[Gnuk-users] Upgrading gnuk on a nitrokey start
Remy van Elst
relst at relst.nl
Tue Dec 20 16:32:11 UTC 2016
> I suspect the compiler could cause this. 6.2 vs 4.9.3 is a great version
> difference (assuming this is the one from your next email). Our
> regnual's binary files' sizes are different (either compiler or
> different ./configure setting).
I use that version for the Gnuk 1.2.2-fix branch compile as well indeed. It
might very well be a breaking change then.
> Also, you have not shown in log the configuration phase. Possible other
> causes:
> - improper chopstx commit (`git submodule update` should be issued after
> checkout)
> - regnual and gnuk binaries have not been recompiled after checkout and
> ./configure command
> - vid/pid not set or set to wrong value for ./configuration script
> (defaults should be matched by upgrade script AFAIR)
I don't have my terminal log anymore, but I did a fresh checkout into a new
folder including a git submodule update. (Otherwise the chopstx folder
would be empty and the compile fails). I did also checked usb_strings.py
and gnuk_token.py because earlier versions had the FSIJ ID hardcoded in
there, but that is in a seperate file now. Therefore I do know that the
device was listed in lsusb, otherwise I woudln't know the Clay Logic ID.
My configure command for gnuk was (shell history for the win):
./configure --target=NITROKEY_START --vidpid="20a0:4211"
regnual is just a make (no ./configure file there).
Jan sent me the original nitrokey 1.0.4 firmware in compiled form:
$ md5sum nitrokey-start-firmware-1.0.4-1a.hex
5507fabe87dcc68e4a931ab014940af6 nitrokey-start-firmware-1.0.4-1a.hex
$ sha512sum ../nitrokey-start-firmware-1.0.4-1a.hex
f318d5bb375889076f109282237f28da6dc4b3e392aa9e14d4c2dac56763f48656b0e010039a0039928e8ee0087a3e6f2833cffa978fbe4ace72b506fae13260
../nitrokey-start-firmware-1.0.4-1a.hex
To downgrade the Nitrokey and try if the update then fails, since I had
errors compiling gnuk.
$ python2 usb_strings.py
Device:
Vendor: Nitrokey
Product: Nitrokey Start
Serial: FSIJ-1.2.2-87042430
Revision: release/1.0.2-471-g1a76ab5
Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=no
Sys: 3.0
$ lsusb -v -s 002:019
Bus 002 Device 019: ID 20a0:4211 Clay Logic
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 1.10
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x20a0 Clay Logic
idProduct 0x4211
bcdDevice 2.00
iManufacturer 1 Nitrokey
iProduct 2 Nitrokey Start
iSerial 3 FSIJ-1.2.2-87042430
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 93
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 100mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 11 Chip/SmartCard
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 0
ChipCard Interface Descriptor:
bLength 54
bDescriptorType 33
bcdCCID 1.10 (Warning: Only accurate for version
1.0)
nMaxSlotIndex 0
bVoltageSupport 1 5.0V
dwProtocols 2 T=1
dwDefaultClock 4000
dwMaxiumumClock 4000
bNumClockSupported 0
dwDataRate 9600 bps
dwMaxDataRate 9600 bps
bNumDataRatesSupp. 0
dwMaxIFSD 254
dwSyncProtocols 00000000
dwMechanical 00000000
dwFeatures 0002047A
Auto configuration based on ATR
Auto voltage selection
Auto clock change
Auto baud rate change
Auto parameter negotation made by CCID
Auto IFSD exchange
Short APDU level exchange
dwMaxCCIDMsgLen 271
bClassGetResponse echo
bClassEnvelope FF
wlcdLayout none
bPINSupport 0
bMaxCCIDBusySlots 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0004 1x 4 bytes
bInterval 255
can't get debug descriptor: Resource temporarily unavailable
Device Status: 0x0000
(Bus Powered)
I suspect regnual and the device are confused about the downgrade since it
seems to work initially, but not entirely (regnual fix branch):
$ python2 ./upgrade_by_passwd.py -f ../regnual/regnual.bin
../nitrokey-start-firmware-1.0.4-1a.hex
../regnual/regnual.bin: 4372
../nitrokey-start-firmware-1.0.4-1a.hex: 164224
CRC32: f3fafa79
Device:
Configuration: 1
Interface: 0
20002800:20005000
Downloading flash upgrade program...
start 20002800
end 20003900
Run flash upgrade program...
Waiting for device to appear:
- Wait 1 seconds...
Device:
08001000:08020000
Downloading the program
start 08001000
end 08028100
Traceback (most recent call last):
File "./upgrade_by_passwd.py", line 134, in <module>
main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
File "./upgrade_by_passwd.py", line 87, in main
reg.download(mem_info[0], data_upgrade)
File "/home/remy/repo/nitrokey-upfix/tool/gnuk_token.py", line 513,
in download
value = i, index = 0, timeout = 10000)
File "/usr/lib/python2.7/site-packages/usb/legacy.py", line 211, in
controlMsg
timeout = timeout)
File "/usr/lib/python2.7/site-packages/usb/core.py", line 1043, in
ctrl_transfer
self.__get_timeout(timeout))
File "/usr/lib/python2.7/site-packages/usb/backend/libusb1.py", line
883, in ctrl_transfer
timeout))
File "/usr/lib/python2.7/site-packages/usb/backend/libusb1.py", line
595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 32] Pipe error
$ python2 usb_strings.py
Device:
Vendor: Nitrokey
Product: Nitrokey Start
Serial: FSIJ-0.0
Did a DFU flash here to Jans binary:
$ sudo stm32flash -w nitrokey-start-firmware-1.0.4-1a.hex -g 0x0
/dev/ttyUSB0
stm32flash 0.5
http://stm32flash.sourceforge.net/
Using Parser : Intel HEX
Interface serial_posix: 57600 8E1
Version : 0x22
Option 1 : 0x00
Option 2 : 0x00
Device ID : 0x0410 (STM32F10xxx Medium-density)
- RAM : 20KiB (512b reserved by bootloader)
- Flash : 128KiB (size first sector: 4x1024)
- Option RAM : 16b
- System RAM : 2KiB
Write to memory
Erasing memory
Wrote address 0x0800e400 (100.00%) Done.
Starting execution at address 0x08000000... done.
$ python2 usb_strings.py
Device:
Vendor: Nitrokey
Product: Nitrokey Start
Serial: FSIJ-1.0.4-52FF7106
Revision: release/1.0.4-6-g739e00e
Config:
NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=yes:keygen=yes
Sys: 1.0
$ gpg --card-status
Reader ...........: 20A0:4211:FSIJ-1.0.4-52FF7106:0
Application ID ...: D276000124010200FFFE52FF71060000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 52FF7106
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
> The blinking on the device
> shows it executed regnual's binary and waits for commands. If it is
> listed on lsusb maybe just changing/adding vid/pid in mentioned GNUK_
> file would suffice since it is parsed by upgrade script (removing
> previously the code uploading regnual to the device).
Yes, Niibe explained this in an earlier conversation I remember. The
device, after starting the flash, did not show up in lsusb again, but dmesg
gave no errors, it did that before.
However, after downgrading and trying to flash the 1.0.4 from Jan, it
failed again:
$ python2 ./upgrade_by_passwd.py -f ../regnual/regnual.bin
../nitrokey-start-firmware-1.0.4-1a.hex
../regnual/regnual.bin: 4372
../nitrokey-start-firmware-1.0.4-1a.hex: 164224
CRC32: f3fafa79
Device:
Configuration: 1
Interface: 0
20001400:20004a00
Downloading flash upgrade program...
start 20001400
end 20002500
Run flash upgrade program...
Waiting for device to appear:
- Wait 1 seconds...
- Wait 1 seconds...
- Wait 1 seconds...
- Wait 1 seconds...
- Wait 1 seconds...
- Wait 1 seconds...
- Wait 1 seconds...
- Wait 1 seconds...
- Wait 1 seconds...
^CTraceback (most recent call last):
File "./upgrade_by_passwd.py", line 134, in <module>
main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
File "./upgrade_by_passwd.py", line 75, in main
time.sleep(wait_e)
KeyboardInterrupt
This time with the green LED blinking, and the dmesg errors:
[Tue Dec 20 17:05:12 2016] usb 1-1-port1: disabled by hub (EMI?),
re-enabling...
[Tue Dec 20 17:05:12 2016] usb 1-1.1: USB disconnect, device number 4
[Tue Dec 20 17:05:12 2016] usb 1-1.1: new low-speed USB device number 5
using ehci-pci
[Tue Dec 20 17:05:13 2016] usb 1-1.1: device descriptor read/64, error
-32
[Tue Dec 20 17:05:13 2016] usb 1-1.1: device descriptor read/64, error
-32
[Tue Dec 20 17:05:13 2016] usb 1-1.1: new low-speed USB device number 6
using ehci-pci
[Tue Dec 20 17:05:13 2016] usb 1-1.1: device descriptor read/64, error
-32
[Tue Dec 20 17:05:13 2016] usb 1-1.1: device descriptor read/64, error
-32
[Tue Dec 20 17:05:13 2016] usb 1-1.1: new low-speed USB device number 7
using ehci-pci
[Tue Dec 20 17:05:14 2016] usb 1-1.1: device not accepting address 7,
error -32
[Tue Dec 20 17:05:14 2016] usb 1-1.1: new low-speed USB device number 8
using ehci-pci
[Tue Dec 20 17:05:14 2016] usb 1-1.1: device not accepting address 8,
error -32
[Tue Dec 20 17:05:14 2016] usb 1-1-port1: unable to enumerate USB device
lsusb doesn't show the device.
<DFU flash again to 1.0.4>
I fired up a VM with Ubuntu 16.10 and installed 'gcc-arm-none-eabi
binutils-arm-none-eabi libnewlib-arm-none-eabi build-essential' to compile
everything there:
root at compile:~/nitrokey-upfix/regnual# arm-none-eabi-gcc -v
Using built-in specs.
COLLECT_GCC=arm-none-eabi-gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/arm-none-eabi/4.9.3/lto-wrapper
Target: arm-none-eabi
gcc version 4.9.3 20150529 (prerelease) (15:4.9.3+svn231177-1)
Compile log (make) here: http://pastebin.com/ztLL9d5Q
$ sha512sum src/build/gnuk.bin
32770c3b05a9c7972cf249b320e38358ce7c91d9bc65bd3f2ea6d8afba167a9407fbfa94898b3d721336114d6ac253f638a4a783c58fd0956599c3b4177a2397
src/build/gnuk.bin
$ sha512sum regnual/regnual.bin
13cf8536d4a524c42ac88dac059f209c6853df1e4cc608d5f4bf07cc6fa1c65cbbb0d10393784c0dd31b7f702ca60bdb24e90d8ebb0cff421712bd30632fc4a9
regnual/regnual.bin
Trying the upgrade again with a compile from the same gcc as you (4.9) to
1.2.2 fix branch:
$ python2 usb_strings.py
Device:
Vendor: Nitrokey
Product: Nitrokey Start
Serial: FSIJ-1.0.4-52FF7106
Revision: release/1.0.4-6-g739e00e
Config:
NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=yes:keygen=yes
Sys: 1.0
$ python2 ./upgrade_by_passwd.py -f ../regnual/regnual.bin
../src/build/gnuk.bin
../regnual/regnual.bin: 4388
../src/build/gnuk.bin: 110592
CRC32: a4811640
Device:
Configuration: 1
Interface: 0
20001400:20004a00
Downloading flash upgrade program...
start 20001400
end 20002500
Run flash upgrade program...
Waiting for device to appear:
- Wait 1 seconds...
- Wait 1 seconds...
- Wait 1 seconds...
- Wait 1 seconds...
- Wait 1 seconds...
- Wait 1 seconds...
- Wait 1 seconds...
^CTraceback (most recent call last):
File "./upgrade_by_passwd.py", line 134, in <module>
main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
File "./upgrade_by_passwd.py", line 75, in main
time.sleep(wait_e)
KeyboardInterrupt
Then I flashed via DFU the 1.2.2-fix compiled binary, which worked:
$ sudo stm32flash -w ../src/build/gnuk.bin -g 0x0 /dev/ttyUSB0
stm32flash 0.5
http://stm32flash.sourceforge.net/
Using Parser : Raw BINARY
Interface serial_posix: 57600 8E1
Version : 0x22
Option 1 : 0x00
Option 2 : 0x00
Device ID : 0x0410 (STM32F10xxx Medium-density)
- RAM : 20KiB (512b reserved by bootloader)
- Flash : 128KiB (size first sector: 4x1024)
- Option RAM : 16b
- System RAM : 2KiB
Write to memory
Erasing memory
Wrote address 0x0801b000 (100.00%) Done.
Starting execution at address 0x08000000... done.
$ python2 usb_strings.py
Device:
Vendor: Nitrokey
Product: Nitrokey Start
Serial: FSIJ-1.2.2-87042430
Revision: release/1.0.2-471-g1a76ab5-modified
Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=no
Sys: 3.0
After which regnual upgrade works again:
$ python2 ./upgrade_by_passwd.py -f ../regnual/regnual.bin
../src/build/gnuk.bin
../regnual/regnual.bin: 4388
../src/build/gnuk.bin: 110592
CRC32: a4811640
Device:
Configuration: 1
Interface: 0
20002800:20005000
Downloading flash upgrade program...
start 20002800
end 20003900
Run flash upgrade program...
Waiting for device to appear:
- Wait 1 seconds...
Device:
08001000:08020000
Downloading the program
start 08001000
end 0801b000
Resetting device
Update procedure finished
$ python2 usb_strings.py
Device:
Vendor: Nitrokey
Product: Nitrokey Start
Serial: FSIJ-1.2.2-87042430
Revision: release/1.0.2-471-g1a76ab5-modified
Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=no
Sys: 3.0
So I'm unsure why you're unable to reproduce it and I can reliably
reproduce it. Upgrading from 1.0.4 fails with this regnual-fix and
upgrading 1.2.2 with regnual works. Downgrading with dfu to 1.0.4 and then
upgrading fails, but after dfu-ing to 1.2.2 upgrading to 1.2.2 works. Even
compiling with the same version still allows for reproducable error.
If, after upgrading with regnual to 1.2.2 I try to downgrade, it also fails
reproducably:
$ python2 ./upgrade_by_passwd.py -f ../regnual/regnual.bin
../nitrokey-start-firmware-1.0.4-1a.hex ../regnual/regnual.bin: 4388
../nitrokey-start-firmware-1.0.4-1a.hex: 164224
CRC32: a4811640
Device:
Configuration: 1
Interface: 0
20002800:20005000
Downloading flash upgrade program...
start 20002800
end 20003900
Run flash upgrade program...
Waiting for device to appear:
- Wait 1 seconds...
Device:
08001000:08020000
Downloading the program
start 08001000
end 08028100
Traceback (most recent call last):
File "./upgrade_by_passwd.py", line 134, in <module>
main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
File "./upgrade_by_passwd.py", line 87, in main
reg.download(mem_info[0], data_upgrade)
File "/home/remy/repo/nitrokey-upfix/tool/gnuk_token.py", line 513,
in download
value = i, index = 0, timeout = 10000)
File "/usr/lib/python2.7/site-packages/usb/legacy.py", line 211, in
controlMsg
timeout = timeout)
File "/usr/lib/python2.7/site-packages/usb/core.py", line 1043, in
ctrl_transfer
self.__get_timeout(timeout))
File "/usr/lib/python2.7/site-packages/usb/backend/libusb1.py", line
883, in ctrl_transfer
timeout))
File "/usr/lib/python2.7/site-packages/usb/backend/libusb1.py", line
595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 32] Pipe error
Regarding the 1.0.4 compile on the GCC 4.9, that also fails, long log here:
http://pastebin.com/eMnheCKu (that's on the compile VM)
I hope this information helps, if you need any more checking or information
please don't hesitate to ask, I'm happy to help :)
https://raymii.org
On Tue, Dec 20, 2016 at 2:35 PM, Szczepan Zalega | Nitrokey <
szczepan at nitrokey.com> wrote:
> On 12/18/2016 12:22 PM, Remy van Elst wrote:
> > I was wondering if I could downgrade a Start to gnuk 1.0.4 that came
> > with the Nitrokey (from here
> > https://github.com/Nitrokey/nitrokey-start-firmware/commits/master) but
> > the make fails:
> >
> > $ make
>
> I do not know unfortunately. I make compilation with GCC 4.9.3 on Ubuntu
> 16.10 (details in attachment). Precompiled firmware's should be
> available today in `gnuk1.2-regnual-fix` branch within
> `nitrokey-start-firmware` repository [1] (`./prebuilt/` directory).
>
>
> [1]
> https://github.com/Nitrokey/nitrokey-start-firmware/tree/
> gnuk1.2-regnual-fix
>
> --
> Best regards,
> Szczepan
>
> _______________________________________________
> gnuk-users mailing list
> gnuk-users at lists.alioth.debian.org
> https://lists.alioth.debian.org/mailman/listinfo/gnuk-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/gnuk-users/attachments/20161220/a1fcf4e1/attachment-0001.html>
More information about the gnuk-users
mailing list