How to create a signed Windows 8 driver for USB Ir Toy

As part of a home automation project I’ve been testing different infrared receivers/transmitters. One inexpensive USB-based transceiver is the Usb Infrared Toy (v2): http://dangerousprototypes.com/docs/USB_Infrared_Toy

This uses the Microchip PIC 18F2550 microcontroller, which acts as a virtual USB serial port. The problem is that the included driver isn’t signed, so it can’t be used in Windows 8.x. Various people have suggested disabling signature checking in Windows, but that’s both risky and complicated. I wanted to go the proper route instead, which is to sign the driver with a certificate. A real certificate is about $180/year (code signing certificate) and I didn’t want to pay that, so the alternative is to use a self-created certificate and ask Windows to trust it (which is a normal Windows process, doesn’t require a diagnostic boot, etc). I wanted to document the steps so they can be reproduced for other drivers as well.

Get the driver inf-file in order

The first step was to clone the repository so I could commit my changes. The creators of Usb Ir Toy are currently using code.google and have all their projects in one repository. Since code.google is going away, and to make it easier to work on this project, I copied out the Usb Ir Toy folder and put it up on github instead, here: https://github.com/HakanL/UsbIrToy.

The next task was to update the inf-file so it would be compatible with Windows 8.x and pass the signature check (using inf2cat). I took the latest Microchip example driver inf file (http://www.microchip.com/pagehandler/en-us/devtools/mla/home.html) and just copied the relevant settings over. Note that for devices like these (that emulate a serial port) the “driver package” doesn’t actually include the driver; it consists only of an inf-file that describes the device and references the built-in usbser driver that’s included with Windows. But you still have to sign the inf-file so Windows can trust it. Here’s the updated inf-file: https://github.com/HakanL/UsbIrToy/blob/master/inf-driver/mchpcdc.inf.

To generate the cat-file from the inf file I used the command-line tool inf2cat from the Windows Device Driver kit (https://msdn.microsoft.com/en-us/windows/hardware/gg454513#drivers), following the instructions from https://msdn.microsoft.com/en-us/library/windows/hardware/ff547089(v=vs.85).aspx to come up with this command line:

Inf2Cat.exe /driver:. /os:6_3_X86,6_3_X64,Server6_3_X64,8_X64,8_X86,Server8_X64,Server2008R2_X64,7_X64,7_X86,Server2008_X64,Server2008_X86,Vista_X64,Vista_X86,Server2003_X64,Server2003_X86,XP_X64,XP_X86,2000

Note that the /driver parameter points to the directory where the inf file is, not to the file itself. I used . since I was already in that folder. This command runs some signability tests and then outputs the cat-file. From there you need to sign that file before it’s ready to be used as a device driver.

Generate certificates

I found this great article on how to create these certificates using Windows: http://stackoverflow.com/questions/84847/how-do-i-create-a-self-signed-certificate-for-code-signing-on-windows. I basically just followed the steps in the first answer to generate these files (without password): https://github.com/HakanL/UsbIrToy/tree/master/inf-driver/Certificates. I used mmc to add the CA (https://github.com/HakanL/UsbIrToy/blob/master/inf-driver/Certificates/UsbIrToy.cer) to my list of trusted root certificates. I’m not sure if that’s necessary, but it worked fine. I did not add the code signing certificate to the trusted roots. To sign the cat-file I used this command:

signtool sign /v /f UsbIrToySPC.pfx /t http://timestamp.verisign.com/scripts/timestamp.dll mchpcdc.cat

And that’s it! You can now take the cat and inf files together with the UsbIrToy.cer certificate and have Windows install the driver without disabling any signature checks or even rebooting.

Driver installed
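A check to run after the signing step above, added here as an example and not part of the original post: it reports how Windows evaluates the signature on mchpcdc.cat on this machine, whether the signer chains to UsbIrToy.cer, and in which root stores that CA is trusted. The default paths and the Find-InStores helper are assumptions made for illustration.

```powershell
# Added example, not from the original post. Default paths follow the post's
# file names (assumed layout); adjust them to where your files are.
param(
    [string]$CatPath   = '.\mchpcdc.cat',
    [string]$CaCerPath = '.\Certificates\UsbIrToy.cer'
)

# Authenticode result for the catalog, as Windows evaluates it on this machine.
$sig    = Get-AuthenticodeSignature -FilePath $CatPath
$signer = $sig.SignerCertificate
# Resolve-Path is needed because .NET does not follow PowerShell's current location.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
          -ArgumentList (Resolve-Path $CaCerPath).Path

# Build the signer's chain with the CA file as a candidate issuer, so the
# issuer can be checked even when the CA is not installed in any store.
$rootThumb = $null
if ($signer) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a home-made CA publishes no CRL
    [void]$chain.ChainPolicy.ExtraStore.Add($ca)
    [void]$chain.Build($signer)
    $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
}

# Hypothetical helper: list the stores that hold a certificate with this thumbprint.
function Find-InStores([string]$Thumbprint, [string[]]$Stores) {
    foreach ($s in $Stores) {
        Get-ChildItem -Path $s -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            ForEach-Object { "$s (private key present: $($_.HasPrivateKey))" }
    }
}
$roots = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

[pscustomobject]@{
    Catalog        = $sig.Path
    Status         = $sig.Status         # Valid only when the chain ends in a trusted root
    StatusMessage  = $sig.StatusMessage
    Signer         = $(if ($signer) { $signer.Subject })
    SignerNotAfter = $(if ($signer) { $signer.NotAfter })
    ChainEndsAtCa  = ($rootThumb -eq $ca.Thumbprint)
    Timestamped    = [bool]$sig.TimeStamperCertificate   # lets the signature outlive SignerNotAfter
    CaTrustedIn    = @(Find-InStores $ca.Thumbprint $roots)
    SignerInRoots  = @(if ($signer) { Find-InStores $signer.Thumbprint $roots })
} | Format-List
```

The root store entry only needs the public UsbIrToy.cer; a "private key present: True" result means the CA's signing key is stored on the machine that trusts it.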


  1. #1 by hakanl on April 21, 2015 - 12:17 pm

    I found this, not sure if it could be used instead: https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

  2. #2 by hakanl on April 21, 2015 - 12:56 pm

    This also applies to deployment of drivers in Windows, this article shows the steps you take if you want to spend the money on a real trusted cert: http://deploymentresearch.com/Research/Post/454/Deploying-Windows-Server-2012-R2-to-Intel-NUC-devices-using-MDT-2013?hc_location=ufi

  3. #3 by HWarin on February 24, 2017 - 5:05 pm

    Hi – just finding your interesting post and seeing that you’re also using Com0Com … Will this “trick” also be able to handle Com0Com’s driver signing issue?

  4. #4 by hakanl on February 24, 2017 - 5:52 pm

    Probably, but if I remember correctly this has nothing to do with com0com, it was just something I used for testing something else.

  5. #5 by Hervé on March 2, 2017 - 1:22 pm

    Well – I definitively need to test this for Com0Com, if it works, I’ll report to you and will be very happy to re-enable signature checking mode on my system
