Category Archives: Fingerprinting

UPEK TouchStrip Sensor-only (147e:2016) on Linux

As part of my fprint fingerprint scanning on Linux efforts, I have completed a new driver for a popular bit of hardware that has been unsupported on Linux until now: the UPEK TouchStrip sensor-only variant with USB ID 147e:2016.

We have already supported another variant including a biometric co-processor for some time now, but in the absence of the co-processor, the sensor-only variant required a completely different driver. Support for the sensor-only devices is a significant step forward as this hardware can be found in a lot of laptops. I’ve already received some success reports – thanks!

The driver is only available in libfprint development repositories (not any released versions). System76 have created an installation guide which may be useful for keen users.

Fingerprint scanning project report published

My fprint fingerprint scanning efforts formed my final year Computer Science project at The University of Manchester.

The source code for this project has been available on SourceForge from early on (GPL-2/LGPL-2 licenses). I’ve now completed and submitted a comprehensive project report (similar to a dissertation) for academic assessment, and I’m making this available under a Creative Commons license. You can find the report here.

Creative Commons License

The report is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.0 UK: England & Wales License.

The academic project is now complete, but I plan to continue development as time permits. There is a lot to be done, and I have already made some good progress on moving libusb-1.0 closer to release.

libfprint v0.0.6 and other new devices

Although I’m not really working on the “old” code any more, I released libfprint v0.0.6 today. It fixes compatibility with newer DigitalPersona scanners including the ones in Covadis products (who kindly donated hardware to allow for this development). It also adds Gustavo Chain’s driver for the SecuGen Hamster III.

Gavin Smalley donated a Veridicom 5thSense scanner, which I reverse engineered and produced a driver for. This driver is only available from the highly volatile libfprint development repository. It works well.

System76 generously donated a laptop with one of the dreaded 147e:2016 UPEK scanners so that I can work on getting it supported in fprint. It’s too early to discuss driver practicalities, but I have almost figured out the image format.

The laptop also includes an integrated Genesys Logic GL860 USB webcam (05e3:0503), not standards compliant and not usable under Linux. I’ll probably also be working on a driver for this device. Again, I have already almost determined the image format, but have not looked at the rest of the traffic.

Asynchronous fingerprint scanning

I’ve been a bit quiet on on the fingerprint scanning front recently, but I’ve been doing a lot of work behind the scenes.

Adopted the libusb project

libfprint has had a design flaw from early on: it only provides a synchronous interface. The technical minded will understand this better in terms that each function call to scan a fingerprint blocks for the duration it takes the user to scan their finger. The library could force its users to do fingerprint scanning in a dedicated thread, but that’s not very nice. It could also create threads internally to avoid this problem, but I don’t agree with that either. I know that things can be done properly by providing an asynchronous interface and not requiring any threads.

The biggest roadblock in offering an asynchronous interface from libfprint (and the reason this was not offered from the start) was due to libfprint’s reliance on libusb and the fact that libusb does not offer asynchronous I/O. The result of this is that it is impossible to offer true asynchronous functionality in anything built on top of libusb.

libusb development had unfortunately stalled, and I could not find any alternatives that I was in agreement with. I started writing my own libusb replacement. The original libusb author, Johannes Erdfelt, liked my ideas and this lead to him handing off the libusb project to me. My new USB library will be released as libusb-1.0 when completed.

Making fprint asynchronous

After producing a working prototype of an asynchronous USB library, I converted most fprint drivers to an asynchronous model and exposed an asynchronous API to library users.

I then ported fprint_demo to use the new asynchronous API, which is working well. Another big plus of an asynchronous model is the opportunity to implement cancellation. fprint_demo now has a working “cancel” button which cancels any ongoing fingerprint scan request.

Exposing fprint over D-Bus

Next task on the table was to work towards handling the complicated scenario of when multiple users and/or applications want to be fingerprint scanning simultaneously. Some kind of central entity is needed to coordinate access.

Enter fprintd, my initial step in this direction. fprintd is a D-Bus daemon which exposes fprint functionality over the D-Bus message bus. There are no fprintd users yet, but this will be the approach we take for desktop integration in future.

Assessed project demo

As I mentioned previously, fprint is actually my final year university project and after reaching the stages described above it was time for an assessed demonstration of my project.

The demonstration went extremely well, and I was impressed with the marker who asked exactly the same kinds of questions that I would have done in that situation – which of course I knew the answers to. He also understood the asynchronous issues perfectly despite me not explaining them in detail due to time constraints.

What next?

The above development work was all a little rushed in order to have things to show in time for the project demonstration. Now that the demo is over, I am left with an incomplete libusb-1.0 implementation, an unstable libfprint asynchronous API, a new fprint_demo version relying on the unstable API, and an unstable/incomplete D-Bus daemon. All of these are not released (but code is available from public development repositories) so I have some work to do!

I am going to focus now on stabilising from the ground up, starting with the most low-level component – libusb. I’m working through the TODO list and hope to have an alpha or beta release ready within the next few weeks.

Recent ramblings

Recent writing-related updates:

libfprint v0.0.5 supports new MS hardware

A while ago, Microsoft released a new revision to their fingerprint reader product. The new revision includes some extra security and the open source software that I’ve previously written for the earlier models does not work with the new revision as a result.

The newly added security is a challenge-response algorithm, where the device challenges the authenticity of the driver soon after the device is plugged into the computer:

  1. The device sends a 16 byte challenge
  2. The driver sends a 16 byte response

The challenge produced by the device changes on every plugin and is probably just a random number. The driver then receives the challenge, applies a known secret algorithm to it, and sends the resultant data as a response. The device also knows the secret algorithm, and hence knows the correct response that the driver should send back. If the driver does not send back the correct response, the driver is not able to operate the useful functions of the device.

Naturally this poses a challenge for an open source driver implementation – unless we know the secret challenge-response algorithm, we are unable to operate the device. Previously, all reverse engineering of these devices has been done through bus traffic analysis alone (looking at the USB packets sent and received by the official Windows drivers, and making educated guesses as to what each packet means). It would not be practical to attempt to apply the same reverse engineering techniques to determine the secret challenge-response algorithm – we’re effectively talking about breaking 128 bit encryption by analysing a data set…

So, I got in contact with a 3rd party and we performed chinese wall reverse engineering on this particular part of the Microsoft driver. The 3rd party looked at disassembled instruction code of the Windows driver and documented the algorithms without reproducing any of their code. I received the documentation, and produced a clean-room reimplementation of the authentication scheme in my driver.

The secret challenge-response algorithm in use is simply AES with a specific decryption key.

I have released libfprint v0.0.5 which now supports these devices out of the box. Enjoy!

fprint project featured in LWN

fprint is featured in the November 21 edition of LWN, which should be helpful in spreading the word further!

The article mentions that libfprint does not support identification (one-to-many fingerprint matching) yet. I just released libfprint v0.0.4 which adds identification support, and fprint_demo v0.4 which includes a GUI to demonstrate it. Talk about yesterday’s news ;-)

Torkild Retvedt contributed a logo, which you can see above. I’m happy to consider further logo submissions, but I do like Torkild’s and it will do very nicely for an initial project logo. Thanks Torkild!

Patrick Guignot spotted the LWN article, did some further research, and then published an article about fprint on I have only seen the google translation, but I must say, translation artifacts aside, that is an extremely well written article which has hit on exactly what I’m trying to achieve. I’ve written to Patrick to see if he’ll translate it into English or give me permission to find someone else to do so – I will publish any results here.

Update: Patrick doesn’t know English well enough to write his own translation. Any French-speaking volunteers who wouldn’t mind spending some time translating this into English?

fprint project releases

Things are still busy with my new project. Here are a few more fprint releases which add some crucial features:

  1. libfprint v0.0.3 adds support for the Authentec AES1610 found in various common laptops/tablets, contributed by Anthony Bretaudeau. These fingerprint readers only see a small area of the finger so imaging performance isn’t great, but it is usable!
  2. pam_fprint v0.2 adds an enrollment application contributed by Vasily Khoruzhick, and has been fixed not to activate itself for logins over SSH.
  3. fprint_demo v0.2 and v0.3 add various bits of functionality: enrollment GUI, image saving functionality, plus the ability to count and plot detected minutiae points.

fprint_demo v0.3 showing minutiae plotted on scan image

More fprint releases

The fprint project has kicked off to a good start. Thanks to everyone who provided feedback so far. Any extra help spreading the word is much appreciated!

Immediately after the initial release, Vasily Khoruzhick contributed a fix for my aes2501 driver, as his is mounted in his laptop 180 degrees rotated, it’s upside down (actually I’m not sure which way round mine is supposed to go, but thanks to Vasily it now works either way). I also modified the aes2501 driver to perform fewer USB transactions, resulting in much improved image quality and overall scanning experience.

Jan-Michael Brummer contributed a driver for the UPEK TouchChip fingerprint sensor (USB ID 0483:2015) found in the Samsung P35 laptop. Jan-Michael indicates that the image processing performance is good but not brilliant.

libfprint v0.0.2 has been released with the above changes and a few others.

I also have been working on a simple demonstration GUI which may also help development in future. It’s called fprint_demo. Here’s a screenshot:

Gentoo ebuilds for all released fprint components can be found here.

Announcing fprint project

If you’ve been following my previous work with DigitalPersona fingerprint readers on Linux, you’ll be aware that what was an active and exciting project was reduced to almost nothing when it became apparent that open source fingerprinting code was possibly in conflict with U.S. export control laws.

Well, after studying the export control documents in detail, I discovered that these restrictions simply do not apply. I decided to propose my 3rd year university project as an open source software project to really sort out the state of fingerprinting on Linux. This project is now underway. For an overview, look at this poster.

The core project component, libfprint, aims to make it easy for application developers to add fingerprinting support to their applications – be it imaging or verification (or in future, identification). libfprint strives to provide you a single API for manipulating fingerprint readers in the most generic of fashions. Internally, a variety of different devices are supported through a driver-like abstraction. These devices do differ tremendously, but libfprint works to wrap that up so that as an application developer, you don’t care what type of device the user has plugged in.

As this is an academic project, it was necessary to keep development closed while I implement the fundamentals myself. I’m now at a point where I’m able to release this as open source and accept contributions in the normal way. I plan to keep this project going beyond the academic project schedule and I’d love to see a community forming. In the long term I’m aiming for inclusion with major distros, integration into desktop environments, etc.

Quick summary of where things are at:

  • libfprint is relatively stable and works well with most devices
  • a PAM module named pam_fprint has been created, which allows you to use your fingerprint to login to your system
  • The code is all in git repositories, there are initial releases but there are no guarantees of stability or forwards-compatibility
  • API documentation is mostly complete, but is subject to change without notice
  • I’ve been working hard to get a decent amount of content on the project website

Hardware currently supported:

  1. UPEK TouchStrip (found in many ThinkPads) – works great, we already knew this as ThinkFinger is quite successful
  2. DigitalPersona/Microsoft devices – these work fantastically well
  3. Authentec AES2501 – an imaging device, swipe sensor, works well (requires a little extra care while scanning).
  4. Authentec AES4000 – an imaging device I haven’t really played with before. Image quality isn’t that brilliant, but it’s good enough for fingerprint login if you’re careful.

I’m very happy with the project so far. I’m pretty sure I’m the first person to fully implement open source fingerprint login for the DigitalPersona devices, the AES2501, and the AES4000, plus I’ve done it in a generic way which interchangeably works with all supported devices.

Please direct all questions/bug reports to the mailing list, please don’t use the comment form on this post for anything other than comments.