Failed to update v1.0.3->v1.8.1

terry · August 26, 2025, 3:53am

I am trying to update my Nitrokey 3C NFC firmware from v1.0.3 to v1.8.1

After I ran nitropy nk3 update ./firmware-nk3-v1.8.1.zip I confirmed that I want to update the device. When prompted to touch the button to reboot the device into bootloader mode I touched it. And then the device went dark and nitropy wrote no further messages. It is stuck in that mode forever. Here is the logfile:

278        INFO pynitrokey.cli Timestamp: 2025-08-26 05:39:25.958459
278        INFO pynitrokey.cli OS: uname_result(system='FreeBSD', node='bedna', release='14.2-RELEASE', version='FreeBSD 14.2-RELEASE releng/14.2-n269506-c8918d6c7412 GENERIC', machine='amd64')
278        INFO pynitrokey.cli Python version: 3.11.13
278        INFO pynitrokey.cli Cli arguments: ['nk3', 'update', './firmware-nk3-v1.8.1.zip']
279        INFO pynitrokey.cli pynitrokey version: 0.10.0
280        INFO pynitrokey.cli cryptography version: 45.0.6
280        INFO pynitrokey.cli fido2 version: 2.0.0
281        INFO pynitrokey.cli pyusb version: 1.3.1
318        INFO nitrokey.trussed.updates Firmware version before update: v1.0.3
322        INFO nitrokey.trussed.updates Current firmware version: v1.0.3
322        INFO nitrokey.trussed.updates Updated firmware version: v1.8.1
322       DEBUG       root print: Current firmware version:  v1.0.3
322       DEBUG       root print: Updated firmware version:  v1.8.1
322       DEBUG       root print: Please do not remove the Nitrokey 3 or insert any other Nitrokey 3 devices during the update. Doing so may damage the Nitrokey 3.
10662     DEBUG       root print: Please press the touch button to reboot the device into bootloader mode ...

Any suggestions?

terry · August 26, 2025, 4:20am

After some retries I got it working. I reran the command and after I pressed Ctrl-C it started flashing:

275        INFO pynitrokey.cli Timestamp: 2025-08-26 06:00:38.997907
275        INFO pynitrokey.cli OS: uname_result(system='FreeBSD', node='bedna', release='14.2-RELEASE', version='FreeBSD 14.2-RELEASE releng/14.2-n269506-c8918d6c7412 GENERIC', machine='amd64')
275        INFO pynitrokey.cli Python version: 3.11.13
275        INFO pynitrokey.cli Cli arguments: ['nk3', 'update', './firmware-nk3-v1.8.1.zip']
277        INFO pynitrokey.cli pynitrokey version: 0.10.0
277        INFO pynitrokey.cli cryptography version: 45.0.6
278        INFO pynitrokey.cli fido2 version: 2.0.0
278        INFO pynitrokey.cli pyusb version: 1.3.1
313        INFO nitrokey.trussed.updates Firmware version before update: v1.0.3
316        INFO nitrokey.trussed.updates Current firmware version: v1.0.3
316        INFO nitrokey.trussed.updates Updated firmware version: v1.8.1
316       DEBUG       root print: Current firmware version:  v1.0.3
316       DEBUG       root print: Updated firmware version:  v1.8.1
317       DEBUG       root print: Please do not remove the Nitrokey 3 or insert any other Nitrokey 3 devices during the update. Doing so may damage the Nitrokey 3.
2953      DEBUG       root print: Please press the touch button to reboot the device into bootloader mode ...
42704     DEBUG  fido2.hid Keyboard interrupt, cancelling...
42704     DEBUG nitrokey.trussed._device./dev/uhid1 ignoring OSError after reboot
Traceback (most recent call last):
  File "/home/tejul/.local/share/uv/tools/pynitrokey/lib/python3.11/site-packages/fido2/hid/__init__.py", line 208, in _do_call
    recv = self._connection.read_packet()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/tejul/.local/share/uv/tools/pynitrokey/lib/python3.11/site-packages/fido2/hid/base.py", line 79, in read_packet
    return os.read(self.handle, self.descriptor.report_size_in)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
KeyboardInterrupt

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/tejul/.local/share/uv/tools/pynitrokey/lib/python3.11/site-packages/nitrokey/trussed/admin_app.py", line 237, in reboot
    self._call(AdminCommand.UPDATE)
  File "/home/tejul/.local/share/uv/tools/pynitrokey/lib/python3.11/site-packages/nitrokey/trussed/admin_app.py", line 208, in _call
    return self.device._call(
           ^^^^^^^^^^^^^^^^^^
  File "/home/tejul/.local/share/uv/tools/pynitrokey/lib/python3.11/site-packages/nitrokey/trussed/_device.py", line 76, in _call
    response = self.device.call(command, data=data)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/tejul/.local/share/uv/tools/pynitrokey/lib/python3.11/site-packages/fido2/hid/__init__.py", line 174, in call
    return self._do_call(cmd, data, event, on_keepalive)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/tejul/.local/share/uv/tools/pynitrokey/lib/python3.11/site-packages/fido2/hid/__init__.py", line 249, in _do_call
    self._send_cancel()
  File "/home/tejul/.local/share/uv/tools/pynitrokey/lib/python3.11/site-packages/fido2/hid/__init__.py", line 161, in _send_cancel
    self._connection.write_packet(packet)
  File "/home/tejul/.local/share/uv/tools/pynitrokey/lib/python3.11/site-packages/fido2/hid/base.py", line 75, in write_packet
    if os.write(self.handle, packet) != len(packet):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
OSError: [Errno 6] Device not configured
43705     DEBUG nitrokey.trussed.updates Trying to connect to bootloader (try 1 of 3)
43706     DEBUG pynitrokey.cli.trussed Searching NK3 bootloader device (try 1 of 30)
43712      INFO nitrokey.trussed._bootloader.lpc55_upload.mboot.mcuboot Connect: identifier='usb', device= (0x20A0, 0x42DD)path=b'1-8:1.0'
43712     DEBUG nitrokey.trussed._bootloader.lpc55_upload.utils.interfaces.device.usb_device Opening the Interface:  (0x20A0, 0x42DD)path=b'1-8:1.0'
44526     DEBUG nitrokey.trussed.updates Starting firmware update
44526      INFO nitrokey.trussed._bootloader.lpc55_upload.mboot.mcuboot CMD: ReceiveSBfile(data_length=544896)
44526      INFO nitrokey.trussed._bootloader.lpc55_upload.mboot.mcuboot CMD: GetProperty(MaxPacketSize, index=0)
44526     DEBUG nitrokey.trussed._bootloader.lpc55_upload.mboot.mcuboot TX-PACKET: Tag=GetProperty, Flags=0x00, P[0]=0x0000000B, P[1]=0x00000000
44526     DEBUG nitrokey.trussed._bootloader.lpc55_upload.mboot.protocol.bulk_protocol OUT[16]: 01, 00, 0C, 00, 07, 00, 00, 02, 0B, 00, 00, 00, 00, 00, 00, 00
44530     DEBUG nitrokey.trussed._bootloader.lpc55_upload.mboot.protocol.bulk_protocol IN [60]: 03, 00, 0C, 00, A7, 00, 00, 02, 00, 00, 00, 00, 38, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
...

However, in nk3 list I have now only
:: ‘NK3’ keys

whereas before the update I had this:
:: ‘Nitrokey FIDO2’ keys
:: ‘Nitrokey Start’ keys:
:: ‘NK3’ keys
:: ‘NKPK’ keys

I also then ran nitropy nk3 test --pin and it looks good:

Found 1 NK3 device(s):
- Nitrokey 3 at /dev/uhid1

Running tests for Nitrokey 3 at /dev/uhid1

[1/5]	uuid     	UUID query              	SUCCESS  	F0D084B6A5FE7C51BF3A90BEDC662A68
[2/5]	version  	Firmware version query  	SUCCESS  	v1.8.1
[3/5]	status   	Device status           	SUCCESS  	Status(init_status=<InitStatus: 0>, ifs_blocks=56, efs_blocks=478, variant=<Variant.LPC55: 1>)
Running SE050 test: |
[4/5]	se050    	SE050                   	SUCCESS  	SE050 firmware version: 3.1.1 - 1.11, (persistent: (29848,), transient_deselect: (607,), transient_reset: (592,))
Please press the touch button on the device ...
Please press the touch button on the device ...
[5/5]	fido2    	FIDO2                   	SUCCESS  	

5 tests, 5 successful, 0 skipped, 0 failed

Summary: 1 device(s) tested, 1 successful, 0 failed

So, I think I am good again. Sadly I struggle to test the use of it because of another issue I have, but that’s for another topic. So, do you think my device was successfully updated? Why does it show less items in the device listing now?

terry · August 26, 2025, 4:47am

Having read another recent post here, it seems that all this might have happened because of my devd rules being ignored. I added the devd rules for Nk3, added my user to the u2f group and restarted the devd service, but I still cannot write to the Nitrokey unless I am root. Strange.

WithLaTe · August 26, 2025, 8:32am

Are the udev rules a prerequisite for the software to function?

Then the software should also check whether they are present and whether they have been executed. Simple as that.

I really hate unfinished software these days, because it’s wasting people’s time and thus it’s wasting money, and after a few days with NK3, I can’t help but get that impression.

Please don’t get me wrong. I love the idea of an open source solution in this area. But unfortunately, as is all too often the case, it’s simply inadequately implemented. Unfortunately. What a shame.