SmartCard v2.1 : factory reset fails

Fib Moro fibmoro at
Mon Feb 13 16:21:20 CET 2017

Dear GnuPG-Users List.

I'm having trouble with resetting my smartcard version 2.1.

After posting a bug report for GnuPG, Werner Koch asked me to re-post my question on this mailing list [0].

To answer his quick hint: factory-reset unfortunately did not work, as I already mentioned in my original request.

Please read more for further details below. Thank you kindly for your support!


I have accidentally blocked my smartcard version 2.1 after entering the AdminPIN 3
times with a wrong value.

According to the link on my card provider's homepage I tried to follow the
instructions by Werner to reset the card [1].

I then get the state (gpg --card-edit; verify):

Reader ...........: Gemalto USB Shell Token V2 (78111413) 00 00
Application ID ...: D2760001240102010005000046840000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000XXXX
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

I can then successfully change the PIN as well as AdminPIN.

However, when I try to write a key to the card (gpg --edit-key xxx; keytocard) I
get a message "Error setting the Reset Code: Bad PIN".

The same issue occurs when I try to set a Reset Code on the card (gpg --card-edit;
admin; passwd => set the Reset Code).

In both cases I am very certain that I'm entering the correct PIN/AdminPIN as I
have also tried to execute the reset process setting different PINs or even
leaving the default PIN values multiple times.

Trying to factory reset from "gpg --card-edit" menu didn't help either.

Is my card bricked? 

Am I doing something wrong?

One thing I noticed is the second 0 in the "PIN retry counter" value after
reset. From [2]:

"This field saves how many tries still are left to enter the right PIN. They are
decremented whenever a wrong PIN is entered. They are reset whenever a correct
AdminPIN is entered. The first and second PIN are for the standard PIN. gpg
makes sure that the two numbers are synchronized. The second PIN is only
required due to peculiarities of the ISO-7816 standard; gpg tries to keep this
PIN in sync with the first PIN. The third PIN represents the retry counter for
the AdminPIN."

My current setup is:

gpg 2.1.15 
ccid 1.4.24 
pcsc-lite 1.8.20 (with udev)

Thank you kindly for your help and feedback.



