Reset your YubiKey to factory defaults using gpg-connect-agent

I’m using MacOS for my work, so here is how to reset your YubiKey using gpg-connect-agent. This is not a mine solution, I found this a while ago on github, can’t remember who’s is author, so I saved to my notes, just wanted to share it with you.

# Install gnupg if it's not installed yet

VKAFEDZH-M-2R3C:~ vkafedzh$ brew install gnupg

# Install gnupg if it's not installed yet VKAFEDZH-M-2R3C:~ vkafedzh$ brew install gnupg

# Install gnupg if it's not installed yet
VKAFEDZH-M-2R3C:~ vkafedzh$ brew install gnupg

Insert your YubiKey to USB and run the following command:

gpg-connect-agent <<EOF

/hex

scd serialno

scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40

scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40

scd apdu 00 e6 00 00

scd apdu 00 44 00 00

/echo Yubikey has been successfully reset.

/echo The factory default PINs are 123456 (user) and 12345678 (admin).

EOF

gpg-connect-agent <<EOF /hex scd serialno scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 e6 00 00 scd apdu 00 44 00 00 /echo Yubikey has been successfully reset. /echo The factory default PINs are 123456 (user) and 12345678 (admin). EOF

gpg-connect-agent <<EOF
/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo Yubikey has been successfully reset.
/echo The factory default PINs are 123456 (user) and 12345678 (admin).
EOF

Here is what I have:

VKAFEDZH-M-2R3C:~ vkafedzh$ gpg-connect-agent <<EOF

> /hex

> scd serialno

> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40

> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40

> scd apdu 00 e6 00 00

> scd apdu 00 44 00 00

> /echo Yubikey has been successfully reset.

> /echo The factory default PINs are 123456 (user) and 12345678 (admin).

> EOF

gpg-connect-agent: no running gpg-agent - starting '/usr/local/Cellar/gnupg/2.2.8/bin/gpg-agent'

gpg-connect-agent: waiting for the agent to come up ... (5s)

gpg-connect-agent: connection to agent established

S SERIALNO XXXXXXXXXXXXXX24010201000607XXXXXXX

D[0000] 69 82 i.

D[0000] 69 83 i.

D[0000] 69 82 i.

D[0000] 69 83 i.

D[0000] 90 00 ..

Yubikey has been successfully reset.

The factory default PINs are 123456 (user) and 12345678 (admin).

VKAFEDZH-M-2R3C:~ vkafedzh$ gpg-connect-agent <<EOF > /hex > scd serialno > scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 > scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 > scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 > scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 > scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 > scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 > scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 > scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 > scd apdu 00 e6 00 00 > scd apdu 00 44 00 00 > /echo Yubikey has been successfully reset. > /echo The factory default PINs are 123456 (user) and 12345678 (admin). > EOF gpg-connect-agent: no running gpg-agent - starting '/usr/local/Cellar/gnupg/2.2.8/bin/gpg-agent' gpg-connect-agent: waiting for the agent to come up ... (5s) gpg-connect-agent: connection to agent established S SERIALNO XXXXXXXXXXXXXX24010201000607XXXXXXX OK D[0000] 69 82 i. OK D[0000] 69 82 i. OK D[0000] 69 82 i. OK D[0000] 69 83 i. OK D[0000] 69 82 i. OK D[0000] 69 82 i. OK D[0000] 69 82 i. OK D[0000] 69 83 i. OK D[0000] 90 00 .. OK D[0000] 90 00 .. OK Yubikey has been successfully reset. The factory default PINs are 123456 (user) and 12345678 (admin).

VKAFEDZH-M-2R3C:~ vkafedzh$ gpg-connect-agent <<EOF
> /hex
> scd serialno
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
> scd apdu 00 e6 00 00
> scd apdu 00 44 00 00
> /echo Yubikey has been successfully reset.
> /echo The factory default PINs are 123456 (user) and 12345678 (admin).
> EOF
gpg-connect-agent: no running gpg-agent - starting '/usr/local/Cellar/gnupg/2.2.8/bin/gpg-agent'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: connection to agent established
S SERIALNO XXXXXXXXXXXXXX24010201000607XXXXXXX
OK
D[0000]  69 82                                              i.
OK
D[0000]  69 82                                              i.
OK
D[0000]  69 82                                              i.
OK
D[0000]  69 83                                              i.
OK
D[0000]  69 82                                              i.
OK
D[0000]  69 82                                              i.
OK
D[0000]  69 82                                              i.
OK
D[0000]  69 83                                              i.
OK
D[0000]  90 00                                              ..
OK
D[0000]  90 00                                              ..
OK
Yubikey has been successfully reset.
The factory default PINs are 123456 (user) and 12345678 (admin).

Thanks!

Leave a Reply Cancel reply