From 3aa8b1dd6e0f504ef83da99f8c9cdb2532f948f5 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Sun, 13 Sep 2020 23:10:21 +0000 Subject: Initial conversion pass --- raw-wiki-dump/DisasterRecovery.md | 45 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 raw-wiki-dump/DisasterRecovery.md (limited to 'raw-wiki-dump/DisasterRecovery.md') diff --git a/raw-wiki-dump/DisasterRecovery.md b/raw-wiki-dump/DisasterRecovery.md new file mode 100644 index 0000000..9c0e56f --- /dev/null +++ b/raw-wiki-dump/DisasterRecovery.md 
@@ -0,0 +1,45 @@ +# Disaster Recovery + +This page covers a few likely (hopefully unlikely) oh-noes. + +## Oh no, I bricked my device + +### Recovering from a bad firmware install + +You can upload new firmware through the bootloader. On power-up or reset, +the bootloader flashes the blue LED for 10 seconds. During that time, start +`cryptech_upload`: + +``` +$ cryptech_upload --firmware --user wheel +PIN: +``` + +### Recovering from a bad bootloader install + +Well, now you've done it. You'll need to buy an ST-LINK programmer. +See [wiki:UsingSTLink]. + +## Oh no, I'm locked out of my device + +If you're staring at this thing for the first time, or if you ran +`keystore erase`, then you have no PIN. Believe it or not, this is the +best case scenario. Log in as wheel with the default PIN +`YouReallyNeedToChangeThisPINRightNowWeAreNotKidding`, and you should be +able to reset the PINs. + +If you forgot the PIN, I feel sorry for you. The only way out of this is +via [wiki:UsingSTLink ST-LINK]. The easiest way is to debug with `gdb`, set a breakpoint on +`hal_rpc_login`, and issue the gdb command `return 0`. + +## Oh no, I forgot (or reset) the master key + +As shipped, the Alpha doesn't include a battery backup for the Master Key +Memory. So if power is interrupted, the MKM is wiped. (Also, if we had +tamper protection more sophisticated than a Panic Button, it would wipe +the MKM when you opened the case to install the ST-LINK cable.) + +Sorry, there's nothing that can be done about that. All your keys are +still in flash memory, but encrypted with the KEK, which is now gone. +(Unless you used the `masterkey unsecure set` command to store the KEK in +unprotected flash memory, but you wouldn't do that, would you?) -- cgit v1.2.3
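Review bot: The two ST-LINK references, `[wiki:UsingSTLink]` under "Recovering from a bad bootloader install" and `[wiki:UsingSTLink ST-LINK]` under "Oh no, I'm locked out of my device", are still in Trac link syntax and will not render as links in a `.md` file. They should become Markdown links to the converted UsingSTLink page in a later pass. In the same locked-out section, the text says you "should be able to reset the PINs" after logging in as wheel with the default PIN, but does not name the command that does it; the firmware recovery section shows its exact `cryptech_upload` invocation, and this step deserves the same. Since the forgotten-PIN path shows that the login check can be bypassed over ST-LINK, the page would also benefit from one sentence stating that physical access to the debug header is therefore equivalent to holding the PIN, so operators account for it when deciding where the device is housed.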