Fido2 Failed to update with Nitropy on Linux

Hey, I have a Nitrokey Fido2, and a while back I tried to upgrade the firmware with pynitrokey on Linux. However, the upgrade failed despite me having the appropriate udev rules set on my machine. Here is the log output:

2823     DEBUG       root print: After update version check...
72824     DEBUG fido2.hid.linux Skip device: [Errno 13] Permission denied: '/dev/hidraw1'
72824     DEBUG fido2.hid.linux Skip device: [Errno 13] Permission denied: '/dev/hidraw0'
73080     DEBUG fido2.hid.linux Found CTAP device: /dev/hidraw3
73080     DEBUG fido2.hid.linux Skip device: [Errno 13] Permission denied: '/dev/hidraw1'
73080     DEBUG fido2.hid.linux Skip device: [Errno 13] Permission denied: '/dev/hidraw0'
73137     DEBUG  fido2.hid SEND: ffffffff86000815307c0609645017

Later I found out about https://update.nitrokey.com, however, that also fails to help me update, and thus unbrick, my Nitrokey Fido2. It stops at this screen:

What is the umask for user root on your system?

The default udev rules lack MODE="0664", so if the system umask is tightened (e.g. disallowing access by other users by default), it does not get set properly by udev and you might not have access to /dev/hidraw*, as is also indicated by the error message. Without access, the update cannot continue.

My root user’s umask is 0022, at least that is what the output is when I type umask as root. Also, I am unfamiliar with udev in Linux to be honest, so I don’t know how to set that rule. I do not even understand what it does - much less what it is. I downloaded the udev rules from https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules, and put them in my udev directory at /etc/udev/rules.d/

That is a rather default umask and should work. I also read the rules you mentioned, and they use uaccess, which is another mechanism to provide access to hidraw devices besides user and group permissions.

Then I guess that pynitrokey does not properly resume the update. Someone from Nitrokey might have some insights about the Nitrokey FIDO2 update and whether it can be resumed like, e.g., the Nitrokey 3. You could write to support@nitrokey.com.
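
As an added example (not part of the original thread and not Nitrokey's or pynitrokey's code): a small Python check that reports, for each /dev/hidraw* node, whether access is decided by a POSIX ACL (the mechanism uaccess relies on) or by the owner/group/other mode bits. The function names are hypothetical, and the ACL test assumes Linux exposes the ACL as the system.posix_acl_access extended attribute.

```python
import glob
import os
import stat

RW = 0o6  # read + write: a CTAP client opens the hidraw node for both


def mode_allows_rw(mode, owner, group, uid, gids):
    """Owner/group/other check only; ignores ACLs and the root override."""
    if uid == owner:
        bits = mode >> 6
    elif group in gids:
        bits = mode >> 3
    else:
        bits = mode
    return (bits & RW) == RW


def has_acl(path):
    """True if the node carries a POSIX ACL, the mechanism uaccess relies on."""
    try:
        os.getxattr(path, "system.posix_acl_access")
        return True
    except (OSError, AttributeError):  # no ACL, unsupported fs, or not Linux
        return False


def diagnose(path, uid=None, gids=None):
    """Report what decides read/write access to the node for the given uid."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getgid()} if gids is None else set(gids)
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if has_acl(path):
        via = "acl"      # an ACL decides access; list its entries with getfacl
    elif mode_allows_rw(mode, st.st_uid, st.st_gid, uid, gids):
        via = "mode"     # granted by MODE=/GROUP= style permissions
    else:
        via = "denied"   # matches "[Errno 13] Permission denied" in the log
    return {"path": path, "mode": format(mode, "04o"),
            "owner": st.st_uid, "group": st.st_gid, "via": via}


if __name__ == "__main__":
    for node in sorted(glob.glob("/dev/hidraw*")):
        print(diagnose(node))
```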

The Nitrokey Fido2 erases the firmware before installing the new firmware. Also, it stays in bootloader mode until a valid firmware image gets flashed. This is per the Nitrokey Fido2 Documentation. Also, I did write to Nitrokey support before coming to the forum, but I have yet to receive a reply from them.

Hi!

  1. I do not see any error messages - can you make a screenshot when it fails in the browser?
    Ideally, a log from the console.
  2. About nitropy, the pasted messages are correct and expected - only one CTAP device is found and connectable. What about the other lines?

Please make sure your pynitrokey is up to date. What version do you use?

Here is a picture of the webupdate page. Additionally, I am using whatever version of PyNitrokey I had installed via pip on Arch Linux. I do not have access to that computer at the moment so I cannot check.

Below is a workaround for this problem:
