# Failing to stage update, verifysig nacl failed



## eyedrop0 (Jun 9, 2020)

Hello all, I've replaced the Tegra board on a Model S with a preloaded 2018.20 image. I'm trying to update the car to 2020.20.1, but during the signature verification stage, it fails with:

```
2020-07-30T08:43:15.933180-07:00 cid : cid-updater:10001: verifysig status=warning key=dev verify_nacl_signature=-1 function=verify_nacl_signature line=100 error=crypto_sign_open result=-1 errno=1 strerror=Operation not permitted
```

I've tried doing GW reboots, 12V resets, Wifi on/off, GSM on/off, etc., to no avail.

I've used this image/process on other cars in the past, and my firmware file is already trimmed.

What's curious is that the cid appears to already have my image and is trying to send it to IC, but the size is off and when I dd, I simply can't mount it. It's as if the image changed once it copied to cid. Now it just keeps failing over and over with the message above.

Any tips or tricks to get signature checks to pass?


----------



## TrevP (Oct 20, 2015)

I understand there's a process of copying a variety of cyphers/keys/settings from an old MCU before attempting a replacement. Have you contacted https://twitter.com/greentheonly on Twitter? He's an expert on such matters.


----------



## eyedrop0 (Jun 9, 2020)

TrevP said:


> I understand there's a process of copying a variety of cyphers/keys/settings from an old MCU before attempting a replacement. Have you contacted https://twitter.com/greentheonly on Twitter? He's an expert on such matters.


Okay, I think I'll take your advice and make a Twitter account, then try contacting him...

So from here, I'm wondering if these cyphers/keys/settings are stored on some onboard storage on the MCU motherboard? Like in the GW? Or is it all stored in the FW images (p1, p2) or car-specific data (p3, p4)? I have yet to mess around with the GW or the Tegra recovery mode, bootloaders, etc. I figured the firmware updates take care of any GW-related needs and that it shouldn't be necessary to mess with something sensitive like that. But I may have to.


----------



## iChris93 (Feb 3, 2017)

eyedrop0 said:


> Okay, I think I'll take your advice and make a Twitter account, then try contacting him...


He also has a Reddit account if you already have one of those.


----------



## eyedrop0 (Jun 9, 2020)

I was able to get past the signature check errors by deleting the old handshake and pending command files, then manually running the "handshake" command in cid-updater while connected to wifi. For whatever reason, this lets the signature check pass for my locally served firmware image. I'm guessing that by bringing over the old handshake files to the new system, cid-updater was probably getting caught up in a knot.


----------

