Building a U2F Token

Conor Patrick edited this page Jun 18, 2016 · 41 revisions

After buying the parts, solder everything together as shown in this high-res picture. Note that the red dot on the LED should be on the left side. Two of the pins on the microcontroller have shorted traces.

Programming

You should be able to complete these instructions whether you're on Windows, OS X, or Linux.

Prerequisites

  1. First you should install Simplicity Studio from Silicon Labs.

    • Once installed, open it and install "EFM8/C8051 8-bit Products"
  2. Install Python and pip.

  3. Install OpenSSL and USB development packages.

    # Ubuntu
    sudo apt-get install openssl libssl-dev libusb-1.0-0-dev
    # Or use the OS X equivalent, or Cygwin on Windows
    
  4. Download the project and Python modules.

    git clone https://github.com/conorpp/u2f-zero.git
    cd u2f-zero/tools/u2f_zero_client
    sudo pip install -r requirements.txt
    
  5. If you're on Linux, some HID devices are only accessible to root, so you will need to add a udev rule for U2F Zero.

Configuring

First we need to configure the U2F token with a setup build. This permanently configures the ATECC508 secure element and generates a unique attestation certificate.

  1. Connect GND, C2D, and C2CK signals to your debugger/programmer device. Use this for reference. You also need to plug the U2F token into a USB port on your computer.

  2. Open up Simplicity Studio. On the left, click "Refresh detected hardware." The debugger you are using should show up. Under the debugger, it should detect "EFM8UB11F16G-QSOP24." If this doesn't happen, make sure you soldered it correctly. If the debugger is clearly having issues, try resetting it using Silicon Labs' reset utility.

  3. Once detected, click on "Flash Programmer" and erase and flash the device with firmware/SETUP.hex.

  4. Now open a terminal. We will run a set of small scripts to generate an attestation key pair on the U2F token. The public key will be read and signed to make a certificate. That certificate will be included in the final build. The private key is stored on the token and is write-only in hardware.

    # First let's compile the openssl C programs
    cd tools/gencert/
    make
    
    # Now we can generate a "CA" key pair that will sign our attestation key.
    # If you have a different key that you would like to use to sign, skip this step.
    cd ca/
    ./genca.sh
    
    # Now to lock ATECC508 configuration, pull public key, and create attestation certificate
    cd ../..
    ./setup_device.sh gencert/ca/key.pem    # or path to your preferred signing key
    

    We have now signed the public key, and the script has stored the resulting certificate in the source code. We can now build the project and program the U2F token.

    • Open Simplicity Studio and open Simplicity IDE
    • Click File -> Import
    • General -> Existing Projects into Workspace
    • Select root directory and choose the firmware/ directory
    • Finish
    • Build project and then program U2F Token with firmware/release/u2f-firmware.hex

If the LED pulses green, the token is working.
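
The key-and-certificate flow from step 4 of Configuring can be reproduced with the stock `openssl` CLI to see what a correct result looks like and how to check it. This is an added example, not part of the U2F Zero tools: all file and subject names are made up, and a software key stands in for the key held on the ATECC508.

```shell
#!/bin/sh
# Added illustration, not part of the U2F Zero tools. File and subject names are
# constructed; a software key stands in for the key kept on the ATECC508.
set -eu

make_chain() {  # $1 = output directory
    d=$1
    # "CA" key pair and self-signed certificate (the role genca.sh has on the page).
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca_key.pem"
    openssl req -new -x509 -key "$d/ca_key.pem" -subj "/CN=Example U2F CA" \
        -days 3650 -out "$d/ca_cert.pem"
    # Stand-in token key: on real hardware only the public half can be read out.
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/token_key.pem"
    openssl ec -in "$d/token_key.pem" -pubout -out "$d/token_pub.pem" 2>/dev/null
    # openssl cannot sign a request with a key it cannot read, so a throwaway key
    # signs the CSR and -force_pubkey puts the token's public key in the certificate.
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/tmp_key.pem"
    openssl req -new -key "$d/tmp_key.pem" -subj "/CN=Example U2F Token" \
        -out "$d/tmp.csr"
    openssl x509 -req -in "$d/tmp.csr" -force_pubkey "$d/token_pub.pem" \
        -CA "$d/ca_cert.pem" -CAkey "$d/ca_key.pem" -set_serial 1 \
        -days 3650 -out "$d/attest_cert.pem" 2>/dev/null
}

# Hash of the DER-encoded public key read from stdin (PEM).
pub_hash() { openssl pkey -pubin -outform DER | openssl dgst -sha256; }

# True only if the certificate chains to the CA and carries the expected public key.
check_attestation() {  # $1 = CA cert, $2 = attestation cert, $3 = expected public key
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey | pub_hash)
    want_pub=$(pub_hash < "$3")
    [ "$cert_pub" = "$want_pub" ]
}

dir=$(mktemp -d)
make_chain "$dir"
if check_attestation "$dir/ca_cert.pem" "$dir/attest_cert.pem" "$dir/token_pub.pem"; then
    echo "attestation certificate verifies and matches the token public key"
fi
```

The same `check_attestation` comparison works on any PEM certificate and public key, which makes it a quick check that a certificate was issued for the key you expected.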