Library for fingerprint readers

Validity Sensor 138a:0097 libfprint driver

A Linux driver for the fingerprint readers of 2017 ThinkPads

Requires the fingers to be already enrolled (for example, in Windows). Tested with fingerprint-gui on Ubuntu 18.04 to authenticate sudo and gdm. Consider the changes made to make it work:

  • Returns a fake print on enrollment
  • Authenticates if the device reports a match
  • Ignores errors

When testing the driver, you might need to set permissions on the device:

sudo chmod og+rwx /dev/bus/usb/001/006
sudo chmod o+r /sys/class/dmi/id/product_serial


Thanks to the amazing work that nmikhailov did in his prototype, I spent some time in getting a libfprint driver for the 138a:0090 device up...

  • It only works if the device has been initialized with a Windows VirtualBox (sharing USB) guest or with a Windows installation in bare metal
  • Most of the device interaction and crypto code is coming from the prototype, so basically it needs lots of cleanup, but I noticed Nikita is already on that, so I'll be happy to integrate it in next iterations (the thing that actually took the most was having proper fprintd state machines).
  • Here enroll, verification, LED and all the operations work
  • First initialization is the most problematic thing so far, we're still looking into it.
  • It uses the libfprint image comparison algorithm, we might move to in-device check later.

You can test it using fprint-demo, available in various distros' repositories, or just using the fprintd-* tools (GNOME supports it natively from the control center).

Ubuntu installation

If you're using Ubuntu, just use this PPA to get the libfprint packages with vfs0090 sensor support.

Once you've added the PPA you can test it with the fprint_demo application (fprint-demo package) or use it for your desktop by installing the libpam-fprintd package.

You can enroll your fingers by using the fprintd-enroll utility, or from the UI using unity-control-center user-accounts in Unity or gnome-control-center user-accounts in GNOME (it's the same as going to the System settings -> User accounts pane and enabling the fingerprint login).

So, in steps (for Ubuntu) it would be:

  • sudo add-apt-repository -u ppa:3v1n0/libfprint-vfs0090
  • sudo apt install libpam-fprintd
  • Go into system settings (account) and enable the fingerprint login

Arch Linux installation

Install packages:

  • fprintd
  • libfprint-vfs0090-git from AUR

Other distros

  • git clone https://github.com/3v1n0/libfprint
  • cd libfprint && ./autogen.sh && make && sudo make install

fprintd enrolling

for finger in {left,right}-{thumb,{index,middle,ring,little}-finger}; do fprintd-enroll -f "$finger" "$USER"; done

Help testing

It would be nice if you could help in tuning the value of the bz3_threshold, as that's the value that defines how different the prints should be, and so it's important for having better security. I've set it to 12 currently, but of course by increasing the number of prints we enroll or the image quality, that could be increased.

Using fprint_demo, or monitoring fprintd from journalctl, you should be able to see values such as fpi_img_detect_minutiae and fpi_img_compare_print_data in the log, like:

fp:debug [fpi_img_new] length=82944
fp:debug [fpi_imgdev_image_captured] 
fp:debug [fpi_img_detect_minutiae] minutiae scan completed in 0,080257 secs
fp:debug [fpi_img_detect_minutiae] detected 18 minutiae
fp:debug [print_data_new] driver=15 devtype=0000
fp:debug [fpi_img_compare_print_data] score 9
fp:debug [fpi_img_compare_print_data] score 12
fp:debug [fpi_img_compare_print_data] score 18
fp:debug [fpi_img_compare_print_data] score 10
fp:debug [fpi_img_compare_print_data] score 12

The score is the value the print got for you, compared to each sample that fprint saves... And to match it needs to reach the said threshold (so 12 for now). For my fingers this value seems secure enough, but.... Let's see if we can increase it.
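
To compare candidate bz3_threshold values, the following added example (not part of the original README or of libfprint) parses debug logs in the format shown above and counts false rejects and false accepts per threshold. It assumes a `[fpi_img_new]` line starts a new scan and that a scan matches when its best score reaches the threshold; the sample logs and all function names are constructed for illustration.

```python
import re

SCORE = re.compile(r"\[fpi_img_compare_print_data\] score (\d+)")

# Constructed sample logs in the format shown above (not real captures).
# GENUINE: scans of the enrolled finger. IMPOSTOR: a finger never enrolled.
GENUINE_LOG = """\
fp:debug [fpi_img_new] length=82944
fp:debug [fpi_img_detect_minutiae] detected 18 minutiae
fp:debug [fpi_img_compare_print_data] score 9
fp:debug [fpi_img_compare_print_data] score 12
fp:debug [fpi_img_compare_print_data] score 18
fp:debug [fpi_img_new] length=82944
fp:debug [fpi_img_compare_print_data] score 11
fp:debug [fpi_img_compare_print_data] score 14
"""
IMPOSTOR_LOG = """\
fp:debug [fpi_img_new] length=82944
fp:debug [fpi_img_compare_print_data] score 4
fp:debug [fpi_img_compare_print_data] score 13
fp:debug [fpi_img_new] length=82944
fp:debug [fpi_img_compare_print_data] score 6
fp:debug [fpi_img_compare_print_data] score 7
"""

def best_scores(log_text):
    """Best score of each scan; a [fpi_img_new] line starts a new scan."""
    scans = []
    for line in log_text.splitlines():
        if "[fpi_img_new]" in line:
            scans.append([])
        elif (m := SCORE.search(line)):
            if not scans:          # log started mid-scan
                scans.append([])
            scans[-1].append(int(m.group(1)))
    return [max(s) for s in scans if s]

def evaluate(genuine, impostor, threshold):
    """(false rejects, false accepts), assuming a scan matches when its
    best score is >= threshold."""
    return (sum(s < threshold for s in genuine),
            sum(s >= threshold for s in impostor))

def lowest_threshold_rejecting_all(impostor):
    """Smallest threshold that no recorded impostor scan reaches."""
    return max(impostor, default=0) + 1

if __name__ == "__main__":
    gen, imp = best_scores(GENUINE_LOG), best_scores(IMPOSTOR_LOG)
    for t in range(10, 20):
        print(t, evaluate(gen, imp, t))
    print("candidate:", lowest_threshold_rejecting_all(imp))
```

With real logs, collect many scans of both kinds before drawing conclusions; a threshold is only usable if it also keeps the false-reject count acceptable.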