A solution for USB flashing?

User Support
1

I’ve noticed that when an USB device enters in bootloader mode, it disappears from /dev/. This makes it impossible to assign the device to another VM to perform certain operations:

  • flashing an operating system to an Android device
  • flashing the latest firmware to a security key (Nitrokey, OnlyKey, etc.)
  • flashing firmware to a hardware wallet
  • etc.

Should this be done in sys-usb? Probably not.

Is it possible to assign a particular USB type A or USB-C port to another VM, say, sys-usb-flashing?

This doesn’t seem possible with a Nitropad, as it seems all the ports are under the same controller.

I can shutdown sys-usb, start sys-usb-flashing, and connect the USB device to flash. But this is cumbersome.

Any ideas?

2

You’d need to pass the whole controller through to another VM.

In my experience, there’s no good way around just doing it in sys-usb, otherwise the installation process is prone to failures.

3

But then you will need to grant sys-usb network access and that’s very risky to expose your sys-usb like that

4

qvm-copy the ISO to sys-usb, just make sure sys-usb has enough “Private storage max size”. IIRC sys-usb is by default a disposable, so assume anything you flash will get deleted when you shutdown sys-usb.

EDIT: I misunderstood the OP.

5

It’s 2026 and many things use internet not just for convenience.
And also sys-usb holds all the external devices including at the very least keyboard and mice. So I’m just trying to make a point that it’s all good that it’s isolated and disposable etc, but granting internet connection to sys-usb significantly increase security threat.

I can’t suggest any solution thought sadly, maybe somehow duplicating sys-usb for second controller if it’s available

6

You don’t need to grant Internet access to sys-usb with qvm-copy or rearrange controllers. The GUI way to do it I think is documented here: How to copy and move files — Qubes OS Documentation

Download the ISO on a disposable qube (with enough storage space), verify it on the disposable, qvm-copy the ISO to sys-usb, then flash your USB.

EDIT: I misunderstood the OP, anything above is regarding USB ISO flashing, got confused with Bootloader mode. Haven’t had issues flashing ROMs on Androids with the GUI USB utility (passing the device to the VM I want to do the flashing on). Could this be a bug in sys-usb handling of devices? Sorry, my 2c.

7

I was talking about non offline installations(hence require internet connection)

8

Is there a specific device/type you had issues with? I can see how it would be cumbersome with a Nitrokey: install/run their app and dfu-programmer on a sys-usb, download and transfer the firmware file from a disposable to sys-usb, then flash on sys-usb.

9

It’s what I said in the OP:

Basically the USB device (Android phone, Nitrokey, hardware wallet, etc.) appears in my Debian-based sys-usb as /dev/<something>, and when the said device enters in bootloader mode, /dev/<something> disappears and the USB device reappears as /dev/<something-else>.

Of course assigning the USB device to a VM doesn’t work, because such /dev/<something> USB device is unassigned when it disappears, and it isn’t reassigned after reappearing as /dev/<something-else>.

There doesn’t seem to be any good solution for this, only compromises. My compromise is having sys-usb-flashing as a disposable with Internet connection that I only start after unplugging all USB devices and shutting down sys-usb.

Ideally I could have one USB-C port for sys-usb-flashing and the other ones for sys-usb, with both running at the same time. But I don’t think this is possible.