[Opensc-devel] Undeletable MF and 3F00/2F00 file, can't create new files due to ACL on ePass2003

[Ondrej M. <ond...@ni...>]

Hi,

I got one ePass2003 token in a strange state where it can't be erased
(via pkcs15-init -E) and no new files can be created. I can't seem to
find a way to reset/erase the token.

Any erase or file create attempt returns 69 82 "Security status not
satisfied".

Even the Feitian's fix_tool [1] doesn't work, the proprietary INS 0xE3
fails to install new PIN/key, instruction fails also with 69 82:

====
 Enc APDU :
 80 50 00 00 08 BF C3 29 11 C7 18 C3 40 1C
 SCardTransmit		: Command successful.
 card response: 90 00

 Enc APDU :
 84 82 03 00 10 FC C4 17 D6 DC 54 83 AF FD 64 DA 2F 23 06 B8 04
 SCardTransmit		: Command successful.
 card response: 90 00


 Install PIN...
 Enc APDU :
 8C E3 00 00 2D 87 21 01 02 7B 4B 2B 34 B1 D5 C4 03 8F A0 73 43 8E 00 91
F9 E6 98 BC 15 ED 8A 99
 E5 05 8B 37 55 EB 63 89 8E 08 CC 8C 9F 77 41 8B 19 B9 00
 SCardTransmit		: Command successful.
 card response: 69 82


 Verify PIN...
 Enc APDU :
 0C 20 00 01 2D 87 21 01 40 F0 5D C2 7C C7 17 5F 85 9B 5F DD 86 BD FF 04
F4 D8 34 48 94 2F 15 4C
 5B 5C E2 C3 5E C7 6E 07 8E 08 6F E0 31 6C 23 9F 88 D9 00
 SCardTransmit		: Command successful.
 card response: 94 03


 Erase MF file ...
 Enc APDU :
 0C E4 00 00 1D 87 11 01 1C A9 3B C0 96 4D 25 40 BF 36 46 40 F9 52 A1 A0
8E 08 6A AD 1E 2D D4 ED
 C7 DD 00
 SCardTransmit		: Command successful.
 card response: 69 82
===

List of files with ACL on the card is below. Notice that pin object file
3F00/5015/4401 is missing, as are missing the ODF, TokenInfo and
UnusedSpace files (3F00/5015/503[1-3]). File list from opensc-tool
--list-files:

===
3f00 [entersafe-fips] type: DF, size: 0
select[N/A] lock[N/A] delete[N/A] create[N/A] rehab[N/A] inval[N/A]
list[N/A] sec: 90:96:FF:96:FF:FF:FF:FF
prop: 00:7F

  3f002f00 type: wEF, ef structure: linear-fixed, size: 0
  read[N/A] update[N/A] erase[N/A] write[N/A] rehab[N/A] inval[N/A] sec:
90:96:96:96:FF:FF:FF:FF

  3f005015 [\xA0\x00\x00\x00cPKCS-15] type: DF, size: 0
  select[N/A] lock[N/A] delete[N/A] create[N/A] rehab[N/A] inval[N/A]
list[N/A] sec: 90:96:FF:96:FF:FF:FF:FF
  prop: 00:7F

    3f0050159f00 type: wEF, ef structure: transparent, size: 2
    read[N/A] update[N/A] erase[N/A] write[N/A] rehab[N/A] inval[N/A]
sec: 90:90:FF:90:FF:FF:FF:FF

00000000: 06 06 ..
===

The ACLs above seem to be card-specific and I haven't find any
documentation on them anywhere. From cardctl.h, 0x90 ==
EPASS2003_AC_MAC_NOLESS, 0x6 == EPASS2003_AC_USER and 0x0 ==
EPASS2003_AC_EVERYONE.

Any idea how to erase or "unbrick" the token? There seems to be no
documentation on INS 0xE3 except for its use in
card-epass2003.c:install_secret_key().


[1] http://www.gooze.eu/forums/support/epass2003-recovery-tool


Ondrej Mikle