Nitokey Start Firmware Update failed / device or firmware missing?

Nitrokey Support
#1

Hello,

after some problems I managed to reset my Nitrokey startup last time. Now I finally wanted to run the firmware update, but unfortunately this fails. It looks like there is no current firmware version on the device anymore.

I am not sure if it is just the firmware that is not recognized or the stick is not recognized at all. My admin-PW is obviously accepted.

Is it broken or is there anything that can be rescued?

pi@raspberrypi:~ $ nitropy start list
*** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start
:: ‘Nitrokey Start’ keys:
None: None None (None)

pi@raspberrypi:~ $ nitropy start update
*** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start
Nitrokey Start firmware update tool
Platform: Linux-5.4.72-v7±armv7l-with-debian-10.7
System: Linux, is_linux: True
Python: 3.7.3
Saving run log to: /tmp/nitropy.log.7h4nj7_q
Admin password:
Firmware data to be used:
- FirmwareType.REGNUAL: 4504, hash: …b’65ac82a1’ valid (from …built/RTM.10/regnual.bin)
- FirmwareType.GNUK: 131072, hash: …b’f85da8f7’ valid (from …prebuilt/RTM.10/gnuk.bin)
Currently connected device strings:
Device:
initial device strings: [{‘name’: ‘’, ‘Vendor’: None, ‘Product’: None, ‘Serial’: None, ‘Revision’: None, ‘Config’: None, ‘Sys’: None, ‘Board’: None}]
Please note:
- Latest firmware available is:
RTM.10 (published: 2020-06-04T12:34:14Z)
- provided firmware: None
- all data will be removed from the device!
- do not interrupt update process - the device may not run properly!
- the process should not take more than 1 minute
Do you want to continue? [yes/no]: yes

Starting bootloader upload procedure
error while running update
Could not connect to the device. Attempting to close scdaemon.
Running: gpgconf --kill all
Running: sudo systemctl stop pcscd pcscd.socket
retrying…

Starting bootloader upload procedure
error while running update
Could not connect to the device. Attempting to close scdaemon.
Running: gpgconf --kill all
Running: sudo systemctl stop pcscd pcscd.socket
retrying…

Starting bootloader upload procedure
error while running update
Could not connect to the device. Attempting to close scdaemon.
Running: gpgconf --kill all
Running: sudo systemctl stop pcscd pcscd.socket
retrying…
Critical error:
.
Could not proceed with the update
Please execute one or all of the following and try again:
- re-insert device to the USB slot
- run factory-reset on the device
- close other applications, which could use it (e.g., scdaemon, pcscd)
.
--------------------------------------------------------------------------------
Critical error occurred, exiting now
Unexpected? Is this a bug? Do you would like to get support/help?
- You can report issues at: https://github.com/Nitrokey/pynitrokey/issues/
- Writing an e-mail to: support@nitrokey.com is also possible
- Please attach the log: ‘/tmp/nitropy.log.7h4nj7_q’ with any support/help request!
--------------------------------------------------------------------------------

pi@raspberrypi:~ $ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

On Window computer:

C:\Windows\system32>gpg --card-status
Reader …: Nitrokey Nitrokey Start 0
Application ID …: xxxxxxxxxxxxxxxxxxxxxxx
Application type .: OpenPGP
Version …: 2.0
Manufacturer …: unmanaged S/N range
Serial number …: xxxxxxxxxxxxxxxxxxxxxxx
Name of cardholder: [nicht gesetzt]
Language prefs …: [nicht gesetzt]
Salutation …:
URL of public key : [nicht gesetzt]
Login data …: [nicht gesetzt]
Signature PIN …: zwingend
Key attributes …: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting …: off
Signature key …: [none]
Encryption key…: [none]
Authentication key: [none]
General key info…: [none]

#2
#3

Hi!
We will take a look. Possibly some additional setup is required on the Raspberry Pi.

@daringer Could you check on your side?

#4

Reproduce on an RPi4 Debian 10.4, some observations:

  • without proper udev rules the behavior is identical
  • with rules still the same behavior
  • as root using sudo nitropy start list it is working as expected, please use this as a workaround in the meantime
  • further Nitrokey FIDO2 devices also do not work as expected without nitropy being run as root

somehow points towards a permission issue, but cannot pinpoint for now, maybe we need to adapt the udev rules? This is also tracked now on github.

1 Like
#5

Thank you for the update, @daringer!

But it’s not working for me.

pi@raspberrypi:~ $ sudo nitropy start list
sudo: nitropy: command not found

pi@raspberrypi:~ $ sudo nitropy start update
sudo: nitropy: command not found

pi@raspberrypi:~ $ sudo -i
root@raspberrypi:~# sudo nitropy start list
sudo: nitropy: command not found
root@raspberrypi:~# sudo nitropy start update
sudo: nitropy: command not found
root@raspberrypi:~# pynitrokey start list
-bash: pynitrokey: command not found
root@raspberrypi:~# exit
logout

I followed the instruction from the this article when I installed the package.

$ sudo apt install python3-pip
$ pip3 install --user pynitrokey

So I removed the package and installed without “–user” part. But same result.

I’m not really an experienced Linux user, I only use the raspberry as pi-hole and for vpn. Maybe I typed something wrong?

#6

it looks like the pip3 call fails,
could you please run pip3 install -U pynitrokey (the -U ensures the package to be updated)
then you should search for the executable (nitropy) you can do this using which nitropy

if the which call does not deliver the full path of the nitropy executable, then there was something wrong with your pip3 install, please check (or paste to some pastebin, then I can check) its output if there is no error…

1 Like
#7 
pi@raspberrypi:~ $ pip3 install -U pynitrokey
Looking in indexes: https://pypi.org/simple, https://www.piwheels.org/simple
Requirement already up-to-date: pynitrokey in ./.local/lib/python3.7/site-packages (0.4.1)
Requirement already satisfied, skipping upgrade: cryptography in /usr/lib/python3/dist-packages (from pynitrokey) (2.6.1)
Requirement already satisfied, skipping upgrade: intelhex in ./.local/lib/python3.7/site-packages (from pynitrokey) (2.3.0)
Requirement already satisfied, skipping upgrade: pygments in ./.local/lib/python3.7/site-packages (from pynitrokey) (2.7.2)
Requirement already satisfied, skipping upgrade: click>=7.0 in ./.local/lib/python3.7/site-packages (from pynitrokey) (7.1.2)
Requirement already satisfied, skipping upgrade: pyusb in ./.local/lib/python3.7/site-packages (from pynitrokey) (1.1.0)
Requirement already satisfied, skipping upgrade: fido2>=0.8.1 in ./.local/lib/python3.7/site-packages (from pynitrokey) (0.8.1)
Requirement already satisfied, skipping upgrade: requests in /usr/lib/python3/dist-packages (from pynitrokey) (2.21.0)
Requirement already satisfied, skipping upgrade: cbor in ./.local/lib/python3.7/site-packages (from pynitrokey) (1.0.0)
Requirement already satisfied, skipping upgrade: cffi in ./.local/lib/python3.7/site-packages (from pynitrokey) (1.14.4)
Requirement already satisfied, skipping upgrade: pyserial in ./.local/lib/python3.7/site-packages (from pynitrokey) (3.5)
Requirement already satisfied, skipping upgrade: ecdsa in ./.local/lib/python3.7/site-packages (from pynitrokey) (0.16.1)
Requirement already satisfied, skipping upgrade: six in /usr/lib/python3/dist-packages (from fido2>=0.8.1->pynitrokey) (1.12.0)
Requirement already satisfied, skipping upgrade: pycparser in ./.local/lib/python3.7/site-packages (from cffi->pynitrokey) (2.20)

pi@raspberrypi:~ $ which nitropy
/home/pi/.local/bin/nitropy

pi@raspberrypi:~ $ sudo nitropy start list
sudo: nitropy: command not found

pi@raspberrypi:~ $ nitropy start list
*** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start
:: 'Nitrokey Start' keys:
#8

hey this looks good, you are nearly there, let me explain some linux specifics:

pip3 install -U pynitrokey

correctly installs pynitrokey (thus the binary nitropy inside your users (“pi”) directory: ~/.local/bin/, also the directory is in your PATH (where the system is looking for executable binaries), what is what which nitropy tells you …

so if you simply run nitropy start list things run as expected (at least for the raspberry pi), means you can see that nitropy is starting correctly, but it’s not able to access the usb devices (as stated above, for some reason usb-access is not working here for the non-root user), thus you cannot see any devices listed.

if you now run sudo nitropy start list you try to run nitropy as root, but root has no nitropy available (as you have installed it locally to your user directory ~/.local/bin which is of course not part of the root-user’s PATH

soooo, long story short:

  • uninstall the user pynitrokey, so run as user pip3 uninstall pynitrokey this will remove pynitrokey from your -user-local directory
  • install pynitrokey as root user: sudo pip3 install pynitrokey (this will install pynitrokey system-wide)
  • now you should be able to run: sudo nitropy start list
1 Like
#9

Thank you for the explanation and for the patience with me.

I have now managed to update from version RTM.6 to RTM.10.

1 Like