card-no: FFFE 87042430
>
>
>
> After flashing it with the Windows tool, stm32flash does work:
>
>
>
>     $ sudo stm32flash -w build/gnuk.bin -g 0x0 /dev/ttyUSB0
>     stm32flash 0.5
>
>     http://stm32flash.sourceforge.net/
>
>     Using Parser : Raw BINARY
>     Interface serial_posix: 57600 8E1
>     Version      : 0x22
>     Option 1     : 0x00
>     Option 2     : 0x00
>     Device ID    : 0x0410 (STM32F10xxx Medium-density)
>     - RAM        : 20KiB  (512b reserved by bootloader)
>     - Flash      : 128KiB (size first sector: 4x1024)
>     - Option RAM : 16b
>     - System RAM : 2KiB
>     Write to memory
>     Erasing memory
>     Wrote address 0x0801b000 (100.00%) Done.
>
>     Starting execution at address 0x08000000... done.
>
> I can also place an ecc 25519 key on the device:
>
>     $ gpg --card-status
>
>     Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.1-87042430) 00 00
>     Application ID ...: D276000124010200FFFE870424300000
>     Version ..........: 2.0
>     Manufacturer .....: unmanaged S/N range
>     Serial number ....: 87042430
>     Name of cardholder: [not set]
>     Language prefs ...: [not set]
>     Sex ..............: unspecified
>     URL of public key : [not set]
>     Login data .......: [not set]
>     Signature PIN ....: forced
>     Key attributes ...: ed25519 rsa2048 rsa2048
>     Max. PIN lengths .: 127 127 127
>     PIN retry counter : 3 3 3
>     Signature counter : 0
>     Signature key ....: 3678 F2EE 1CCB 4B24 B107  38BA 101D 491F 08E7 FD60
>           created ....: 2016-10-11 15:31:27
>     Encryption key....: [none]
>     Authentication key: [none]
>     General key info..: pub  ed25519/0x101D491F08E7FD60 2016-10-11 test remy ecc (gnuk 1.2) <nitrokey at raymii.nl>
>     sec>  ed25519/0x101D491F08E7FD60  created: 2016-10-11  expires: 2016-10-18
>                                       card-no: FFFE 87042430
>
>
> Yay!
>
>
>
>
> https://raymii.org
>
> On Fri, Sep 16, 2016 at 3:26 PM, NIIBE Yutaka <gniibe at fsij.org> wrote:
>
>> Hello, Jan,
>>
>> On 09/16/2016 05:38 PM, Jan Suhr wrote:
>> > Nitrokey Start hardware is based on FST-01. In particular the MCU is
>> > identical. The main differences are:
>> > - No external flash
>> > - Different pinning. See:
>> > https://github.com/Nitrokey/nitrokey-start-firmware/commit/c98d6cbc4a225f10bca8f2d7b86effcbdcf534f4
>> >
>> > Do you think the different pinning may be a cause for the update issue?
>>
>> Thanks for the pointer.
>>
>> The file is a bit different to the one in Chopstx (Gnuk 1.2).
>>
>> https://git.gniibe.org/gitweb/?p=chopstx/chopstx.git;a=commitdiff;h=8650bde8a056ca8d7954837bfd6692958e263634;hp=6e7334dcfff83898ff6b8568bf24c6fe90deaa9c
>>
>> I had thought that it's because of a revision change of the hardware.  If it
>> is the same hardware, I think that Gnuk 1.0 on Nitrokey Start doesn't work
>> well with upgrade through USB.
>>
>> One of my friends kindly showed me the board of Nitrokey Start.
>> I also examined the KiCAD schematic of:
>>
>>     https://github.com/Nitrokey/nitrokey-pro-hardware
>>
>> Well, examining a schematic is not that easy, even for such a simple
>> one.
>>
>> PA9 and PA10 are connected to USB-D- and USB-D+.  And with the
>> configuration of Gnuk 1.0 for Nitrokey Start, those pins, PA9 and
>> PA10, are pulled up by Vdd.  I think that this interferes with the USB
>> shutdown and re-enumeration process of the USB upgrade.
>>
>> I think that the configuration of Gnuk 1.2 for Nitrokey Start is
>> better.
>
>
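
A post-flash consistency check for the `gpg --card-status` output quoted in this thread, added here as an example; it is not part of any poster's message and not Gnuk or Nitrokey code. It assumes the reader string has the form `FSIJ-<firmware version>-<serial>` as in the output above; the function names and the trimmed sample input are constructed.

```python
import re

# Constructed sample: trimmed `gpg --card-status` output in the shape quoted above.
SAMPLE = """\
Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.1-87042430) 00 00
Application ID ...: D276000124010200FFFE870424300000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 87042430
Key attributes ...: ed25519 rsa2048 rsa2048
"""

OPENPGP_AID_PREFIX = "D27600012401"  # RID D276000124 + application 01 (OpenPGP)

def parse_status(text):
    """Map 'Label ....: value' lines to {label: value}."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"(.+?)[ .]*: (.*)$", line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def decode_aid(aid):
    """Split the 16-byte OpenPGP card AID (hex) into its fields."""
    aid = aid.upper()
    if len(aid) != 32 or not aid.startswith(OPENPGP_AID_PREFIX):
        raise ValueError("not an OpenPGP card AID")
    return {"spec_version": f"{int(aid[12:14], 16)}.{int(aid[14:16], 16)}",
            "manufacturer": aid[16:20], "serial": aid[20:28]}

def check_token(text, min_fw=(1, 2)):
    """Return a list of problems; an empty list means the fields agree."""
    f = parse_status(text)
    aid = decode_aid(f["Application ID"])
    # Assumption: the reader string embeds FSIJ-<firmware version>-<serial>.
    m = re.search(r"\(FSIJ-(\d+)\.(\d+)\.(\d+)-([0-9A-Fa-f]{8})\)", f["Reader"])
    if not m:
        return ["reader string has no FSIJ-<version>-<serial> tag"]
    problems = []
    fw = tuple(int(x) for x in m.group(1, 2, 3))
    if fw[:2] < min_fw:
        problems.append(f"firmware {fw} is older than required {min_fw}")
    if not (m.group(4).upper() == aid["serial"] == f["Serial number"].upper()):
        problems.append("serial differs between reader string, AID and status")
    if aid["spec_version"] != f["Version"]:
        problems.append("AID spec version differs from reported Version")
    return problems
```

Feeding it the real output of `gpg --card-status` after an upgrade gives a quick check that the token reports the firmware that was just flashed and that the serial is the same everywhere it appears.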