I recently wanted to sign some drivers to avoid requiring users of my ChipWhisperer device to do the usual bypass-signature deal. The end result is a sweet sweet screen like this when install the drivers:
If you are in this situation, I wanted to add some of my own notes into the mix.
David Grayson has an awesome guide which I mostly followed, available at http://www.davidegrayson.com/signing.
The steps I followed (again from his guide basically) are:
- Buy a Code Signing Certificate, I selected one from GlobalSign. They will verify your company information as part of this (or name if person) which basically involves calling you.
- Download the certificate. You can then double-click on it to install it into your system (hint: you may want to dedicate a VM or machine to this to keep your certificate off your laptop you travel with for example).
- You need the ‘signtool’ and ‘inf2cat’ programs. This requires install Windows SDK + Windows WDK (which itself depends on Visual Studio 2013). There’s like 10GB of other crap you install in order to get these files. Anyway install them…
- Write the following in a batch file:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x86\inf2cat" /v /driver:%~dp0 /os:XP_X86,Vista_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64,6_3_X86,6_3_X64
"C:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool" sign /v /n "Your Company Name Inc." /tr http://timestamp.globalsign.com/scripts/timestamp.dll *.cat
"C:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool" sign /v /n "Your Company Name Inc." /tr http://timestamp.globalsign.com/scripts/timestamp.dll /fd SHA256 /as *.cat
- Copy the batch file to the directory with the .inf file, and double-click it.
- You might need to modify your .INF file, check the output for errors – I had to update the date to be past 2013 for example. The above will work if you’ve installed the certificate on your system, as it will search for a certificate with “Your Company Name Inc.”, so you need to match that exactly.
- Party – you should now have a signed .cat file! Distribute the whole batch (be sure to remove the .bat file) to your customers/users.
The batch file I use above signs both a SHA1 and SHA256 signature. SHA1 is being deprecated due to collision attacks (interesting sidenote: these were used as part of the attack on Iranian centrifuges by creating digitally signed drivers).
Unfortunately SHA256 isn’t fully supported across all platforms you might need to support (see https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility), so for now I’m using both, which I think works?
For some time I’ve been planning on updating my website design. Ultimately I want to move towards more blog posts and less static pages, this is the result. This should help showing some of my projects and videos off a little easier. The old site will remain accessible at http://www.colinoflynn.com/oldsite as I haven’t migrated everything.
In addition this means old links can easily be fixed by inserting ‘oldsite’ into them! I.e. if you have a link to http://colinoflynn.com/tiki-index.php?page=15dot4tools, just change it to http://colinoflynn.com/oldsite/tiki-index.php?page=15dot4tools and everything works!
Let me know if anything breaks though, but in the mean-time I’ll be slowly trying to migrate additional content.
I recently got an LPCXpresso board, which you can cut and make into a debugger. I wanted to use the 0.1″ header (J4) and not the specified JTAG (2×10 0.5″) header. Here is how I cut my board such it can be plugged back together: the female header is just half an IC socket:
Counting pin 1 at the top of the board (near J49), the pinout is:
RTCK is not present on this header, it’s only on J5. You may wish to consider not mounting pin 7 (+5V) since if you ever connect the plug wrong this will give you serious trouble, since +5V at high current is available. I ended up removing pin 7 and plugging it, so I also used that as a key on the other side of my connector. This prevents me from plugging in something backwards.
I recently got my 34401A bench meter out of storage, and wanted it working with my computer, something I hadn’t done for several years. I forgot to get my ‘official’ Agilent connection cable, but figured I could use my standard cables no problem.
This took a bit of effort to actually get working, so here is my notes on the issue:
- The required settings are 9600 Baud, 1 Start Bit, 2 Stop Bits, Hardware flow control. Hyperterminal never seemed to work, possibly because the 34401A uses full RTS/CTS + DTR/DSR flow control. I did however have success with the ‘Termite’ program with the following settings:
- Send the SYSTem:REMote command first, you should see a little ‘RMT’ appear on the 34401A VFD front panel. This indicates comms are working. Try a READ? command too; As an example see the following, blue is what I’ve sent and green is the meter responding:
- I first tried a small null-modem adapter + RS232 extension cable. You need to ensure your cable has all lines connected, since the 34401A uses full flow control. My null-modem adapter didn’t have lines 1 & 9 connected straight-through, as the 34401A manual says it should be. I figured it wouldn’t matter since it doesn’t claim to use them, and the rest of the lines were connected as required, but the meter didn’t respond to any commands. Using a null-modem cable which had line 9 connected straight-through, but not 1, seemed to work fine. So the hardware can be an issue!
- So far the Excel/Word Plug-In hasn’t worked for me. I know it did at one point, so still working on that, but I might end up just using Python or something instead anyway.
If you will be in San Diego this coming Monday/Tuesday/Wednesday I encourage you to attend Smart Grid Security West (http://www.smartgridsecuritysummit.com/), where I’ll be discussing some of my work in wireless security. Hope to meet you there!
I added a link to one of my big new projects, a book about all these wireless networks. It’s called “IPv6 for the (Wireless) Masses”, and I hope the playful title will make you to believe that perhaps it will offer more than just regurgitated standards and information you can find elsewhere with a bit of Googling.
I’ve also upgraded my TikiWiki software version (again), so let me know what else breaks. I’ve been playing around with menus and plan on updating my ‘random tips’ blog more often with what I am up to.
In my effort to build the calibration software for my simple Digital Compass, I’ve been working on doing tests with it.
Here is a screen-shot of the output (using MATLAB to interface to the serial port), it shows a plot of X & Y magnetic field readings plotted on X/Y axis. You can see it’s a (fairly) nice circle. The object will be mapping a distorted circle due to iron in the area onto something like that…
I needed to use my AT90USBKEY at higher than 3.3V for ADC input purposes. It’s not documented in the manual, but the schematic shows they anticipated this. You can easily convert the AT90USBKEY to run on 5V with a few changes. The changes needed are:
- Remove resistor R20 (0-ohm resistor)
- Remove resistor R16 (0-ohm resistor)
- Place a 0-ohm resistor on pads at R21 (move R16 or R20)
That’s it! The DataFLASH chip’s VCC needs to be in the 2.5-3.6V range, but with those changes it is still powered by the 3.3V regulator. Thus you don’t need to remove the DataFLASH chips. The DataFLASH devices have 5V tolerant I/O, so even though your MCU is running at 5V, it won’t fry the DataFLASH. Note the logic high levels of the DataFLASH may not be sufficient to actually work with the MCU, since it’s logic high will only be using 3.3V logic.
The following diagram shows the changes, red = remove resistor, green = new resistor, yellow = optional change. I actually removed the DataFLASH in this photo only because I wanted the I/O lines the DataFLASH was using.
Note that D3 drops the 5V input to about 4.2V. The actual VCC with just the resistor change is 4.2V. If you want full 5V from the USB, you also need to remove diode D3 and replace with a short. This is the change highlighted in yellow above.
When running from 5V you need to ensure the USB regulator is enabled. If using LUFA make sure the ‘USB_OPT_REG_ENABLED’ is enabled. e.g. in the Makefile:
LUFA_OPTS += -D USE_STATIC_OPTIONS="(USB_DEVICE_OPT_FULLSPEED | USB_OPT_REG_ENABLED | USB_OPT_AUTO_PLL)"
Another hint too: If you aren’t removing resistors permanently, just slide them onto one of the pads. This way you won’t lose the parts when you want to put them back. For example when I was using the line with the HWB pushbutton:
TikiWiki has just been upgraded, which might break a few things… let me know if you find any of those!
File not found.
FIP has passed IPv6 Ready Silver (Phase 1) testing when operating as a host device. Next up is the router test, then full Gold (Phase 2) testing.
See the entry at IPv6 Ready Forum
I presented a paper entitled at a conference in Paris, France this past week. Much to my surprise it was selected as the best paper in the security track! I’ve now posted it online, along with the presentation + notes from Paris. See all the information on my Articles page.