U2F firmware for Tomu

U2F firmware for Tomu.

Installing

Requirements

Build tools

Install and set up the Command Line Tools for Xcode on macOS.

Install the build-essential package on Debian/Ubuntu:

sudo apt install build-essential libnewlib-arm-none-eabi gcc-arm-none-eabi

GNU Toolchain for ARM Embedded Processors

Installing on macOS with homebrew:

brew tap osx-cross/arm
brew install arm-gcc-bin

Installing on Ubuntu:

sudo apt-add-repository ppa:team-gcc-arm-embedded/ppa
sudo apt update
sudo apt install gcc-arm-embedded

OpenSSL

macOS comes with OpenSSL installed out of the box.

Installing on Debian/Ubuntu:

sudo apt install openssl

asn1crypto

A small Python script converts private keys generated by OpenSSL from DER format into a C array. It depends on the asn1crypto package.

To install with pip:

pip install --user --upgrade asn1crypto

If you were trigger-happy and ran make before installing this package, run make certclean, install the package, and then run make again.

Building

git clone https://github.com/im-tomu/chopstx.git
cd chopstx/u2f
make

Flashing

Provided you have Toboot installed:

dfu-util -v -d 1209:70b1 -D build/u2f.bin

Update udev rules

On Linux-based systems you will need to update your entry in /etc/udev/rules.d/10-tomu.rules (or create the file if you haven't already) to reflect the new product and vendor IDs, so that you have permission to access the device.

ACTION=="add|change", KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="cdab", TAG+="uaccess"

Ubuntu before 13.04 Raring will need the udev-acl tag rather than uaccess.

Readout protection

Readout protection is enabled by default. To disable it, build the firmware with ENFORCE_DEBUG_LOCK=0:

make clean
make ENFORCE_DEBUG_LOCK=0

Injecting private key

The firmware generates an EC private key on its first boot and erases it when it enters the bootloader. You may want to back up your private key and make it survive a firmware upgrade. To achieve this, generate the key on your host machine and inject it into the firmware binary.

Generate your private key:

openssl ecparam -name prime256v1 -genkey -noout -outform der -out key.der

You may want to encrypt your key.der and back it up.

Check the device's authentication counter if you are going to perform a firmware upgrade. You can see it in the output of the YubiKey demo site. For a new device, you can skip the ctr parameter altogether or set it to 1. Let's say the current counter value is 1000.

Use this command to patch the firmware binary:

./inject_key.py --key key.der --ctr 1001
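
The DER-to-C-array conversion mentioned under asn1crypto, applied to the key.der produced in this procedure, can be illustrated as follows. This is an added example, not the project's own script or inject_key.py: it parses the SEC1 ECPrivateKey structure that the openssl command above writes, using only the Python standard library instead of asn1crypto. The array name u2f_private_key and the sample key bytes are constructed for illustration.

```python
# Added example (not the project's inject_key.py): stdlib-only DER -> C array.
P256_OID = bytes.fromhex("2a8648ce3d030107")  # prime256v1 / secp256r1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def ec_private_scalar(der):
    """Parse an RFC 5915 ECPrivateKey and return its 32-byte P-256 scalar."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tag, version, pos = read_tlv(body, 0)
    if tag != 0x02 or version != b"\x01":
        raise ValueError("unexpected ECPrivateKey version")
    tag, scalar, pos = read_tlv(body, pos)
    if tag != 0x04 or len(scalar) != 32:
        raise ValueError("private key is not a 32-byte OCTET STRING")
    while pos < len(body):  # optional [0] parameters and [1] publicKey
        tag, value, pos = read_tlv(body, pos)
        if tag == 0xA0 and read_tlv(value, 0)[:2] != (0x06, P256_OID):
            raise ValueError("curve is not prime256v1")
    return scalar

def to_c_array(name, data):
    """Format bytes as a C uint8_t array, eight bytes per row."""
    rows = [", ".join(f"0x{b:02x}" for b in data[i:i + 8])
            for i in range(0, len(data), 8)]
    return (f"static const uint8_t {name}[{len(data)}] = {{\n  "
            + ",\n  ".join(rows) + "\n};")

# Constructed sample, not a real key: scalar 01..20 hex, no publicKey field.
SAMPLE_SCALAR = bytes(range(1, 33))
SAMPLE_DER = (bytes.fromhex("30310201010420") + SAMPLE_SCALAR
              + bytes.fromhex("a00a0608") + P256_OID)

if __name__ == "__main__":
    # "u2f_private_key" is a hypothetical array name.
    print(to_c_array("u2f_private_key", ec_private_scalar(SAMPLE_DER)))
```

The printed array is the private key itself, so it needs the same protection as key.der.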

License

This project is using code components of Chopstx and Gnuk written by Niibe Yutaka.

Copyright © 2017, 2018 Sergei Glushchenko

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

As additional permission under GNU GPL version 3 section 7, you may distribute non-source form of the Program without the copy of the GNU GPL normally required by section 4, provided you inform the recipients of GNU GPL by a written offer.