aboutsummaryrefslogtreecommitdiff
path: root/content/DisasterRecovery.md
diff options
context:
space:
mode:
Diffstat (limited to 'content/DisasterRecovery.md')
-rw-r--r--content/DisasterRecovery.md49
1 files changed, 49 insertions, 0 deletions
diff --git a/content/DisasterRecovery.md b/content/DisasterRecovery.md
new file mode 100644
index 0000000..18b325d
--- /dev/null
+++ b/content/DisasterRecovery.md
@@ -0,0 +1,49 @@
+Title: DisasterRecovery
+Author: pselkirk
+Date: 2017-05-13 00:30
+
+# Disaster Recovery
+
+This page covers a few likely (hopefully unlikely) oh-noes.
+
+## Oh no, I bricked my device
+
+### Recovering from a bad firmware install
+
+You can upload new firmware through the bootloader. On power-up or reset,
+the bootloader flashes the blue LED for 10 seconds. During that time, start
+`cryptech_upload`:
+
+```
+$ cryptech_upload --firmware --user wheel
+PIN: <your-wheel-pin>
+```
+
+### Recovering from a bad bootloader install
+
+Well, now you've done it. You'll need to buy an ST-LINK programmer.
+See [UsingSTLink]({filename}UsingSTLink.md).
+
+## Oh no, I'm locked out of my device
+
+If you're staring at this thing for the first time, or if you ran
+`keystore erase`, then you have no PIN. Believe it or not, this is the
+best case scenario. Log in as wheel with the default PIN
+`YouReallyNeedToChangeThisPINRightNowWeAreNotKidding`, and you should be
+able to reset the PINs.
+
+If you forgot the PIN, I feel sorry for you. The only way out of this is
+via [ST-LINK]({filename}UsingSTLink.md). The easiest way is to debug with `gdb`, set a breakpoint on
+`hal_rpc_login`, and issue the gdb command `return 0`.
+
+## Oh no, I forgot (or reset) the master key
+
+As shipped, the Alpha doesn't include a battery backup for the Master Key
+Memory. So if power is interrupted, the MKM is wiped. (Also, if we had
+tamper protection more sophisticated than a Panic Button, it would wipe
+the MKM when you opened the case to install the ST-LINK cable.)
+
+Sorry, there's nothing that can be done about that. All your keys are
+still in flash memory, but encrypted with the KEK, which is now gone.
+(Unless you used the `masterkey unsecure set` command to store the KEK in
+unprotected flash memory, but you wouldn't do that, would you?)
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-25 19:12:02 +0000