[Nitrokey HSM2] Can't change SO-PIN to default

hi, I’m trying to change my SO-PIN to the default:

pkcs11-tool --login --login-type so --so-pin 6262768868245897 --change-pin --new-pin 3537363231383830
->this is what I get:
Using slot 0 with a present token (0x0)
error: PKCS11 function C_SetPIN failed: rv = CKR_PIN_INCORRECT (0xa0)
Aborting.

I also tried using this so-pin and received an error:

sc-hsm-tool --initialize --so-pin 6262768868245897 --pin 123456 --dkek-shares 1
received:
Using reader with a card: Nitrokey Nitrokey HSM 0
sc_card_ctl(*, SC_CARDCTL_SC_HSM_INITIALIZE, *) failed with PIN code or key incorrect

I also tried the default one but it’s not working as well.

I have 9 tries left:

sc-hsm-tool.exe
Using reader with a card: Nitrokey Nitrokey HSM 0
Version : 3.4
Config options :
User PIN reset with SO-PIN enabled
SO-PIN tries left : 9
User PIN tries left : 3
DKEK shares : 1
DKEK key check value : D06F9424B813676E

I will appreciate any idea to solve this (I don’t mind resetting the data if required).

I’d try with the Smart Card shell - after starting the scsh3gui, fire up “Keymanager” and once your card data are there, there is a “Change SO-PIN” option there.

thanks, but in order to change the so-pin using the GUI you suggested, I need to enter the original so-pin, which I don’t know apparently.
in that case, is the key “lost”? or is there a way to reset the entire card to default in case I don’t know my true so-pin?

I think this is not easy. Maybe the token can be reset by the firmware upgrade process, but I’ve never done this.

Hi @AdiG,

By design the very first initialization can be done only once per installed firmware update. If I remember right the update process does require the SO-PIN as well (to clear the keys from the device, if there were ever created any). With that I am afraid that it is not possible to reuse the Nitrokey HSM after using up the SO-PIN attempt counter.

but there is no way to “factory reset” the token completely? I don’t need the data there…

That’s correct. Once the attempts counter for the SO-PIN is used up, there is no way to recover the Nitrokey HSM.
If there are no keys on it, then it could be potentially reinitialized with firmware update, but otherwise it’s unusable. This is the only Nitrokey model with factory reset being disabled.

but I still have 5 attempts left.
I just don’t know the so-pin.
regarding keys on it - I can delete them easily, since I only need user-pin for that and I know it.
so there is a way to recover from this?

I see. I think you can try to proceed then, and it should not worsen the situation. I have asked my colleagues to confirm this, so you can wait for their test results before that to be safe.

OK, I will wait in the meantime.
thanks!

hi, do you have an answer for me regarding how to format my key? (considering I don’t know my so-pin)

thanks

Without the SO-PIN it’s not possible to reset a Nitrokey HSM.

There seems to be a special case, where firmware update resets the device, even when the SO-PIN is set to 0. Let’s confirm this first before trying out. See this thread:

@AdiG did you ever solve this? What was the solution? Thanks.