Nitropy on *BSDs?

I am trying to get nitropy running on FreeBSD and I am running into the following issues:

Newer pc-ble-driver-py cannot be built due to missing sdist on pypi, this skips the nrfutil and the pynitrokey package gets downgraded to 0.4.25 (the newest currently seems to be 0.4.33).

pynitrokey 0.4.25 seems to need NXP’s LIBUSBSIO to be ported to the OS I am using (nitropy nk3 list dies with Exception encountered: LIBUSBSIO_Exception('LIBUSBSIO: Unknown platform to load proper library.')).

The device itself seems to be:

> sudo usbconfig -d 5.2 dump_device_desc
ugen5.2: <Nitrokey Nitrokey 3> at usbus5, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (100mA)

  bLength = 0x0012 
  bDescriptorType = 0x0001 
  bcdUSB = 0x0210 
  bDeviceClass = 0x00ef  <Miscellaneous device>
  bDeviceSubClass = 0x0002 
  bDeviceProtocol = 0x0001 
  bMaxPacketSize0 = 0x0040 
  idVendor = 0x20a0 
  idProduct = 0x42b2 
  bcdDevice = 0x0102 
  iManufacturer = 0x0001  <Nitrokey>
  iProduct = 0x0002  <Nitrokey 3>
  iSerialNumber = 0x0000  <no string>
  bNumConfigurations = 0x0001 

Anyone got this tool running on any non-Linux/MacOS/Windows system?
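
Added example (not part of the original thread): a small Python parser for the usbconfig dump_device_desc output shown above. It confirms by vendor and product ID that the attached device is a Nitrokey 3 before nitropy is pointed at it. The function names are hypothetical, and the sample input is an abridged copy of the dump from this post.

```python
import re

# Constructed sample: abridged copy of the descriptor dump quoted in this thread.
SAMPLE = """\
ugen5.2: <Nitrokey Nitrokey 3> at usbus5, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (100mA)

  bcdUSB = 0x0210
  bDeviceClass = 0x00ef  <Miscellaneous device>
  idVendor = 0x20a0
  idProduct = 0x42b2
  bcdDevice = 0x0102
  iManufacturer = 0x0001  <Nitrokey>
  iProduct = 0x0002  <Nitrokey 3>
  iSerialNumber = 0x0000  <no string>
"""

# IDs as reported in the dump above.
NITROKEY_VID = 0x20A0
NK3_PID = 0x42B2

_HEADER = re.compile(r"^(ugen\d+\.\d+): <(.*?)> at (usbus\d+)")
_FIELD = re.compile(r"^\s+(\w+) = (0x[0-9a-fA-F]+)\s*(?:<(.*)>)?\s*$")

def bcd(value):
    """Decode a 16-bit BCD field, e.g. bcdUSB 0x0210 becomes '2.10'."""
    major = (value >> 12) * 10 + ((value >> 8) & 0xF)
    return f"{major}.{(value >> 4) & 0xF}{value & 0xF}"

def parse_device_desc(text):
    """Parse one device block of `usbconfig dump_device_desc` output."""
    dev = {"fields": {}, "labels": {}}
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            dev["ugen"], dev["name"], dev["bus"] = m.groups()
            continue
        m = _FIELD.match(line)
        if m:
            key, value, label = m.groups()
            dev["fields"][key] = int(value, 16)
            if label:  # text usbconfig prints in <...> after the value
                dev["labels"][key] = label
    return dev

def is_nitrokey3(dev):
    """True only if both vendor and product ID match the Nitrokey 3."""
    f = dev["fields"]
    return f.get("idVendor") == NITROKEY_VID and f.get("idProduct") == NK3_PID
```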

I think this is possible. Especially since kexec exists in FreeBSD & NetBSD.

As for OpenBSD, it might be possible for that too, given the new interface.

Not sure yet though beyond that.

Sorry @zapper - no idea what you mean… I just want to build python dependencies from source, this seems to be not possible.

As of today the dependency should not be there anymore, thus pynitrokey 0.4.35 is expected to work on *bsd …

Thank you, I can install it, but here is my attempt to talk to Nitrokey 3:

> /usr/home/saper/NITROKEY/bin/nitropy nk3 list
Command line tool to interact with Nitrokey devices 0.4.35
:: 'Nitrokey 3' keys
Critical error:
An unhandled exception occurred
	Exception encountered: LIBUSBSIO_Exception('LIBUSBSIO: Unknown platform to load proper library.')

Critical error occurred, exiting now
Unexpected? Is this a bug? Would you like to get support/help?
- You can report issues at:
- Writing an e-mail to is also possible
- Please attach the log: '/tmp/nitropy.log.fcovi4i9' with any support/help request!
--------------------------------------------------------------------------------

Oh, OK, that’s spsdk, which uses libusbsio. We’ll address this with NXP; maybe they can do something about it. But this should actually be an lpc55-only issue, which means that with some tweaks this might at least work for Nitrokey 3minis.

I have Nitrokey 3A NFC, I think this is NXP?

yip, it is.
To upload a firmware to the Nitrokey 3A NFC (with a lpc55s from NXP) we strictly need spsdk and libusbsio, the latter does not work with *BSD as it seems:

An unhandled exception occurred
	Exception encountered: LIBUSBSIO_Exception('LIBUSBSIO: Unknown platform to load proper library.')

we have no other means to upload the firmware, despite using this: LIBUSBSIO Host Library for USB Enabled MCUs | NXP Semiconductors

in order to make this work on bsd we need to address NXP to enable this for *BSD. Don’t see any other option …

On the other side, the NK3minis don’t use this, so they might work (with some adaptions inside pynitrokey)

I had a brief look at this, LIBUSBSIO Host Library for USB Enabled MCUs | NXP Semiconductors is basically one C file (lpcusbsio.c) that is supposed to use GitHub - signal11/hidapi: A Simple library for communicating with USB and Bluetooth HID devices on Linux, Mac, and Windows. which officially supports FreeBSD and works without problems, however… NXP decided to use some version of it and patch it a bit.

This is quite a mess.

@robin-nitrokey but we need it only for updates, right? So we could possibly just disable updating for *bsd in pynitrokey and the other things might work?

Also took a deeper look: the error comes from libusbsio · PyPI

which is a python wrapper which contains built libusbsio libraries, so the whole story might not be too complicated: just put a *bsd library in place (compile libusbsio for *bsd) and add the proper loading mechanism into python next to the other options …

but reasonably this can only be done by NXP

I hacked the C library to build (mostly by removing stuff apparently unused by the Python library) plus some manual copying and voilà

(NITROKEY) radziecki> /usr/home/saper/NITROKEY/bin/nitropy nk3 status
Command line tool to interact with Nitrokey devices 0.4.35
UUID:               F46A14396DF7AC5AA07923D516BCC3AB
Firmware version:   v1.2.2
(NITROKEY) radziecki> /usr/home/saper/NITROKEY/bin/nitropy nk3 test  
Command line tool to interact with Nitrokey devices 0.4.35
Found 1 Nitrokey 3 device(s):
- Nitrokey 3 at /dev/uhid0

Running tests for Nitrokey 3 at /dev/uhid0

[1/4]	uuid     	UUID query              	SUCCESS  	F46A14396DF7AC5AA07923D516BCC3AB
[2/4]	version  	Firmware version query  	SUCCESS  	v1.2.2
[3/4]	status   	Device status           	SKIPPED  	
Please press the touch button on the device ...
Please press the touch button on the device ...
[4/4]	fido2    	FIDO2                   	SUCCESS  	

4 tests, 3 successful, 1 skipped, 0 failed

Summary: 1 device(s) tested, 1 successful, 0 failed

Haven’t tried flashing anything.

Maybe you could ask them nicely to:

  • at least put their sources to github or some other repository it is possible to provide patches for?
  • clarify if we really need ex_info in HIDAPI_ENUM_T for LPC55 (this seems to be unused by the Python part and SPSDK)
  • Do we really need timeout_ms in HIDAPI_DeviceWrite and if yes, maybe the hid_write_timeout should have been moved inside of that function (and probably rewritten, since it looks pretty strange to me).

That actually was “exactly” what I meant. :wink:

To build libusbsio on FreeBSD I simply copy-pasted the Linux hidapi implementation into a freebsd folder (in src), and then removed almost all the content of hid.c.

I kept only the following functions (with some modifications): hid_write_timeout, hid_get_report_lengths, hid_get_usage

I also created a hidapi_mock.h file to keep the function definitions, which also includes hidapi.h

Finally I linked to hidapi and added a check in python/libusbsio/ to support FreeBSD, and now I have a nitropy that works.

Do you know if I could put all the patches in a GitHub repo without having legal issues?

By the way, I was able to push a firmware upgrade (it stops at finalize update 3%; after forcing it to exit it reports the new version, so I guess it is good?)

To do that you will need to use hidraw on the Nitrokey, so you need to set the sysctl hw.usb.usbhid.enable to 1 before plugging in the Nitrokey devices.

For those interested I put my patches on github

Note that you may use it at your own risk, I am not sure if using nitropy with it for upgrading the nitrokey 3 is really safe since last time I tested I got stuck at 3% in the finalize update part.

Any updates on this? The custom build of libusbsio works, but it would be nice to have an official solution.

currently I have to admit that there is no real plan to fully, officially support pynitrokey for *bsd - nxp didn’t answer our request to properly publish libusbsio - this doesn’t surprise me too much - mid term this means we cannot go towards official support on *bsd platforms w/o major efforts on our side.

Having libusbsio in the port tree would help the process I guess, we could pull the download from
(see arch pkgbuild PKGBUILD · main · Arch Linux / Packaging / Packages / libusbsio · GitLab)

Then do the patching with the ports framework (either my patches or someone else’s).

So that the end user could simply install the libusbsio dependency on *BSD and then either use a venv that has access to the system libs or simply symlink libusbsio into the venv directory.