From b092ffbcbe2c9398494f7dc9db6f0796971633e0 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Sun, 13 Sep 2020 23:04:30 +0000 Subject: Import Cryptech wiki dump --- raw-wiki-dump/DisasterRecovery | 45 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 raw-wiki-dump/DisasterRecovery (limited to 'raw-wiki-dump/DisasterRecovery') diff --git a/raw-wiki-dump/DisasterRecovery b/raw-wiki-dump/DisasterRecovery new file mode 100644 index 0000000..bdaa70f --- /dev/null +++ b/raw-wiki-dump/DisasterRecovery 
@@ -0,0 +1,45 @@ += Disaster Recovery = + +This page covers a few likely (hopefully unlikely) oh-noes. + +== Oh no, I bricked my device == + +=== Recovering from a bad firmware install === + +You can upload new firmware through the bootloader. On power-up or reset, +the bootloader flashes the blue LED for 10 seconds. During that time, start +`cryptech_upload`: + +{{{ +$ cryptech_upload --firmware --user wheel +PIN: +}}} + +=== Recovering from a bad bootloader install === + +Well, now you've done it. You'll need to buy an ST-LINK programmer. +See [wiki:UsingSTLink]. + +== Oh no, I'm locked out of my device == + +If you're staring at this thing for the first time, or if you ran +`keystore erase`, then you have no PIN. Believe it or not, this is the +best case scenario. Log in as wheel with the default PIN +`YouReallyNeedToChangeThisPINRightNowWeAreNotKidding`, and you should be +able to reset the PINs. + +If you forgot the PIN, I feel sorry for you. The only way out of this is +via [wiki:UsingSTLink ST-LINK]. The easiest way is to debug with `gdb`, set a breakpoint on +`hal_rpc_login`, and issue the gdb command `return 0`. + +== Oh no, I forgot (or reset) the master key == + +As shipped, the Alpha doesn't include a battery backup for the Master Key +Memory. So if power is interrupted, the MKM is wiped. (Also, if we had +tamper protection more sophisticated than a Panic Button, it would wipe +the MKM when you opened the case to install the ST-LINK cable.) + +Sorry, there's nothing that can be done about that. All your keys are +still in flash memory, but encrypted with the KEK, which is now gone. +(Unless you used the `masterkey unsecure set` command to store the KEK in +unprotected flash memory, but you wouldn't do that, would you?) -- cgit v1.2.3
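Review bot: In the "Oh no, I'm locked out of my device" section, the forgotten-PIN paragraph documents that ST-LINK access plus `return 0` at `hal_rpc_login` gets past login, but it never states what that means for operators: PIN authentication does not hold against someone with physical access and a debug probe, and per the master-key section the Alpha has no tamper response beyond the Panic Button. Suggest adding a sentence that says so and that tells the reader to set new PINs immediately after recovering this way. The preceding paragraph says you "should be able to reset the PINs" after logging in as wheel with the default PIN but does not name the command; add it or link to the page that does. In the final paragraph, the `masterkey unsecure set` aside is phrased as a rhetorical question; state the trade-off plainly, namely that the KEK then survives power loss only because it sits in unprotected flash.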