Cryptostick V1.2 bricks after password reset

Hi,
I’ve reset my cryptostick by issuing:
gpg-connect-agent < /tmp/cryptostickreset.txt
where cryptostickreset.txt was from crypto-stick.com/en/faq

after that the card became a brick:

$ gpg2 --card-status
gpg: OpenPGP card not available: Not supported

$ opensc-tool --atr
Using reader with a card: German Privacy Foundation Crypto Stick v1.2 00 00
Failed to connect to card: Card command failed

Device is available on the USB bus, but gpg is unable to communicate with it

[12658.298333] usb 3-2: new full-speed USB device number 10 using xhci_hcd
[12658.310480] usb 3-2: New USB device found, idVendor=20a0, idProduct=4107
[12658.310487] usb 3-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[12658.310491] usb 3-2: Product: Crypto Stick v1.2
[12658.310495] usb 3-2: Manufacturer: German Privacy Foundation

I think the root of this issue is a bug in cryptostickreset.txt (last two APDUs swapped).
in all other sources (for example blog.mozilla.org/security/2013/ … as-an-hsm/)
command is:
/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo Reset complete

How to unbrick the device?

Hi!
You used the correct reset script. A wrong script is still circulating, see: lists.gnupg.org/pipermail/gnupg- … 46261.html

Please try to remove pcscd, then “pkill -f gnome-keyring-daemon” and try again accessing the device with GnuPG.

Hi,
after disabling pcscd, the same result (even on another machine)

(user)
$ gpg --card-status
gpg: selecting openpgp failed: ec=6.108
gpg: OpenPGP card not available: general error

(root)

gpg --card-status

Please insert the card and hit return or enter ‘c’ to cancel:

dmesg:

[1190905.706070] usb 3-1: new full-speed USB device number 36 using uhci_hcd
[1190905.853747] usb 3-1: New USB device found, idVendor=20a0, idProduct=4107
[1190905.853758] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[1190905.853766] usb 3-1: Product: Crypto Stick v1.2
[1190905.853772] usb 3-1: Manufacturer: German Privacy Foundation

Well, if it’s the same behaviour on other computers it indeed seems being broken. Did you try using it on Windows?

Hi,
I’ve found the root of the problem:
OpenPGP card v2 bricks after cryptostickreset.txt from the FAQ.
It actually has an error (the last two lines are swapped). I’ve proven this by successfully resetting
another OpenPGP card (using lists.gnupg.org/pipermail/gnupg- … 37919.html)
and then bricking it with the file from the FAQ.

Please try it yourself and fix the FAQ.

P.S. Is there any way to recover card from bricked state?

bricked openpgp card serial no:
V2.0 0005 00001E1B

Hi! Thanks for your feedback. Could you please address your question to lists.gnupg.org/pipermail/gnupg-users/

So, to make this short.
If somebody wants to reset the crypto-stick (ver. 1.2) on Linux without turning it into a brick: which of the reset scripts is the correct one, the one indicated by svpcom or the one in the FAQs? Are the FAQs still reliable, or outdated?

Thank you.

Hi,

I received my nitrokey storage in the mail today. I tried to set it up, but generating keys would always fail. So at first I tried resetting it with the factory-reset command in “gpg --card-edit”. It didn’t help. So then I tried the gpg-connect-agent script on the website’s FAQ to reset the stick. Now it’s completely dead. dmesg prints that a device is connecting and disconnecting and lsusb shows an “Atmel” device. But it’s like there’s nothing in there anymore. No light when it’s plugged in, etc. I guess I must have bricked it.

Originally this thread is about Crypto Stick / Nitrokey 1.2 but not the Storage device. Please post your message in a new discussion. Please state which operating system and which GPG version you are using.

Yes, I just realized that. Sorry for the noise.

I’m not sure if the following applies to “Cryptostick V1.2”, but it’s worth a shot:

I’ve got a Nitrokey Pro (no idea which version of it), which essentially is an openpgp 2.0 smartcard inside a USB adapter.

I sent a few “apdu” commands to it with opensc-tool, I took the commands from the reset instructions on the FAQ.
Eventually I got to the point where no program detected my “Nitrokey” anymore. Opensc kept telling me “Card command failed”.

Dammit, bricked it. Or so I thought at first.

If you’re in the same situation:

  • Go read the documentation on the actual hardware: g10code.com/docs/openpgp-card-2.0.pdf
    Especially chapters 7.2.13, 7.2.14 and 7.8
  • Debug what opensc-tool is actually doing. Add -vvv flags
  • See that it always sends some standard APDU commands. I assume to auto-detect the card or something. This command fails and lets opensc terminate early.
  • Stop using opensc-tool and communicate directly with pcscd. Here’s a python program to send the reset instructions and ignore all errors:
#!/usr/bin/python3

# Requires packages: pcscd python3-pyscard

import smartcard.System

# APDUs for an OpenPGP card 2.0 (CLA INS P1 P2 [Lc data]); see openpgp-card-2.0.pdf
select_file = [0x00, 0xa4, 0x04, 0x00, 0x06, 0xd2, 0x76, 0x00, 0x01, 0x24, 0x01, 0x00]  # SELECT the OpenPGP application by its AID
verify_pw1 = [0x00, 0x20, 0x00, 0x81, 0x08, 0x40, 0x40, 0x40, 0x40, 0x40, 0x40, 0x40, 0x40]  # VERIFY PW1 (P2=81) with a deliberately wrong PIN "@@@@@@@@"
verify_pw3 = [0x00, 0x20, 0x00, 0x83, 0x08, 0x40, 0x40, 0x40, 0x40, 0x40, 0x40, 0x40, 0x40]  # VERIFY PW3 (P2=83) with the same wrong PIN
terminate_df = [0x00, 0xe6, 0x00, 0x00]  # TERMINATE DF, allowed once the retry counters are exhausted
activate_file = [0x00, 0x44, 0x00, 0x00]  # ACTIVATE FILE, re-initialises the terminated application

readers = smartcard.System.readers()
reader = readers[0]  # first reader pcscd knows about; adjust the index if you have several
conn = reader.createConnection()
conn.connect()

# Send every APDU in order; transmit() returns the status word instead of raising,
# so a failing command does not stop the sequence
for msg in [
    select_file,
    verify_pw1, verify_pw1, verify_pw1, verify_pw1,
    verify_pw3, verify_pw3, verify_pw3, verify_pw3,
    terminate_df, activate_file,
]:
    data, sw1, sw2 = conn.transmit(msg)
    print("{:02x} {:02x} {}".format(sw1, sw2, data))

If you’re lucky, the last command returns “90 00” and your hardware is unbricked.
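To make the ordering point of this thread concrete, here is an added Python model (not code from any poster, from Nitrokey or from the FAQ) of how the PIN retry counters, TERMINATE DF and ACTIVATE FILE interact, run once with the correct sequence and once with the last two APDUs swapped. The card state machine, its status words and the access condition on TERMINATE DF are a simplified assumption for illustration, not the text of the OpenPGP card 2.0 specification.

```python
# Simplified model of an OpenPGP card v2.0 reset (assumed behaviour, not the spec text)
SW_OK, SW_PIN_BLOCKED = (0x90, 0x00), (0x69, 0x83)
SW_TERMINATED, SW_NOT_ALLOWED = (0x62, 0x85), (0x69, 0x85)

def apdu(ins, p2=0x00, data=()):
    """Build a CLA=00 APDU as a byte list, in the same shape as the script above."""
    return [0x00, ins, 0x00, p2] + ([len(data)] + list(data) if data else [])

BAD_PIN = [0x40] * 8                      # "@@@@@@@@", deliberately wrong
VERIFY_PW1 = apdu(0x20, 0x81, BAD_PIN)
VERIFY_PW3 = apdu(0x20, 0x83, BAD_PIN)
TERMINATE_DF = apdu(0xE6)
ACTIVATE_FILE = apdu(0x44)

class ModelCard:
    """Toy card: two PIN retry counters and a 'terminated' state that only ACTIVATE FILE leaves."""
    def __init__(self):
        self.retries = {0x81: 3, 0x83: 3}
        self.terminated = False

    def transmit(self, msg):                # mirrors pyscard's (data, sw1, sw2) return shape
        ins, p2 = msg[1], msg[3]
        if self.terminated and ins != 0x44:
            return ([], *SW_TERMINATED)     # assumed: a terminated card answers nothing else
        if ins == 0x20:                     # VERIFY with a wrong PIN burns one retry
            if self.retries[p2] == 0:
                return ([], *SW_PIN_BLOCKED)
            self.retries[p2] -= 1
            return ([], 0x63, 0xC0 | self.retries[p2])   # 63 Cx: x tries left
        if ins == 0xE6:                     # TERMINATE DF: assumed allowed only once both PWs are blocked
            if any(self.retries.values()):
                return ([], *SW_NOT_ALLOWED)
            self.terminated = True
            return ([], *SW_OK)
        if ins == 0x44:                     # ACTIVATE FILE: re-initialises a terminated card, else no-op
            if self.terminated:
                self.terminated, self.retries = False, {0x81: 3, 0x83: 3}
            return ([], *SW_OK)
        return ([], 0x6D, 0x00)             # INS not supported

def run(card, sequence):
    """Send every APDU regardless of errors and return the list of status words."""
    return [(sw1, sw2) for _, sw1, sw2 in (card.transmit(m) for m in sequence)]

RESET = [VERIFY_PW1] * 4 + [VERIFY_PW3] * 4 + [TERMINATE_DF, ACTIVATE_FILE]
SWAPPED = RESET[:-2] + [ACTIVATE_FILE, TERMINATE_DF]   # the FAQ bug the thread describes
```

In this model the swapped sequence leaves the card terminated, so every later command fails until a lone ACTIVATE FILE is sent, which is exactly what the pcscd script above does after its SELECT.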