Nitrokey Start Update Went Badly - Critical error occurred, exiting now

[spamtree]

nitropy.log

See log for details. Followed directions on website for updating firmware and now the nitrokey start is not found at all.

Thanks for any help.

[daringer]

Ok, this looks weird, the update makes the impression it's finished, but the serial number is missing...

• the system you are using is a Linux, right? not WSL or something?
• could you please paste the dmesg output on plugging in the NK-Start ?
• did you try starting the update again ?
• does "not found at all" mean that the NK-Start is not working for any of your regular NK-Start use-cases?

[szszszsz]

Hi @spamtree,

I am afraid the device was lost during the update process. Please contact us at support@nitrokey.com to get the replacement.

According to the log, the bootloader was downloaded and executed, however the update application could not connect to finish the process, probably due to some other service trying to access and locking the smart card interface. Unfortunately removing power at this state makes the device unusable.

@daringer What we can do at this stage is to try closing all potential services for the time of the update. The 0 serial number is the identification for the bootloader.

[spamtree]

Thanks for the explanation and I understand what happened now. Well the problem is the user (me). When I installed "nitropy" it was going to pull in a lot development stuff that I already have in a docker container. I do all my development these days in a docker container. I decided to do the upgrade from the docker container because I have all the packages already installed in the docker container. Anyway it was dumb idea to try and the process totally bricked the nitro start. The docker container was setup for usb devices correctly but something clearly went wrong. I guess you should warn other users not to use a docker container. I will take the lose. I want to order a nitrokey pro anyway. Thanks for the rapid support!

[szszszsz]

I see. Docker container does not refresh the available devices, hence when the Nitrokey Start switched to bootloader it cannot be found. It might have worked, if the update would be executed once again. Good idea to mention that in the documentation!
Perhaps standalone bundled Python binaries could be another (indirect) solution to the problem.
As for your Nitrokey Start device, it can be still used by flashing the firmware through debug adapter, which might need some soldering.

Tasks:

• document potential issues when using Docker
• discuss Pip installation alternatives, e.g. using single Python bundled binary, or pipenv, or venv, etc.
• ask users to rerun the update process if the bootloader cannot be found

(edit moved to #51)

cc @daringer

[spamtree]

Thanks folks!

sudo openocd  -f /usr/share/openocd/scripts/interface/stlink.cfg -f /usr/share/openocd/scripts/target/stm32f1x.cfg -c init -c reset -c halt -c "stm32f1x unlock 0"  -c exit
Open On-Chip Debugger 0.10.0+dev-01514-ga8edbd020-dirty (2020-11-21-20:11)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
Info : auto-selecting first available session transport "hla_swd". To override use 'transport select <transport>'.
Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD
Info : clock speed 1000 kHz
Info : STLINK V2J35S7 (API v2) VID:PID 0483:3748
Info : Target voltage: 3.205759
Info : stm32f1x.cpu: hardware has 6 breakpoints, 4 watchpoints
Info : starting gdb server for stm32f1x.cpu on 3333
Info : Listening on port 3333 for gdb connections
target halted due to debug-request, current mode: Handler HardFault
xPSR: 0x01000003 pc: 0xfffffffe msp: 0xffffffdc
Info : device id = 0x20036410
Warn : STM32 flash size failed, probe inaccurate - assuming 128k flash
Info : flash size = 128kbytes
stm32x unlocked.
INFO: a reset or power cycle is required for the new settings to take effect.

sudo openocd  -f /usr/share/openocd/scripts/interface/stlink.cfg -f /usr/share/openocd/scripts/target/stm32f1x.cfg -c init -c reset -c halt -c "flash write_image erase gnuk.elf" -c "verify_image gnuk.elf" -c "reset run" -c exit
Open On-Chip Debugger 0.10.0+dev-01514-ga8edbd020-dirty (2020-11-21-20:11)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
Info : auto-selecting first available session transport "hla_swd". To override use 'transport select <transport>'.
Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD
Info : clock speed 1000 kHz
Info : STLINK V2J35S7 (API v2) VID:PID 0483:3748
Info : Target voltage: 3.219895
Info : stm32f1x.cpu: hardware has 6 breakpoints, 4 watchpoints
Info : starting gdb server for stm32f1x.cpu on 3333
Info : Listening on port 3333 for gdb connections
target halted due to debug-request, current mode: Handler HardFault
xPSR: 0x01000003 pc: 0xfffffffe msp: 0xffffffdc
Info : device id = 0x20036410
Info : flash size = 128kbytes
auto erase enabled
wrote 124928 bytes from file gnuk.elf in 6.741482s (18.097 KiB/s)

verified 124928 bytes in 1.815055s (67.216 KiB/s)

lsusb 

Bus 001 Device 016: ID 20a0:4211 Clay Logic Nitrokey Start

gpg --card-status
Reader ...........: 20A0:4211:FSIJ-1.2.15-67144447:0
Application ID ...: D276000124010200FFFE671444470000
Application type .: OpenPGP
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 67144447
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

~/.local/bin/nitropy start list
*** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start
:: 'Nitrokey Start' keys:
FSIJ-1.2.15-67144447: Nitrokey Nitrokey Start (RTM.10-19-gbf92ae6)

Looks like I am back in action. This was fun! Does everything look okay? Anything else I need to check or do?

For anyone that finds this post - I used arch linux and the openocd-git from the arch linux aur. The openocd version in the arch linux official repository did not work.

openocd-git

None of the recommended openocd versions on the nitrokey firmware update page worked.

Hope this helps someone.

[spamtree]

I will close this issue.

[szszszsz]

Looks good! I am glad you get it back to life.
I am wondering why older OpenOCD was not working for you - maybe Arch has not this patched properly? Ubuntu's stock package version works as far as I know.
Anyway, will update the docs to reflect that. Thank you for the feedback!

I will reopen ticket since there are tasks to be done (documentation side).
(edit moved to #51)

[szszszsz]

Tasks moved to #51. Closing.