[Gnuk-users] reflash without working pin?

Vagrant Cascadian vagrant at debian.org
Fri Sep 29 17:38:05 UTC 2017 

> Vagrant Cascadian <vagrant at debian.org> wrote:
>> Without a reset pin, admin pin, or user pin, how can I reflash the
>> firmware?
>
> When you build your Gnuk with --enable-factory-reset option, you can do
> reset by the subcommand "factory-reset" of "gpg --card-edit".

Yes, I like that option.


> Or, you can flash it by SWD debugger.  When doing some experiments (of
> trials and errors), I recommend having SWD debugger, so that you can
> recover the functionality of device.

I've managed to reset both of my FST-01 devices multiple times now with
a black magic probe v2.1. Had to poke holes in the nice shrink-tube, so
not as tamper evident anymore, but it worked!

The black magic probe is documented here:

  https://github.com/blacksphere/blackmagic/wiki/Debugger-Hardware


I've tried this a few times, and seemed to work, if a bit cumbersome.

Create a file called flash.begin:

  monitor tpwr enable
  monitor swdp_scan
  attach 1
  load
  compare-sections

and flash.end:

  monitor option erase
  kill
  quit

Then run the following commands, with regnual.elf and gnuk.elf in the
same directory:

  arm-none-eabi-gdb \
    -ex 'target extended-remote /dev/ttyACM0' \
    -x flash.begin \
    -ex 'monitor option erase' \
    -x flash.end \
    regnual.elf

  arm-none-eabi-gdb \
    -ex 'target extended-remote /dev/ttyACM0' \
    -x flash.begin \
    -x flash.end \
    gnuk.elf

This got me most of the way there:

  https://github.com/blacksphere/blackmagic/wiki/GDB-Automation

And found this useful for identifying exactly which pins to use:

  https://www.earth.li/~noodles/blog/2015/08/program-fst01-with-buspirate.html


> That's because the locked state of Gnuk is irreversible (non-recoverble)
> by its design.

That's good.

After messing with SWD it makes me wonder: is it feasible to dump the
key material using an SWD debugger?


> I recommend building Gnuk with --enable-factory-reset option, only when
> needed, because it means inviting another attack vector.  Default is
> --disable-factory-reset option.

What sort of attacks are you concerned about with enabling factory reset
by default? Someone wiping the keys with access to the device, or worse
than that?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/gnuk-users/attachments/20170929/d394f86c/attachment.sig>

More information about the gnuk-users mailing list