I wonder why entering the SO-PIN more than 15 times (default value) bricks the device? Is it forced by hardware (i.e. the internal smart card works this way) or was that implemented separately? I believe that initializing such a device again would wipe the data from it, so there should be no problems with it?
Hi!
This is a hardware security latch, which makes the smart card unusable. We do not have any method for reinitializing a device with a used-up attempt counter for the SO PIN.
So this is as I suspected. Thank you for the answer.
Can the default number of maximum tries (attempts to enter a PIN) be increased in settings?
How many retries can be set as a maximum before it bricks?
It is not possible to change the default attempt count for the SO PIN as far as I see in the manual. For the User PIN I have found a Retry Counter Initial Value field in the INITIALIZE DEVICE APDU. Looking at the sc-hsm-tool help screen I see its value can be defined during initialization (no range declared):
$ sc-hsm-tool --help
sc-hsm-tool: unrecognized option '--help'
Usage: sc-hsm-tool [OPTIONS]
Options:
-X, --initialize Initialize token
-C, --create-dkek-share <arg>
Create DKEK key share and save to <filename>
-I, --import-dkek-share <arg>
Import DKEK key share <filename>
-W, --wrap-key <arg> Wrap key and save to <filename>
-U, --unwrap-key <arg> Unwrap key read from <filename>
-s, --dkek-shares <arg> Number of DKEK shares [No DKEK]
--so-pin <arg> Define security officer PIN (SO-PIN)
--pin <arg> Define user PIN
--pin-retry <arg> Define user PIN retry counter
(...)
$ man sc-hsm-tool
(...)
--pin-retry value
Define number of PIN retries for user PIN during initialization. Default is 3.
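The two retry counters discussed in this thread behave differently: the user PIN counter is set at initialization (--pin-retry, default 3) and can be unblocked afterwards, while the SO-PIN counter is fixed at 15 and trips a permanent latch when it reaches zero. The following is an added illustration written for this thread, not code from sc-hsm-tool or OpenSC. It models those counters in Python so the asymmetry is visible. Assumptions beyond what the posts state: a successful verification restores a counter to its initial value and the user PIN can be unblocked with the SO-PIN (both modelled after ordinary ISO 7816 PIN handling), re-initialization requires a verified SO-PIN, and the PIN values are constructed samples.

```python
"""Model of PIN retry counters on a SmartCard-HSM-style token.

Added illustration; not code from the thread, sc-hsm-tool or OpenSC.
Values taken from the thread: 15 SO-PIN tries (not configurable),
3 user-PIN tries unless --pin-retry sets another initial value.
Assumptions: success resets a counter (ISO 7816 style), the user PIN
can be unblocked with the SO-PIN, and re-initialization needs the SO-PIN.
"""
from dataclasses import dataclass, field

SO_PIN_RETRIES = 15            # hardware latch threshold, not settable at init
DEFAULT_USER_PIN_RETRIES = 3   # man page: "Default is 3"


class DeviceBricked(Exception):
    """Raised once the SO-PIN latch has tripped; nothing recovers from this."""


@dataclass
class Pin:
    secret: str
    initial_retries: int
    remaining: int = field(init=False)

    def __post_init__(self) -> None:
        self.remaining = self.initial_retries


class Token:
    def __init__(self, so_pin: str, user_pin: str,
                 pin_retry: int = DEFAULT_USER_PIN_RETRIES) -> None:
        # Mirrors INITIALIZE DEVICE: only the user PIN's initial retry value is a parameter.
        if pin_retry < 1:
            raise ValueError("user PIN retry counter must be at least 1")
        self.so_pin = Pin(so_pin, SO_PIN_RETRIES)
        self.user_pin = Pin(user_pin, pin_retry)
        self.latched = False

    def _verify(self, pin: Pin, candidate: str, fatal: bool) -> bool:
        if self.latched:
            raise DeviceBricked("SO-PIN counter exhausted; token permanently unusable")
        if pin.remaining == 0:
            return False                       # blocked: further attempts are not counted
        if candidate == pin.secret:
            pin.remaining = pin.initial_retries  # assumption: success restores the counter
            return True
        pin.remaining -= 1
        if pin.remaining == 0 and fatal:
            self.latched = True                # the hardware security latch from the reply
        return False

    def verify_so_pin(self, candidate: str) -> bool:
        return self._verify(self.so_pin, candidate, fatal=True)

    def verify_user_pin(self, candidate: str) -> bool:
        return self._verify(self.user_pin, candidate, fatal=False)

    def unblock_user_pin(self, so_pin: str, new_user_pin: str) -> bool:
        """Assumption: a verified SO-PIN resets the user PIN and its counter."""
        if not self.verify_so_pin(so_pin):
            return False
        self.user_pin = Pin(new_user_pin, self.user_pin.initial_retries)
        return True

    def initialize(self, so_pin: str, new_so_pin: str, new_user_pin: str,
                   pin_retry: int = DEFAULT_USER_PIN_RETRIES) -> bool:
        """Re-initialization wipes the token, but only after the SO-PIN verifies,
        so an exhausted SO-PIN counter cannot be escaped this way."""
        if not self.verify_so_pin(so_pin):
            return False
        self.__init__(new_so_pin, new_user_pin, pin_retry)
        return True


def remaining_tries(token: Token) -> dict:
    """What an operator should check before retrying anything on the token."""
    return {"so_pin": token.so_pin.remaining, "user_pin": token.user_pin.remaining}


if __name__ == "__main__":
    t = Token("0123456789ABCDEF", "123456", pin_retry=5)   # constructed sample PINs
    for _ in range(5):
        t.verify_user_pin("000000")
    print("user PIN blocked:", remaining_tries(t))
    print("unblocked with SO-PIN:", t.unblock_user_pin("0123456789ABCDEF", "654321"))
    for _ in range(SO_PIN_RETRIES):
        t.verify_so_pin("FFFFFFFFFFFFFFFF")
    print("latched:", t.latched, remaining_tries(t))
```

Running the block shows the practical consequence: a blocked user PIN is a recoverable condition as long as the SO-PIN is known, whereas the SO-PIN counter has no recovery path at all, which is why checking the remaining counter before every SO-PIN operation matters more than for the user PIN.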