.. APDU_Commands.rst

.. _apdu-commands-label:

===============================================
APDU Commands
===============================================

The Application Protocol Data Unit (APDU) command described here is a hidden command, it is listed when you run the command, ``ykman --full-help``. 


ykman apdu [OPTIONS] [APDU]
============================

Execute arbitrary Application Protocol Data Unit (APDUs). Provide APDUs as a hex encoded, space-separated list using the following syntax: ``[CLA]INS[P1P2][:DATA][/LE][=EXPECTED_SW]``

If not provided CLA, P1 and P2 are all set to zero. Setting EXPECTED_SW causes the command to check the response SW and fail if it differs. "=" can be used as shorthand for "=9000" (SW=OK).

As an alternative, you can provide full APDUs using the ``-s/--send-apdu`` option. You cannot mix ``-a and positional APDUs`` with ``--send-apdu``.

Examples
--------

Select the OATH application, send a LIST instruction (``0xA1``), and make sure we get ``sw=9000`` (these are equivalent):

.. code-block::

    $ ykman apdu a40400:a000000527210101=9000 a1=9000
      or
    $ ykman apdu -a oath a1=

Factory reset the OATH application:

.. code-block::

    $ ykman apdu -a oath 04dead
      or
    $ ykman apdu a40400:a000000527210101 04dead
      or (using full-apdu mode)
    $ ykman apdu -s 00a4040008a000000527210101 -s 0004dead

Get 8 random bytes from the OpenPGP application:

.. code-block::

    $ ykman apdu -a openpgp 84/08=

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+
   || ``-a, --app [otp|management|`` | Select application.                        |
   || ``openpgp|oath|piv|fido|``     |                                            |
   || ``hsmauth|secure-domain]``     |                                            |
   +---------------------------------+--------------------------------------------+
   | ``-s, --send-apdu TEXT``        | Provide full APDUs.                        |
   +---------------------------------+--------------------------------------------+
   | ``--short``                     | Force usage of short APDUs.                |
   +---------------------------------+--------------------------------------------+
   | ``-x, --no-pretty``             | Print only the hex output of a response.   |
   +---------------------------------+--------------------------------------------+