This is a text-only version of the following page on https://raymii.org: --- Title : FST-01 gnuk firmware update via USB Author : Remy van Elst Date : 09-09-2016 URL : https://raymii.org/s/tutorials/FST-01_firmware_upgrade_via_usb.html Format : Markdown/HTML --- The FST-01 (Flying Stone 1) ([wiki link][1]), [niibe link][2] is a small STM32F103TB based USB device designed to run `gnuk` and `neug` (gpg usb token or true random number generator). ([order here][3], no affiliate link). This guide shows you how to upgrade the firmware on the FST-01 so that you can enjoy newer gnuk features like 4096 bit RSA keys. I'm a huge fan of [the Nitrokey][4] line of devices. The [Nitrokey Start][5] is a software-only USB token for gnupg. The other Nitrokey devices all use a smartcard (SmartCard-HSM for the Nitrokey HSM and OpenGPG Card for the Nitrokey Pro) for their key storage, but the Nitrokey Start does that all in the microcontroller. The Nitrokey Start is based on the FST-01 device, as are the other Nitrokeys, since the Nitrokey Start runs the same firmware, gnuk 1.0.4.

Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:

I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $200 credit for 60 days. Spend $25 after your credit expires and I'll get $25!

![][7] > The FST-01 device This guide will show you how to compile and upgrade the latest firmware onto the device via USB. The recommended way is to upgrade via the ST-Link protocol, but that requires opening the device, soldering wires and a special adapter. The USB upgrade works most of the time. ### Why upgrade? If your device is working as intended, then don't upgrade. But, a lot has changes since the 1.0.1 firmware that came on my FST-01. A small list from the [git commit log][8] and the [website][9]: * Support for 4096 bit RSA keys * ECDSA, ECDH, Curve25519, secp256k1 and Ed25519 support (experimental) * More boards supported (STM32 Nucleo, Maple Mini and ST Dongle) * Replaced thread library from ChibiOS/RT to ChopSTX * OpenPGPcard specification v3.0 compatibility * Upgrade of the NeuG routine to the one of NeuG 1.0 (TRNG) * an incompatible change to support overriding key * Improvements in the RSA code (Prime number generation is done by Fouque-Tibouchi method, changes from upstream PolarSSL 1.2.10 You could also flash the NeuG firmware onto the device so that you get a True random number generator instead of a crypto token. ### A word of caution ![][10] **Do not try to upgrade the Nitrokey.** It [fails at the moment][11]. If you want to upgrade the Nitrokey Start, [you need to use DFU, see my guide here][12] Also, **do not try to upgrade if you don't have a backup of the key material**. The upgrade will WIPE the entire device. Last, **you will probably brick the device**. Make sure you have another way to access and recover the device, like an ST-Link V2 adapter [link][13]. So to wrap up, if you're not comfortable with a few bricked devices and all key material wiped, then don't try to upgrade. ### Build dependencies You need to install the entire arm cross compilation toolchain. On Arch Linux this requires installing the entire `base-dev` group and the following packages: pacman -Sy arm-none-eabi-gcc arm-none-eabi-newlib arm-none-eabi-binutils python2-pyusb You also need `git` installed. On Ubuntu the package names are the same, so you can install those as well: apt-get install git build-essential arm-none-eabi-gcc arm-none-eabi-newlib arm-none-eabi-binutils python-usb To make sure we can update the token as a regular user, we need to add some `udev` rules: vim /etc/udev/rules.d/69-gnuk.rules Contents: # Gnuk Token by FSIJ SUBSYSTEMS=="usb", ACTION=="add", \ ATTRS{idVendor}=="234b", ATTRS{idProduct}=="0000", \ ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" Reboot the machine, or on Arch do a `systemctl restart systemd-udevd.service`. ### Compile gnuk The first thing we need to do is get the source code. Clone the repositories: git clone https://anonscm.debian.org/cgit/gnuk/gnuk/gnuk.git gnuk cd gnuk rm -rf chopstx git clone https://anonscm.debian.org/cgit/gnuk/chopstx/chopstx.git chopstx They use git submodules upstream but that fails for me, therefore the chopstx folder is removed and the repository is cloned over. This guide uses commit `452c15c908b1d10fe14d71c3314c6550c3e3a471`, (`* 452c15c - (HEAD -> master, tag: release/1.2.1, origin/master, origin/HEAD) Version 1.2.1 (8 weeks ago) `). Go in the `src` folder and start the compile: cd src ./configure --target=FST_01 --vidpid="234b:0000" Output: Header file is: board-fst-01.h Debug option disabled Configured for bare system (no-DFU) PIN pad option disabled CERT.3 Data Object is NOT supported Card insert/removal by HID device is NOT supported If you want to see the other target options you can do a `./configure -h`: $ ./configure -h Usage: ./configure [OPTION]... Defaults for the options are specified in brackets. Configuration: -h, --help display this help and exit [no] --vidpid=VID:PID specify vendor/product ID [] --target=TARGET specify target [FST_01] supported targets are: FST_01 OLIMEX_STM32_H103 STM32_PRIMER2 STBEE STBEE_MINI MAPLE_MINI ST_DONGLE ST_NUCLEO_F103 NITROKEY_START CQ_STARM FST_01_00 (unreleased version with 8MHz XTAL) Start the make, this might take some time. It will end with output like below: arm-none-eabi-objcopy -O binary build/gnuk.elf build/gnuk.bin `ReGNUal` is the firmware update tool, we need to compile that as well: cd ../regnual/ make The make ends with: arm-none-eabi-objcopy -Obinary regnual.elf regnual.bin arm-none-eabi-objcopy -Oihex regnual.elf regnual.hex All the required compilations are done now. The next step is testing the token before we use it. ### Test the token It is important to test if the scripts and GPG recognize the token before we upgrade, so that we know that it worked. In the `gnuk/tools` folder is a script called `usb_strings.py`: $ python2 usb_strings.py Device: Vendor: Free Software Initiative of Japan Product: FSIJ USB Token Serial: FSIJ-1.0.1-87022326 Revision: release/1.0.1 Config: FST_01:dfu=no:debug=no:pinpad=no:certdo=yes:keygen=yes Sys: 1.0 And you can use GnuPG: $ gpg --card-status Reader ...........: 234B:0000:FSIJ-1.0.1-87022326:0 Application ID ...: D276000124010200FFFE870223260000 Version ..........: 2.0 Manufacturer .....: unmanaged S/N range Serial number ....: 87022326 Name of cardholder: [not set] Language prefs ...: [not set] Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: rsa2048 rsa2048 rsa2048 Max. PIN lengths .: 127 127 127 PIN retry counter : 3 3 3 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] ### The upgrade Go in the `gnuk/tools` folder. Execute the actual upgrade: $ python2 ./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk.bin It will ask you for the admin password. The output afterwars is like below, if the upgrade goes correct: ../regnual/regnual.bin: 4412 ../src/build/gnuk.bin: 110592 CRC32: 303d2f62 Device: Configuration: 1 Interface: 0 20001400:20004a00 Downloading flash upgrade program... start 20001400 end 20002500 Run flash upgrade program... Wait 1 seconds... Device: 08001000:08020000 Downloading the program start 08001000 end 0801b000 After the upgrade you can check if it succeeded: $ python2 usb_strings.py Device: Vendor: Free Software Initiative of Japan Product: Gnuk Token Serial: FSIJ-1.2.1-87022326 Revision: release/1.2.1-1-g2b784cb-modified Config: FST_01:dfu=no:debug=no:pinpad=no:certdo=no Sys: 1.0 The version went from 1.0.1 to 1.2.1. For reference, here is my `dmesg`: [ 294.977933] thinkpad_acpi: EC reports that Thermal Table has changed [ 726.481249] usb 1-1.1: new full-speed USB device number 3 using ehci-pci [ 1408.628722] usb 1-1.1: USB disconnect, device number 3 [ 1412.817498] usb 2-1.2: new full-speed USB device number 4 using ehci-pci [ 1461.011520] usb 2-1.2: USB disconnect, device number 4 [ 1464.014677] usb 2-1.2: new full-speed USB device number 5 using ehci-pci [ 1469.705384] usb 2-1.2: USB disconnect, device number 5 [ 1469.893972] usb 2-1.2: new full-speed USB device number 6 using ehci-pci You can also use GPG to check the new firmware: [20:20:18] [remy@gateway] [ ~ ] $ gpg --card-status Reader ...........: 234B:0000:FSIJ-1.2.1-87022326:0 Application ID ...: D276000124010200FFFE870223260000 Version ..........: 2.0 Manufacturer .....: unmanaged S/N range Serial number ....: 87022326 Name of cardholder: [not set] Language prefs ...: [not set] Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: rsa2048 rsa2048 rsa2048 Max. PIN lengths .: 127 127 127 PIN retry counter : 3 3 3 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] ### If it goes wrong? You need to use the ST Link v2 adapter to reflash the firmware. [See this tutorial][14] for a guide. ### Now what? You can put 4096 bit keys on the card, or use any of the new algorithms. See my [Nitrokey Start Getting Started][5] guide for how to put keys on the card. You can also reflash the device to NeuG firmware, then it will become a True Random Number Generator. But that is for another tutorial. [1]: http://wiki.seeedstudio.com/wiki/FST-01 [2]: http://www.gniibe.org/FST-01/fst-01.html [3]: https://www.seeedstudio.com/FST-01-with-White-Enclosure-p-1279.html [4]: https://raymii.org/s/tags/nitrokey.html [5]: https://raymii.org/s/articles/Nitrokey_Start_Getting_started_guide.html [6]: https://www.digitalocean.com/?refcode=7435ae6b8212 [7]: https://raymii.org/s/inc/img/FST-01_board.jpg [8]: https://anonscm.debian.org/cgit/gnuk/gnuk/gnuk.git/tree/ChangeLog [9]: http://www.fsij.org/gnuk/version1_2_1.html [10]: https://raymii.org/s/inc/img/caution.png [11]: https://lists.alioth.debian.org/pipermail/gnuk-users/2016q3/000369.html [12]: https://raymii.org/s/tutorials/Nitrokey_gnuk_firmware_update_via_DFU.html [13]: https://www.aliexpress.com/item/FREE-SHIPPING-1PCS-ST-Link-V2-stlink-mini-STM8STM32-STLINK-simulator-download-programming-With-Cover/32329418477.html [14]: http://blog.nodonogard.net/2015/11/compiling-and-flashing-gnuk-binaries-to.html --- License: All the text on this website is free as in freedom unless stated otherwise. This means you can use it in any way you want, you can copy it, change it the way you like and republish it, as long as you release the (modified) content under the same license to give others the same freedoms you've got and place my name and a link to this site with the article as source. This site uses Google Analytics for statistics and Google Adwords for advertisements. You are tracked and Google knows everything about you. Use an adblocker like ublock-origin if you don't want it. All the code on this website is licensed under the GNU GPL v3 license unless already licensed under a license which does not allows this form of licensing or if another license is stated on that page / in that software: This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . Just to be clear, the information on this website is for meant for educational purposes and you use it at your own risk. I do not take responsibility if you screw something up. Use common sense, do not 'rm -rf /' as root for example. If you have any questions then do not hesitate to contact me. See https://raymii.org/s/static/About.html for details.