In the source code of Gnuk, there is a directory named 'regnual'. It apparently supports some firmware upgrade, but there is no documentation at all. Tell us about reGNUal. Does this mean that we don't need an SWD debugger to modify firmware?
Yes, Gnuk and NeuG support firmware installation by reGNUal. You don't need an SWD debugger to install firmware when you use reGNUal.
The only documentation available is a note in Gnuk source code.
The reason why there is less documentation is that it is a rather newly added feature, somewhat experimental, and we didn't have enough time to write documentation.
You can find a memorandum at Firmware Upgrade Consideration. Note that it was written in the early stage of the development and the final decision of reGNUal implementation is a bit different (e.g. there is no way to hold secret data when you do firmware installation).
In the release 1.0.1 of Gnuk, you needed another Gnuk Token to authenticate for firmware installation. This was improved on 2012-11-01 (today): you can use a GnuPG key on your host PC for authentication. But the note does not yet explain how to use a GnuPG key on the host PC.
For NeuG, there is no authentication for firmware installation.
OK, here are instructions to install NeuG to FST-01 with Gnuk (with a GnuPG key on your host PC). No additional hardware is required, but if you get a failure, you will need an SWD debugger. Note that Gnuk will be overwritten by NeuG; it is not possible to run Gnuk and NeuG at the same time.
This text assumes that you are using something like GNU/Linux and you have privilege to change your system. FYI, I am using Debian.
Prepare for NeuG, reGNUal, and tools, or get binaries
Install software needed
You need GnuPG proper installed (version 1.4.x or version 2.0.x), as well as gpg-agent and scdaemon. The tool named monkeysphere is needed (if you are using GnuPG 2.1.x, the development version, you don't need monkeysphere). Python (2.6 or later, but not 3.x) and PyUSB are also needed. PC/SC-lite is optional, and it is better not to install it (it is OK to have it, but you need to stop its service).
Configure your system
If you have PC/SC-lite in your system, please stop the service first.
Please configure udev rules so that Gnuk works for a normal user. Please refer to Debian bug #691392 for gnupg and Debian bug #543217 for gnupg2.
Running chmod manually as root won't work and you will get a failure, since the USB address will change in the process of firmware installation.
Check if Gnuk works well
Please check if Gnuk works. Using lsusb command:
$ lsusb -d 234b:0000
And using gpg,
$ gpg --card-status
See Question #11.
Create your GnuPG key and add subkey for authentication on your host PC
Please create your key. See generating RSA 2048-bit key. Note that an RSA 2048-bit key is required.
Add your subkey under control of gpg-agent
s (subkey-to-ssh-agent) argument:
$ monkeysphere s
Run gpg-connect-agent and get a keygrip
You get 'keygrip' by gpg-connect-agent:
$ gpg-connect-agent "KEYINFO --list" /bye
S KEYINFO 9277C5875C8AFFCB727661C18BE4E0A0DEED9260 D - - - - -
In the example above, 9277C5875C8AFFCB727661C18BE4E0A0DEED9260 is the keygrip.
Binary edit the file ~/.gnupg/private-key-v1.d/
Because of a bug I reported, you need to edit the file of your private key.
This step will not be required once the bug is fixed.
Please remove the data of comment field. The string of the field is like:
After the edit, please let gpg-agent reload by:
$ gpg-connect-agent RELOADAGENT /bye
tool/get_raw_public_key.py to extract raw data of your public key.
Here, you specify the keygrip of your public key. Then you get the file
This is your binary raw data of your public key.
To proceed to the next step, you need to kill scdaemon to release the Gnuk device from its control.
$ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
ERR 100679679 End of file <SCD>
OK
Please check there is no scdaemon (by ps aux).
Register your public key for firmware installation authentication
You register your public key to Gnuk Token, so that you can use the public key for authentication.
./tool/gnuk_put_binary_libusb.py -k 0 9277C587.bin
tool/gnuk_upgrade.py with reGNUal and NeuG
Lastly, you run tool/gnuk_upgrade.py, which asks Gnuk for public key authentication, sends reGNUal, and then sends NeuG using reGNUal.
./tool/gnuk_upgrade.py -k 9277C5875C8AFFCB727661C18BE4E0A0DEED9260 regnual/regnual.bin neug/neug.bin
That's all. Please paste your session here as your answer when you install using reGNUal.
Asked: 2012-10-31 16:43:28 +0900
Last updated: Nov 14 '12
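An added example, not part of the original answer or of Gnuk's tools: shell helpers that pick the on-disk keygrip out of the KEYINFO listing and confirm that scdaemon is gone before tool/gnuk_upgrade.py is run. The function names and the sample data are constructed for illustration; the type letters D (key on disk) and T (key on a token) are those of gpg-agent's KEYINFO output.

```shell
#!/bin/sh
# Added example (not from Gnuk): pre-flight helpers for the procedure above.

# Read the output of
#   gpg-connect-agent "KEYINFO --list" /bye
# on stdin and print the keygrips of keys stored on disk (type "D").
# Line layout: S KEYINFO <keygrip> <type> <serialno> <idstr> ...
# Keys held on a token (type "T") are skipped, because the procedure
# authenticates with a key kept on the host PC. Anything that is not
# exactly 40 hex digits is rejected rather than passed on to -k.
disk_keygrips() {
    awk '$1 == "S" && $2 == "KEYINFO" && $4 == "D" &&
         length($3) == 40 && $3 ~ /^[0-9A-Fa-f]+$/ { print toupper($3) }'
}

# Succeed (exit 0) if a process list read on stdin (e.g. from "ps aux")
# still shows scdaemon, which would keep the Gnuk device claimed.
scdaemon_listed() {
    grep -Eq '(^|[ /])scdaemon( |$)'
}

# Constructed sample input: the first line is the one shown in the answer,
# the token line and the malformed line are made up for this example.
SAMPLE_KEYINFO='S KEYINFO 9277C5875C8AFFCB727661C18BE4E0A0DEED9260 D - - - - -
S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 T D2760001240102000000000000010000 OPENPGP.3 - - -
S KEYINFO NOTAKEYGRIP D - - - - -
OK'

# Constructed sample process list.
SAMPLE_PS='user  2101  0.0  0.1 gpg-agent --daemon
user  2140  0.0  0.1 /usr/lib/gnupg/scdaemon --multi-server'

grips=$(printf '%s\n' "$SAMPLE_KEYINFO" | disk_keygrips)
echo "on-disk keygrip(s): $grips"

if printf '%s\n' "$SAMPLE_PS" | scdaemon_listed; then
    echo "scdaemon is still listed: kill it before running gnuk_upgrade.py"
else
    echo "no scdaemon listed: the device is free for gnuk_upgrade.py"
fi
```

On a real system, feed the functions live data: `gpg-connect-agent "KEYINFO --list" /bye | disk_keygrips` and `ps aux | scdaemon_listed`.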