Nitrokey 3A NFC factory reset not working

dirupaneus · June 11, 2023, 9:12am

Hello,

I was experimenting the OpenPGP support for my nitrokey 3a NFC and got into a weird situation where I can’t seem to factory reset it.

I entered 3 times the wrong admin PIN, so I decided to factory reset it which doesn’t work:

$ gpg --card-edit

Reader ...........: 20A0:42B2:X:0
Application ID ...: D276000124010304000F9D66F4DD0000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: unknown
Serial number ....: 9D66F4DD
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 0
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> factory-reset 
gpg: OpenPGP card no. D276000124010304000F9D66F4DD0000 detected

gpg: Note: This command destroys all keys stored on the card!

Continue? (y/N) y
Really do a factory reset? (enter "yes") yes
sending card command SELECT AID failed: Bad secret key

gpg/card>

I’m running firmware v1.5.0 on my nitrokey.
Am I doing something wrong when trying the factory reset?

dirupaneus · June 13, 2023, 4:26pm

It seems the issue was on my side, I had to install some additional packages that I didn’t have installed:
This command fixed it:

sudo apt-get install gnupg pcscd scdaemon pcsc-tools

okycid · September 3, 2023, 10:32am

Dear Nitrokey Team,

I also encounter a similar situation, as described above. However, I did not have any key on the device yet. Since I first tried to change the default PIN, but always enterd 123456 for the admin PIN until I got blocked. Now my “gpg --card-status” shows PIN retry counter: 0 0 0

I also installed the recommended packages in this post.

sudo apt-get install pcscd pcsc-tools

By the way, I am using a NK3 Mini and unfortuantely, the method "gpg --card-edit” → “admin” → “factory-reset” fails with the following error:

Continue? (y/N) y
Really do a factory reset? (enter "yes") yes
sending card command SELECT AID failed: Bad secret key

Please assist me or let me know how to proceed. Thanks in advance and enjoy the rest of your weekend!

nku · September 3, 2023, 1:01pm

This is not implemented, yet:

It is possible to factory reset the smartcard with the right commands (opensc-tool -s 00:A4:04:00:06:D2:76:00:01:24:01:00 -s 00:E6:00:00 -s 00:44:00:00) even when the state is corrupted.

However, it is not possible to do so with GPG, because GPG tries to run GET DATA on some DOs and doesn’t accept faiiure.

Source

(Use at own risk. Not tested myself)

ivanloisy · September 8, 2023, 11:11pm

Hello @okycid,

I had the same problem as you. With me the concern came from the fact that libccid was not updated, and therefore did not support the NK3. I followed the documentation, and manually changed the /etc/libccid_info.plist file:

https://docs.nitrokey.com/nitrokey3/linux/troubleshooting#updating–dhe-device-database

I can now do factory reset.

Hoping that it can help you.

okycid · September 30, 2023, 9:46am

Dear Ivanloisy,

Thank you for taking the time to reply. I am now able to factory reset my NK3.

Enjoy the rest of you weekend and all the best wishes!