Nitropy crash on upgrade to FIDO2 firmware on a 3A mini

Nitrokeys FIDO2 / Nitrokey 3
1

I’ve just tried to update the FIDO2 firmware using Nitropy and it crashes.

OS: Arch linux
Python 3.11

nitropy fido2 update

I’m not sure, but I think the crash happened when I touched the device when the script asked me to. (not during 10 seconds, just touching it)

full update log 
1947       INFO pynitrokey.cli Timestamp: 2023-11-14 22:04:18.231730
1947       INFO pynitrokey.cli OS: uname_result(system='Linux', node='***', release='6.6.1-arch1-1', version='#1 SMP PREEMPT_DYNAMIC Wed, 08 Nov 2023 16:05:38 +0000', machine='x86_64')
1947       INFO pynitrokey.cli Python version: 3.11.5
1947       INFO pynitrokey.cli Cli arguments: ['fido2', 'update']
1967       INFO pynitrokey.cli pynitrokey version: 0.4.41
1968       INFO pynitrokey.cli cryptography version: 41.0.5
1969       INFO pynitrokey.cli ecdsa version: 0.18.0
1970       INFO pynitrokey.cli fido2 version: 1.1.2
1971       INFO pynitrokey.cli pyusb version: 1.2.1
1972       INFO pynitrokey.cli spsdk version: 1.11.0
1978      DEBUG urllib3.connectionpool Starting new HTTPS connection (1): api.github.com:443
2426      DEBUG urllib3.connectionpool https://api.github.com:443 "GET /repos/Nitrokey/pynitrokey/releases/latest HTTP/1.1" 200 1380
2430      DEBUG       root Start session 2023-11-14 22:04:18.715084
2430      DEBUG       root print: Nitrokey FIDO2 firmware update tool
2431      DEBUG       root print: Platform: Linux-6.6.1-arch1-1-x86_64-with-glibc2.38
2431      DEBUG       root print: System: Linux, is_linux: True
2431      DEBUG       root print: Python: 3.11.5
2431      DEBUG       root print: Saving run log to: /tmp/nitropy.log.msfemsxo
2431      DEBUG       root print: Starting update procedure for Nitrokey FIDO2...
2625      DEBUG urllib3.connectionpool Starting new HTTPS connection (1): api.github.com:443
3100      DEBUG urllib3.connectionpool https://api.github.com:443 "GET /repos/Nitrokey/nitrokey-fido2-firmware/releases/latest HTTP/1.1" 200 1268
3103      DEBUG       root print: Found latest firmware: nitrokey-fido2-firmware-2.4.0.json
		(published at 2021-05-12T12:24:14Z, under tag 2.4.1.nitrokey)
4104      DEBUG       root print: Current Firmware version: 0.64.1
4104      DEBUG       root print: Downloading latest firmware: 2.4.1.nitrokey (published at 2021-05-12T12:24:14Z)
4107      DEBUG urllib3.connectionpool Starting new HTTPS connection (1): github.com:443
4571      DEBUG urllib3.connectionpool https://github.com:443 "GET /Nitrokey/nitrokey-fido2-firmware/releases/download/2.4.1.nitrokey/nitrokey-fido2-firmware-2.4.0.json HTTP/1.1" 302 0
4575      DEBUG urllib3.connectionpool Starting new HTTPS connection (1): objects.githubusercontent.com:443
5036      DEBUG urllib3.connectionpool https://objects.githubusercontent.com:443 "GET /github-production-release-asset-2e65be/164468825/1299c880-b400-11eb-8dbb-ea2513c65ffa?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231114%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231114T210351Z&X-Amz-Expires=300&X-Amz-Signature=caecc65965812b04df5404b0ec5ae85e985a79e80c2966ba2e1d65d436572c3f&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=164468825&response-content-disposition=attachment%3B%20filename%3Dnitrokey-fido2-firmware-2.4.0.json&response-content-type=application%2Foctet-stream HTTP/1.1" 200 228295
5275      DEBUG       root print: Firmware saved to /tmp/fido2_firmware.json
5275      DEBUG       root print: Downloaded firmware version: 2.4.1.nitrokey
5276      DEBUG       root print: This will update your Nitrokey FIDO2
51546     DEBUG       root print: Entering bootloader mode, please confirm with button on key! (long 10 second press)
55216     DEBUG       root print: Critical error:
55216     DEBUG       root print: problem switching to bootloader mode:
55217     ERROR       root [Errno 5] Input/output error
Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/pynitrokey/cli/update.py", line 184, in update
    client.enter_bootloader_or_die()
  File "/usr/lib/python3.11/site-packages/pynitrokey/fido2/client.py", line 389, in enter_bootloader_or_die
    self.enter_bootloader()
  File "/usr/lib/python3.11/site-packages/pynitrokey/fido2/client.py", line 385, in enter_bootloader
    self.send_data_hid(SoloBootloader.HIDCommandEnterBoot, b"")
  File "/usr/lib/python3.11/site-packages/pynitrokey/fido2/client.py", line 152, in send_data_hid
    return self.dev.call(cmd, data, event=event)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/fido2/hid/__init__.py", line 191, in call
    recv = self._connection.read_packet()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/fido2/hid/base.py", line 80, in read_packet
    return os.read(self.handle, self.descriptor.report_size_in)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
OSError: [Errno 5] Input/output error
55220     DEBUG       root listing all connected devices:
55221     DEBUG       root :: 'Nitrokey FIDO2' keys
55222     DEBUG       root :: 'Nitrokey Start' keys:
55270     DEBUG       root :: 'Nitrokey 3' keys
56177      INFO  libusbsio Loading SIO library: /usr/lib/python3.11/site-packages/libusbsio/bin/linux_x86_64/libusbsio.so
56186      INFO  libusbsio HID enumeration[94306781988288]: initialized
56186     DEBUG  libusbsio HID enumeration[94306781988288]: device #0: USB Receiver
56187     DEBUG  libusbsio HID enumeration[94306781988288]: device #1: USB Receiver
56187     DEBUG  libusbsio HID enumeration[94306781988288]: device #2: USB Receiver
56187      INFO  libusbsio HID enumeration[94306781988288]: finished, total 3 devices
56203     DEBUG pynitrokey.nk3.bootloader.nrf52 Found Nitrokey 3 NRF52 bootloader with port /dev/ttyACM0
56204     DEBUG       root /dev/ttyACM0: Nitrokey 3 Bootloader (NRF52) 00000000000000000000E9077368C9CC
56204     DEBUG       root print: --------------------------------------------------------------------------------
56204     DEBUG       root print: Critical error occurred, exiting now
56204     DEBUG       root print: Unexpected? Is this a bug? Would you like to get support/help?
56204     DEBUG       root print: - You can report issues at: https://support.nitrokey.com/
56204     DEBUG       root print: - Writing an e-mail to support@nitrokey.com is also possible
56204     DEBUG       root print: - Please attach the log: '/tmp/nitropy.log.msfemsxo' with any support/help request!
56205     DEBUG       root print: - Please check if you have udev rules installed: https://docs.nitrokey.com/nitrokey3/linux/firmware-update.html#troubleshootingManifest-Version: 1.0

Here some outputs:

$ nitropy nk3 status
Command line tool to interact with Nitrokey devices 0.4.41
UUID:               ***
Firmware version:   v1.5.0
Init status:        ok
Free blocks (int):  229
Free blocks (ext):  474
Variant:            NRF52

$ nitropy fido2 status
Command line tool to interact with Nitrokey devices 0.4.41
Critical error:
An unhandled exception occurred
	Exception encountered: CtapError('CTAP error: 0x01 - INVALID_COMMAND')

--------------------------------------------------------------------------------
Critical error occurred, exiting now

(was working before)

I’m stuck and need help getting the FIDO2 firmware back to a usable state.

Thank you

2

That error message for nitropy fido2 status is bogus, because the NK3 does not support the command. Also, you can’t update the fido2 app separately. It’s both commands that are for the legacy FIDO devices. For the NK3 FIDO is included in the main NK3 firmware. If you have no FIDO credentials in use, you can use nitropy fido2 reset and set a pin. Try it.

1 Like
3

Thank you for your reply,
Indeed, I was mistaken in thinking that there were 2 firmwares on the key.

4

Well, how should you know, the log does not give hints. I don’t know why it downloads a FIDO firmware in the first place, when the update command itself is not supported. Perhaps, they want to enable it later.

In any case my previous statement to reset fido was probably premature and not necessary, because nothing breaks just by trying to update. Your key is on the latest stable NK3 firmware (1.5.0 as of now).