author | Rob Austein <sra@hactrn.net> | 2020-09-13 23:10:21 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2020-09-13 23:10:21 +0000 |
commit | 3aa8b1dd6e0f504ef83da99f8c9cdb2532f948f5 (patch) | |
tree | ca300cbdbc9b1ca3224441e50375d94c092223e8 /raw-wiki-dump/DisasterRecovery.md | |
parent | 4ba5e00d5cdd42087a76e379cc39604b2da89ea4 (diff) |
Initial conversion pass
Diffstat (limited to 'raw-wiki-dump/DisasterRecovery.md')
-rw-r--r-- | raw-wiki-dump/DisasterRecovery.md | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/raw-wiki-dump/DisasterRecovery.md b/raw-wiki-dump/DisasterRecovery.md new file mode 100644 index 0000000..9c0e56f --- /dev/null +++ b/raw-wiki-dump/DisasterRecovery.md @@ -0,0 +1,45 @@ +# Disaster Recovery + +This page covers a few likely (hopefully unlikely) oh-noes. + +## Oh no, I bricked my device + +### Recovering from a bad firmware install + +You can upload new firmware through the bootloader. On power-up or reset, +the bootloader flashes the blue LED for 10 seconds. During that time, start +`cryptech_upload`: + +``` +$ cryptech_upload --firmware --user wheel +PIN: <your-wheel-pin> +``` + +### Recovering from a bad bootloader install + +Well, now you've done it. You'll need to buy an ST-LINK programmer. +See [wiki:UsingSTLink]. + +## Oh no, I'm locked out of my device + +If you're staring at this thing for the first time, or if you ran +`keystore erase`, then you have no PIN. Believe it or not, this is the +best case scenario. Log in as wheel with the default PIN +`YouReallyNeedToChangeThisPINRightNowWeAreNotKidding`, and you should be +able to reset the PINs. + +If you forgot the PIN, I feel sorry for you. The only way out of this is +via [wiki:UsingSTLink ST-LINK]. The easiest way is to debug with `gdb`, set a breakpoint on +`hal_rpc_login`, and issue the gdb command `return 0`. + +## Oh no, I forgot (or reset) the master key + +As shipped, the Alpha doesn't include a battery backup for the Master Key +Memory. So if power is interrupted, the MKM is wiped. (Also, if we had +tamper protection more sophisticated than a Panic Button, it would wipe +the MKM when you opened the case to install the ST-LINK cable.) + +Sorry, there's nothing that can be done about that. All your keys are +still in flash memory, but encrypted with the KEK, which is now gone. +(Unless you used the `masterkey unsecure set` command to store the KEK in +unprotected flash memory, but you wouldn't do that, would you?) |
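Review bot: The links `[wiki:UsingSTLink]` (under "Recovering from a bad bootloader install") and `[wiki:UsingSTLink ST-LINK]` (in the forgotten-PIN paragraph) are still in Trac wiki syntax and will not render as links in a `.md` file; convert both to Markdown link form pointing at the converted UsingSTLink page. The opening fence of the `cryptech_upload` example also has no language tag, so a tag for a console session would help rendering. On content, the forgotten-PIN paragraph describes forcing `hal_rpc_login` to return 0 over ST-LINK but stops there. It should tell the reader to set new PINs immediately afterwards, and state plainly that the PIN check does not protect against someone with access to the debug header, which the later parenthetical about tamper protection only implies. Similarly, "you should be able to reset the PINs" after logging in with the default wheel PIN names no command; add the command or a link to the page that documents it, so the default PIN is not left in place.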