Tag Archives: Cyberstalker

Building an ATmega32U4-based FinalKey



The FinalKey is a one-button device tasked with securely encrypting and storing multiple passwords. Interested in building your own? Well, you’re in luck because CyberStalker recently posted detailed DIY build instructions for his FinalKey project.

Key project components include:

  • 1x Arduino Pro Micro (ATmega32U4)
  • 1x 6x6x7 mm Tact switch
  • 1x 3 mm LED
  • 1x 380 Ohm Resistor for LED
  • 2x 4.7K Ohm Resistor for I2C Pullup
  • 1x EEPROM
  • 1x The Final Key Case
  • Thin insulated wire (optional but highly recommended for ease of assembly)

Although building the FinalKey is relatively straightforward, CyberStalker recommends DIY Makers read up on basic soldering, using a hot-glue gun and burning firmware to AVR chips.

Recommended tools?

  • Soldering iron and solder
  • Hot-glue gun and hot-glue stick
  • Micro-USB cable
  • Small wire-pliers
  • Flat-head screw-driver
  • Optional: An ISP programmer like AvrISP-MKii

“Note that the optional ISP programmer is for burning the firmware without the Arduino bootloader,” CyberStalker wrote in a recent blog post.

“This option is the most secure as a bootloader on the chip leaves it open to attackers who could install compromised firmware on your FinalKey if it is connected to a compromised computer.”

CyberStalker kicks off the project by soldering the EEPROM chip to the Arduino.

“I used a bit of SuperAttack glue to hold it in place,” he explained.

“Place the EEPROM directly on top of the AVR chip and align its pins such that EEPROM pin 0 is at Arduino pin A0 and EEPROM pin 5 (diagonally opposite of 0) is at Arduino pin 2. Then bend the pins down to holes and solder them in place.”

Next, CyberStalker turned the board around and soldered the two 4.7k pullups. Both connect to pin 15 at one end; the other end of one goes to pin 2 and the other end of the second goes to pin 3.

“Cut leads to reasonable lengths and fix the button and LED into the case before soldering the next components. I used a small amount of glue to fix the button, be careful about thin glues and tact switches,” he said.

“Solder a short length of wire to the switch and Arduino pins 9 and 7. Solder a short piece of wire to LED- and Arduino pin 10 and solder the 380 ohm resistor to LED+ [with] a small wire going to Arduino VCC.”

As for burning the firmware, CyberStalker modified a number of files in the Arduino distribution, so DIY Makers should use the patched files from the FinalKey firmware package.

Interested in learning more? You can check out FinalKey’s official project here.

Securing offline passwords with Atmel MCUs

Over the past few months, Bits & Pieces has featured a number of DIY offline password keepers built around Atmel microcontrollers (MCUs).

First up is the official HackADay Mooltipass. Powered by Atmel’s ATmega32U4, the device is equipped with an easily readable screen, a read-protected smart-card (AT88SC102) and flash memory to store encrypted passwords.

Next up is the USBPass. Designed by a Maker named Josh, the platform comprises an ATmega32U2 MCU, USB connector, three buttons and a few passives. Like the Mooltipass, the USBPass is connected to a computer via USB and read as an HID keyboard.

The latest Atmel-powered offline password keeper to surface in the Maker community and on the HackADay website? Cyberstalker’s ATmega32U4-packing Final Key, which includes a single button and LED, all neatly enclosed in a 3D printed case.

According to HackADay’s Mathieu Stephan, the Final Key is linked to the host computer via USB and recognized as a composite comm device/HID keyboard, requiring Windows-based devices to install drivers.

“AES-256 encrypted passwords are stored on the device and can only be accessed once the button has been pressed and the correct 256-bit password has been presented through the command line interface,” Stephan explained. “Credentials management and access are also [executed by] the latter.”

Interested in learning more about the ATmega32U4-powered Final Key? You can check out the project’s official page here.