APDU Commands
The Application Protocol Data Unit (APDU) command described here is a hidden command; it is listed when you run the command ykman --full-help.
ykman apdu [OPTIONS] [APDU]
Execute arbitrary Application Protocol Data Units (APDUs). Provide APDUs as a hex-encoded, space-separated list using the following syntax: [CLA]INS[P1P2][:DATA][/LE][=EXPECTED_SW]
If not provided, CLA, P1 and P2 are all set to zero. Setting EXPECTED_SW causes the command to check the response SW and fail if it differs. “=” can be used as shorthand for “=9000” (SW=OK).
As an alternative, you can provide full APDUs using the -s/--send-apdu option. You cannot mix -a and positional APDUs with --send-apdu.
Examples
Select the OATH application, send a LIST instruction (0xA1), and make sure we get sw=9000 (these are equivalent):
$ ykman apdu a40400:a000000527210101=9000 a1=9000
or
$ ykman apdu -a oath a1=
Factory reset the OATH application:
$ ykman apdu -a oath 04dead
or
$ ykman apdu a40400:a000000527210101 04dead
or (using full-apdu mode)
$ ykman apdu -s 00a4040008a000000527210101 -s 0004dead
Get 8 random bytes from the OpenPGP application:
$ ykman apdu -a openpgp 84/08=
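The shorthand forms in the examples above expand to the full APDUs accepted by -s/--send-apdu. The following Python sketch is an added example, not ykman's own parser: the function name `expand`, the one-byte LE field and the short-APDU encoding are assumptions made for illustration.

```python
import re

# Added illustration of the shorthand grammar
# [CLA]INS[P1P2][:DATA][/LE][=EXPECTED_SW]; not ykman's own code.
# Assumption: LE is a single byte and the result is a short APDU.
SHORTHAND = re.compile(
    r"^(?P<cla>[0-9a-f]{2})?(?P<ins>[0-9a-f]{2})(?P<p1p2>[0-9a-f]{4})?"
    r"(?::(?P<data>(?:[0-9a-f]{2})+))?"
    r"(?:/(?P<le>[0-9a-f]{2}))?"
    r"(?P<check>=(?P<sw>[0-9a-f]{4})?)?$",
    re.IGNORECASE,
)


def expand(shorthand):
    """Return (full short APDU as hex, expected SW as int or None)."""
    m = SHORTHAND.match(shorthand)
    if not m:
        raise ValueError(f"not a valid shorthand APDU: {shorthand!r}")
    # Omitted CLA, P1 and P2 default to zero.
    header = bytes.fromhex((m["cla"] or "00") + m["ins"] + (m["p1p2"] or "0000"))
    data = bytes.fromhex(m["data"] or "")
    if len(data) > 255:
        raise ValueError("data too long for a short APDU")
    apdu = header
    if data:
        apdu += bytes([len(data)]) + data  # Lc followed by the command data
    if m["le"]:
        apdu += bytes.fromhex(m["le"])     # Le: expected response length
    # A bare "=" means "=9000"; no "=" means the status word is not checked.
    expected_sw = int(m["sw"] or "9000", 16) if m["check"] else None
    return apdu.hex(), expected_sw


if __name__ == "__main__":
    # Shorthand strings taken from the examples on this page.
    for s in ("a40400:a000000527210101=9000", "a1=", "04dead", "84/08="):
        apdu, sw = expand(s)
        check = "unchecked" if sw is None else f"{sw:04x}"
        print(f"{s:32} -> {apdu:28} expected SW: {check}")
```

For the SELECT and reset examples, the output matches the full APDUs passed with -s above (00a4040008a000000527210101 and 0004dead).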
Options
| Option | Description |
|---|---|
| -h, --help | Show this message and exit. |
| -a, --app [otp\|management\|openpgp\|oath\|piv\|fido\|hsmauth\|secure-domain] | Select application. |
| -s, --send-apdu TEXT | Provide full APDUs. |
| --short | Force usage of short APDUs. |
| -x, --no-pretty | Print only the hex output of a response. |