In search of contributors to a Linux Chromebook fingerprint PAM module


Ability to unlock Linux (KDE lock screen, sudo) with the Chromebook’s fingerprint sensor. As of now, you can’t do that. I want to do that.


How to use ectool to use the fingerprint sensor

Try this on your Chromebook which has a fingerprint sensor.

Set the seed

sudo ectool --name=cros_fp fpseed aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

This is needed before enrolling fingers. It must be exactly 32 bytes. If you’re getting errors for other commands, you may need to set the seed again. When you upload templates you must use the same seed that you had when you enrolled the templates.

Enroll a finger

sudo ectool --name=cros_fp fpmode enroll

Then touch your finger to the sensor. Then run

sudo ectool --name=cros_fp fpmode

to check the fpmode. You should have to do this exactly 5 times to enroll a finger, but you may need to do it a few extra times if your finger didn’t get sensed properly.

If it says 0x30

That means it didn’t detect your finger. Press your finger to the sensor until the fpmode is not 0x30.

If it says 0x10

That means that it detected your finger, but it still needs more data to calibrate it. Run enroll again, press the same finger to the sensor, and check the mode again.

If it says 0x0

That means that your finger is enrolled.

Downloading the template

Choose a place where you want to save the template. I recommend making a fingers folder for your templates. Downloading the template lets you match the template even after the Chromebook suspends, shuts down, and ec resets.

sudo ectool --name=cros_fp fptemplate 0 > r1

You can replace r1 with any file name. I use r1 as an ID for right thumb. r2 would be right index finger, and so on.

Clearing the loaded templates

Before enrolling another finger, I recommend clearing the loaded templates to avoid errors. Remember to download the template before you clear templates.

sudo ectool --name=cros_fp fpmode reset_sensor

Uploading a saved template

sudo ectool --name=cros_fp fptemplate r1

Where r1 is the name/path to the file with the template.

Finding out the maximum number of fingerprint template slots

sudo ectool --name=cros_fp fpinfo

Sample output:

Fingerprint sensor: vendor 20435046 product 9 model 21f version 1
Image: size 160x160 8 bpp
Error flags: 
Dead pixels: UNKNOWN
Templates: version 4 size 5156 count 0/5 dirty bitmap 0

The key info is 0/5. It means that there are 5 slots total and 0 of them are currently being used.

Matching a finger

Before you do this, use fpinfo to check that you have at least 1 template loaded.

sudo ectool --name=cros_fp fpmode match

Then press a finger to test to the sensor. Then run

sudo ectool --name=cros_fp fpstats

Sample output:

FP stats (t0=115662613 us):
Last capture time:  90645 us
Last matching time: 180720 us (finger: 2)
Last overall time:  272723 us

This means that the test finger matched the template with the index 2 (it starts from 0).
Sample output:

FP stats (t0=2394100110 us):
Last capture time:  90756 us
Last matching time: Invalid
Last overall time:  Invalid

Invalid means that the test finger was not the same finger as any loaded templates.

The plan to implement fingerprint login

DBus interface

A program will run as root (to access /dev/cros_fp) and start a system DBus interface to allow interacting with the fingerprint sensor.

DBus client

Programs can run as normal users and interact with the dbus interface to access the fingerprint sensor as a normal user.


A CLI will be made which uses a DBus client to enroll fingerprints. This could be made into an app, but since you don’t really need to enroll fingerprints often, making a CLI makes more sense. No one’s stopping people from making an app though.

PAM Module

This function interacts with other programs to check if they should give you access to certain things. For example, KDE can interace with this function to unlock the lock screen if you press a valid finger to the sensor.

The plan is to write everything in Rust.

Who can contribute

  • Has a Chromebook with a fingerprint sensor
  • Is able to use ectool to manually enroll, download, upload, and match, and understand how to use the commands (I can help you learn)
  • Can contribute to Rust code (you can learn Rust)

How to contribute

Reply to this thread with any ideas, questions, or things you can do. I will be continueing development of GitHub - ChocolateLoverRaj/cros-fp-pam: PAM module for authenticating with fingerprint on Chromebooks in a few weeks. You can start sooner or later. Once I have a kind-of-working version, people who test it, report bugs, and hopefully find the cause and fix the bugs would be very helpful.

@Ultrabook u may be interested in this.

1 Like