Can my xNT be easily set to read-only?


#1

Hello. Long time listener, first time caller.

I had an xNT implanted a few days ago, and it’s all gone great. In fact I wrote a blog post documenting my experience so far: http://blog.danhett.com/2017/07/dan.html

Anyway, I’ve used the Dangerous Things app to secure the chip, and I can happily read and write to it.

My question is: is it possible to set the user data to be read only? I’m using mine for encryption keys as part of an artwork, and I’d like to ensure (if possible) that it’s only readable and not writeable.

Thanks!


#2

Hi Dan,

Glad you’re happy with your xNT!

So there are a couple ways to go about this…

  1. Lock your tag. This is permanent and irrevocable. Your tag would need to be removed and thrown out if you ever had to change your key.

  2. Protect your xNT’s contents from unsolicited writes with a password. You can still read it (anyone could), but your content would not be updated without first authenticating.

  3. Protect your xNT’s contents from unsolicited reads and writes with a password. You couldn’t even read your xNT without first authenticating.

  4. Lock your xNT and also implement a password to protect against unsolicited reads.

For option 1, to lock your tag, simply use TagWriter, go to Protect Tags, and Lock Tag. It’ll lock it. You’re done.

For options 2 and 3, we recommend disabling the locking feature altogether. The lock bytes being changeable is simply a liability. Instead I would disable locking and set a password by using Dangerous NFC. Then, if you wanted to set specific password protections for your tag… well, that is done by changing the PROT bit of the ACCESS configuration byte in page E4 (0=write protected, 1=read & write protected), and changing the AUTH byte to at least 04 (00 is also ok, but doesn’t actually protect the UID).

How one does this is, at the moment, difficult. No apps (not even ours) are really that good at being granular enough to dig into the details. Take a deep breath… we’re doing digital surgery here…

1) Read the datasheet

… particularly pages 18 and 19. Be really careful with CFGLCK and AUTHLIM … screwing up either of those will really wreck your xNT hard… which is one reason Dangerous NFC protects these configuration pages.

Configuration Pages

ACCESS BYTE (Page E4)

AUTH & PROT

2) Download and install NFC Shell

I’m jealous of this app… I want its code inside Dangerous NFC so bad (under an “advanced” section).

3) Send these commands

Type in the following lines in the shell box:

1B h1 h2 h3 h4
A2 E3 04 00 00 04
A2 E4 00 01 00 00

The first line starting with 1B is the PWD_AUTH command, and the h1 h2 h3 h4 value needs to be replaced with the HEX value of the password you set for your xNT. So, if your password was 1234 then the HEX values of the ASCII characters 1, 2, 3, and 4 are 31 32 33 34. Check ye’ olde ASCII chart for a reference.

The second line, starting with A2, updates the AUTH0 byte to page 04… protecting the memory contents of your tag with the password you’ve set.

The third line, also starting with A2, changes the PROT bit to 1 to ensure nothing protected with AUTH0 + PWD can be read without first authenticating. If instead you want to write protect the tag but still let anyone read it without authenticating first, then change that line to A2 E4 00 00 00 00

Press the SEND button and then scan your tag. You should receive, in the shell window, something like this:

TX: 1B h1 h2 h3 h4
RX: 4454
TX: A2 E3 04 00 00 04
RX:
TX: A2 E4 00 01 00 00
RX:

That means success… no RX after successful write command means success. If it fails, you’ll get an RX: NAK back.

At this point, once you remove the tag from the field, you will need to authenticate with the password before you can read the contents.

If you have any cheap spare NTAG216s around, I’d test on those first. Good luck!
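
To make the bit arithmetic in this procedure concrete, here is an added example in Python. It is not the post's own commands and not code from Dangerous NFC or NFC Shell; the byte layouts are taken from the public NXP NTAG213/215/216 datasheet. It builds the PWD_AUTH and WRITE frames, assembles the ACCESS byte from the datasheet's bit positions (PROT is bit 7 of the first byte of page E4, so the read-and-write-protect write is A2 E4 80 00 00 00; CFGLCK is bit 6 and is kept off unless explicitly requested, because it cannot be undone), and decodes a page dump in the format posted later in this thread (post #5) to report what the tag actually enforces. The password 1234 and all function names are illustrative; the dump text embedded at the bottom is copied from post #5, not read from a live tag.

```python
"""NTAG216 configuration-page helper for the procedure in the post above.

Added example: not the post's own commands and not Dangerous NFC or NFC Shell
code. Byte layouts follow the public NXP NTAG213/215/216 datasheet (NTAG216
configuration pages E3h to E6h). It only builds and decodes bytes; sending
them to a tag is still done with NFC Shell or a libnfc tool.
"""
import re

PAGE_MIRROR_AUTH0 = 0xE3  # MIRROR, RFUI, MIRROR_PAGE, AUTH0
PAGE_ACCESS = 0xE4        # ACCESS, RFUI, RFUI, RFUI
PAGE_PWD = 0xE5           # PWD0..PWD3 (write-only)
PAGE_PACK = 0xE6          # PACK0, PACK1, RFUI, RFUI (write-only)
NTAG216_LAST_PAGE = 0xE6  # AUTH0 above this disables password protection
PROT = 1 << 7             # ACCESS bit 7: 1 = reads and writes need PWD_AUTH, 0 = writes only
CFGLCK = 1 << 6           # ACCESS bit 6: config pages locked for good (irreversible)
AUTHLIM_MASK = 0x07       # ACCESS bits 2..0: 0 = unlimited failed PWD_AUTH attempts
CMD_PWD_AUTH = 0x1B       # 1Bh + 4-byte PWD; tag answers with the 2-byte PACK
CMD_WRITE = 0xA2          # A2h + page + 4 data bytes; tag answers ACK or NAK


def to_shell(cmd):
    """Render a frame the way it is typed into NFC Shell, e.g. '1B 31 32 33 34'."""
    return " ".join("%02X" % b for b in cmd)


def pwd_auth_cmd(password):
    """PWD_AUTH frame; an ASCII password such as '1234' is sent as 31 32 33 34."""
    pwd = password.encode("ascii") if isinstance(password, str) else bytes(password)
    if len(pwd) != 4:
        raise ValueError("NTAG password is exactly 4 bytes")
    return bytes([CMD_PWD_AUTH]) + pwd


def write_cmd(page, data):
    data = bytes(data)
    if len(data) != 4:
        raise ValueError("WRITE carries exactly one 4-byte page")
    return bytes([CMD_WRITE, page]) + data


def access_byte(read_protect, authlim=0, cfg_lock=False):
    """Assemble ACCESS. cfg_lock is off by default because it cannot be undone."""
    if not 0 <= authlim <= 7:
        raise ValueError("AUTHLIM is a 3-bit field")
    return (PROT if read_protect else 0) | (CFGLCK if cfg_lock else 0) | authlim


def protect_commands(password, auth0=0x04, read_protect=True, mirror=0x04):
    """The three-line sequence from the post, with PROT placed in bit 7 of the
    first byte of page E4. mirror=0x04 keeps the NTAG216 factory MIRROR byte."""
    return [
        pwd_auth_cmd(password),
        write_cmd(PAGE_MIRROR_AUTH0, [mirror, 0x00, 0x00, auth0]),
        write_cmd(PAGE_ACCESS, [access_byte(read_protect), 0x00, 0x00, 0x00]),
    ]


_HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_dump(text):
    """Parse dump lines like '[E4] .r 00 01 -- -- (ACCESS)' into
    {page: [byte or None, ...]}; 'XX', '--' and similar cells become None."""
    pages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("["):
            continue
        addr, _flags, rest = line.split(None, 2)
        cells = rest.split()[:4]
        pages[int(addr.strip("[]"), 16)] = [
            int(c, 16) if _HEX_BYTE.fullmatch(c) else None for c in cells]
    return pages


def decode_config(pages):
    """Report what the configuration pages actually enforce."""
    auth0 = pages[PAGE_MIRROR_AUTH0][3]
    access = pages[PAGE_ACCESS][0]
    if auth0 is None or access is None:
        raise ValueError("AUTH0 or ACCESS byte not readable in dump")
    enabled = auth0 <= NTAG216_LAST_PAGE
    return {
        "auth0": auth0,
        "writes_need_password": enabled,
        "reads_need_password": enabled and bool(access & PROT),
        "config_locked": bool(access & CFGLCK),
        "authlim": access & AUTHLIM_MASK,
    }


# Configuration pages as posted later in this thread (post #5), not a live tag.
POSTED_DUMP = """
[E2] *r 00 00 7F BD (LOCK2-LOCK4, CHK)
[E3] .r 04 00 00 04 (CFG, MIRROR, AUTH0)
[E4] .r 00 01 -- -- (ACCESS)
[E5] +P XX XX XX XX (PWD0-PWD3)
[E6] +P XX XX -- -- (PACK0-PACK1)
"""

if __name__ == "__main__":
    for cmd in protect_commands("1234"):
        print("TX:", to_shell(cmd))
    print(decode_config(parse_dump(POSTED_DUMP)))
```

Run as a script it prints the three TX lines for the read-and-write-protect case and the decoded state of the posted dump. For that dump the decoder returns writes_need_password True and reads_need_password False, because the first byte of page E4 is 00 and PROT lives in that byte, which is exactly the symptom reported in post #5. Before writing page E4 on a real tag, check config_locked on a fresh read and, as the post says, try the sequence on a spare NTAG216 first.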


#3

Hey Amal

Thanks for the prompt and detailed response - really useful.

I’ve already secured my xNT with the DT app, but didn’t realise the process was so involved in terms of putting this thing into read-only mode…

I’m inclined not to screw with it really, my use case is a little strange I think compared to most people who have these implants: I’m an artist who’s using my chip to hold encryption keys, which will in turn be used to encrypt messages which I’ll be painting on enormous canvases to be displayed somewhere really cool (secret for now, but you’ll have heard of the person who opened the place)

For this reason, the chip is really largely symbolic - the encryption key could of course be kept on my machine or whatever, but this is a personal work around personal encryption, and so keeping it in my hand felt like a logical move.

I think I’ll leave it as-is for now. I have additional security in terms of the xNT only actually holding half the encryption key, and a few other elements that I’m not revealing. In terms of people writing to it, that’s a risk I’ll take and isn’t the end of the world (and I think in realistic terms isn’t a likely scenario at all).

Once the project is announced and/or finished, I’ll let you know - my implant is now at the center of the artwork, and hopefully series of artworks!

Dan


#4

Awesome! Looking forward to hearing about it!


#5

Hey Amal,

I know this is an old topic but I’ve been following the instructions you posted earlier and I seem to have a problem with read protection. I can password protect writes, but even with AUTH0 set to page 04 or 00 and the PROT bit set to 1 I can still read the tag without authenticating.

What am I missing?

[04] +r 03 0E D1 01 |…|
[05] +r 0A 54 02 65 |.T.e|
[06] +r 6E 54 65 73 |nTes|
[07] +r 74 69 6E 67 |ting|
[08] +r FE 00 00 00 |…|

and

[E2] *r 00 00 7F BD (LOCK2-LOCK4, CHK)
[E3] .r 04 00 00 04 (CFG, MIRROR, AUTH0)
[E4] .r 00 01 -- -- (ACCESS)
[E5] +P XX XX XX XX (PWD0-PWD3)
[E6] +P XX XX -- -- (PACK0-PACK1)

Thanks for the help!


#6

Oh man… sorry for the delay, but I think I have bad news for you… I’m not sure how you set your PROT bit, but I think you forgot that most bit systems are 0-based… it looks like you set bit 6 (CFGLCK), not PROT (bit 7)… which is, like, not reversible. Can you change your config now?


#7

No worries, and that’s fascinating. Not sure what has happened.

Since getting my chip all I have done is use Dangerous NFC to secure it and then wrote the commands posted above via NFC Shell:

TX: A2 E3 04 00 00 04
RX:
TX: A2 E4 00 01 00 00
RX:

I seem to have no problem changing the configuration today:

[E3] .r 04 00 00 05 (CFG, MIRROR, AUTH0)
[E4] .r 00 00 -- -- (ACCESS)

So not sure. Inclined to give up now actually, but still keen to have a try and post here to help people in future.


#8

Aaaahhhh shit. hahah then it was my fault. Sorry man! PM me and I’ll send you a free xNT replacement. The correct value for page E3 should have been TX: A2 E3 08 00 00 04

I guess I forgot to count base 0. :confused:

Amal


#9

Thanks for the prompt reply! I don’t think all hope is lost yet.

I just changed Page E3 without a problem:
[E3] .r 08 00 00 04 (CFG, MIRROR, AUTH0)

It seems we are back in action?


#10

Sorry no, you can’t change anything anymore because the bit I had you flip was the CFGLCK bit… which means “config lock” which means your config bytes are locked.