From: Ryan C. <ry...@rc...> - 2016-01-25 05:50:37
Hi,

Does anyone know if there is a way to unblock a PUK on a PIV card or re-initialize the PIV applet? The card is a Gemalto IDPrime PIV Card v2.0 using SCP01.

ATR: 3b:7d:96:00:00:80:31:80:65:b0:83:11:11:e5:83:00:90:00

I know the admin key for the card, but even when I authenticate to the card (which still works), I am unable to change the state of the PUK lockout. The PIN is also blocked, but I know how to unblock that if the PUK is unblocked (for anyone who wants to know, if your PUK is 12345 and you want to unblock the PIN and set the PIN to 1234, do:

    piv-tool -A M:9B:03 -s 00:2c:00:80:10:31:32:33:34:35:ff:ff:ff:31:32:33:34:ff:ff:ff:ff

).

This command is used to change the PUK if the current one is known (it's 1234). However, I'm told 0x6983, which according to ISO 7816-4 means "Authentication method blocked":

    $ piv-tool -A M:9B:03 -s 00:24:00:81:10:31:32:33:34:ff:ff:ff:ff:31:32:33:34:ff:ff:ff:ff
    Using reader with a card: Gemalto Prox Dual USB PC Link Reader(2)
    Sending: 00 24 00 81 10 31 32 33 34 FF FF FF FF 31 32 33 34 FF FF FF FF
    Received (SW1=0x69, SW2=0x83)

According to the data sheet, the PUK is stored in the internal object tag 0xFF8101, but I am not sure if it is possible to write to that tag.

http://www.gemalto.com/products/piv_card/download/IDPrime_PIV_Card_v2_0_SCP01_OTP_Data_Model_Samples.pdf

What got me here was that I was unable to generate a keypair on the card and thought I might be able to reset the PIV application like Yubikey NEO does it. With their card, the PIN and PUK must be blocked, then you send "00 fb 00 00 00" and the PIV applet is reset with retry counters set at 3 again. Not so much with Gemalto. And I can't find anyone at Gemalto who will provide documentation, even if I am willing to pay for it.

Thought I would check here before I toss the card in the drawer and get a new one.

Thanks in advance,
Ryan
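The two APDUs in the post (RESET RETRY COUNTER to unblock the PIN with the PUK, and CHANGE REFERENCE DATA on key reference 0x81 to change the PUK) are built by hand as colon-separated hex. The following is an added example, not code from the post or from the OpenSC piv-tool; it builds those APDUs from plain PIN/PUK strings using the 8-byte 0xFF-padded field layout the post's commands use, formats them in piv-tool's `-s` syntax, and decodes the status word piv-tool prints (including the 63 Cx "tries remaining" form and the 69 83 "blocked" case the post hits). Function names are my own; the padding rule is taken from the post's own APDUs rather than from the card's documentation.

```python
"""PIV PIN/PUK APDU builder and status-word decoder (added example).

Not the original poster's code and not part of OpenSC/piv-tool. It reproduces
the APDU layout visible in the post: CLA 00, INS 2C/24, 8-byte PIN/PUK fields
padded with 0xFF. NIST SP 800-73 specifies 6..8 byte PINs; the post's card is
driven with shorter values, so only an upper bound is enforced here.
"""
import re

PIN_REF = 0x80  # PIV application PIN key reference
PUK_REF = 0x81  # PIV PIN Unblocking Key key reference

INS_VERIFY = 0x20
INS_CHANGE_REFERENCE_DATA = 0x24
INS_RESET_RETRY_COUNTER = 0x2C


def pad_pin(value: str) -> bytes:
    """Encode a PIN/PUK as an 8-byte field, ASCII digits padded with 0xFF."""
    if not value.isascii() or not value.isdigit():
        raise ValueError("PIN/PUK must be ASCII digits")
    if not 1 <= len(value) <= 8:
        raise ValueError("PIN/PUK must be 1..8 characters")
    return value.encode("ascii").ljust(8, b"\xff")


def verify(pin: str, ref: int = PIN_REF) -> bytes:
    """VERIFY: 00 20 00 <ref> 08 <pin padded>."""
    return bytes([0x00, INS_VERIFY, 0x00, ref, 0x08]) + pad_pin(pin)


def reset_retry_counter(puk: str, new_pin: str) -> bytes:
    """RESET RETRY COUNTER: 00 2C 00 80 10 <puk padded> <new pin padded>.

    Unblocks the PIN using the PUK and sets the PIN to new_pin. The post's
    example is reset_retry_counter("12345", "1234").
    """
    return (bytes([0x00, INS_RESET_RETRY_COUNTER, 0x00, PIN_REF, 0x10])
            + pad_pin(puk) + pad_pin(new_pin))


def change_reference_data(ref: int, current: str, new: str) -> bytes:
    """CHANGE REFERENCE DATA: 00 24 00 <ref> 10 <current padded> <new padded>.

    ref=PUK_REF changes the PUK (the post's failing command); ref=PIN_REF
    changes the PIN.
    """
    return (bytes([0x00, INS_CHANGE_REFERENCE_DATA, 0x00, ref, 0x10])
            + pad_pin(current) + pad_pin(new))


def piv_tool_arg(apdu: bytes) -> str:
    """Format an APDU the way piv-tool -s expects it (lowercase, colon-separated)."""
    return ":".join(f"{b:02x}" for b in apdu)


_RECEIVED_RE = re.compile(r"Received \(SW1=0x([0-9A-Fa-f]{2}), SW2=0x([0-9A-Fa-f]{2})\)")


def parse_received(line: str) -> tuple:
    """Parse piv-tool's 'Received (SW1=0x69, SW2=0x83)' line into (sw1, sw2)."""
    m = _RECEIVED_RE.search(line)
    if not m:
        raise ValueError("not a piv-tool Received line")
    return int(m.group(1), 16), int(m.group(2), 16)


def decode_sw(sw1: int, sw2: int) -> str:
    """Explain the ISO 7816-4 status words that matter for PIN/PUK handling."""
    if (sw1, sw2) == (0x90, 0x00):
        return "OK"
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:
        # 63 Cx: wrong PIN/PUK, x = retries left before the reference is blocked
        return f"wrong PIN/PUK, {sw2 & 0x0F} tries remaining"
    if (sw1, sw2) == (0x69, 0x83):
        return "authentication method blocked (retry counter exhausted)"
    if (sw1, sw2) == (0x69, 0x82):
        return "security status not satisfied (authenticate first)"
    if (sw1, sw2) == (0x6A, 0x80):
        return "incorrect parameters in data field (check padding/length)"
    return f"unhandled status word {sw1:02X} {sw2:02X}"


if __name__ == "__main__":
    # Constructed walk-through mirroring the post's two commands.
    print("unblock PIN:", piv_tool_arg(reset_retry_counter("12345", "1234")))
    print("change PUK: ", piv_tool_arg(change_reference_data(PUK_REF, "1234", "1234")))
    sw = parse_received("Received (SW1=0x69, SW2=0x83)")  # the line from the post
    print("card said:  ", decode_sw(*sw))
```

A 63 Cx reply means the PUK itself was wrong but still usable; 69 83 on the CHANGE REFERENCE DATA with P2=0x81 means the PUK's own retry counter is exhausted, so no further PUK-based command (including RESET RETRY COUNTER) will be accepted until the card provides some vendor-specific reset, which is exactly the question the post raises.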