{"@attributes":{"version":"2.0"},"channel":{"title":"jrt","link":"https:\/\/jrtberlin.de\/","description":"Recent content on jrt","generator":"Hugo -- gohugo.io","language":"en-gb","lastBuildDate":"Sun, 21 Jun 2026 21:30:00 +0100","item":[{"title":"Passkeys: A comprehensive overview","link":"https:\/\/jrtberlin.de\/p\/passkeys-a-comprehensive-overview\/","pubDate":"Sun, 21 Jun 2026 21:30:00 +0100","guid":"https:\/\/jrtberlin.de\/p\/passkeys-a-comprehensive-overview\/","description":"<img src=\"https:\/\/jrtberlin.de\/p\/passkeys-a-comprehensive-overview\/hw-passkeys.webp\" alt=\"Featured image of post Passkeys: A comprehensive overview\" \/><p>Passkeys are everywhere right now. But <em>Why should I care?<\/em> <em>My password is secure!<\/em><\/p>\n<p>In this post I try to cover how we got into to today&rsquo;s mess of authentication methods and why passkeys are a good option going forward.<\/p>\n<h2 id=\"how-did-we-get-here\">How did we get here?\n<\/h2><p>The first computer password allegedly <sup id=\"fnref:1\"><a href=\"#fn:1\" class=\"footnote-ref\" role=\"doc-noteref\">1<\/a><\/sup> dates back to the MIT Compatible Time-Sharing System (CTSS), with multiple terminals that where not user-specific but with each user having an individual set of user-owned files. At the time it seemed like a straight forward idea. Yesterday&rsquo;s solutions like <em>security questions<\/em> about your mothers maiden name where also considered but discarded due to higher resource usage for something so unimportant like authentication.<\/p>\n<p>Interestingly for us, the system was also a target of the first password theft. Using punch cards users could request to print specific files offline. Allan Scherr, a Ph.D. researcher at MIT at the time, requested a print-out of the file containing all passwords. The next day he found a printout containing all the systems-passwords.<\/p>\n<p>This illustrates two security issues:<\/p>\n<ol>\n<li><strong>If there is a path for actions to be taken with weaker or no authentication it can bypass the resilient authentication flow.<\/strong>\nThis is still the case with passkeys. If you log in using an alternative login method that bypasses the secure path the best authentication method does not protect you.\nRecent articles about &ldquo;hacked&rdquo; passkeys used alternative login methods (e.g. smart TV specific login flows) <sup id=\"fnref:2\"><a href=\"#fn:2\" class=\"footnote-ref\" role=\"doc-noteref\">2<\/a><\/sup>\nImplementors need to look at the authentication flow holistically instead of adding another option. The weakest link will still break, if you put a strong one next to it.<\/li>\n<li><strong>If you have access to the password database, all passwords are compromised.<\/strong>\nThis is true for all <strong>shared secrets<\/strong> and still applies today to the concept of passwords.\nWhile it is best practice to hash and salt the stored passwords and the plain-text is not written to disk, the hash and salt combination enables an offline attack using word lists or sheer brute force to try to find a match for the given hash. Bypassing every rate limit. Once found, the password can be used to authenticate against other systems as well, if the user reused the password. This concept is known as <strong>credential stuffing<\/strong>.<\/li>\n<\/ol>\n<h2 id=\"the-mfa-pitfall\">The MFA Pitfall\n<\/h2><p>We now know that <strong>passwords are shared secret that can lead to credential stuffing attacks<\/strong> because of password reuse. The underlying psychological issue goes a lot deeper than that.\nAs everyone who interacts with computers from time to time knows: <strong>A user can set their own password.<\/strong><\/p>\n<p>The main security of passwords from the user perspective hinges on only a few things:<\/p>\n<ol>\n<li>\n<p><strong>The password should be complex<\/strong><\/p>\n<p>Passwords should ideally contain a random selection of characters from a large alphabet (e.g. numbers, letters, special characters,&hellip;) and should have a sufficient length. The result is a password that&rsquo;s hard to brute force but also hard to remember for most humans.<\/p>\n<\/li>\n<li>\n<p><strong>The password should be stored securely<\/strong><\/p>\n<p>The complexity makes the password hard to remember. The result is that a lot of people write their passwords down. The classic example how this could be a problem is a post-it note on the monitor or under the keyboard containing the password. Writing passwords down in itself isn&rsquo;t an issue when stored securely. Only in shared spaces or when others can access it, the behavior turns into an issue, essentially being the same thing as a key under a rock next to a locked house door.\nThis leads to many users logging in via the password reset flow, bypassing the password authentication flow. This is more or less the same as a <strong>magic link<\/strong> with extra steps. In a lot of scenarios the support staff can be convinced to change the associated e-mail address via phone, leading to the password reset e-mails being sent to the attacker.<\/p>\n<\/li>\n<li>\n<p><strong>The password should only be entered on the correct site<\/strong><\/p>\n<p><strong>Phishing<\/strong> is one of the oldest and most effective entries into organizations and user-accounts in general. Scientific studies indicate that awareness campaigns are not an effective solution to the problem. <sup id=\"fnref:3\"><a href=\"#fn:3\" class=\"footnote-ref\" role=\"doc-noteref\">3<\/a><\/sup> The main issue is that once an attacker convinces the user that the site where they try to log in is the legitimate one the user is very likely to enter their credentials. With minor typos and look-alike, <strong>punycode<\/strong>, domains it is error-prone for users to differentiate correct from malicious domains. As an example <code>jrtberlin.de<\/code> and <code>jrtb\u0435rlin.de<\/code> are almost indistinguishable from each other depending on the font. The second one contains the Cyrillic small letter <code>\u0435<\/code> instead of the Latin <code>e<\/code>.<\/p>\n<p>This issue is further increased by a very diverse landscape of valid domains. A friend of mine (<a class=\"link\" href=\"https:\/\/todon.eu\/@ljrk\"  target=\"_blank\" rel=\"noopener\"\n    >@ljrk@todon.eu<\/a>) made a point in a class by having students decide which of the listed domains is an official Microsoft owned domain. <sup id=\"fnref:4\"><a href=\"#fn:4\" class=\"footnote-ref\" role=\"doc-noteref\">4<\/a><\/sup><\/p>\n<p>Some examples like <code>sharepont.online.com<\/code>, <code>office.m365.com<\/code> and <code>sharepointonline.com<\/code> sound plausible, while legitimate ones can sound <em>phishy<\/em> as well like <code>microsoftrewards.com<\/code>.<\/p>\n<\/li>\n<li>\n<p><strong>The password should be unique<\/strong><\/p>\n<p>People are bad at this because of all the before mentioned points. A lot of people pick the easy route and just use <em>their password<\/em> for everything where it complies with the password policy.<\/p>\n<\/li>\n<\/ol>\n<p>All in all: The password as a concept fails Saltzer&rsquo;s and Schroeder&rsquo;s design principle of psychological acceptability, if the password is good. <sup id=\"fnref:5\"><a href=\"#fn:5\" class=\"footnote-ref\" role=\"doc-noteref\">5<\/a><\/sup> <sup id=\"fnref:6\"><a href=\"#fn:6\" class=\"footnote-ref\" role=\"doc-noteref\">6<\/a><\/sup><\/p>\n<p>Because of the before mentioned issues with passwords compliance teams, security staff and regulatory rules often require a second factor (2FA), often referred to as multi-factor-authentication (MFA).\nMFA methods are an add-on to a flawed authentication method, complicating the authentication process, while not resolving most issues.\nWhen an attacker convinces the user to trust that the phishing site is the real one and the user enters their password, there is no reason not to enter the time-based one time password (TOTP), match the displayed Number or press authenticate within the app.<\/p>\n<p>Most phishing frameworks have built-in support for relaying second factors in real time.<sup id=\"fnref:7\"><a href=\"#fn:7\" class=\"footnote-ref\" role=\"doc-noteref\">7<\/a><\/sup> The second factor usually tries to resolve one issue: <strong>credential stuffing<\/strong>, because it makes the secret the user uses to authenticate unique. Through its addition of a truly unique and machine-generated challenge-code, it renders the combined secret the user uses to authenticate as effectively unique. This makes the requirement of MFA so popular, since it&rsquo;s hard to enforce a unique-password-policy through technological means, unlike enforcing MFA.<\/p>\n<blockquote class=\"alert alert-note\">\n        <div class=\"alert-header\">\n            <span class=\"alert-icon\">\ud83d\udcdd<\/span>\n            <span class=\"alert-title\">Note<\/span>\n        <\/div>\n        <div class=\"alert-body\">\n            <p>If you already have unique passwords, TOTP and similar only add negligible additional security. Further, storing them in the password-manager alongside the password reduces the security only by a negligible amount, if the individual is not targeted directly by adversaries, since credential stuffing is forfeited in this case as well &ndash; phishing with TOTP replay works independently of the TOTP&rsquo;s storage location.<\/p>\n        <\/div>\n    <\/blockquote>\n<p>In reality attackers employ a social engineering technique where they try to log in using the credentials, generating authentication request notifications for the user. If the user doesn&rsquo;t approve the login, the attacker will continue to spam the user with new authentication requests. Annoyance can result in a user approving the action in hope to end the spam or pressing approve on accident. This psychological weakness is known as <strong>mfa fatigue<\/strong>.<\/p>\n<p>One MFA-method that increases in popularity that tries to resolve this issue is the <strong>magic link<\/strong>: When the user authenticates, they get an e-mail containing a link. Opening the link logs the user in. This method has a few issues but can, when used correctly, offer some phishing protections. One typical issue with this method is in the implementation. It is important that the link does not authenticate a remote session and only authenticates the user on the device where the link is clicked. Otherwise, an attacker would get authenticated when a user clicks the received link and the phishing site tells the user to check their e-mails.\nA lot of sites in recent years have adopted this method or even replaced passwords entirely with this method. While being an improvement in terms of security, this method has some issues as well:<\/p>\n<ul>\n<li>The UX breaks when a user authenticates on a desktop system and clicks the link on their phone, because now the mobile browser is authenticated instead of the one on the larger screen.<\/li>\n<li>The risk of credential phishing is reduced but not removed: The magic link can still be copied into a field controlled by the attacker, but this flow breaks the typical authentication flow expected by the user and will probably reduce the phishing success rate quite a lot.<\/li>\n<li>Sometimes e-mails will be delivered after the active time frame of the link or not at all. This can lead to a lot of frustration on the users side.<\/li>\n<li>The security now hinges on the e-mail account. Depending on the mail provider this can be a security improvement or a reduction. Considering password reset flows this was probably the case anyway.<\/li>\n<\/ul>\n<p>The result of most MFA methods is a complex authentication flow that annoys users and decreases acceptance of the authentication. This complexity can also lead to weaker passwords, because users think that MFA will protect them.<\/p>\n<h2 id=\"password-managers\">Password Managers\n<\/h2><p>In addition to MFA, password managers are often an argument why the password is still a good option. Password managers are a concept that tries to solve a lot of the issues like having to remember the password, not writing it down in plain-text and built-in generators for complex passwords that additionally comply with a sites&rsquo; password policy.\nIn reality only 36% of Americans use a password manager<sup id=\"fnref:8\"><a href=\"#fn:8\" class=\"footnote-ref\" role=\"doc-noteref\">8<\/a><\/sup> and the amount of people using password generators is likely even lower. In addition, 23% of surveyed users by Forbes reported using the same password for 3-4 different accounts<sup id=\"fnref:9\"><a href=\"#fn:9\" class=\"footnote-ref\" role=\"doc-noteref\">9<\/a><\/sup>.<\/p>\n<p>Glimpsing at risk management (ISO 27001) we can apply one of four different strategies to the identified issues: accept, transfer, reduce, avoid. From a technical perspective we mostly care about reducing the risks, or to avoid the risk by designing a system that inherently does not result in the identified risks.<\/p>\n<p>Password managers are unable to avoid most issues because it requires the user to either use the software in a correct way for example using the built-in password generator or using autofill to ensure the correct site is used.<\/p>\n<p>Autofill is a good idea in theory as well, that tries to detect login fields and entering credentials specific to the site. If the autofill feature is working as intended, it only autofills the credentials on the legitimate site which the credentials belong to.\nWith a lot of websites trying to differentiate themselves by implementing custom design elements or using non-standard components, password managers sometimes are unable to identify the correct login-form elements, resulting in the user having to copy &amp; paste the username and password, even worse: some sites prohibit pasting into the password field.<\/p>\n<p>This brittleness trains users to be comfortable to manually enter credentials on a site.\nThis results in phishing sites being able to convince users to enter their passwords despite the user having autofill enabled. A standardized API for registering and logging in is therefore an important part of passkeys.<\/p>\n<p>One thing that password managers do particularly well is remembering the passwords. This is one of the main risks that the password manager solves and that&rsquo;s why some <strong>passkeys<\/strong> are still stored within a password manager.<\/p>\n<h2 id=\"how-do-passkeys-deal-with-these-issues\">How do passkeys deal with these issues?\n<\/h2><p>Passkeys assume that the issues in authentication systems aren&rsquo;t psychological issues, but technical ones that can be avoided or reduced by an authentication scheme that considers human limitations. Increased technical complexity is accepted if it reduces the complexity from a users&rsquo; perspective.<\/p>\n<p>Passkeys address the shared secret issue by leveraging a so called <strong>challenge-response<\/strong> method using <strong>public-key cryptography<\/strong>.<\/p>\n<blockquote class=\"alert alert-note\">\n        <div class=\"alert-header\">\n            <span class=\"alert-icon\">\ud83d\udcdd<\/span>\n            <span class=\"alert-title\">Note<\/span>\n        <\/div>\n        <div class=\"alert-body\">\n            <p>Public-key cryptography (asymmetric cryptography) relies on a mathematically linked key pair: a <strong>public key<\/strong> and a <strong>private key<\/strong>. While the public key is shared openly and linked to your identity, the private key remains strictly secret. For passkeys, the central concept is the <strong>digital signature<\/strong>: The private key is used to perform a mathematical operation on a message to generate a unique cryptographic proof. Anyone else can then use the corresponding public key to verify this proof. If the verification succeeds, it proves that the signature was created by the holder of the private key &ndash; without ever exposing the secret key itself.<\/p>\n        <\/div>\n    <\/blockquote>\n<p>Passkeys use this technique to sign challenges from the site with the private key and proving to the site that the user who signed the message is in possession of the private key and therefore likely the legitimate user.<\/p>\n<p>This results for example in the fact that if a website gets breached the attacker does not gain your secret required to log in and the site does not need to rotate all secrets because the website does not store the users confidential private-key.<\/p>\n<pre class=\"mermaid\" style=\"visibility:hidden\">---\ntitle: Passkey Key Storage\n---\nflowchart LR\n    PW(Passkey Generation) -->|Public Key| Server[(\"Website\n    (relying party)\")]\n    PW  -->|Private Key| Authenticator[(\"Authenticator\n    (e.g. User owned device)\")]<\/pre><p>Let&rsquo;s compare the password requirements above with how passkeys solve the issue or absolve of the need entirely:<\/p>\n<ol>\n<li>\n<p><strong>The password should be complex<\/strong><\/p>\n<p>Passkeys are always based on a private key that is not picked by the user and instead generated.<\/p>\n<\/li>\n<li>\n<p><strong>The password should be stored securely<\/strong><\/p>\n<p>Passkeys are created, stored and updated by the password manager, operating system keychain or a physical device.<\/p>\n<\/li>\n<li>\n<p><strong>The password should only be entered on the correct site<\/strong><\/p>\n<p>Passkeys are only valid for the <strong>relying-party id<\/strong> (<code>rp.id<\/code>: Passkey lingo for the domain name or an application) that they are created for. An attacker controlled site can not request an authentication for a different domain.<\/p>\n<\/li>\n<li>\n<p><strong>The password should be unique<\/strong><\/p>\n<p>A relying-party (e.g. a website) can have multiple passkeys, but a passkey can not be shared between sites.<\/p>\n<\/li>\n<\/ol>\n<p>In practice a user is prompted by the operating system or browser to choose an identity provided by a credential manager, like a password manager or a hardware backed credential:<\/p>\n<p><img alt=\"Android\u2019s built-in credential manager\" class=\"gallery-image\" data-flex-basis=\"194px\" data-flex-grow=\"81\" height=\"1276\" loading=\"lazy\" sizes=\"(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px\" src=\"https:\/\/jrtberlin.de\/p\/passkeys-a-comprehensive-overview\/credman-ui.png\" srcset=\"https:\/\/jrtberlin.de\/p\/passkeys-a-comprehensive-overview\/credman-ui_hu_ccd68b1873938533.png 800w, https:\/\/jrtberlin.de\/p\/passkeys-a-comprehensive-overview\/credman-ui.png 1035w\" width=\"1035\"><\/p>\n<p>A more technical explanation of the passkey building blocks and how they work together can be found in the <a class=\"link\" href=\"#appendix\" >appendix<\/a> below.<\/p>\n<h2 id=\"faq\">FAQ\n<\/h2><h3 id=\"what-is-a-passkey\">What is a passkey?\n<\/h3><p>A passkey is a marketing term for a <strong>FIDO2 resident-key credential with user-verification<\/strong>.<\/p>\n<h3 id=\"are-passkeys-an-authentication-vendor-lockin\">Are passkeys an authentication vendor-lockin?\n<\/h3><p>In short: <strong>No<\/strong>, passkeys are an open standard.<\/p>\n<p>In the past companies like, Google, Apple, Facebook, \u2026 tried to tie authentication of third-party services to themselves using &ldquo;Sign in with &hellip;&rdquo; login-options.\nPasskeys are a universal standard. And with the Credential Exchange Specification (CX)<sup id=\"fnref:11\"><a href=\"#fn:11\" class=\"footnote-ref\" role=\"doc-noteref\">11<\/a><\/sup> there is a common solution to export credentials to different providers.\nThat being said relying parties can restrict the choice of the authenticator in a few ways:<\/p>\n<ul>\n<li>restrict to a specific authenticator using the AAGID <sup id=\"fnref:12\"><a href=\"#fn:12\" class=\"footnote-ref\" role=\"doc-noteref\">12<\/a><\/sup>: useful in an organization to restrict the authenticator to the one given out by the IT department or to ones that comply with a specific certification<\/li>\n<li>restrict to device-bound passkeys (exclude software based, syncable passkeys e.g. password managers instead of TPM or USB Token backed passkeys)<\/li>\n<\/ul>\n<p>One negative example how this can be used for consumers outside of organizations is apples restriction to iOS devices and only allowing FIDO2 USB tokens as a second factor for the password login-flow.<\/p>\n<h3 id=\"can-i-still-use-my-hardware-token\">Can I still use my hardware token?\n<\/h3><p><strong>Yes<\/strong>, FIDO2 USB tokens that support resident keys are and will be supported going forward. It is just not required for a user to own a security token to participate in the FIDO ecosystem anymore.\nFor most people software based passkeys are an overall improvement in user experience and security. People with different threat-models should keep using FIDO2 USB tokens or at least hardware-backed credentials that are non-transferable and protected by a strong PIN.<\/p>\n<h3 id=\"should-i-use-a-hardware-token\">Should I use a hardware token?\n<\/h3><p><strong>It depends<\/strong>, we need to differentiate between at-risk users like public figures and privileged users and regular users that typically don&rsquo;t get targeted specifically.<\/p>\n<p>A hardware token is a form of a device-bound passkey, a <strong>roaming authenticator<\/strong> because it is device-bound but can roam between different platforms. A secure enclave for example is a <strong>platfrom authenticator<\/strong> because it is built-in to a platform.<\/p>\n<table>\n\t<thead>\n\t\t\t<tr>\n\t\t\t\t\t<th>Type<\/th>\n\t\t\t\t\t<th>Use-Case<\/th>\n\t\t\t<\/tr>\n\t<\/thead>\n\t<tbody>\n\t\t\t<tr>\n\t\t\t\t\t<td>Synced Passkey<\/td>\n\t\t\t\t\t<td>A synced passkey is software based and can be used as an alternative for passwords by everyday users. It is hard to lose the passkey because it is synced across devices. This is usually a password manager.<\/td>\n\t\t\t<\/tr>\n\t\t\t<tr>\n\t\t\t\t\t<td>Device-Bound Passkey<\/td>\n\t\t\t\t\t<td>A device bound passkey is lost if the device is damaged or stolen. While this is a risk for everyday users it also prevents attackers from stealing the private key in a more resilient way because these are usually backed by hardware instead of software. (e.g. TPM2, Trust Zone, Secure Enclaves, FIDO2 Token, &hellip;)<\/td>\n\t\t\t<\/tr>\n\t<\/tbody>\n<\/table>\n<p>Since hardware keys require more effort to be used, it can be helpful to protect the password manager with a physical token and put other passkeys within the password manager.<\/p>\n<h3 id=\"lack-of-universal-platform-support\">Lack of universal platform support\n<\/h3><p>This was and is indeed one of the pain points that slowly gets addressed.\nCurrent versions of Android, iOS, macOS, Windows and ChromeOS support FIDO2.<\/p>\n<p>Desktop Linux is lacking behind quite a bit, supporting USB security tokens and Bluetooth authenticators (via some Chromium based browsers) and password manager support via browser extensions.\nThe universal backend on the operating system level with an option to store passkeys on device using the TPM2 is work in progress. See the <a class=\"link\" href=\"https:\/\/github.com\/linux-credentials\"  target=\"_blank\" rel=\"noopener\"\n    >linux-credentials project<\/a> <sup id=\"fnref:13\"><a href=\"#fn:13\" class=\"footnote-ref\" role=\"doc-noteref\">13<\/a><\/sup><\/p>\n<h3 id=\"passkeys-are-not-shareable\">Passkeys are not shareable\n<\/h3><p>The shared Netflix-Password is ubiquitous, and it is a common misconception that passkeys prevent shared accounts.<\/p>\n<p>Most sites allow the registration of multiple passkeys and some password managers, like Apple Passwords, allow temporary sharing of passkeys.\nA roaming authenticator, for example a YubiKey, can be handed over like a pair of keys.<\/p>\n<h3 id=\"passkeys-enable-big-tech-to-get-your-biometrics\">Passkeys enable big tech to get your biometrics\n<\/h3><p><strong>No<\/strong>, biometrics are used to locally unlock the authenticator, similar to a PIN on a SIM used in your phone.\nBiometrics are an optional feature, that falls back to device credentials like the device PIN or password.<\/p>\n<p>Additionally, biometrics can improve security in some contexts and threat models: For example when unlocking a phone or signing in on public transport shoulder surfing is often used to see the PIN code to remove the activation lock of the phone after stealing it. Using biometrics can reduce the likeliness of getting the phone stolen in public.<\/p>\n<p>Law enforcement in some jurisdictions is allowed to force you to unlock the phone using your fingerprint but not you to tell them your password. So depending on your personal threat model you might want to make a conscious decision whether to use biometrics. (Relevant aspect here is that Android<sup id=\"fnref:14\"><a href=\"#fn:14\" class=\"footnote-ref\" role=\"doc-noteref\">14<\/a><\/sup> and iOS<sup id=\"fnref:15\"><a href=\"#fn:15\" class=\"footnote-ref\" role=\"doc-noteref\">15<\/a><\/sup> have a quick way to disable biometrics)<\/p>\n<h3 id=\"passkeys-complicate-digital-inheritance-and-account-recovery-after-death\">Passkeys complicate digital inheritance and account recovery after death\n<\/h3><p>If passwords are handled appropriately the issue is more or less identical.\nPasskeys for most users are stored within their password manager that is unlocked with the device credentials. Device credentials on commercial devices usually have an unlock option via the cloud service. In some countries cloud services and device manufacturers need to give access to the account or device when a death certificate is presented by close family members.<\/p>\n<p>Additionally, a few sites allow managing your digital inheritance, like Google.<sup id=\"fnref:16\"><a href=\"#fn:16\" class=\"footnote-ref\" role=\"doc-noteref\">16<\/a><\/sup><\/p>\n<h2 id=\"appendix\">Appendix\n<\/h2><h3 id=\"what-are-the-passkey-building-blocks\">What are the passkey building blocks?\n<\/h3><p>So what are passkeys made of? To understand how passkeys work on a basic level we can investigate the following diagram:<\/p>\n<pre class=\"mermaid\" style=\"visibility:hidden\">---\ntitle: Passkey Building Blocks\n---\nflowchart LR\n\tAuthenticator(\"\n\tAuthenticator\nCredential Storage\n(e.g. USB token, password manager,...)\") <-->|CTAP2| Client(\"Client\nUsually the browser or OS\")\n    Client <-->|WebAuthn| RP(\"Relying Party (RP)\nService to login\")<\/pre><p>There is the <strong>authenticator<\/strong>, that can be a secure enclave in a smartphone, a TPM2 in a laptop, a password manager or a FIDO2 USB token like a YubiKey, that stores the credential. The <strong>roaming authenticator<\/strong>, authenticators that are not built-in to the platform (like TPM2 or secure enclaves), communicates with the browser or operating system of the user (<strong>client<\/strong>) via a protocol named <strong>Client to Authenticator Protocol 2 (CTAP2)<\/strong>.\nThe CTAP2 protocol standardizes the integration of an external authenticator in the platform via a transport method like USB, NFC or Bluetooth.\nWhen a user tries to authenticate with a relying party, for example a website, the communication between the client and the relying party happens through a protocol called <strong>Webauthn<\/strong>. This process is called a <strong>ceremony<\/strong>.<\/p>\n<p>There are two types of webauthn credentials: <strong>resident key (rk)<\/strong> and <strong>non-resident key (nrk)<\/strong>. Resident key refers to the property that the private key of the webauthn credential resides on the authenticator. Non-resident keys on the other hand are ephemeral, and the private key is regenerated in a deterministic way based on the credential-id provided by the relying party. This has an impact on user experience: a non-resident key depends on the relying party providing the credential-id and the site only knows the correct ID associated with the user, when it knows who the user is. The UX effect of this is that the user has to enter a factor identifying the account, like a username or an e-mail address. This type is often used as a second factor for password based login-systems.<\/p>\n<p>The resident key is a full private key stored on the authenticator, containing the relying-party and an account identifier. This can be used to authenticate the user without being required to fill-out a login form by the user. From a user experience perspective in practice this looks like the user pressing sign-in and getting prompted by the authenticator or platform to scan their finger or enter a device pin to log in. This <strong>user-verification (uv<\/strong>) is optional but largely a set requirement for sites that refer to it as a passkey. In addition, there is the concept of <strong>user-presence (up)<\/strong>, which verifies that the user is in physical proximity to the authenticator. This is usually realized by the user tapping the USB Token. Biometrics like a fingerprint reader usually imply user-presence in addition to the user verification.<\/p>\n<p>The built-in user verification on the client side is why passkeys are often referred to having MFA. Whether this is an actual second factor or if the concept of a second factor is useful at all from a security standpoint goes a bit too much off-rails for this post.<\/p>\n<div class=\"footnotes\" role=\"doc-endnotes\">\n<hr>\n<ol>\n<li id=\"fn:1\">\n<p><a class=\"link\" href=\"https:\/\/www.wired.com\/2012\/01\/computer-password\/\"  target=\"_blank\" rel=\"noopener\"\n    >https:\/\/www.wired.com\/2012\/01\/computer-password\/<\/a>&#160;<a href=\"#fnref:1\" class=\"footnote-backref\" role=\"doc-backlink\">&#x21a9;&#xfe0e;<\/a><\/p>\n<\/li>\n<li id=\"fn:2\">\n<p><a class=\"link\" href=\"https:\/\/expel.com\/blog\/an-important-update-and-apology-on-our-poisonseed-blog\/\"  target=\"_blank\" rel=\"noopener\"\n    >https:\/\/expel.com\/blog\/an-important-update-and-apology-on-our-poisonseed-blog\/<\/a>&#160;<a href=\"#fnref:2\" class=\"footnote-backref\" role=\"doc-backlink\">&#x21a9;&#xfe0e;<\/a><\/p>\n<\/li>\n<li id=\"fn:3\">\n<p><a class=\"link\" href=\"https:\/\/people.cs.uchicago.edu\/~grantho\/papers\/oakland2025_phishing-training.pdf\"  target=\"_blank\" rel=\"noopener\"\n    >https:\/\/people.cs.uchicago.edu\/~grantho\/papers\/oakland2025_phishing-training.pdf<\/a>&#160;<a href=\"#fnref:3\" class=\"footnote-backref\" role=\"doc-backlink\">&#x21a9;&#xfe0e;<\/a><\/p>\n<\/li>\n<li id=\"fn:4\">\n<p><a class=\"link\" href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:ugcPost:7384995234763653120?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7384995234763653120%2C7384995652545531904%29&amp;dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287384995652545531904%2Curn%3Ali%3AugcPost%3A7384995234763653120%29\"  target=\"_blank\" rel=\"noopener\"\n    >https:\/\/www.linkedin.com\/feed\/update\/urn:li:ugcPost:7384995234763653120?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7384995234763653120%2C7384995652545531904%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287384995652545531904%2Curn%3Ali%3AugcPost%3A7384995234763653120%29<\/a>&#160;<a href=\"#fnref:4\" class=\"footnote-backref\" role=\"doc-backlink\">&#x21a9;&#xfe0e;<\/a><\/p>\n<\/li>\n<li id=\"fn:5\">\n<p><a class=\"link\" href=\"https:\/\/nob.cs.ucdavis.edu\/classes\/ecs153-2000-04\/design.html\"  target=\"_blank\" rel=\"noopener\"\n    >https:\/\/nob.cs.ucdavis.edu\/classes\/ecs153-2000-04\/design.html<\/a>&#160;<a href=\"#fnref:5\" class=\"footnote-backref\" role=\"doc-backlink\">&#x21a9;&#xfe0e;<\/a><\/p>\n<\/li>\n<li id=\"fn:6\">\n<p><a class=\"link\" href=\"https:\/\/shostack.org\/blog\/the-security-principles-of-saltzer-and-schroeder\"  target=\"_blank\" rel=\"noopener\"\n    >https:\/\/shostack.org\/blog\/the-security-principles-of-saltzer-and-schroeder<\/a>&#160;<a href=\"#fnref:6\" class=\"footnote-backref\" role=\"doc-backlink\">&#x21a9;&#xfe0e;<\/a><\/p>\n<\/li>\n<li id=\"fn:7\">\n<p><a class=\"link\" href=\"https:\/\/evilginx.com\/features\"  target=\"_blank\" rel=\"noopener\"\n    >https:\/\/evilginx.com\/features<\/a>&#160;<a href=\"#fnref:7\" class=\"footnote-backref\" role=\"doc-backlink\">&#x21a9;&#xfe0e;<\/a><\/p>\n<\/li>\n<li id=\"fn:8\">\n<p><a class=\"link\" href=\"https:\/\/www.security.org\/digital-safety\/password-manager-annual-report\/\"  target=\"_blank\" rel=\"noopener\"\n    >https:\/\/www.security.org\/digital-safety\/password-manager-annual-report\/<\/a>&#160;<a href=\"#fnref:8\" class=\"footnote-backref\" role=\"doc-backlink\">&#x21a9;&#xfe0e;<\/a><\/p>\n<\/li>\n<li id=\"fn:9\">\n<p><a class=\"link\" href=\"https:\/\/www.forbes.com\/advisor\/business\/software\/american-password-habits\/\"  target=\"_blank\" rel=\"noopener\"\n    >https:\/\/www.forbes.com\/advisor\/business\/software\/american-password-habits\/<\/a>&#160;<a href=\"#fnref:9\" class=\"footnote-backref\" role=\"doc-backlink\">&#x21a9;&#xfe0e;<\/a><\/p>\n<\/li>\n<li id=\"fn:10\">\n<p><a class=\"link\" href=\"https:\/\/developer.android.com\/identity\/credential-manager\"  target=\"_blank\" rel=\"noopener\"\n    >https:\/\/developer.android.com\/identity\/credential-manager<\/a> (Portions of this page are reproduced from work created and shared by the Android Open Source Project and used according to terms described in the Creative Commons 2.5 Attribution License.)&#160;<a href=\"#fnref:10\" class=\"footnote-backref\" role=\"doc-backlink\">&#x21a9;&#xfe0e;<\/a><\/p>\n<\/li>\n<li id=\"fn:11\">\n<p><a class=\"link\" href=\"https:\/\/fidoalliance.org\/specifications-credential-exchange-specifications\/\"  target=\"_blank\" rel=\"noopener\"\n    >https:\/\/fidoalliance.org\/specifications-credential-exchange-specifications\/<\/a>&#160;<a href=\"#fnref:11\" class=\"footnote-backref\" role=\"doc-backlink\">&#x21a9;&#xfe0e;<\/a><\/p>\n<\/li>\n<li id=\"fn:12\">\n<p><a class=\"link\" href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/concept-fido2-hardware-vendor\"  target=\"_blank\" rel=\"noopener\"\n    >https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/concept-fido2-hardware-vendor<\/a>&#160;<a href=\"#fnref:12\" class=\"footnote-backref\" role=\"doc-backlink\">&#x21a9;&#xfe0e;<\/a><\/p>\n<\/li>\n<li id=\"fn:13\">\n<p><a class=\"link\" href=\"https:\/\/github.com\/linux-credentials\"  target=\"_blank\" rel=\"noopener\"\n    >https:\/\/github.com\/linux-credentials<\/a>&#160;<a href=\"#fnref:13\" class=\"footnote-backref\" role=\"doc-backlink\">&#x21a9;&#xfe0e;<\/a><\/p>\n<\/li>\n<li id=\"fn:14\">\n<p><a class=\"link\" href=\"https:\/\/security.googleblog.com\/2020\/09\/lockscreen-and-authentication.html\"  target=\"_blank\" rel=\"noopener\"\n    >https:\/\/security.googleblog.com\/2020\/09\/lockscreen-and-authentication.html<\/a>&#160;<a href=\"#fnref:14\" class=\"footnote-backref\" role=\"doc-backlink\">&#x21a9;&#xfe0e;<\/a><\/p>\n<\/li>\n<li id=\"fn:15\">\n<p><a class=\"link\" href=\"https:\/\/daringfireball.net\/2022\/06\/require_a_passcode_to_unlock_your_iphone\"  target=\"_blank\" rel=\"noopener\"\n    >https:\/\/daringfireball.net\/2022\/06\/require_a_passcode_to_unlock_your_iphone<\/a>&#160;<a href=\"#fnref:15\" class=\"footnote-backref\" role=\"doc-backlink\">&#x21a9;&#xfe0e;<\/a><\/p>\n<\/li>\n<li id=\"fn:16\">\n<p><a class=\"link\" href=\"https:\/\/myaccount.google.com\/inactive\"  target=\"_blank\" rel=\"noopener\"\n    >https:\/\/myaccount.google.com\/inactive<\/a>&#160;<a href=\"#fnref:16\" class=\"footnote-backref\" role=\"doc-backlink\">&#x21a9;&#xfe0e;<\/a><\/p>\n<\/li>\n<\/ol>\n<\/div>\n"},{"title":"A Deep Dive into the Fossil Q Explorist","link":"https:\/\/jrtberlin.de\/p\/a-deep-dive-into-the-fossil-q-explorist\/","pubDate":"Mon, 03 Jun 2019 00:00:00 +0000","guid":"https:\/\/jrtberlin.de\/p\/a-deep-dive-into-the-fossil-q-explorist\/","description":"<p>The Fossil Q Explorist is a smartwatch that comes with Wear OS (formerly Android Wear) and is made from metal and glass. It contains the Snapdragon Wear 2100, a 32-bit ARM CPU with 4 Cortex A7 cores that speeds up to 1.2 GHz and an Adreno 304 GPU. The 512 MB RAM and 4 GB storage sound small, but are enough for a watch, that is essentially just a notification mirror anyway. The 370 mAh battery lasts for one entire day and gets energized via a magnetic wireless charging pad.<\/p>\n<h2 id=\"software\">Software\n<\/h2><p>Customizing the watch face is simple and an integral part of the experience. If you want to change something different it gets more tricky.  Even simple things like custom Ringtones are not possible without access to the internal storage.<\/p>\n<h3 id=\"accessing-the-internal-storage\">Accessing the internal storage\n<\/h3><p>Accessing the internal storage is possible but we need to use WiFi 4 (802.11n) because the watch does not have a single port.\nFirst, we make sure that the Explorist is connected to the WFi of our choice and has an IP address. In the second step, we need to enable the developer options and turn on ADB over WiFI. That can be achieved by going to &lsquo;System -&gt; Info&rsquo; and tapping the &lsquo;Build-Number&rsquo; 7 times in a row.\nNext, we can move back to the first settings page and scroll down to developer options. After enabling ADB and ADB over WiFi we can connect to the watch.<\/p>\n<div class=\"highlight\"><div class=\"chroma\">\n<table class=\"lntable\"><tr><td class=\"lntd\">\n<pre tabindex=\"0\" class=\"chroma\"><code><span class=\"lnt\">1\n<\/span><\/code><\/pre><\/td>\n<td class=\"lntd\">\n<pre tabindex=\"0\" class=\"chroma\"><code class=\"language-bash\" data-lang=\"bash\"><span class=\"line\"><span class=\"cl\">adb connect ip&lt;:port&gt;\n<\/span><\/span><\/code><\/pre><\/td><\/tr><\/table>\n<\/div>\n<\/div><p>While trying to connect there should be a popup on the watch asking for permission. We can add our computer to the list of trusted devices by accepting the request.<\/p>\n<p>To complete the Ringtone example we leave the shell by typing <code>exit<\/code> and choose a sound file on our computer to transfer. We can push the file by writing:\n<code>adb push \/path\/to\/soundfile.mp3 \/sdcard\/Ringtones\/soundfile.mp3<\/code><\/p>\n<p>If the ringtone is not showing up in the audio settings ringtone list, simply reboot the watch by typing <code>adb reboot<\/code> or reboot it via system settings.<\/p>\n<p><img alt=\"Audio Settings - Ringtone list with custom ringtone\" class=\"gallery-image\" data-flex-basis=\"240px\" data-flex-grow=\"100\" height=\"454\" loading=\"lazy\" sizes=\"(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px\" src=\"https:\/\/jrtberlin.de\/p\/a-deep-dive-into-the-fossil-q-explorist\/audio.webp\" width=\"454\"><\/p>\n<h2 id=\"additional-info\">Additional Info\n<\/h2><p><code>adb shell getprop<\/code> returns some new info on the device.<\/p>\n\n    <blockquote>\n        <p><strong>Info<\/strong>\n[ro.hardware]: [bluegill]<br\/>\n[ro.oem.brand]: [Fossil]<br\/>\n[ro.oem.device]: [Explorist]<br\/>\n[ro.oem.sku]: [<strong>FTW4001<\/strong>]<br\/>\n[ro.product.board]: [bluegill]<br\/>\n[ro.product.cpu.abilist]: [armeabi-v7a,armeabi]<br\/>\n[ro.product.device]: [<strong>bluegill<\/strong>]<br\/>\n[ro.product.first_api_level]: [25]<br\/>\n[ro.product.<strong>manufacturer<\/strong>]: [<strong>Compal<\/strong>]<br\/>\n[ro.product.model]: [Q Explorist]<br\/>\n[ro.product.name]: [bluegill]<br\/>\n<strong>[ro.treble.enabled]: [false]<\/strong><bt\/><\/p>\n\n    <\/blockquote>\n<p>Turns out the Fossil Q Explorist is manufactured by Compal and has the codename <code>bluegill<\/code>\nAn interesting note is that this device has no treble layer, which makes it harder to build custom roms for it or use a <a class=\"link\" href=\"https:\/\/source.android.com\/setup\/build\/gsi\"  target=\"_blank\" rel=\"noopener\"\n    >generic system image (GSI)<\/a>. But with a little bit of help by @fossil on Twitter I got a <a class=\"link\" href=\"https:\/\/android.googlesource.com\/kernel\/msm.git\/&#43;\/refs\/heads\/android-msm-bluegill-3.18-pie-wear-dr\"  target=\"_blank\" rel=\"noopener\"\n    >link to the kernel sources<\/a>.<\/p>\n<p>Speaking of custom ROMs, if we want to run our own wear OS builds or a non-Android based OS, we need access to the bootloader.With <code>adb reboot bootloader<\/code> we can boot into the bootloader.<\/p>\n<p><img alt=\"fastboot mode of the fosil q explorist \/ bluegill\" class=\"gallery-image\" data-flex-basis=\"480px\" data-flex-grow=\"200\" height=\"300\" loading=\"lazy\" sizes=\"(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px\" src=\"https:\/\/jrtberlin.de\/p\/a-deep-dive-into-the-fossil-q-explorist\/recovery_fastboot.webp\" width=\"600\"><\/p>\n<p>The fastboot mode can be navigated by pressing the power button short and long to select the shown option.<\/p>\n<p>Unfortunately, WiFi is not working in fastboot or recovery mode and the watch does not have a port.<\/p>\n<h2 id=\"pinouts\">Pinouts\n<\/h2><p>Opening up the Fossil Q Explorist reveals the pinouts on the mainboard. I highly recommend to use a specialized tool for this task to avoid scratching the easy scratchable lid. You can find one for under 2\u20ac on ebay or Aliexpress.<\/p>\n<p><img alt=\"Fossil Q Explorist \/ Compal bluegill pinouts\" class=\"gallery-image\" data-flex-basis=\"185px\" data-flex-grow=\"77\" height=\"2248\" loading=\"lazy\" sizes=\"(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px\" src=\"https:\/\/jrtberlin.de\/p\/a-deep-dive-into-the-fossil-q-explorist\/bluegill.webp\" srcset=\"https:\/\/jrtberlin.de\/p\/a-deep-dive-into-the-fossil-q-explorist\/bluegill_hu_8919d9ab356c5af.webp 800w, https:\/\/jrtberlin.de\/p\/a-deep-dive-into-the-fossil-q-explorist\/bluegill_hu_98c70704bff2bf9.webp 1600w, https:\/\/jrtberlin.de\/p\/a-deep-dive-into-the-fossil-q-explorist\/bluegill.webp 1742w\" width=\"1742\"><\/p>\n\n    <blockquote>\n        <p><strong>Warning:<\/strong>\nI received the pin out via email by someone who claims to have a stable connection via USB by soldering. <strong>I&rsquo;m not responsible for any damaged devices!<\/strong><\/p>\n\n    <\/blockquote>\n<table>\n\t<thead>\n\t\t\t<tr>\n\t\t\t\t\t<th>Pin<\/th>\n\t\t\t\t\t<th>Name<\/th>\n\t\t\t\t\t<th>Description<\/th>\n\t\t\t<\/tr>\n\t<\/thead>\n\t<tbody>\n\t\t\t<tr>\n\t\t\t\t\t<td>1<\/td>\n\t\t\t\t\t<td>VCC<\/td>\n\t\t\t\t\t<td>5V<\/td>\n\t\t\t<\/tr>\n\t\t\t<tr>\n\t\t\t\t\t<td>2<\/td>\n\t\t\t\t\t<td>GND<\/td>\n\t\t\t\t\t<td><\/td>\n\t\t\t<\/tr>\n\t\t\t<tr>\n\t\t\t\t\t<td>3<\/td>\n\t\t\t\t\t<td>Data-<\/td>\n\t\t\t\t\t<td><\/td>\n\t\t\t<\/tr>\n\t\t\t<tr>\n\t\t\t\t\t<td>4<\/td>\n\t\t\t\t\t<td>Data+<\/td>\n\t\t\t\t\t<td><\/td>\n\t\t\t<\/tr>\n\t\t\t<tr>\n\t\t\t\t\t<td>5<\/td>\n\t\t\t\t\t<td>ID<\/td>\n\t\t\t\t\t<td><\/td>\n\t\t\t<\/tr>\n\t<\/tbody>\n<\/table>\n<hr>\n<p>If you have feedback\/more info please send an email to <code>feedback[at]jrtberlin[dot]de<\/code>.<\/p>\n"},{"title":"Making a Huawei\/Honor live demo unit useable","link":"https:\/\/jrtberlin.de\/p\/making-a-huawei\/honor-live-demo-unit-useable\/","pubDate":"Wed, 23 Jan 2019 19:45:00 +0100","guid":"https:\/\/jrtberlin.de\/p\/making-a-huawei\/honor-live-demo-unit-useable\/","description":"<h2 id=\"what-are-live-demo-units\">What are &ldquo;Live Demo Units&rdquo;?\n<\/h2><p>&ldquo;Retail Units&rdquo; or &ldquo;Live Demo Units&rdquo; are the devices you see in shops or on display. You can spot them very easy:<\/p>\n<ul>\n<li>Does it play an ad instead of a lock screen?<\/li>\n<li>Does it factory reset itself every few hours?<\/li>\n<li>Are SIM cards not recognized?<\/li>\n<\/ul>\n<p>Not all of these questions must be answered with yes. &ldquo;Retail Units&rdquo; differ hugely depending on the manufacturer, the model, and the configuration.\nSamsung &ldquo;Live Demo Units&rdquo; often come without a baseband, meaning that you can&rsquo;t use a SIM card. These can be unlocked and flashed. (Be cautious with ROMs that include a baseband\/modem firmware, these can brick your device and make WiFi and\/or Bluetooth unuseable.)\nFlashing the device or removing the &ldquo;Retail Mode&rdquo; has a few benefits.<\/p>\n<ol>\n<li>Devices without a Modem can be used as a &ldquo;WiFi only&rdquo; device (like an iPod touch compared to an iPhone)<\/li>\n<li>Retailers can support customers or demo functionality on the device without being interrupted or restricted by the mode.<\/li>\n<li>Device Settings and\/or custom content doesn&rsquo;t get removed automatically.<\/li>\n<\/ol>\n<p>This small guide is specific for new Huawei\/Honor devices. I use a Mate 20 lite as an example.\nI highly recommend, even with the mentioned upsides, not to sell these devices. They are usually subsidized by the manufacturer and often have still persisting discrepancies. One example could be the lack of a lock screen or a persistent notification.<\/p>\n<h2 id=\"removing-the-retail-mode\">Removing the &ldquo;Retail Mode&rdquo;\n<\/h2><p>The &ldquo;Retail Mode&rdquo; App is set as a Device Admin. Therefore we need to disable it as an administrator before we can remove it. To do so, open up device administrator settings. You can navigate there via the command:<\/p>\n<div class=\"highlight\"><div class=\"chroma\">\n<table class=\"lntable\"><tr><td class=\"lntd\">\n<pre tabindex=\"0\" class=\"chroma\"><code><span class=\"lnt\">1\n<\/span><\/code><\/pre><\/td>\n<td class=\"lntd\">\n<pre tabindex=\"0\" class=\"chroma\"><code class=\"language-bash\" data-lang=\"bash\"><span class=\"line\"><span class=\"cl\">adb shell am start -S <span class=\"s2\">&#34;com.android.settings\/com.android.settings.DeviceAdminSettings&#34;<\/span>\n<\/span><\/span><\/code><\/pre><\/td><\/tr><\/table>\n<\/div>\n<\/div><p>Once the command succeeded and we removed the &ldquo;Retail Mode&rdquo; as an Admin, we can use Androids package manager <code>pm<\/code> to remove it. Since its a system app we can&rsquo;t remove the app completely (we are not root), however, we can uninstall it for the user account. The user account with the ID &ldquo;0&rdquo; is in most cases the right one.<\/p>\n<div class=\"highlight\"><div class=\"chroma\">\n<table class=\"lntable\"><tr><td class=\"lntd\">\n<pre tabindex=\"0\" class=\"chroma\"><code><span class=\"lnt\">1\n<\/span><\/code><\/pre><\/td>\n<td class=\"lntd\">\n<pre tabindex=\"0\" class=\"chroma\"><code class=\"language-bash\" data-lang=\"bash\"><span class=\"line\"><span class=\"cl\">adb shell pm uninstall -k --user <span class=\"m\">0<\/span> com.huawei.retaildemo\n<\/span><\/span><\/code><\/pre><\/td><\/tr><\/table>\n<\/div>\n<\/div><p>Once done, we have successfully removed the video playback and the automatic device-reset. Sometimes there are device specific changes left and a demo app. To determine what the package name could be we can list all packages that are installed and use <code>grep<\/code> to filter.<\/p>\n<div class=\"highlight\"><div class=\"chroma\">\n<table class=\"lntable\"><tr><td class=\"lntd\">\n<pre tabindex=\"0\" class=\"chroma\"><code><span class=\"lnt\">1\n<\/span><\/code><\/pre><\/td>\n<td class=\"lntd\">\n<pre tabindex=\"0\" class=\"chroma\"><code class=\"language-bash\" data-lang=\"bash\"><span class=\"line\"><span class=\"cl\">pm list packages <span class=\"p\">|<\/span> grep <span class=\"s2\">&#34;huawei&#34;<\/span>\n<\/span><\/span><\/code><\/pre><\/td><\/tr><\/table>\n<\/div>\n<\/div><p>We have to look at the results and decide which package is most likely the one we want to remove. In this instance, I found an App called &ldquo;Huawei Experience&rdquo; and a corresponding package name <code>com.huawei.experience.sne<\/code>.<\/p>\n<p>To remove the package we just have to enter the following command:<\/p>\n<div class=\"highlight\"><div class=\"chroma\">\n<table class=\"lntable\"><tr><td class=\"lntd\">\n<pre tabindex=\"0\" class=\"chroma\"><code><span class=\"lnt\">1\n<\/span><\/code><\/pre><\/td>\n<td class=\"lntd\">\n<pre tabindex=\"0\" class=\"chroma\"><code class=\"language-bash\" data-lang=\"bash\"><span class=\"line\"><span class=\"cl\">adb shell pm uninstall -k --user <span class=\"m\">0<\/span> com.huawei.experience.sne\n<\/span><\/span><\/code><\/pre><\/td><\/tr><\/table>\n<\/div>\n<\/div><p>Now we have to find workarounds for not removable retail &ldquo;features&rdquo;, like the persistent notification that informs about the retail mode.\nThe notification is baked into <code>SystemUI<\/code>. While we can modify the <code>SystemUI.apk<\/code>, we can not put it back where it belongs, because we are not root. The Android build in feature, to disable notifications, does not work on <code>SystemUI<\/code>. The workaround here is to &ldquo;Force Stop&rdquo; the process after boot.<\/p>\n<p><img alt=\"How to remove the persistent notification\" class=\"gallery-image\" data-flex-basis=\"332px\" data-flex-grow=\"138\" height=\"2340\" loading=\"lazy\" sizes=\"(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px\" src=\"https:\/\/jrtberlin.de\/p\/making-a-huawei\/honor-live-demo-unit-useable\/notification_remove_huawei.webp\" srcset=\"https:\/\/jrtberlin.de\/p\/making-a-huawei\/honor-live-demo-unit-useable\/notification_remove_huawei_hu_b71d903cc57a1282.webp 800w, https:\/\/jrtberlin.de\/p\/making-a-huawei\/honor-live-demo-unit-useable\/notification_remove_huawei_hu_f8e65425e1da3923.webp 1600w, https:\/\/jrtberlin.de\/p\/making-a-huawei\/honor-live-demo-unit-useable\/notification_remove_huawei_hu_89c6ed7d7647cbfe.webp 2400w, https:\/\/jrtberlin.de\/p\/making-a-huawei\/honor-live-demo-unit-useable\/notification_remove_huawei.webp 3240w\" width=\"3240\"><\/p>\n<p>The command line alternative is to use <code>pm<\/code> to clear SystemUI.<\/p>\n<div class=\"highlight\"><div class=\"chroma\">\n<table class=\"lntable\"><tr><td class=\"lntd\">\n<pre tabindex=\"0\" class=\"chroma\"><code><span class=\"lnt\">1\n<\/span><\/code><\/pre><\/td>\n<td class=\"lntd\">\n<pre tabindex=\"0\" class=\"chroma\"><code class=\"language-bash\" data-lang=\"bash\"><span class=\"line\"><span class=\"cl\">adb shell pm clear com.android.systemui\n<\/span><\/span><\/code><\/pre><\/td><\/tr><\/table>\n<\/div>\n<\/div><p>Sadly this is not persistent and has to be redone after every reboot.<\/p>\n<p>The full script can be found <a class=\"link\" href=\"https:\/\/gitlab.spline.inf.fu-berlin.de\/jrt\/huawei-scripts\/blob\/master\/retail%20mode\/deactivateRetailMode.sh\"  target=\"_blank\" rel=\"noopener\"\n    >here<\/a>.<\/p>\n\n    <blockquote>\n        <p><strong>Important:<\/strong>\nI strongly recommend to stay away from Huawei\/Honor devices. The Bootloader is not officially unlockable and <a class=\"link\" href=\"https:\/\/www.androidpit.com\/huawei-no-launchers-emui-9\"  target=\"_blank\" rel=\"noopener\"\n    >Huawei&rsquo;s decisions are anti-consumer<\/a>.<\/p>\n\n    <\/blockquote>\n<hr>\n<p>If you have feedback, more information or a correction please send an email to <code>feedback[at]jrtberlin[dot]de<\/code>.<\/p>\n"},{"title":"Modding a Windforce GPU to glow green!","link":"https:\/\/jrtberlin.de\/p\/modding-a-windforce-gpu-to-glow-green\/","pubDate":"Sun, 20 Jan 2019 14:00:07 +0100","guid":"https:\/\/jrtberlin.de\/p\/modding-a-windforce-gpu-to-glow-green\/","description":"<img src=\"https:\/\/jrtberlin.de\/p\/modding-a-windforce-gpu-to-glow-green\/final.webp\" alt=\"Featured image of post Modding a Windforce GPU to glow green!\" \/><h2 id=\"motivation\">Motivation\n<\/h2><p>When I&rsquo;ve got the GPU my PC was in a different case with blue LEDs. When I switched the case for a new one I was going for a green-black look and the blue LED logo was not very good visible through the tempered glass side panel. The solution was obvious: I had to change the LEDs of my GPU.<\/p>\n<h2 id=\"preperation\">Preperation\n<\/h2><p>To change the color of the LED logo you have to get two new side view LEDs and (if you don&rsquo;t own one already) a soldering iron. I strongly recommend staying away from hot air stations for this task, because the panel on which the LEDs are on is mostly plastic. An SMD soldering iron would be best for this task, however, there are no other components that you could damage. I used a cheap normal one from Amazon that I already had laying around.<\/p>\n<ul>\n<li><a class=\"link\" href=\"https:\/\/www.ebay.de\/itm\/140908155354\"  target=\"_blank\" rel=\"noopener\"\n    >SMD LED 335<\/a><\/li>\n<li><a class=\"link\" href=\"https:\/\/amzn.to\/2RFPkdI\"  target=\"_blank\" rel=\"noopener\"\n    >Soldering Iron<\/a><\/li>\n<\/ul>\n<h2 id=\"modding\">Modding\n<\/h2><p>The procedure is pretty straight forward. First, you have to remove the screws that hold the logo in place and disconnect the led cable from the header on the GPU PCB. Depending on the Model of the GPU this task can be accomplished without disassembling the whole card.<br>\nOnce the panel is lose you can carefully remove it from the shroud. On my GTX 970, the logo has a plastic frame that can be removed with a bit of pressure and heat to soften the adhesive.<\/p>\n<p><img alt=\"1\u20ac next to one LED and LED panel\" class=\"gallery-image\" data-flex-basis=\"398px\" data-flex-grow=\"165\" height=\"2628\" loading=\"lazy\" sizes=\"(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px\" src=\"https:\/\/jrtberlin.de\/p\/modding-a-windforce-gpu-to-glow-green\/winforce_led_panel.webp\" srcset=\"https:\/\/jrtberlin.de\/p\/modding-a-windforce-gpu-to-glow-green\/winforce_led_panel_hu_e1adebe667702e75.webp 800w, https:\/\/jrtberlin.de\/p\/modding-a-windforce-gpu-to-glow-green\/winforce_led_panel_hu_5c361f40fb5db710.webp 1600w, https:\/\/jrtberlin.de\/p\/modding-a-windforce-gpu-to-glow-green\/winforce_led_panel_hu_a81d703fb311de5a.webp 2400w, https:\/\/jrtberlin.de\/p\/modding-a-windforce-gpu-to-glow-green\/winforce_led_panel.webp 4362w\" width=\"4362\"><\/p>\n<p>Now comes the fun part:<br>\nWith the soldering iron safely remove the old SMD LEDs and clean up the pads. Once done simply solder in the new LEDs facing each other. The last step is to put everything back together.<\/p>\n<h2 id=\"the-result\">The Result\n<\/h2><p>In the end, I\u2019m quite happy with the result. One advantage is that the new LEDs are shining brighter than the original, which makes them more visible through the tempered glass side panel.<\/p>\n<p><img alt=\"Image of the result\" class=\"gallery-image\" data-flex-basis=\"320px\" data-flex-grow=\"133\" height=\"3480\" loading=\"lazy\" sizes=\"(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px\" src=\"https:\/\/jrtberlin.de\/p\/modding-a-windforce-gpu-to-glow-green\/final.webp\" srcset=\"https:\/\/jrtberlin.de\/p\/modding-a-windforce-gpu-to-glow-green\/final_hu_6d22c0d862292345.webp 800w, https:\/\/jrtberlin.de\/p\/modding-a-windforce-gpu-to-glow-green\/final_hu_e7baedbe722f4ea0.webp 1600w, https:\/\/jrtberlin.de\/p\/modding-a-windforce-gpu-to-glow-green\/final_hu_d4161e1b67dbed78.webp 2400w, https:\/\/jrtberlin.de\/p\/modding-a-windforce-gpu-to-glow-green\/final.webp 4640w\" width=\"4640\"><\/p>\n"}]}}