Trat
March 14, 2024, 2:24pm
1
Hello! I can’t restore the firmware for the Nitrokey HSM 2. After installing the firmware from GitHub (via JTAG), pkcs11/15 doesn’t find the slots. Serial number is wrong after re-flashing.
```
$ pkcs11-tool -I
Cryptoki version 2.20
Manufacturer OpenSC Project
Library OpenSC smartcard framework (ver 0.20)
error: PKCS11 function C_GetSlotInfo failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
$ pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (01A001000000000 ) 00 00
PKCS#15 binding failed: Transmit failed
```
Could you please help me re-init it?
saper
March 15, 2024, 3:05pm
2
Which firmware did you try to modify and how? Can you provide the details?
Trat
March 15, 2024, 3:26pm
3
Hello, I’ve programmed this build (Release HSM: support new hardware platform · Nitrokey/nitrokey-pro-firmware · GitHub) through JTAG (using J-Link), and after that pkcs doesn’t see the slots.
saper
March 15, 2024, 3:58pm
4
Well, maybe you should try to roll back. I’ve never done this before, as the SmartCard applet is much more interesting than this firmware.
saper
March 15, 2024, 4:02pm
5
What are the USB Vendor / Device IDs reported by the device?
Can you compare them to the old ones before the upgrade?
Trat
March 15, 2024, 5:01pm
6
I didn’t check it before, but serial number was changed. I’ve googled Nitrokey HSM 2 logs and PID/VID looks the same. Also, I cannot update SmartCard applet as well.
saper
March 15, 2024, 5:38pm
7
I don’t know why you are even doing this, but if I read it properly, the newest firmware is meant for 4.0 devices. Maybe you should try something from the older branch: GitHub - Nitrokey/nitrokey-pro-firmware at ci-hsm
Trat
March 15, 2024, 6:01pm
8
Thanks, I will try. I’ve also programmed this one (Release HSM2 release · Nitrokey/nitrokey-pro-firmware · GitHub), but it was the same result.
saper
March 15, 2024, 6:40pm
9
Can you dump available USB descriptors? And please do not avoid putting actual data in your reply.
Besides, if you are a JTAG expert, you can probably try to debug the code via JTAG.
Trat
March 15, 2024, 6:52pm
10
I think that I’m really using the wrong version of the firmware for my key. Also, another strange thing:
on the original firmware the name was
Nitrokey Nitrokey HSM (DENKXXXXXXXXXXXXX ) 00 00
but now it is
Using reader with a card: Nitrokey Nitrokey HSM (01A001000000000 ) 00 00
It looks like the SmartCard-HSM doesn’t give valid data.
Trat
March 15, 2024, 10:04pm
12
I’ve checked this branch (GitHub - Nitrokey/nitrokey-pro-firmware at ci-hsm); it also doesn’t work for me (the PC doesn’t find the Nitrokey; as I understand it, the STM32 doesn’t see the smartcard?).
saper
March 16, 2024, 1:38am
13
Sorry, I am out. I have no idea. Maybe this is related to the clock and the timing and other issues mentioned in
opened 01:39PM - 26 Nov 23 UTC (labels: bug, help wanted, device/Nitrokey HSM, smart card)
The new H/W v4.0 HSM smart cards are not properly setting up with the current firmware. The problem with communication starts right away after execution of the PPS procedure, where the higher bit rate is configured with the smart card, after which the USART peripheral working in the SMARTCARD mode is reconfigured with higher bitrate as well. After this point smart card is requested for its serial number, which ends up malformed. Similarly further USB CCID requests, which are passed to the smart card, are either ending up in a Default Handler due to the Frame Exception being raised, or just in an infinite loop, where the MCU awaits for the flag change from the USART peripheral, which at some point should signalize data reception.
Interestingly, when the `PTS_config()` body execution is skipped (= insert `return` as a first line), everything works fine at the default speed of `9600bps`, however this speed is clearly not enough to have a proper user experience. The aim is to have at least the speed of the previous smart card generation, which is `~ 115kbps`.
Even if the configuration of the minimal speed is attempted, which should end up in the same value as the default one - `9600bps`, the proper communication is not achieved.
The v3.0 cards work properly with the current implementation. The only changes are:
- ATR change, allowing for a higher bitrate;
- old ATR: https://smartcard-atr.apdu.fr/parse?ATR=3b+de+18+ff+81+91+fe+1f+c3+80+31+81+54+48+53+4d+31+73+80+21+40+81+07+1c
- new ATR: https://smartcard-atr.apdu.fr/parse?ATR=3B+DE+96+FF+81+91+FE+1F+C3+80+31+81+54+48+53+4D++31+73+80+21+40+81+07+92
- hardware change - JCOP 3 -> JCOP 4.
Done so far:
- [x] rewritten PTS procedure, and verified execution
- [x] tried different T0 values
- [x] tried previous generation ATR directly
- [x] verified USB CCID descriptors
- [x] compared the current smartcard HAL with the latest available STM32 examples
Some of the mentioned are stored in the commits history of the wip scratch branch (does not work, and it's not coherent):
- https://github.com/Nitrokey/nitrokey-pro-firmware/pull/101
Things to check yet:
- [ ] peripheral microcode update
- [ ] clock dependencies (USB, smart card)
- [ ] higher peripheral clock setup (different prescaler) for the smaller bitrate error (for the `225kbps` setting)
- [ ] ETU configuration, and connected hardcoded delays adjustments (new ATR has half of the previous ETU)
Initial configuration - `SC_Init()`:
- https://github.com/Nitrokey/nitrokey-pro-firmware/blob/47dd7f1ad6789e5b317266b831d8624c7d126063/src/ccid/smartcard/smartcard.c#L1058-L1193
Mentioned `PTS_config()`:
https://github.com/Nitrokey/nitrokey-pro-firmware/blob/47dd7f1ad6789e5b317266b831d8624c7d126063/src/ccid/smartcard/smartcard.c#L507-L670
Hardware schematics:
- https://github.com/Nitrokey/nitrokey-pro-hardware
or maybe Nitrokey HSM: timeout on initialization after heavy use · Issue #78 · Nitrokey/nitrokey-pro-firmware · GitHub or Nitrokey HSM: invalid serial number after a heavy load · Issue #79 · Nitrokey/nitrokey-pro-firmware · GitHub
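The ATR change listed in the issue quoted above, decoded: an added example (not code from the Nitrokey firmware or from either poster) that reads TA1 from both ATRs, checks TCK, and computes clock cycles per ETU and the resulting bit rate. The card clock is an assumption, derived from the issue's 9600 bps default at F=372, D=1; all function and constant names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* ISO/IEC 7816-3 TA1 tables; 0 marks a reserved (RFU) code. */
static const uint16_t FI[16] = {372, 372, 558, 744, 1116, 1488, 1860, 0,
                                0, 512, 768, 1024, 1536, 2048, 0, 0};
static const uint8_t DI[16] = {0, 1, 2, 4, 8, 16, 32, 64, 12, 20, 0, 0, 0, 0, 0, 0};
/* The two ATRs quoted in the issue: old (v3.0 card) and new (v4.0 card). */
static const uint8_t ATR_OLD[] = {0x3b, 0xde, 0x18, 0xff, 0x81, 0x91, 0xfe, 0x1f,
    0xc3, 0x80, 0x31, 0x81, 0x54, 0x48, 0x53, 0x4d, 0x31, 0x73, 0x80, 0x21,
    0x40, 0x81, 0x07, 0x1c};
static const uint8_t ATR_NEW[] = {0x3b, 0xde, 0x96, 0xff, 0x81, 0x91, 0xfe, 0x1f,
    0xc3, 0x80, 0x31, 0x81, 0x54, 0x48, 0x53, 0x4d, 0x31, 0x73, 0x80, 0x21,
    0x40, 0x81, 0x07, 0x92};
/* Assumption: card clock implied by 9600 bps at the default F=372, D=1. */
#define CARD_CLK_HZ (9600u * 372u)

/* TA1 directly follows T0 when bit 0x10 of T0 is set; -1 if absent. */
int atr_ta1(const uint8_t *atr, size_t len) {
    return (len >= 3 && (atr[1] & 0x10)) ? atr[2] : -1;
}

/* With TCK present (both ATRs offer T=1), the XOR of T0..TCK must be zero. */
int atr_tck_ok(const uint8_t *atr, size_t len) {
    uint8_t x = 0;
    for (size_t i = 1; i < len; i++) x ^= atr[i];
    return len > 2 && x == 0;
}

/* Clock cycles per ETU (F/D, truncated); 0 if TA1 uses an RFU code. */
unsigned etu_cycles(int ta1) {
    unsigned f = FI[(ta1 >> 4) & 0xf], d = DI[ta1 & 0xf];
    return (f && d) ? f / d : 0;
}

/* Bit rate in bps = clock * D / F; 0 if TA1 uses an RFU code. */
uint32_t bitrate(int ta1, uint32_t clk_hz) {
    unsigned f = FI[(ta1 >> 4) & 0xf], d = DI[ta1 & 0xf];
    return (f && d) ? (uint32_t)((uint64_t)clk_hz * d / f) : 0;
}

int main(void) {
    const uint8_t *atrs[] = {ATR_OLD, ATR_NEW};
    for (int i = 0; i < 2; i++) {
        int t = atr_ta1(atrs[i], sizeof ATR_OLD);
        printf("TA1=%02X tck_ok=%d etu=%u cycles rate=%u bps\n", (unsigned)t,
               atr_tck_ok(atrs[i], sizeof ATR_OLD), etu_cycles(t), (unsigned)bitrate(t, CARD_CLK_HZ));
    }
    return 0;
}
```

Under that clock assumption the old TA1 (0x18) gives 31 cycles per ETU and the new TA1 (0x96) gives 16, which lines up with the issue's remarks about `~ 115kbps`, the `225kbps` setting, and the halved ETU.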