Nitrokey Start bricked?


#1

It seems I’ve managed to brick my just-acquired Nitrokey Start. I feel such a noob here…

So I went through instructions in start and created the keys.

I’ve read the note about the admin/user pwd:

> (Please be careful to change admin PIN first and user PIN second! Otherwise the admin-less mode got activated, see [this instructions](https://www.fsij.org/doc-gnuk/gnuk-passphrase-setting.html#) for further information.)

I figured, who cares, I have too many passwords to remember in my life anyway (as evidenced by me bricking it) and went user-only mode.

I’ve also read the note about old firmwares:

> Firmware version 1.2.5 or below: In case you forget a PIN or enter it wrongly three times you need the reset code to unblock the PIN. Otherwise the device wouldn't be usable anymore! Therefore please set the reset code as well when initialising the key!

I figured this does not apply to me, since I have 1.2.10, and have not created any reset code (same reasoning again).

And… I of course managed to enter the passphrase wrong 3 times, setting the key url, of all things.

And of course factory reset does not work either, due to `sending card command dummy select failed: Conflicting use`.

I have read about this issue in another thread but that supposedly was caused by an old firmware.

So what now? Trash?

```
Reader ...........: 20A0:4211:FSIJ-1.2.10-43245017:0
Application ID ...: D276000124010200FFFE432450170000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 43245017
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 3 3
Signature counter : 4
KDF setting ......: off
```
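
A small check over the card status output posted above, as an added example that is not part of the original thread or of any Nitrokey or GnuPG tooling: it reports which PIN is blocked and whether the quoted "1.2.5 or below" note applies. The function names and the assumption that the firmware version follows `FSIJ-` in the Reader string (as it does in the posted output) are this example's own.

```python
import re

# Lines copied from the status output in the first post (the rest is not needed here).
SAMPLE = """\
Reader ...........: 20A0:4211:FSIJ-1.2.10-43245017:0
Key attributes ...: ed25519 cv25519 ed25519
PIN retry counter : 0 3 3
KDF setting ......: off
"""

# gpg prints the counters in this order: user PIN (PW1), reset code, admin PIN (PW3).
COUNTER_NAMES = ("user PIN", "reset code", "admin PIN")
# Threshold taken from the note quoted in the post ("1.2.5 or below").
RESET_CODE_REQUIRED_UP_TO = (1, 2, 5)


def parse_card_status(text):
    """Turn 'Label ....: value' lines into a dict keyed by the bare label."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.rstrip(" .")] = value.strip()
    return fields


def assess(text):
    """Report blocked PINs and whether the quoted old-firmware note applies."""
    fields = parse_card_status(text)
    counters = fields.get("PIN retry counter", "").split()
    if len(counters) != 3 or not all(c.isdigit() for c in counters):
        raise ValueError("no usable 'PIN retry counter' line in input")
    blocked = [n for n, c in zip(COUNTER_NAMES, counters) if int(c) == 0]
    # Assumption: the firmware version follows 'FSIJ-' in the Reader string,
    # as it does in the posted output. Compare as integers, not as text:
    # the string "1.2.10" sorts before "1.2.5".
    match = re.search(r"FSIJ-(\d+(?:\.\d+)+)", fields.get("Reader", ""))
    firmware = tuple(int(p) for p in match.group(1).split(".")) if match else None
    return {
        "blocked": blocked,
        "firmware": firmware,
        "reset_code_required": firmware is not None
        and firmware <= RESET_CODE_REQUIRED_UP_TO,
    }


if __name__ == "__main__":
    print(assess(SAMPLE))
```
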

#2

Hi!

As far as I understood the comment in the linked thread, Conflicting use means that some other application is accessing the device in parallel. But this might also mean another way for executing reset is required.


Just to confirm, could you try closing the pcscd service and retry the GnuPG reset? E.g. with:

```
sudo killall pcscd
pkill gpg-agent
```

Alternatively, I think it should be possible to use the Nitrokey Pro reset script, but let me test it on my device first just in case it would worsen the situation.
Indeed, on our FAQ site we do not have user-mode reset described.

@nitroalex could you add the description there please, when possible?


#3

pcscd is not running on my system during these operations. I am using Manjaro.

Based on a hunch I booted from a Kali USB and got it resolved. Since I can’t do factory reset on my Manjaro system even now, I would expect this to be a gpg incompatibility/bug.

For comparison:

--- gpg.txt	2019-03-25 23:25:54.000000000 +0100
+++ /dev/fd/63	2019-03-25 23:30:46.214813703 +0100
@@ -1,11 +1,11 @@
-gpg (GnuPG) 2.2.12
-libgcrypt 1.8.2
-Copyright (C) 2018 Free Software Foundation, Inc.
+gpg (GnuPG) 2.2.13
+libgcrypt 1.8.4
+Copyright (C) 2019 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.

Thanks for your help in any case.


#4

I am glad you have solved it! Perhaps you would find the gpg-docker project useful for making further factory resets via a Docker-based container, instead of moving to another OS.

@nitroalex Please investigate this further, if possible. Especially I would like to confirm on our side that GnuPG 2.1.14 is required to make a factory-reset on the user-mode working Start device. Would be nice to have the diff of the APDU communication as well.