Yubico Forum :: View topic - [SOLVED] How to reset a permanently locked "new" NEO?

Application ID ...: D2760001240102000006030106290000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03010629
...
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> generate
Make off-card backup of encryption key? (Y/n) n

Please note that the factory settings of the PINs are
PIN = `123456' Admin PIN = `12345678'
You should change them using the command --change-pin

scdaemon[13182]: card is permanently locked!
gpg: error clearing forced signature PIN flag: Bad PIN

% gpg --card-edit

gpg: OpenPGP card not available: Not supported

gpg/card> %
% gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
ERR 100663427 Conditions of use not satisfied <SCD>

% gpg --card-edit

scdaemon[15130]: can't select application `openpgp': Not supported
gpg: OpenPGP card not available: Not supported

gpg/card> scdaemon[15130]: updating slot 0 status: 0x0000->0x0007 (0->1)
% scdaemon[15130]: scdaemon (GnuPG) 2.0.26 stopped

% ykinfo -a
serial: 3010629
serial_hex: 2df045
serial_modhex: dtvcfg
version: 3.3.0

Author:	chexum [ Sun Oct 19, 2014 10:19 pm ]
Post subject:	[SOLVED] How to reset a permanently locked "new" NEO?
I tried to change the PINs on a fresh NEO, but was confused what the message "Conditions of use not satisfied" means when trying to set the PIN/Admin PIN, and an additional fat-fingered PIN entry means I'm no longer able to use the OpenPGP functionality: Code: Application ID ...: D2760001240102000006030106290000 Version ..........: 2.0 Manufacturer .....: Yubico Serial number ....: 03010629 ... Max. PIN lengths .: 127 127 127 PIN retry counter : 3 3 0 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] gpg/card> admin Admin commands are allowed gpg/card> generate Make off-card backup of encryption key? (Y/n) n Please note that the factory settings of the PINs are PIN = `123456' Admin PIN = `12345678' You should change them using the command --change-pin scdaemon[13182]: card is permanently locked! gpg: error clearing forced signature PIN flag: Bad PIN I thought these PINs would be possible to change from the PIV tools, but alas, yubico-piv-tool seems to manage a completely different set of PINs, not the ones shown above. Even if I change the PINs by yubic-piv-tool and/or reset the PIV applet, these counters don't seem to change. The first seem to be the PIN retry, and the third is the admin PIN, but the second doesn't seem to change. I also thought I would then need to reset everything in the OpenPGP applet (no big deal, as I have no private keys on it yet), but it seems to be this card is now too new to allow us mere mortals to upload new applets (Version 3.3.0) So is it somehow possible to reset the PIN codes with this version?

Author:	Tom [ Mon Oct 20, 2014 7:34 am ]
Post subject:	Re: [QUESTION] How to reset a permanently locked "new" NEO?
Please, follow available documentation here: https://developers.yubico.com/ykneo-ope ... pplet.html

Author:	chexum [ Mon Oct 20, 2014 8:24 pm ]
Post subject:	Re: [QUESTION] How to reset a permanently locked "new" NEO?
Thank you - I missed those instructions apparently. They seemed to work, sort of, everything produced the appropriate output (it was showing version 1.0.7). However, now I can see even less of the OpenPGP functionality. After removing and reinserting the NEO, nothing related to OpenPGP seem to work: Code: % gpg --card-edit gpg: OpenPGP card not available: Not supported gpg/card> % % gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye ERR 100663427 Conditions of use not satisfied <SCD> Without the agent running, it's just as scary: Code: % gpg --card-edit scdaemon[15130]: can't select application `openpgp': Not supported gpg: OpenPGP card not available: Not supported gpg/card> scdaemon[15130]: updating slot 0 status: 0x0000->0x0007 (0->1) % scdaemon[15130]: scdaemon (GnuPG) 2.0.26 stopped Apart from that, it's working all right, except for the PGP part. Code: % ykinfo -a serial: 3010629 serial_hex: 2df045 serial_modhex: dtvcfg version: 3.3.0 The windows NEO manager application says the OpenPGP applet is installed, but without any version shown. Can this still be restored somehow?

Author:	Tom [ Wed Oct 22, 2014 7:19 am ]
Post subject:	Re: [QUESTION] How to reset a permanently locked "new" NEO?
Chexum. Please contact support here: https://www.yubico.com/support/raise-ticket/ And refer them to this post, you are experiencing a known bug present of few versions of the 1.0.7 applet with the reset command. Yubico apologize for the inconvenience. Best Regards, Tom.

Author:	chexum [ Wed Oct 22, 2014 8:11 am ]
Post subject:	Re: [QUESTION] How to reset a permanently locked "new" NEO?
Thank you Tom! So as a summary, with versions before 1.0.8 (with NEOs 3.3+), it's probably not advised to use the ResetApplet procedures, and I should be much more careful with the Admin PIN, as it can only be fixed by replacement. Embarrassing for me, but the support from this forum is very good, thanks again!

Yubico Forum https://forum.yubico.com/

[SOLVED] How to reset a permanently locked "new" NEO? https://forum.yubico.com/viewtopic.php?f=26&t=1520	Page 1 of 1

Author:	Tom [ Wed Oct 22, 2014 9:30 am ]
Post subject:	Re: [SOLVED] How to reset a permanently locked "new" NEO?
Hello, it is just on version 1.0.7 You are welcome!

Page 1 of 1	All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/