I bought the Nitrokey HSM 2 some time ago for testing purposes to see if it fits my use case. When I got it, I played around with it, initializing, writing some keys, etc. Now after some time I returned to this HSM and I do not remember the SO-PIN. But I have the user PIN so I guess there is some functionality available. But I still want to reset it to continue testing other functions. The HSM is not locked, I have a few guesses left for the SO-PIN.
I have also disassembled the NitrokeyHSM 2 and found that it has a micro-SIM card inside:
Judging from the “Nitrokey Pro” text on the PCB, the Nitrokey HSM 2 is just a USB interface for the micro SIM and the SO-PIN and user PIN numbers are stored in that micro-SIM. In that case buying a new micro-SIM by itself is cheaper than buying a new Nitrokey HSM 2.
Questions:
If the SO-PIN counter is 0, does access with user PIN work or is the HSM locked forever?
Is it possible to “reset” the Nitrokey HSM 2 by replacing the micro-SIM?
What happens if the Nitrokey HSM 2 is connected without micro-SIM inserted? Will Nitrokey HSM 2 somehow physically break with no repair?
Is it even theoretically possible to use Nitrokey HSM 2 as a standard mobile SIM card adapter/interface?
The HSM SIM card will be locked, and the only operation left possible to revert this state to my knowledge is to run its firmware update. See this topic for details: Initialize Nitrokey HSM Device Blocked - #10 by sc-hsm.
Yes - both PIN counters and the actual secrets are taken from the smart card. Technically there should be no limitations in this regard (e.g. like there is no SIM card <-> device lock or authentication required). Just a fair warning: hardware changes makes warranty void, can result in hardware damage in some conditions (e.g. ESD), and we do not support it. Please keep in mind some components might be not compatible, or some features not supported by the replaced SIM card.
Without the SIM card Nitrokey HSM2 (and Nitrokey Pro as well) will not start, and with this it will not show up as a USB device. This is by design. During the boot the serial number of the device is received from the smart card, and without it device will simply abort the sequence.
In general yes. Some internal smart card communication procedures (e.g. getting the serial number during the boot) would have to be removed to continue to the USB enumeration, otherwise it should be possible to read out compatible SIM cards (using supported ISO T=1 communication protocol AFAIR).
Nitrokey HSM and Nitrokey Pro have a lot in common, and in fact use the same repository of the latter:
but to have Nitrokey HSM2 “development board” one would also need ability to run JCOP on the smart card as well as the SmartCard-HSM applet by @sc-hsm ?
Correct. The applet’s source code is not public, and there is no development access. More details about this software can be found on the CardContact Developer Network (CDN).
I tried to update the SmartCard-HSM firmware, but as You can see I was unable to do so because “SmartCard-HSM contains keys. Please remove keys first”. I think I can’t do that without the SO-PIN…
