x+xcH9S=%WOJ%QM$J8w0yc=d
zwFAL~0F89PqiyF*wL^ajp~6IoTKf8|*n$G0yo;8Q$BtLb@t->rmre57Pogwav@8>QVI5F|pdo
z!wWJQGr2T_i1jKu{vj;=sA_!4Ns84^D=OjmJNJpbU5)`sT!v%wt%8%}?uW8cl-X-6<$Av(u<0)Jo
zuq!nAv}8xg>rlj-lR8_z6{|gvOpZu>XYA3i?(m+@(V`3Fdw9ZirBNlrXnI`4g4S&_qx4D5uy!J
zpgM*3vNM&5A_`aRf_2||UQFo>fSivUPIeNny!btux#^|4)Gck(6Vt?_m+{xsm-mzO8b)uR>+VF{%;7|i7`sa
zs_X^rhXya)E&>b4qAmU573450{L5-NC9Bz&&<)w*Mf;?Qaf!6p3I;az`>xwDOOePa
zd)gE~l&S4LDdCL~Wn{SQii)HX@|_k;WMrPNT1Ly}OEmQ0+x)WlaVPYn$u%;qSw`SythiQwYxx*DpQ0P~t(?T`Vowy@K5VZK%NT*RdRR`E&a|GbI6kdBS~g(y2~&h$2+Mq-3m1)0a)f%@2J+cWz^_E#qB
zQ%OR9*i@JmP`f$+vLOhU1}~Te<58HjVFWNcs=wVbLKg2kR%BqU@zfpO?=!H6*4e};
zbs51MM*Yk&$126P6hItuH6EdXers86PQeH9aGG$zHe744;`+tCEmy`(5=H&TvMI3pL8ftxu}
zF~veYp8__WpR4u`+oMemfzBIc)jmVDPg{M@BqLNlJL*KEUc=zY6e3@!l)cmn|7Qf>
z82QwkWA82JMG(-hBwsae7Wm4vnO4}_E)KCxvpDAolub@MRD~p@SKR!=ev#;Eg^+jlSMT8F$dyq6&l;s!UZ`82>Mv3kSS(@i4
z?n38Jp*?1faK;e<<0teuxblebKOpTaLhozB;$>#K724Hu+@m7w)TOs+*!UFEKlE#?
z(QsobG3>w)NW&j1f9V9SW%}{v%Bzwi_t8@EtTo={&L?%9;DoqSVGVq$DSIQty0)a;
zfwL@Mc+55k6bNOBCag*Dux{A>Lw?LN2iDrPud7`SqD%Ufl}IJ5T=VUdU~GKY^(5Il
zxZ*w}NJ}d>Qk)@U4DED%b<=SNqSV7+LLRWF%y0A$X(_!a68eKZk+&4K$tSQUjC(%L
zSM3YM=fhf2DVq2c{T7)2K7Q{4x*#va&i>m6%_r{&bz47#KmW+1_FFl<&`($w9>{ee
zk&0f+^5S3~+yU*m6iR_+i74DlBmdzMVgdrIei_6f8sz?p4%sO;w9f~@zQ$G56E&2X
zBl!1xBM*bvty>Lv(-JHV=;H7EtqA5O-q&k^`Bf<
z3$}2MTFcZN&QgrdSwV1l=?BVE*dBB^GcydxgS(iXoh^3zqi?WC*Xe92U)?HP_YsP{
zb2Zqy>}#FHP)yTppowTprZ;PaOvXHg+l@9%P&l{3jXI5T>9U_WD$U~q@4;y}foALH
z4^^c$1M8g#>L(_t4BcI4Q!!2%WJo#3q6}w?1`?Uk=+%&|h*8gBX60F;H&VEF%{Y`S
zN0c|cY35bT*R=oia*kD`X8!G&*4slU?$)F3(o2{zb{i_58C!b80aip?^ZP-`3z%zO06`u4i@s`0fX
z3pSMajTp0bjn<5*qG0@?lmckgtn^wv`|RXv^+Z8EjF81HA&exXRXn7Y!~}^z+xF7=
zkjl>lH}pAan2sgr#DEoAv{YxKa)K|BQ`+5z_SP_xjY%kuVO+TNo!GA8l}zRz-QW~M
zi+A-@C^>pip>!j9v_v5F#+HRJT9WD2HT?nBn)SmMXD)+Vy=9pm`n}e`$i_!2{*XWo
zi$QPgdjWP%N}^eLw9P5Kei1IpS)%&5AKpV&z9!8f)yTB#l0MBDd4E`{JJW*(a}OcTaBYr#QjMwF(YV-6Ee6P
zEMO4qi!^pDP&%Grw&lq6^ymD~hr4bhy5YWF
z48!t0sE8hLDxR2J>;D2TFCuSxDg9@fLn+fUA
zihbpLXY)CU%pyo9h5^g{{G-A)jBNXbao|C;+KU=E7-+;Rv(ZN0ir#P;C#=fMZER
z=u)rpGW=iBO8fAIGlZh87Jz^~OD7z;%CGb1?c~_Yg_`6%)96RVo0W#MJOJKWz#L)B
zm0t+K?T1xv=%7E3&ish}YGSrDr$qZd0Mf%7`6GCciaKfh13>hxHvfYnW7>0qwqw6!
zU)Pe=F_Jp6I@bwzI=B2c{R>WiY%g4`eaXq+sFI5v8^iB~PVSzQh?j3zj~7p%bv9FPLjX+w(s|xv{h9a;BZM_``|kH_o#nNHkr(_|0cdzj7ToHy%Gc1
zBu8)T$J-Z4CRjVS?j<_B9?#Ce7lL_^d5e#JU{Kl2lB@^+~Omdi3xx_)6O4z%#Vj|M_8nP>ibx}nLqux
z50-xezOr%A@G5AHy0I_3{lwBN5tlERlUDdu>9jphwmNOjE7N$CTCl6z`G2&epy-fe
z$QiU(i3kZd*>6?92s7TEik8|W{|^B1atsu?Cgp}Tqor6(T68N+UP-S*IH5sGo0j-fU&NB
z)gbU|BHN$*5ZPV_RhU-E^93IhxD;hbSuCKBrC5CQV_^g@J6_CB{ZJe&@T+!OTBNnK
zt>kkPpI*|Nor;C_SZ#&ulTS)KCl@2)jTmfjs#gRNz5Y}b$|tdmb^%327s-~PP+Jm4
zvAQPkE~G@~MVy+|z>fOkTju#fx#Vw(1vo!j^iO6v{UF=1N)ksIB_>hK>md4_AU?Lz
zqrg-+EEXVW@j!fAPs{2(!gg&N+%=paV^QB@&nQv`1GZ(0i7>x_;W?hQgGxNuiX^%_T?BQ>54G6AQ?I
z$t-*K40f^zK1}&Os4#7|5u_JY_5I(8w#W*EIK{OEwbWYpu#6c4h
zS_ZX#qO&RGI5}JG3X)3ri>w7jCudPux>@S79?77_U2u!FG4>v{wBQ|l6c4{L6)LiE
zZs`93ZiJ%biSg1fhX@{(RH7OcbSb1}%BuNoBFU3uB
zIsUn7uC3pW|NQn0g|->-#xIy?>9HS_@Xtl%iu%7O)h#q}0(z9N(_oID@p0wfFRljN
z`+g1!y54NSgODc4|Mc$HlAU+Yh|E{hN#%S>RG|ee;3CC;dWc#h=}WU#*L>5Q7j{bV
z&VpXLBz#(uAKCt;Eq1RlD#pSre{#HnLp_emz4q@7a1)kd(8nB+#S#AYSF)$kcy{izngrXE;hh@I@d0v#{xf!p!-{f=dSq5}a#`5Qn%K
z_xz&KQJO#kwZ9X+vb_B3m^|l;U3h}(@|@Il9G8<7!0-gv&0sm>A(0wB|HJQhJ^U3l
zV5LrhRgy|s#bw22955&f-GiHRW~3AA858o*gARTXLRUW6>B@iOMuNj_`*zRBKD+AOD3sc*
z(X>kJF92;&lB3GMJq*8w&c8I%5ItiK7gHI1Sa;^J=Okssyp=&-zNhHAEUuKn4F
zlZ(CeroW=mpL?*EJceYRgdf}U#=ZO0_1)k_TKi}8-^PKAR?4y|tIK^aSXQ{X26ZLe
zSiAk#${HF$n6&aGe#uxkXqCr1L-4ZB@+;|It6G4KMT?-+r_xx^Hgu7Os)CH*KMZI-
z!J9h*JeZTM+8QOltk!=^x%AQqky?FN-gzcaZwqU(12nkF+IYyR#5&dRK6+!)5Rj34
ze#D1A8>CPTW7zj?ziSHU1^%xi>pg$@ciIN>VWpxjWB_ltF%Lr+o=r{uoB|azOW(3b
ze6P>pbxE<+hx6jL>+vJxj700W2gXE3^LaOR6Q9=#Z_QNO*jo`ZtS@lpqf-YwpTrr<
z4p+qinC%y7f~FlkX|C}(ia{`|(v+e7nMQy=Udu%>jO0WS$3g`Dn~ygqU!*-cdkZA`
zy9dFSOL{)EEo9cr?Vqbk~?Kk31h*c$|Rxoe=wIxDyMp
z5UO}jqhe7gJ-Gze?Yu^4o-ZQVGTlhf4|eg=^KbOT2;M?OG6_qy#Nj8(q%$+bsSQ$W
zJrb(~?dFW5Ga;TcBT@A6@(tjVzQaD|{YOT!{X?=EYxP#htT{qqT-2|syvQ{t6XEWQ
zM?pufmyE$j@)cO3_k2eq5j#|Bx`^szKVJ+z6~#P)8a_dzT^o|%;+2ha1`HPA8}E+O
z<6l^xxogvp>qXRtM60il+5LvM!|1sC+ko7BR1}WHV90{{t}kuBJqU6#Vro
zliiCst&*aDKynxy=oi4TxK*}JWUcnK
zEct;M8?tU9+oan1xY2Mo!d*ztOjSf*=~T3b>$p5`VTb9kT^{^d?Xq!ojfL(V*_2vQ
z-YTINK%XJaR^{QsvAhtQ5mfgVTGq0K+4A1A!==%I{FGLxzez8*kWL2NJ~{l2_27@@D_m4dMndJ&k@bej`ys9u^LCVMx5COe
z(FGnaUN^j?yX>j*D9sINTZROVfovPj#xZRB
z;6VnOZRIUHx=aIXO9!hp8iqI+7qo;qz;7bVArEAK?nng&8SN8|+95{awB_yvzRBV7Mt#F!L-#q!D|
zV0qB#f2FosG*9g%jut^pBV%#rBK$31G4b}D07c?B!FOGvI3c?PK`)iSF&TVqu3=TH
zJ9W0Cl?B#zn|RRkXHh+U7@y~epOf))%Fb}5u7B_PKbi!~U!uDdH_>jpAq45eE8*|%
zyG*r{2&-m)JSN*Z{+4~GSlFtnX`Hcvf_V$V#<7#Kot><;igA*a*ZKj%3VG7AJ9zgN
z1wb7=G48B(2#x%C!-i(zf&y^Pm6muYIwqZ=C^?gOc+^AD_K{AOuw(#Qc^OAB$P=~_
zLnUIdMmcjzH7cUnqEWu!)n2!mQw^=y#}|Ic+E*uaDys}pcQ7}7qD*p^p(q?v2;ZHp
z_86kl2pmF=eUZTPJ8J|IA!q4Tl(5b+{hr@ytUyOqs07PJzL8F#7?ws+^Tdl5EDh2Z
z9;Sst_Ud9Kh(2^R>OpnWh1Yeh4c4!@Twh%s7;(2%_y@DsK9h|#s4(VQ$}TMhFz)fr
z<2|VGTo@Y{;e-n7L+kC5Pk(T3^tj82)ISCO2mE)oC_HFR`;3PvBl_K-xC9@0tGM!@
z4IDG(XI(bi{McF&XVX2aKiMnBPM`szd!S7_Yi&NO2@qRzuWBF65d%N>58l7Nj>`_=
zd7f_5FV2-KUF>BsTUk`;Q%9Wp8W4ZWl+4Z7zuos4Y@DI>==*Y<`2Y9Dj8_v(r)`((
zo)40ln`WffxjcJ;-n>UD^-9aq6XbT&RCnr|{tK1R4)w_xin&6C@a@~SSP;m?%1OZa
zBkjgGux+V6>l|HGQ*ph}jQf`an=f2PmbFFPziZT;6*@7px5u@wY!`O#f$KH(I`dVT
z&oIM|iomCd64a}*gB*?o82?6{%Me32Y+C)m
z*ua@oh|0j`KcAQzWgw%wLe*?%Pm7Vqhs>Uvm)YdXZ4%#jwrtjZx@{soo@`$F8&r2b
z^FQ^x1zW;WMr0>`3|sv(lr8_wN58n0c8u(Up0{ZLN(?2mhqOc2j~
z@uMf7tp05P@9fb@85aSSf1Hk3yeeIh>V)I2Z)uX!qA8DNEZE6s-+%7H=1fc;)}?_i*v8agmE*Hsb*etK?6
zT4*0A7)yZ9CO_lMNFnPseMhNteH?d;+5R-kE5%bs1gMP&)pZuy1D9-|_4BB+)nvU>
zfCHLllR)9a(|(nGJ4_c0fl=u<2Md}Y?;RfjGPIb;+W1O=`CXbR9)RG7H6paJ0_UH(gwjFL5
z!H!0HNsC6vDY~K!FYRRwXo(}UYe!*D@wUbQJ(qmU02pDdPVJHN7Bum2BVMEU>Rj-A
zSMz6phz(eU=ZiBF@4$B=;=7@zq(4|!!m!TFh`1!2){BShAA2_=#n(oqwM{-F6IPOtZbX7VC?sSh-a<-rf>Wm5hdZkVdJ
zz+Tb)y;jH?{y7|?pv^IxV;o*fS1&4T-j3k99h;qqXqzOx^&x_ofNKrR4{yc2WlcJO
z3}qTsKXFDORFP<9{>POe>r^!3v63TO3(T}23xsf~x4cf>H+sHcFW>eHDrHmpeoaSv
z$=cA83@cS^2+tj>#2JNRM~-ZO${Ox>Ef}O>wlXgEJSgW~C`X#yv`RhpX;UO?tdv}p
zwte~H3;!^z-&K!Sl};*@Z6@O(K3(Z};SZL55x;yPqSgR2oSP&gVW-JL;;M`%>lnhy
zr3*C?Lf(X(Yc9&KvXD(d1E|2&OVaE!>r@}ZYWT$M?5+xOp69eCIYI!P2#q~&Y7)rwQS@n;38T#;>4zqV8;w_qQr+r<^BH71RJyK11W6cp>cAKT%
z_&IC7N<7A^(ex}gTZ0C#Nd0LiTG+2N`hDTLjt>&*Xv`2b*p{VOHIdr&VibfMg(}lrFQDr%lCZJ4Ki!m^
zlHuZ<-V0SU;h^oB5>2MSGoIpsVc~w}ezYI98>$8w+V+E(Ojp*mT$f#biunGhc?{vN
z)#ti5v9rjhEM32`*K~c`ZG?x$>R&Xkd6SMpqdppc#SStuxB_3bVaXolpIvWFTXkZFmb9qeXOJ*3dx`GAL(v0}_>j6yVXU
z61=zG9kj*xeUV&>M^2IVBG+%mF}~o4>&v2nyt`QIn(u0hg3iSSRS28cMtUj^`GwPL
zUw?8S-3!LTEl26}4^Q@w_N+l;5Bc%)BUB%uPee~kfot+xf?cldCbIw+v`|gUtbF?0HR0Od
zp4R^lcmWFK2Ezk8a8-#rE$~Or;;T_H&){1vQ%(`_g2%P5WKjEl2UtDmUibwp9m1xX
zkOOqGEutMOD3r^#^`uQlz11bK??UjdAl6%CH$viDLRCgDJ^9`@VTT9v*bjZ)!5Hoo
z>iNGt)N?XK3fY=Mq#6wczf(HPbZ0CnXY|&QP2BeKxF0gL#MSqmA+Anf+KfTARdik6
z0e8##t$t37dPj>R;Wx{ijy~K5*J!ErrJ&PC=m=V%uke0Vn%jOn%{MVqc@RZ4xMM5t
zlN4Z-Ka^E~yleE-V0_2L7bU%ihvt<&WGSnmrgY|dmDuPh;V~ew)3~>Y6fH~A=MjVR
z4|&Ouh$I@LzPS255)kzrcAIy-Y;$A0tK~CBXBvoYUpI{}`|4Tjk9Fau)UQEwZ;orO
zQ7oCWt~nL8hxc8lwQ>tuHDXnt6>FnzH^v!}y_t!_!6}iyfaG-8`icowUEJ**7T7CG
zN%d!l7R39cvQVEc#IYogaY7Pr^t|(3FyU;En{!Vu6GYDG(0F4UR|}Ft{cCUDi#c2R
z6Xdg^ynp4Qz9V7ZX-n3Mip1!2`&ayYfG*(+!ngf_O=QHJ7*EXp{`1+(wD2#zXfX*+
zP`*GVUUkKkM@mBtLZ=4zN42dG?fL)@Gd^epDFjAPe;rx>WGs8Cg7f%3)?$G96{D>2QeOMb}r%E0pymcH7L>uRvJ)N@??9LS9FOrfOzkh&T7)lw11q;1Nq|wdWNjxWz++cGMZ7;?S`Ma8JQM}3r
zknIWHM+luMkN9Q^O%xL$W7{a@WsxWW4}4$|Sa?JwgIPnJJ#p-AOYIDunKY5Z&$M0dSmqM_!r7;{XQz3*a;H9{KmF3e*~?
zb_E-O8V}4z+*Vx)2!
z{SnIZrd$Uq>9d9UReq->z&d?7$0_m#7jA#To2wrA{QdMc`&fKnq_^^BdwwYE*-Q5h
zEXtvT%%A`#;~d*=64B1Rhe6)fZj1NogWh>~UwIzUE)9xr|3u-ik)+f2SBaal1#FdE
z2!4c~oYZ*weKeMbed8AOpe<0c3HZ4$iz==ufx#6wATu2-rf*ihP@t1q*$1MP0XErE
zKk>6$EMH(V`inOBM<7{G*3P*B#nTuc_%l7)%}q-gq*sq)s<@#W1B;Ufu8g3VU(zxT
za;p=gRDfRCJzxbCai?(i9=|SP`mrYiqOrg4?IwE5M?(@Yt`;xI2HMLPEJk=nK0_i_
zF!L_p~fbuFWiF0Jl52P(-D`k1rlvOxr
z-e>j+E{@;R^3qrgl_Y^dpErbjzQwt!Uz&{+yie?%40^7HA05BPIf}LRQI)4;gh^oR
ztM>-k{FGkT4H&49h58+n+Fh?D|M1_!4Hz>ZZs%uz_a}d`I(Op4?DwM#yW1nEV%OZ{
zi4sY60**%^O8jH{H*O2i*Gq%Fy;9A1ZLVbFM$O@VyP1DpN?%sek%dKnH@kp=8&FIb
z*@uvw<;&A`88s4#oy$j$H5qCc7^N7P3Wca4U|7+_$V-X6OLBEPk-&_0=Qmh0DynhyK%>
z!Xp*9UC;QJYwW&~1fLh+CI0$u*P5t}M2}~FK5kA90|XM^bs^j=up9~GT4H&!v~|}o
z3KZ7KyQDO|TgYV*<>0m4m(>e!*-InEUMzugDi^8(FR6{4zbGgl^wy;W4KAQRtvfH)
zc6-BajWnLLR9jX$PS-iIoHe%Y>>|uy9R&Jnjzsw&xsT!%@~sOGYH%rbJfGJ@b~RmJ
zizq_6_|85`nEcMiMkHo%qK{6L;zZTC+XI+3;<$s5&3Q&4i%@p>q-6DQ*oj00UA)TU
z(GBDr!n*$faT$j@N*j0U0z2$$y3g-iEe2~vk0SaHqHiI(mOJ%BtpCX8L2p6#8d17q
zY%f$~uk!0Gx0JEIRWXTp+6Dqyt5A|l&)6>>DGmYLy$P=t2RRf$hp
z`NFWVX9>a`4ohL?jPJZr_U(D7-MHSBq8R-MH%@OVY{G5a7*OWc+5w?chV$cOD7YqI
z*?zCK-_|yPx+tN}NH=Uqx
zQ4%?{Rn&7E=IF=KsC$K-qHk4}ZED5~5)BVJi6td-n(EwM5})R$ePf1)g^;CL&q#^yjpdbIYuel9
z2VaGK4fylZ{uBR?qB9L>;!wZ-WFZT(OcIcwEJG5q;8GG?Kv^ajAi)4(Yt?E+h%DBH
zO$7x>LTnSDkU;EBghB*Fz}~vi7O7Vu7X6tC!jKx^A|yI0w|?kyewjypPAEt0=`!$$OL%xAxX9u9sMN9qUT$3Og;o3G2u
zC~lPH5s7bgk?YPxiAOYeqP}Zgy;Kr`zRQb&G83-q8IL^Eb0}=ba@O#syW!ujzUN=x
zge^{YMR1vrj_NXWFx#f3;HV))Y_sesg(n_Uu-$BjzTji`{sA0ax;&lBp?7lGzNBm8
z^t8Xh;1n}v6y$^Wn<#&>5-Wadg^Ucjk%Ry%)-`|VG^-|{uEK<2YQkE!Hl&U2T?by
zuQz
zcbm;!+q{mRMqx8c$rG2No2))L9Nbl4Dyz-ABH!C*tdgNm(q)AhG6_g9GWI9w)J|v=
z+igK&e^7^gge|xz*82!efV1=Jop6CH#;vE7^$YxdVn?hKHI82?M5j{OsK1q9CK9aW
zF)4TU0l6=99a{|+M!V8}Yhdp|qLPYHTD|3z9)AGNm{I-Vz+v>)x~E4+!dNq)%jp?K
zYDAQ9+GSu59KYs#@Yl-L09`^mY=R^{@4}QakVSBJ>nZKT4Dn8kg!^Oh2V9!a#QK*L
zU_!bKU1#>{G}&b=M0KOk&&_^?an;cVER>imdaKOw6FyN_$M*MN%s3sji-YYHZkqkt
zxn}_d9C*gBznZ;|fZfAyW|L|){)giBLAWJ8Q+TrycD0{VwOSAoTXbvTh)duR|3glG
zMESY1u$-XjHVfdP|AILLjBd@MIWW~x`85F}D@}~;ERAuZ0dulG@aU}m
zPrB})WQVTxdm~d$89Jq~%Mo|Z4`IC%v5jd#+^rwu)jPwp{iWo~GfZQI~&DLQy-@I$m-8YQ)+zs5|Gj3OJcf|VmP3bdF^y`v$
zy5&_0T3l6EE?@6}9K_Rigi!{Bq}7H)_O(*v(^|i{%SdrNm`%2k!HeQO+uw1<-uH%;
zo`EBV?~?o-zGDXI7P=y^HWXl-bv6?LgxXdqt$AM;oVXZuQ?ZWl@9u5s3Yti_qrK51
zT4Ard5n$B9HJlP7It1C@mDY%lx5S|XIQSsW^`Vbt7AA^Q=?K#i0zb5FNU?hG$M*sGKboiN}E
zlg5S=$JI3!itE*ws8Mtp&o9nLFREo=r;@#ctsxj#3O{2)<^#^o*QgO7$vOPPHLv;C
zWC-yZq^FV`*}mr6&H@|oFxC<$2^~6syL06?KDKrzl4oCAO;~6F1u50q7L~JA^wU>z
z*QQeb9W2g9q&G!Rb`#$gkBh6n&s4OIJKGjL?+8ztQJlJnbi-hvk%R}G%a?nA
zmTxQ@N6YVBBD^&p*A`Y&K2E$?-Zzr`Y$SpgD~9`I-R&1#)0Ea=(vruGz5=v8Gq
z^EyfgO4m^T((TWQX~sc|Uce-gXoCQLOV
zaf{GXl8l15b=-H`m4wQd;h}{kPwv&G$P$zjIV~V-vwvhP`WLYZeLp%T%1f5@C|%>a
zFX12`KyFO_`+!LshV6T?-I3f~x0Dnz9bX>?R~X*J-b%k*|KykzdB
zlF{q*9%lVz`uBgahc~yqL2n5n>T!|j#hn7r*lkha=mhENh2y}UvN_F1Nd*6vMz)1f
zIT!uzmWlPRJ=5%8R@lzl$%>HG>$=}W75Pf+n_ihBsjQi>GZVT3pqU~9xUhUBz!XC)
zDfccJwqQJ-CJhj3Cz4e?(OI}yKh1`E$8G1P&sj5@vy@Z0&#e`as9o13XIe1awUu^a
zl=(CNNM0GG`T^R0MQJ6-4P)Ud%0rLYxg;Q`4JD1JSFSH|)YLeQd@9|eM0wi?Cb5^h
zvGOsi=!-Y&e>%gTS~u{#z9FYZx)X@71Z-$3tDPb=yPpg))t!t6^+j*P)vVP+WTILu
zBbL;|I{eLa;MdG*AD#}QwD=3nn3cFWd9B
zs#`fP=$PIwf*=_!YlMJ}`0e~2M}_L;UW;=P+h%zowxd6@xT;&}wyn|nn7!F*RU*Oy
zp1c#aGTM|s!{%{=jbPBSnLTvrQ4Euh{?Cvh6xl$K9x}ZFF&&B*R8YpK5&W{mNKj#1
z>!mC8&XKR9+_Ou1N+7!(D3>fk->(#e3B`|Y^Izjv|II%@v#;+RW0K5Q(3L5JRRqd|
z4^WDk9~e6YGA7Fv`46}Fqb#GIW;GK~+HGl{syf^mpPeMc0A=L;J_%v$-N
z$x1<)@2XmwH7moMtfKqxvG5|X
z@jc>+xv)>=oI`2m^+nTMb`W+%nf{K%bVr?pwN)-+(a(@h4SZ++Kzz)PAfgzl1PU9Af
zK^~`cHAO&Y(*!nWAv?0Ujymm3;mM=gDldHID8k|*Vva3)c6v=L!}5ChTTz*N_I(Ma
z&J_QPb`O8`C#z?%ZG}S6M_WqT?yc@C-@&iRwny;jW^7q=(xNj+)-#)cNa_Eg(INJ=
z#Jc^pwEGgQ#Vwk4gLt;t7n(7;C2>a!fxQNC
zBj~4Hl-Q>O4{W!jv1_EuEvQ0WgH2a6@6@8Q^`peDE)*|fRS?SDzZk^SHYY)sm7OnM
z$%^MFRDBtdfb$JGptDP97xqUzrR7oHg<+Q9du>x^Bl8Y#({ta4Ewo?NS@#Pvt4<4<
ztsaz3MS(q_E2PKID3U5?Yqs{bSpP@EtGQ>{P-$Shk|g9xD#7ya58?iCSVD2B$^YO3
zKLrZ&Qpe{K(C~Jqwr5f~@aCHIJ5S?el@X<`mYnf>vvcfGwwB5!DD6ib)8>LWCt0s$
zPQCoHW+EkRkv7N)h}khtSKX6#kP4ByQUCj7?AyQCxQEn*7DCU7^fcGLhA4{AuRqKJ
zmbB}|?o#9ZfWacy!ZehV`6|-oM^B|>B^Y<%GQ8?L%(2N4(AR>-bll~VGXiiYJ!_ui&TvO<+N5OgTWOqYj$57-Lvu#p!u{joxyhEL+@i
zUn1!{J+hh96Y)PlCNJQuY0}+KVz1V(o#V-=DxLH}OTy`awq1*R7U2D0usxNhnQfd!
z>9CZxpang+L8g-089VC*4uJ>V&N^Fy3xA+AZclk%9^%U*ayX%&wQH&JApQadS
z@3fC9a7Z>a=-FvUidZC^=o2}Oqp!cLPY4^f^PX3g-L&mXKa39i2lx=SrSjP0fi%?4
z+OH%SmwgEpd#K_5Lj`}hDshPc|He9xAvGG3y&>h=s_G{?uU&E*L!(7$+*}
z2?aObl+nIQVc*pnAU>zRFjyk;=~s4@v6ROq5_gC{TSlU2>Duk%p9{Y#ARMT1n({h0TsF|X8`c*^eKlGxeK$3Y`c0P^V7_%=N)Vb#MZZ`VVGB1^ULzLoOqP`+)mF!M
zz=lQGdqolO*oGQDiCDPNDR(Ol6*E+K5vw{mbcdir)RIeZdo^1mN3Abu=Z-ta`Ek?S
zrS?k}j=o5;*+=P~SS|X|Ulk#v`i-wooOXFXpmWQtjBZ`$;_yQnd|fI<~8LZ)ZM4e1l1PJ&f8xVo28|Jqh6r5_(^y|o++#?MwXlqRtjr`WL=Ih#I=gkZw8DQ+=G6a=_{OpAvQ0pLbzAuMQ+lVY5u70E;_l^d
z1n(nj{pY^JEX$bxxv=J0!m4Ja;{)q%D&e(w#!&PPY>-%<2PBZsB#k&za;V5^EGI;qKif*KajXxwzh6y;Fbmm8&OIYE46v@%w5cj;Qi7XY!$gXT@iAO)qy
z!oJ936IM%5o9>D>qYO}1+n-feMWBI7WA|K
zcyuXuMpJmvf_Cer}dj6d7s_w=q)dH#s0p+
zVJ>lcH>GW5JGU{ArQO%~FHo=X`770CvhJornqHb`glby_z1P~#?S#K!b;St!dk|gM
z8SboEFe9+1QfEI*KgnS7lGtt?=uJ!TWO~sLUr`p7SFuJbZPwm55QFf7*W9X}
zb|JQ#&x)_aREmHP#GLA<(BhpZXsD%NuX3RsFs$^1TRaW{+2P@kkrL@R_&3uLaA*kx+)DVJTV=SXO
z_SF$EWXjrAwd@7z?0Hr0wS>B$St!n?9@{?8>8@f*n_Y>o>(!P+BW{f|*+?P+q-7b~bB-GSeDQZ5`eR0Tp<}i8+DlZYM
z;+GSO{dSe~HX&#_S&m?|;n@KBIsw1Ja8Df7#1|Aw%_vbwqIB_
z?y+#4$Le3pj`?tr@WVx?cTw+!4~(PW43n;mNDMNO7vZPUzg;1Ld?Av3UnE%R0iBTkzj1G2r(OOazP}JbSNo43{5^yd
z(TNh;W7|WX+c~8|su{?m^Zs!OrwZz72vXM31_9v*`cf!Yxe{mGUuw-j;WVrwu0{*I
ze*+{YBfhMV@PuD?Sg^eWhuN5khgFcl6_O-0_+Hm25S!}*bV4w2a)h|t5Vl7Z?%SgT
zx+XwmS+5vlxj+YnVb{I&+uy?=?cQVTYPp}n=lr>3)N@m)WCN9xHU1e-ZO~@QfZt-|
zxVx&lkLrO*$WLysn)Wy$pcu6Te$zFinef^Z5VTj9eLbXJ+R_rOG`2HZtz$n*XPieqBQ_33;
z?snX&22;QKL6|j24$sQzH-1XLtKCaECG#%_k4HT~`-K!*xE2?q#*=r}1IHZ9Dlsym
zI6H(*KW34c{wQ532RpI(p&c)|TzlWzUNxh^dyACM>%(aw#&z(?Up=shdjtiWc|?TO
zlqhI;u)pr;th~+bY$p2A9%#AeLz4o@y{<+tddt|;?mNb*w<`_2P!9lAo^GAh
z+pR>4N@IO~4abTL+K3hJM1TKM9&g>wm}fKAyS*%JkEd+kq7Cd}0nzcXKn=$w=~ZRU
zO|PCggbHy*IovWRERh9{fM*^$~$P
zd+}Ap>*`HF)E*O7n)G8dH?wcfk8+le|MNJ^T3b
zcH;v4jp7jZxocf5!Dq;uFeRa%TTv!CdKuN_Q8y!bzgIyUi;I2{$e>~&XtkVA@dF0g
z){aZ!s;>G7D)G>j3WD1Nk;UEwelo>D^!$GSHSGJ}l9W;D+eB>m|4Lfc#d4>D30S-F
zxM){uYzF9vUtEE%>?aKg;-Vf?@@?R-_}7Zt{Y(5ml@SkGw%PO`2bf4ai?d_mVc#t4
z4vT*JO$#CMW<}D%8`rDbptgW=oRXARWjy$KIG+gwK4nG>MKBY6%m60%_+iXcVXwHa
z7qZW8F8gg5qX0gFS?qV}_Jz{wv!}tyJA+8Gpml
zPl?Mc9}n#4(*;#Am5s@Wwz%j`p}FR~ZZ@Wq!hYlb1t?V#Mx%6#;70q}U5mM5_+z~7
zpn#w?@1jK*!$v)Nr?)vf-_&kry{>wM7P)$EN!3|5%#|iUMcM^j&(yghVl{{?AJHF%71G9~U^$BEX@?G(NejfKx
zxyQ*0Kc0#6-NJ!v%f=6S6^;b1nAlDPw2}*nmP8Jh@uyl?LCi
zU|f(g*q`bLcl+eVMee>Xw?T+CLkkrDX89r0eTg5auu{?NMWoiTs3Xm`g=unNR7aW5
z^gb4p-c0Nd6A4>y)MQ)F#Yc0uBm5;|BSDr4IaqJ*@zJ$^D|=|MMf<$tbZ++_O9#=B
zyd&tOK53Eoaft;Gc^|%G#w-hw+ar6i1u4G`IHhsEAm~(EM_>Ynx1&?@>?dj1g3Kb+CfT{`VM5dM=amt{^k#vlfEY%JFA0h&Fr1n;ZWub5^+{MSRSJGLq4#=IyF!uK@v}iNsIrn!
z+#Fg%(q*VS(NlvNBiWUCe5LgbQ*xpmh4F3!CkG~Ku)4A$jv`pl^HD;X7&;y5nD`H%
zqh3V3E9Pw#s>lsN0_j@0)`aD{XGhZRnSHAz8D;D>Zx;lk7K&$+dsa0VKd_%Alb*dS
zoy8|Glb6|!DB)s!OT6y1AKzbTvoE8UfS7uUG3?UI-eUK)H9xbNpEL=7zPF0>zdMf{
z!fLsG{#QCNBDw3hN7523r7klAJ21l(i3i4TxG#=iJ+r8NY@7@mbEp>y{*Hj>Ty)r&0V!saUUrPS~z<1)lp6%IG<3f0gU(4@+>YU^$31wV6xx^dsH*nG
z$Q`<zinYPVb58Y00gsheBlG31LXft5PuTz+SG+VTKn72!D_GGta!>%-Iv{v-dbH
zC<%zD1C5%|fO24%)UhDkPx0XjsjGvwotF{k1*Hc(>g8bjg+#bzA4=DH*Rhvre5WNn
zS>$utZ;VU0aDEDcF6($}wo;9~7ZYCU#AWY7lY^81pjUQL#?ft*k&MVze<+Rz3Itw;
zA86%N-xhM?Mf1+TOecj5{uV=!a(y*=uag<|ut-^gKunei3~N8QkxGmcdK2TlH>Q94
z*T>od6oxvhB(}n>7ZE!~MOuE^PS#5O7~z8jSo8BC-tj-JfJzGRUTlyFhOBVMX=jC1
ziP7C
zYOG$0a?J-R+1xa^G&Y+sXHbMI1XZP!?LMl|Oh)sRjTh@$E5|xpbE>L2tuSo|roUSV
zb|`F_58Jov1?Yr+ucIjUY|5dZS1fjG{h8Qe!LPB0s0I^He|s9!)nJ0EDTSaQhmcM(
z%#phPU-cmE6Wur2jk#fY*?GoT!?M@0a+vKlxl#n0KcX4`jIw&)7Aom#
zw|F5sWnU3~R9vlbVt%cZU-Yyy<{bjU@xFJiz=dQIO-(>rf0mU3x8SDxi7{ix_}y`G
z#Eiq)Q{THJ(=)=o(@=q6&hBZ^+YwCXP{hqt#4J+lt^02~*9wK+c$SZ#F=wl!Yn1YT
zfFV3IzE*|=egp{g2H1~aKJ2~Dr_5<8_Wue3W7-AbqjQc#%JVs0bg*28-cX;jywCPU
zbu`+WsCzX)gsTrb$S&g9?Tb-R0bzi^y1ohTdc}__EW(&DMZ&`S!3q0={o3H$Bwg#Q
zBY&+VOwXs)7g*nN6oom&dP~&=)HeHJt`cQeTrUmd$z-3<>+i$FZgYBlh$TBfkY8j6mwhSBP%NP#0@0HmoWW9&=
zcOar?&#bC1p1wuqAK`g=53!;Z4vM>#Z_M#)g#!bpZ92yeZR-edF~ZB9l>N
zl^MNBPC(^Yuq(sRDac&r1<=mwnQ?oCsZ5bQ+VHn&E+=ZLDI71qa*M_UCp8WdfoV`lRo3
zp1$oxeUDsu^^F-db=8yEmm~ftIpZ^qrX}7pCGKQbxuu|-ra(%s;5{;eDM}RnkfG4S
zeYUy8ExdfQ1$|4R|C5`xhH=P`hWIOKL1SVOBg9Bb2+s0E-w*LZzzu9aUU>C5=5}kR
zay@IN;hV1JR;CI2S`N$~pjTb#qbq1%6G-LHpKZ{kzjQ_*rfD*Cm3S@}?sXkv?m*HV>{#aon-u`R8`n*kyW-}HV4o`rG>BM%o94S7VBVL
z*qI-ljuhb_tS#9Hn<-E*%(0q~*^;=Gy~#OhIv@SeWYX
zKshU3z0h5d-8`_uahuS%z~a4Q4l*D82Z-R>(F1)Zw+?fL+QPb%rv1I(S6NP1zQxt1is5Eq;?N@g$GxCz+Z^C&$7EnEpRBZsPoKxm(^QU@ZGFKRS=%z}
zsg(#AfsY>Wu@+XKqr6nWaRUWZ92fGT2*AcMjP~^h$Qf*O?Jt+_&2WKI2<<)#yJQ;B
zneleah{-~*aY=pjH2Gi3HGN@^eX(+rRbOYrAU4E-;(wSl6}!nL8c80XlhBp?-}j1N
z)c+ndf+!iJgcs&rcihe2Yd_;@$Pd-9-R;0=D3Z*xw{QnqMy&oayCx{bWWPwM18Qqa
zLXl9j;hHHgCVtnf{Gi_QIfB+|U`moR!Q4CbHqirY+*P6*_Ip`0BxuMgySX==S7|)Z
ztpp~HM2{|oW`1jTu7~ZczE%qZM9fTc4xy*TVI&p$P51SFQ*c7KosC5@iwySEOCmyH
zyRx@Y4ZBopGjw~7OOQ7{+@{j?*e+Dn6}d&1_FB+7V#|5CAHiLReH!7g?(K_~KXv>{
zw;uNoG4Mf1DTOG0W-CMvcNVYtw$tHk3c-fDLPuW)q}yb$;|%iR@hVP8@zZ@3(h#v8!5<`o6YcKGmAO9A2bzVxsXFWsrsjL5O{?w)wR1#6C^(!+yapopZqek>{yl*&
zfuvWmBhQD?H)=Ry;yemN3t2tH60Y8Gby4>Hlw7n?PSdde(nT;cE;2I%fgCmLt6pCAH0aBla~%RS5Z}AT
zJGEL%31B>z&{si;x47bOxJgB+36rOTJgj6&0CQ9q>2#4O*Y|
zOf8Wa9dn?zzeGxnHmDkvECe2ClM9}&y7
zi3?HoL)J>ki&YIaVxL{=lqO^#FqdV>jx=*YyrAtd<6}P?=hR6{Db6b8`|phz%$Jvjw~E}8
zW(?b;IWSr+!yd-=Y0?$4u0w9IYI&ay5HiP69I|b-Z&bDBlOROWow%n&F$-EIn?F7`
zt=oA$2X-GF=Q|W!NV=P;>OX6&n2~Ed<3VtY;Y(fMZwc!Q#+|TkC_UG^ZdOiZnIbw$
z%R5{f;0%h;<;g
+### :warning: Disclaimer
-It already contains some preview features of 2.1, that you can try by adding the
-flag `--ctap2.1` to the deploy command. The full
-[CTAP2.1 specification](https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html)
-is work in progress in the develop branch and is tested less thoroughly.
+This project is **proof-of-concept and a research platform**. It is **NOT**
+meant for a daily usage. It comes with a few limitations:
+
+* This branch is under development, and therefore less rigorously tested than the stable branch.
+* The cryptography implementations are not resistent against side-channel attacks.
-### Cryptography
-
-We're currently still in the process on making the
+We're still in the process of integrating the
[ARM® CryptoCell-310](https://developer.arm.com/ip-products/security-ip/cryptocell-300-family)
embedded in the
[Nordic nRF52840 chip](https://infocenter.nordicsemi.com/index.jsp?topic=%2Fps_nrf52840%2Fcryptocell.html)
-work to get hardware-accelerated cryptography. In the meantime we implemented
-the required cryptography algorithms (ECDSA, ECC secp256r1, HMAC-SHA256 and
-AES256) in Rust as a placeholder. Those implementations are research-quality
-code and haven't been reviewed. They don't provide constant-time guarantees and
-are not designed to be resistant against side-channel attacks.
+to enable hardware-accelerated cryptography. Our placeholder implementations of required
+cryptography algorithms (ECDSA, ECC secp256r1, HMAC-SHA256 and AES256) in Rust are research-quality
+code. They haven't been reviewed and don't provide constant-time guarantees.
+
+## Hardware
+
+You will need one the following supported boards:
+
+* [Nordic nRF52840-DK](https://www.nordicsemi.com/Software-and-Tools/Development-Kits/nRF52840-DK)
+ development kit. This board is more convenient for development and debug
+ scenarios as the JTAG probe is already on the board.
+* [Nordic nRF52840 Dongle](https://www.nordicsemi.com/Software-and-tools/Development-Kits/nRF52840-Dongle)
+ to have a more practical form factor.
+* [Makerdiary nRF52840-MDK USB dongle](https://wiki.makerdiary.com/nrf52840-mdk/).
+* [Feitian OpenSK dongle](https://feitiantech.github.io/OpenSK_USB/).
## Installation
-For a more detailed guide, please refer to our
-[installation guide](docs/install.md).
+To install OpenSK,
+1. follow the [general setup steps](docs/install.md),
+1. then continue with the instructions for your specific hardware:
+ * [Nordic nRF52840-DK](docs/boards/nrf52840dk.md)
+ * [Nordic nRF52840 Dongle](docs/boards/nrf52840_dongle.md)
+ * [Makerdiary nRF52840-MDK USB dongle](docs/boards/nrf52840_mdk.md)
+ * [Feitian OpenSK dongle](docs/boards/nrf52840_feitian.md)
-1. If you just cloned this repository, run the following script (**Note**: you
- only need to do this once):
-
- ```shell
- ./setup.sh
- ```
-
-1. Next step is to install Tock OS as well as the OpenSK application on your
- board. Run:
-
- ```shell
- # Nordic nRF52840-DK board
- ./deploy.py --board=nrf52840dk_opensk --opensk
- # Nordic nRF52840-Dongle
- ./deploy.py --board=nrf52840_dongle_opensk --opensk
- ```
-
-1. Finally you need to inject the cryptographic material if you enabled
- batch attestation or CTAP1/U2F compatibility (which is the case by
- default):
-
- ```shell
- ./tools/configure.py \
- --certificate=crypto_data/opensk_cert.pem \
- --private-key=crypto_data/opensk.key
- ```
-
-1. On Linux, you may want to avoid the need for `root` privileges to interact
- with the key. For that purpose we provide a udev rule file that can be
- installed with the following command:
-
- ```shell
- sudo cp rules.d/55-opensk.rules /etc/udev/rules.d/ &&
- sudo udevadm control --reload
- ```
-
-### Customization
-
-If you build your own security key, depending on the hardware you use, there are
-a few things you can personalize:
-
-1. If you have multiple buttons, choose the buttons responsible for user
- presence in `src/main.rs`.
-1. If you have colored LEDs, like different blinking patterns and want to play
- around with the code in `src/main.rs` more, take a look at e.g. `wink_leds`.
-1. You find more options and documentation in `src/ctap/customization.rs`,
- including:
- - The default level for the credProtect extension.
- - The default minimum PIN length, and what relying parties can set it.
- - Whether you want to enforce alwaysUv.
- - Settings for enterprise attestation.
- - The maximum PIN retries.
- - Whether you want to use batch attestation.
- - Whether you want to use signature counters.
- - Various constants to adapt to different hardware.
-
-### 3D printed enclosure
-
-To protect and carry your key, we partnered with a professional designer and we
-are providing a custom enclosure that can be printed on both professional 3D
-printers and hobbyist models.
-
-All the required files can be downloaded from
-[Thingiverse](https://www.thingiverse.com/thing:4132768) including the STEP
-file, allowing you to easily make the modifications you need to further
-customize it.
-
-## Development and testing
-
-### Printing panic messages to the console
-
-By default, libtock-rs blinks some LEDs when the userspace application panicks.
-This is not always convenient as the panic message is lost. In order to enable
-a custom panic handler that first writes the panic message via Tock's console
-driver, before faulting the app, you can use the `--panic-console` flag of the
-`deploy.py` script.
-
-```shell
-# Example on Nordic nRF52840-DK board
-./deploy.py --board=nrf52840dk_opensk --opensk --panic-console
-```
-
-### Debugging memory allocations
-
-You may want to track memory allocations to understand the heap usage of
-OpenSK. This can be useful if you plan to port it to a board with fewer
-available RAM for example. To do so, you can enable the `--debug-allocations`
-flag of the `deploy.py` script. This enables a custom (userspace) allocator
-that prints a message to the console for each allocation and deallocation
-operation.
-
-The additional output looks like the following.
-
-```text
-# Allocation of 256 byte(s), aligned on 1 byte(s). The allocated address is
-# 0x2002401c. After this operation, 2 pointers have been allocated, totalling
-# 384 bytes (the total heap usage may be larger, due to alignment and
-# fragmentation of allocations within the heap).
-alloc[256, 1] = 0x2002401c (2 ptrs, 384 bytes)
-# Deallocation of 64 byte(s), aligned on 1 byte(s), from address 0x2002410c.
-# After this operation, 1 pointers are allocated, totalling 512 bytes.
-dealloc[64, 1] = 0x2002410c (1 ptrs, 512 bytes)
-```
-
-A tool is provided to analyze such reports, in `tools/heapviz`. This tool
-parses the console output, identifies the lines corresponding to (de)allocation
-operations, and first computes some statistics:
-
-* Address range used by the heap over this run of the program,
-* Peak heap usage (how many useful bytes are allocated),
-* Peak heap consumption (how many bytes are used by the heap, including
- unavailable bytes between allocated blocks, due to alignment constraints and
- memory fragmentation),
-* Fragmentation overhead (difference between heap consumption and usage).
-
-Then, the `heapviz` tool displays an animated "movie" of the allocated bytes in
-heap memory. Each frame in this "movie" shows bytes that are currently
-allocated, that were allocated but are now freed, and that have never been
-allocated. A new frame is generated for each (de)allocation operation. This tool
-uses the `ncurses` library, that you may have to install beforehand.
-
-You can control the tool with the following parameters:
-
-* `--logfile` (required) to provide the file which contains the console output
- to parse,
-* `--fps` (optional) to customize the number of frames per second in the movie
- animation.
-
-```shell
-cargo run --manifest-path tools/heapviz/Cargo.toml -- --logfile console.log --fps 50
-```
+To test whether the installation was successful, visit a
+[demo website](https://webauthn.io/) and try to register and login.
+Please check our [Troubleshooting and Debugging](docs/debugging.md) section if you
+have problems with the installation process or during development. To find out what
+else you can do with your OpenSK, see [Customization](docs/customization.md).
## Contributing
diff --git a/docs/boards/nrf52840_dongle.md b/docs/boards/nrf52840_dongle.md
new file mode 100644
index 0000000..e88104b
--- /dev/null
+++ b/docs/boards/nrf52840_dongle.md
@@ -0,0 +1,85 @@
+# 
+
+## Nordic nRF52840 Dongle
+
+
+
+### 3D printed enclosure
+
+To protect and carry your key, we partnered with a professional designer and we
+are providing a custom enclosure that can be printed on both professional 3D
+printers and hobbyist models.
+
+
+
+All the required files can be downloaded from
+[Thingiverse](https://www.thingiverse.com/thing:4132768) including the STEP
+file, allowing you to easily make the modifications you need to further
+customize it.
+
+### Flashing using DFU (preferred method)
+
+To flash the firmware, run:
+
+```shell
+./deploy.py --board=nrf52840_dongle_dfu --opensk --programmer=nordicdfu
+```
+
+The script will ask you to switch to DFU mode. To activate that on your dongle,
+keep the button pressed while inserting the device into your USB port. You may
+additionally need to press the tiny, sideways facing reset button. The device
+indicates DFU mode with a slowly blinking red LED.
+
+### Flashing with an external programmer (JLink, OpenOCD, etc.)
+
+If you want to use JTAG with the dongle, you need additional hardware.
+
+* a [Segger J-Link](https://www.segger.com/products/debug-probes/j-link/) JTAG
+ probe.
+* a
+ [TC2050 Tag-Connect programming cable](https://www.tag-connect.com/product/tc2050-idc-nl-10-pin-no-legs-cable-with-ribbon-connector).
+* a [Tag-Connect TC2050 ARM2010](http://www.tag-connect.com/TC2050-ARM2010)
+ adaptor
+* optionally a
+ [Tag-Connect TC2050 retainer clip](http://www.tag-connect.com/TC2050-CLIP)
+ to keep the spring loaded connector pressed to the PCB.
+
+Follow these steps:
+
+1. The JTAG probe used for programming won't provide power to the board.
+ Therefore you will need to use a USB-A extension cable to power the dongle
+ through its USB port.
+
+1. Connect the TC2050 cable to the pads below the PCB:
+
+ 
+
+1. You can use the retainer clip if you have one to avoid maintaining pressure
+ between the board and the cable:
+
+ 
+
+1. Depending on the programmer you're using, you may have to adapt the next
+ command line. Run our script for compiling/flashing Tock OS on your device:
+
+ ```shell
+ $ ./deploy.py --board=nrf52840_dongle_opensk --programmer=jlink
+ ```
+
+1. Remove the programming cable and the USB-A extension cable.
+
+### Buttons and LEDs
+
+The bigger, white button conveys user presence to the application. Some actions
+like register and login will make the dongle blink, asking you to confirm the
+transaction with a button press. The small, sideways pointing buttong next to it
+restarts the dongle.
+
+The 2 LEDs show the state of the app. There are different patterns:
+
+| Pattern | Cause |
+|------------------------------------|------------------------|
+| all LEDs and colors | app panic |
+| green and blue blinking | asking for touch |
+| all LEDs and colors for 5s | wink (just saying Hi!) |
+| red slow blink | DFU mode |
diff --git a/docs/boards/nrf52840_feitian.md b/docs/boards/nrf52840_feitian.md
new file mode 100644
index 0000000..664df7b
--- /dev/null
+++ b/docs/boards/nrf52840_feitian.md
@@ -0,0 +1,23 @@
+# 
+
+## Customization
+
+### Cryptographic material
+
+All the generated certificates and private keys are stored in the directory
+`crypto_data/`. The expected content after running our `setup.sh` script is:
+
+File | Purpose
+------------------------ | --------------------------------------------------------
+`aaguid.txt` | Text file containaing the AAGUID value
+`opensk_ca.csr` | Certificate sign request for the Root CA
+`opensk_ca.key` | ECC secp256r1 private key used for the Root CA
+`opensk_ca.pem` | PEM encoded certificate of the Root CA
+`opensk_ca.srl` | File generated by OpenSSL
+`opensk_cert.csr` | Certificate sign request for the attestation certificate
+`opensk_cert.pem` | PEM encoded certificate used for the authenticator
+`opensk.key` | ECC secp256r1 private key used for the autenticator
+`opensk_upgrade.key` | Private key for signing upgrades through CTAP
+`opensk_upgrade_pub.pem` | Public key added to the firmware for verifying upgrades
+
+If you want to use your own attestation certificate and private key,
+replace the `opensk_cert.pem` and `opensk.key` files. The script at
+`tools/configure.py` customizes an OpenSK device with the correct certificate
+and private key.
+
+Our build script `build.rs` is responsible for converting the `aaguid.txt` file
+into raw data that is then used by the Rust file `src/ctap/key_material.rs`.
+
+Please make sure to safely store all private key material before calling
+`reset.sh`, or the files will be lost.
+
+#### Certificate considerations
+
+The certificate on OpenSK is used for attestation. That means, whenever you
+register OpenSK on a website, you attest the legitimacy of your hardware. For
+self-generated certificates, this claim is rather trivial. Still, it is required
+by some websites and to use U2F.
+
+Usually, the attestation private key is shared between a batch of at least
+100,000 security keys of the same model. If you build your own OpenSK, your
+private key is unique to you. This makes you identifiable across registrations:
+Two websites could collaborate to track if registrations were attested with the
+same key material. If you use OpenSK beyond experimentation, please consider
+carefully if you want to take this privacy risk.
+
+### Software personalization
+
+If you build your own security key, depending on the hardware you use, there are
+a few things you can personalize:
+
+1. If you have multiple buttons, choose the buttons responsible for user
+ presence in `src/main.rs`.
+1. If you have colored LEDs, like different blinking patterns and want to play
+ around with the code in `src/main.rs` more, take a look at e.g. `wink_leds`.
+1. You find more options and documentation in `src/ctap/customization.rs`,
+ including:
+ * The default level for the credProtect extension.
+ * The default minimum PIN length, and what relying parties can set it.
+ * Whether you want to enforce alwaysUv.
+ * Settings for enterprise attestation.
+ * The maximum PIN retries.
+ * Whether you want to use batch attestation.
+ * Whether you want to use signature counters.
+ * Various constants to adapt to different hardware.
diff --git a/docs/debugging.md b/docs/debugging.md
new file mode 100644
index 0000000..9414e91
--- /dev/null
+++ b/docs/debugging.md
@@ -0,0 +1,137 @@
+#