I am following raymii's guide for deleting keys

$ python2 tool/gnuk_remove_keys.py -p
returns

Admin password:
Traceback (most recent call last):
  File "tool/gnuk_remove_keys.py", line 112, in <module>
    main(passwd)
  File "tool/gnuk_remove_keys.py", line 86, in main
    gnuk.connection.connect()
  File "/usr/lib64/python2.7/site-packages/smartcard/CardConnectionDecorator.py", line 54, in connect
    self.component.connect(protocol, mode, disposition)
  File "/usr/lib64/python2.7/site-packages/smartcard/pcsc/PCSCCardConnection.py", line 128, in connect
    SCardGetErrorMessage(hresult))
smartcard.Exceptions.CardConnectionException: Unable to connect with protocol: T0 or T1. Sharing violation.

If I unplug and plug the key, I get different errors

$ python2 tool/gnuk_remove_keys.py -p
Admin password:
Token: Nitrokey Nitrokey Pro (xxxxxxxx) 00 00
ATR: xxxxxxxxx
Traceback (most recent call last):
  File "tool/gnuk_remove_keys.py", line 112, in <module>
    main(passwd)
  File "tool/gnuk_remove_keys.py", line 90, in main
    gnuk.cmd_verify(BY_ADMIN, passwd)
  File "tool/gnuk_remove_keys.py", line 54, in cmd_verify
    raise ValueError, ("%02x%02x" % (sw1, sw2))
ValueError: 6a88

python-2.7.13-1.fc25.x86_64 pyscard-1.9.0-5.fc25.x86_64 on Fedora 25

Allow to configure and insert a password string on a special-key double press, similarly to current HOTP functionality.

In the middle of random prefill the device turned unresponsive. Right
after reconnecting the device, Nitrokey application informed me of
underlying storage being fully prefilled, which wasn't true.

Excerpt from dmesg:
[179124.436222] usb 1-1.2: reset high-speed USB device number 102 using ehci-pci
[179124.724359] usb 1-1.2: device descriptor read/64, error -71
[179139.902709] usb 1-1.2: device descriptor read/64, error -110
[179140.078757] usb 1-1.2: reset high-speed USB device number 102 using ehci-pci
[179155.157304] usb 1-1.2: device descriptor read/64, error -110
[179170.335703] usb 1-1.2: device descriptor read/64, error -110
[179170.511653] usb 1-1.2: reset high-speed USB device number 102 using ehci-pci
[179180.921144] usb 1-1.2: device not accepting address 102, error -110
[179180.993440] usb 1-1.2: reset high-speed USB device number 102 using ehci-pci
[179191.402844] usb 1-1.2: device not accepting address 102, error -110
[179191.403670] usb 1-1.2: USB disconnect, device number 102
[179191.483159] usb 1-1.2: new high-speed USB device number 103 using ehci-pci
[179206.557575] usb 1-1.2: device descriptor read/64, error -110
[179221.735995] usb 1-1.2: device descriptor read/64, error -110
[179221.912112] usb 1-1.2: new high-speed USB device number 104 using ehci-pci

Storage v0.45, v0.38
App v1.0-beta.1
Windows 8.1
App cross-compiled with MXE (qMake)

Device crashes (device is not replying to commands, OS is detaching it, green LED stays on) after requesting Password Safe status just after mounting encrypted/hidden volume.

Old App (tested on v0.4) is not causing this behavior since it is not sending any additional commands directly after 'unlock' command. New App (v1.0-beta.1) sends GET_PW_SAFE_SLOT_STATUS which results in locking the device.

Scenario

It seems to be easily reproducible on Windows (MXE i686 cross-compiled binary).

1. Unlock encrypted volume,
2. Set up hidden volume and
3. Try unlock it
4. (edit) App sends GET_PW_SAFE_SLOT_STATUS to update PWS status.

Somewhere on this path the device crash is expected. If not on the first try, then after 3rd or 4th repeating.

App log: storage_crash.zip, crash time: 09:29:15

Workaround

Looks like adding STATUS request before asking for GET_PW_SAFE_SLOT_STATUS avoids the crash.
Simple 5 seconds delay suffices before next request. Lower values not always work.

Sometimes device is locking up on hidden volume activation - either red LED stays on or off or LED stays on when connection to device is lost through HID interface. It is occurring during test mentioned in #20.
Issue might occur more frequent with lower pooling and sending delays (20 ms) between command packets.
Scenario and environment details same as in #20

Frequency: sometimes
Ubuntu 16.04
Nitrokey Storage v0.43
Delay between sending command and receiving response: 200/20 ms
Delay between retrying: 200/20 ms
Encrypted volume is not formatted
Stick is initialized with random data
Stick was reinserted just before test started

Discovered while working on issue Nitrokey/nitrokey-app#97
It looks like device returns success only on first correct change (=> first change after factory reset, device reinsertion and application restart are not helping). Later password changes are always reported by device as failed.
Tested on both Windows 8.0 (compiled with Qt's mingw 5.3) and Ubuntu 16.04. I was using branch issue_97_firmware_password_feedback (the only differences in code with mainline are debug prints and feedback logic).

Prereq:
Firmware 0.36
App Nitrokey/nitrokey-app@bc3ce95#diff-3301dce0d4fa3f36ee73aa1a548416e0R2401
Both Ubuntu and Windows
Device is just after factory reset

Scenario:

1. Run application ./nitrokey-app -d -a
2. Initialize device (generate keys but do not clear SD, disable warning)
3. Change firmware password to asdasdasd using as current 12345678 (device returned TRUE as result so application shows success message)
4. Repeat step 3 with current asdasdasd and new one 123123123 (application shows error)

Any subsequent changes are not working.

Attaching output from app and debug log.
issue_97.txt
issue_97_debug_log.txt

As for App output clarification:

Old:  "12345678"
New1:  "asdasdasd"
New2:  "asdasdasd"
Old: "12345678"
New: "asdasdasd"

The last two lines (which are printed from function sending command to device) are just confirmation of the first 3 lines (which is Qt's form output). In case it would be confusing please let me know so I could simplify it.

FW v0.46+ don't allow to unmount/eject the device through the finder. When you try to do so, the device disappears as expected, but show up again within a few seconds. So unplug of the device could destroy the device as it is still attached.

Workaround: sudo diskutier unmountDisk /dev/diskx where disk is the disk representing NK Storage.
FW v0.45 has not that behavior.

Users reports about dmesg messages similar to the one below while using USB3:

[ 578.959764] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 2 ep 10 with no TDs queued?

Occurency: always
Ubuntu 16.04
Nitrokey Storage
Prodinfo string:
CPU:0xf4780feb,SC:0x000000dc,SD:0x035503a4,SCM:0x1b,SCO:0x534d,DAT:2012.14,Speed:8820,Size:8,Firmware:0.34 - 5
Nitrokey app sha# Nitrokey/nitrokey-app@0dd1630

After issuing:

./nitrokey-app --cmd prodinfo

unencrypted volume disappears from the system and green LED blinks all the time.
Device physical removal and reinsertion restores correct functionality.

Attached parted output: parted -l
parted_before.txt parted_after.txt
And dmesg: dmesg.txt

Storage v0.45
test: test_edit_OTP_slot, test_pro.py in libnitrokey test suite
Ubuntu 16.10

Device is not updating HOTP counter while editing HOTP slot. To test TOTP variant too.
More details in issue linked below.

TOTP returns wrong code with time set bigger than int32 max value (int32_max = 2 ** 31 - 1) according to both RFC spec and handcrafted test. NK Pro passes this. Attaching full log from test run:
TOTP_64bit_issue_log.txt (most interesting part is at the end, but the rest might be helpful too).

Date for max int32 is:

In [42]: datetime.datetime.fromtimestamp(2**31-1)                                                           
Out[42]: datetime.datetime(2038, 1, 19, 4, 14, 7)

Description

Creation of hidden volume is not possible: device returns status: 6.
In the firmware's source code it is defined as:

#define OUTPUT_CMD_STICK20_STATUS_NO_USER_PASSWORD_UNLOCK   6

After device reinsertion creation of hidden volume works. My guess is this is caused by Smartcard being powered off during PC's sleep mode stage or some other power management issue.

Environment

Storage v0.46
OSX Sierra 10.12.3 / 10.12.5 (latest)
Macbook Pro
Nitrokey App v1.1

Scenario

It looks like this is reproducible by following scenario:
Precond:

• Application opened v1.1, v0.46
• Hidden volume set up with known password, 70%-90%, slot 0, exFAT+MBR

1. Enable encrypted volume
2. Go into sleep mode for 30 seconds, wake up
3. Unlock hidden volume set up earlier

Currently this will result in device responding with status 6.
Reinserting the device fixes the issue.

Expected behaviour

Expected behaviour is to unlock/create the hidden volume without issues.

Export firmware command saves data on unencrypted storage making possibly a security risk since it could not be easily securely wiped-out from this volume. In case attacker steals device and identifies firmware using found data on unencrypted volume he can attack using known vulnerabilities if firmware is not up to date.

The OpenPGP Card allows to specify an unblock code which can be used if both User PIN and Admin PIN are blocked. The firmware should enable setting the unblock code and unblocking the device using it. This is similar as using User PIN and Admin PIN.

This issue happens for unencrypted and encryped volumes and occurs on Windows 7. A similar behaviour has been reported for macOS too but affecting hidden and encrypted volumes.

Factory reset should not change firmware password.

Ubuntu 16.04, Firmware 0.36, Nitrokey/nitrokey-app@5ec94e6

Scenario:

1. Change firmware password to password
2. Set update mode with password to confirm change
3. Flash device
4. Run Factory reset
5. Set update mode with password (would not work, but should)
6. Set update mode with 12345678 (would work)

Occurency: always
Ubuntu 16.04
Nitrokey Storage
Prodinfo string:
CPU:0xf4780feb,SC:0x000000dc,SD:0x035503a4,SCM:0x1b,SCO:0x534d,DAT:2012.14,Speed:8820,Size:8,Firmware:0.34 - 5
Nitrokey app sha# Nitrokey/nitrokey-app@0dd1630

Command:

./nitrokey-app --cmd prodinfo

never works first time. Running second time works.

Description

Copying files to freshly formatted encrypted volume fails when the device is after libnitrokey's full test suite.
Device is reset by the kernel and further not accessible, it responds to the HID commands though.

Occurrence: very frequent

Reproduction scenario

As of now issue cause has not been isolated yet and full test suite has to be run to provoke issue occurrence.

Environment

Ubuntu 16.10, Storage v0.46 RC,
libnitrokey: v2.0-147-gec500f1, branch: wip-show_information_about_invalid_CRC
Device connected to USB 2.0/3.0
SD card initialization already done

Steps

1. Run libnitrokey full test suite: pro + storage (without SD card initialization test - default), with --randomly-seed=1498651223
2. Reinsert the device
3. Run Nitrokey App
4. Unlock encrypted volume and format it to Fat32 (or ext4)
5. Mount the encrypted volume
6. Schedule a copy of 2GB of files with 5MB of size on average (about
   400 files) and another 1.5GB (1500 files).

Copy stopped after 500th MB (sometimes it stops after 4GB). After a brief moment the device was reset
(a couple of times) by the kernel. It was still responding to Nitrokey App commands. No LED was flashing.

Logs

Attached full system log.
dmesg.zip
Relevant messages shown:

Jun 28 17:32:25 feather kernel: FAT-fs (sdd): Directory bread(block 5217440) failed
Jun 28 17:32:59 feather kernel: FAT-fs (sdd): unable to read inode block for updating (i_pos 83479173)
Jun 28 17:32:25 feather kernel: FAT-fs (sdd): FAT read failed (blocknr 5105)

Workaround

To clear the issue it suffices to regenerate AES keys (e.g. by selecting Destroy Encrypted Data from Nitrokey App's tray menu) make a factory reset.

Windows 10 Creators Update
Details: https://support.nitrokey.com/t/nitrokey-storage-extrem-slow-after-windows-10-creators-update/431/4
Quote:

After upgrading my computer to Windows 10 Creators Update (version 1703) mounting Nitrokey Storage is extremly slow.
It tooks ~15-20 minutes after insserting the stick to recognise the unencrypted volume and also to recognise the stick in the nitro key app.
After this time i can unlock the encrypted volume....and have to wait again to mount the unlocked volume.

Unlocking the encrypted volume fails, the device keeps returning busy status for a time and it unlocks the volume after all (Nitrokey App shows error and reconnects; sometimes returning WRONG_PASSWORD error code), but with constantly flashing both red and green LEDs.
After locking the device and unlocking the volume it works (as have in previous releases), but setting up hidden volume causes constant BUSY status replies with no LED activity.
Occasionally device returns BUSY right after insertion.

OS: Sierra 10.12.6
Storage: v0.48
Frequency: always
Nitrokey App v1.1

Adding high priority since issue blocks the use of main functionality.

Scenario:

1. Run Nitrokey App
2. Insert Storage device
3. Wait 10 seconds for device initialization
4. Try to unlock encrypted volume

Logs:
Issue occurrence - almost 1 minute of BUSY status: issue_44-encrypted_volume_unlock-3.txt
Retest on v0.47: issue_44-encrypted_volume_unlock-v0.47.txt

StickKeysNotInitiated is changing after sending command STICK20_CMD_GENERATE_NEW_KEYS to the device with incorrect admin password.

Prereq:
Nitrokey Storage, v0.35
Ubuntu 16.04
Initialization scenario:

1. Flash device
2. Make factory reset with application nitrokeyapp --cmd factoryReset

Test Scenario:

1. Run Nitrokey Application (in debug mode)
2. Select Initialize device from application context menu
3. Accept keys generation
4. Enter incorrect password for Admin, like 123123123
5. Accept further messages (click Ok), but do not agree for SD card clearing
6. Initialize device menu item is not shown (since it is depending on StickKeysNotInitiated flag)

Keys should not be generated (since incorrect password has been passed) but the flag StickKeysNotInitiated is changing. Please check is that expected behavior.

Before scenario:

GetStick20Configuration
HID_GetStick20Configuration
MagicNumber_StickConfig_u16      : 12824
ReadWriteFlagUncryptedVolume_u8  : 0
ReadWriteFlagCryptedVolume_u8    : 0
VersionInfo_au8[4]               : 0 35 0 6
ReadWriteFlagHiddenVolume_u8     : 0
FirmwareLocked_u8                : 0
NewSDCardFound_u8                : 1
SDFillWithRandomChars_u8         : 0
ActiveSD_CardID_u32              : 0x035503A4
VolumeActiceFlag_u8              : 1
NewSmartCardFound_u8             : 0
UserPwRetryCount                 : 3
AdminPwRetryCount                : 3
ActiveSmartCardID_u32            : 0x3B60
StickKeysNotInitiated            : 1

After scenario:

GetStick20Configuration
HID_GetStick20Configuration
MagicNumber_StickConfig_u16      : 12824
ReadWriteFlagUncryptedVolume_u8  : 0
ReadWriteFlagCryptedVolume_u8    : 0
VersionInfo_au8[4]               : 0 35 0 6
ReadWriteFlagHiddenVolume_u8     : 0
FirmwareLocked_u8                : 0
NewSDCardFound_u8                : 1
SDFillWithRandomChars_u8         : 0
ActiveSD_CardID_u32              : 0x035503A4
VolumeActiceFlag_u8              : 1
NewSmartCardFound_u8             : 0
UserPwRetryCount                 : 3
AdminPwRetryCount                : 2
ActiveSmartCardID_u32            : 0x3B60
StickKeysNotInitiated            : 0

Same after both application restart and device reinsertion:

GetStick20Configuration
HID_GetStick20Configuration
MagicNumber_StickConfig_u16      : 12824
ReadWriteFlagUncryptedVolume_u8  : 0
ReadWriteFlagCryptedVolume_u8    : 0
VersionInfo_au8[4]               : 0 35 0 6
ReadWriteFlagHiddenVolume_u8     : 0
FirmwareLocked_u8                : 0
NewSDCardFound_u8                : 1
SDFillWithRandomChars_u8         : 0
ActiveSD_CardID_u32              : 0x035503A4
VolumeActiceFlag_u8              : 1
NewSmartCardFound_u8             : 0
UserPwRetryCount                 : 3
AdminPwRetryCount                : 2
ActiveSmartCardID_u32            : 0x3B60
StickKeysNotInitiated            : 0

Perhaps because of a different bootloader...

This idea needs to be confirmed!

Once the Nitrokey App is preinstalled on the unencrypted volume, it should be set read-only by default and only allow the Admin PIN to change it.

Windows 8.1, Ubuntu 16.10
App v1.0-beta.2, v0.6.3
Storage firmware v0.38, v0.45

My Storage sticks were not sending HOTP codes on special key double-press despite enabling this in configuration. Pro device works as expected in same environments.

Objectives:

1. Enable reliable wiping of data on the unencrypted volume
2. Prevent evil maid attacks which physically remove the SD card storage and write to the unencrypted volume.

Possible Solutions:
a. Encrypt the "unencrypted" volume and unlock it when booting the device (without requiring a PIN).
b. Add the SD Card Formatter functionality into the firmware. This would not achieve objective 2.

Further readings on SD cards:

• http://www.bunniestudios.com/blog/?p=3554
• http://flash-extractor.com/
• http://recoverfab.com/

Stick appears to be halted after enabling hidden volume in Nitrokey App and checking partitions using parted. Green Led stayed on. Application reported sticks connection and disconnection mutliple times. Attaching log.

Occurence: once
Nitrokey Storage 0.34
Ubuntu 16.04
App Nitrokey/nitrokey-app@0dd1630
hidden-volume-issue.txt

Scenario:

1. Unlock encrypted volume
2. Create partition table and format as fat32
3. Unlock hidden volume
4. Create partition table and format as fat32
5. Lock device
6. Unlock encrypted and hidden device (Unlock of hidden device is unsuccessful)
7. Create another hidden volume in different slot with same password
8. Unlock hidden volume
9. Check partition list with sudo parted /dev/sdc and command print

Recently new authorization mechanism has been introduced to NK Pro. Briefly it consist of:

• removing CMD_AUTHORIZE completely
• adding temporary password directly to command packets which needs to be authorized

Links:

• Nitrokey/nitrokey-pro-firmware#25
• Nitrokey/nitrokey-pro-firmware#29 (updated WRITE_TO_SLOT command)

v0.45
App v1.1
Windows 7

Some device commands sequential combinations crashes the device or makes the device BUSY (as it is reporting through HID interface).
Example sequence for the latter case are GET_STATUS (Pro status command) and GET_DEVICE_STATUS (Storage status command) invoked one after another - in some cases it makes the device BUSY for 20 seconds, but later it functions properly.

Another case is getting Password Safe status just after unlocking encrypted volume (issue 31).

Log:
windows7-devicebusy-log.txt

You currently use a fixed size for each password slot you store on NK Storage. This will only give you 16 passwords and also a fixed size for each field inside the slot ( which could limit some usage case and also waste space ).

Proposal : Instead of using a fixed slot size (64 byte) for each password slot, a dynamic password slot size would be preferable.

Maybe the following:

{
u8 SlotStatusAndNextSlot_u8; // AND 0x11000000 ==> Status AND 0x0011 1111 ==> start of next slot
u8 SlotNameLength_u8; // No of bytes used after this byte for slot name
u8 SlotNameStartPtr_u8; // Placeholder : Pointer to the first byte of the slot name
u8 SlotPasswordLength_u8; // No of bytes used for password length
u8 SlotPasswordStartPtr_u8; //Placeholder : Pointer to the first byte of the password of that slot
u8 SlotLoginNameLength_u8: // No of Bytes used for User/Login Name
u8 SlotLoginNameStartPtr_u8; // Placeholder : Pointer to the first 
}

of course this is not the complete structure , but maybe give you an idea how I would structure the slots to squeeze the maximum out of the men space - maybe the read & write routines are a bit more complex. The 1st byte would not even need the start of the next slot coded as this would again limit the slot spaces down from 256 to 64 like your slots today ( but with a more flexible internal structure within the 64 bytes).

With 28 chrs for Slot name , password and login name + overhead of 4 bytes you would get 32 slots. I am sure there are different password requirements ( e.g. for a forum vs an bank account ) that would benefit from such a flexible slot handling.

Hi,

can you please use GitHub release feature for your binary releases?
It is easier to stay up to date and get informed about new releases.

If you'd like to include binary files along with your release, such as compiled programs, drag and drop or select files manually in the binaries box.

https://help.github.com/articles/creating-releases/

Thank you.

A command for blinking LEDs would be useful for signalizing from the host (Nitrokey App / libnitrokey) that the device needs action or has finished its time-requiring operation.

Nitrokey App v0.6.3
Storage v0.45
Ubuntu 16.10

Device is not clearing new SD card flag in its internal state after initialization. In consequence "New SD card found" message (depending directly on the byte-flag named similarly in the device's status) is still shown in about window after executing factory reset and clearing SD card with random data.

At the moment not every HID action processing is signalized. Perhaps on finishing processing of a HID command a LED could blink?
With current behavior getting data from PWS is not signalized on the device's LED panel.

Hidden volumes are not always unlocking after creation. Device returns wrong password error code. In test where 4 hidden volumes are created and later on unlocked each (by going through lock device) it failed 7/10. Encrypted volume is not formatted so OS should not interfere with any mounting or any write operations. It fails sometimes on unlocking first volume, sometimes later (mentioned in logs, each volume has password consisting of fixed string and its number).

Frequency 7/10
Ubuntu 16.04
Nitrokey Storage v0.43
Delay between sending command and receiving response: 200 ms
Delay between retrying: 200ms
Encrypted volume is not formatted
Stick is initialized with random data
Stick was reinserted just before test started
Test time: 218 seconds / 10 iterations

Test scenario (from unit test, where status 4 means wrong password):

    def test_encrypted_volume_setup_multiple_hidden(C):
        hidden_volume_password = 'hiddenpassword'
        p = lambda i: hidden_volume_password + str(i)
        assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
        assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
        for i in range(4):
            assert C.NK_create_hidden_volume(i, 20+i*10, 20+i*10+i+1, p(i) ) == DeviceErrorCode.STATUS_OK
        for i in range(4):
            assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
            assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
>           assert C.NK_unlock_hidden_volume(p(i)) == DeviceErrorCode.STATUS_OK
E           assert 4 == 0
E            +  where 4 = <cdata 'int(*)(char *)' 0x7f06c35100b0>('hiddenpassword0')
E            +    where <cdata 'int(*)(char *)' 0x7f06c35100b0> = <cffi.api.FFILibrary_../build/libnitrokey.so object at 0x7f06c37f6f50>.NK_unlock_hidden_volume
E            +    and   'hiddenpassword0' = <function <lambda> at 0x7f06c3801b18>(0)
E            +  and   0 = DeviceErrorCode.STATUS_OK

Attached detailed log: issue_unstable_hidden_volumes.txt

In NK Pro OTP secrets have been extended to support AWS.

Links:

• Nitrokey/nitrokey-pro-firmware#29

79e07a7
Nitrokey/nitrokey-app@0a89ca5
Ubuntu 16.04
Frequency: always

One of my sticks suddenly stopped sending serial numbers. This is an excerpt from prodlog.txt:

timestamp:25.06.2016 13:21:21,CPU:0x00000000,SC:0x00000000,SD:0x035503a4,SCM:0x1b,SCO:0x534d,DAT:2012.14,Size:8,Firmware:0.36 - 7

Full file: prodlog.txt

I am checking will second stick behave same after firmware upgrade.

Description

Issue frequency: once
During the tests suddenly the device stopped responding. Additionally:

• WUDFHost.exe started to take 100% of one of the cores,
• Application has shown tray message about the device being disconnected, unencrypted
  volume vanished,
• usbview shows device's general failure,

Environment

Windows 8.1
USB 2.0
App v1.1
Storage v0.46
Device state: after libnitrokey tests (done on a Ubuntu a minute before)

Scenario

1. Check if unencrypted volume shows up and is accessible
2. Check PWS/OTP functionality
3. Try to unlock encrypted volume

Logs

Excerpt from system log below (looks like issue was caused by CCID, but possibly linked with device ejection by the OS)

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="WudfUsbccidDriver"
Guid="{22C370A7-A3DB-4390-ADE5-3A1ACCF4B5D5}" />
  <EventID>7</EventID>
  <Version>0</Version>
  <Level>2</Level>
  <Task>1</Task>
  <Opcode>10</Opcode>
  <Keywords>0x8000000000000000</Keywords>
  <TimeCreated SystemTime="2017-06-15T11:10:47.423497100Z" />
  <EventRecordID>1901578</EventRecordID>
  <Correlation />
  <Execution ProcessID="5932" ThreadID="7520" />
  <Channel>System</Channel>
  <Computer>sz1070</Computer>
  <Security UserID="S-1-5-19" />
  </System>
- <EventData>
  <Data Name="Name">ReaderCompletionUnknownMsgType</Data>
  <Data Name="Value">0x0</Data>
  </EventData>
  </Event>

Device responded with an error status.
Status: ReaderCompletionUnknownMsgType

Issue details (same registered on NK Pro):
Nitrokey/nitrokey-pro-firmware#19
Confirmed on line:
https://github.com/Nitrokey/nitrokey-storage-firmware/blob/master/src/OTP/hotp.c#L1100
Proposed solution:
Nitrokey/nitrokey-pro-firmware#20

Description

While reading event log on Windows 8.1 I have encountered the following error event:

Smart Card Reader 'Nitrokey Nitrokey Storage 0' rejected IOCTL 0x313520:
Incorrect function.  If this error persists, your smart card or reader
may not be functioning correctly.

Environment

Windows 8.1
USB 2.0
App v1.1
Storage v0.46

Scenario

Insert the stick and check event log.

Device could present when it is in unlocked state (PWS or Encrypted/Hidden volumes are available) through blinking with one of the LEDs. This would remind user about locking it after use.

Discovered while working on issue Nitrokey/nitrokey-app#97
Might be connected with #11

Prereq:
Firmware 0.36
App Nitrokey/nitrokey-app@bc3ce95#diff-3301dce0d4fa3f36ee73aa1a548416e0R2401
Ubuntu 16.04. I was using branch issue_97_firmware_password_feedback (the only differences in code with mainline are debug prints and feedback logic).

Device has just changed firmware password with application from 12345678 to asdasdasd

Scenario:

1. Send update command ./nitrokey-app --cmd setUpdateMode=asdasdasd
2. Check is device in update mode

I would make use of command which reboots stick. Currently I have to remove and insert again same device for achieving same 'start' state. Would that be possible to implement? Or, is there any other way?
I thought it could be possible through dfu-programmer at32uc3a3256s start, but it shows error it can not find any device.

How large is the storage capacity?

Nitrokey Pro, Nitrokey Start, Nitrokey HSM and Nitrokey U2F don't contain storage capability for ordinary data (it can only store cryptographic keys and certificates).
Nitrokey Storage can store and encrypt 8, 32, or 64 GB of data (depending on particular model).

Upon receiving the device this doesn't appear to be the case. I have a 2GB unencrypted partition and after initializing the device there's another ~5.5GB encrypted device that I'm able to format to whatever filesystem I wish. My question is, how do I reclaim some of that 2GB and shrink it. Or in fact, how can I expand it -- for instance, to install Arch+i3+GRUB etc (might need a bit more than 2GB).

Firmware 0.48 provides about >3 MB/s write performance only.

Hi!
Currently AES keys regeneration command sets SDFillWithRandomChars_u8 to 0 which forces user to make SD card random fill each time.
SD card random overwrite should be done only on first use of given SD card and should not be connected to AES keys regeneration.

For more details please check: Nitrokey/nitrokey-app#45 (comment) and Nitrokey/nitrokey-app#45 (comment)

Attaching logs: after_generating_new_AES_keys.log.txt
before_generating_new_AES_keys.log.txt

Windows
Storage v0.43
Nitrokey App v0.6.3

While setting up hidden volume application has shown that it can be placed between 50th (ReadMinWatermark) and 49th (ReadMaxWatermark) percentile of the SD storage which is not possible. These two values are shown directly as the device has sent to the Application (except when it is x<10 or x>90). It would be great to add proper check in firmware so the watermarks values could be in proper relation to each other.

This situation (ReadMin>ReadMax) could also mean, that the user has overwritten whole SD card and he cannot create hidden volume without losing existing data on encrypted volume. Please clarify.

Details: https://support.nitrokey.com/t/hidden-volume-and-plausible-deniability/388/3

Firmware v0.48
OS: Mac OS 10.12.6

Since many HID commands accesses the smartcard currently they can fail with unknown reason (WRONG_PASSWORD or device would send constantly a BUSY status) while the smartcard is in use by CCID interface/endpoint.
I would like to add new status CCID_IN_USE to show that requested command cannot be applied due to constant parallel usage, which cannot be interrupted/concurrently executed.
This looks to be especially important on v0.48 and Mac OS, where CCID endpoint seems to be in use, blocking HID commands from execution. New device status would then show the cause of their failure.
It should be returned after maximum of 10 seconds of retrying access request to smartcard (on contrary to returning BUSY infinitely).

Certain command responses have a CRC value in them that does not match the actual content. See for instance here where this has been mentioned for the send password case. I have my own library and see the same issue happening for the response of the unlock encrypted volume command.

Can this please be looked into? That is no state to work with. For that reason libnitrokey essentially cuts down on CRC checks completely which circumvents the entire concept of providing such check codes in the first place.