Critical error: No Nitrokey 3 bootloader device found

tglaeser · November 12, 2022, 9:45pm

Running

$ nitropy nk3 update

fails with the above mentioned error.

Similarly, command sequence

$ nitropy nk3 list
Command line tool to interact with Nitrokey devices 0.4.30
:: 'Nitrokey 3' keys
/dev/hidraw0: Nitrokey 3 DCA33F8E4549105A0000000000000000
$ nitropy nk3 reboot --bootloader
Command line tool to interact with Nitrokey devices 0.4.30
Please press the touch button to reboot the device into bootloader mode ...
$ /nitropy nk3 list
Command line tool to interact with Nitrokey devices 0.4.30
:: 'Nitrokey 3' keys

seems to result in an unresponsive Nitrokey.

Following please find the logging from the update command:

458        INFO  libusbsio HID enumeration[94155587700800]: initialized
458       DEBUG  libusbsio HID enumeration[94155587700800]: device #0: Nitrokey 3
458        INFO  libusbsio HID enumeration[94155587700800]: finished, total 1 devices
590       DEBUG urllib3.connectionpool Starting new HTTPS connection (1): api.github.com:443
900       DEBUG urllib3.connectionpool https://api.github.com:443 "GET /repos/Nitrokey/nitrokey-3-firmware/releases/latest HTTP/1.1" 200 1554
908        INFO pynitrokey.cli.nk3.update Latest firmware version: v1.2.2
908       DEBUG       root print: Current firmware version:  v1.1.0
909       DEBUG       root print: Latest firmware version:   v1.2.2
1920      DEBUG       root print: Please do not remove the Nitrokey 3 or insert any other Nitrokey 3 devices during the update. Doing so may damage the Nitrokey 3.
4594      DEBUG       root print: Please press the touch button to reboot the device into bootloader mode ...
11499     DEBUG pynitrokey.nk3.device./dev/hidraw0 ignoring OSError after reboot
Traceback (most recent call last):
  File "/home/micio/.local/pipx/venvs/pynitrokey/lib/python3.10/site-packages/pynitrokey/nk3/device.py", line 84, in reboot
    self._call(Command.UPDATE)
  File "/home/micio/.local/pipx/venvs/pynitrokey/lib/python3.10/site-packages/pynitrokey/nk3/device.py", line 122, in _call
    response = self.device.call(command.value)
  File "/home/micio/.local/pipx/venvs/pynitrokey/lib/python3.10/site-packages/fido2/hid/__init__.py", line 189, in call
    recv = self._connection.read_packet()
  File "/home/micio/.local/pipx/venvs/pynitrokey/lib/python3.10/site-packages/fido2/hid/base.py", line 80, in read_packet
    return os.read(self.handle, self.descriptor.report_size_in)
OSError: [Errno 5] Input/output error
11502     DEBUG pynitrokey.cli.nk3.update Trying to connect to bootloader (try 1 of 3)
11502     DEBUG pynitrokey.cli.nk3 Searching Nitrokey 3 bootloader device (try 1 of 10)
11503      INFO  libusbsio HID enumeration[94155586558096]: initialized
11504      INFO  libusbsio HID enumeration[94155586558096]: finished, total 0 devices
11506     DEBUG pynitrokey.cli.nk3 No Nitrokey 3 bootloader device found, continuing
12007     DEBUG pynitrokey.cli.nk3 Searching Nitrokey 3 bootloader device (try 2 of 10)
12008      INFO  libusbsio HID enumeration[94155587695952]: initialized
12008      INFO  libusbsio HID enumeration[94155587695952]: finished, total 0 devices
12013     DEBUG pynitrokey.cli.nk3 No Nitrokey 3 bootloader device found, continuing
12514     DEBUG pynitrokey.cli.nk3 Searching Nitrokey 3 bootloader device (try 3 of 10)
12515      INFO  libusbsio HID enumeration[94155579454208]: initialized
12515      INFO  libusbsio HID enumeration[94155579454208]: finished, total 0 devices
12520     DEBUG pynitrokey.cli.nk3 No Nitrokey 3 bootloader device found, continuing
13021     DEBUG pynitrokey.cli.nk3 Searching Nitrokey 3 bootloader device (try 4 of 10)
13022      INFO  libusbsio HID enumeration[94155586724384]: initialized
13023      INFO  libusbsio HID enumeration[94155586724384]: finished, total 0 devices
13028     DEBUG pynitrokey.cli.nk3 No Nitrokey 3 bootloader device found, continuing
13529     DEBUG pynitrokey.cli.nk3 Searching Nitrokey 3 bootloader device (try 5 of 10)
13530      INFO  libusbsio HID enumeration[94155587696288]: initialized
13531      INFO  libusbsio HID enumeration[94155587696288]: finished, total 0 devices
13535     DEBUG pynitrokey.cli.nk3 No Nitrokey 3 bootloader device found, continuing
14036     DEBUG pynitrokey.cli.nk3 Searching Nitrokey 3 bootloader device (try 6 of 10)
14037      INFO  libusbsio HID enumeration[94155586558096]: initialized
14038      INFO  libusbsio HID enumeration[94155586558096]: finished, total 0 devices
14043     DEBUG pynitrokey.cli.nk3 No Nitrokey 3 bootloader device found, continuing
14544     DEBUG pynitrokey.cli.nk3 Searching Nitrokey 3 bootloader device (try 7 of 10)
14545      INFO  libusbsio HID enumeration[94155587695952]: initialized
14546      INFO  libusbsio HID enumeration[94155587695952]: finished, total 0 devices
14550     DEBUG pynitrokey.cli.nk3 No Nitrokey 3 bootloader device found, continuing
15051     DEBUG pynitrokey.cli.nk3 Searching Nitrokey 3 bootloader device (try 8 of 10)
15052      INFO  libusbsio HID enumeration[94155579454208]: initialized
15052      INFO  libusbsio HID enumeration[94155579454208]: finished, total 0 devices
15057     DEBUG pynitrokey.cli.nk3 No Nitrokey 3 bootloader device found, continuing
15558     DEBUG pynitrokey.cli.nk3 Searching Nitrokey 3 bootloader device (try 9 of 10)
15559      INFO  libusbsio HID enumeration[94155586724384]: initialized
15559      INFO  libusbsio HID enumeration[94155586724384]: finished, total 0 devices
15564     DEBUG pynitrokey.cli.nk3 No Nitrokey 3 bootloader device found, continuing
16065     DEBUG pynitrokey.cli.nk3 Searching Nitrokey 3 bootloader device (try 10 of 10)
16066      INFO  libusbsio HID enumeration[94155587696288]: initialized
16067      INFO  libusbsio HID enumeration[94155587696288]: finished, total 0 devices
16072     DEBUG pynitrokey.cli.nk3 No Nitrokey 3 bootloader device found, continuing
16072     DEBUG       root print: Critical error:
16072     DEBUG       root print: No Nitrokey 3 bootloader device found
16072     DEBUG       root listing all connected devices:
16072     DEBUG       root :: 'Nitrokey FIDO2' keys
16072     DEBUG       root :: 'Nitrokey Start' keys:
16081     DEBUG       root :: 'Nitrokey 3' keys
16081      INFO  libusbsio HID enumeration[94155587696288]: initialized
16081      INFO  libusbsio HID enumeration[94155587696288]: finished, total 0 devices
16083     DEBUG       root print: --------------------------------------------------------------------------------
16083     DEBUG       root print: Critical error occurred, exiting now

Please advise.

daringer · November 14, 2022, 5:37pm

Hey @tglaeser

this looks like a permission issue, some distributions do allow access to the needed /dev devices via a group the user might be part of. For all the others there is the udev-rules file, which is not yet released, only on master in libnitrokey (see link).

So you can replace this file with your udev rules file to make it work. (don’t forget to restart udev and re-read the rules)

best

tglaeser · November 14, 2022, 6:44pm

Actually no. Sorry for not mentioning before, but I’m already using the latest version of libnitrokey/data/41-nitrokey.rules from branch master.

tglaeser · November 14, 2022, 7:40pm

Not sure if the following output helps in anyway:

# udevadm test /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.1/0003:20A0:42B2.0001/hidraw/hidraw0
This program is for debugging only, it does not run any program
specified by a RUN key. It may show incorrect results, because
some values may be different, or not available at a simulation run.

Trying to open "/etc/systemd/hwdb/hwdb.bin"...
Trying to open "/etc/udev/hwdb.bin"...
=== trie on-disk ===
tool version:          251
file size:        11536578 bytes
header size             80 bytes
strings            2438978 bytes
nodes              9097520 bytes
Load module index
Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Found container virtualization none.
Using default interface naming scheme 'v251'.
Parsed configuration file "/lib/systemd/network/99-default.link"
Created link configuration context.
Loaded timestamp for '/etc/udev/rules.d'.
Reading rules file: /lib/udev/rules.d/10-dm.rules
...
Reading rules file: /lib/udev/rules.d/99-systemd.rules
hidraw0: /lib/udev/rules.d/60-fido-id.rules:5 Importing properties from results of 'fido_id'
hidraw0: Starting 'fido_id'
Successfully forked off '(spawn)' as PID 3524.
hidraw0: 'fido_id'(err) 'Failed to get current device from environment: Invalid argument'
hidraw0: Process 'fido_id' failed with exit code 1.
hidraw0: /lib/udev/rules.d/60-fido-id.rules:5 Command "fido_id" returned 1 (error), ignoring
hidraw0: /lib/udev/rules.d/70-libfido2-u2f.rules:143 GROUP 272
hidraw0: /lib/udev/rules.d/70-libfido2-u2f.rules:143 MODE 0660
hidraw0: /lib/udev/rules.d/71-seat.rules:74 Importing properties from results of builtin command 'path_id'
hidraw0: /lib/udev/rules.d/73-seat-late.rules:16 RUN 'uaccess'
hidraw0: Preserve permissions of /dev/hidraw0, uid=0, gid=272, mode=0660
hidraw0: Handling device node '/dev/hidraw0', devnum=c249:0
hidraw0: sd-device: Created db file '/run/udev/data/c249:0' for '/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.1/0003:20A0:42B2.0001/hidraw/hidraw0'
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.1/0003:20A0:42B2.0001/hidraw/hidraw0
DEVNAME=/dev/hidraw0
MAJOR=249
MINOR=0
ACTION=add
SUBSYSTEM=hidraw
TAGS=:seat:security-device:uaccess:
CURRENT_TAGS=:seat:uaccess:
ID_PATH=pci-0000:00:14.0-usb-0:2:1.1
ID_PATH_TAG=pci-0000_00_14_0-usb-0_2_1_1
ID_FOR_SEAT=hidraw-pci-0000_00_14_0-usb-0_2_1_1
USEC_INITIALIZED=9085346
run: 'uaccess'
Unload module index
Unloaded link configuration context.

But then again, the key seems to be working fine, only running command nitropy nk3 reboot --bootloader results in an unresponsive Nitrokey.

tglaeser · November 14, 2022, 8:06pm

Plugging in the key and then executing

# nitropy nk3 reboot --bootloader
# dmesg

shows the following information:

[   45.977599] usb 1-2: USB disconnect, device number 3
[   50.560186] usb 1-2: new full-speed USB device number 6 using xhci_hcd
[   50.688755] usb 1-2: New USB device found, idVendor=20a0, idProduct=42b2, bcdDevice= 1.01
[   50.688773] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[   50.688780] usb 1-2: Product: Nitrokey 3
[   50.688786] usb 1-2: Manufacturer: Nitrokey
[   50.697105] hid-generic 0003:20A0:42B2.0006: hiddev96,hidraw2: USB HID v1.11 Device [Nitrokey Nitrokey 3] on usb-0000:00:14.0-2/input1
[  101.513050] usb 1-2: USB disconnect, device number 6
[  101.794860] usb 1-2: new full-speed USB device number 7 using xhci_hcd
[  101.925599] usb 1-2: New USB device found, idVendor=20a0, idProduct=42e8, bcdDevice= 1.00
[  101.925619] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  101.925628] usb 1-2: Product: Nitrokey 3 Bootloader
[  101.925633] usb 1-2: Manufacturer: Nitrokey
[  101.925639] usb 1-2: SerialNumber: D9C7E2B0231D

The problem seems that after switching from product Nitrokey 3 to Nitrokey 3 Bootloader, all further commands result in error

Critical error:
No Nitrokey 3 device found

daringer · November 14, 2022, 8:32pm

uha, this is weird

generally I would expect a line, which is missing from your dmesg output:

[xxxx.yyyyy] cdc_acm 1-4.4.3:1.0: ttyACM0: USB ACM device

Can you confirm that this is indeed missing or did you maybe just not paste it?

If it’s there, please check the permissions on /dev/ttyACMx (with the x taken from you dmesg output),
if it’s not there, this might be the issue, but I currently have no idea what might be the reason…

tglaeser · November 14, 2022, 9:40pm

No, there is no such device:

# journalctl --boot | grep ttyACM
# dmesg | grep ttyACM

tglaeser · November 14, 2022, 10:22pm

Excellent pointer; USB_ACM support was simply not enabled in my kernel. Rebuilding the kernel with CONFIG_USB_ACM=m solved the issue.

I was now able to update the nk3 firmware to version 1.2.2. Thanks.

daringer · November 15, 2022, 10:05am

uh, that’s good! cool