cannot erase epass2003auto - token init failure

Jay Aurabind
Hi,

I bought a new usb crypto token epass2003auto. I used pkcs15-init to
initially create some keys on it. Later I decided to erase the token,
and from then onwards, I am unable to use my token for anything. I
always get this message "Failed to erase card: Security status not
satisfied" every time I try to erase it. I cannot create new keys
either. Here is what I saw with opensc-explorer:


OpenSC [3F00]> erase
Failed to erase card: Security status not satisfied
OpenSC [3F00]> info

Dedicated File  ID 3F00

File path:     3F00
File size:     0 bytes
DF name:       entersafe-fips
ACL for SELECT:       N/A
ACL for LOCK:         N/A
ACL for DELETE:       N/A
ACL for CREATE:       N/A
ACL for REHABILITATE: N/A
ACL for INVALIDATE:   N/A
ACL for LIST FILES:   N/A
ACL for CRYPTO:       N/A
ACL for DELETE SELF:  N/A
Proprietary attributes:  00 7F
Security attributes:     9F 9F FF 9F FF FF FF FF


Somebody else reported the issue with OpenSC github[1], but Feitian is
giving a tool under NDA to fix the issue. I too got the tool as well,
but even that ain't working. I've been mailing the contact at Feitian,
but no responses. From the output of that tool, I speculate that it
needs a properly initialized pcscd running on the system. (the tool
complains about a service not found)

Hopefully if I solve the pcscd problem, this tool might work to fix my
ePass2003auto

Kindly help me fix the issue. Below are the details you need:

USB Token: Feitian ePass2003auto
USB driver version: CCID 1.4.24

Output of pcscd --version:

pcsc-lite version 1.8.17.
Copyright (C) 1999-2002 by David Corcoran <[hidden email]>.
Copyright (C) 2001-2015 by Ludovic Rousseau <[hidden email]>.
Copyright (C) 2003-2004 by Damien Sauveron <[hidden email]>.
Report bugs to <[hidden email]>.
Enabled features: Linux x86_64-unknown-linux-gnu serial usb libudev
usbdropdir=/usr/local/lib/pcsc/drivers ipcdir=/var/run/pcscd
configdir=/usr/local/etc/reader.conf.d

However, directory /usr/local/etc/reader.conf.d does not exist.

Platform: OS: Fedora 23, using latest versions of pcsc, built locally.

Please revert back to me if you need any more information. Full log is
attached as well.

[1]:https://github.com/OpenSC/OpenSC/issues/767

--

Thanks and Regards,
Aurabindo J

_______________________________________________
Pcsclite-muscle mailing list
[hidden email]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle

Attachment: pcsc_lite.log.txt (16K)

Re: cannot erase epass2003auto - token init failure

Jay Aurabind
Forgot to highlight, the error I get in pcscd upon plugging my USB token is:

00000000 ifdhandler.c:144:CreateChannelByNameOrChannel() failed
00000031 readerfactory.c:1110:RFInitializeReader() Open Port 0x200000 Failed (usb:096e/080a:libudev:0:/dev/bus/usb/003/014)
00000006 readerfactory.c:375:RFAddReader() FT ePass2003Auto init failed.

--

Thanks and Regards,
Aurabindo J


Re: cannot erase epass2003auto - token init failure

Ludovic Rousseau
In reply to this post by Jay Aurabind
2016-06-19 10:00 GMT+02:00 Jay Aurabind <[hidden email]>:
> Hi,

Hello

> Platform: OS: Fedora 23, using latest versions of pcsc, built locally.

Why do you build pcsc-lite yourself instead of using a Fedora package?

> Please revert back to me if you need any more information. Full log is
> attached as well.

You get the card ATR so pcsc-lite + driver is working.
Your token is a composite device with more than 1 interface. The other interface is not CCID so the driver reported an error and pcscd complained. Maybe I should fix this behavior.

But I do not have this ATR in my list.

Bye

--
 Dr. Ludovic Rousseau


Re: cannot erase epass2003auto - token init failure

Jay Aurabind
Thanks for your response Ludovic. Please see my inline response.

On 19 June 2016 at 20:43, Ludovic Rousseau <[hidden email]> wrote:

> 2016-06-19 10:00 GMT+02:00 Jay Aurabind <[hidden email]>:
>>
>> Hi,
>
>
> Hello
>
>> Platform: OS: Fedora 23, using latest versions of pcsc, built locally.
>
>
> Why do you build pcsc-lite yourself instead of using a Fedora package?
>

Version of pcsc-lite in fedora repo does not support ePass2003auto,
hence I had to build it from source.

>>
>>
>> Please revert back to me if you need any more information. Full log is
>> attached as well.
>
>
> You get the card ATR so pcsc-lite + driver is working.
> Your token is a composite device with more than 1 interface. The other
> interface is not CCID so the driver reported an error and pcscd complained.
> Maybe I should fix this behavior.
>

The other interface is probably the mass storage device which is
automounted when I plug the device.

> But I do not have this ATR in my list.
> Please submit your token at
> http://smartcard-atr.appspot.com/parse?ATR=3B9F958131FE9F006646530523002571DF000003900096
>

Done.

Is there anything I can do to get this thing working?

> Bye
>
> --
>  Dr. Ludovic Rousseau
>

--

Thanks and Regards,
Aurabindo J
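
Ludovic notes above that receiving the card's ATR shows pcsc-lite and the driver are working, and the ATR itself is quoted in the submission URL. As an added example (not code from the thread, pcsc-lite or OpenSC), this decoder splits that ATR per ISO/IEC 7816-3 and verifies its TCK checksum; `parse_atr` and `THREAD_ATR` are names chosen for this example.

```python
# Added example: ISO/IEC 7816-3 ATR decoder. Not code from the thread or pcsc-lite.
from functools import reduce

# Fi -> clock rate conversion factor F, Di -> baud rate adjustment D (ISO/IEC 7816-3).
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
      9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

# The ATR as it appears in the smartcard-atr.appspot.com URL quoted in the thread.
THREAD_ATR = "3B9F958131FE9F006646530523002571DF000003900096"


def parse_atr(hex_atr):
    """Split an ATR into interface bytes, protocols, historical bytes and TCK status."""
    atr = bytes.fromhex(hex_atr)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: bad length or TS byte")
    iface, protocols = {}, []
    y, pos, i = atr[1] >> 4, 2, 1          # Y1 is the high nibble of T0
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError(f"ATR truncated before {name}{i}")
                iface[f"{name}{i}"] = atr[pos]
                pos += 1
        if not y & 8:                      # no TDi: the interface byte chain ends
            break
        protocols.append(iface[f"TD{i}"] & 0x0F)
        y, i = iface[f"TD{i}"] >> 4, i + 1
    n_hist = atr[1] & 0x0F                 # K: number of historical bytes
    historical = atr[pos:pos + n_hist]
    pos += n_hist
    # TCK is mandatory as soon as any protocol other than T=0 is announced.
    has_tck = any(p != 0 for p in protocols)
    if len(historical) != n_hist or len(atr) != pos + has_tck:
        raise ValueError("ATR length does not match T0/TDi")
    result = {
        "convention": "direct" if atr[0] == 0x3B else "inverse",
        "interface": iface,
        "protocols": sorted(set(protocols)) or [0],
        "historical": historical.hex().upper(),
        # XOR of T0..TCK must be zero; None when no TCK is present.
        "tck_ok": reduce(lambda a, b: a ^ b, atr[1:]) == 0 if has_tck else None,
    }
    if "TA1" in iface:                     # TA1 = Fi (high nibble) | Di (low nibble)
        result["F"] = FI.get(iface["TA1"] >> 4)
        result["D"] = DI.get(iface["TA1"] & 0x0F)
    # The first TAi after a TD announcing T=1 (i > 2) is the card's IFSC.
    for j in range(3, i + 1):
        if iface[f"TD{j - 1}"] & 0x0F == 1 and f"TA{j}" in iface:
            result["ifsc"] = iface[f"TA{j}"]
            break
    return result


if __name__ == "__main__":
    for key, value in parse_atr(THREAD_ATR).items():
        print(f"{key}: {value}")
```

For the ATR in the thread it reports protocol T=1, F=512, D=16, an IFSC of 254 and a valid TCK checksum.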


Re: cannot erase epass2003auto - token init failure

Ludovic Rousseau
2016-06-19 17:54 GMT+02:00 Jay Aurabind <[hidden email]>:
>> Why do you build pcsc-lite yourself instead of using a Fedora package?
>
> Version of pcsc-lite in fedora repo does not support ePass2003auto,
> hence I had to build it from source.


Build the CCID driver from source if you need.
But do not build pcsc-lite yourself.
I guess that is the source of the problem: "(the tool complains about a service not found)"

Bye

--
 Dr. Ludovic Rousseau


Re: cannot erase epass2003auto - token init failure

Jay Aurabind
On 19 June 2016 at 22:21, Ludovic Rousseau <[hidden email]> wrote:

> 2016-06-19 17:54 GMT+02:00 Jay Aurabind <[hidden email]>:
>>
>> > Why do you build pcsc-lite yourself instead of using a Fedora package?
>> >
>>
>> Version of pcsc-lite in fedora repo does not support ePass2003auto,
>> hence I had to build it from source.
>>
>
> Build the CCID driver from source if you need.
> But do not build pcsc-lite yourself.

Tried that as well (pcsc-lite version 1.8.15 from fedora 23 repo). I
get the same error message - both the init failure and the failure
for Feitian's proprietary tool.

The proprietary tool fails to work in both the cases - pcsclite from
std repo and latest one compiled from source.

I compiled opensc from source, it can detect the device even with
pcsc-lite from the fedora repo.

> I guess that is the source of the problem: "(the tool complains about a
> service not found)"
>

Is the init error because of the additional USB interface interfering?
If so, engineers at Feitian should contact you and arrive at a
solution I suppose. If you have any workaround patches, I would be
happy to test it out.

> Bye
>
> --
>  Dr. Ludovic Rousseau
>

--

Thanks and Regards,
Aurabindo J


Re: cannot erase epass2003auto - token init failure

Ludovic Rousseau
2016-06-20 10:11 GMT+02:00 Jay Aurabind <[hidden email]>:
>> I guess that is the source of the problem: "(the tool complains about a
>> service not found)"
>
> Is the init error because of the additional USB interface interfering?
> If so, engineers at Feitian should contact you and arrive at a
> solution I suppose. If you have any workaround patches, I would be
> happy to test it out.

Maybe your token can't be erased.

You should contact Feitian to get support on their tool.

Bye

--
 Dr. Ludovic Rousseau


Re: cannot erase epass2003auto - token init failure

Dirk-Willem van Gulik
In reply to this post by Jay Aurabind

> On 19 Jun 2016, at 17:54, Jay Aurabind <[hidden email]> wrote:
>
> Thanks for your response Ludovic. Please see my inline response.
>
> On 19 June 2016 at 20:43, Ludovic Rousseau <[hidden email]> wrote:
>
> Version of pcsc-lite in fedora repo does not support ePass2003auto,
> hence I had to build it from source.
….
>> But I do not have this ATR in my list.
>> Please submit your token at
>> http://smartcard-atr.appspot.com/parse?ATR=3B9F958131FE9F006646530523002571DF000003900096

You may have one of the later ‘ODM automatic rebrandable’ ePass 2003 units which require a specific Feitian tool for a complete format (a giveaway is no label, or a label which does not quite fit the recess or seems haphazardly applied).

I would shoot Feitian an email - for things like this they are generally quite responsive.

Dw.

Re: cannot erase epass2003auto - token init failure

Diego Antona
In reply to this post by Jay Aurabind
Dear Jay,

If you just require a new ePass2003 we could provide it, because we are providers, and in fact one of our patents protects Feitian from other industry players.

I suppose, and understand the factory: there is no interest in recovering just one device that just one customer put to bad use and made inaccessible.

All the best,
Diego Antona
http://kalysis.com


