public inbox for linux-bluetooth@vger.kernel.org
From: Steven Singer <steven.singer@csr.com>
To: Marcel Holtmann <marcel@holtmann.org>
Cc: cijoml@volny.cz, BlueZ Mailing List <bluez-users@lists.sourceforge.net>
Subject: Re: [Bluez-users] CSR firmware
Date: Tue, 01 Jun 2004 15:08:07 +0100
Message-ID: <40BC8DC7.70809@csr.com>
In-Reply-To: <1086090904.4702.16.camel@pegasus>

Marcel Holtmann wrote:
>                                    [...] Hopefully the next guy who is
> asking such questions will read the mailing list archive first ;)

But that trick never works.

>> It might be worth gathering information about which products
>> are signed with which keys. Something like:
[...]
> What we need to know is the public key of the boot loader, so we can
> check the signature of the firmware file. Actually I don't know how to
> do that, because we don't get access to the boot loader over USB or
> UART.

I don't know of a way for you to get the public key out of the boot
loader.

> Is it easy to check if a firmware doesn't use a signature? Will CSR
> publish their public key?

There's not much point in us publishing our public key if you can't
read it out of the loader to check.

It's been pointed out to me that as well as trashing the module or
compromising the radio performance, putting the wrong firmware onto a
module could compromise the USB performance and might take down the
USB bus or the host itself (for example, some modules have I/O lines
connected to the USB bus, some have them connected to an external radio
amplifier, I can't imagine a host would take too kindly to having its
USB lines toggled at 1600 Hz).

CSR is certainly not prepared to handle the volume of support calls
that incorrect firmware is likely to generate and I suspect that the
BlueZ developers, the Linux USB developers and Microsoft (if people
plug their mutilated dongles into Windows PCs) are unwilling to handle
the calls either.

Signing is meant to prevent these problems. Just because some module
manufacturers have failed to implement it correctly does not mean that
taking firmware from one of these modules (or another manufacturer's
web site) and putting it on another is a good thing.

It might be worth building a list of good module manufacturers/OEMs
who regularly release up to date, tested and signed firmware.

[I know this is a change of position from my last mail, but the more
I think about this, the less comfortable I am about putting firmware
on modules it wasn't designed for.]

	- Steven