
@dminca
Last active June 19, 2024 21:50
YubiKey - unblock PIN after locking it with 3 wrong PIN attempts

Unlock YubiKey ⚠️

After entering the wrong PIN 3 times, your YubiKey locks that PIN in order to prevent brute-forcing it. Luckily, there's a way of getting yourself out of this state.

⚠️ you will lose all data on it

gpg2 --card-status
Application ID ...: D2760001240102010006042126520000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 04212652
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Unlocking it

You need to drop into the GPG Agent shell and execute these hex commands one by one (wait for the response, then enter the next one):

gpg-connect-agent --hex
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
OK
> scd apdu 00 e6 00 00
D[0000] 90 00 ..
OK
> scd apdu 00 44 00 00
D[0000] 90 00 ..
OK
>
  • unplug and re-plug the YubiKey
  • kill the GPG Agent and scdaemon:
pkill gpg-agent && pkill scdaemon
  • get a card status: gpg --card-status
  • success; the YubiKey was factory-reset and you lost all data on it
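To make the session above easier to read, here is an added Python example (not part of the gist) that decodes the two things it relies on: the "PIN retry counter" line of gpg --card-status, and the status words (69 82, 69 83, 90 00) that scd apdu prints after each command. It also checks that a transcript follows the gist's own order, i.e. both PW1 (P2 = 81) and PW3 (P2 = 83) reach 69 83 before TERMINATE DF is sent. The sample card-status text and transcripts are constructed from the gist's output; the 69 85 response in the incomplete sample is a constructed value, not a recorded card response.

```python
"""Decode the gpg --card-status retry counters and the scd apdu status words
shown in the gist. Added example; not part of the gist."""
import re

# Instruction bytes of the commands in the gist's session (ISO 7816 / OpenPGP card spec).
INS_NAMES = {0x20: "VERIFY", 0xE6: "TERMINATE DF", 0x44: "ACTIVATE FILE"}
# For VERIFY, P2 selects which password the card checks.
PW_NAMES = {0x81: "PW1 (user PIN)", 0x82: "PW1 (user PIN, mode 82)", 0x83: "PW3 (admin PIN)"}

# Constructed sample: the relevant lines of the gist's card status.
SAMPLE_CARD_STATUS = """\
Application ID ...: D2760001240102010006042126520000
PIN retry counter : 3 0 3
Signature counter : 0
"""

# Constructed sample: a shortened copy of the gist's gpg-connect-agent session.
SAMPLE_TRANSCRIPT = """\
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
OK
> scd apdu 00 e6 00 00
D[0000] 90 00 ..
OK
> scd apdu 00 44 00 00
D[0000] 90 00 ..
OK
"""

# Constructed sample (the 69 85 reply is made up, not recorded): TERMINATE DF
# sent while only PW1 is exhausted, so the gist's ordering is not followed.
SAMPLE_INCOMPLETE = """\
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
OK
> scd apdu 00 e6 00 00
D[0000] 69 85 i.
OK
"""


def parse_retry_counters(card_status):
    """Return the three counters gpg prints, in the order the card reports them:
    PW1 (user PIN), Reset Code, PW3 (admin PIN)."""
    m = re.search(r"^PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)", card_status, re.M)
    if not m:
        raise ValueError("no 'PIN retry counter' line in card status")
    user, reset_code, admin = (int(v) for v in m.groups())
    return {"user_pin": user, "reset_code": reset_code, "admin_pin": admin}


def decode_status_word(sw):
    """Explain an ISO 7816 status word given as 'XX YY' or 'XXYY'."""
    sw = sw.replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{4}", sw):
        raise ValueError(f"not a status word: {sw!r}")
    if sw == "9000":
        return "success"
    if sw == "6982":
        return "security status not satisfied (wrong PIN; retries remain)"
    if sw == "6983":
        return "authentication method blocked (retry counter exhausted)"
    if sw == "6985":
        return "conditions of use not satisfied"
    if sw.startswith("63C"):  # cards that report the remaining count in SW2
        return f"wrong PIN; {int(sw[3], 16)} retries remaining"
    return f"unrecognised status word {sw}"


def parse_transcript(text):
    """Pair each 'scd apdu' command with the status word on its D[...] line."""
    events, pending = [], None
    for line in text.splitlines():
        if line.startswith("> scd apdu "):
            apdu = bytes.fromhex(line[len("> scd apdu "):].replace(" ", ""))
            pending = {"ins": INS_NAMES.get(apdu[1], f"INS {apdu[1]:02X}"),
                       "target": PW_NAMES.get(apdu[3]) if apdu[1] == 0x20 else None,
                       "p2": apdu[3]}
        elif line.startswith("D[") and pending is not None:
            # Leading run of hex byte tokens; the last two bytes are SW1 SW2.
            hexrun = []
            for tok in line.split()[1:]:
                if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                    break
                hexrun.append(tok)
            sw = "".join(hexrun[-2:]).upper()
            pending.update(sw=sw, meaning=decode_status_word(sw))
            events.append(pending)
            pending = None
    return events


def reset_sequence_complete(events):
    """True if, as in the gist, both PW1 and PW3 returned 69 83 before
    TERMINATE DF, and TERMINATE DF plus ACTIVATE FILE both returned 90 00."""
    exhausted, terminated, activated = set(), False, False
    for ev in events:
        if ev["ins"] == "VERIFY" and ev["sw"] == "6983":
            exhausted.add(ev["p2"])
        elif ev["ins"] == "TERMINATE DF":
            if not {0x81, 0x83} <= exhausted:
                return False
            terminated = ev["sw"] == "9000"
        elif ev["ins"] == "ACTIVATE FILE":
            activated = terminated and ev["sw"] == "9000"
    return terminated and activated


if __name__ == "__main__":
    print(parse_retry_counters(SAMPLE_CARD_STATUS))
    for ev in parse_transcript(SAMPLE_TRANSCRIPT):
        print(f'{ev["ins"]:14} {ev["target"] or "":26} {ev["sw"]}  {ev["meaning"]}')
    print("reset sequence complete:", reset_sequence_complete(parse_transcript(SAMPLE_TRANSCRIPT)))
```

Paste your own card-status output into parse_retry_counters to see which PIN is actually blocked before doing anything destructive: in the gist's output the middle counter is the Reset Code, which reads 0 simply because no Reset Code was set.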

Resources

@p1-ra

p1-ra commented Dec 16, 2021

That is ~harsh, I do prefer:

$ gpg  --card-edit

gpg/card> help
quit           quit this menu
admin          show admin commands
help           show this help
list           list all available data
fetch          fetch the key specified in the card URL
passwd         menu to change or unblock the PIN
verify         verify the PIN and list all data
unblock        unblock the PIN using a Reset Code

gpg/card> passwd
gpg: OpenPGP card no. XXXXXXXXXXXXXXXXXX detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 2

Then, after entering the PUK code, the PIN code can be changed (which unblocks/resets the remaining attempt counter).

@dminca
Author

dminca commented Dec 16, 2021

Nice! I forgot about that one.

My example is harsh indeed, but it's intended for a hard reset; it is uncomfortable and not really user-friendly, but it's the last solution I found when I was faced with this problem at the time 😄

@radupopa2010

What if you don't know the PUK code? I used the hex method and it still worked; thanks for sharing those notes @dminca

@owans

owans commented May 23, 2024

I used the hex method and it worked.

Thank you @dminca
