Setting YubiKey mode fails on YubiKey 5

[elyscape]

When programming YubiKey 4s, I generally run ykpersonalize -m86 -y in order to enable all modes as well as MODE_FLAG_EJECT. Attempting to do this with a YubiKey 5 results in an error:

myhost:~ elyscape$ ykpersonalize -m86 -y
Firmware version 5.1.0 Touch level 522 Program sequence 2

The USB mode will be set to: 0x86

Commit? (y/n) [n]: yes
Yubikey core error: write error

Has this functionality been removed from the YubiKey 5? Does ykpersonalize need to be updated to support this command on the YubiKey 5?

[klali]

Yes, mode is applicable only for YubiKey Neo and YubiKey 4. For YubiKey 5 the recommended tooling would be yubikey-manager (there's a CLI component named ykman). This can still be achieved with ykpersonalize through using the -D option to send a device info string, but the format is arcane and badly documented (so far).

[dagheyman]

Here is a document describing the new capabilities in the YubiKey 5: https://developers.yubico.com/yubikey-manager/Config_Reference.html

To enable everything with ykman:

$ ykman config usb --enable-all # For USB 
$ ykman config nfc --enable-all # For NFC

[elyscape]

Thanks! For future readers: to set MODE_FLAG_EJECT, pass the --touch-eject flag to ykman config. For example, an equivalent to ykpersonalize -m86 -y from the OP would be ykman config usb --enable-all --touch-eject --force.

[securitywizard]

Hi I'm hitting the same error trying to set ykpersonalize -m 81; can you let me know what is the equivalent for ykman

[bigblueswope]

Hi I'm hitting the same error trying to set ykpersonalize -m 81; can you let me know what is the equivalent for ykman

ykman config usb --enable OPENPGP --disable OTP --disable U2F --disable FIDO2 --disable OATH --disable PIV --autoeject-timeout 30 --chalresp-timeout 30 --touch-eject

[mairs8]

what is the equivalent for ykpersonalize -m82?