How to change Nitrokey PIN within Heads firmware?

I have a T430 with Nitrokey heads, and a Nitrokey 3A-mini.

I want to change the very insecure PIN for the key. Is the firmware able to do that, or do I need other software?

Do I need to add custom udev rules to get the 3A-mini working on Fedora?

Thanks!

Update: I downloaded the Nitrokey Flatpak and attempted to reflash the same firmware version, which failed.

I have no Flatpak overrides that should cause issues.

I found the needed udev rules:

https://docs.nitrokey.com/de/software/nitropy/linux/udev

They don't seem to be up to date. What entry is needed to get the 3A working?

There are tons of options:

# Nitrokey U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="uaccess"
# Nitrokey FIDO U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287", TAG+="uaccess"
# Nitrokey FIDO2
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b1", TAG+="uaccess"
# Nitrokey 3A Mini/3A NFC/3C NFC
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b2", TAG+="uaccess"
# Nitrokey 3A NFC Bootloader/3C NFC Bootloader
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42dd", TAG+="uaccess"
# Nitrokey 3A Mini Bootloader
ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42e8", TAG+="uaccess"
# Nitrokey Passkey
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42f3", TAG+="uaccess"
# Nitrokey Passkey Bootloader
ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42f4", TAG+="uaccess"

LABEL="u2f_end"

SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
ACTION!="add", GOTO="gnupg_rules_end"

# USB SmartCard Readers
## Crypto Stick 1.2
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"
## Nitrokey Pro
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"
## Nitrokey Pro Bootloader
ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b4", TAG+="uaccess"
## Nitrokey Storage
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"
## Nitrokey Storage Bootloader
ATTR{idVendor}=="03eb", ATTR{idProduct}=="2ff1", TAG+="uaccess"
## Nitrokey Start
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4211", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"
## Nitrokey HSM
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4230", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"

LABEL="gnupg_rules_end"


# Nitrokey Storage dev Entry
KERNEL=="sd?1", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4109", SYMLINK+="nitrospace"

So, I was able to use pynitrokey aka nitropy (this is so confusing, can you please use a single name :) ) and change the FIDO2 password.

I added the udev rules and could then reflash the firmware through the app, as well as see the saved credentials.

I have a HEADS_VALIDATION entry in my key with no username, no password and an unchangeable reverse HOTP entry.

The docs say that each function has a different password/PIN? This is confusing. I will see if I was able to change the key that is used for the Heads validation.
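
For the question above of which udev entry applies to a given key, one way to pick the matching rule out of a long rules file by USB vendor and product ID. This is an added example, not part of the original posts or of Nitrokey's tooling; the function name `rules_for_id` and the `SAMPLE_RULES` excerpt (a constructed subset of the rules quoted above) are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: four rules copied from the list quoted in the post.
SAMPLE_RULES='# Nitrokey FIDO2
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b1", TAG+="uaccess"
# Nitrokey 3A Mini/3A NFC/3C NFC
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b2", TAG+="uaccess"
# Nitrokey 3A Mini Bootloader
ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42e8", TAG+="uaccess"

## Nitrokey Pro
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"'

# rules_for_id VID PID  (hypothetical helper)
# Reads udev rules on stdin and prints "label<TAB>rule" for every rule whose
# idVendor/idProduct pair matches. The label is the nearest preceding comment.
rules_for_id() {
    awk -v vid="$1" -v pid="$2" '
        # Remember the most recent comment line as the label for the next rule.
        /^#/       { label = $0; sub(/^#+[ \t]*/, "", label); next }
        # A blank line ends a group, so forget the label.
        /^[ \t]*$/ { label = ""; next }
        {
            v = ""; p = ""
            # Works for both ATTR{...} and ATTRS{...} match keys.
            if (match($0, /idVendor[}]=="[0-9a-fA-F]+"/))
                v = tolower(substr($0, RSTART + 12, RLENGTH - 13))
            if (match($0, /idProduct[}]=="[0-9a-fA-F]+"/))
                p = tolower(substr($0, RSTART + 13, RLENGTH - 14))
            if (v == tolower(vid) && p == tolower(pid))
                printf "%s\t%s\n", label, $0
        }'
}

# Stand-alone run: look up the ID that the quoted list labels
# "Nitrokey 3A Mini/3A NFC/3C NFC".
printf '%s\n' "$SAMPLE_RULES" | rules_for_id 20a0 42b2
```

On a real system, take the ID pair from `lsusb` with the key plugged in and feed the installed rules file to the function on stdin.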