Specifically, from the TagInfo content of your first post, I can guess that this is what happened:

- You ran Dangerous NFC, typed a password, and scanned your tag.
- DNFC will check your CC (capability container) in page 03 and ensure it’s legit.
- DNFC will update the two lock bytes in page 02 to accomplish two things; 1) lock page 03 to protect the OTP bits of the CC, and 2) lock the static lock bytes in page 02 making it impossible to make any further changes to the lock bytes, effectively disabling them. This leaves user memory blocks 04-0F unable to be locked. They can still be password protected, but not locked.
- DNFC then attempted to disable the dynamic lock bytes in page E2 but there was a coupling problem and an error was produced… probably “tag lost” or something similar was displayed. At this point no changes have been made to the dynamic lock bytes protecting pages 10-E6, the password and PACK bytes have not been updated (they are still FF FF FF FF and 00 00 respectively), and the AUTH0 byte has not been changed from its default of FF.
- You must have then attempted to use another app like NFC Tools or TagWriter to play around with the password setting, and that app then updated the password AND set AUTH0 to 04.

Does that sound accurate?
As mentioned above, only half the lock bytes were updated… the process was interrupted, so the lower lock bytes, password, PACK, and AUTH0 elements were never updated… only page 02 was updated by Dangerous NFC.
The wording of your question is kind of odd though… I’m not sure what you’re asking… but let me put it this way… it is impossible for the chip to NOT have a password. Memory page E5 will always have a value of some kind, even if that value is four null bytes… that is a value… so it is impossible to not have a password. What NXP decided to do was to make FF FF FF FF the “factory default” password… every NTAG216 chip made has FF FF FF FF as the default value stored in page E5… and pretty much every NFC app that knows how to talk to an NTAG216 (or any NTAG2xx) knows the default password is FF FF FF FF… because you cannot read page E5 or E6 from the NTAG216 chip, TagInfo will perform a PWD_AUTH command with FF FF FF FF by default and if it succeeds, it will show FF FF FF FF and then by doing PWD_AUTH it will get back the PACK too and be able to show that… but if the password has been changed, then TagInfo has no way to get the password out of the NTAG216, so it just shows XX, as it has above.
That said, lock bytes have nothing to do with tag access. Lock bytes are about letting an NFC chip be programmed with data and locked forever. In fact, the NFC application that the NTAG216 chip was designed for is called “smart poster” where these cheap tags are put behind printed poster advertisements so people can walk up and tap the poster to do something on their phone… and in those cases you have no reason to update the tags once deployed, and you don’t want people changing the content… hence lock bytes are useful for smart poster applications… but for an implant, lock bytes are utterly useless… so we disable them.
On top of that, there are certain configuration bytes in pages E3 and E4 that are absolutely terrible if set incorrectly… one will lock the configuration pages forever, and there is no way to disable this… and the other is a password counter that will basically count failed password attempts then lock your chip forever… and there is no way to permanently disable this, only turn the counter off… but it could be turned back on and then tripped… so that’s why Dangerous NFC sets AUTH0 to E2 and leaves the user memory bytes alone… if someone maliciously writes to your tag you can just overwrite it… no real harm done… and of course, you can change AUTH0 to fully write-protect the user memory as well if you want… we just didn’t want to overcomplicate things for customers right out of the gate… especially considering other NFC apps apparently do not handle password setting and authentication the same way… which is irritating and dumb… so again, I’m back to apparently needing to re-invent the wheel and update Dangerous NFC to do what it does now plus everything every other app can do too.
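
As an added example that is not part of the original post: a small Python check over a raw NTAG216 page dump that reports the lock-byte, AUTH0 and ACCESS states discussed above. The `audit_ntag216` name, the warning text and the sample dump are constructed for illustration; bit positions are taken from the NXP NTAG213/215/216 data sheet.

```python
# Added example (not from the original post): audit an NTAG216 page dump.
# Byte and bit positions follow the NXP NTAG213/215/216 data sheet.
STATIC_LOCK_PAGE, DYN_LOCK_PAGE, CFG0_PAGE, CFG1_PAGE = 0x02, 0xE2, 0xE3, 0xE4
LAST_PAGE = 0xE6  # NTAG216 pages run 00h..E6h


def audit_ntag216(pages):
    """pages: dict of page number -> 4 bytes. Returns (state, warnings)."""
    lock0, lock1 = pages[STATIC_LOCK_PAGE][2], pages[STATIC_LOCK_PAGE][3]
    dyn = bytes(pages[DYN_LOCK_PAGE][:3])
    auth0 = pages[CFG0_PAGE][3]
    access = pages[CFG1_PAGE][0]
    state = {
        "cc_locked": bool(lock0 & 0x08),                  # L-CC locks page 03
        "static_locks_frozen": (lock0 & 0x07) == 0x07,    # all three BL bits set
        "pages_04_0f_locked": bool((lock0 & 0xF0) or lock1),
        "dynamic_locks_default": dyn == b"\x00\x00\x00",
        "auth0": auth0,
        "password_enforced": auth0 <= LAST_PAGE,          # FFh (default) = off
        "prot_read_and_write": bool(access & 0x80),       # PROT bit
        "cfglck": bool(access & 0x40),                    # config locked forever
        "authlim": access & 0x07,                         # 0 = counter disabled
    }
    warnings = []
    if state["cfglck"]:
        warnings.append("CFGLCK set: configuration pages permanently locked")
    if state["authlim"]:
        warnings.append("AUTHLIM=%d: failed PWD_AUTH attempts can lock the chip"
                        % state["authlim"])
    if state["pages_04_0f_locked"]:
        warnings.append("static lock bits set on user pages 04-0F")
    if state["dynamic_locks_default"]:
        warnings.append("dynamic lock bytes still at default (not disabled)")
    return state, warnings


# Constructed dump matching the interrupted state described in the post:
# page 02 updated, page E2 untouched, AUTH0 later set to 04 by another app.
SAMPLE = {
    0x02: bytes.fromhex("00480f00"),  # lock bytes 0F 00
    0xE2: bytes.fromhex("000000bd"),  # dynamic lock bytes 00 00 00
    0xE3: bytes.fromhex("04000004"),  # CFG0, AUTH0 = 04
    0xE4: bytes.fromhex("00050000"),  # CFG1, ACCESS = 00
}

if __name__ == "__main__":
    state, warnings = audit_ntag216(SAMPLE)
    print(state)
    print(warnings)
```

Pages E5 and E6 are deliberately not part of the input, since PWD and PACK cannot be read back from the chip.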