Testing 200 XO's in two weeks time for Nepal's pilot

John Gilmore gnu at toad.com
Mon Mar 3 13:42:01 EST 2008


> Nepal should receive its shipment of 200 XO's in roughly 14 days

Congratulations!

> How do I get developer keys for all 200 XO's and then how do I
> deactivate the developer keys after I no longer need access to the
> firmware?

(You also need developer keys to install a new OS or kernel release,
not just firmware.)

Make a "collection stick" (a USB stick with a particular Forth script
on it), which will collect up all the serial numbers and UUIDs as you
boot each XO with it plugged in.  Then submit that laptops.dat file,
containing 200 serial/uuid combinations, to OLPC (if you have no
better contact, you can email it to help at laptop.org).  In a day or two
you'll get back a develop.sig file with 200 developer keys in it.  You
can put that on the USB stick, and reboot each XO with the stick
inserted.  While the stick is inserted, the firmware will see the
developer key and bring the machine up in developer mode.  When you
remove the stick, you will no longer be in developer mode.  Full
details here:

  http://wiki.laptop.org/go/Activation_and_Developer_Keys

(You can do this in parallel with several USB sticks to speed up the
process, if you have several people helping.  Combine the collected
laptops.dat files into a single file to submit to OLPC.  And you can
duplicate the received develop.sig file onto several USB sticks to
unlock the machines in parallel.)

I recommend that once you have developer keys, you leave the machines
unlocked.  You are going to be running a lot of unsigned builds in the
future -- you're customizing your builds.  It's trivial to install new
customized builds on an unlocked machine (and in the future, it'll be
possible to just upgrade one laptop, then have that laptop share its
upgraded software with others that it comes in contact with -- one of
the joys of free software).  It's painful to install customized build
upgrades on a locked machine (you have to plug in each individual
machine's developer key again).

Also, I helped with the support crew for the G1G1 rollout.  We had
many problems that were hard to diagnose or fix because the machines
were locked.  (The worst of these are fixed in 656.)

To unlock the machines:  while you have the USB stick with the developer
key installed, interrupt the firmware boot messages with the Escape key
(upper left corner of keyboard), and type "disable-security".  You may
have to type it twice (it'll tell you).  

(On a machine with "disable-security" set, you can later re-enable the
security by interrupting the firmware boot and typing
"enable-security".  If you like, you could keep a few machines locked,
give their teacher a USB stick containing the developer keys for
emergencies, and see how much difference it makes in production use.
The "disable-security" state is not *permanent*, it is just remembered
by the laptop without having to use a USB stick.)

> Which anti-theft features of Bitfrost have been implemented on the XO's
> we will receive? 

None.  The 656 release doesn't include any of them.  It's known as
"security by obscurity".  Only "activation", which keeps them from
being useful if stolen during shipment, is included.

> I distinctly recall there was some kind of mechanism
> where the XO would "phone home" periodically to a central database to
> see if it matched a list of stolen XO's. 

Not implemented.  Though there is something similar -- it thinks about
phoning home roughly every 15 minutes, to see if it should do a forced
upgrade to a different OS release (and actually does so at a random
time once a day or so).  My own laptop got hammered this way by a test
run of force-upgrading 100 randomly selected laptops in the field.  I
suppose this misfeature could be used to download and install a
trashed (non-working) software release onto a stolen laptop.  You can
disable this by removing /etc/cron.d/olpc-update-query or
/usr/sbin/olpc-update-query.  If you're running customized builds, I
recommend disabling it, since otherwise it can trash your kid's laptop
at the whim or mistake of somebody in Boston.

	John



More information about the Devel mailing list