Reversing a Fingerprint Reader Protocol (2021)
14 comments · July 19, 2025
JJJollyjim
As noted in the article I reversed the protocol for a related Goodix device (which was on Intel so used actual SGX instead of the white-box): I used the firmware update system to insert additional vulnerabilities in the sensor firmware and extract the PSK from that side.
I did a talk about it here: https://www.youtube.com/watch?v=IyjUY-xvFw4
Liftyee
Damn, I always thought that the fingerprint data was encoded somehow and never left the sensor hardware itself! OS-level access to the imagery seems like a security risk, but also opens some interesting possibilities for alternative uses.
jeroenhd
AFAIK it depends on the reader. This one seems to be a weird webcam on steroids, but others do the matching locally.
IIRC, none of them do it particularly securely.
th0mas
Author here, didn't expect to see this on HN today! If you've got any questions, shoot!
unlucky666
Do you have more posts similar to this one? Noticed your blog was a bit empty...
th0mas
Ha, yeah, I should really get on updating some of the info there. Got derailed with work quite a bit.
Most recently did some work on BitLocker: https://news.ycombinator.com/item?id=42747877
ge96
The real work is underneath the software, e.g. I can't write a camera driver, but thankfully someone else can.
That's cool, the raw data image in GIMP.
johnflan
I didn't follow the byte ordering of the image format at the end. Anyone have an explanation?
abstractspoon
Excellent
> It then proceeds to generate a new, random, PSK and sends it to the device. This represents a trust-on-first-use security model.
Wow, I expected them to use a hardcoded PSK, with the PSK flashed in the factory.
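The difference the two commenters above are circling (a host that generates and pushes a random PSK on first contact versus a PSK burned in at the factory) is easier to see in a small simulation. The block below is an added example, not code from the article or from Goodix, and its device class, message shapes and the "vendor record" are constructed assumptions, not the real protocol. It shows why the trust-on-first-use model holds up only as long as the host's stored key survives: once the host forgets the key (reinstall, wiped store), it will happily pair with whatever device answers next, whereas a factory-provisioned key that the host learns out of band rejects a device that lacks it.

```python
"""Constructed simulation: trust-on-first-use (TOFU) PSK pairing versus a
factory-provisioned PSK. Not the Goodix protocol; SimDevice, the message
layout and the vendor record are assumptions made for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class SimDevice:
    """A sensor that holds one PSK and answers HMAC-SHA256 challenges with it."""

    def __init__(self, serial: str, psk: Optional[bytes] = None):
        self.serial = serial
        self.psk = psk  # None until a host provisions it (TOFU model)

    def provision(self, psk: bytes) -> None:
        # TOFU model: the host pushes a fresh random PSK on first contact.
        self.psk = psk

    def respond(self, nonce: bytes) -> bytes:
        if self.psk is None:
            raise RuntimeError("device has no PSK")
        return hmac.new(self.psk, nonce, hashlib.sha256).digest()


def tofu_pair(store: Dict[str, bytes], device: SimDevice) -> str:
    """Host side of TOFU: trust whatever device shows up first and remember its key."""
    if device.serial in store:
        return "already-paired"
    psk = secrets.token_bytes(32)
    device.provision(psk)
    store[device.serial] = psk
    return "paired"


def authenticate(store: Dict[str, bytes], device: SimDevice) -> bool:
    """Challenge-response against the PSK the host remembers for this serial."""
    psk = store.get(device.serial)
    if psk is None:
        return False
    nonce = secrets.token_bytes(16)
    expected = hmac.new(psk, nonce, hashlib.sha256).digest()
    try:
        answer = device.respond(nonce)
    except RuntimeError:
        return False
    return hmac.compare_digest(expected, answer)


def tofu_scenario() -> Dict[str, bool]:
    """Pair once, then see what a key-less impostor can do before and after the host loses its store."""
    store: Dict[str, bytes] = {}
    genuine = SimDevice("SN-0001")  # constructed serial
    results = {"first_pair": tofu_pair(store, genuine) == "paired"}
    results["genuine_auth"] = authenticate(store, genuine)
    impostor = SimDevice("SN-0001")  # same serial, no key
    # While the host still holds the PSK the impostor cannot answer the challenge.
    results["impostor_rejected"] = not authenticate(store, impostor)
    # If the host's store is lost (e.g. OS reinstall), TOFU simply re-pairs whoever answers.
    store.clear()
    results["impostor_after_reset"] = (
        tofu_pair(store, impostor) == "paired" and authenticate(store, impostor)
    )
    return results


def factory_scenario() -> Dict[str, bool]:
    """Factory model: the PSK is burned in and the host learns it out of band (constructed vendor record)."""
    vendor_record = {"SN-0002": secrets.token_bytes(32)}  # constructed stand-in for a provisioning database
    genuine = SimDevice("SN-0002", psk=vendor_record["SN-0002"])
    store = dict(vendor_record)
    results = {"genuine_auth": authenticate(store, genuine)}
    impostor = SimDevice("SN-0002", psk=secrets.token_bytes(32))  # same serial, wrong key
    results["impostor_rejected"] = not authenticate(store, impostor)
    return results


if __name__ == "__main__":
    print("TOFU:   ", tofu_scenario())
    print("factory:", factory_scenario())
```

The point the simulation makes is about the threat model, not the cipher: TOFU gives the host no way to tell a genuine sensor from a substitute on the very first contact or after its key store is lost, so the security of the pairing rests on the host's storage of that key, which is exactly the material the article describes extracting.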