Cryptnox Docs

Unblock PIN Command

This command lets a user unblock a previously blocked PIN with a valid PUK and set a new PIN in the same operation. It is only available when the user PIN is in a blocked state and PinAuth is enabled. For detailed security practices, see the FIDO Alliance PIN Management Guide.


# `card` is an already-connected card object; it is not defined in this snippet.
def unblock_pin(puk: str, new_pin: str):
    card.unblock_pin(puk, new_pin)

# For example: unblock_pin("09875789012", "132456122")

Application Protocol Data Unit (APDU) Components for Unblock PIN

The following table outlines the components of the Application Protocol Data Unit (APDU) used by the Unblock PIN command.

| Field | Description | Value |
|-------|-------------|-------|
| CLA | This field specifies the class of the instruction. | 0x80 |
| INS | This field specifies the particular command or operation that the smart card or secure element should execute. | 0x22 |
| P1 | First parameter of the instruction that specifies the details about the operation being requested. | 0x00 |
| P2 | Second parameter of the instruction that specifies additional details about the operation being requested. | 0x00 |
| Data | Key data | The PUK followed by the new PIN |

📘

Note

  • This command is used to unblock the user PIN when it has been locked due to repeated incorrect attempts.
  • Requires Secure Channel to be opened.
  • The PIN must be blocked and PinAuth must be enabled.
  • After success, the PIN is reset and authenticated for the session.
  • PUK retry is limited to 12 attempts per power cycle.
  • Card must be power-cycled to retry if 0x63C0 is returned due to exhaustion.

Input Validation Rules

  • PUK must be:
    • 12 bytes long
  • PIN must be:
    • 9 characters long
    • Begin with at least 4 digits (‘0’-‘9’)
    • Padded with 0x00 to fill 9 bytes if shorter
  • Total Data: Exactly 21 bytes
    Data = PUK (12 bytes) + new PIN (9 bytes)

Response

The following table outlines the possible responses that you will receive:

| Response Code | Description |
|---------------|-------------|
| 0x9000 | Success |
| 0x6A80 | Invalid data format (must be exactly 21 bytes) |
| 0x6985 | PIN is not blocked or PinAuth is disabled |
| 0x63Cx | Invalid PUK; x = remaining tries (up to 12 per power cycle) |
| 0x63C0 | No more tries left in current session; power cycle required to continue |
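The validation rules and response codes above can be checked on the host before and after the command is sent. The following is an added example, not Cryptnox SDK code: the function names are hypothetical, the PIN is treated as 4 to 9 ASCII digits (this example's reading of the rules above), and it builds only the plaintext data field, leaving Secure Channel wrapping and transmission to the caller.

```python
# Header bytes from the APDU table above: CLA, INS, P1, P2.
UNBLOCK_PIN_HEADER = bytes([0x80, 0x22, 0x00, 0x00])
PUK_LEN, PIN_LEN = 12, 9


def build_unblock_pin_data(puk: str, new_pin: str) -> bytes:
    """Return the 21-byte data field: PUK (12 bytes) + new PIN padded to 9 bytes."""
    puk_bytes = puk.encode("ascii")  # non-ASCII input raises a ValueError subclass
    if len(puk_bytes) != PUK_LEN:
        # Report only the length so the PUK never ends up in logs or tracebacks.
        raise ValueError(f"PUK must be {PUK_LEN} bytes, got {len(puk_bytes)}")
    # Assumption of this example: the PIN is 4 to 9 ASCII digits.
    if not (new_pin.isascii() and new_pin.isdigit() and 4 <= len(new_pin) <= PIN_LEN):
        raise ValueError("PIN must be 4 to 9 ASCII digits")
    pin_bytes = new_pin.encode("ascii").ljust(PIN_LEN, b"\x00")  # pad with 0x00
    return puk_bytes + pin_bytes


def interpret_status(sw: int) -> dict:
    """Map a status word from the response table to a structured result."""
    if sw == 0x9000:
        return {"ok": True, "tries_left": None, "message": "Success"}
    if sw == 0x6A80:
        return {"ok": False, "tries_left": None, "message": "Invalid data format"}
    if sw == 0x6985:
        return {"ok": False, "tries_left": None,
                "message": "PIN is not blocked or PinAuth is disabled"}
    if sw & 0xFFF0 == 0x63C0:
        tries = sw & 0x000F  # low nibble carries the remaining PUK tries
        message = ("No more tries left: power cycle required" if tries == 0
                   else f"Invalid PUK, {tries} tries left before power cycle")
        return {"ok": False, "tries_left": tries, "message": message}
    return {"ok": False, "tries_left": None, "message": f"Unexpected status 0x{sw:04X}"}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    data = build_unblock_pin_data("123456789012", "1234")
    print((UNBLOCK_PIN_HEADER + data).hex())
    print(interpret_status(0x63C5)["message"])
```

Rejecting malformed input on the host matters here because PUK attempts are limited per power cycle, and a request the card rejects with 0x6A80 is easier to diagnose before it is sent.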