[NitroPad] Generate new totp/hotp secret failing

Hi,

Firstly I should say I am non technical and my linux experience is about 1 on a scale of 1-10. If you can respond as if explaining this to a small child it would be very much appreciated

I successfully setup and booted my nitropad running qubes 4.0 yesterday. All working ok

Later that day I tried to boot and and got some errors and no matter what the machine would keep booting into emergency mode

After some time I decided to do an OEM factory reset. That process has ran successfully up until the point of generating a new TOTP/HOTP secret. I have a QR code, I hit enter, I used google authenticator to generate a new secret but it is never successful and I can go no further

I get ‚Äúerror setting HOTP secret, re-enter admin PIN and try again‚ÄĚ

After that in the heads boot menu I get ‚ÄúTOTP 127301 | Error checking code, insert nitrokey and retry‚ÄĚ

None of this works

Finally, if I do force a boot. It just asks me x3 times for the disk password and enters emergency mode after a long delay.

Your help here would be much appreciated

Thanks for your help

Hi @tobias!

Could you tell more about your Nitrokey device? I do not see anything about it in your description. Do you have it inserted during the OEM factory reset? What model do you use?

Hi,

Thank you for coming back. Apologies I forgot to mention this.

I purchased a nitropad X230 and with it came the NK pro 2 as standard

The only customisation is having qubes 4.0

Thanks again

Thank you!
During the OEM factory reset, do you have your Nitrokey device inserted?

Thanks for coming back. Yes I do : )

Sorry it seems I cannot ad more than one image to show you me steps to reproduce. Please see steps and screenshots here https://pastebin.com/MjpumSnC

1 Like

Ah, I can see the cause now! Your smart card shows the Admin PIN counter being 0, which in consequence does not allow for any further write operations to it. With the OEM factory reset it should be possible to clear both smart card and the BIOS configuration to the initial working state. Will send the menu path in a minute.

From the main ‚ÄėBIOS‚Äô menu select:

  • Options
  • OEM factory reset

and continue with the instructions. Please check the following guide as well:

Hi,

Thank you for the response but I have repeated the OEM factory reset several times. The problem step is generating the new totp/hotp secret as described above

Can you advise?

Many thanks

I see. I thought you have misunderstood TOTP/HOTP secret regeneration for the OEM factory reset.
Could you send screens please from the latter procedure? The device has to be reset during it as well.

If it does not work from the menu, you can run Options -> Exit to recovery shell and enter the following:

oem-factory-reset

then press <ENTER> button and follow the screen guide.

Please let me know how this went.

I don’t see any documentation in the above link with regard to generating the new totp/hotp secrets.

Can you confirm if the google authenticator app will generate a key?

Also, I suspect the BIOS time is incorrect on my machine. As the BIOS time from memory of the first successful boot was a few hours off. If this is different from the google authenticator app then I assume if would fail. If this is the case, can you tell me how to update the bbIOS time?

Thanks again

HOTP secret cannot be written to the device without working Admin access. Right now the latter is disabled (counter equal 0) due to invalid 3 attempts of entering it. The smart card has to be reset to make it work again, including GPG keys regeneration and signing the boot files.

Let’s make it working with the HOTP / Nitrokey device first. The TOTP verification is for cases, where user does not have the access to the Nitrokey device and still want to confirm the device was not maliciously modified in the meantime.

Hi, thank you again for your help. Just before we proceed can you define some of the terms for me

  • By ‚Äėdevice‚Äô do you mean the PC or the nitrokey?
  • By ‚Äėsmart card‚Äô do you mean the nitrokey or something else?

With regard to the steps

  1. Using ‚Äėoem-factory-reset‚Äô I enter the same factory reset flow I have completed >10 times now. Everything is fine until the TOTP/HOTP secret regeneration step. The errors I recieve are documented in link from earlier https://pastebin.com/MjpumSnC

  2. ‚ÄúThe smart card has to be reset to make it work again, including GPG keys regeneration and signing the boot files.‚ÄĚ

Can you provide instructions on how to do this please?

  1. ‚ÄúLet‚Äôs make it working with the HOTP / Nitrokey device first‚ÄĚ

Can you provide instructions on how to do this please?

Thanks again

Sorry, I should have cleared that out in the beginning. By Nitrokey device I meant Nitrokey Pro or Nitrokey Storage, containing a smart card inside. By NitroPad I mean the Nitrokey Nitropad X230.

  1. I see. Do you always have Admin 0 message like in this screen? https://prnt.sc/tr4tt0
  2. This is done during the OEM factory reset operation.
  3. This is what we are working on right now. This should be fixed by OEM factory reset.

If (1) is true, then we will need to access to recovery console (available from options as written in [NitroPad] Generate new totp/hotp secret failing), then run gpg --card-edit and enter following:

> gpg2 --card-edit

Reader ...........: 20A0:4109:0000000000000:0
Application ID ...: D2760001240102010005000037C70000
Application type .: OpenPGP
(...)
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> factory-reset 
gpg: OpenPGP card no. D2760001240102010005000037C70000 detected

gpg: Note: This command destroys all keys stored on the card!

Continue? (y/N) y
Really do a factory reset? (enter "yes") yes

gpg/card> quit


> gpg2 --card-status
Reader ...........: 20A0:4109:0000000000000:0
Application ID ...: D2760001240102010005000037C70000
Application type .: OpenPGP
(...)
General key info..: [none]

> oem-factory-reset
(...)

Then please run the OEM factory reset once again (as in the listing). The default Admin PIN is 12345678, and User PIN (a.k.a. just PIN) is 123456.

Hi,

Thank you for thew above. Just a note, gpg2 does not exit is the error I get

However the rest of the steps on gpg/card> are ok

After completing I see the following

Note finally that when I do reboot I an asked for the disk password again which doesn not work after 3 attempts and then eventually goes back to emergency mode

Can you please advise what I should do next?

Good afternoon Szszszsz. Are you able to advise with the above?

Thanks

Good afternoon @tobias!

  1. You have not mentioned that - have you executed the oem-factory-reset afterwards as in the listing?
  2. If so, was the OTP secret written on the device successfully?
  3. I understand, that the only issue right now is the not working boot due to the disk password lock, am I right?
  1. Could you tell more about the disk password without revealing it?
  2. Have you booted the Qubes before with the password changed before?

Hi szszszsz

Please see my responses below

1. You have not mentioned that - have you executed the oem-factory-reset afterwards as in the listing?
Yes this have been completed

2. If so, was the OTP secret written on the device successfully?
I still fail at the generate new secret step, it does not seem possible to successfully complete the generate new secret step

3. I understand, that the only issue right now is the not working boot due to the disk password lock, am I right?
Yes I can boot even though the new secret has not been generated. After booting it will not take the disk password that I previously made

1. Could you tell more about the disk password without revealing it?
When I received the machine I successfully completed the setup and during that time created a username and password. The disk password was complex and contains >20 characters

2. Have you booted the Qubes before with the password changed before?
After creating the password the I successfully logged in. On the very next boot the following day I got some errors (I can’t remember what exactly) even if I would force a boot it would not take my disk password

I assume after oem factory reset if does not change the disk password. Is there a reason the machines will not take my disk password?

Thanks again

Correction: I have HOTP success to this seems to be working. I’m just stuck on the disk password step

Thanks!