
Linux command-line tool for ATECC608A and ATECC508A

Primary language: C. License: MIT.


Linux command-line tool for ATECC608A and ATECC508A ICs connected via i2c. Uses Microchip CryptoAuthLib.


atecc-util consists of a set of distinct tools called commands. Each command has its own argument format. There are commands for:

  • reading serial number
  • reading and manipulating config zone
  • calculating HMAC
  • generating, writing and reading ECC keys, ECDSA signing and verifying
  • writing and reading data to/from slots
  • locking data zone and individual data slots
  • reading and manipulating counters
  • reading and writing extra bytes
  • ECDH
  • password authentication

Multiple commands can be specified at once, as follows:

atecc -b 10 -c 'serial' -c 'read-config /tmp/config.dump'


Please use pre-built Debian packages when possible.

atecc-util has no external dependencies besides Microchip's CryptoAuthLib, which is included as a submodule.

Clone this repo:

git clone https://github.com/contactless/atecc-util
cd atecc-util

Initialize submodules

git submodule init
git submodule update

Run GNU Make


You can build a Debian package as usual:


List of commands


Reads ATECCx08 IC serial number in hex format:

$ ./atecc -b 10 -c 'serial'


write ATECC config zone blob from file

Usage: write-config input.bin|-


read ATECC config zone blob into file

Usage: read-config output.bin|-


dump ATECC config in human-readable format

Usage: dump-config output.txt|- [config.bin]

If optional third argument is set, dumps config from binary file.


lock ATECC config zone. This can't be undone!

Usage: lock-config


Usage: config-is-locked

Returns 0 if config is locked, 1 if unlocked, 2 on error


Usage: hmac-write-key <slot_id> <offset> data_file [write_key <write_key_id>]

slot_id ID of slot to write data block to

offset Offset (in 32-byte blocks) to write data block to

keyfile File containing data block to write (32 bytes long)

write_key File containing write-guarding key (32 bytes long)

write_key_id ID of write key on device

If both data and readkey must be read from stdin, key is read first.


Usage: hmac-dgst <slot_id> <payload_file> <hmac_output>

slot_id ID of slot to use for HMAC calculation

payload_file File with payload (or - for stdin)

hmac_output HMAC output file (or - for stdout)


Usage: ecc-gen <slot_id> [pubkey_file]

Generates an ECDSA private key in given slot. If pubkey_file is set, also writes public key into file.


Usage: ecc-write <slot_id> private_key_file [<write_key_slot> write_key_file]

Writes an ECDSA private key to the given slot. The private key is 32 bytes in length, without 4 leading zeroes. If the data section is locked, you also need to provide the write key.


Usage: ecc-read-pub <slot_id> pubkey_file

Reads a public key from selected slot. Note that only slots 8 to 15 are large enough for a public key. Output format: 32 bytes of X and Y, big-endian


Usage: ecc-gen-pub <slot_id> pubkey_file

Generates a public key from the private key in the selected slot. Output format: 32 bytes of X and Y, big-endian
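Added example (not part of atecc-util): the raw 64-byte X and Y output of ecc-read-pub and ecc-gen-pub is not directly readable by standard tooling. Prepending the fixed SubjectPublicKeyInfo header for NIST P-256 (the curve the ATECC508A/608A implement) and the 0x04 uncompressed-point marker yields a DER public key. The function and file names are illustrative.

```shell
#!/bin/sh
# Added example, not part of atecc-util. Function and file names are illustrative.
# Assumes the key is a NIST P-256 point, the curve the ATECC508A/608A implement.

# DER SubjectPublicKeyInfo prefix for id-ecPublicKey + prime256v1, then 0x04
# (uncompressed point). As hex:
#   30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06 08 2a 86 48 ce 3d 03 01 07
#   03 42 00 04
spki_p256_prefix() {
    printf '\060\131\060\023\006\007\052\206\110\316\075\002\001'
    printf '\006\010\052\206\110\316\075\003\001\007'
    printf '\003\102\000\004'
}

# raw_pub_to_der <raw_pubkey_file> <der_output_file>
# Returns 1 if the input is not exactly 64 bytes (X || Y), 2 on I/O error.
raw_pub_to_der() {
    raw=$1
    der=$2
    size=$(wc -c < "$raw") || return 2
    size=$((size + 0))                 # normalise padding some wc builds emit
    if [ "$size" -ne 64 ]; then
        echo "raw public key must be 64 bytes, got $size" >&2
        return 1
    fi
    { spki_p256_prefix && cat "$raw"; } > "$der" || return 2
}
```

The resulting file can be inspected with `openssl pkey -pubin -inform DER -in pub.der -text -noout`, which also rejects a point that is not on the curve.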


Usage: ecc-sign <slot_id> message_file signature_file

Calculates a signature for message using private key in given slot


Usage: ecc-verify <slot_id> message_file signature_file [pubkey]

Verifies a signature for message using public key in given slot


Usage: write-data <slot_id> <offset> input_file

Writes data from file to specific slot with offset. Data is written as plaintext.


Usage: write-data-block <slot_id> <offset> data_file [write_key <write_key_id>]

slot_id ID of slot to write data block to

offset Offset (in 32-byte blocks) to write data block to

keyfile File containing data block to write (32 bytes long)

write_key File containing write-guarding key (32 bytes long)

write_key_id ID of write key on device

If both data and readkey must be read from stdin, key is read first.

### read-data

Usage: read-data <slot_id> <offset> <size> output_file [readkey_file <readkey_slot>]

Reads data from specific slot with offset. If keys are not set, data is read as plaintext.


Usage: lock-data

Locks data zone. This can't be undone!


Usage: data-is-locked

Returns 0 if data is locked, 1 if unlocked, 2 on error


lock-slot: lock ATECC slot zone. This can't be undone!

Usage: lock-slot <slot_id>


Usage: slot-is-locked <slot>

Returns 0 if slot is locked, 1 if unlocked, 2 on error
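Added example (not part of atecc-util): the config-is-locked, data-is-locked and slot-is-locked commands have three outcomes, so a script that only tests for non-zero would treat a read error as "unlocked" and go on to issue an irreversible lock. This wrapper assumes the documented return values are the process exit status; ATECC_BIN, ATECC_BUS and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not part of atecc-util. ATECC_BIN / ATECC_BUS are assumptions:
# the binary name and -b value are copied from the usage examples above.
ATECC_BIN=${ATECC_BIN:-atecc}
ATECC_BUS=${ATECC_BUS:-10}

# Print locked|unlocked|error for config-is-locked, data-is-locked or
# "slot-is-locked <n>". Exit status 2 (or anything unexpected) is reported
# as "error" and is never folded into "unlocked".
lock_state() {
    rc=0
    "$ATECC_BIN" -b "$ATECC_BUS" -c "$1" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo locked ;;
        1) echo unlocked ;;
        *) echo error ;;
    esac
}

# Idempotently lock a zone: $1 = config | data.
# Returns 0 only when the device itself reports the zone as locked afterwards.
ensure_locked() {
    zone=$1
    case $zone in
        config|data) ;;
        *) echo "unknown zone: $zone" >&2; return 2 ;;
    esac
    case $(lock_state "$zone-is-locked") in
        locked) return 0 ;;            # already locked, do not re-issue
        error)  echo "$zone: lock state unreadable, refusing to lock" >&2
                return 2 ;;
    esac
    "$ATECC_BIN" -b "$ATECC_BUS" -c "lock-$zone" || return 2
    # Trust the chip's answer, not the lock command's exit status.
    [ "$(lock_state "$zone-is-locked")" = locked ] || {
        echo "$zone: still not locked after lock-$zone" >&2
        return 1
    }
}
```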


Usage: counter-read <counter_id> [-r]

-r Show number of counts to overflow

Valid counter IDs: 0, 1, 15


Usage: counter-inc <counter_id>

Valid counter IDs: 0, 1


Usage: counter-init <counter_id> <value>

If value is negative, sets number of counts left to overflow.

Max value for counters 0, 1: 2097151

Max value for counter 15: 128


Usage: extra-set <address> <value>

Writes extra byte in specific address. Correct addresses are 84 and 85.


Usage: extra-get <address>

Reads extra byte from specific address. Correct addresses are 84 and 85.


Usage: ecdh <slot_id> public_key [secret_file]

slot_id ID of slot with private key

public_key File with public key (64 bytes, big-endian)

secret_file Optional file to store shared secret

If slot is configured to save secret in next slot, no secret is returned.


Usage: auth-passwd <slot_id> password_file

Authorizes a key for use by the following commands in the sequence, using a password.

slot_id ID of slot with authorizing key.

password_file Input stream with password (file or stdin).

Password ends with EOF or newline. Max length of password is 256


Usage: auth-make-passwd <slot_id> password_file

Makes a key from password.

slot_id ID of slot to write a key.

password_file Input stream with password (file or stdin).

Password ends with EOF or newline. Max length of password is 256


Usage: auth-check-gendig <slot_id> key_file

Checks that the key in the selected slot matches the key in the file, using GenDig.