Nitrokey Start reset user pin

Hi, I’m a beginner and need some help with mastering the Nitrokey Start. I have been getting to know the device via different utilities (opensc-explorer, gpg, pkcs15-init, Firefox plugin etc.) in the last few days, but now I’m stuck in a situation that I don’t know how to solve. I tried to change the pin code from Firefox and I get the following output with “pkcs15-tool -D”:

[code]
Using reader with a card: Nitrokey Nitrokey Start 0
PKCS#15 Card [OpenPGP card]:
Version : 0
Serial number : fffe52ff6f06
Manufacturer ID: OpenPGP project
Language : en
Flags : PRN generation, EID compliant

PIN [User PIN (sig)]
Object Flags : [0x3], private, modifiable
ID : 01
Flags : [0x13], case-sensitive, local, initialized
Length : min_len:6, max_len:127, stored_len:127
Pad char : 0x00
Reference : 1 (0x01)
Type : UTF-8
Path : 3f00
Tries left : 0

PIN [User PIN]
Object Flags : [0x3], private, modifiable
ID : 02
Flags : [0x13], case-sensitive, local, initialized
Length : min_len:6, max_len:127, stored_len:127
Pad char : 0x00
Reference : 2 (0x02)
Type : UTF-8
Path : 3f00
Tries left : 0

PIN [Admin PIN]
Object Flags : [0x3], private, modifiable
ID : 03
Flags : [0x9B], case-sensitive, local, unblock-disabled, initialized, soPin
Length : min_len:8, max_len:127, stored_len:127
Pad char : 0x00
Reference : 3 (0x03)
Type : UTF-8
Path : 3f00
Tries left : 3
[/code]

If I understand correctly, I cannot use the user pin anymore because there are no more retries left. So how do I reset the user pin with the admin pin? I don’t mind if the card gets erased during this process.

Thanks a lot for the help!
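As an added example (not part of the original post, and not Nitrokey or OpenSC code), this Python script parses the PIN objects from `pkcs15-tool -D` output like the one above and reports which PINs have an exhausted retry counter and how many tries the admin (soPin) PIN still has. The function names `parse_pins` and `pin_status` are the example's own, and the sample input is trimmed from the output in the post.

```python
import re

# Constructed sample: PIN objects trimmed from the `pkcs15-tool -D` output in the post above.
SAMPLE = """\
PIN [User PIN (sig)]
    Object Flags : [0x3], private, modifiable
    Flags : [0x13], case-sensitive, local, initialized
    Tries left : 0

PIN [User PIN]
    Object Flags : [0x3], private, modifiable
    Flags : [0x13], case-sensitive, local, initialized
    Tries left : 0

PIN [Admin PIN]
    Object Flags : [0x3], private, modifiable
    Flags : [0x9B], case-sensitive, local, unblock-disabled, initialized, soPin
    Tries left : 3
"""

def parse_pins(text):
    """Map each PIN label to its flag names and retry counter."""
    pins, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*PIN \[(.+)\]\s*$", line)
        if header:
            current = pins.setdefault(header.group(1), {"flags": set(), "tries_left": None})
        elif not line.strip():
            current = None  # a blank line ends the current object
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            if key.strip() == "Flags":  # "Object Flags" is a different field
                # Drop the leading hex mask, keep the flag names
                current["flags"] = {f.strip() for f in value.split(",")[1:]}
            elif key.strip() == "Tries left":
                current["tries_left"] = int(value)
    return pins

def pin_status(pins):
    """Summarise which PINs are blocked and how many admin (soPin) tries remain."""
    blocked = sorted(name for name, p in pins.items() if p["tries_left"] == 0)
    admin_tries = [p["tries_left"] for p in pins.values() if "soPin" in p["flags"]]
    return {"blocked": blocked, "admin_tries_left": admin_tries[0] if admin_tries else None}

if __name__ == "__main__":
    print(pin_status(parse_pins(SAMPLE)))
```

Checking `admin_tries_left` before any admin-PIN operation matters because wrong admin PIN entries decrement that counter as well.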

The easiest would be to use GnuPG: “gpg --card-edit” then enter “admin” and there you can unblock the PIN.

Hi, thanks!

I tried with “gpg --card-edit”, entered admin mode with “admin” and tried the “unblock” command without success. It returns “Error changing the PIN: Bad PIN” but to my surprise, the “PIN retry counter” stays the same as before (“0 3 3”). I also tried all 4 combinations from the passwd command (change pin, unblock pin, change admin pin, set reset code) but they all return the “PIN blocked” error. Any clues? Did I screw up my Nitrokey?

Perhaps you only changed the user PIN and therefore use the “admin less mode”? See fsij.org/doc-gnuk/gnuk-passp … reset-code

Do you have a reset-code?

I might be in admin-less mode, but I’m not sure as I tried a lot of different things when I was getting to know the Key. And unfortunately I did not set the reset key. :confused:

So now my only option is to completely erase and re-flash the device via SWD?

I’m afraid that is the case.

Did the SWD reprogramming, now the dongle works again. :slight_smile:

Just for the record: Nitrokey Start with firmware 1.2 (and newer) can be reset with GnuPG 2.1.