Secure upgrade: Difference between revisions

From OLPC
Jump to navigation Jump to search
(add more info)
 
(64 intermediate revisions by 21 users not shown)
Line 1: Line 1:
<noinclude>{{OLPC}}
<noinclude>{{OLPC}}{{Translations}}
{{obsolete|link=each release's [[Release notes]] have instructions for upgrading to it}}
This page describes how to reinstall the operating system of a secured laptop, whether it is unactivated (fresh from the factory) or already activated.


'''This process destroys all the data on the laptop, wiping out all user data, and resetting the laptop to booting from a new, standard, signed operating system build.''' Please use [[olpc-update]] if you wish to keep your data.
This page describes how to do a re-flash of an activated laptop.


=== Steps for secured upgrade, in plain English ===
'''This process destroys all the data on the internal flash memory of the laptop, wiping out all user data, and resetting the laptop to booting from a new, standard, signed operating system build.''' Please use [[olpc-update]] if you wish to keep your data.

=== Steps for Activated Upgrade, in Plain English ===
{{users}}
{{users}}

(for G1G1 Recipients)
</noinclude><includeonly>: ''Main article: [[Activated Upgrade]]''</includeonly>
</noinclude><includeonly>: ''Main article: [[Secure upgrade]]''</includeonly>


0. '''Before performing the upgrade, please note that EVERYTHING previously created will be deleted!'''
0. '''Before performing the upgrade, please note that EVERYTHING previously created will be deleted!'''


1. '''Read [[release notes]]''' for your target release!
1. You need a USB stick that is larger than 300 MB, and it is better that you format it before copying any files over.


<span style="font-weight: bold; font-color: red; font-size: 24pt; line-height: 120%;">Activities must be [[OLPC_Update.1_Software_Release_Notes#Finding_Activities|installed separately]].</span>
2. Once you have the formatted USB stick, download the following two files from
the Internet (you may need to right click and choose "save as"):


2. You need a formatted USB flash drive that is larger than 325 MB, and it is better that you format it before copying any files over.
http://download.laptop.org/xo-1/os/official/653/jffs2/fs.zip


3. To install build 767 ([[Release_Notes/8.2.0|Release 8.2.0]]) download the following two files from
http://download.laptop.org/xo-1/os/official/653/jffs2/os653.img
the Internet and put them on the USB flash drive:


http://download.laptop.org/xo-1/os/official/767/jffs2/fs.zip
The first file is about 194KB, and the second file is quite large (about 293 MB), which might take a while to download.


http://download.laptop.org/xo-1/os/official/767/jffs2/os767.img
* To download those files, please plug in the USB stick to another computer that is connected to the Internet. Open each of the above two URLs in the browser. You should see a message asking you whether to save/open the file. Save both files to the USB stick. Eject/Remove the USB stick, and unplug it.


* To download those files, plug the USB flash drive into another computer that is connected to the Internet. Right-click (Ctrl-click for Mac) on each of the above two URLs in the browser and choose "Save Target As" ("Save Link As" for Firefox). Save both files to the USB flash drive. Eject/Remove the USB flash drive, and unplug it.
3. Make sure the XO laptop is OFF. Plug in the USB stick.


The first file is about 154Kb, and the second file is quite large (about 233 Mb), which might take a while to download.
4. With the USB stick inserted, power up the laptop while holding down

After you have finished this step, there should be two files on the USB flash drive, the fs.zip file, and the img file.

4. Make sure the XO laptop is OFF. Make sure that the battery is installed, and that you have external (AC) power plugged in as well. Plug in the USB flash drive, and do not unplug it until instructed.

5. With the USB flash drive inserted, power up the laptop while holding down
ALL four game buttons on the right side of screen (the four buttons
ALL four game buttons on the right side of screen (the four buttons
above the power button, and they are marked with O, V, X, and square). Please be sure to press all of them '''firmly'''; use two thumbs if that helps.
above the power button, and they are marked with O, V, X, and square). Please be sure to press all of them '''firmly'''; use two thumbs if that helps.


5. When the screen says 'release the game keys', release all four buttons.
6. When the screen says 'release the game key to continue', release all four buttons.


6. You will see arrays of colored grids running on the screen. We are
7. You will see arrays of colored grids running on the screen. We are
now re-writing the NAND image.
now re-writing the laptop with the new operating system.


7. Once done with re-writing the NAND, the laptop will reboot itself.
8. Once done with re-writing, the laptop will reboot itself.


8. Next, the laptop may update the firmware, if necessary, and reboot
9. Next, the laptop may update the firmware, if necessary, and reboot
itself. (You don't have to do anything; just watch.)
itself. It will insist on being plugged in and having a battery present if it needs to update the firmware. (You don't have to do anything; just watch.)


9. After done with the upgrade(s), the laptop will boot to the prompt
10. After you're done with the update, the laptop will boot to the prompt
for your preferred user name.
for your preferred user name. You can now remove the USB flash drive, and it is no longer needed.


===== Install activities =====
10. Go to the Terminal activity (click on the taskbar icon [[Image:Activity-terminal.svg|35px]])
No activities are included in some versions of the OLPC software. Follow these instructions to install basic activities on release 8.1.0, 8.1.1 and 8.2.0.

# Power off the XO
# Remove the "fs.zip" file from your flash drive.
# Download the [http://wiki.laptop.org/images/6/62/G1G1_Activity_Pack_1.zip activity pack] and unzip it to the flash drive (NOT a subdirectory).
# Insert the USB flash drive and boot the XO. It will display text on a black screen as the activities are installed, after which it will power off.
# Remove the USB flash drive.

==== Verify your update ====
12. Go to the Terminal activity (click on the taskbar icon [[Image:Activity-terminal.svg|35px]])
* The screen should say something like <tt>[olpc@xo-05-2D-2F ~]$</tt>
* The screen should say something like <tt>[olpc@xo-05-2D-2F ~]$</tt>
* The numbers don't matter, but be sure that you type things after the $ sign.
* The numbers don't matter, but be sure that you type things after the $ sign.


11. Type the following to check which version you XO is running:
14. Type the following to check which version you XO is running:


cat /etc/issue
cat /etc/issue


12. Press the Enter key
15. Press the Enter key


13. If the screen says something that begins with
16. If the screen says something that begins with


OLPC build 653
OLPC build 767


then we are one step closer to finishing the upgrade process!
then we are one step closer to finishing the upgrade process!


17. Go to Home view and mouse over the XO guy in the center.
13. Type the following:


18. Select the "Shutdown" option to power off the machine. Now you should be able to power it up as usual, with build 767.
poweroff

14. Press the Enter key

15. Now the laptop is off. You should be able to remove the USB stick
and power it up as usual.


<noinclude>
<noinclude>
Line 79: Line 90:


# Get to a terminal on the laptop, and type: ls /security
# Get to a terminal on the laptop, and type: ls /security
#* ''On XO-1 this requires root permissions. Press the Ctrl+Alt+[[Image:Mesh key f1 small.png]] keys together to get to the console, log in as root and then enter the command above as stated.''
#* ''On XO-1 this requires root permissions. See [[Console]] for how to get them.
#* If there is a lease.sig file, you will want to save this lease before re-flashing the laptop.
#* If there is a lease.sig file, you will want to save this lease before re-flashing the laptop.
#*# To do so, insert a USB stick, wait for it to mount, and then type: cp /security/lease.sig /media/{name_of_usb_stick}
#*# To do so, insert a USB stick, wait for it to mount, and then type: cp /security/lease.sig /media/{name_of_usb_stick}
Line 88: Line 99:
#* If there is an 'ak' there, then the laptop is pre-activated.
#* If there is an 'ak' there, then the laptop is pre-activated.


===Upgrade the Activated Laptop===
===Upgrade a Secured Laptop with a Signed Image===


To put the latest signed image on the laptop, follow these steps:
To put the latest signed image (stable build) on the laptop, follow these steps:


# Create a USB stick with the files '''os{number}.img''' and '''fs.zip''' on the disk in the top-level directory. (We recommend that you use a "factory-formatted" USB stick.)
# Create a USB stick with the files '''os{number}.img''' and '''fs.zip''' on the disk in the top-level directory. (We recommend that you use a "factory-formatted" USB stick.)
#* You can download these files from the latest [http://download.laptop.org/xo-1/os/official/latest/jffs2/ official release].
#* You can download these files from the latest [http://download.laptop.org/xo-1/os/official/latest/jffs2/ official release].
# With the USB stick inserted into your XO, power up while holding down '''all four game buttons''' on the right side of screen.
# With the USB stick inserted into your XO, and the battery installed, and AC power plugged in, power up the laptop while holding down '''all four game buttons''' on the right side of screen.
# When prompted to ''release the game keys'', do so.
# When prompted to ''release the game keys'', do so.
#* This will re-write the internal flash memory image.
#* This will re-write the internal flash memory image.
# Once done with this re-flash, the laptop will reboot itself.
# Once done with this re-flash, the laptop will reboot itself.
# Next, the laptop may update the boot firmware, if necessary, and reboot itself.
# Next, the laptop may update the boot firmware, if necessary, and reboot itself.
# After done with the upgrade(s), the laptop will either boot to the prompt you for a name. (If the laptop is not activated, it will fail to boot; all G1G1 laptops are shipped activated.)
# After you're done with the upgrade(s), the laptop will either boot to the prompt you for a name. (If the laptop is not activated, it will fail to boot; all G1G1 laptops are shipped activated.)
# From the Terminal activity check that the laptop is at the version you wanted by typing the command:
# From the Terminal activity check that the laptop is at the version you wanted by typing the command:
cat /etc/issue
cat /etc/issue
Line 105: Line 116:
(If your laptop failed to boot, insert the USB stick with lease.sig on it, and boot the laptop. This can be the same USB stick you used in Step 1 above. This should get you to the prompt for a name.)
(If your laptop failed to boot, insert the USB stick with lease.sig on it, and boot the laptop. This can be the same USB stick you used in Step 1 above. This should get you to the prompt for a name.)


===Upgrading to an '''Unsigned''' Image by disabling security===
</noinclude>

To put an ''unsigned image'' (not a stable release), you may first need to disable activation security. In a country deployment, this may make your laptop more vulnerable to theft &mdash; but it's assumed that if you're running a unstable build you're a developer and willing to take the risk.

See [[Activation_and_developer_keys#How_to_tell_if_your_laptop_is_secured|how to check]] if it is locked, [[Activation_and_developer_keys#Getting_a_developer_key|how to get]] a developer key, [[Activation_and_developer_keys#Using_a_developer_key|how to use]] a developer key, and [[Activation_and_developer_keys#Disabling_the_security_system|how to unlock]] permanently. For groups of laptops, use the [[collection stick]] then an [[collection stick#unlock stick|unlock stick]].

Now, you can follow the normal "developer upgrade" instructions, using either [[Olpc-update|olpc-update]] or this OFW technique:

# Create a USB drive with the files '''os{number}.img''' and '''os{number}.crc''' on the disk in the top-level directory.
# Boot the laptop. OFW will prompt you to hit "Escape" (the X key in the upper-left) to interrupt the boot process. Do so!
# At the firmware '''ok''' prompt, type '''copy-nand u:\os{number}.img'''. The XO should reboot once it is finished.

You can re-enable security in the future if you want to return to signed builds by typing 'enable-security' at the OFW '''ok''' prompt. (Again, pay attention to what OFW says; you may need to do this twice.)

[[Category:Update paths]]

Latest revision as of 06:11, 3 January 2014

  This page is monitored by the OLPC team.
  english | español HowTo [ID# 294574]  +/-  


542-stopicon.png This page has a more up-to-date location: each release's Release notes have instructions for upgrading to it

This page describes how to reinstall the operating system of a secured laptop, whether it is unactivated (fresh from the factory) or already activated.

This process destroys all the data on the laptop, wiping out all user data, and resetting the laptop to booting from a new, standard, signed operating system build. Please use olpc-update if you wish to keep your data.

Steps for secured upgrade, in plain English

  For the general public


0. Before performing the upgrade, please note that EVERYTHING previously created will be deleted!

1. Read release notes for your target release!

Activities must be installed separately.

2. You need a formatted USB flash drive that is larger than 325 MB, and it is better that you format it before copying any files over.

3. To install build 767 (Release 8.2.0) download the following two files from the Internet and put them on the USB flash drive:

http://download.laptop.org/xo-1/os/official/767/jffs2/fs.zip

http://download.laptop.org/xo-1/os/official/767/jffs2/os767.img

  • To download those files, plug the USB flash drive into another computer that is connected to the Internet. Right-click (Ctrl-click for Mac) on each of the above two URLs in the browser and choose "Save Target As" ("Save Link As" for Firefox). Save both files to the USB flash drive. Eject/Remove the USB flash drive, and unplug it.

The first file is about 154Kb, and the second file is quite large (about 233 Mb), which might take a while to download.

After you have finished this step, there should be two files on the USB flash drive, the fs.zip file, and the img file.

4. Make sure the XO laptop is OFF. Make sure that the battery is installed, and that you have external (AC) power plugged in as well. Plug in the USB flash drive, and do not unplug it until instructed.

5. With the USB flash drive inserted, power up the laptop while holding down ALL four game buttons on the right side of screen (the four buttons above the power button, and they are marked with O, V, X, and square). Please be sure to press all of them firmly; use two thumbs if that helps.

6. When the screen says 'release the game key to continue', release all four buttons.

7. You will see arrays of colored grids running on the screen. We are now re-writing the laptop with the new operating system.

8. Once done with re-writing, the laptop will reboot itself.

9. Next, the laptop may update the firmware, if necessary, and reboot itself. It will insist on being plugged in and having a battery present if it needs to update the firmware. (You don't have to do anything; just watch.)

10. After you're done with the update, the laptop will boot to the prompt for your preferred user name. You can now remove the USB flash drive, and it is no longer needed.

Install activities

No activities are included in some versions of the OLPC software. Follow these instructions to install basic activities on release 8.1.0, 8.1.1 and 8.2.0.

  1. Power off the XO
  2. Remove the "fs.zip" file from your flash drive.
  3. Download the activity pack and unzip it to the flash drive (NOT a subdirectory).
  4. Insert the USB flash drive and boot the XO. It will display text on a black screen as the activities are installed, after which it will power off.
  5. Remove the USB flash drive.

Verify your update

12. Go to the Terminal activity (click on the taskbar icon Activity-terminal.svg)

  • The screen should say something like [olpc@xo-05-2D-2F ~]$
  • The numbers don't matter, but be sure that you type things after the $ sign.

14. Type the following to check which version you XO is running:

  cat /etc/issue

15. Press the Enter key

16. If the screen says something that begins with

  OLPC build 767

then we are one step closer to finishing the upgrade process!

17. Go to Home view and mouse over the XO guy in the center.

18. Select the "Shutdown" option to power off the machine. Now you should be able to power it up as usual, with build 767.


Make sure you won't lose your activation lease

G1G1 recipients do not need a lease, and should skip this section.

(Here we check to see whether your laptop has the ak flag set or an activation lease. This doesn't work if your laptop won't boot, so if you're doing this upgrade to get your laptop to start booting again, just proceed to the next section and do the upgrade.)

  1. Get to a terminal on the laptop, and type: ls /security
    • On XO-1 this requires root permissions. See Console for how to get them.
    • If there is a lease.sig file, you will want to save this lease before re-flashing the laptop.
      1. To do so, insert a USB stick, wait for it to mount, and then type: cp /security/lease.sig /media/{name_of_usb_stick}
      2. Then, switch to the home view, go to the journal, mouse over the USB icon, and click unmount.
      3. Remove the USB stick from the USB slot, but make sure the lease.sig file is stored on it. You will have to boot the laptop with this USB stick inserted after the upgrade.
    • If there is no lease.sig file, your manufacturing data is probably set for pre-activation, and you probably don't need to do anything.
    • If you want to check that this is in fact true, in a terminal, type: ls /ofw/mfg-data/
    • If there is an 'ak' there, then the laptop is pre-activated.

Upgrade a Secured Laptop with a Signed Image

To put the latest signed image (stable build) on the laptop, follow these steps:

  1. Create a USB stick with the files os{number}.img and fs.zip on the disk in the top-level directory. (We recommend that you use a "factory-formatted" USB stick.)
  2. With the USB stick inserted into your XO, and the battery installed, and AC power plugged in, power up the laptop while holding down all four game buttons on the right side of screen.
  3. When prompted to release the game keys, do so.
    • This will re-write the internal flash memory image.
  4. Once done with this re-flash, the laptop will reboot itself.
  5. Next, the laptop may update the boot firmware, if necessary, and reboot itself.
  6. After you're done with the upgrade(s), the laptop will either boot to the prompt you for a name. (If the laptop is not activated, it will fail to boot; all G1G1 laptops are shipped activated.)
  7. From the Terminal activity check that the laptop is at the version you wanted by typing the command:
cat /etc/issue

(If your laptop failed to boot, insert the USB stick with lease.sig on it, and boot the laptop. This can be the same USB stick you used in Step 1 above. This should get you to the prompt for a name.)

Upgrading to an Unsigned Image by disabling security

To put an unsigned image (not a stable release), you may first need to disable activation security. In a country deployment, this may make your laptop more vulnerable to theft — but it's assumed that if you're running a unstable build you're a developer and willing to take the risk.

See how to check if it is locked, how to get a developer key, how to use a developer key, and how to unlock permanently. For groups of laptops, use the collection stick then an unlock stick.

Now, you can follow the normal "developer upgrade" instructions, using either olpc-update or this OFW technique:

  1. Create a USB drive with the files os{number}.img and os{number}.crc on the disk in the top-level directory.
  2. Boot the laptop. OFW will prompt you to hit "Escape" (the X key in the upper-left) to interrupt the boot process. Do so!
  3. At the firmware ok prompt, type copy-nand u:\os{number}.img. The XO should reboot once it is finished.

You can re-enable security in the future if you want to return to signed builds by typing 'enable-security' at the OFW ok prompt. (Again, pay attention to what OFW says; you may need to do this twice.)