@giannello
Last active April 27, 2026 12:32
Install fprintd-tod with support for Broadcom readers on Debian testing
#!/usr/bin/env sh
####################################################################
###                        DEBIAN ONLY                           ###
###                         NO UBUNTU                            ###
####################################################################
TEMPDIR=$(mktemp -d) || exit
# Install build dependencies
sudo DEBIAN_FRONTEND=noninteractive apt-get -qq build-dep -y libfprint-2-2
# Clone the closed-source library and firmware
cd "${TEMPDIR}" || exit
git clone --depth=1 --branch ubuntu/latest git://git.launchpad.net/libfprint-2-tod1-broadcom
cd libfprint-2-tod1-broadcom || exit
sudo cp lib/udev/rules.d/60-libfprint-2-device-broadcom.rules /usr/lib/udev/rules.d/60-libfprint-2-device-broadcom.rules
sudo chown -R root:root /usr/lib/udev/rules.d/60-libfprint-2-device-broadcom.rules
sudo mkdir -p /usr/lib/x86_64-linux-gnu/libfprint-2/tod-1
sudo cp usr/lib/x86_64-linux-gnu/libfprint-2/tod-1/libfprint-2-tod-1-broadcom.so /usr/lib/x86_64-linux-gnu/libfprint-2/tod-1/libfprint-2-tod-1-broadcom.so
sudo chown -R root:root /usr/lib/x86_64-linux-gnu/libfprint-2/tod-1/libfprint-2-tod-1-broadcom.so
sudo cp -r var/lib/fprint/fw /var/lib/fprint/
sudo chown -R root:root /var/lib/fprint/fw
# Clone libfprint, switch to the correct tag, patch and build
# LIBFPRINT_VERSION=$(dpkg-query --showformat='${Version}' --show fprintd | cut -d '-' -f 1)
LIBFPRINT_VERSION=$(dpkg-query --showformat='${Version}' --show libfprint-2-2 | cut -d '-' -f 1 | cut -d ":" -f 2)
cd "${TEMPDIR}" || exit
git clone --branch "v${LIBFPRINT_VERSION}+tod1" --depth=1 https://gitlab.freedesktop.org/3v1n0/libfprint.git
cd "${TEMPDIR}"/libfprint || exit
sed -e "/subdir('tests')/s/^/#/g" -i meson.build
sed -e "/subdir('examples')/s/^/#/g" -i meson.build
meson setup build --prefix=/usr
cd build || exit
meson compile
sudo cp libfprint/tod/libfprint-2-tod.so.1 /usr/lib/x86_64-linux-gnu/libfprint-2-tod.so.1
sudo chown root:root /usr/lib/x86_64-linux-gnu/libfprint-2-tod.so.1
sudo ln -sf /usr/lib/x86_64-linux-gnu/libfprint-2-tod.so.1 /usr/lib/x86_64-linux-gnu/libfprint-2-tod.so
sudo cp libfprint/libfprint-2.so.2 /usr/lib/x86_64-linux-gnu/
sudo chown root:root /usr/lib/x86_64-linux-gnu/libfprint-2.so.2
## Remove file incorrectly copied in a previous revision of this gist
sudo rm -f /usr/lib/x86_64-linux-gnu/libfprint-2/tod-1/libfprint-2-tod.so.1
cd "${TEMPDIR}" || exit
# Configure fprintd to not sleep
sudo mkdir -p /etc/systemd/system/fprintd.service.d
cat > override.conf <<EOF
[Service]
ExecStart=
ExecStart=/usr/libexec/fprintd --no-timeout
EOF
sudo cp override.conf /etc/systemd/system/fprintd.service.d/override.conf
sudo udevadm control --reload-rules
sudo systemctl daemon-reload
sudo systemctl restart fprintd
rm -rf "${TEMPDIR}"
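
The script copies vendor binaries and firmware into root-owned paths from a checkout fetched over `git://`, a transport that does not authenticate the server. The following added example (not part of the gist) shows one way to pin that payload by hash before the `sudo cp` steps; the manifest file, the function names and the sample tree are assumptions constructed for the illustration.

```shell
#!/usr/bin/env sh
# Added example, not part of the gist. PAYLOAD_PATHS mirrors the directories the
# script copies out of the libfprint-2-tod1-broadcom checkout; the manifest is an
# operator-maintained pin (assumption) in sha256sum format.
PAYLOAD_PATHS='lib/udev/rules.d usr/lib/x86_64-linux-gnu/libfprint-2/tod-1 var/lib/fprint/fw'

# make_manifest DIR: hash every file the install step would copy, sorted by path.
make_manifest() {
    # PAYLOAD_PATHS is intentionally unquoted so it splits into separate paths.
    ( cd "$1" && find $PAYLOAD_PATHS -type f -exec sha256sum {} + 2>/dev/null |
        LC_ALL=C sort -k 2 )
}

# verify_payload DIR MANIFEST: succeed only when DIR holds exactly the pinned
# files with the pinned hashes. A changed, added or missing file all fail.
verify_payload() {
    [ -d "$1" ] && [ -s "$2" ] || return 2
    actual=$(make_manifest "$1")
    expected=$(LC_ALL=C sort -k 2 "$2")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# build_sample_tree DIR: constructed stand-in for the vendor checkout (dummy
# contents, same relative layout as the paths used in the script).
build_sample_tree() {
    mkdir -p "$1/lib/udev/rules.d" "$1/var/lib/fprint/fw" \
        "$1/usr/lib/x86_64-linux-gnu/libfprint-2/tod-1"
    echo 'constructed udev rule' > "$1/lib/udev/rules.d/60-libfprint-2-device-broadcom.rules"
    echo 'constructed library' > "$1/usr/lib/x86_64-linux-gnu/libfprint-2/tod-1/libfprint-2-tod-1-broadcom.so"
    echo 'constructed firmware' > "$1/var/lib/fprint/fw/sample.bin"
}

# Demonstration on the constructed tree: pin it, then tamper with one file.
demo=$(mktemp -d)
build_sample_tree "$demo/checkout"
make_manifest "$demo/checkout" > "$demo/pinned.sha256"
verify_payload "$demo/checkout" "$demo/pinned.sha256" && echo "pinned tree: OK"
echo 'tampered' >> "$demo/checkout/var/lib/fprint/fw/sample.bin"
verify_payload "$demo/checkout" "$demo/pinned.sha256" || echo "tampered tree: REJECTED, do not install"
rm -rf "$demo"
```

In the real script, the manifest would be generated once from a checkout you have inspected and kept outside the temporary directory, with `verify_payload "${TEMPDIR}/libfprint-2-tod1-broadcom" /path/to/pinned.sha256 || exit 1` placed before the first `sudo cp`.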
@Fffrank

Fffrank commented Nov 7, 2024

Yeah, it seems like it has something to do with the fprintd. Everything works perfectly on Ubuntu Noble and Jammy but not in Debian. I will try testing with different versions of the driver and fprintd. Thank you again for this script @giannello 👍

You were able to get the broadcom 58200 0a5c:5843 working on noble using these commands? I know they need to be changed slightly for ubuntu but I haven't had any luck.

@giannello
Author

My new laptop does not have this fingerprint reader anymore, so the script is currently unmaintained.

@Kaloyan501

Kaloyan501 commented Nov 8, 2024

Could this script be converted to work on Arch? Also, does it work with 0a5c:5834?

@georgemarselis

necroposting, but was wondering if I could convince you gentlemen to work with me to get it working on fedora 41 on a dell Latitude 5410?

lsusb | grep -i finger
Bus 001 Device 003: ID 0a5c:5843 Broadcom Corp. BCM58200 ControlVault 3 (FingerPrint sensor + Contacted SmartCard)

@siddhpant

necroposting, but was wondering if I could convince you gentlemen to work with me to get it working on fedora 41 on a dell Latitude 5410?

Try installing the initial requisite packages manually, the rest of the script should hopefully stay the same (unless redhat changed paths to check/install).

@Jibun-no-Kage

Jibun-no-Kage commented Apr 14, 2025

Any reason I cannot use this script, modified to goodix reader?

# lsusb | grep -i finger
Bus 003 Device 002: ID 27c6:538d Shenzhen Goodix Technology Co.,Ltd. FingerPrint

Not all that familiar with git... I tried replacing 'broadcom' with 'goodix' and git clone failed. Any suggestions?

@artlog

artlog commented Jul 8, 2025

On my Debian trixie on a Dell Latitude 5420, using branch jammy fails: firmware for (0a5c:5843 Broadcom Corp. BCM58200 ControlVault 3) was not found:

juil. 08 09:35:35 l5420 fprintd[1690]: In cvif_IsUshThere(), cv_get_ush_ver() status: (0x0)
juil. 08 09:35:35 l5420 fprintd[1690]: Control Vault getting chip type
juil. 08 09:35:35 l5420 fprintd[1690]: Citadel A0 CID7 Chip Found....
juil. 08 09:35:35 l5420 fprintd[1690]: Can not find SBI file (bcmsbiCitadelA0_7.otp)
juil. 08 09:35:35 l5420 fprintd[1690]: Missing files necessary for complete firmware update
juil. 08 09:35:35 l5420 fprintd[1690]:                 FwUpgradeError. Check Firmware Files or CID used or Hardware etc. Error: 0x1c
juil. 08 09:35:35 l5420 fprintd[1690]: Ignoring device due to initialization error: An unspecified error occurred!

It might have been broken by 2024 5th june commit f1d11a05ead73d0284a7e80087a3a610b2583c04 for 'CV3 ans CV3 plus support'.

using branch ubuntu/latest fixed it

-git clone --depth=1 --branch jammy git://git.launchpad.net/libfprint-2-tod1-broadcom
+git clone --depth=1 --branch ubuntu/latest git://git.launchpad.net/libfprint-2-tod1-broadcom
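
Review bot: the `+` line tracks the moving branch `ubuntu/latest` with `--depth=1` over `git://`, so what gets installed is whatever the branch tip is at clone time, fetched over a transport with no server authentication or integrity protection. Consider cloning over https and checking out a specific commit that has been reviewed, or comparing the copied files against recorded hashes before installing; a single upstream commit changing behaviour on `jammy`, as suspected above, is the same risk in the other direction.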

Then, after ./setup.sh and a reboot, I got it working:

juil. 08 12:25:28 l5420 fprintd[1670]: In cvif_IsUshThere(), cv_get_ush_ver() status: (0x0)
juil. 08 12:25:28 l5420 fprintd[1670]: Control Vault getting chip type
juil. 08 12:25:28 l5420 fprintd[1670]: Citadel A0 CID7 Chip Found....
juil. 08 12:25:28 l5420 fprintd[1670]: Current AAI Version = 5.14.3.0
juil. 08 12:25:28 l5420 fprintd[1670]: Current SBI Version = 202
juil. 08 12:25:28 l5420 fprintd[1670]: AAI version available for upgrade = 5.14.3.0
juil. 08 12:25:28 l5420 fprintd[1670]: SBI version available for upgrade = 202
juil. 08 12:25:28 l5420 fprintd[1670]: AAI version matches - it is up do date
juil. 08 12:25:28 l5420 fprintd[1670]: SBI version matches - it is up do date
juil. 08 12:25:28 l5420 fprintd[1670]: Citadel A0 CID7 Chip Found....
juil. 08 12:25:28 l5420 fprintd[1670]: Sensor type  : 16 Sensor firmware version on device: GF5288_GM188WNC_APP_10009 length: 25
juil. 08 12:25:28 l5420 fprintd[1670]: Sensor-firmware file signature verification is valid
juil. 08 12:25:28 l5420 fprintd[1670]: Sensor firmware version in file(sensor 16): GF5288_GM188WNC_APP_10009 length: 25
juil. 08 12:25:28 l5420 fprintd[1670]: Sensor firmware versions in file and on device match

@Mozartwa123

Thanks! It works with a Dell Latitude 7330 on Debian 13 trixie (so stable, not testing). Thanks to that script I am not forced to switch to Ubuntu, but to Debian, which in my opinion is better... But there is one line I had to change: git clone --depth=1 --branch jammy git://git.launchpad.net/libfprint-2-tod1-broadcom had to be changed to git clone --depth=1 --branch ubuntu/jammy git://git.launchpad.net/libfprint-2-tod1-broadcom, because git threw an error that the jammy branch is not found, but after that fix it works perfectly! And even after suspend it works (at least in my case).

@Kollgergo

Thank you, it works flawlessly on Latitude 5520 with HW ID: 0a5c:5843. \o/
I had to do the modification described by @artlog

@giannello
Author

using branch ubuntu/latest fixed it

-git clone --depth=1 --branch jammy git://git.launchpad.net/libfprint-2-tod1-broadcom
+git clone --depth=1 --branch ubuntu/latest git://git.launchpad.net/libfprint-2-tod1-broadcom

Thanks @artlog - the fix is now part of the script

@hyperanalysis

hyperanalysis commented Apr 26, 2026

Hello, I wonder if someone could assist me - I have completed the script install for the broadcom driver on my Dell Latitude 5430 with Debian 13, and everything appears to be installed and running correctly:

● fprintd.service - Fingerprint Authentication Daemon
     Loaded: loaded (/usr/lib/systemd/system/fprintd.service; static)
    Drop-In: /etc/systemd/system/fprintd.service.d
             └─override.conf
     Active: active (running) since Sun 2026-04-26 16:35:37 BST; 8min ago
 Invocation: 92a235c610844d0fb24dcf82bb99edeb
       Docs: man:fprintd(1)
   Main PID: 3723 (fprintd)
      Tasks: 7 (limit: 18570)
     Memory: 27.8M (peak: 28.8M)
        CPU: 124ms
     CGroup: /system.slice/fprintd.service
             └─3723 /usr/libexec/fprintd --no-timeout

Apr 26 16:35:37 peitho fprintd[3723]: AAI version available for upgrade = 5.15.10.0
Apr 26 16:35:37 peitho fprintd[3723]: SBI version available for upgrade = 229
Apr 26 16:35:37 peitho fprintd[3723]: AAI version matches - it is up do date
Apr 26 16:35:37 peitho fprintd[3723]: SBI version matches - it is up do date
Apr 26 16:35:37 peitho fprintd[3723]: Citadel A0 CID7 Chip Found....
Apr 26 16:35:37 peitho fprintd[3723]: Sensor type  : 16 Sensor firmware version on device: GF5288_GM188WNC_APP_10009 length: 25
Apr 26 16:35:37 peitho fprintd[3723]: Sensor-firmware file signature verification is valid
Apr 26 16:35:37 peitho fprintd[3723]: Sensor firmware version in file(sensor 16): GF5288_GM188WNC_APP_10009 length: 25
Apr 26 16:35:37 peitho fprintd[3723]: Sensor firmware versions in file and on device match
Apr 26 16:35:37 peitho systemd[1]: Started fprintd.service - Fingerprint Authentication Daemon.

However, every time I try to run fprintd-enroll or attempt through the GUI in Settings for my user account, it doesn't 'bring anything up' or confirm reads at all with a response either in the GUI or CLI, as if it's just not doing anything, yet the above says everything is online and working.

Pulling my hair out a bit now so going to go for a cup of tea and think about anything else until someone might have an idea!!
Thanks in advance, Iain.

@hyperanalysis

Just to add after some further testing, if I wait about 1 minute after starting enroll it seems to register my prints, so at least I know the sensor is physically working now, but I get a certain amount through the registration and then it locks up:

Using device /net/reactivated/Fprint/Device/0
Enrolling right-index-finger finger.
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-unknown-error

Checking the service logs it shows ongoing registration at the time but at the point of failure above I get one of two errors:

Apr 27 13:21:55 peitho fprintd[1538]: Device reported an error during enroll: Enrollment failed : Device status = (11)
Apr 27 13:24:55 peitho fprintd[1538]: Device reported an error during enroll: Device disabled to prevent overheating.

I have tried reinstalling the script/driver using ubuntu/jammy as suggested earlier in the thread, but that had the same exact outcome, so I have reinstalled again using the default ubuntu/latest.
I have also tried resetting my TPM chip in the BIOS as a post I found suggested that previously registered Windows Hello data, which is held in the reader's local memory, could be blocking registration in Linux - no dice. :(
