Nitrokey gnuk firmware update via DFU

Published: 11-10-2016 | Author: Remy van Elst



The Nitrokey Start can be upgraded to a newer GNUK firmware. However, this can only be done via ST-Link or DFU; if you use the Gnuk USB firmware upgrade you will brick the device. This guide shows you how to attach a DFU adapter and how to flash firmware to a Nitrokey, both for upgrading and for unbricking one that was bricked by a USB upgrade.

You need to build the gnuk firmware. The USB Device ID needs to be changed to 20a0:4211 in the file GNUK_USB_DEVICE_ID in the gnuk source tree:

$ cat GNUK_USB_DEVICE_ID
# VID:PID bcdDev  Product_STRING  Vendor_STRING
234b:0000 0200  Gnuk Token  Free Software Initiative of Japan
20a0:4211 0200  Nitrokey
##########<TAB> ##<TAB> ##########<TAB> #################

For the gnuk firmware compilation, please see this article. I will not cover that here any further.

Requirements and connection

You need the following:

- stm32flash

DFU is a simple protocol via serial port which allows programming but no debugging. On the Nitrokey hardware the appropriate pins are exposed over the USB connector.

Connect the wires from the USB serial adapter to the USB header (Nitrokey USB Plug <-> Serial/TTL adapter):

This diagram represents the pinout of the USB socket:

  ###################
  #                 #
  # ############### #
  #                 #
  #                 #
  ###################
     #   #   #   #
     #   #   #   #
     1   2   3   4

(This nice ascii art comes from the Nitrokey Pro Hardware repo.)

You also need a small wire to bridge the two holes before you attach the Nitrokey so that it boots into DFU mode.

Here is a picture of my setup:

This was my complete workspace:

Unblocking the flash

The STM32 controller has a flash-protection bit which prohibits writing to the flash. The stm32flash tool says it's able to unblock that, but for the Nitrokey this fails:

sudo stm32flash -u /dev/ttyUSB0 

Output:

stm32flash 0.5
http://stm32flash.sourceforge.net/
Interface serial_posix: 57600 8E1
Version      : 0x22
Option 1     : 0x00
Option 2     : 0x00
Device ID    : 0x0410 (STM32F10xxx Medium-density)
- RAM        : 20KiB  (512b reserved by bootloader)
- Flash      : 128KiB (size first sector: 4x1024)
- Option RAM : 16b
- System RAM : 2KiB
Write-unprotecting flash
Got NACK from device on command 0x73
Done.

So sadly I have to use Windows software, the ST Demo Loader. Download and install it and connect the DFU-Nitrokey to the Windows machine.

Update

This post on the mailing list states that you could use the -k flag with stm32flash to remove the read protection as well. It also states to not forget to use -j to read-protect the Nitrokey again after you're done flashing if you intend to put real keys on there.

I tested this and it works, so you don't need the Windows tool in the end. Scroll down for the Linux/stm32flash way.

End update

Also copy the compiled GNUK binary (gnuk/src/build/gnuk.bin) to the Windows machine.

Flashing via Windows

Start the utility up and select the correct COM port (COM4 for me):

If the protection is set the tool will show a red traffic light and a Remove Protection button. Click and complete that, then click next:

Click Next:

Select Download to device, Erase the necessary pages and choose thegnuk.bin file:

It will erase the flash:

Then upload the firmware:

It will complete with a nice green bar:

Now the binary is flashed and your Nitrokey should work. In my case, it successfully worked with gnuk 1.2:

$ gpg --card-status
Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.1-87042430) 00 00
Application ID ...: D276000124010200FFFE870424300000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 87042430
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 4
Signature key ....: 3D1B 8501 882B EA0D D813  6CAC 1437 62A5 87BD 54FE
      created ....: 2016-10-11 15:06:29
Encryption key....: 9898 208B 7876 4F65 A06E  3E65 637A 80D6 31D5 21C2
      created ....: 2016-10-11 15:06:29
Authentication key: 2141 3E30 8EFF F2D0 FB3D  4C9E DA3D F5B9 7130 1532
      created ....: 2016-10-11 15:06:29
General key info..: pub  rsa2048/0x143762A587BD54FE 2016-10-11 Remy test (Test gnuk1.2) <remy@test.nl>
sec>  rsa2048/0x143762A587BD54FE  created: 2016-10-11  expires: 2016-10-18
                                  card-no: FFFE 87042430
ssb>  rsa2048/0xDA3DF5B971301532  created: 2016-10-11  expires: 2016-10-18
                                  card-no: FFFE 87042430
ssb>  rsa2048/0x637A80D631D521C2  created: 2016-10-11  expires: 2016-10-18
                                  card-no: FFFE 87042430

An Ed25519 key can now also be used:

$ gpg --card-status
Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.1-87042430) 00 00
Application ID ...: D276000124010200FFFE870424300000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 87042430
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: ed25519 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: 3678 F2EE 1CCB 4B24 B107  38BA 101D 491F 08E7 FD60
      created ....: 2016-10-11 15:31:27
Encryption key....: [none]
Authentication key: [none]
General key info..: pub  ed25519/0x101D491F08E7FD60 2016-10-11 test remy ecc (gnuk 1.2) <nitrokey@raymii.nl>
sec>  ed25519/0x101D491F08E7FD60  created: 2016-10-11  expires: 2016-10-18
                                  card-no: FFFE 87042430

Flashing via Linux

First remove the read protection bit from the device (the device should be in bootloader mode, with the wire bridge in place, for all of these actions):

sudo stm32flash -k /dev/ttyUSB0 

Output:

stm32flash 0.5
http://stm32flash.sourceforge.net/
Interface serial_posix: 57600 8E1
Version      : 0x22
Option 1     : 0x00
Option 2     : 0x00
Device ID    : 0x0410 (STM32F10xxx Medium-density)
- RAM        : 20KiB  (512b reserved by bootloader)
- Flash      : 128KiB (size first sector: 4x1024)
- Option RAM : 16b
- System RAM : 2KiB
Read-UnProtecting flash
Done.

Flash the binary and start it up after the flash:

sudo stm32flash -w build/gnuk.bin -g 0x0 /dev/ttyUSB0 

Output:

stm32flash 0.5
http://stm32flash.sourceforge.net/
Using Parser : Raw BINARY
Interface serial_posix: 57600 8E1
Version      : 0x22
Option 1     : 0x00
Option 2     : 0x00
Device ID    : 0x0410 (STM32F10xxx Medium-density)
- RAM        : 20KiB  (512b reserved by bootloader)
- Flash      : 128KiB (size first sector: 4x1024)
- Option RAM : 16b
- System RAM : 2KiB
Write to memory
Erasing memory
Wrote address 0x0801b000 (100.00%) Done.
Starting execution at address 0x08000000... done.

Do set the read protection back on after flashing, otherwise your keys might be exposed:

sudo stm32flash -j /dev/ttyUSB0 

Output:

stm32flash 0.5
http://stm32flash.sourceforge.net/
Interface serial_posix: 57600 8E1
Version      : 0x22
Option 1     : 0x00
Option 2     : 0x00
Device ID    : 0x0410 (STM32F10xxx Medium-density)
- RAM        : 20KiB  (512b reserved by bootloader)
- Flash      : 128KiB (size first sector: 4x1024)
- Option RAM : 16b
- System RAM : 2KiB
Read-Protecting flash
Done.
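The Linux sequence above (unprotect, write and start, re-protect) as an added shell example that is not part of the article or of stm32flash: it checks that the gnuk GNUK_USB_DEVICE_ID file carries the 20a0:4211 entry, validates each stm32flash run for the "Got NACK" failure seen earlier, and refuses to report success unless read protection was re-enabled. The function names and the STM32FLASH variable (path to the stm32flash binary) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the article: wraps the stm32flash sequence the
# article walks through (-k unprotect, -w/-g write and run, -j re-protect)
# so the re-protect step cannot be skipped. The stm32flash path is taken
# from $STM32FLASH (assumption; defaults to the binary on $PATH).
set -u

# 0 if the gnuk GNUK_USB_DEVICE_ID file has an active (uncommented) line
# for the Nitrokey VID:PID 20a0:4211, the ID the article says must be set.
check_device_id() {
    grep -Eq '^20a0:4211[[:space:]]' "$1"
}

# 0 if stm32flash output ends in "Done." without a bootloader NACK
# (the -u attempt in the article printed both "Got NACK" and "Done.").
check_output() {
    printf '%s\n' "$1" | grep -q 'Got NACK' && return 1
    printf '%s\n' "$1" | grep -q '^Done\.'
}

# Run stm32flash with the given arguments and validate its output.
run_stm32flash() {
    out=$("${STM32FLASH:-stm32flash}" "$@" 2>&1) || { echo "$out" >&2; return 1; }
    check_output "$out" || { echo "$out" >&2; return 1; }
}

# flash_gnuk FIRMWARE PORT: unprotect, write + start at 0x0, then re-protect.
# Returns 2 (no firmware), 3 (unprotect failed), 1 (write failed),
# 4 (write done but read protection NOT restored), 0 on success.
flash_gnuk() {
    firmware="$1"; port="$2"
    [ -f "$firmware" ] || { echo "no such firmware: $firmware" >&2; return 2; }
    run_stm32flash -k "$port" || return 3
    if run_stm32flash -w "$firmware" -g 0x0 "$port"; then wrote=0; else wrote=1; fi
    # Always re-enable read protection, even after a failed write: a device
    # left unprotected lets the flash contents (and any keys) be read out.
    if ! run_stm32flash -j "$port"; then
        echo "WARNING: read protection not restored on $port" >&2
        return 4
    fi
    return "$wrote"
}
```

Usage: check_device_id path/to/gnuk/GNUK_USB_DEVICE_ID && flash_gnuk build/gnuk.bin /dev/ttyUSB0 (as root, or with a udev rule granting access to the serial adapter).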

NeuG on the Nitrokey Start

I did try to flash NeuG to the device, but that resulted in a blinking green LED and nothing else. Here's the command for reference.

sudo stm32flash -w ../../neug/src/build/neug.bin -g 0x0 /dev/ttyUSB0 

Output:

stm32flash 0.5
http://stm32flash.sourceforge.net/
Using Parser : Raw BINARY
Interface serial_posix: 57600 8E1
Version      : 0x22
Option 1     : 0x00
Option 2     : 0x00
Device ID    : 0x0410 (STM32F10xxx Medium-density)
- RAM        : 20KiB  (512b reserved by bootloader)
- Flash      : 128KiB (size first sector: 4x1024)
- Option RAM : 16b
- System RAM : 2KiB
Write to memory
Erasing memory
Wrote address 0x08005c24 (100.00%) Done.
Starting execution at address 0x08000000... done.

NeuG does work on the FST-01.

Tags: fst-01, gnuk, gnupg, gpg, neug, nitrokey, nitrokey-start, start, stm32f103tb, tutorials