Yubico Forum

Re: [SOLVED] How to reset a permanently locked "new" NEO?

2014-10-22T09:30:57+01:00

Hello,

it is just on version 1.0.7

You are welcome!

Statistics: Posted by Tom — Wed Oct 22, 2014 9:30 am

Re: [QUESTION] How to reset a permanently locked "new" NEO?

2014-10-22T08:11:07+01:00

Thank you Tom!

So as a summary, with versions before 1.0.8 (with NEOs 3.3+), it's probably not advised to use the ResetApplet procedures, and I should be much more careful with the Admin PIN, as it can only be fixed by replacement.

Embarrassing for me, but the support from this forum is very good, thanks again!

Statistics: Posted by chexum — Wed Oct 22, 2014 8:11 am

Re: [QUESTION] How to reset a permanently locked "new" NEO?

2014-10-22T07:19:52+01:00

Chexum.

Please contact support here: https://www.yubico.com/support/raise-ticket/

And refer them to this post, you are experiencing a known bug present of few versions of the 1.0.7 applet with the reset command.

Yubico apologize for the inconvenience.

Best Regards,
Tom.

Statistics: Posted by Tom — Wed Oct 22, 2014 7:19 am

Re: [QUESTION] How to reset a permanently locked "new" NEO?

2014-10-20T20:24:02+01:00

Thank you - I missed those instructions apparently. They seemed to work, sort of, everything produced the appropriate output (it was showing version 1.0.7). However, now I can see even less of the OpenPGP functionality. After removing and reinserting the NEO, nothing related to OpenPGP seem to work:

Code:

% gpg --card-edit

gpg: OpenPGP card not available: Not supported

gpg/card> %
% gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
ERR 100663427 Conditions of use not satisfied 

Without the agent running, it's just as scary:

Code:

% gpg --card-edit

scdaemon[15130]: can't select application `openpgp': Not supported
gpg: OpenPGP card not available: Not supported

gpg/card> scdaemon[15130]: updating slot 0 status: 0x0000->0x0007 (0->1)
% scdaemon[15130]: scdaemon (GnuPG) 2.0.26 stopped

Apart from that, it's working all right, except for the PGP part.

Code:

% ykinfo -a
serial: 3010629
serial_hex: 2df045
serial_modhex: dtvcfg
version: 3.3.0

The windows NEO manager application says the OpenPGP applet is installed, but without any version shown. Can this still be restored somehow?

Statistics: Posted by chexum — Mon Oct 20, 2014 8:24 pm

Re: [QUESTION] How to reset a permanently locked "new" NEO?

2014-10-20T07:34:17+01:00

Please, follow available documentation here:
https://developers.yubico.com/ykneo-ope ... pplet.html

Statistics: Posted by Tom — Mon Oct 20, 2014 7:34 am

[SOLVED] How to reset a permanently locked "new" NEO?

2014-10-22T08:11:58+01:00

I tried to change the PINs on a fresh NEO, but was confused what the message "Conditions of use not satisfied" means when trying to set the PIN/Admin PIN, and an additional fat-fingered PIN entry means I'm no longer able to use the OpenPGP functionality:

Code:

Application ID ...: D2760001240102000006030106290000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03010629
...
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> generate
Make off-card backup of encryption key? (Y/n) n

Please note that the factory settings of the PINs are
   PIN = `123456'     Admin PIN = `12345678'
You should change them using the command --change-pin

scdaemon[13182]: card is permanently locked!
gpg: error clearing forced signature PIN flag: Bad PIN

I thought these PINs would be possible to change from the PIV tools, but alas, yubico-piv-tool seems to manage a completely different set of PINs, not the ones shown above. Even if I change the PINs by yubic-piv-tool and/or reset the PIV applet, these counters don't seem to change.

The first seem to be the PIN retry, and the third is the admin PIN, but the second doesn't seem to change.

I also thought I would then need to reset everything in the OpenPGP applet (no big deal, as I have no private keys on it yet), but it seems to be this card is now too new to allow us mere mortals to upload new applets (Version 3.3.0)

So is it somehow possible to reset the PIN codes with this version?

Statistics: Posted by chexum — Sun Oct 19, 2014 10:19 pm