Ask Your Question

How Gnuk supports firmware upgrade?

asked 2012-10-31 16:43:28 +0900

hiroshi gravatar image hiroshi
21 6

updated 2012-11-02 08:44:30 +0900

In the source code of Gnuk, there is a directory named 'regnual'. It apparently supports some firmware upgrade, but there is no documentation at all. Tell us about reGNUal. Does this mean that we don't need SWD debugger to modify firmware?

delete close flag offensive retag edit

2 Answers

Sort by ยป oldest newest most voted

answered 2012-11-01 10:13:28 +0900

gniibe gravatar image gniibe flag of Japan
41 3 5

Yes, Gnuk and NeuG support firmware installation by reGNUal. You don't need SWD debugger to install firmware when you use reGNUal.

The only documentation available is a note in Gnuk source code.

The reason why there is less documentation is that it is rather newly added feature, somewhat experimental, and we didn't had enough time to write documentation.

You can find a memorandum at Firmware Upgrade Consideration. Note that it was written in the early stage of the development and the final decision of reGNUal implementation is a bit different (e.g. there is no way to hold secret data when you do firmware installation).

In the release 1.0.1 of Gnuk, you needed another Gnuk Token to authenticate for firmware installation. It is improved on 2012-11-01 (today), you can use GnuPG key on your host PC for authentication. But, the note has not explained about using GnuPG key on host PC yet.

For NeuG, there is no authentication for firmware installation.

link delete flag offensive edit

answered 2012-11-01 11:17:06 +0900

gniibe gravatar image gniibe flag of Japan
41 3 5

updated 2012-11-14 11:49:32 +0900

OK, here are instructions to install NeuG to FST-01 with Gnuk (with GnuPG key on your host PC). No additional hardware is required, but if you will get some failure, you will need SWD debugger. Note that Gnuk will be overwritten by NeuG, it is not possible to run Gnuk and NeuG at the same time.

This text assumes that you are using something like GNU/Linux and you have privilege to change your system. FYI, I am using Debian.

  1. Prepare for NeuG, reGNUal, and tools, or get binaries

    Prepare for NeuG, reGNUal and tools from source code of Gnuk and NeuG. Or you can get binaries and tools or its tarball.

  2. Install software needed

    You need GnuPG proper installed (version 1.4.x or version 2.0.x), as well as gpg-agent and scdaemon. The tool named monkeysphere is needed (If you are using GnuPG 2.1.x, the development version, you don't need monkeysphere). Python (2.6 or later, but not 3.x) and PyUSB are also needed. PC/SC-lite is optional, and it is better not to install it (it is OK to have it, but you need to stop its service).

  3. Configure your system

    If you have PC/SC-lite in your system, please stop the service, at first. Please configure udev rules so that Gnuk works for normal user. Please refer Debian bug #691392 for gnupg and Debian bug #543217 for gnupg2. Just chmod manually by root won't work and you will get failure, since USB address will change in the process of firmware installation.

  4. Check if Gnuk works well

    Please check if Gnuk works. Using lsusb command:

    $ lsusb -d 234b:0000

    And using gpg,

    $ gpg --card-status

    See Question #11.

  5. Create your GnuPG key and add subkey for authentication on your host PC

    Please create your key. See generating RSA 2048-bit key. Note that RSA 2048-bit key is required.

  6. Add your subkey under control of gpg-agent

    Please invoke monkeysphere with s (subkey-to-ssh-agent) argument:

    $ monkeysphere s

  7. Run gpg-connect-agent and get a keygrip

    You get 'keygrip' by gpg-connect-agent:

    $ gpg-connect-agent "KEYINFO --list" /bye
    S KEYINFO 9277C5875C8AFFCB727661C18BE4E0A0DEED9260 D - - - - -

    In the example above, 9277C5875C8AFFCB727661C18BE4E0A0DEED9260 is the keygrip.

  8. Binary edit the file ~/.gnupg/private-key-v1.d/<KEYGRIP>.key

    Because of a bug I reported, you need to edit the file of your private key.

    This step will not be required once the bug will be fixed.

    Please remove the data of comment field. The string of the field is like:


    After the edit, please let gpg-agent reload by:

    $ gpg-connect-agent RELOADAGENT /bye

  9. Run tool/

    You run tool/ to extract raw data of your public key.

    $ ./tool/ 9277C5875C8AFFCB727661C18BE4E0A0DEED9260

    Here, you specify the keygrip of your public key. Then you get the file 9277C587.bin. This is your binary raw data of your public key.

  10. Kill scdaemon

    To proceed to next step, it is needed to kill scdaemon to release Gnuk device from its control.

      $ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
      ERR 100679679 End of file <SCD>

    Please check there is no scdaemon (by ps aux).

  11. Register your public key for firmware installation authentication

    You register your public key to Gnuk Token, so that you can use the public key for authentication.

    $ ./tool/ -k 0 9277C587.bin

  12. Invoke tool/ with reGNUal and NeuG

    Lastly, you run tool/, which does ask public key authentication to Gnuk, and send reGNUal, and send NeuG using reGNUal.

    $ ./tool/ -k 9277C5875C8AFFCB727661C18BE4E0A0DEED9260 regnual/regnual.bin neug/neug.bin

That's all. Please paste your session here as your answer when you will install using reGNUal.

link delete flag offensive edit

Your answer

Please start posting your answer anonymously - your answer will be saved within the current session and published after you log in or create a new account. Please try to give a substantial answer, for discussions, please use comments and please do remember to vote (after you log in)!
[hide preview]

Question tools


subscribe to rss feed


Asked: 2012-10-31 16:43:28 +0900

Seen: 252 times

Last updated: Nov 14 '12