How to Change VID/PID on ESP32 S3 without the commissioner #226
As the Commissioner is down, I cannot modify the VID/PID values for the esp32s3 platform nor set the pin. Is there a way to do this by manually flashing the bin file?
same request here.
You can set the pin using the Chrome browser by going to settings, privacy and security, security, manage security keys (chrome://settings/securityKeys).
To set VID/PID you can try using the commissioner archived by web.archive.org
Note that it seems it is only working through WebAuthn, not WebUSB
WebUSB has deliberately not been implemented by Mozilla for security reasons. Maybe it should not be used in a security-related project like this at all anyway?
Pico Commissioner has been replaced by PicoKey App.
But the app is expensive for a student.
Economically this project is dead (to users) by costing 30€ license fee per each key plus microcontroller costing around 10€ each plus printing a case which sums up to well above 40€ while you can buy a working out of the box YubiKey for around 50€ and it's offering more features. The license fee per each key makes it very expensive considering that even in the smallest possible setup you need two keys (= 60€) to have at least one as backup.
AGPL is no longer of interest, I guess...
Is it offering more features? Which? Yubico sells non-upgradable keys with a closed-source firmware. Can you switch between an HSM, FIDO key or OpenPGP with your yubikey? No. Can you perform a security audit on the source of your yubikey? No. Can you even upgrade your yubikey when a vulnerability is discovered? No. Can you even customize the firmware freely? I don't think so. Please, tell me which are these "more features" because I cannot see them.
Students and developers can use the firmware at 0 cost.
Well I think given that the main project itself is still open source, we can make our own open source app for commissioning the pico key itself, and maybe make that app multi platform to work on android, ios, windows, linux, macos, freebsd, etc.
And I think it is not wrong that Pol is charging money for the picokey app, they gotta earn in some way, however removing the web commissioner because of the new paid app was kinda bad. But anyway if someone is in with me, wanting to build an app for this project then we can start working on it?
Actually I am working on something like that, but mainly to implement a fingerprint sensor into it to perform user verification.
Ohh that is great. Is it only for pico-fido or other keys too? And is it cross-platform? I was actually interested in this and going to start work on it. I was just looking for more peeps to help me, and a co-maintainer. If you are already building what I described then I guess I will wait?
Or if it is fine I can help you? Contribute to your project.
I was thinking to write a desktop app to commission first, using gtk4/libadwaita.
Hi.
Thanks for this great project.
I just flashed my ESP32 S2 Mini, and was going to the commissioner to change stuff, only to find out that the archive is deleted upon a request, which is not good.
Right now, it looks like the app is the only way to change things, and I don't want to pay for a license.
I'm down for developing a script for this.
So something like a python script that commissions this? I think there was something like that already there?
Found it! https://github.com/lockedmutex/pypicokey-mirror
Tho the original repo is down now.
It's certainly not wrong to charge for all the work that's been done here.
However, the way it was handled was simply pathetic.
It could also be described simply in one sentence:
The way this was handled was exactly what I usually expect to see in the digital world these days - deceitful and dishonorable.
I was looking for something like this, thanks!
Although the script has a lot of room to improve, it gets the job done.
@polhenarejos
If we cannot commission the led without picokey app, then how can we fix it?
Gotta edit the source code and build my own firmware?
Or the release builds on github have this already fixed? Cause the latest version when I compile myself the button verification does not work, unless I edit this part of the code.
Also rewriting history of pico-fido-2 repository just to make it behind a paywall of picokey app is really bad practice, if you want to make picokey app paid, then that is fine but actively deleting open source repos is not.
@wlatendresse I think what you said is true.
I think what pol will do is slowly transition from open source to source available and then completely close sourcing it.
Also if any of the stuff I stated above is wrong, then apologies for that.
First, you should compare likewise objects. This is the FIDO Key, isn't it? I am comparing Pico Fido Key against a Yubikey. The other projects might be nice, but it's not like you could create one device, like one MCU carrying out all the tasks you threw in anyway.
Second, from a consumer perspective a device just needs to work. I am a huge fan of open source software. However you build your project in two parts and the fact that the key is open-source doesn't make it true open-source, when it's useless without a tool to commission it, no matter if it's an app or a web application. It's like giving you every detail on a car but obscuring the engine. Now you are yelling at us that we can build it ourselves in every aspect, and can alter it in any way. That's true but a car without an engine is just a bunch of useless metal (like my rp-2350 mcus I got to use with this cool open-source software, lol).
I don't need to customize the firmware, I just want a working FIDO2 compliant device that is usable in a real world scenario.
To enlighten you, one key feature yubikey is providing is OATH‑TOTP/HOTP support. Another feature, if one wants to call it that way, is the robustness of the hardware key itself. I am not confident to wear an MCU on my key chain on a daily basis. However I would be confident doing so with a yubikey as it is basically what they are advertising with. NFC support is another feature I can not see in Pico key.
I guess for the simplest FIDO2 device a Pico key will do but then again, I could simply get a Nitrokey Passkey, a complete solution (software AND hardware), ready to use out of the box for less than the licensing fee you are asking for. That way, there is no need to tinker or to worry about further strategic turnarounds rendering my devices useless.
Don't get me wrong, monetizing your project is fine but from a user perspective there are so many better solutions for cheap available that it doesn't make any sense anymore to tinker with your solution, when you are charging 30€ per device.
What a jaded remark.
@vaishakhsnair I tried to contact you about the app for commissioning. Tho I did not get an answer. You might be busy.
Anyway, I am currently working on an app for commissioning the pico, will update here once the app is in somewhat working stage. I will be for now targeting the version 7 or 7.2 of the firmware, will update this.
Also the app will be AGPL 3.0 similar to the firmware.
Open Source Commissioner app for the open source firmware:
https://github.com/librekeys/picoforge
@wlatendresse @zorrolo @zyp114514 @Lab-8916100448256 @lubeda
Moderation note
This issue is for technical discussion only.
Off-topic comments, including links to forks, external communities, or calls to move the discussion elsewhere, will be removed.
Native App is freezing with ESP32-S2 and can't change tabs with connected ESP32.
AppImage is also freezing, but I can change tabs with unplugged ESP32. Also I can't change Vid-Pid and Product Name.
Herein lies one of the main reasons why open source is also falling into disrepute:
Because recently, people have been active in this field who, based on their behavior, would be better off working for Microsoft.