SmartCard v2.1 : factory reset fails
Closed, Resolved, Public

Description

Dear GnuPG team.

I have accidentally blocked my smartcard version 2.1 after entering the AdminPIN
3 times with the wrong value.

According to the link on my card provider's homepage I tried to follow the
instructions by Werner to reset the card [1].

I then get the state (gpg --card-edit; verify):

Reader ...........: Gemalto USB Shell Token V2 (78111413) 00 00
Application ID ...: D2760001240102010005000046840000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000XXXX
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

General key info..: [none]

I can then successfully change the PIN as well as AdminPIN.

However, when I try to write a key to the card (gpg --edit-key xxx; keytocard) I
get a message "Error setting the Reset Code: Bad PIN".

The same issue occurs when I try to set a Reset Code on the card (gpg --card-edit;
admin; passwd => set the Reset Code).

In both cases I am very certain that I'm entering the correct PIN/AdminPIN as I
have also tried to execute the reset process setting different PINs or even
leaving the default PIN values multiple times.

Trying to factory reset from the "gpg --card-edit" menu didn't help either.

Is my card bricked?

Am I doing something wrong?

One thing I noticed is the second 0 in the "PIN retry counter" value after
reset. From [2]:

"This field saves how many tries still are left to enter the right PIN. They are
decremented whenever a wrong PIN is entered. They are reset whenever a correct
AdminPIN is entered. The first and second PIN are for the standard PIN. gpg
makes sure that the two numbers are synchronized. The second PIN is only
required due to peculiarities of the ISO-7816 standard; gpg tries to keep this
PIN in sync with the first PIN. The third PIN represents the retry counter for
the AdminPIN."

My current setup is:

gpg 2.1.15
ccid 1.4.24
pcsc-lite 1.8.20 (with udev)

Thank you kindly for your help and feedback.

fibmoro


[1] https://lists.gnupg.org/pipermail/gnupg-users/2009-September/037414.html
[2] https://www.gnupg.org/howtos/card-howto/en/ch03.html#id2521300

Details

Version
2.1
fibmoro set Version to 2.1.
fibmoro added a subscriber: fibmoro.
werner closed this task as Resolved.
werner claimed this task.

Please ask on the gnupg-users at gnupg.org mailing list for help. Note that you
do not need to subscribe but just wait a bit until our moderators approve
your mail. But anyway, here is a quick hint in case you did not already try:

$ gpg --card-edit
gpg/card> admin
gpg/card> factory-reset