trustcrypto / onlykey-firmware
The OnlyKey Firmware runs on the OnlyKey itself and provides the core functionality of OnlyKey.
Home Page: https://docs.crp.to/firmware.html
Some 2FA solutions prefer a character between the username and password. It would be nice if we could customize this so that instead of tab or return, we were also presented with the option to send a string before 2FA.
With the new firmware, Teensy (OS X) is saying the file is too large. I downloaded on both Safari and Chrome, got same SHA 256 sum (5b311d84354152d22c114c9b405a23be4bc95cf7d5ea9445ba5ae5b9265d0e2d). Sum does not match guide but most likely because creators did not update guide with new sums after uploading new firmware. See attached picture. Note: I renamed the firmware file so that you could see the "(too large)" part.
Anyone else having this problem?
Can't write over flash that has already been written to. Need to copy the data to RAM, wipe the flash sector, then write the data.
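The erase-before-write rule above, as an added example that is not part of the firmware or this issue: a small Python model of flash in which a byte can be programmed only while it is erased (0xFF) and erasure happens a whole sector at a time, together with the copy-to-RAM, erase, write-back procedure the note calls for. The sector size and slot offsets are assumptions chosen for illustration.

```python
# Added example, not OnlyKey firmware code: a minimal model of flash where a
# location can only be programmed while it is in the erased state (0xFF) and
# must be erased a whole sector at a time, as the note above describes.
# SECTOR_SIZE and the slot offsets below are assumptions for illustration.

SECTOR_SIZE = 1024  # assumption: bytes per erasable sector


class FlashWriteError(Exception):
    """Raised when programming a location that is not in the erased state."""


class Flash:
    """Simulated flash: program only onto erased bytes, erase per sector."""

    def __init__(self, sectors: int):
        self.mem = bytearray(b"\xff" * (sectors * SECTOR_SIZE))
        self.erase_count = 0  # each sector erase costs endurance

    def read(self, addr: int, length: int) -> bytes:
        return bytes(self.mem[addr:addr + length])

    def program(self, addr: int, data: bytes) -> None:
        # Flash cannot be re-programmed in place; the model rejects it.
        if any(b != 0xFF for b in self.mem[addr:addr + len(data)]):
            raise FlashWriteError(f"address {addr:#x} already written; erase sector first")
        self.mem[addr:addr + len(data)] = data

    def erase_sector(self, sector: int) -> None:
        start = sector * SECTOR_SIZE
        self.mem[start:start + SECTOR_SIZE] = b"\xff" * SECTOR_SIZE
        self.erase_count += 1


def update_in_place(flash: Flash, addr: int, data: bytes) -> None:
    """Read-modify-write: copy sector to RAM, patch it, erase, write back.

    Everything else in the sector is preserved, which is why the copy to
    RAM is required before the erase.
    """
    sector = addr // SECTOR_SIZE
    start = sector * SECTOR_SIZE
    if addr + len(data) > start + SECTOR_SIZE:
        raise ValueError("update must not cross a sector boundary")
    ram_copy = bytearray(flash.read(start, SECTOR_SIZE))    # 1. copy to RAM
    ram_copy[addr - start:addr - start + len(data)] = data  # 2. patch in RAM
    flash.erase_sector(sector)                              # 3. wipe sector
    flash.program(start, bytes(ram_copy))                   # 4. write back


def demo() -> dict:
    """Write a slot, try to overwrite it directly, then update it properly."""
    flash = Flash(sectors=2)
    slot_addr = 0x40                    # assumption: slot 1 username offset
    flash.program(slot_addr, b"alice")
    flash.program(0x80, b"neighbour")   # other data in the same sector
    try:
        flash.program(slot_addr, b"bob\x00\x00")
        direct_overwrite_ok = True
    except FlashWriteError:
        direct_overwrite_ok = False
    update_in_place(flash, slot_addr, b"bob\x00\x00")
    return {
        "direct_overwrite_ok": direct_overwrite_ok,
        "slot": flash.read(slot_addr, 5),
        "neighbour": flash.read(0x80, 9),
        "erases": flash.erase_count,
    }


if __name__ == "__main__":
    print(demo())
```

The direct overwrite fails because the slot bytes are no longer 0xFF; the read-modify-write path costs one sector erase and leaves the neighbouring data intact, which is the trade-off that makes the copy to RAM necessary.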
After setting a slot and opening notepad to confirm correct output, pressing the slot button makes the LED turn off for a few seconds and nothing outputs. Confirmed with multiple slots, same result. Attached serial monitor output and Chrome app output.
Set Label on slot 1a & 1b
Set label on slot 6a
Notice that the label on slot 1b is now empty
Add check so Lock Pin and SD Pin can't be the same. Also PD pin would need this check as well.
Use
if (!uECC_sign_deterministic((uint8_t *)attestation_key, sha256_hash, 32, &ctx.uECC, signature, curve))
instead of
uECC_sign
https://github.com/kmackay/micro-ecc/blob/master/test/test_ecdsa_deterministic.c.example
Need a SHA2 library that supports this or modify Brad Conte's Library https://github.com/B-Con/crypto-algorithms
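As an added example (not OnlyKey firmware or micro-ecc code), the following pure-Python model shows what uECC_sign_deterministic provides: ECDSA over P-256 with the nonce k derived from the private key and the message hash per RFC 6979 using HMAC-SHA256, so the same key and hash always produce the same signature and no random number generator is involved. The private key and message are the RFC 6979 appendix A.2.5 test vector; the curve arithmetic is a plain affine implementation, not constant-time, and is meant for checking behaviour on a host, not for use on the device.

```python
# Added example, not OnlyKey firmware or micro-ecc code: host-side model of
# deterministic ECDSA (RFC 6979) over P-256. Curve constants are the standard
# P-256 values; the key and message come from RFC 6979 appendix A.2.5.
import hashlib
import hmac

# NIST P-256 domain parameters
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def point_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; model only)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def rfc6979_nonce(priv: int, h1: bytes) -> int:
    """Deterministic k per RFC 6979 section 3.2 (HMAC-SHA256, qlen = 256)."""
    def hm(key, msg):
        return hmac.new(key, msg, hashlib.sha256).digest()
    x = priv.to_bytes(32, "big")                               # int2octets(x)
    h = (int.from_bytes(h1, "big") % N).to_bytes(32, "big")    # bits2octets(h1)
    v, k = b"\x01" * 32, b"\x00" * 32
    k = hm(k, v + b"\x00" + x + h)
    v = hm(k, v)
    k = hm(k, v + b"\x01" + x + h)
    v = hm(k, v)
    while True:
        v = hm(k, v)
        cand = int.from_bytes(v, "big")
        if 1 <= cand < N:
            return cand
        k = hm(k, v + b"\x00")
        v = hm(k, v)


def sign_deterministic(priv: int, msg_hash: bytes) -> tuple:
    """ECDSA sign with an RFC 6979 nonce; returns (r, s)."""
    e = int.from_bytes(msg_hash, "big") % N
    k = rfc6979_nonce(priv, msg_hash)
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * priv) % N
    assert r and s, "degenerate signature (practically impossible)"
    return r, s


def verify(pub, msg_hash: bytes, sig: tuple) -> bool:
    """Standard ECDSA verification; deterministic signatures verify the same way."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    e = int.from_bytes(msg_hash, "big") % N
    w = pow(s, -1, N)
    point = point_add(scalar_mult(e * w % N, G), scalar_mult(r * w % N, pub))
    return point is not None and point[0] % N == r


def demo() -> dict:
    # Private key and message from RFC 6979 appendix A.2.5 (P-256, SHA-256).
    priv = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
    pub = scalar_mult(priv, G)
    h = hashlib.sha256(b"sample").digest()
    sig1 = sign_deterministic(priv, h)
    sig2 = sign_deterministic(priv, h)   # same input -> identical signature
    return {"k": rfc6979_nonce(priv, h), "sig": sig1, "repeatable": sig1 == sig2,
            "valid": verify(pub, h, sig1),
            "tampered_invalid": not verify(pub, hashlib.sha256(b"sampl3").digest(), sig1)}


if __name__ == "__main__":
    print(demo())
```

The reason to prefer the deterministic form is that ECDSA leaks the private key if a nonce is ever repeated or biased, and a small device cannot always guarantee fresh randomness; deriving k from the key and the hash removes that dependency while leaving the signature verifiable by any standard ECDSA verifier, which is also why the SHA2 library has to support the HMAC construction the nonce derivation needs.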
We can support https://www.myetherwallet.com/ just like Ledger does. This works in the web browser and just needs to be implemented.
@jaroszke I think you said this was an issue
If I setup an OnlyKey slot to:
[x] Label: something
[x] Password: 12345 / 12345
( ) Tab ( ) Return
I expect that only the password ("12345") will be sent by the OnlyKey. Instead, Return is appended to it. That makes it difficult to use two-factor passwords where one part of the password is a fixed password I type and the other part is a random-looking string stored in OnlyKey - this scenario is only feasible if I set up the two parts in order of known-owned, and only if I can always use the same terminating character on all systems (which is not always the case). It should definitely be possible to select "None" as a terminating character.
Seems this is planned, but I thought I'd create an issue for discussions and people to express support.
Questions:
Some Relevant References:
When the Chrome app sends OKWIPESLOT, slot data still seems to be set. Pressing a "wiped" slot button continues to output usernames and passwords.
Serial Monitor shows:
Received packetFFFFFFFFE710000000000000000000000000000000000000000000000000000000000OKWIPESLOT MESSAGE RECEIVED:67
Wiping Slot #1
Value #0
000000000000000000000000000000000000000000000000000000000Overwriting slot with 0s
If I submit 9 or 10 characters for a label in the app, the firmware consistently sets only 8 chars.
To reproduce on a legacy (single color LED OnlyKey):
RESULT: slot 1a data is correct. slot 4b label is correct, but none of the other fields are output when pressing the button.
After calling OKGETLABELS, slot 1a is consistently returned without the required pipe separator (|). This causes issues when displaying labels in the Chrome app. If slot 1a's label is not set, all other labels are "shifted" up by 1 slot.
Configured slot 5a with a username and password; when pressed, nothing is output. Serial monitor output below:
Slot Number 6
Displaying Full Keybuffer
esttest1
A nice feature to have would be to be able to turn off features like:
Backup - By disabling backup the device is more secure as there is no way to get data off of a device with backup disabled. Tradeoff is that there is also no way to backup a device.
OnlyKey Web Access - While being able to decrypt / encrypt using a web browser is a highly desired feature for some users, others may rather disable this to only use OnlyKey offline.
U2F - Same as above, U2F communicates via browser.
Yubikey OTPs seem to work fine, except that a public identity is always output. That is not required with the real Yubikey, where the public identity is only optional. OnlyKey doesn't request it when setting up the OTP, but it will still output some public identity when asked to generate an OTP. IMHO, if the Public Identity field is left empty, OnlyKey should take it as a signal that it should output only the OTPs without any public identity.
As far as I can tell, OnlyKey only supports one Yubikey OTP. Is that so? Since I have multiple Yubikeys, I hoped to replace them all with a single OnlyKey.
Technically, OnlyKey shouldn't have any trouble with multiple Yubikey OTPs, the only real limitation I can see is that the UI for setting up OnlyKeys just doesn't handle the situation. Or is there a technical reason why only a single Yubikey OTP is supported?
We can support https://web.telegram.org, this needs to be implemented in a fork of -
https://github.com/zhukov/webogram
Versions:
Arduino: 1.6.12
TeensyDuino: 1.31
Error in file: usb_keyboard.c with
usb_keyboard.c: In function 'deadkey_to_keycode':
usb_keyboard.c:279: warning: control reaches end of non-void function
}
^
expected identifier or '(' before numeric constant
The fix for the above error is to move
return 0;
from line 277 to after the } on 278
Additional errors with
keylayouts.h:43:0: warning: "LAYOUT_US_ENGLISH" redefined [enabled by default]
What is the correct procedure for compiling or is there a compile procedure that does not require the Arduino IDE?
Email addresses including @example.com increase the username length.
Made a change that hopefully will fix the intermittent issue with the Yubikey OTP counter; need to test that the counter works above 255.
onlykey-backup-1487211569934.txt
Load the backup above:
After restore
Happens on both OK and OK Color
U2F relies on a counter that is supposed to help prevent token cloning. It doesn't really do this and the counter is pretty useless as other devices such as Trezor just increment the counter to the current epoch time (4 byte value) during a restore. This way the counter is always ahead and backup and restore of U2F works. Implementing a similar feature would allow backup and restore of U2F on OnlyKey.
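The counter behaviour described above, as an added example that is not OnlyKey or Trezor code: a Python model of both sides of the U2F counter check, with a relying party that rejects a counter that does not increase and an authenticator that can be restored from a backup either at the old counter value or seeded with the current epoch time. The 32-bit width is the U2F counter size; the relying-party logic and the backup format are assumptions for illustration.

```python
# Added example, not OnlyKey or Trezor code: a model of the U2F signature
# counter as seen from both sides. The authenticator reports a counter in
# every assertion; the relying party rejects any assertion whose counter is
# not higher than the last one it stored (its clone-detection rule). The
# relying party and backup format here are assumptions for illustration.
import time


class Authenticator:
    def __init__(self, counter: int = 0):
        self.counter = counter

    def assert_(self) -> int:
        """Each use increments the 32-bit counter and reports the new value."""
        self.counter = (self.counter + 1) & 0xFFFFFFFF
        return self.counter

    def export_backup(self) -> dict:
        return {"counter": self.counter}

    @classmethod
    def restore(cls, backup: dict, seed_with_epoch: bool, now: int):
        """Restore from backup; optionally jump the counter to the epoch time."""
        start = max(backup["counter"], now) if seed_with_epoch else backup["counter"]
        return cls(start)


class RelyingParty:
    def __init__(self):
        self.last_counter = 0

    def check(self, counter: int) -> bool:
        """Accept only a strictly increasing counter (U2F clone detection)."""
        if counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


def simulate(seed_with_epoch: bool, now: int) -> dict:
    """Back up early, use the original device, then restore and try once."""
    rp = RelyingParty()
    dev = Authenticator()
    backup = dev.export_backup()          # backup taken at counter 0
    for _ in range(5):                    # original device used 5 times
        rp.check(dev.assert_())
    restored = Authenticator.restore(backup, seed_with_epoch, now)
    accepted = rp.check(restored.assert_())
    original_still_accepted = rp.check(dev.assert_())   # original's 6th use
    return {"rp_last": rp.last_counter, "accepted": accepted,
            "restored_counter": restored.counter,
            "original_still_accepted": original_still_accepted}


if __name__ == "__main__":
    print(simulate(seed_with_epoch=False, now=int(time.time())))
    print(simulate(seed_with_epoch=True, now=int(time.time())))
```

With seed_with_epoch=False the restored device is rejected until its counter passes the value the relying party last saw; with seed_with_epoch=True its first assertion is accepted. The same run shows the caveat in the report: once the restored copy has jumped ahead, the original device's next assertion (counter 6) is itself rejected, so the counter cannot tell a legitimate restore from a clone.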
Password output compounded with old username.
I set a username in each slot, then reset username with a password. The output of the new username works but the password compounds the old username to it.
Accept user value for timeout to Lock OK.
A nice option would be to have a separate PIN for config mode. By requiring separate PIN for config mode a user can choose to only enter their config mode PIN in secret thereby decreasing the chance someone will see them enter their PIN.
Steps to reproduce:
After wiping a slot, serial monitor output shows:
Wiping Slot #5
Value #0
000000000000000000000000000000000000000000000000000000000Overwriting slot with 0s
Wiping Label Value...
Wiping Username Value...
Wiping Additional Character1 Value...
Writing Delay1 to EEPROM...
Wiping Password Value...
Wiping Additional Character2 Value...
Wiping Delay2 Value...
Wiping 2FA Type Value...
Writing TOTP Key to EEPROM...Data to write = 0
Writing to Sector 0x20324, value 0x0 Data to write = 0
Writing to Sector 0x20324, value 0x0 Data to write = 0
Writing to Sector 0x20324, value 0x0 Data to write = 0
Writing to Sector 0x20324, value 0x0 Data to write = 0
Writing to Sector 0x20324, value 0x0
Wiping onlykey AES Key, Priviate ID, and Public ID...
Then, after pressing the wiped slot's key, the OnlyKey LED shuts off and it stops responding to key presses (or any programming) until being removed and reinserted. The last serial monitor entry shows:
Displaying Full Keybuffer
�a��r!����-hHcG�*������xD8������a=�0l"F%�R���z:�a���ABY=�6L���
UPDATE:
After a factory reset, I set slot 1a's label and username. The OnlyKey output correctly when tapping button 1a. Then, I wiped slot 1a. The OKWIPESLOT output looked fine (like pasted above). After pressing the key 1a, the same device freeze happened as above, but the serial monitor output showed the following:
Slot Number 1
Reading Username from EEPROM...
Username Length = 32
Encrypted
00000000000000000000000000000000
0x20004
0x41 0x67 0x76 0x59 0x20004
0x47 0xC2 0x5A 0xC1 0x20004
0x39 0x59 0xE5 0x76Unencrypted
C2F66B1C343ECCBB4E10FC4339C7DC1E0D11184E33D5F2E44E41A738E4B999F
Reading Password from EEPROM...
Password Length = 32
Encrypted
00000000000000000000000000000000
0x20004
0x41 0x67 0x76 0x59 0x20004
0x47 0xC2 0x5A 0xC1 0x20004
0x39 0x59 0xE5 0x76Unencrypted
C2F66B1C343ECCBB4E10FC4339C7DC1E0D11184E33D5F2E44E41A738E4B999F
Displaying Full Keybuffer
��k�4>̻N��C��}������=_.D��s�K����k�4>̻N��C��}������=_.D��s�K��
Backup file attached; after restore, try to set a slot with Google Auth using Gmail.
Secret key
qpnr ya6x lit7 f2dd ybkj k6qs osb7 5sbw
I've had to lower my OnlyKey typing speed (it's 8 now), but it is still occasionally skipping keys.
With textpad open on my El Capitan Macbook Pro, I reliably get skips at typing speed 10, but with speed 9 they are much less pronounced.
With speed 10, the errors seem to approach 90% in a sample of 10, while with speed 9, I had to run it nearly 20 times before I got an error. Since I can type almost as quickly on my keyboard and not receive skipped keys, OS latency seems unlikely to be the culprit. I have a second OnlyKey that I will test with and update this issue.
Test Username:
12345678901234567890123456
Test Password:
abcdefghijklmnopqrstuvwxyz
Typing Speed 10
---------------
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
123456780123567890123456
abcdefhijklmnopqrstuvwxyz
123567801234567890123456
abcdefghijkmnoprstuvwxyz
123456789013456890123456
acdefghijklmnopqrstuwxyz
1345678901234567890123456
abcdefghijklmnopqrstuvwxyz
1345678901234567890123456
abcdefghiklmnpqrsuvwxz1345678901234567890123456
abcdfghijklmnopqrstuvwxyz
12346789123567890123456
abdefgijklnopqrstuvxyz
123567890123456780123456abcdefghijkmnopqrstuwxyz
12345678901234567890123456
acdefhijklmnopqrstuvwxyz
Typing Speed 9
--------------
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
1234567890123567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
12345678901234567890123456
abcdefghijklmnopqrstuvwxyz
Hi Team,
My Yubikey has been setup twice, however I have the same problem.
I can see the new public key, registered and checked with the original Yubikey, it validates successfully.
I have programmed the OnlyKey, the public part of the key is correct, however, when I generate code, it unsuccessfully validates.
Can you please provide any advice?
Thank you
Steps to reproduce:
US version
We have experimental support for these here -
https://github.com/trustcrypto/Android-U2F
https://github.com/trustcrypto/Android-Google-Auth
randomslotlabelgetswiped-app.txt
After setting all slots, one label will get wiped and then resetting that label causes another label to get wiped.
In your installation instructions you have ambiguities:
To load the US version you will use the OnlyKey_Alpha_US.cpp.hex firmware included in the zip file (OnlyKey-Firmware-master/OnlyKey_Beta_US/OnlyKey_Beta_US.cpp.hex).
There is no Alpha version but as expected there is a Beta version.
You then ask users to ensure they check the SHA256 hash of the firmware against two entries that are listed as:
OnlyKey_Alpha_US.cpp.hex - f1390f31fe426efc8979d5b8c59391957582de94d81ff5abfaab89bdc3710103
OnlyKey_Alpha_IN.cpp.hex - 54746d8c26a3e87e16139aed2889905f3f4b7269d866e2fefd79c2bb02ee12e5
I can only assume this has not been updated as they are obviously Alpha versions not Beta versions, and indeed the hash entries do not appear to match.
After self destruct the message INITIALIZED displays; requires a power off/on to set up.
OKSETTIME MESSAGE RECEIVED
UNINITIALIZEDINITIALIZED
INITIALIZED
INITIALIZED
INITIALIZED
Test this to see if it is an app or firmware issue.