[Gnuk-users] Factory-reset on Gnuk with blocked PIN
Alexander Paetzelt | Nitrokey
alex at nitrokey.com
Thu Nov 9 11:58:22 UTC 2017
Hi,
thanks for your explanation and advice (this goes to both of you, NIIBE
and Jeremy!).
I got it working with the new reset code based on the source code for
factory-reset of GnuPG 2.2.2 on a bricked 1.2.4 Gnuk device (Nitrokey
Start). I used 'gpg-connect-agent < file.txt' with following content
/hex
scd reset
scd serialno undefined
scd apdu 00 A4 04 00 06 D2 76 00 01 24 01
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
scd reset
/echo card has been reset to factory defaults
In the source code the last reset command is missing in the comment
(line 1722 of card-util.c)
I was able to upgrade to Gnuk 1.2.6 after applying this. The device
seems to work normal now.
Kind regards
Alex
On 11/02/2017 06:10 PM, Jeremy Drake wrote:
> On Thu, 2 Nov 2017, Alexander Paetzelt | Nitrokey wrote:
>
>> I am not sure if I understood you right. From GnuPG 2.2.2 on, even Gnuk
>> 1.2.2, 1.2.3. and 1.2.4 will be able to factory-reset with gpg command
>> or never at all? And Gnuk 1.2.5 and newer can be reset with use of older
>> GnuPG versions as well or only with GnuPG 2.2.2?
>
> 1.2.2-4 required a device reset and SELECT DF in between TERMINATE DF
> and ACTIVATE DF commands. GnuPG prior to 2.2.2 reset and re-selected
> as part of its reset procedure. The standard does not require a reset
> and re-select between terminate and activate. Gnuk 1.2.5 and newer do
> not require a reset and select between terminate and activate, and
> GnuPG 2.2.2 will not do a reset and select between terminate and
> activate.
>
> I have to admit, I don't see why doing a device reset in GnuPG should
> cause any problems. Once you do a TERMINATE DF, you should be able to
> do whatever you like, and the card should remain in the terminated
> state (and return the corresponding error code) until you do an
> ACTIVATE DF against the OpenPGP AID. In fact, what I've read of
> "de-bricking" devices when GnuPG failed to factory reset them was just
> doing the select and activate (because the card was left in a
> terminated state).
>
> _______________________________________________
> gnuk-users mailing list
> gnuk-users at lists.alioth.debian.org
> https://lists.alioth.debian.org/mailman/listinfo/gnuk-users
More information about the gnuk-users
mailing list