[Gnuk-users] Upgrading gnuk on a nitrokey start
Jan Suhr | Nitrokey
jan at nitrokey.com
Fri Dec 16 10:27:13 UTC 2016
Hi Remy,
we prepared a fix for regnual to enable updating a Nitrokey Start. It is
here:
https://github.com/Nitrokey/nitrokey-start-firmware/tree/gnuk1.2-regnual-fix
Please let me know if it works for you.
Best regards,
Jan
On 12.10.2016 19:50, Remy van Elst wrote:
> I tried to do the update with the provided scripts, but that failed with the same symptoms as before. The green LED keeps blinking, waiting a few minutes doesn't give any progress and after reinsertion the Nitrokey seems to not do anything. A DFU flash fixes that.
>
> Before the upgrade
>
> $ python2 usb_strings.py
> Device:
> Vendor:
> Product: Nitrokey
> Serial: FSIJ-1.2.1-87042430
> Revision: release/1.2.1-1-g2b784cb-modified
> Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=no
> Sys: 3.0
>
> Running the update:
>
> $ python2 upgrade_by_passwd.py -f ../regnual/regnual.bin ../src/build/gnuk.bin
> ../regnual/regnual.bin: 4412
> ../src/build/gnuk.bin: 110592
> CRC32: 303d2f62
>
> Device:
> Configuration: 1
> Interface: 0
> 20002800:20005000
> Downloading flash upgrade program...
> start 20002800
> end 20003900
> Run flash upgrade program...
> Wait 1 seconds...
> Wait 1 seconds...
> Wait 1 seconds...
> [...] #repeats until cancelled
>
> ^CTraceback (most recent call last):
> File "upgrade_by_passwd.py", line 130, in <module>
> main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
> File "upgrade_by_passwd.py", line 73, in main
> time.sleep(wait_e)
> KeyboardInterrupt
>
> dmesg output during the update:
>
> [ 2464.228628] usb 2-1.2: USB disconnect, device number 4
> [ 2468.101333] usb 1-1.1: new full-speed USB device number 3 using ehci-pci
> [ 2541.541385] usb 1-1.1: USB disconnect, device number 3
> [ 2542.831257] usb 1-1.1: new full-speed USB device number 4 using ehci-pci
> [ 2554.745022] usb 1-1.1: USB disconnect, device number 4
> [ 2557.543186] usb 1-1.1: new full-speed USB device number 5 using ehci-pci
>
> https://raymii.org
> On Wed, Oct 12, 2016 at 1:38 PM, Jan Suhr <jan at nitrokey.com> wrote:
>
> Hi Remy,
>
> I understand your Nitrokey Start is flashed with latest Gnuk 1.2 but I'm curious if regnual would work from now on or not. Did you try to update Gnuk 1.2 via regnual? (Perhaps "update" to the same Gnuk version just for the sake of testing it.)
>
> Regards,
> Jan
>
> On 11.10.2016 17:33, Remy van Elst wrote:
>
> Small update,
>
> I fried one Nitrokey when trying to solder on the ST Link headers. Bummer.
>
> I hot-air desoldered a USB header from an old motherboard in the e-waste bin and used the standard USB pinout, which, surprisingly, worked. (https://i.imgur.com/PQ7QG2B.png [1]).
>
> The stm32flash tool was unable to remove the flash protection:
>
> $ sudo stm32flash -u /dev/ttyUSB0
> stm32flash 0.5
>
> http://stm32flash.sourceforge.net/ [2]
>
> Interface serial_posix: 57600 8E1
> Version : 0x22
> Option 1 : 0x00
> Option 2 : 0x00
> Device ID : 0x0410 (STM32F10xxx Medium-density)
> - RAM : 20KiB (512b reserved by bootloader)
> - Flash : 128KiB (size first sector: 4x1024)
> - Option RAM : 16b
> - System RAM : 2KiB
> Write-unprotecting flash
> Got NACK from device on command 0x73
> Done.
>
> so I had to use the Windows ST Demo loader tool. It worked, and I'm able to flash the gnuk 1.2 release to the Nitrokey start. (Not the fried one, another one). That seems to work so far:
>
> $ gpg --card-status
>
> Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.1-87042430) 00 00
> Application ID ...: D276000124010200FFFE870424300000
> Version ..........: 2.0
> Manufacturer .....: unmanaged S/N range
> Serial number ....: 87042430
> Name of cardholder: [not set]
> Language prefs ...: [not set]
> Sex ..............: unspecified
> URL of public key : [not set]
> Login data .......: [not set]
> Signature PIN ....: forced
> Key attributes ...: rsa2048 rsa2048 rsa2048
> Max. PIN lengths .: 127 127 127
> PIN retry counter : 3 3 3
> Signature counter : 4
> Signature key ....: 3D1B 8501 882B EA0D D813 6CAC 1437 62A5 87BD 54FE
> created ....: 2016-10-11 15:06:29
> Encryption key....: 9898 208B 7876 4F65 A06E 3E65 637A 80D6 31D5 21C2
> created ....: 2016-10-11 15:06:29
> Authentication key: 2141 3E30 8EFF F2D0 FB3D 4C9E DA3D F5B9 7130 1532
> created ....: 2016-10-11 15:06:29
> General key info..: pub rsa2048/0x143762A587BD54FE 2016-10-11 Remy test (Test gnuk1.2) <remy at test.nl>
> sec> rsa2048/0x143762A587BD54FE created: 2016-10-11 expires: 2016-10-18
> card-no: FFFE 87042430
> ssb> rsa2048/0xDA3DF5B971301532 created: 2016-10-11 expires: 2016-10-18
> card-no: FFFE 87042430
> ssb> rsa2048/0x637A80D631D521C2 created: 2016-10-11 expires: 2016-10-18
> card-no: FFFE 87042430
>
> After flashing it with the Windows tool, stm32flash does work:
>
> $ sudo stm32flash -w build/gnuk.bin -g 0x0 /dev/ttyUSB0
> stm32flash 0.5
>
> http://stm32flash.sourceforge.net/ [2]
>
> Using Parser : Raw BINARY
> Interface serial_posix: 57600 8E1
> Version : 0x22
> Option 1 : 0x00
> Option 2 : 0x00
> Device ID : 0x0410 (STM32F10xxx Medium-density)
> - RAM : 20KiB (512b reserved by bootloader)
> - Flash : 128KiB (size first sector: 4x1024)
> - Option RAM : 16b
> - System RAM : 2KiB
> Write to memory
> Erasing memory
> Wrote address 0x0801b000 (100.00%) Done.
>
> Starting execution at address 0x08000000... done.
>
> I can also place an ecc 25519 key on the device:
>
> $ gpg --card-status
>
> Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.1-87042430) 00 00
> Application ID ...: D276000124010200FFFE870424300000
> Version ..........: 2.0
> Manufacturer .....: unmanaged S/N range
> Serial number ....: 87042430
> Name of cardholder: [not set]
> Language prefs ...: [not set]
> Sex ..............: unspecified
> URL of public key : [not set]
> Login data .......: [not set]
> Signature PIN ....: forced
> Key attributes ...: ed25519 rsa2048 rsa2048
> Max. PIN lengths .: 127 127 127
> PIN retry counter : 3 3 3
> Signature counter : 0
> Signature key ....: 3678 F2EE 1CCB 4B24 B107 38BA 101D 491F 08E7 FD60
> created ....: 2016-10-11 15:31:27
> Encryption key....: [none]
> Authentication key: [none]
> General key info..: pub ed25519/0x101D491F08E7FD60 2016-10-11 test remy ecc (gnuk 1.2) <nitrokey at raymii.nl>
> sec> ed25519/0x101D491F08E7FD60 created: 2016-10-11 expires: 2016-10-18
> card-no: FFFE 87042430
>
> Yay!
>
> https://raymii.org
> On Fri, Sep 16, 2016 at 3:26 PM, NIIBE Yutaka <gniibe at fsij.org> wrote:
> Hello, Jan,
>
> On 09/16/2016 05:38 PM, Jan Suhr wrote:
>> Nitrokey Start hardware is based on FST-01. In particular the MCU is
>> identical. The main differences are:
>> - No external flash
>> - Different pinning. See:
>> https://github.com/Nitrokey/nitrokey-start-firmware/commit/c98d6cbc4a225f10bca8f2d7b86effcbdcf534f4 [3]
>>
>> Do you think the different pinning may be a cause for the update issue?
>
> Thanks for the pointer.
>
> The file is a bit different to the one in Chopstx (Gnuk 1.2).
>
> https://git.gniibe.org/gitweb/?p=chopstx/chopstx.git;a=commitdiff;h=8650bde8a056ca8d7954837bfd6692958e263634;hp=6e7334dcfff83898ff6b8568bf24c6fe90deaa9c [4]
>
> I had thought that it's because of a revision change of the hardware. If it
> is the same hardware, I think that Gnuk 1.0 on Nitrokey Start doesn't work
> well with upgrade through USB.
>
> One of my friends kindly showed me the board of Nitrokey Start.
> I also examined the KiCAD schematic of:
>
> https://github.com/Nitrokey/nitrokey-pro-hardware [5]
>
> Well, examining a schematic is not that easy, even for such a simple
> one.
>
> PA9 and PA10 are connected to USB-D- and USB-D+. And with the
> configuration of Gnuk 1.0 for Nitrokey Start, those pins, PA9 and
> PA10, are pulled up by Vdd. I think that this interferes with the USB
> shutdown and re-enumeration process of USB upgrade.
>
> I think that the configuration of Gnuk 1.2 for Nitrokey Start is
> better.
> --
>
> _______________________________________________
> gnuk-users mailing list
> gnuk-users at lists.alioth.debian.org
> https://lists.alioth.debian.org/mailman/listinfo/gnuk-users [6]
Links:
------
[1] https://i.imgur.com/PQ7QG2B.png
[2] http://stm32flash.sourceforge.net/
[3] https://github.com/Nitrokey/nitrokey-start-firmware/commit/c98d6cbc4a225f10bca8f2d7b86effcbdcf534f4
[4] https://git.gniibe.org/gitweb/?p=chopstx/chopstx.git;a=commitdiff;h=8650bde8a056ca8d7954837bfd6692958e263634;hp=6e7334dcfff83898ff6b8568bf24c6fe90deaa9c
[5] https://github.com/Nitrokey/nitrokey-pro-hardware
[6] https://lists.alioth.debian.org/mailman/listinfo/gnuk-users
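
An added example, not part of the original thread or of the Gnuk tooling: a check that the token which re-enumerates after a firmware upgrade is the same device and reports the expected build, by parsing the usb_strings.py fields and the OpenPGP Application ID quoted above. The function names are hypothetical, and the "vendor-version-serial" layout of the USB serial string is an assumption inferred from the output in this thread.

```python
import re

# Constructed sample input: values copied from the transcripts in this thread.
USB_STRINGS = """\
Product: Nitrokey
Serial: FSIJ-1.2.1-87042430
Revision: release/1.2.1-1-g2b784cb-modified
Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=no
Sys: 3.0
"""
CARD_AID = "D276000124010200FFFE870424300000"


def parse_usb_strings(text):
    """Turn 'Key: value' lines into a dict and split the Serial and Config fields."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    fields = {k.strip(): v.strip() for k, v in pairs}
    # Assumed layout, inferred from the thread: <vendor>-<version>-<serial>
    vendor, version, serial = fields["Serial"].split("-", 2)
    # Config is the build target followed by colon-separated key=value options.
    target, *opts = fields["Config"].split(":")
    return {
        "vendor": vendor, "version": version, "serial": serial,
        "target": target, "options": dict(o.split("=", 1) for o in opts),
        # A '-modified' suffix means the build tree had local changes.
        "modified": fields["Revision"].endswith("-modified"),
    }


def parse_aid(aid_hex):
    """Split a 16-byte OpenPGP card AID into its fixed-width fields."""
    aid = aid_hex.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", aid):
        raise ValueError("AID must be 16 bytes of hex")
    # RID D276000124 followed by application byte 01 identifies OpenPGP.
    if aid[:12] != "D27600012401":
        raise ValueError("not an OpenPGP card application")
    major, minor = (aid[i:i + 2].lstrip("0") or "0" for i in (12, 14))
    return {
        "spec_version": major + "." + minor,  # gpg prints this as "Version"
        "manufacturer": aid[16:20],           # shown by gpg in "card-no"
        "serial": aid[20:28],
    }


def same_token(usb, aid):
    """True when the USB descriptor and the card AID carry the same serial."""
    return usb["serial"].upper() == aid["serial"]
```

Running the same comparison before and after an upgrade also shows whether the options in Config (dfu, debug) changed with the new image.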