aboutsummaryrefslogblamecommitdiff
path: root/content/DisasterRecovery.md
blob: 18b325d14a86fdddb615de5aea9b28059c86fb3d (plain) (tree)
1
2
3
4
                       
                
                      
 



















                                                                           
                                            









                                                                        
                                                                                                    












                                                                         

   

Title: DisasterRecovery Author: pselkirk Date: 2017-05-13 00:30

Disaster Recovery

This page covers a few likely (hopefully unlikely) oh-noes.

Oh no, I bricked my device

Recovering from a bad firmware install

You can upload new firmware through the bootloader. On power-up or reset, the bootloader flashes the blue LED for 10 seconds. During that time, start cryptech_upload:

$ cryptech_upload --firmware --user wheel
PIN: <your-wheel-pin>

Recovering from a bad bootloader install

Well, now you've done it. You'll need to buy an ST-LINK programmer. See UsingSTLink.

Oh no, I'm locked out of my device

If you're staring at this thing for the first time, or if you ran keystore erase, then you have no PIN. Believe it or not, this is the best case scenario. Log in as wheel with the default PIN YouReallyNeedToChangeThisPINRightNowWeAreNotKidding, and you should be able to reset the PINs.

If you forgot the PIN, I feel sorry for you. The only way out of this is via ST-LINK. The easiest way is to debug with gdb, set a breakpoint on hal_rpc_login, and issue the gdb command return 0.

Oh no, I forgot (or reset) the master key

As shipped, the Alpha doesn't include a battery backup for the Master Key Memory. So if power is interrupted, the MKM is wiped. (Also, if we had tamper protection more sophisticated than a Panic Button, it would wipe the MKM when you opened the case to install the ST-LINK cable.)

Sorry, there's nothing that can be done about that. All your keys are still in flash memory, but encrypted with the KEK, which is now gone. (Unless you used the masterkey unsecure set command to store the KEK in unprotected flash memory, but you wouldn't do that, would you?)