Recently got a “NXP - NTAG216” and made the apparently well known mistake of creating a password via NFC Tools.
Now it's giving me the following error: “write error - Identification failed” when trying to remove it.
Some details:
0 experience with NFC coding
never used anything other than NFC-Tools
password is known (99.9% sure)
already brute-forced for possible typos
might have moved hand during password creation (partial write possible)
if you manually added a password and forgot it, you’re screwed. gotta remember that password.
if you don’t remember setting a password deliberately it could be the nfctools password it sets itself to prevent external overwriting of the ndef container, which shouldn’t prevent you from writing ndef to it.
Based on the data posted, AUTH0 is 00 so it is protecting all user memory from unauthenticated writes. However it’s also showing 00 00 00 00 for the pwd which should never be readable… tells me there is a chance that the password is actually set to 00 00 00 00 and the program is checking it as a default password, getting a proper authentication, and then showing that data as the password.
You could try a password of all 00 00 00 00 (4 null bytes) in NFC tools but honestly I don’t know how in NFC tools you might change the AUTH0 protection setting back to FF
I think NFC shell is possibly a good option here for manually authenticating and changing auth0
From a quick test I just did with NFC Tools (this is why I never use it except for writing ndef records), password is showing 00 00 00 00 regardless of whether I have it as default or set to other. Funnily enough, on another chip that I have the PROT bits set it only shows the first 4 pages and no lines of data under that.
If set, you need to auth before you can even read. The pages protected are still based on AUTH0, so if you have AUTH0 set to 04 then 00 through 03 are readable without auth.
I understand, I was just explaining the comparison of the software’s behaviour. I.e. unreadable pages come up as nil pages of data rather than as 0.
Because when a password is set, i.e. comes up as x on tag info, shows as 0 on nfc tools. But when PROT is set to 1 on all pages, on tag info all pages of data show as x but this reflects in nfc tools as no pages of data. So in effect this verifies that the AUTH0 is working and how this would reflect as well.
Ah yeah. I understand. The reason tag info shows pages as unreadable versus no pages is that nxp has a version command in tag info so it asks the tag what it is and the ntag family has a get_version command, so taginfo knows exactly what chip it’s talking to and what memory pages it has. I don’t think NFC tools does the same, it probably just tries to read pages until it can’t read any pages anymore and stops.
Ok here’s where things don’t quite make sense. Let’s dive in…
The chip password can only be 4 bytes, not 6… not 3… it must be 4.
The password byte value can range from 00 to FF (in hex), or 0 to 255 in decimal.
ASCII keyboard character entry does not encompass the entire range of 00 to FF, unless the app / software is letting you enter hex values like 00 and 14 and FF etc.
So, if you entered a 6 character password into NFC Tools, what it likely did was convert your ASCII characters to their hex values, then truncate off 2 bytes leaving 4, and setting that… or… it has some other way of calculating a 4 byte password value from your 6 byte ASCII data you entered… but the point is, the method of doing this is unknown… so;
AND you entered a 6 byte ASCII password like “doodoo” or “smart!!” or whatever
THEN there is no way to really know what the 4 byte password is that was written to the chip without decompiling the exact version of NFC Tools that was used to figure out how it takes your ascii password data input and truncates / converts it into a 4 byte chip password.
You can never actually remove the password… the chip always needs some sort of password value… you can only replace it. Even if the app you used says “remove password”, just know it can’t be removed, it can only maybe be set to a factory default of some kind… or perhaps by “remove” it meant changing the AUTH0 setting to remove password protection from the memory blocks, while not actually doing anything to the password stored on chip.
In short, exactness matters. Did you do all this stuff with NFC Tools or did you use other tools like TagWriter somewhere in the process? Did you update NFC Tools at any point in this process? Please make a step by step recount of exactly what you did and how.