Recovery Nitrokey HSM firmware

Trat · March 14, 2024, 2:24pm

Hello! I can’t restore the firmware for the Nitrokey HSM 2. After installing the firmware from GitHub (via JTAG), pkcs11/15 doesn’t find the slots. Serial number is wrong after re-flashing.

$ pkcs11-tool -I
Cryptoki version 2.20
Manufacturer OpenSC Project
Library OpenSC smartcard framework (ver 0.20)
error: PKCS11 function C_GetSlotInfo failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
$ pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (01A001000000000 ) 00 00
PKCS#15 binding failed: Transmit failed

Could you help me please to re-init it?

saper · March 15, 2024, 3:05pm

Which firmware did you try to modify and how? Can you provide the details?

Trat · March 15, 2024, 3:26pm

Hello I’ve programmed Release HSM: support new hardware platform · Nitrokey/nitrokey-pro-firmware · GitHub this build through JTAG (using j-link), and after that pkcs dosn’t see the slots.

saper · March 15, 2024, 3:58pm

Well, maybe you should try to roll back. I’ve never done this before, as the SmartCard applet is much more interesting than this firmware.

saper · March 15, 2024, 4:02pm

What are the USB Vendor / Device IDs reported by the device?
Can you compare them to the old ones before the upgrade?

Trat · March 15, 2024, 5:01pm

I didn’t check it before, but serial number was changed. I’ve googled Nitrokey HSM 2 logs and PID/VID looks the same. Also, I cannot update SmartCard applet as well.

saper · March 15, 2024, 5:38pm

I don’t know why are you even doing this, but if I read properly the newest firmware is meant for 4.0 devices. Maybe you should try something from the older branch GitHub - Nitrokey/nitrokey-pro-firmware at ci-hsm

Trat · March 15, 2024, 6:01pm

Thanks, I will try, I’ve also programmed this one Release HSM2 release · Nitrokey/nitrokey-pro-firmware · GitHub but it was the same result.

saper · March 15, 2024, 6:40pm

Can you dump available USB descriptors? And please do not avoid putting actual data in your reply.
Besides, if you are a JTAG expert, you can probably try to debug the code via JTAG.

Trat · March 15, 2024, 6:52pm

I think, that I’m really using a wrong version of firmware for my key. Also the another strange things:
on the original firmware the name was

Nitrokey Nitrokey HSM (DENKXXXXXXXXXXXXX ) 00 00

but now

Using reader with a card: Nitrokey Nitrokey HSM (01A001000000000 ) 00 00

Looks like that SmartCard-HSM doesn’t give a valid data.

saper · March 15, 2024, 9:17pm

Trat · March 15, 2024, 10:04pm

I’ve checked this branch GitHub - Nitrokey/nitrokey-pro-firmware at ci-hsm it also doesn’t work for me (PC doesn’t find Nitrokey, as I understand STM32 don’t see smartcard?).

saper · March 16, 2024, 1:38am

Sorry, I am out. I have no idea. Maybe this is related to the clock and the timing and other issues mentioned in

github.com/Nitrokey/nitrokey-pro-firmware

Nitrokey HSM: handle v4.0 smart cards

opened 01:39PM - 26 Nov 23 UTC

szszszsz

bug help wanted device/Nitrokey HSM smart card

The new H/W v4.0 HSM smart cards are not properly setting up with the current fi…rmware. The problem with communication starts right away after execution of the PPS procedure, where the higher bit rate is configured with the smart card, after which the USART peripheral working in the SMARTCARD mode is reconfigured with higher bitrate as well. After this point smart card is requested for its serial number, which ends up malformed. Similarly further USB CCID requests, which are passed to the smart card, are either ending up in a Default Handler due to the Frame Exception being raised, or just in an infinite loop, where the MCU awaits for the flag change from the USART peripheral, which at some point should signalize data reception. Interestingly, when the `PTS_config()` body execution is skipped (= insert `return` as a first line), everything works fine at the default speed of `9600bps`, however this speed is clearly not enough to have a proper user experience. The aim is to have at least the speed of the previous smart card generation, which is `~ 115kbps`. Even if the configuration of the minimal speed is attempted, which should end up in the same value as the default one - `9600bps`, the proper communication is not achieved. The v3.0 cards work properly with the current implementation. The only changes are: - ATR change, allowing for a higher bitrate; - old ATR: https://smartcard-atr.apdu.fr/parse?ATR=3b+de+18+ff+81+91+fe+1f+c3+80+31+81+54+48+53+4d+31+73+80+21+40+81+07+1c - new ATR: https://smartcard-atr.apdu.fr/parse?ATR=3B+DE+96+FF+81+91+FE+1F+C3+80+31+81+54+48+53+4D++31+73+80+21+40+81+07+92 - hardware change - JCOP 3 -> JCOP 4. Done so far: - [x] rewritten PTS procedure, and verified execution - [x] tried different T0 values - [x] tried previous generation ATR directly - [x] verified USB CCID descriptors - [x] compared the current smartcard HAL with the latest available STM32 examples Some of the mentioned are stored in the commits history of the wip scratch branch (does not work, and its not coherent): - https://github.com/Nitrokey/nitrokey-pro-firmware/pull/101 Things to check yet: - [ ] peripheral microcode update - [ ] clock dependencies (USB, smart card) - [ ] higher peripheral clock setup (different prescaler) for the smaller bitrate error (for the `225kbps` setting) - [ ] ETU configuration, and connected hardcoded delays adjustments (new ATR has half of the previous ETU) Initial configuration - `SC_Init()`: - https://github.com/Nitrokey/nitrokey-pro-firmware/blob/47dd7f1ad6789e5b317266b831d8624c7d126063/src/ccid/smartcard/smartcard.c#L1058-L1193 Mentioned `PTS_config()`: https://github.com/Nitrokey/nitrokey-pro-firmware/blob/47dd7f1ad6789e5b317266b831d8624c7d126063/src/ccid/smartcard/smartcard.c#L507-L670 Hardware schematics: - https://github.com/Nitrokey/nitrokey-pro-hardware

or maybe Nitrokey HSM: timeout on initialization after heavy use · Issue #78 · Nitrokey/nitrokey-pro-firmware · GitHub or Nitrokey HSM: invalid serial number after a heavy load · Issue #79 · Nitrokey/nitrokey-pro-firmware · GitHub